Tuesday, March 1, 2022


This is a continuation of a series of articles on Azure services from an operational engineering perspective with the most recent introduction to Microsoft Intune with the link here. The previous article mentioned Microsoft 365 capabilities. This article discusses data privacy with Microsoft 365.  

Microsoft 365 for enterprise is a complete, intelligent solution that empowers everyone to be creative and work together securely. It is designed for large organizations, but it can also be used for medium-sized and small businesses that need the most advanced security and productivity capabilities.   

Microsoft 365 scenarios include productivity, collaboration, education, people, and workplace intelligence. It includes services that manage user and device identity, access, compliance and security, and that help protect organizations from data leakage or loss.

An organization may be subject to regional data privacy regulations that require rights and controls over the protection, management, and provisioning of personal information stored in its IT infrastructure. One example of such a regulation is the General Data Protection Regulation (GDPR). Failure to comply with a data privacy regulation can result in substantial fines.

Examples of the types of data in Microsoft 365 include chat sessions in Microsoft Teams, emails in Exchange, and files in SharePoint and OneDrive. The steps to assess risks and to take appropriate actions to protect this data in Microsoft 365 are discussed in this section. The Microsoft 365 identity, device and threat protection controls also contribute to data privacy needs and provide additional information.

The data privacy capabilities are brought together by several features. Compliance Manager helps manage regulatory compliance activities, gives an overall score for the current compliance configuration, and finds recommendations for improvement; it is a workflow-based risk assessment tool.

Microsoft Defender for Office 365 helps protect Microsoft 365 apps and data, such as email messages, Office documents and collaboration tools, from attack.

Sensitivity labels help classify and protect the organization’s data without hindering the productivity of users and their ability to collaborate.

The data loss prevention (DLP) capabilities help detect, warn about and block risky, inadvertent or inappropriate sharing of data containing personal information, both internally and externally.

Retention labels and retention policies help implement governance controls and data retention.

The email encryption capability helps protect personal data in transit by sending and receiving encrypted email messages.

These capabilities put safeguards in place, but continuous monitoring, investigation and response to security incidents will nevertheless be required.

Microsoft 365 is an identity-based cloud. When the identities are isolated, it becomes a sovereign cloud. The standard Microsoft 365 cloud is used by enterprise, academic and even home Office 365 tenants. It has the most features and tools, global availability, and the lowest prices. Since it is the default choice between the clouds, everyone qualifies. The sovereign Microsoft 365 clouds are geared for advanced data protection, both by virtue of isolated identities and through better controls.

Monday, February 28, 2022

 This is a continuation of a series of articles on Azure services from an operational engineering perspective with the most recent introduction to Microsoft Intune with the link here. The previous article mentioned Microsoft Intune with its device and application management capabilities. This article discusses its usage with Microsoft 365. 

Microsoft 365 for enterprise is a complete, intelligent solution that empowers everyone to be creative and work together securely. It is designed for large organizations, but it can also be used for medium-sized and small businesses that need the most advanced security and productivity capabilities.  

Microsoft 365 scenarios include productivity, collaboration, education, people, and workplace intelligence. It includes services that manage user and device identity, access, compliance and security, and that help protect organizations from data leakage or loss.

The scenario used to describe Microsoft 365 is often the one used to set up the infrastructure for hybrid work. This is achieved by allowing on-site and remote workers to access the organization’s on-premises and cloud-based information, tools, and resources easily and securely. 

Microsoft 365 for enterprise consists of local and cloud-based applications and productivity services, Windows 10 Enterprise, and device management and advanced security services. The applications work with a full suite of online services for email, file storage and collaboration, meetings and more. Windows 10 Enterprise improves productivity and security and, for IT professionals, provides comprehensive deployment, device, and app management. The device management and advanced security services include Microsoft Intune, which enables workforce productivity while protecting organizational data.

Microsoft 365 Enterprise is available in three plans: E3, E5 and F3. E3 provides access to the Microsoft 365 core products and features that further workforce productivity. E5 includes Defender for Office 365, security tools and collaboration tools; it includes all the E3 capabilities plus advanced security, voice, and data analysis tools. F3 helps workers in the field with purpose-built tools and resources.

Microsoft 365 add-ons are available for E3 users: Identity and Threat Protection, Information Protection and Compliance, Microsoft 365 E5 Compliance, and Microsoft 365 E5 Insider Risk. These add-ons let E3 users take advantage of features in E5.

With these capabilities, IT professionals managing on-site and cloud-based infrastructure enable hybrid worker productivity. Those workers can access cloud-based services and data in their Microsoft 365 subscription, as well as organizational resources, anytime and from anywhere. Their sign-ins are secured, and their applications and devices can be managed with cloud security. Hybrid workers can be as productive and collaborative as they are on-premises.

Sunday, February 27, 2022

This is a continuation of a series of articles on Azure services from an operational engineering perspective with the most recent introduction to Microsoft Intune with the link here. The previous article mentioned Microsoft Intune with its device and application management capabilities. This article discusses its usage with Microsoft 365. 

Microsoft 365 for enterprise is a complete, intelligent solution that empowers everyone to be creative and work together securely. It is designed for large organizations, but it can also be used for medium-sized and small businesses that need the most advanced security and productivity capabilities.  

Microsoft 365 scenarios include productivity, collaboration, education, people, and workplace intelligence. It includes services that manage user and device identity, access, compliance and security, and that help protect organizations from data leakage or loss.

The standard Microsoft 365 cloud is used by enterprise, academic and even home Office 365 tenants. It has the most features and tools, global availability, and the lowest prices. Since it is the default choice between the clouds, everyone qualifies. That said, there are sovereign Microsoft 365 clouds for advanced data protection.

The scenario used to describe Microsoft 365 is often the one used to set up the infrastructure for hybrid work. This is achieved by allowing on-site and remote workers to access the organization’s on-premises and cloud-based information, tools, and resources easily and securely. The key layers of architecture that empower these workers include the following capabilities.

MFA enforced with security defaults helps protect against compromised identities and devices by requiring a second form of authentication for sign-ins. Optionally, Conditional Access can enforce MFA based on the properties of the sign-in. Conditional Access policies can also be authored to be risk-based, so that sign-ins are protected with Azure AD Identity Protection. Self-service password reset is another feature, where Intune can step in with automations that are self-service for the users. It leverages Azure Active Directory to turn on self-service password reset, for which the organization’s workforce is asked to register. When they register, they get instructions for resetting their password themselves.

Azure AD Application Proxy provides remote access to web-based applications hosted on intranet servers. Azure point-to-site VPN can create a secure connection from a remote worker’s device to the intranet through an Azure virtual network. Windows 365 supports remote workers who can only use their personal, unmanaged devices by giving them Windows 365 Cloud PCs. Remote Desktop Services allows employees to connect to their domain-joined Windows computers, and Remote Desktop Services Gateway encrypts the communications and prevents the RDS hosts from being directly exposed to the internet.

Microsoft Intune manages devices and applications. Configuration Manager manages software installations, updates, and settings on the devices. Endpoint Analytics determines the update readiness of the Windows clients. Windows Autopilot sets up and pre-configures Windows devices.

With these capabilities, IT professionals managing on-site and cloud-based infrastructure enable hybrid worker productivity. Those workers can access cloud-based services and data in their Microsoft 365 subscription, as well as organizational resources, anytime and from anywhere. Their sign-ins are secured, and their applications and devices can be managed with cloud security. Hybrid workers can be as productive and collaborative as they are on-premises.

One of the ways for new and upcoming services involves writing APIs once but exposing them through Microsoft Graph and other outlets with the help of wrappers.


Saturday, February 26, 2022


This is a continuation of a series of articles on Azure services from an operational engineering perspective with the most recent introduction to Microsoft 365 with the link here. The previous article mentioned Microsoft 365 with its broad capabilities. This article discusses its usage with Intune and Microsoft Graph. 

Microsoft 365 for enterprise is a complete, intelligent solution that empowers everyone to be creative and work together securely. It is designed for large organizations, but it can also be used for medium-sized and small businesses that need the most advanced security and productivity capabilities. Microsoft Intune manages devices and applications. Configuration Manager manages software installations, updates, and settings on the devices. Endpoint Analytics determines the update readiness of the Windows clients. Windows Autopilot sets up and pre-configures Windows devices.

Microsoft Intune APIs expose all features of Microsoft Intune for programmatic access. They can be used to define and enforce compliance policies, protect company data, create and deploy device configuration policies, create and deploy device access control policies, and perform remote actions to manage devices. They can be used to deploy apps to devices, manage access to eBooks, and define and deploy app configuration settings, app protection settings, and app usage policies. They can be used to automate defining and assigning role-based access control, auditing and reporting on compliance, usage and access, and managing telecom expenses. All the Intune APIs are made available via Microsoft Graph.

Microsoft Graph enables integration with the best of Microsoft 365, Windows 10 and the Enterprise Mobility + Security services in Microsoft 365, using a standard set of REST APIs and client libraries for all data sources, which makes it convenient for developers to integrate different data sources seamlessly. It uses the concepts of users and groups to elaborate on these functionalities. A user is an individual who uses Microsoft 365 cloud services; for Microsoft Graph, the user is the focus for which identity is protected and access is well managed. The data associated with this entity, and the opportunities to enrich its context, provide real-time information and deep insights, are what make Microsoft Graph so popular. A group is the fundamental entity that lets users collaborate and integrate with other services, enabling scenarios for task planning, teamwork, education and more.

By providing a common API framework that exposes device management and application management capabilities to developers building mobility and security services on Microsoft 365, the combination of Intune, Microsoft 365 and Graph provides unparalleled capabilities. With these capabilities, IT professionals managing on-site and cloud-based infrastructure enable hybrid worker productivity. Those workers can access cloud-based services and data in their Microsoft 365 subscription, as well as organizational resources, anytime and from anywhere. Their sign-ins are secured, and their applications and devices can be managed with cloud security. Hybrid workers can be as productive and collaborative as they are on-premises.


Friday, February 25, 2022

This is a continuation of a series of articles on Azure services from an operational engineering perspective with the most recent introduction to Microsoft Intune with the link here. The previous article mentioned Microsoft Intune with its device and application management capabilities. This article discusses its usage with Microsoft 365. 

Microsoft 365 for enterprise is a complete, intelligent solution that empowers everyone to be creative and work together securely. It is designed for large organizations, but it can also be used for medium-sized and small businesses that need the most advanced security and productivity capabilities. 

Microsoft 365 scenarios include productivity, collaboration, education, people, and workplace intelligence. It includes services that manage user and device identity, access, compliance and security, and that help protect organizations from data leakage or loss.

The standard Microsoft 365 cloud is used by enterprise, academic and even home Office 365 tenants. It has the most features and tools, global availability, and the lowest prices. Since it is the default choice between the clouds, everyone qualifies. That said, there are sovereign Microsoft 365 clouds for advanced data protection.

The scenario used to describe Microsoft 365 is often the one used to set up the infrastructure for hybrid work. This is achieved by allowing on-site and remote workers to access the organization’s on-premises and cloud-based information, tools, and resources easily and securely. The key layers of architecture that empower these workers include the following capabilities.

MFA enforced with security defaults helps protect against compromised identities and devices by requiring a second form of authentication for sign-ins. Optionally, Conditional Access can enforce MFA based on the properties of the sign-in. Conditional Access policies can also be authored to be risk-based, so that sign-ins are protected with Azure AD Identity Protection. Self-service password reset is another feature, where Intune can step in with automations that are self-service for the users. It leverages Azure Active Directory to turn on self-service password reset, for which the organization’s workforce is asked to register. When they register, they get instructions for resetting their password themselves.

Azure AD Application Proxy provides remote access to web-based applications hosted on intranet servers. Azure point-to-site VPN can create a secure connection from a remote worker’s device to the intranet through an Azure virtual network. Windows 365 supports remote workers who can only use their personal, unmanaged devices by giving them Windows 365 Cloud PCs. Remote Desktop Services allows employees to connect to their domain-joined Windows computers, and Remote Desktop Services Gateway encrypts the communications and prevents the RDS hosts from being directly exposed to the internet.

Microsoft Intune manages devices and applications. Configuration Manager manages software installations, updates, and settings on the devices. Endpoint Analytics determines the update readiness of the Windows clients. Windows Autopilot sets up and pre-configures Windows devices.

With these capabilities, IT professionals managing on-site and cloud-based infrastructure enable hybrid worker productivity. Those workers can access cloud-based services and data in their Microsoft 365 subscription, as well as organizational resources, anytime and from anywhere. Their sign-ins are secured, and their applications and devices can be managed with cloud security. Hybrid workers can be as productive and collaborative as they are on-premises.

Thursday, February 24, 2022


This is a continuation of a series of articles on Azure services from an operational engineering perspective with the most recent introduction to Microsoft Intune with the link here. The previous article mentioned Microsoft Intune with its device and application management capabilities. This article discusses the APIs for Microsoft Intune.  

These APIs expose all features of Microsoft Intune for programmatic access. They can be used to define and enforce compliance policies, protect company data, create and deploy device configuration policies, create and deploy device access control policies, and perform remote actions to manage devices. They can be used to deploy apps to devices, manage access to eBooks, and define and deploy app configuration settings, app protection settings, and app usage policies. They can be used to automate defining and assigning role-based access control, auditing and reporting on compliance, usage and access, and managing telecom expenses. All the Intune APIs are made available via Microsoft Graph.

Microsoft Graph enables integration with the best of Microsoft 365, Windows 10 and the Enterprise Mobility + Security services in Microsoft 365, using REST APIs and client libraries. It uses the concepts of users and groups to elaborate on these functionalities. A user is an individual who uses Microsoft 365 cloud services; for Microsoft Graph, the user is the focus for which identity is protected and access is well managed. The data associated with this entity, and the opportunities to enrich its context, provide real-time information and deep insights, are what make Microsoft Graph so popular. A group is the fundamental entity that lets users collaborate and integrate with other services, enabling scenarios for task planning, teamwork, education and more.

Microsoft 365 for enterprise is a complete, intelligent solution that empowers everyone to be creative and work together securely. It is designed for large organizations, but it can also be used for medium-sized and small businesses that need the most advanced security and productivity capabilities.

Microsoft 365 scenarios include productivity, collaboration, education, people, and workplace intelligence. It includes services that manage user and device identity, access, compliance and security, and that help protect organizations from data leakage or loss.

The standard Microsoft 365 cloud is used by enterprise, academic and even home Office 365 tenants. It has the most features and tools, global availability and the lowest prices. Since it is the default choice between the clouds, everyone qualifies. That said, there are sovereign Microsoft 365 clouds for advanced data protection.

Together, Intune, Microsoft Graph and Microsoft 365 can ensure a modern workplace.


Wednesday, February 23, 2022

This is a continuation of a series of articles on Azure services from an operational engineering perspective with the most recent introduction to Microsoft Intune with the link here. The previous article mentioned Microsoft Intune with its device management capabilities. This article discusses the lifecycle of devices and applications. 

Microsoft Intune is a cloud-based service that manages devices and their applications. These devices can include mobile phones, tablets, and notebooks. It can help configure specific policies to control applications. It allows people in the organization to use their devices for school or work. The data stays protected, and organizational data can be isolated from personal data on the same device. It is part of Microsoft’s Enterprise Mobility + Security (EMS) suite. It integrates with Azure Active Directory to control who has access and what they can access, and with Azure Information Protection for data protection.

Intune can help with the lifecycle management of devices and applications. All devices go through various stages of the lifecycle, from enrollment, through configuration and protection, to retiring the device when it is no longer required. As an example, a phone used by an end user for work purposes must first be enrolled with an Intune account to allow the company to manage it, then it must be configured for compliance and the data stored on it must be protected, and finally the device must be retired by wiping all the sensitive data.

Setting up device enrollment is the first step, and the devices that can be enrolled vary in size, shape, model, and functionality. Even personal notebooks can be enrolled, with the guarantee that the data will be isolated between work and personal use.

Devices must be configured next to leverage all the offerings of Intune: to be secure and compliant with company standards, to manage how the devices operate, and to adhere to one or more policies. Devices do not necessarily lose functionality when they are configured; they might just have more protection added around using that functionality. When users want to access company resources such as their work email or the company network, they need not know all the complex settings; Intune reduces this burden for them. The Intune client software can also add more device management capabilities to the devices.

Protection of the device is against unauthorized access or malicious attacks. These additional layers of protection are provided by multi-factor authentication, Windows Hello for Business settings, and policies applied with the Intune client software.

Finally, the devices reach the end of the lifecycle, which includes resetting them and removing them from management. If they are lost or stolen, they must be properly replaced.

The app lifecycle is somewhat like the device lifecycle in that it is also cyclic, but it goes through the stages add, deploy, configure, protect and retire. The first step is adding the application; the procedure remains the same for many different types of applications. The next stage is deploy, where Intune assigns the application to devices and users. Additionally, in some app stores, app licenses can be purchased in bulk across users. Deployment is transparent; for example, license usage can be tracked from the Intune administration console. The configure part of the lifecycle is easy to do with the tools Intune provides and generally involves updating the application, configuring extra functionality, and managing browser policies. Intune gives many ways to help protect the data in the applications, but the main ones are conditional access and app protection policies. The former controls access to, say, email and services based on conditions, and the latter protects company data used by the applications by, say, preventing them from running if the device is jailbroken or rooted. Finally, an application can become outdated or need to be removed, and this is made easy with uninstallation.

Together, device and application lifecycle management can ensure that devices and apps pose no risk to the company and allow the devices to expand their capabilities safely and securely.
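The Intune APIs reached through Microsoft Graph (described in the earlier posts) and the retire step of the device lifecycle above come together in an operational audit like the one below. This is an added example, not code from the original posts or from Microsoft; it assumes the Graph v1.0 collection GET /deviceManagement/managedDevices with the managedDevice properties id, deviceName, complianceState, lastSyncDateTime and managedDeviceOwnerType, the POST .../managedDevices/{id}/retire action, and a constructed two-page response so it runs offline.

```python
"""Audit Intune managed devices from a Microsoft Graph response and plan end-of-lifecycle actions.

Added example (not from the original posts). The HTTP layer is injected as a callable so the
constructed pages below stand in for Graph; swap in a real authenticated GET to run it live.
"""
from datetime import datetime, timedelta, timezone
from typing import Callable

GRAPH = "https://graph.microsoft.com/v1.0"
DEVICES_URL = f"{GRAPH}/deviceManagement/managedDevices"

# Compliance states that deserve a human look before the device keeps its access.
ATTENTION_STATES = {"noncompliant", "conflict", "error", "inGracePeriod"}

# Constructed two-page response shaped like Graph's JSON; every value is made up.
SAMPLE_PAGES = {
    DEVICES_URL: {
        "value": [
            {"id": "dev-001", "deviceName": "LAPTOP-ALICE", "complianceState": "compliant",
             "lastSyncDateTime": "2022-02-28T09:15:00.1234567Z", "managedDeviceOwnerType": "company"},
            {"id": "dev-002", "deviceName": "PHONE-BOB", "complianceState": "noncompliant",
             "lastSyncDateTime": "2022-02-27T18:00:00Z", "managedDeviceOwnerType": "personal"},
            {"id": "dev-003", "deviceName": "TABLET-OLD", "complianceState": "compliant",
             "lastSyncDateTime": "2021-12-10T11:30:00Z", "managedDeviceOwnerType": "personal"},
        ],
        "@odata.nextLink": DEVICES_URL + "?$skiptoken=CONSTRUCTED-TOKEN",
    },
    DEVICES_URL + "?$skiptoken=CONSTRUCTED-TOKEN": {
        "value": [
            {"id": "dev-004", "deviceName": "PHONE-CAROL", "complianceState": "inGracePeriod",
             "lastSyncDateTime": "2022-03-01T07:00:00Z", "managedDeviceOwnerType": "personal"},
        ],
    },
}


def fetch_all(get: Callable[[str], dict], url: str = DEVICES_URL) -> list[dict]:
    """Follow @odata.nextLink until the collection is exhausted; Graph pages large tenants."""
    devices: list[dict] = []
    while url:
        page = get(url)
        devices.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return devices


def parse_graph_time(ts: str) -> datetime:
    """Graph emits UTC timestamps with optional fractional seconds; keep the second-level prefix."""
    if not ts.endswith("Z"):
        raise ValueError(f"expected a UTC timestamp ending in Z: {ts}")
    return datetime.strptime(ts[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def classify(device: dict, now: datetime, stale_days: int = 30) -> str:
    """Map one managedDevice to a lifecycle action: retire, investigate or ok."""
    last_sync = parse_graph_time(device["lastSyncDateTime"])
    if now - last_sync > timedelta(days=stale_days):
        return "retire"        # silent device: remove company data and end management
    if device.get("complianceState") in ATTENTION_STATES:
        return "investigate"   # active but failing policy: check before it loses access
    return "ok"


def plan_actions(devices: list[dict], now: datetime, stale_days: int = 30) -> dict[str, list[str]]:
    """Group device ids by the action the audit recommends."""
    plan: dict[str, list[str]] = {"retire": [], "investigate": [], "ok": []}
    for device in devices:
        plan[classify(device, now, stale_days)].append(device["id"])
    return plan


def retire_request(device_id: str) -> tuple[str, str]:
    """The Graph retire action is a bodiless POST on the device resource."""
    return ("POST", f"{DEVICES_URL}/{device_id}/retire")


if __name__ == "__main__":
    audit_time = datetime(2022, 3, 1, tzinfo=timezone.utc)   # constructed audit time
    plan = plan_actions(fetch_all(SAMPLE_PAGES.__getitem__), audit_time)
    for dev_id in plan["retire"]:
        print(*retire_request(dev_id))
```

The retire call is shown as a request and not sent, so the plan can be reviewed before any device has its company data removed.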