In my last few blog posts I have explained what is Azure information protection and how we can use it to protect sensitive data in an organization. You can access those using following links,

Step-by-Step Guide: Protect confidential data using Azure information protection 

Step-by-Step Guide: Automatic Data Classification via Azure Information Protection 

Step-by-Step Guide: On-premise Data Protection via Azure Information Protection Scanner 

In this blog post I am going to demonstrate how we can use Azure information protection to secure sensitive data transfers over email. 

My organization is using Office 365. With recent content search I found out sales team shares credit card details of customers via emails. These are very sensitive data and I want to make sure they can’t share these data with anyone else (internal or external). 

To do that first I am going to setup a new label in Azure Information Protection. In my previous blog post http://www.rebeladmin.com/2018/12/step-step-guide-protect-confidential-data-using-azure-information-protection/ I explained how to setup labels so I am not going to repeat the steps. 

This new label is called CreditCardData. Megan is sales manager and she has co-owner permissions for the data with this label. Rest of the sales team is only having viewer permissions. They only can read the data. For testing purpose, I am using one of the sales user Isaiah.

The data protected by this label will have watermark applied. 

Also, I like to apply this label automatically to any data with credit card number. for that I am using a condition. 

Now we have the label, next thing is to publish it. to do that,

In my previous blog posts, I explained what Azure information protection is and how we can use it to do data classification and protect sensitive data. In those, I was using data stored in corporate OneDrive accounts. But in most cases organizations use on-premises file servers. in this blog post I am going to explain how we can use Azure information protection with on-premises file shares.

To do this we are going to use component called Azure Information Protection Scanner. This comes with Azure Information Protection add-on that we normally install in user computers. 

Pre-requisites 

1) Windows Server 2012 R2 or newer

2) Minimum SQL Server 2012 (Express, Standard or Enterprise)

3) Service Account to run the service – Ideally this should be AD sync account and should have log on locally & log on as a service permission. If you have lockdown environment, you can use local account to run service and separate Azure AD account to do authentication. In my demo I am going to use this method. 

4) The Azure Information Protection client installed

5) Classification with automatic protection – More details can find under http://www.rebeladmin.com/2018/12/step-step-guide-automatic-data-classification-via-azure-information-protection/

Create Service Account

In my demo server I have created a local user called aipsa and assign local administrator rights. 

File Share

For demo purpose I have created a file share called DataShare and add different types of files to it. 

SQL Server 2017 Express

In my demo server I have SQL Server 2017 Express installed. This will use for AIP Scanner. 

AIP Client Install

We need full AIP client install before we start the scanner configuration. 

1) Log in to the server as Administrator

2) Download AIP client from https://www.microsoft.com/en-gb/download/details.aspx?id=53018

3) Run the AzInfoProtection.exe as Administrator

4) Accept terms & conditions in first screen

5) It will start the installation

In my previous blog post I explained how we can use Azure information protection to protect sensitive data in an organization. You can access it using http://www.rebeladmin.com/2018/12/step-step-guide-protect-confidential-data-using-azure-information-protection/ . In that post I have created labels with permissions and assign it to documents to protect sensitive data. But in an organization, we deal with lots of data. So, applying label manually is not practical. Therefore, AIP offers automatic data classification to overcome this challenge. Using this feature, we can apply conditions to labels. When conditions are met, it will automatically apply the relevant label to data. 

This feature supports many industry recognized information types. It also allows to create our own conditions with information patterns specific for our requirements. In below I list some examples for predefined information types available in AIP.

• Canada Bank Account Number

• Canada Driver's License Number

• Canada Health Service Number

• Canada Passport Number

• Canada Personal Health Identification Number (PHIN)

• Canada Social Insurance Number

• Chile Identity Card Number

• China Resident Identity Card (PRC) Number

• Credit Card Number

• EU Debit Card Number

• EU Driver's License Number

• EU National Identification Number

• EU Passport Number

• EU Social Security Number or Equivalent ID

• EU Tax Identification Number

• U.K. Driver's License Number

• U.K. Electoral Roll Number

• U.K. National Health Service Number

• U.K. National Insurance Number (NINO)

• U.S. / U.K. Passport Number

• U.S. Bank Account Number

• U.S. Driver's License Number

• U.S. Individual Taxpayer Identification Number (ITIN)

• U.S. Social Security Number (SSN) 

Actions followed by condition can be either automatic classification or recommended classification. If it is automatic classification, label will apply immediately after conditions are met. If its recommended classification, system will recommend the label but will not apply it to data. 

