
Microsoft Compliance Manager makes it easy to deal with compliance challenges!

If you live in Europe, you are probably aware of how GDPR (General Data Protection Regulation) is storming through the IT world. Service providers, vendors and pretty much every business that handles digital data are looking at, or making plans for, GDPR, which comes into force on 25 May 2018. Some are already compliant and some are still struggling to figure it out. People are talking about compliance more than ever. Compliance is always painful to deal with. It involves knowledge, experience, skills, people, time, roles and responsibilities, services and much more. More importantly, you need to evaluate how each regulation maps onto your own business model. There is no single button or shortcut that makes an organization comply with the regulations that appear from time to time.

These requirements also change with industry trends and needs. Even if your organization is compliant today, it may not be in six months' time, so continuous awareness and skills are required to maintain compliance status. For an organization it is not a one-man job either; different roles carry different responsibilities to make it possible. Some standards are just "good to have", some are a must for certain businesses to operate, and some are backed by law, which leaves no choice at all.

This whole GDPR experience has taught some lessons,

Complexity – When new regulations are enforced, lack of information, complexity, and lack of experience and skills make it difficult for organizations to adopt them in a short period of time. This rush and uncertainty can push organizations into hasty moves that lead to bigger problems.

Compatibility with other standards – Sometimes a business has to comply with several standards at once, so what you do to satisfy one can affect standards you already comply with. It is hard to keep track of each individual action and measure its impact.

Commitment – As explained above, it is not a one-man job; different parties and roles need to commit to the compliance targets. Organizations always find it difficult to measure commitment or evaluate task progress throughout the implementation process.

Tools and methods – As everyone agrees, there are no shortcuts to compliance. It is not like installing software or enabling a service. Organizations need to go through the relevant rules and see how they apply to their infrastructure and business model, but doing all of this manually is not always practical. As an example, GDPR has more than 100 rules. Without tools or other methods to map them onto the existing infrastructure, it is a time-consuming, complex process. There are tools that produce reports based on the information you provide, but so far I am not aware of a tool that does real-time analysis of the infrastructure and reports back on compliance status.

At the last Ignite event Microsoft introduced the Compliance Manager tool, which simplifies the compliance adoption process for organizations. As a service provider, Microsoft also has a role to play in making its cloud products comply with these standards. So Microsoft created a service that explains how it has done its part and gives customers insight into their part in the form of tasks. Each task includes a detailed explanation, can be assigned to a user, and its progress can be tracked in real time.

This service is available for Azure and Office 365 customers. It covers not only GDPR but also other standards such as ISO 27001:2013 and ISO 27018:2014. It is currently in preview and will be generally available in 2018.

To access this tool you need a valid Office 365 subscription; Azure and Dynamics support is coming soon. It can also be tested using a trial Azure account. Once you have your login details ready, go to https://servicetrust.microsoft.com/ and click on "Launch Compliance Manager".

On the next page it asks about the subscription. If you already have a valid subscription you can use the "Sign In" option.

After successful authentication it loads the Compliance Manager dashboard.

Each tile represents one compliance standard. Using the "Add Assessment" button we can add new standards to the list. To do so, first click on the Add Assessment option.

Then, in the pop-up, select the relevant product and click on Next.

In the next window, select the relevant assessments and click on Add to Dashboard.

Each tile has two sections: one lists the controls Microsoft is responsible for, and the other lists the controls the customer is responsible for.

To see these in detail, click on the assessment name on the tile.

It then lists the sections and the controls under each of them.

As an example, if I expand one of the Microsoft-managed controls, it explains what the control is, what Microsoft did to implement it and who assessed it.

Now if I do the same for the customer controls I can see similar details, but most of them need to be filled in by the customer. It provides a detailed description of the assessment, and under Customer Actions it gives some insight into what the customer needs to do to pass the assessment.

It also has two sections where we can add notes about the implementation, the test plan and the management response.

Using the Test Date option we can set the date of the assessment.

Using the Test Result drop-down we can select the assessment status.

Using the Manage Documents option we can upload the relevant documents for the task.

More importantly, using the Assign button a task can be assigned to another user in the organization.

In my demo, I am assigning it to the user Agnes Schleich with high priority.

Email notification for this is not working yet, but in future, once a task has been assigned, it will send an email notification to the user.

Now when I log in to Compliance Manager as the user Agnes Schleich, I can see the assigned task under Action Items.

Cool, isn't it? Microsoft has promised to add more and more assessments in the coming months to make life easier with compliance. Once you have finished your evaluation, do not forget to provide feedback using the Feedback button.

This marks the end of this blog post. If you have any questions feel free to contact me at rebeladm@live.com, and follow me on Twitter @rebeladm to get updates about new blog posts.

Which Azure Active Directory edition should I buy?

Azure Active Directory provides the identity service for Microsoft online services. When I talk to people about Azure AD, one of the most common questions they ask is: which edition should I buy? Will my existing subscription give me the features I am looking for? Many people still think Azure subscriptions and prices are complicated, but if you understand what each edition can do it is not that hard. I have seen people paying for Azure AD Premium when the free edition gives them all the features they need for their environment, and others struggling to implement premium-only features on their free Azure AD instance. In this blog post I list the features of each Azure AD edition and hope it helps you decide which edition you need for your setup.

There are four Azure AD editions:

1) Free

2) Basic

3) Premium P1

4) Premium P2

Free – If you subscribe to any Microsoft online service such as Azure or Office 365 you get the free Azure AD edition. You do not need to pay for it, but it has limited features, which I will explain later in this post.

Basic – Designed for task workers with cloud-first needs, this edition provides cloud centric application access and self-service identity management solutions. With the Basic edition of Azure Active Directory, you get productivity enhancing and cost reducing features like group-based access management, self-service password reset for cloud applications, and Azure Active Directory Application Proxy (to publish on-premises web applications using Azure Active Directory), all backed by an enterprise-level SLA of 99.9 percent uptime.
 
Premium P1 – Designed to empower organizations with more demanding identity and access management needs, Azure Active Directory Premium edition adds feature-rich enterprise-level identity management capabilities and enables hybrid users to seamlessly access on-premises and cloud capabilities. This edition includes everything you need for information worker and identity administrators in hybrid environments across application access, self-service identity and access management (IAM), identity protection and security in the cloud. It supports advanced administration and delegation resources like dynamic groups and self-service group management. It includes Microsoft Identity Manager (an on-premises identity and access management suite) and provides cloud write-back capabilities enabling solutions like self-service password reset for your on-premises users.
 
Premium P2 – Designed with advanced protection for all your users and administrators, this edition includes all the capabilities of Azure AD Premium P1 as well as Identity Protection and Privileged Identity Management. Azure Active Directory Identity Protection leverages billions of signals to provide risk-based conditional access to your applications and critical company data. Azure Active Directory Privileged Identity Management helps you manage and protect privileged accounts, so you can discover, restrict and monitor administrators and their access to resources and provide just-in-time access when needed.
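Before buying anything it is worth checking which edition the tenant, and the individual user, already has. The script below is an added example and is not part of the original post; it uses the AzureAD PowerShell module (Install-Module AzureAD) and assumes the signed-in account can read licence information and that alice@contoso.com is a sample user. It keys off the service plan names AAD_BASIC, AAD_PREMIUM and AAD_PREMIUM_P2, which are the plans Azure AD reports for the three paid editions; the SKU part number alone is not enough because bundles such as EMS carry the same plans under a different SKU name.

```powershell
# Added example (not from the original post): which Azure AD edition do I already have?
# Assumptions: AzureAD module installed, an account that can read licence details,
# and a sample user alice@contoso.com.

Connect-AzureAD

# Edition-defining service plan names as reported by Azure AD. Bundles (EMS, M365)
# contain the same plan names, so inspect service plans rather than SKU names.
$EditionPlans = @{
    'AAD_BASIC'      = 'Azure AD Basic'
    'AAD_PREMIUM'    = 'Azure AD Premium P1'
    'AAD_PREMIUM_P2' = 'Azure AD Premium P2'
}

function Get-TenantAadEditions {
    # Every purchased SKU, the Azure AD edition(s) it brings, and seat usage.
    Get-AzureADSubscribedSku | ForEach-Object {
        $sku = $_
        $editions = $sku.ServicePlans |
            Where-Object { $EditionPlans.ContainsKey($_.ServicePlanName) } |
            ForEach-Object { $EditionPlans[$_.ServicePlanName] }
        [pscustomobject]@{
            Sku      = $sku.SkuPartNumber
            Editions = if ($editions) { ($editions | Sort-Object -Unique) -join ', ' } else { 'Free only' }
            Enabled  = $sku.PrepaidUnits.Enabled
            Consumed = $sku.ConsumedUnits
        }
    }
}

function Get-UserAadEdition {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    # Premium features are licensed per user: the tenant can own P2 seats while a
    # given user still only has Free, so look at the plans actually assigned to them.
    $plans = Get-AzureADUserLicenseDetail -ObjectId $UserPrincipalName |
        ForEach-Object { $_.ServicePlans } |
        Where-Object { $EditionPlans.ContainsKey($_.ServicePlanName) -and
                       $_.ProvisioningStatus -eq 'Success' }
    if (-not $plans) { return 'Free' }
    # Highest edition wins: P2 includes P1, P1 includes Basic.
    foreach ($name in 'AAD_PREMIUM_P2', 'AAD_PREMIUM', 'AAD_BASIC') {
        if ($plans.ServicePlanName -contains $name) { return $EditionPlans[$name] }
    }
}

Get-TenantAadEditions | Format-Table -AutoSize
Get-UserAadEdition -UserPrincipalName 'alice@contoso.com'
```

Run the tenant-level function first; if the edition you are after already shows up with free seats, the question becomes one of assigning a licence to the right users rather than buying a new subscription.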
 
 
You can find more info about the subscriptions from 
 
If you have any questions feel free to contact me at rebeladm@live.com

 
Note: Image source https://f.ch9.ms/thumbnail/4ac52e5b-b3ac-4fbd-bbc7-bd4bae8403da.png

Step-by-Step guide to creating federated sharing between on-premises Exchange 2013 and an Office 365 organization

Recently I was working on a project for a customer, and I thought I would share the problem and the solution so that in future it helps my blog readers.

Problem

My client has an on-premises Microsoft Exchange 2013 deployment. Recently they acquired a company that uses Office 365. Both companies would like to see each other's calendar free/busy information when they schedule meetings.

Solution

Exchange 2013 offers a feature called "federation trust". A federation trust creates a trust relationship between the on-premises Exchange server and the Azure Active Directory authentication system (also known as the Microsoft Federation Gateway). It can then be used to create federated sharing with other federated organizations in order to share calendar free/busy information. The same method can be used to create federated sharing between an on-premises Exchange server and Office 365.

What you need

Before starting the configuration we need the following ready,
1)    Exchange administrator privileges for the on-premises Exchange setup
2)    Global administrator privileges for the Office 365 portal
3)    Access to the public DNS zone of the on-premises Exchange domain, to add a TXT record
4)    Autodiscover must be fully functional for the on-premises Exchange setup. If there is a problem with it, fix it before starting this configuration, otherwise you will end up with one-way calendar free/busy sharing.

Configuration on on-premises Exchange 2013

1)    Log in to the EAC as an Exchange administrator
2)    Go to organization > sharing

3)    Then click on Enable (if you are not using any federation trust already) and start the federation trust wizard. It is a straightforward setup; once the wizard completes, click on Close.
4)    Then, under Federation Trust, click on Modify

5)    In the new Sharing-Enabled Domains window, next to step 1, click on Browse
6)    In Select Accepted Domains, select the primary domain name of the on-premises Exchange setup and click OK
7)    This creates a federation trust with the Azure AD authentication system. Make a note of the TXT record shown in the window and add it to the DNS zone (it must resolve via public DNS). Make sure the record is created correctly, otherwise you will not be able to verify domain ownership with the Azure AD authentication system. DNS propagation can sometimes take up to 24 hours, depending on your DNS provider. Once the record is created, click on Update
8)    Once done, the window shows the federation trust with a unique federation trust namespace registered with the Azure AD authentication system.

9)    If you have additional domains, click on the + sign to add them. Once done, click on Update and close the window.

10)    Now we need to add the Office 365 domain and allow them to see the free/busy information. To do that, in the same Sharing window, under Organization Sharing, click on the + sign

11)    In the new window, fill in the information about the Office 365 domain and set the sharing permissions as desired. I highly recommend using the same permissions at both ends to avoid issues; if the policies mismatch, it may work one way only. Once the changes are done, click on Save.

12)    That's it; this completes the federation trust setup on the on-premises Exchange 2013 end.

Configuration on Office 365 end

1)    Log in to the Office 365 portal and open the Exchange admin center

2)    In the EAC, go to Organization

3)    Under Organization Sharing, click on + to add the on-premises Exchange domain

4)    In the new window, add the information about the on-premises domain and set the sharing permissions; once done, click on Save.

Now it's all done and it's time for testing.
Sometimes you may notice that even after the setup, Office 365 users cannot see the calendar free/busy information while it works from the other end. The best way to start troubleshooting this problem is to follow this troubleshooting guide: https://support.microsoft.com/en-us/help/10092/troubleshooting-free-busy-issues-in-exchange-hybrid-environment

I have also noticed that sometimes you need to restart IIS on the on-premises Exchange 2013 CAS to get this working.
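For anyone who prefers the shell, or wants to script the setup for several accepted domains, the block below is an added example (not from the original post) that performs the same steps from the Exchange Management Shell and then runs the built-in tests that cover the one-way free/busy problem described above. The names are assumptions and are not in the post: contoso.com and sales.contoso.com are the on-premises accepted domains, fabrikam.com is the acquired company's Office 365 domain, user1@contoso.com is a test mailbox, and 8.8.8.8 is simply a public resolver used to confirm the TXT proof is visible from outside.

```powershell
# Added example (not from the original post): the EAC steps above done from PowerShell.
# Assumed names: contoso.com / sales.contoso.com on-premises, fabrikam.com in Office 365,
# test mailbox user1@contoso.com, 8.8.8.8 as an external resolver for the DNS check.

$OnPremDomain = 'contoso.com'
$ExtraDomains = @('sales.contoso.com')
$CloudDomain  = 'fabrikam.com'
$TestUser     = "user1@$OnPremDomain"
$TrustName    = 'Microsoft Federation Gateway'   # the Azure AD authentication system

# ---- On-premises Exchange 2013: run in the Exchange Management Shell ----------------

# Step 3: the wizard generates a self-signed federation certificate and creates the trust.
$ski  = [System.Guid]::NewGuid().ToString('N')
$cert = New-ExchangeCertificate -FriendlyName 'Exchange Federated Sharing' `
    -DomainName $OnPremDomain -Services Federation -KeySize 2048 `
    -PrivateKeyExportable $true -SubjectKeyIdentifier $ski
New-FederationTrust -Name $TrustName -Thumbprint $cert.Thumbprint

# Step 7: every domain needs its own TXT proof published in PUBLIC DNS before it can be
# added. Print the records to hand to whoever manages the zone.
foreach ($d in @($OnPremDomain) + $ExtraDomains) {
    Get-FederatedDomainProof -DomainName $d | Format-List Name, DnsRecord, Proof
}

# Do not continue until the proof resolves from outside (propagation can take up to
# 24 hours). An empty result here means the Update step in the EAC would fail too.
foreach ($d in @($OnPremDomain) + $ExtraDomains) {
    Resolve-DnsName -Name $d -Type TXT -Server 8.8.8.8 -ErrorAction SilentlyContinue |
        Select-Object Name, Strings
}

# Steps 5-8: the primary accepted domain becomes the account namespace, which registers
# the unique federation namespace with the Azure AD authentication system.
Set-FederatedOrganizationIdentifier -DelegationFederationTrust $TrustName `
    -AccountNamespace $OnPremDomain -Enabled $true

# Step 9: additional accepted domains (their TXT proofs must already be live).
foreach ($d in $ExtraDomains) { Add-FederatedDomain -DomainName $d }
Get-FederatedOrganizationIdentifier | Format-List AccountNamespace, Domains, Enabled

# Steps 10-11: the organization relationship with the Office 365 organization.
# Get-FederationInformation reads the other side's Autodiscover, so a failure here points
# at the Autodiscover prerequisite rather than at the trust itself.
Get-FederationInformation -DomainName $CloudDomain |
    New-OrganizationRelationship -Name 'Fabrikam (Office 365)' `
        -FreeBusyAccessEnabled $true -FreeBusyAccessLevel LimitedDetails

# ---- Office 365 end: run the same command in an Exchange Online PowerShell session ----
# Use exactly the same FreeBusyAccessLevel on both sides; a mismatch gives one-way results.
#
# Get-FederationInformation -DomainName 'contoso.com' |
#     New-OrganizationRelationship -Name 'Contoso (on-premises)' `
#         -FreeBusyAccessEnabled $true -FreeBusyAccessLevel LimitedDetails

# ---- Testing from on-premises ---------------------------------------------------------
# Trust, domain proof and relationship are checked in that order, which is also the
# order to troubleshoot one-way free/busy.
Test-FederationTrust -UserIdentity $TestUser
Test-OrganizationRelationship -Identity 'Fabrikam (Office 365)' -UserIdentity $TestUser -Verbose
Get-OrganizationRelationship | Format-List Name, DomainNames, FreeBusyAccessLevel, `
    TargetAutodiscoverEpr, TargetApplicationUri

# If everything above passes but Office 365 users still cannot see free/busy, recycle
# IIS on the on-premises CAS as noted in the post:  iisreset /noforce
```

Test-OrganizationRelationship is the quickest way to tell which side is broken: it resolves the remote Autodiscover endpoint and requests a delegation token from the Azure AD authentication system, so a failure at the token step means the trust or TXT proof is wrong, while a failure at the endpoint step means the remote organization's Autodiscover (the prerequisite in the "What you need" list) is not reachable.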

Hope this helps, and if you have any questions feel free to contact me at rebeladm@live.com