AIP: I know when you open my document, and I can revoke access! (Compliance + Sales = Seller Hero)

Have you ever sent an email to someone (perhaps a customer) that contained an important document and wished you could see whether they have opened it? What if you accidentally sent the document to the wrong audience, wouldn’t it be nice to revoke access? Perhaps it’s a sales quote and you want it to expire in 30 days? Well, the future is here, and this is possible today using Azure Information Protection (AIP), included with Enterprise Mobility + Security, Microsoft 365, or a plan that includes AIP with Office 365. In this blog post we will explore, from an end-user perspective, how a user can see if their recipient has opened the document, and how to revoke its access.

Azure Information Protection enables your organization to classify its data and apply security policy to that data, but more importantly it gives end-users visibility and control over how the data is consumed. This tool is extremely powerful for both IT and end-users, because it allows you not only to discover what data is in the organization, but to classify it based on some criteria (e.g. Confidential, Secret, Top Secret and risk to the organization) and apply policies that govern who can access what data based on the classification assigned.

This can be especially useful when you need help complying with regulations like GDPR. For more information about Azure Information Protection, I suggest reading the IT Pro documentation, What is Azure Information Protection?, as I will not be covering full technical details here, such as how to configure the protection policy. I also highly suggest reviewing the AIP client user guide HERE.

You’re telling me I can see who has opened my document?

Yes! If I send you a document, spreadsheet, PDF, PowerPoint, etc., I can see if you have opened that file, and it doesn’t matter how it was sent either (email, file transfer over Skype, posted to Teams, etc.). I can also see who has opened the file, by their identity, regardless of whether they were the intended recipient. I simply control this using the site https://track.azurerms.com

When I browse to the site, and login, I can see a list of the documents I have protected using Azure Information Protection:


Clicking on one of the documents, I can see how many views there were (and by whom), how many users (and which ones) were denied access to the document, among other controls. Let’s click List in the top menu.


Here I can see who (by user identity, as signed into the Office applications) has attempted to access the document and whether or not they were successful. This is extremely useful!


Clicking on Map in the top menu, I can see where in the world the document has been accessed. If all my users were accessing it from the US, and then one user accessed it from outside the US, this could indicate a stolen identity or data breach, and I may want to revoke access to the document.


Clicking on Settings in the top menu allows me to do something REALLY COOL: whenever the document is accessed, I can receive an email notification! Why is this really cool? I might be a salesperson and this document might be a proposal to a client. If I never receive an email, I know you haven’t opened the document, so you may not be interested and I need to adjust my sales approach. This is one of the features of the product that (in my opinion) sells itself. Having that type of intelligence can be critical to the closure of a deal.


At the bottom of the page, I can revoke everyone’s access to the document by clicking the Revoke Access button:


At the bottom, I click Confirm:


All access to the document has now been revoked:


How does this work?

All roads lead to identity:

When a file is protected using Azure Information Protection (AIP), the file is actually encrypted at the file level, and the encryption travels with the file wherever it goes. This encryption is tied to the user’s identity in Azure Active Directory (AD). When the file is accessed, the user authenticates to Azure AD, authorization is checked, the file is decrypted and the user can view it. For more detailed technical information on how this encryption process works, see How does Azure RMS work? Under the hood.

So, if I give you a super sensitive file that has been protected using AIP, unless you have my identity, or have been granted authorization, you cannot open the file. This is (in my opinion) a game changer, as it means your organization’s data can travel from device to device (personal home computer, work computer, mobile devices, USB sticks, etc.) and the data will stay encrypted. It doesn’t matter if the device is protected or not, because the file is already encrypted. It doesn’t matter if I accidentally send the file to someone I shouldn’t have, because it’s already encrypted.

What’s required to do this? A few things, as outlined in the technical documentation, but most importantly: the recipient (inside or outside your organization) needs to have an identity account in Azure Active Directory.

What if the recipient does not have an Azure AD account?

If the file is being sent to someone outside your organization, and that recipient does not have an identity account in Azure Active Directory you have a few options:

  1. The recipient can sign up for “Azure RMS for Individuals” by browsing to this website and going through the wizard. Microsoft will check the email address to see if it’s associated with an AIP subscription, or an Office 365 subscription that includes AIP. If it is not found, you can register, and essentially an account in Azure Active Directory will be created for you. For more information about this process see: RMS for individuals and Azure Information Protection. (Note: this DOES NOT sign your company up for anything; it is tied to a single identity so you can use the viewer or sign into a protected file.)
  2. If you do not want to go with option 1 (although it’s VERY easy!), then your second option is actually pretty interesting. When AIP is used with Exchange Online, and the document is sent using Office 365 Message Encryption, you can sign in using a Gmail, Hotmail or Microsoft (Live) account! See New Capabilities Available in Office 365 Message Encryption.
  3. The last option uses the Azure Information Protection client. You can manually specify the recipients who are authorized to access the file (by email address) and their associated permissions using the AIP client:


IMPORTANT: All three options require the user to sign into Office on their device (or use the Azure AIP Viewer) with the identity that is associated with the AIP protected file. So, if I receive a spreadsheet from you sent to johndoe@gmail.com, I need to sign into Excel on my device as johndoe@gmail.com.

NOTE: Notice above that there is an option to Expire Access. I can have the file expire after, say, 30 days, and no one can open it afterwards. This is another important feature that adds tremendous value (a salesperson who wishes to expire a quote after 30 days, for example).
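As an added example (not Azure RMS code and not from the original post), here is a simplified Python model of the access decision described under “How does this work?” and the Expire Access note above: the file stays encrypted wherever it travels, the client must ask the service for the content key after signing in, and the service checks authorization, revocation and expiry and records every attempt so it can be reported the way the tracking site does. Names such as ProtectionService and request_key, and the sample identities, are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Simplified model: the service, not the file, decides who receives the
# content key. Real Azure RMS uses publishing/use licenses and asymmetric
# key wrapping; this model keeps only the policy decision and the audit log.


@dataclass
class Protection:
    owner: str
    allowed: set                      # identities (email addresses) granted access
    content_key: bytes                # what a client needs to decrypt the file body
    expires: Optional[datetime] = None
    revoked: bool = False
    log: list = field(default_factory=list)   # (when, identity, outcome)


class ProtectionService:
    def __init__(self):
        self.docs = {}

    def protect(self, doc_id, owner, recipients, key, days=None, now=None):
        """Protect a file for the owner plus the listed recipients, optionally expiring."""
        now = now or datetime.now(timezone.utc)
        expires = now + timedelta(days=days) if days else None
        self.docs[doc_id] = Protection(owner, {owner, *recipients}, key, expires)

    def request_key(self, doc_id, identity, now=None):
        """Called by the client after the user signed in as `identity`.

        Returns the content key on success, None when access is denied.
        Every attempt is logged, which is what the tracking portal shows.
        """
        now = now or datetime.now(timezone.utc)
        p = self.docs[doc_id]
        if p.revoked:
            outcome = "denied: revoked"
        elif p.expires is not None and now > p.expires:
            outcome = "denied: expired"
        elif identity not in p.allowed:
            outcome = "denied: not authorized"
        else:
            outcome = "allowed"
        p.log.append((now, identity, outcome))
        return p.content_key if outcome == "allowed" else None

    def revoke(self, doc_id, requester):
        """The Revoke Access button: only the owner may revoke."""
        p = self.docs[doc_id]
        if requester != p.owner:
            raise PermissionError("only the owner can revoke access")
        p.revoked = True

    def report(self, doc_id):
        """Views versus denials by identity, like the tracking portal's List view."""
        log = self.docs[doc_id].log
        return {
            "views": [who for _, who, outcome in log if outcome == "allowed"],
            "denied": [(who, outcome) for _, who, outcome in log if outcome != "allowed"],
        }
```
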

Conclusion:

As you can see, Azure Information Protection can provide tremendous value to your organization by empowering employees to take control over their data and ensure its security. At the same time, it enables them to be more productive by seamlessly sharing sensitive files outside the organization and tracking their usage. This used to require different 3rd party products, and getting them integrated with the environment was a challenge.

It’s important to note that I have not shown all the back-end configuration that can be performed by IT to add additional value and to meet organizational requirements. Please review the technical documentation to learn more about the following: trusted domains, permissions based on classification type, Office 365 Message Encryption (and how typing the recipient’s email address in the To line in Outlook automatically grants them permissions), etc.

If you own AIP through Microsoft 365, Office 365 or Enterprise Mobility + Security, give this a try and tell me about your success in the comments below!

Video: Do you know the Microsoft Security Story?

Do you know the Microsoft security story? Watch the video below as I present how Microsoft can help protect your ever expanding digital estate through cyber security for your digital transformation.

In the video I discuss the following topics (click to learn more):

Intune: MDM Enrollment Experience (complete device management) (OLD)

Microsoft Intune, part of Enterprise Mobility + Security (EMS), is an Azure based service that enables IT to manage devices at scale (iOS, Android, macOS, Windows) and customize them, just like you would with an enterprise Windows PC. This provides a wealth of capability for IT to ensure devices are secure and protect the intellectual property on them, while remaining easy and efficient to use and not creating a burden on the end user. Let’s take a look at how to enroll a device into Intune MDM from the end-user’s perspective.

Note: Refer to the technical documentation for more information on how to configure Intune for MDM enrollment.

With my personal (or corporate owned) iPad I’m going to download the Company Portal app from the App Store:

Once downloaded, I’m going to launch the Company Portal app. Upon launching I will be prompted to sign-in:

Microsoft will recognize my credentials as Azure Active Directory credentials and will take me to my company’s sign-in page (still inside the app):

Once I click Sign-in, Company Portal will load:

Once signed in, there will be instructions telling me I need to get my device managed in order to access my corporate applications and data. I’m going to tap Begin.

Next, I’ll be made aware of what information on the device my IT department will have visibility to, and what they won’t. For me this is an important screen and step for users to develop trust with IT and the process. I’m going to tap Continue:

Next, I’ll be made aware of the next few steps: first I’ll be redirected to Settings, where I’ll be prompted to install the Management Profile, and then redirected back to the Company Portal. I’m going to tap Next:

I’m going to tap Allow for the redirect to Settings:

Upon redirect to Settings, I’m going to tap Install:

Tap Install again:

I will be warned about how my IT Department will have visibility to the data on my iPad. Tap Install again:

Next, I will tap Trust, indicating I trust the source of this management profile (Microsoft) to enroll my iPad into remote management:

Once the process finishes, I’ll tap Done:


Upon tapping done, I’ll be redirected back to Company Portal:

It looks like enrollment is complete! I’ll tap Done.

Upon exiting the app, as part of my company’s policy, the Microsoft Outlook app will be installed. I need to tap Install to give my consent:

In addition, my company’s policy requires that I set a passcode on my iPad:

Next, I’m going to launch Outlook so I can access my email:

Notice my email profile is already configured! I’m going to tap Add Account:

And I’ll be taken directly to my mailbox:

I’m curious though, what are the other policies my company is applying to my device? Let’s launch Settings and take a look. Tapping General and then Management Profiles, I can see the various certificates being applied:

If I go back and tap Apps I can see the required apps my company is pushing and requiring me to install:

If I go back and tap Restrictions, I can see the restrictions on what my company will not allow me to do on my iPad. It looks like they block iCloud backup, block the camera, and require a passcode:

Conclusion: As you can see, the end user experience is straightforward and it is easy to enroll the device into Intune MDM. From here, depending upon how my IT Administrator configured policies, I can have VPN/WiFi profiles pushed down, printers configured and a vast amount of other configurations and customizations done to the device. Pretty cool!


Microsoft 365 Overview and Briefing (Video)

Microsoft 365 is a compelling offering that enables organizations ranging from small and mid-size businesses all the way to enterprises on their journey towards digital transformation. At a high level, Microsoft 365 combines the best of Windows 10, Office 365 and Enterprise Mobility + Security into a single offering that customers can purchase. However, what exactly is Microsoft 365, and what does it mean to have it? How does this technology help me and my organization? What does it mean to bring creativity into the workplace? How does teamwork enable a more collaborative environment? What do “integrated for simplicity” and “intelligent security” mean, and how do they impact me as an IT professional?

I recorded a short 20 minute presentation (click the video below to watch) that will give you an overview of Microsoft 365 Enterprise – and I hope that it will inspire you to learn more about the value this service provides and the incredible capabilities that can open new possibilities for your organization. Enjoy!

P.S. Stay tuned as I will soon have another blog post on a video of Microsoft 365 demo in action!

Gaining visibility to “shadow IT” and discovering cloud apps in use today

You may not realize it, but your organization is already operating in the cloud. Even if your IT department hasn’t deployed cloud services yet, your employees already have, and your organization is 100% responsible for the security and compliance of that data. This is known as “shadow IT”: an organization is using application services whose use IT has not yet approved, and it creates a major challenge for IT and a major risk for the organization.

As an IT professional for 15+ years, one of my top priorities is to help my fellow IT professionals understand shadow IT. It represents a major threat to us individually, because as business groups and teams within our organizations continue to go outside of IT for their technology needs, this contributes to the growing irrelevance of us (IT) and devalues what we do for the organization. In addition, if the data stored or used by these cloud applications is compromised, the business will turn back to IT to “solve and fix” the problem (which can be challenging when you have no control over that application and didn’t realize it was being used in the first place).

(In my experience, many IT professionals and senior IT leadership such as the IT Director or CIO may already be aware there is a shadow IT problem, but they may not know its severity or where to start the remediation process.)

Sure, you can attempt to “block” shadow IT, but blocking won’t solve the issue. Users will always find another way, and blocking will just inhibit the innovation, productivity and creativity that your users want (among other more important things such as employee recruiting/retention and organizational competitiveness). Therefore, it’s important we discover what apps are in use today and develop a strategy to control those apps and protect the data they access and use; then we can talk about what other apps we may want to block that aren’t approved.

There are three steps to creating an action plan that mitigates the challenge and risk of shadow IT:

  1. Gain visibility and discover what applications are in use, what authentication is being used, and the security and compliance posture of those applications. From here you can associate a level of risk and determine whether controlling or blocking makes sense.
  2. Through control of application use, policies can be developed (aligned to your organization’s compliance requirements) that define which applications are approved and how and what data can be in the cloud.
  3. By protecting against threats, define a baseline for application access, and analyze abnormal patterns and behaviors that stray from that baseline. Understand whether anomalies are actual threats and develop a strategy to address them.

(For an additional overview on shadow IT, download the free Microsoft ebook here.)

In this blog post, I will take you through the first step in this three step process, Visibility, using Microsoft Cloud App Security (CAS), which is part of the Enterprise Mobility + Security (EMS) suite of products. For a quick overview of CAS, watch this 2-minute video. The goal of this post is to inspire you to learn more about how you can develop a strategy for addressing shadow IT in your environment; it is not a complete “how to” guide.

IMPORTANT:
I will not be discussing licensing and how to purchase CAS, nor will I be discussing a detailed approach for how to plan, deploy and operate CAS in your environment. However, I do need to note that for the cloud application ranking to work, you must have Cloud App Security (E5); this will not work with E3 (for more information see this). For additional CAS topics, please refer to the excellent documentation we have located here.

Visibility – Discovering cloud applications users are accessing

To discover the cloud applications your users are accessing, Microsoft Cloud App Security (CAS) can be used. This provides an agentless and unobtrusive way to gain the visibility required, and is fast and easy to do. It is performed by uploading (manually or automatically) logs from your internet proxies or firewalls to CAS for analysis. CAS will analyze the traffic using a catalog of some 15,000 cloud applications and provide a risk score to help you assess the risk of each app within your organization. For more information on the firewalls and proxies that are supported, see Set Up Cloud Discovery.

As an example, let’s take a look at how to do this:

Log in to the Cloud App Security portal at https://portal.cloudappsecurity.com. Click the Discover menu, then select Create snapshot report.


In the Create new Cloud Discovery snapshot report dialog, fill out the required fields and select a data source. For my example I will choose a Blue Coat proxy access log. If this were a real report, under Choose traffic logs I would browse for that log file to upload. However, for my example I will click view and verify…, then select download sample log, and then upload that sample log by clicking Create:




Note: Notice the Anonymize private information check box. This is interesting: it can mask the actual usernames of your users to keep them private, and the masking can be lifted in a security investigation. Click here to learn more.

Once uploaded, the data will start to be parsed and processed. It’s important to note that this process may take up to 24 hours. When the processing is completed, the status of the report will change to Ready. Click on Ready to view the report.

For demonstration purposes, while that report is processing, let’s take a look at another report that is ready to view by clicking on Ready:


As you can see, the Dashboard tab provides an excellent overview of the types of applications and specifically which applications users are using, and even the top users who are using them. In the Discovered apps pane of the dashboard, let’s take a closer look at the cloud applications users are using. I’m going to change the sort from Traffic to Users so we can view how many users are using each app.

Note: There’s plenty more to the reports than what I am covering here; please refer to the documentation I previously mentioned for additional information.

IMPORTANT: Clicking on the icon in any of the dashboard panes will allow you to export the data to a .csv file. This is useful to continue to parse through the data and generate custom visuals (perhaps for a presentation to a customer or your IT leadership).


These applications are divided into three categories: Sanctioned (approved), Unsanctioned (not approved), and Other. Within Contoso, OneDrive for Business is approved, and that’s reflected below. However, the biggest unsanctioned application in use is Box, which is not approved. Let’s click on Box to examine additional details. Below we can see how many users, how much data traffic and even which users are using the application (by clicking on the Users tab):



Clicking on the Info tab will give me details about the cloud application, such as information about the company and various security and compliance details that will help me understand the risk this application may pose in my environment. Note the number in the upper right corner: this is the risk score that CAS assigns. Cloud applications are evaluated against a catalog of over 15,000 applications and are ranked and scored based on more than 60 risk factors such as:

  • Holding status of the company (private/public)
  • Encryption methods
  • Industry and regulatory compliance certification status (e.g. SOX, SSAE, etc.)

These risk scores can be customized and overridden, and you can even suggest an improvement on a risk if you disagree. Each item is ranked on a scale of 1-10 and carries a certain percentage weight in the overall risk score (also on a scale of 1-10).

Note: For more detailed information on risk scores click here.


Clicking the icon next to an item will display additional details of the risk:


Clicking the feedback icon next to an item will display a window where you can give feedback, such as specifying a suggested new value, for example if you find a discrepancy between CAS and the vendor’s documentation on their website. When submitting feedback you can suggest a new risk factor, update the score, or specify that the app is outdated, and also provide your email address for follow up if you like:


Speaking of risk factors, I mentioned that these can be customized. Clicking on the settings icon in the upper right corner and selecting Cloud Discovery Settings will display the settings for your discovery, starting with Configure Score Metric. For each of the categories, such as Founded, there is a slider that allows me to specify that category’s importance (and weight in the score). Sliding all the way to the left will ignore that category. This could be useful depending on the type of applications you find in your discovery, your industry and other preferences.


Clicking on the Discover menu and selecting Cloud Discovery Dashboard will take us back to the main dashboard. Notice the doughnut chart on the right side; let’s explore that a little deeper. I’m going to change the sort from Traffic to Apps. As I hover the cursor over “High, Medium and Low risk apps”, the chart will change to indicate how many apps fall into each of those three risk categories, further allowing me to develop an analysis of shadow IT within my environment. As I use that analysis to build a strategy for how to control and protect, filtering on the severity level (e.g. high) could allow me to prioritize which apps I want to solve for first.





Clicking on High risk apps will display, on the Discovered Apps tab, a breakdown of those discovered apps that meet the high risk criteria. Additional control of these apps can be performed from here, such as tagging an app as Sanctioned or Unsanctioned, and generating a block script (which is really cool!).


Lastly, as part of our initial discovery, let’s examine the users who are using these discovered apps. Clicking on the Users tab will display the top 100 users in the environment who are accessing these apps. From here, I will sort by highest upload (to see who is uploading the most organizational data to the apps) and then click that user to examine details; for example, it appears Maximillian@contoso.com is uploading the most data.


Clicking on Maximillian@contoso.com will display a dashboard specific to the apps that user is using and an overview of how much traffic and how many transactions are being performed.


Clicking on the Discovered Apps tab allows me to see the cloud applications this particular user is using:
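As an added example (not part of this post and not Cloud App Security’s own code), the Python below walks through the discovery step described above on a few constructed proxy log lines: it maps hosts to a tiny assumed catalog, aggregates users, traffic and upload per app, computes a weighted 1-10 risk score with adjustable per-factor weights (a weight of 0 plays the role of the slider pushed fully left), groups apps into High/Medium/Low with assumed thresholds, and finds the top uploader the way the Users tab sorted by upload does. The log format, catalog, factor scores, default weights and thresholds are all constructed for illustration.

```python
from collections import defaultdict

# Constructed, simplified proxy log (NOT a real Blue Coat format):
# timestamp user host bytes_uploaded bytes_downloaded
SAMPLE_LOG = """\
2018-03-01T09:00:01 maximillian@contoso.com upload.box.com 5000000 2000
2018-03-01T09:01:10 maximillian@contoso.com upload.box.com 7000000 2500
2018-03-01T09:02:00 alice@contoso.com api.box.com 1000 400000
2018-03-01T09:03:30 alice@contoso.com contoso-my.sharepoint.com 300000 120000
2018-03-01T09:04:00 bob@contoso.com contoso-my.sharepoint.com 20000 900000
2018-03-01T09:05:00 bob@contoso.com www.example-pastebin.test 150000 1000
"""

# Assumed mini catalog: hostname -> app name (CAS uses a catalog of thousands)
CATALOG = {
    "upload.box.com": "Box",
    "api.box.com": "Box",
    "contoso-my.sharepoint.com": "OneDrive for Business",
    "www.example-pastebin.test": "PasteSite (fictional)",
}
# Assumed per-factor scores, 1..10 where 10 is least risky (constructed values)
FACTORS = {
    "Box": {"holding": 10, "encryption": 9, "compliance": 8},
    "OneDrive for Business": {"holding": 10, "encryption": 10, "compliance": 10},
    "PasteSite (fictional)": {"holding": 3, "encryption": 4, "compliance": 1},
}
# Assumed default weights in percent (the Configure Score Metric sliders)
DEFAULT_WEIGHTS = {"holding": 20, "encryption": 40, "compliance": 40}
SANCTIONED = {"OneDrive for Business"}
UNSANCTIONED = {"Box"}


def parse_log(text):
    """Aggregate per discovered app: distinct users, total traffic, upload bytes."""
    apps = defaultdict(lambda: {"users": set(), "traffic": 0, "upload": 0,
                                "upload_by_user": defaultdict(int)})
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, user, host, up, down = line.split()
        app = CATALOG.get(host, "Unknown: " + host)
        entry = apps[app]
        entry["users"].add(user)
        entry["traffic"] += int(up) + int(down)
        entry["upload"] += int(up)
        entry["upload_by_user"][user] += int(up)
    return apps


def sanction_tag(app):
    """Sanctioned / Unsanctioned / Other, as the dashboard groups apps."""
    if app in SANCTIONED:
        return "Sanctioned"
    return "Unsanctioned" if app in UNSANCTIONED else "Other"


def risk_score(factors, weights=DEFAULT_WEIGHTS):
    """Weighted 1..10 score; a weight of 0 (slider fully left) ignores that factor."""
    total = sum(w for f, w in weights.items() if f in factors)
    if total == 0:
        raise ValueError("every factor is ignored; nothing to score")
    weighted = sum(factors[f] * w for f, w in weights.items() if f in factors)
    return round(weighted / total, 1)


def risk_bucket(score):
    """High/Medium/Low grouping; thresholds are assumed, not CAS's own."""
    if score <= 3:
        return "high"
    return "medium" if score <= 6 else "low"


def top_uploader(apps):
    """The user sending the most data to discovered apps (Users tab sorted by upload)."""
    per_user = defaultdict(int)
    for entry in apps.values():
        for user, sent in entry["upload_by_user"].items():
            per_user[user] += sent
    return max(per_user, key=per_user.get)
```
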


Conclusion

As you can see, Microsoft Cloud App Security can provide you with insights into both sanctioned (approved) and unsanctioned (unapproved) cloud applications that your users are using, to help you develop a strategy for mitigating shadow IT and ultimately enabling users to do their best work using the apps they want. In this blog post we covered the initial discovery at a high level; in future blog posts I will discuss how to implement controls around those applications, search them for data, and provide protection policies for the data in those apps. Enjoy!