So, let’s see it in actions. 

in my demo environment I have a label setup under AIP called Sales confidential. In my previous blog post I have demonstrate how to setup a label so I am not going to repeat it again. You can read step-by-step guide about it using http://www.rebeladmin.com/2018/12/step-step-guide-protect-confidential-data-using-azure-information-protection/ 

in my label I have setup my sales manager Megan as the co-owner for the data and sales executive Isaiah a viewer. I am going to apply this label to any document which have credit card number in it. My label settings are as following,

Data is the new oil. It created new currency, it opened up new opportunities, new revenue streams. When more and more data been transferred in to digital format, it opens up new security concerns about confidential data. How we can make sure corporate confidential data not been shared? 

I have some confidential data saved in OneDrive. It is being shared with my sales team. Majority of team members are working from home at least 2-3 days in the week. I need to make sure this confidential data not been shared with anyone else. In this demo I am going to show how I fix with this issue. 

The solution that I am going to use in here is Azure Information protection. This works with labels & permissions. We can label data and associate relevant permissions to it. Permissions define what users can do and can’t do with data.

So, let’s see this in action. As first step we need to go ahead and setup labels. To do that,

1. Log in to https://portal.azure.com as global administrator

2. Then go to All Services | Azure Information Protection 

3. Then click on Labels | Add a new label 

4. In new page, provide name and description for the label. Then click on protect under Set permissions for documents and emails containing this label. 

5. Click on Azure (cloud key) and in new window click on Add permissions. 

In my previous posts I explained how we can add devices to Intune and how we can push applications to those. This is another blog post under same category and in here I am going to talk about managing device compliances using Microsoft Intune. 

In an infrastructure, we know how trusted device should looks like. We use different tools and services to make sure those does. As a simple example, most use group policies to make sure firewall, windows updates are up and running. But now, it is hard to define infrastructure boundaries as many people use same device for work and personal stuff. More and more people are working remotely. So, administrators are losing control over the devices. With Microsoft Intune we can easily define compliance policies and detect devices which is not meeting infrastructure requirements. It is similar how network policy server works in BYOD environment. 

In this demo I am going to create compliance policy to detect the devices which doesn’t have firewall and antivirus services running. once it detects, it also should send notification to IT department so they aware that non-compliance device is in network.  

1. To start, log in Azure portal as Global administrator

2. Then go to All Services | Intune | Devices

3. Under devices I can see my demo device is in healthy state. 

4. First, we need to create device group, so I can target it with the policy. to do that go to Intune home page and click on Groups

5. Then click on New Group

6. Then create the new security group with demo device. 

In my previous post I explained how we can enroll Windows 10 devices into Microsoft Intune. You can access it using http://www.rebeladmin.com/2018/11/step-step-guide-enroll-windows-10-devices-microsoft-intune-using-autopilot/ . In this post I am going to demonstrate how to publish applications to windows 10 devices via Microsoft Intune (To devices which is enrolled successfully).

Tip

Before you enroll devices make sure you already have enabled MDM & MAM auto enrollment for all users/selected users. Otherwise device will not auto-enroll with Intune. 

These settings are under Azure Active Directory | Mobility (MDM & MAM) 

1. Log in to Azure Portal as Global Administrator

2. Then go to Intune | Devices | All Devices & Verify the status of enrolled devices

3. As next step, I am going to create device group. it will help us to publish applications in to target easily. To do that, go back to Intune home page and click on Groups | New Group

If you worked with SCCM or VDI solutions you may already know that creating & managing system images is a painful task. If you are using Microsoft Intune as your MDM solution, we can use Intune & Windows autopilot feature to enroll & prepare device for the production use without worrying about re-build or applying custom operating system images. Windows autopilot is a windows 10 feature which can use to pre-configure, reset, repurpose, recover devices. In this demo I am going to demonstrate how to prepare & enroll windows 10 device in to Microsoft Intune using Windows autopilot. 

Prerequisites

1. Windows 10 version 1703 or higher must be used. Supported editions are:

• Pro

• Pro Education

• Pro for Workstations

• Enterprise

• Education

2. One of the Azure Active Directory (automatic MDM enrollment and company branding features) and MDM subscription:

• Microsoft 365 Business subscriptions

• Microsoft 365 F1 subscriptions

• Microsoft 365 Enterprise E3 or E5 subscriptions, which include all Windows 10, Office 365, and EM+S features (Azure AD and Intune)

• Enterprise Mobility + Security E3 or E5 subscriptions, which include all needed Azure AD and Intune features

• Azure Active Directory Premium P1 or P2 and Intune subscriptions (or an alternative MDM service)   

In my demo environment, I have windows 10 enterprise virtual machine with latest windows updates. Let’s see how we can enroll it to Azure Intune with Autopilot. 

