understanding the benefits of azure ad, em+s and tips to get prepared for gdpr compliance

Ravikumar Sathyamurthy @shakthiravi Microsoft MVP | Office Servers and Services Understanding the benefits of Azure Active Directory, Enterprise Mobility + Security (EM+S) and Tips to get prepared for GDPR Compliance. 18/11/2017 www.anywherexchange.com

Upload: ravikumar-sathyamurthy

Post on 21-Jan-2018


TRANSCRIPT

Ravikumar Sathyamurthy @shakthiravi | Microsoft MVP | Office Servers and Services

Understanding the benefits of Azure Active Directory, Enterprise Mobility + Security (EM+S) and Tips to get prepared for GDPR Compliance.

18/11/2017 www.anywherexchange.com

• Identity as a Control Plane – Setting the Stage

• Azure AD and EM+S an Overview

• Understanding the benefits of Azure AD & EM+S

• Microsoft 365 Enterprise Introduction

• GDPR Overview

• Tips to get Prepared for GDPR Compliance

• Q&A

[Slide: Identity as a control plane. On-premises Windows Server Active Directory is synchronised to Microsoft Azure Active Directory (public cloud) through Azure AD Connect; Azure AD in turn federates with commercial IdPs, consumer IdPs, partners and customers.]

Azure Active Directory Premium

Built on top of the free offering, Azure AD Premium provides a robust set of capabilities to empower enterprises with demanding identity and access management needs.

Additionally, Azure AD Premium offers:

• An enterprise SLA of 99.9%

• Usage rights to Microsoft Identity Manager server and CALs

Azure AD editions: http://bit.ly/1gyDRoN

• Advanced user lifecycle management

• Low IT overhead

• Monitor your identity bridge

• Cloud-connected seamless authentication experience

• Single sign-on to 1000s of pre-integrated apps or your own apps

• Secure remote access to on-premises apps

• SSO to mobile apps

• Support for lift-and-shift to the cloud

• Control access to resources

• Safeguard user authentication

• Respond to advanced threats with risk-based policies and monitoring

• Mitigate administrative risks

• Governance of on-premises and cloud identities

• Ease of use for end users / integration with Office

• Cross-organization collaboration

• Any time, any place productivity with Windows 10

• Support for consumer-facing applications

1000s of apps, 1 identity: Provide one persona to the workforce for SSO to 1000s of cloud and on-premises apps.

Manage access at scale: Manage identities and access at scale in the cloud and on-premises.

Cloud-powered protection: Ensure user and admin accountability with better security and governance.

Enable business without borders: Stay productive with universal access to every app and collaboration capability.

Every Office 365 and Microsoft Azure customer uses Azure Active Directory.

[Slide statistics: 272K, 90%, 56K, 950M and 12.8M, with year-over-year growth figures of +30%, +45%, +74% and +200%; the labels for these Azure AD usage metrics did not survive extraction.]

Azure AD capabilities:

• Conditional Access

• Multi-Factor Authentication

• Addition of custom cloud apps

• Remote access to on-premises apps

• Privileged Identity Management

• Dynamic Groups

• Identity Protection

• Azure AD DS

• Office 365 App Launcher

• Group-based licensing

• Access Panel / MyApps

• Azure AD Connect

• Connect Health

• Provisioning and deprovisioning

• Azure AD Join

• Self-service capabilities

• MDM auto-enrollment / Enterprise State Roaming

• Security reporting

• Access Reviews

• HR app integration

• B2B collaboration

• Azure AD B2C

• SSO to SaaS

• Microsoft Authenticator: password-less access

Six customer scenarios these capabilities address:

1. I want to provide my employees secure and easy access to every application from any location and any device.

2. I need my customers and partners to access the apps they need from everywhere and collaborate seamlessly.

3. I want to quickly deploy applications to devices, do more with less and automate Join/Move/Leave processes.

4. I want to write applications that work with my corporate identities in Azure Active Directory.

5. I want to protect access to my resources from advanced threats.

6. I need to comply with industry regulation and national data protection laws.


ENTERPRISE MOBILITY + SECURITY

Identity-driven security: Holistic, intelligent, innovative security to keep up with new threats.

Comprehensive solution: Secure your enterprise fast, while keeping what you have and saving money.

Managed mobile productivity: Encourage secure work habits by providing the best apps with built-in security.

The four EMS pillars: Identity and access management; Managed mobile productivity; Information protection; Identity-driven security.

EMS E3 and EMS E5 components

Identity and access management

• Azure Active Directory Premium P1: Secure single sign-on to cloud and on-premises apps; MFA, conditional access, and advanced security reporting.

• Azure Active Directory Premium P2: Identity and access management with advanced protection for users and privileged identities (includes all capabilities in P1).

Mobile device & app management

• Microsoft Intune: Mobile device and app management to protect corporate apps and data on any device.

Information protection

• Azure Information Protection Premium P1: Encryption for all files and storage locations; cloud-based file tracking.

• Azure Information Protection Premium P2: Intelligent classification and encryption for files shared inside and outside your organization (includes all capabilities in P1).

Identity-driven security

• Microsoft Cloud App Security: Enterprise-grade visibility, control, and protection for your cloud applications.

• Microsoft Advanced Threat Analytics: Protection from advanced targeted attacks leveraging user and entity behavioral analytics.

Holistic and innovative solutions for protection across users, devices, apps and data:

• Protect at the front door (identity and access management): Azure Active Directory Premium, Microsoft Intune

• Protect your data anywhere: Azure Information Protection

• Detect & remediate attacks (threat detection): Microsoft Cloud App Security, Microsoft Advanced Threat Analytics

Pillar | Technology | Benefit | E3 | E5
Identity and access management | Azure Active Directory Premium P1 | Secure single sign-on to cloud and on-premises apps; MFA, conditional access, and advanced security reporting | ● | ●
Identity and access management | Azure Active Directory Premium P2 | Identity and access management with advanced protection for users and privileged identities | | ●
Managed mobile productivity | Microsoft Intune | Mobile device and app management to protect corporate apps and data on any device | ● | ●
Information protection | Azure Information Protection P1 | Encryption for all files and storage locations; cloud-based file tracking | ● | ●
Information protection | Azure Information Protection P2 | Intelligent classification and encryption for files shared inside and outside your organization | | ●
Threat detection | Microsoft Cloud App Security | Enterprise-grade visibility, control, and protection for your cloud applications | | ●
Threat detection | Microsoft Advanced Threat Analytics | Protection from advanced targeted attacks leveraging user and entity behavioral analytics | ● | ●

Office 365 versus Enterprise Mobility + Security

Identity and access management

Office 365: basic identity management via Azure AD for O365: single sign-on for O365; basic multi-factor authentication (MFA) for O365.

EMS (Azure AD for O365+): advanced security reports; single sign-on for all apps; advanced MFA; self-service group management, password reset and write-back to on-premises; dynamic groups and group-based licensing assignment.

Managed mobile productivity

Office 365: basic mobile device management via MDM for O365: device settings management; selective wipe; built into the O365 management console.

EMS (MDM for O365+): PC management; mobile app management (prevent cut/copy/paste/save-as from corporate apps to personal apps); secure content viewers; certificate provisioning; System Center integration.

Information protection

Office 365: RMS protection via RMS for O365: protection for content stored in Office (on-premises or O365); access to the RMS SDK; bring your own key.

EMS (RMS for O365+): automated intelligent classification and labeling of data; tracking and notifications for shared documents; protection for on-premises Windows Server file shares.

Identity-driven security

Office 365: Advanced Security Management: insights into suspicious activity in Office 365.

EMS: Cloud App Security (visibility and control for all cloud apps); Advanced Threat Analytics (identify advanced threats in on-premises identities); Azure AD Premium P2 (risk-based conditional access).

Windows 10 and Enterprise Mobility + Security

Identity and access management

Windows 10: single sign-on for business cloud apps; device setup and registration for Windows devices; Windows Store for Business; traditional domain join manageability.

EMS: conditional access policies for secure single sign-on; MDM auto-enrollment; self-service BitLocker recovery; password reset with write-back to on-premises; cloud-based advanced security reports and monitoring; Enterprise State Roaming.

Managed mobile productivity

Windows 10: manageability via MDM and MAM.

EMS: mobile device management; mobile app management; secure content viewer; certificate, Wi-Fi, VPN and email profile provisioning; agent-based management of Windows devices (domain-joined via ConfigMgr and internet-based via Intune).

Information protection

Windows 10: encryption for data at rest and generated on the device; encryption for data included in roaming settings.

EMS: automated intelligent classification and labeling of data; tracking and notifications for shared documents; protection for content stored in Office, Office 365 and Windows Server on-premises.

Identity-driven security

Windows 10: Windows Defender Advanced Threat Protection: identify advanced threats using Windows 10 behavioral sensors.

EMS: Cloud App Security (visibility and control for all cloud apps); Advanced Threat Analytics (behavioral analytics for advanced threat detection); Azure AD Premium (risk-based conditional access).

Microsoft 365: A complete, intelligent, secure solution to empower employees

Intelligent security; unlocks creativity; built for teamwork; integrated for simplicity.

Microsoft 365 powered device: The best way to deliver Microsoft 365 to your employees. Office 365 + Windows 10 + Enterprise Mobility + Security.

Office 365 Enterprise: chat-centric workspace; email & calendar; voice, video & meetings; Office applications / co-authoring; sites & content management; analytics; advanced security & compliance.

Enterprise Mobility + Security: identity & access management; managed mobile productivity; information protection; identity-driven security.

Windows 10 Enterprise: advanced endpoint security; designed for modern IT; more productive; powerful, modern devices.

Microsoft 365 Enterprise: https://docs.microsoft.com/en-us/microsoft-365-enterprise/

FastTrack for Microsoft 365: Move to the cloud with confidence

• Migrate email, content, and light up Microsoft 365 services

• Deploy and securely manage devices

• Enable your business and gain end-user adoption

• Delivered by Microsoft engineers as part of your subscription

• Tight integration with qualified partners for additional services

Outcomes: maximized ROI, faster deployment, higher adoption. FastTrack.microsoft.com

EU General Data Protection Regulation

The General Data Protection Regulation (GDPR) imposes new rules on organizations in the European Union (EU) and those that offer goods and services to people in the EU, or that collect and analyze data tied to EU residents, no matter where they are located.

• Enhanced personal privacy rights

• Increased duty to protect data

• Mandatory breach reporting

• Significant penalties for non-compliance

Who needs to be compliant? Organizations inside or outside of the EU that process personal data of EU residents.

What if we are not compliant? Companies can be fined up to €20m or 4% of annual global turnover, whichever is greater, for failure to meet GDPR requirements.

When must we be compliant? The European Parliament approved and adopted the GDPR in April 2016 and enforcement begins on May 25, 2018.

EU general data protection regulation timeline:

• 2012: European Commission publishes legislative proposal

• Separate negotiations within the Council and the European Parliament

• Spring 2014: European Parliament reaches agreement

• 2015: EU Council reaches agreement

• Negotiations and approval among the three institutions (Commission, Parliament, Council)

• April 27 2016: Regulation published in the Official Journal

• 2016/2017: Two-year implementation phase

• May 25 2018: Regulation applies going forward

What are the key changes to address the GDPR?

Personal privacy. Individuals have the right to:

• Access their personal data

• Correct errors in their personal data

• Erase their personal data

• Object to processing of their personal data

• Export personal data

Controls and notifications. Organizations will need to:

• Protect personal data using appropriate security

• Notify authorities of personal data breaches

• Obtain appropriate consents for processing data

• Keep records detailing data processing

Transparent policies. Organizations must:

• Provide clear notice of data collection

• Outline processing purposes and use cases

• Define data retention and deletion policies

IT and training. Organizations will need to:

• Train privacy personnel & employees

• Audit and update data policies

• Employ a Data Protection Officer (if required)

• Create & manage compliant vendor contracts

How the EU GDPR defines personal data

Personal data: Any information related to an identified or identifiable natural person, including direct and indirect identification. Examples include:

• Name

• Identification number (e.g., SSN)

• Location data (e.g., home address)

• Online identifier (e.g., e-mail address, screen names, IP addresses, device IDs)

Sensitive personal data: Personal data afforded enhanced protections:

• Genetic data (e.g., an individual’s gene sequence)

• Biometric data (e.g., fingerprints, facial recognition, retinal scans)

• Sub-categories of personal data including: racial or ethnic origin; political opinions, religious or philosophical beliefs; trade union membership; data concerning health; data concerning a person’s sex life or sexual orientation

Protecting customer privacy with GDPR: What does this mean for my data?


Step-by-Step GDPR Compliance

1. Discover: Identify what personal data you have and where it resides.

2. Manage: Govern how personal data is used and accessed.

3. Protect: Establish security controls to prevent, detect, and respond to vulnerabilities & data breaches.

4. Report: Keep required documentation, manage data requests and breach notifications.
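The Discover step is where tooling matters most: you cannot govern, protect or report on personal data you have not located. The Python script below is an added example (not part of the slide deck and not a Microsoft product) of a minimal personal-data discovery scan over a set of constructed documents. It finds the identifier types the deck lists (e-mail addresses, IP addresses, an identification number such as a US SSN), looks for terms indicating the special categories (health, trade union membership, and so on), validates hits so that placeholder values do not inflate the inventory, and assigns a classification label in the style an Azure Information Protection policy would apply. The regexes, keyword lists, label names and sample documents are all assumptions made for illustration.

```python
"""Discover personal data in documents and assign a protection label.

Added example for the Discover step of the GDPR slide; not Microsoft code and
not an AIP scanner. Patterns, keyword lists, labels and documents are constructed.
"""
import re
from collections import Counter
from typing import Dict, Set

# Direct and online identifiers from the slide's definition of personal data.
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")   # US SSN, the slide's example ID number

# Indicative terms for the special categories the slide lists (constructed list).
SPECIAL_CATEGORY_TERMS = {
    "health": ("diagnosis", "medical", "prescription"),
    "trade union membership": ("trade union", "union member"),
    "religious or philosophical belief": ("religion", "religious"),
    "political opinion": ("political party", "political opinion"),
    "biometric data": ("fingerprint", "retinal scan", "facial recognition"),
}

LABEL_GENERAL = "General"
LABEL_PERSONAL = "Confidential (personal data)"
LABEL_SENSITIVE = "Highly Confidential (sensitive personal data)"


def _valid_ipv4(candidate: str) -> bool:
    return all(0 <= int(octet) <= 255 for octet in candidate.split("."))


def _valid_ssn(area: str, group: str, serial: str) -> bool:
    # Never issued: area 000, 666 or 900-999; group 00; serial 0000.
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")


def find_personal_data(text: str) -> Counter:
    """Count validated identifier hits per type; invalid placeholders are dropped."""
    hits = Counter()
    hits["email"] = len(EMAIL_RE.findall(text))
    hits["ipv4"] = sum(1 for ip in IPV4_RE.findall(text) if _valid_ipv4(ip))
    hits["ssn"] = sum(1 for parts in SSN_RE.findall(text) if _valid_ssn(*parts))
    return hits


def find_special_categories(text: str) -> Set[str]:
    lower = text.lower()
    return {cat for cat, terms in SPECIAL_CATEGORY_TERMS.items()
            if any(term in lower for term in terms)}


def classify(text: str) -> dict:
    """Map a document to a label: sensitive data needs an identifier AND a special category."""
    personal = find_personal_data(text)
    special = find_special_categories(text)
    identified = any(personal.values())
    if identified and special:
        label = LABEL_SENSITIVE
    elif identified:
        label = LABEL_PERSONAL
    else:
        label = LABEL_GENERAL   # special terms without an identifier: flag for review only
    return {"label": label, "personal_data": dict(personal),
            "special_categories": sorted(special)}


def scan(documents: Dict[str, str]) -> Dict[str, dict]:
    """Inventory every document: the Discover output a DPO would start from."""
    return {name: classify(text) for name, text in documents.items()}


# Constructed sample corpus (RFC 5737 addresses, example domains, fake SSNs).
SAMPLE_DOCUMENTS = {
    "hr_records.txt": (
        "Employee: Jane Doe, SSN 123-45-6789, email jane.doe@contoso.example.\n"
        "Medical note: diagnosis of asthma, prescription renewed 2017-11-18.\n"
    ),
    "webserver.log": (
        '203.0.113.7 - - [18/Nov/2017:09:00:01 +0000] "GET /login HTTP/1.1" 200 512\n'
        '198.51.100.23 - - [18/Nov/2017:09:00:05 +0000] "POST /login HTTP/1.1" 302 0\n'
        '256.1.1.1 - - [18/Nov/2017:09:00:09 +0000] "GET / HTTP/1.1" 400 0\n'   # invalid octet
    ),
    "policy.txt": "Trade union representatives may attend the meeting.\n",
    "template.txt": "Enter the SSN as 999-99-9999 and the host as 256.1.1.1.\n",
}


if __name__ == "__main__":
    for name, result in scan(SAMPLE_DOCUMENTS).items():
        print(f"{name}: {result['label']} {result['personal_data']} {result['special_categories']}")
```

Running it gives an inventory that maps each document to its label, identifier counts and special categories. A document that only mentions special-category terms (policy.txt) stays at General but lists the category for manual review, because a keyword with no identifier is not personal data; a document of placeholders (template.txt) produces no hits at all. In production the same shape of output would come from a DLP or AIP scanner walking file shares and SharePoint rather than an in-memory dictionary.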

[Slide: the Microsoft Intelligent Security Graph draws signal from Bing, Xbox Live, OneDrive, Azure, Microsoft Accounts, Skype, the Microsoft Digital Crimes Unit and the Microsoft Cyber Defense Operations Center, and feeds Enterprise Mobility + Security and Azure Active Directory.]

[Slide: EMS protection flow. The products shown are Microsoft Intune, Azure Active Directory, Microsoft Cloud App Security, Azure Information Protection and Microsoft Advanced Threat Analytics. Conditional access evaluates user, device, apps, location and risk before access is granted to data; information protection then covers classify, label, protect and audit.]

DEMOS!

Risk-based conditional access

IF the sign-in shows:

• Privileged user?

• Credentials found in public?

• Accessing sensitive app?

• Unmanaged device?

• Malware detected?

• IP detected in botnet?

• Impossible travel?

• Anonymous client?

User risk: High / Medium / Low. Session risk: High / Medium / Low.

THEN:

• Require MFA

• Allow access

• Deny access

• Force password reset

• Limit access

Signal (10TB per day) comes from Azure, Bing, OneDrive, Xbox Live, Microsoft Accounts, Skype, the Microsoft Cyber Defense Operations Center and the Microsoft Cybercrime Center.
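To make the IF/THEN slide concrete, here is an added Python model (not Microsoft code and not the Identity Protection engine itself) of how those signals combine into a decision. Each sign-in is scored for session (sign-in) risk from the request itself (botnet IP, anonymizer, malware on the device, impossible travel computed with the haversine formula against the user's previous sign-in) and for user risk from the identity (leaked credentials, or an accumulated risky sign-in); the policy then applies the most restrictive matching control. The network ranges, app and user lists, the 900 km/h travel threshold and the sign-in events are all constructed assumptions.

```python
"""Risk-based conditional access: combine sign-in signals into a policy decision.

Added example modelled on the IF / THEN slide; a simplified illustration, not
Microsoft's Identity Protection engine. All reference data below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from math import asin, cos, radians, sin, sqrt
from typing import Optional

# Constructed threat intelligence (RFC 5737 documentation ranges, not real indicators).
ANONYMIZER_RANGES = [ip_network("198.51.100.0/24")]   # Tor / VPN exit nodes
BOTNET_RANGES = [ip_network("203.0.113.0/24")]        # hosts seen talking to a C2
SENSITIVE_APPS = {"HR Portal", "Azure portal"}          # apps that always warrant MFA
PRIVILEGED_USERS = {"admin@contoso.example"}            # Global Admins and similar
LEAKED_CREDENTIALS = {"bob@contoso.example"}            # found in a public credential dump
MAX_PLAUSIBLE_KMH = 900.0   # faster than an airliner between sign-ins = impossible travel


@dataclass
class SignIn:
    user: str
    app: str
    ip: str
    lat: float
    lon: float
    at: datetime
    managed_device: bool
    malware_detected: bool = False


def make_signin(user, app, ip, lat, lon, iso_time, managed_device, malware_detected=False):
    """Build a SignIn from an ISO-8601 timestamp string."""
    return SignIn(user, app, ip, lat, lon, datetime.fromisoformat(iso_time),
                  managed_device, malware_detected)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    a = (sin(radians(lat2 - lat1) / 2) ** 2
         + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(prev: Optional[SignIn], cur: SignIn) -> bool:
    """True when the same user would have had to exceed MAX_PLAUSIBLE_KMH."""
    if prev is None or prev.user != cur.user:
        return False
    km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.at - prev.at).total_seconds() / 3600.0
    if hours <= 0:                 # same instant or out-of-order events
        return km > 50.0
    return km / hours > MAX_PLAUSIBLE_KMH


def in_ranges(ip: str, ranges) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in ranges)


def decide(prev: Optional[SignIn], cur: SignIn) -> dict:
    """Evaluate one sign-in (optionally against the user's previous one)."""
    signals = {
        "privileged_user": cur.user in PRIVILEGED_USERS,
        "leaked_credentials": cur.user in LEAKED_CREDENTIALS,
        "sensitive_app": cur.app in SENSITIVE_APPS,
        "unmanaged_device": not cur.managed_device,
        "malware_detected": cur.malware_detected,
        "botnet_ip": in_ranges(cur.ip, BOTNET_RANGES),
        "impossible_travel": impossible_travel(prev, cur),
        "anonymous_client": in_ranges(cur.ip, ANONYMIZER_RANGES),
    }
    # Session (sign-in) risk: how suspicious is THIS request?
    if signals["botnet_ip"] or signals["malware_detected"]:
        session_risk = "High"
    elif signals["anonymous_client"] or signals["impossible_travel"]:
        session_risk = "Medium"
    else:
        session_risk = "Low"
    # User risk: how likely is the IDENTITY compromised? Leaked credentials are
    # decisive; a risky sign-in also raises the user's standing risk.
    if signals["leaked_credentials"]:
        user_risk = "High"
    elif session_risk != "Low":
        user_risk = "Medium"
    else:
        user_risk = "Low"
    # THEN: the most restrictive matching control wins.
    if session_risk == "High":
        action = "Deny access"
    elif user_risk == "High":
        action = "Force password reset"
    elif signals["unmanaged_device"] and signals["sensitive_app"]:
        action = "Limit access"          # e.g. browser-only session, no download
    elif user_risk == "Medium" or signals["privileged_user"] or signals["sensitive_app"]:
        action = "Require MFA"
    else:
        action = "Allow access"
    return {"user_risk": user_risk, "session_risk": session_risk,
            "action": action, "signals": signals}


if __name__ == "__main__":
    # Constructed sign-in events (RFC 5737 addresses; coordinates are Seattle and London).
    first = make_signin("alice@contoso.example", "Outlook", "192.0.2.10",
                        47.6062, -122.3321, "2017-11-18T09:00:00", True)
    second = make_signin("alice@contoso.example", "Outlook", "192.0.2.77",
                         51.5074, -0.1278, "2017-11-18T10:00:00", True)
    for label, prev, cur in [("alice first", None, first), ("alice one hour later", first, second)]:
        d = decide(prev, cur)
        print(f"{label}: user={d['user_risk']} session={d['session_risk']} -> {d['action']}")
```

The ordering of the THEN branch is the design point: a high session risk denies regardless of who the user is, a compromised identity gets a password reset before any MFA prompt (MFA alone would let the attacker keep using the stolen password), and "Limit access" sits between the two because an unmanaged device on a sensitive app is a data-exfiltration concern rather than an identity one. Alice's second sign-in an hour after the first from roughly 7,700 km away trips the impossible-travel check and is stepped up to MFA without being blocked outright.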

Privileged Identity Management

• Discover, restrict, and monitor privileged identities

• Enforce on-demand, just-in-time administrative access when needed

• Administrator privileges expire after a specified interval (the slide shows a domain user elevated to Global Administrator and returned to domain user once the interval ends)

• Use alerts, audit reports and access reviews

https://servicetrust.microsoft.com/

Microsoft.com/GDPR

Microsoft Online Services and GDPR

• Microsoft Azure

• Office and Office 365

• Microsoft Dynamics 365

• Enterprise Mobility Suite

• Windows and Windows Server

• SQL Server

Q&A