How to Make the Most out of the Microsoft Licensing to Secure Your Environment
In this multi-part blog, we will walk through the best ways to take on the challenges around successfully implementing your M365 licensing while increasing your ability to secure the environment. Challenges include how to plan for the integration of the M365 product suite with existing processes to maximize the investment in the licensing that was purchased and being able to manage the amount of change that the M365 adoption can bring in a consumable way.
Previous parts of this series discussed the importance of Identity and Access Management (IAM) and of protecting data throughout the environment. Those posts touched on external identities and sharing; this part returns to those two topics and looks in depth at the solutions Microsoft provides as part of M365 licensing for managing people from outside our organizations and the data they may have access to.
Managing External Identities
Managing users who come in from outside the organization has always been difficult, because there has been limited configuration and control over how, when, and to what those users can connect. These are conditions we need to establish even more tightly for external parties than for our internal users. The question is how to do that without generating huge amounts of overhead and oversight. Unfortunately, the answer is not universal, but it will involve a combination of the following:
Azure B2B
Azure Business to Business (Azure B2B) has been a foundational component of the external identity strategy for a long time. The solution has evolved over the years to add capabilities for controlling and gaining visibility into what guest users are doing. The basic Azure B2B process is that an internal user adds an external user to an internal resource. An invitation is then sent to the external user, who authenticates with the account the invitation was sent to. This creates an AAD object in the tenant that is designated as a “Guest.” The process works, but it is hard to centrally manage and audit. There are options, though:
- Limit those who can invite and who can be invited – This is a fundamental decision to make when configuring the AAD tenant. If the decision is to leave the directory with the default settings, then any user will be able to invite any external user to share anything in the environment. This is low maintenance but can create significant challenges in tracking and managing external identities. There are options, though, to limit the users who can invite external identities to just a subset of users within security groups. It is also possible to limit the people who can be invited to specific domains.
- Configure Cross Tenant Access (CTA) – CTA is a newer option in the battle to manage external identities. CTA allows a number of things to happen and be configured:
  - Specific external AAD tenants can be added to the CTA configuration so that a federation is set up with that other AAD directory.
  - The federation is one-way: the configuration applies only in the directory where it is performed.
  - Once the federation is set up, access can be scoped to a single security group, so unless the external users are members of that security group, they will not be able to gain access to the AAD tenant as an external identity.
  - The configuration can dictate whether either of the following will be accepted from the external directory:
    - MFA tokens
    - Device Compliance
  - Both inbound and outbound settings can be configured for the AAD directory that is in scope.
  - B2B Direct Connect – This is an additional capability that allows the use of Shared Channels in Microsoft Teams. To set this up, though, both AAD tenants need to have CTA configured for the users involved in the shared channel. The result is that, from a user perspective, there is no need to switch back and forth between tenants within the Teams applications; everything can be seen within a single session.
  - Cross-tenant access overview - Microsoft Entra | Microsoft Learn
- Self Service Sign-up – This capability has been available for a while, but it is not regularly used. It allows workflows to be created so that an external user can request access to a resource within the tenant. This is especially useful when the access is for a specific application, and the feature can be enabled on a per-app basis to provide a better overall user experience.
- Conditional Access (CA) – This has always been a key component of securing identities, and it remains just as important for managing external users. Within CA, policies can be scoped to “Guest” users, and this should be used to control the requirements for MFA, application access, and other criteria based on the specific use cases present.
- Enable multiple Identity Providers – Microsoft now supports the ability to leverage other external identity providers such as Google and Facebook. These should be evaluated and configured where they help meet the overall requirements for external identities.
- Azure AD B2B collaboration overview - Microsoft Entra | Microsoft Learn
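To make the CTA settings above concrete, here is an added example (not code from the original post) that builds the inbound partner configuration for one external tenant and checks it against the recommendations in this section: scope to a single security group, and decide explicitly whether the partner's MFA and device compliance claims are accepted. The body follows the shape of the Microsoft Graph cross-tenant access policy partner object; the tenant and group IDs are placeholders, and nothing here calls Graph.

```python
"""Build and review a cross-tenant access (CTA) partner configuration.

Added example, not the post's code. Shape follows the Microsoft Graph
crossTenantAccessPolicy partner object; IDs below are placeholders.
"""
from __future__ import annotations

PARTNER_TENANT = "00000000-0000-0000-0000-00000000aaaa"  # placeholder partner tenant
PARTNER_GROUP = "00000000-0000-0000-0000-00000000bbbb"   # placeholder group id


def partner_config(tenant_id: str, allowed_group: str | None,
                   trust_mfa: bool = True, trust_compliant_device: bool = True) -> dict:
    """Inbound B2B collaboration settings for one partner tenant."""
    if allowed_group:
        users = {"accessType": "allowed",
                 "targets": [{"target": allowed_group, "targetType": "group"}]}
    else:  # no group given: anyone in the partner tenant can be invited
        users = {"accessType": "allowed",
                 "targets": [{"target": "AllUsers", "targetType": "user"}]}
    return {
        "tenantId": tenant_id,
        "inboundTrust": {  # which claims from the partner directory are accepted
            "isMfaAccepted": trust_mfa,
            "isCompliantDeviceAccepted": trust_compliant_device,
            "isHybridAzureADJoinedDeviceAccepted": False,
        },
        "b2bCollaborationInbound": {
            "usersAndGroups": users,
            "applications": {"accessType": "allowed",
                             "targets": [{"target": "AllApplications",
                                          "targetType": "application"}]},
        },
    }


def review_partner_config(cfg: dict) -> list[str]:
    """Return the settings a reviewer would flag against the guidance above."""
    findings = []
    targets = cfg["b2bCollaborationInbound"]["usersAndGroups"]["targets"]
    if any(t["target"] == "AllUsers" for t in targets):
        findings.append("inbound collaboration not scoped to a security group")
    trust = cfg["inboundTrust"]
    if not trust["isMfaAccepted"]:
        findings.append("partner MFA not trusted; guests cannot satisfy an MFA "
                        "policy with their home-tenant MFA")
    if not trust["isCompliantDeviceAccepted"]:
        findings.append("partner device compliance not trusted")
    return findings
```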
Azure B2C
There are times when the users who need access to internal services and resources come from anywhere, including public identity providers such as Google, Twitter, Amazon, etc. Often these users number in the thousands and would not be manageable through the Azure B2B service. In these instances, Azure B2C provides a service that not only grants access to the internal resources but also segregates those users from your internal directory. This allows all of the users to get to what they need while maintaining a higher level of security and lowering overall risk for the internal environment. To find out more about this solution and all the ways it can integrate with your existing CRM, IdP, and other solutions, go here: What is Azure Active Directory B2C? | Microsoft Learn. It is important to remember that Azure B2C is an additional service that will incur additional costs.
Access Reviews and Access Packages
To make sure that both internal and external users are managed appropriately, Access Packages and Access Reviews should be leveraged as part of the user lifecycle. While this capability requires an Azure AD P2 license, it adds the ability to automate and standardize the onboarding, offboarding, and review of users, their memberships, their roles, and their access across the environment. For external users, this can be leveraged to assign specific sets of permissions across resources such as applications, groups, Teams, and Sites. Once the packages are configured, Access Reviews can then be assigned to make sure that membership in those access packages is correct. The solution also offers the ability to decide which packages are self-service and which ones require approval. More information can be found here: What is entitlement management? - Microsoft Entra | Microsoft Learn
Managing External Sharing
Once the IAM component of external access is architected and configured, the configuration of external sharing must be addressed. The design is going to be based on the following:
- Defining the use cases for external sharing – This is the most critical step in the process, and these use cases may even define some of the IAM configurations listed above. Each use case should be documented and agreed upon. Once this is completed, the technical requirements to accomplish the use case in the most secure manner will fall into place. The overall process will involve asking questions like:
  - Who needs access?
  - Where are those users coming from?
  - How will they access the resource (mobile, desktop, web browser, application, etc.)?
  - What kinds of data are involved (PII, PHI, Financial, Confidential, etc.)?
  - How often does the access occur?
  - What will they be doing once they have the access?
  - How long do they need the access for?
- Base configurations within the Office 365 Admin console, SharePoint, OneDrive, Teams, Yammer, M365 Groups, and Power BI
  - Most of the solutions within the M365 licensing suite have specific configurations that address sharing and how they handle external (Guest) users.
  - Each solution must be configured independently to account for the use cases that were defined.
  - Settings should be reviewed at least yearly to determine if there are new features to leverage to better meet requirements or provide additional functionality or protections.
    - This includes settings within the Office 365 Admin console, which routinely has new features added.
    - New features are often turned on by default.
  - Items in the Message center should be reviewed weekly for new updates, changes, and fixes that are being released.
- Handling external sharing specifically with Teams – Teams has a few unique options that are not present in any of the other solutions. These are outlined below:
  - Regular Channel – This is the typical channel type found in Teams and is what 90+% of created Teams will contain. Permissions work by providing the exact same level of access to all members/owners of the Team. This means that every person in the Team will by default see and do the same things that everyone else in the group can, except for adding other members, which only owners can do.
  - Private channels – A private channel includes only a subset of the existing members/owners of the Team. The users who are given access all have the same access within the channel, but others who are not included will not even see the channel within the Team.
  - Shared Channels – These are the newest type of Channel within Microsoft Teams. This channel type allows the inclusion of users who are not present in the rest of the Team and can even include external identities. To get this to work with external users, CTA must be configured on both the source and destination tenants.
- Auditing and tracking – This is a critical component of any strategy around data governance and access for external parties. All auditing should be turned on and retained for at least 90 days for investigative purposes. The data may need to be kept longer based on specific regulatory or compliance requirements. At minimum, the following log sources should be monitored and alerting should be configured:
  - Azure AD Activities
  - Azure AD Sign-in logs
  - PIM Logging
  - Access Package/Review Logging
  - Office 365 activity logs
  - Defender logging:
    - Endpoint
    - Office
    - Identity
    - Cloud Apps
  - Information Protection logging
- Integrating Defender for Cloud Apps – If EMS E5 or equivalent licensing that includes Defender for Cloud Apps is in place, it should be used to build additional telemetry. Part of this telemetry and capability comes from integrating Cloud Apps with:
  - Defender for Endpoint
  - Information Protection
  - Defender for Office
  - Defender for Identity
  - Connected Applications
  - Cloud Discovery sources
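As an added example of the monitoring the auditing section and the Conditional Access section call for (not code from the original post), the following reviews Azure AD sign-in log entries for guest users and flags sign-ins from tenants that are not on the cross-tenant access list, guest sign-ins that did not satisfy MFA, and failed guest sign-ins. The records mimic a handful of fields from the Microsoft Graph signIn resource, but every entry and tenant ID is constructed here rather than captured from a real tenant.

```python
"""Review Azure AD sign-in log entries for guest (external) users.

Added example, not the post's code. Records mimic a few Microsoft Graph
signIn fields; all entries and tenant IDs are constructed, not real.
"""
from collections import Counter

TRUSTED_PARTNER_TENANTS = {"00000000-0000-0000-0000-00000000aaaa"}  # from CTA config

# Constructed sample sign-ins (placeholder tenant IDs, not real data)
SIGN_INS = [
    {"userPrincipalName": "alice_partner.example#EXT#@contoso.example", "userType": "Guest",
     "homeTenantId": "00000000-0000-0000-0000-00000000aaaa",
     "authenticationRequirement": "multiFactorAuthentication",
     "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob_gmail.com#EXT#@contoso.example", "userType": "Guest",
     "homeTenantId": "9cb6ee28-3ad8-4c9c-8b12-0000000000cc",  # not a CTA partner
     "authenticationRequirement": "singleFactorAuthentication",
     "appDisplayName": "SharePoint Online", "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@contoso.example", "userType": "Member",
     "homeTenantId": "contoso-tenant-placeholder",
     "authenticationRequirement": "multiFactorAuthentication",
     "appDisplayName": "Outlook", "status": {"errorCode": 0}},
    {"userPrincipalName": "alice_partner.example#EXT#@contoso.example", "userType": "Guest",
     "homeTenantId": "00000000-0000-0000-0000-00000000aaaa",
     "authenticationRequirement": "multiFactorAuthentication",
     "appDisplayName": "Power BI", "status": {"errorCode": 53003}},  # blocked by CA
]


def review_guest_sign_ins(sign_ins, trusted_tenants=TRUSTED_PARTNER_TENANTS):
    """Return (user, reason) findings for guest sign-ins worth a closer look."""
    findings = []
    for s in sign_ins:
        if s["userType"] != "Guest":
            continue  # internal users are covered by other policies
        user = s["userPrincipalName"]
        if s["homeTenantId"] not in trusted_tenants:
            findings.append((user, "guest from tenant not in cross-tenant access list"))
        if s["authenticationRequirement"] != "multiFactorAuthentication":
            findings.append((user, "guest sign-in without MFA; check CA scoping for guests"))
        if s["status"]["errorCode"] != 0:
            findings.append((user, f"failed sign-in to {s['appDisplayName']} "
                                   f"(error {s['status']['errorCode']})"))
    return findings


def findings_by_user(findings):
    """Count findings per guest so repeat offenders stand out in alerting."""
    return dict(Counter(user for user, _ in findings))
```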
What is up next?
In this series so far, we have covered how to get started, tackling identity, dealing with data governance, and now handling external sharing and identities. Over the next few posts, we will cover:
- Managing the Endpoints
- Deploying Defender solutions
- Extending security across SaaS Applications
In the official Part 4, we will tackle the ways to leverage Intune to manage endpoints for configuration, compliance, updates, and reporting. Stay tuned for part 4 of 7 coming out soon!
We are here to help! Please contact us if you would like to have a conversation about this at any time.