1. Log in to Azure Portal as Global Administrator

2. Go to Azure Active Directory | Devices | Device Settings

3. Check settings under Users may join devices to Azure AD, if you have selected users or group, make sure you going to use those accounts for the enrollment process. in my environment I allow All.

4. Then go to Azure Active Directory | Users. Then go to the user you going to use for the enrollment and verify relevant licenses are assigned. 

5. In order to import devices, we need find out serial numbers, Windows product IDs & hardware hashes. To do that log in to your windows 10 machine and install following script. Then we can create CSV with relevant info. 

Install-Script -Name Get-WindowsAutoPilotInfo

You also can download script from https://aka.ms/Autopilotshell and install manually. 

In my previous post I explain how we can use Azure AD B2B to share services/resources between organization. Once these B2B users are register with Azure AD, we can apply “Conditional Access” polcies to control their access further. In this demo I am going to show how to do that. 

Prerequisites

Before we start please go ahead and read my previous article about Azure AD B2B, because in this post I am going assume that you already finish the sign-up process for Azure AD B2B users. 

 You can access the post using http://www.rebeladmin.com/2018/11/cross-organization-collaboration-azure-ad-b2b/ 

In my demo environment, I have sg-Finance security group. All the users from Finance department are part of it. I do have several applications assigned to them. Company Contoso recently made partnership with another company. Some privileged users from this new company required access to the applications used by sg-Finance users. Therefore, I went ahead and made them member of this group using Azure B2B. However, I need to put extra layer of security for these external user access requests to make sure my sensitive data been protected.  

1. To start the configuration, I am logging in to https://portal.azure.com as Global Administrator

2. Then Azure Active Directory | Groups | sg-Finance | Members. In here I can see B2B user dmfrancis

3. Now go back to Azure Active Directory home page and click on Conditional Access

4. Then click on New policy

In on-premises Active Directory environment, we use “trusts” to establish identity infrastructure connection between businesses. Based on trust type and access permissions, users from one organization can access resources/services in other infrastructure using their own domain credentials. Azure AD B2B does the same thing for cloud resources but in much more easier way. In this demo I am going to demonstrate how easily we can allow users from other organizations to access our cloud resources using Azure AD B2B. 

In my demo environment, I do have an Azure AD user group called sg-Finance . All the users from Finance department are members of this group. I have assign several SaaS applications to them. Company Contoso recently merge with another company. Few privileged users from new company like to access some financial data belongs to Contoso. The relevant data is currently available via SaaS applications which is used by sg-Finance group members. In this demo, I am going to invite external user to be part of sg-Finance group so they can access same applications. 

1. To start, log in to Azure Portal https://portal.azure.com as Global Administrator

2. Then go to Azure Active Directory | Groups

3. Then go to sg-Finance group and then Members.

4. In here, Megan is a member of this group. I log in to http://myapps.microsoft.com as Megan to verify SaaS application access. In this demo I am using Box as sample app. 

5. Now go back to group page and click on Add members

Complex passwords are a basic requirement to protect a system from cyber-attack. Even today most of the cyber-attack could have prevented if users were using complex, un-guessable passwords. I agree this is not the best solution especially as we are moving towards password-less authentication (Azure AD already released preview for it you can find more about it via http://www.rebeladmin.com/2018/09/step-step-guide-azure-ad-password-less-authentication-public-preview/). However, attackers always try the low hanging fruits first. In on-premises AD environment we can force users to use complex passwords via group policy. however, we couldn’t ban passwords using this method. Now Azure AD support banned password lists and smart lockout for Azure AD & on-premise AD in hybrid setup. Smart lockout is using cloud intelligence to detect password spoofing attempts from attackers. In this demo I am going to demonstrate, how to enable this feature in hybrid environment to protect both sides. 

As the first step, let’s enable the password protection. 

1. Log in to Azure Portal as global admin

2. Click on Azure Active Directory

3. Then Authentication Method

4. New window is to define password protection settings. In this demo, I am keeping the default thresholds for custom smart lockout. To define ban password list, click on Yes for Enforce custom list and then type the passwords you like to ban.