# RMS in Azure

December 6, 2016

 

Hello,

Today we’ll run an RMS scenario in our demo Office 365 environment. RMS restricts what the authenticating user can do with a document (Office and other file types) by encrypting the file and binding the usage rights to the user’s identity. This way you can share confidential data easily and make sure only the allowed persons can perform certain actions with the documents.

You can find a clear overview here: https://docs.microsoft.com/en-us/information-protection/understand-explore/what-is-azure-rms


 

Now, we’ll start by enabling the feature on a limited group.

Step 1: we’ll limit usage to a test group, so we follow the procedure described in https://docs.microsoft.com/en-us/rights-management/deploy-use/activate-service

We have downloaded and installed the required Azure AD Rights Management Administration toolset.


Hmm. Apparently we need the MS Online Services Sign-in assistant first.

Download and install it from https://support.office.com/nl-nl/article/Microsoft-Online-Services-aanmeldhulp-opnieuw-installeren-6f295d05-ae37-4054-8faf-c89dd48d1827?ui=nl-NL&rs=nl-NL&ad=NL

OK, straightforward setup of both components.


Now let’s create a test group that will be used to validate the RMS functionality. In this case we create an Azure security group.


You’ll need to install the Azure AD PowerShell module in order to retrieve the ObjectId of the group.

See: https://msdn.microsoft.com/en-us/library/jj151815.aspx

Then run some commands in order to retrieve the required ID.


Now we can activate the RMS feature for a specific security group, and only for users who have the correct license assigned:

PS C:\Windows\system32> Set-AadrmOnboardingControlPolicy -UseRMSUserLicense $True -SecurityGroupObjectId 532a71c3-f370-47bb-9dd8-34026ea751cf

WARNING: The tenant user on-boarding control policy will be updated by this operation.


Verify the result with Get-AadrmOnboardingControlPolicy.


OK, done. Now let’s add our test user to the group.


And let’s add the required license to our user. In this case the already assigned E3 license covers RMS (see https://technet.microsoft.com/nl-be/library/office-365-plan-options.aspx and https://technet.microsoft.com/en-us/dn858608).
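The onboarding steps above (create the pilot group, look up its ObjectId, add the test user, restrict onboarding to licensed group members, verify) as one script. This is an added example, not the post’s own commands; the group name and the user principal name are placeholders, and it assumes the MSOnline and AADRM PowerShell modules referenced above are installed.

```powershell
# Added example (not from the original post). Placeholders: group name and test user UPN.
$groupName = 'RMS Pilot Users'
$testUser  = 'testuser@contoso.onmicrosoft.com'   # placeholder UPN

Connect-MsolService      # Azure AD, MSOnline module
Connect-AadrmService     # Azure RMS, AADRM module

# Create the security group that scopes the pilot, or reuse it if it already exists
$group = Get-MsolGroup -SearchString $groupName | Where-Object { $_.DisplayName -eq $groupName }
if (-not $group) {
    $group = New-MsolGroup -DisplayName $groupName -Description 'Users allowed to protect content with Azure RMS during the pilot'
}
"Group ObjectId: $($group.ObjectId)"

# Add the test user to the group
$user = Get-MsolUser -UserPrincipalName $testUser
Add-MsolGroupMember -GroupObjectId $group.ObjectId -GroupMemberType User -GroupMemberObjectId $user.ObjectId

# The user must hold a license that includes RMS (here an E3 plan, as in the post).
# List the assigned SKUs so the license requirement can be checked before testing.
"Licenses on $($testUser): " + (($user.Licenses | ForEach-Object { $_.AccountSkuId }) -join ', ')

# Restrict onboarding: only licensed members of the pilot group can protect content
Set-AadrmOnboardingControlPolicy -UseRmsUserLicense $true -SecurityGroupObjectId $group.ObjectId

# Verify the policy now references the group and requires a license
Get-AadrmOnboardingControlPolicy

# Activate the service for the tenant and list the templates published by default
Enable-Aadrm
Get-AadrmTemplate
```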


And enable it!


You can now check the status in portal.azure.com -> Rights management status.


If you click through, you’ll see that 2 templates are already published.


On the client device, download and install the Rights Management sharing application for Windows. This application is available for multiple operating systems.


Set it up.


All went well.


Now if you create a Word document and save it, you can use Explorer to add RMS-based protection to this document.


If you use the “protect in place” option, you will see that the client downloads the policies from the RMS service and then presents the templates to choose from (2 templates are created by default).


As soon as the document is protected you’ll see the RMS banner if you open the document in Word.


You can also share the content securely: this creates a protected attachment with the specific rights included.

However, when I tried to share it with an external user with a commercial email address (@hotmail / @gmail / …), this does not work (yet; this functionality will be implemented in a next version of the product).


But you can share it with other (non-commercial) email addresses. There are 2 possibilities:

-> The recipient already uses an Azure service, so it has an Azure Active Directory and can authenticate.

-> The recipient does not yet use an Azure service, so it needs to be enrolled in Azure AD in order to be able to authenticate.

In the second case the user can sign up via this link: https://docs.microsoft.com/en-us/information-protection/understand-explore/rms-for-individuals-user-sign-up

Once done, you can track usage and so on via a web link (the specific link is added to your email message).


Additional info and FAQs can be found here: https://docs.microsoft.com/en-us/information-protection/get-started/faqs-rms

Overall some great functionality at your fingertips!

Enjoy.

Gino D


Quid Pro Quo EMS

September 14, 2016

Hello,

Quid Pro Quo … or in the words of Austin Powers: Squid Pro Quo, meaning “a favour for a favour”. From the corporate ICT perspective this translates to: we provide additional services that you can use whenever, wherever, but … we need some information about the location and the device before we do that.

Sounds good … Let’s take a popular cloud service like mail/calendar or cloud storage as an example.

What might be a good compromise?

We’ll provide you access to OneDrive for Business, but … we want to make sure the device is locally encrypted, has a minimum of security applied to it and is not jailbroken.

And we provide you with a single sign-on experience on your corporate machines, but require some kind of multi-factor authentication on BYOD.

Let’s see how we could do this. You’ll need Azure Active Directory Premium to start with this.

First we open our admin center -> Azure AD -> Domain -> and use the Applications tab.


Now we select the SharePoint Online service and configure it.


Now we’ll activate MFA for a specific Office 365 security group of users and request MFA only when the user is not in a “work” location.


You’ll need to define what the work locations are by clicking the link. So first we’ll go for the scenario where we require MFA when the user is not @ Work.

Additional info can be found here: https://azure.microsoft.com/en-us/documentation/articles/active-directory-conditional-access-azuread-connected-apps/?rnd=1

So in this case we’ll define the work locations based on an IP address / subnet combination.

Now if I log on to OneDrive from my machine in that IP subnet -> we expect no MFA.

Unfortunately I kept on receiving the Additional verification box …

BTW: the Microsoft Authenticator app is simply a great tool!

No more hassles with copy/paste of codes through sms or applications. The app simply allows you to approve or deny the authentication request.

Install the app -> link your account by scanning a QR code (use myapps.microsoft.com).


And approve or deny.


Great functionality there … But back to the subject … Why do I require MFA now? …


Now if I modify the trusted IP range with my external IP address received from my ISP (as my Wi-Fi router is of course using NAT) …


Bingo! No MFA request …


While if I do this from another machine -> I receive the request for MFA.
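The trusted-IP lesson above in code: Azure AD evaluates the public source address of the sign-in, so a trusted range that only lists the internal LAN subnet never matches a client behind a NAT router. This is an added example, not part of the original post; the LAN subnet, the LAN address and the public address 203.0.113.45 are constructed values standing in for the real ones.

```powershell
# Added example (not from the original post). All ranges and addresses are constructed.
function Test-IPv4InCidr {
    param(
        [Parameter(Mandatory)][string]$Address,
        [Parameter(Mandatory)][string[]]$Cidr
    )
    # Convert a dotted-quad string to an unsigned 32-bit integer
    function ConvertTo-UInt32 ([string]$Ip) {
        $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
        [Array]::Reverse($bytes)                 # BitConverter expects little-endian input
        return [System.BitConverter]::ToUInt32($bytes, 0)
    }
    $ipInt = ConvertTo-UInt32 $Address
    foreach ($range in $Cidr) {
        $net, $bits = $range -split '/'
        if (-not $bits) { $bits = 32 }           # a bare address means a single host
        $netInt = ConvertTo-UInt32 $net
        # Network mask with the top $bits bits set; powers of two avoid shift/sign surprises
        $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))
        if (($ipInt -band $mask) -eq ($netInt -band $mask)) { return $true }
    }
    return $false
}

# Trusted IPs as first configured: only the internal LAN subnet (constructed value)
$trustedLanOnly = @('192.168.1.0/24')
# Corrected list: also the public address the tenant sees behind the NAT router
$trustedWithNat = @('192.168.1.0/24', '203.0.113.45/32')

$lanAddress    = '192.168.1.20'     # constructed: what the laptop sees locally
$publicAddress = '203.0.113.45'     # constructed: what Azure AD sees after NAT

# The LAN address matches the LAN subnet, but Azure AD never sees that address.
"LAN address in LAN-only list:              {0}" -f (Test-IPv4InCidr $lanAddress    $trustedLanOnly)
# The address Azure AD actually evaluates only matches once the NAT egress address is trusted.
"Public address in LAN-only list:           {0}" -f (Test-IPv4InCidr $publicAddress $trustedLanOnly)
"Public address in list with NAT egress IP: {0}" -f (Test-IPv4InCidr $publicAddress $trustedWithNat)
```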


 

Okay, now let’s go one step further and deny access if not @ Work.


 

Now let’s see the result if we try to connect from a machine that is not at a @ Work location.


 

 

Yes! No access …

So overall this is some great functionality: MFA is not an on/off scenario, and we can have a granular implementation per service and define different settings per location.

We can choose to force MFA when not at a work location, or simply block access completely. It’s clear that cloud-first, mobile-first is really on track.

Next up : device based access rules.

Enjoy.

Gino D


EMS

August 15, 2016

Hello,

Empowerment of users is always great. We all want to be able to perform the actions we need when we want to, instead of logging requests and waiting for them to be carried out.

Microsoft EMS is a combined set of cloud services wrapped up in one license formula. More info can be found here: https://www.microsoft.com/en-us/cloud-platform/enterprise-mobility. But today, Olympic Games in Rio 2016 or not, we focus on self-service group management and password reset.

First we need to enable the required features in Azure AD.


Now add the test user to the required Azure AD groups and open https://myapps.microsoft.com

Now this user can create new security or Office 365 groups (depending on the group membership above).

Now what’s really great is that we can delegate the group membership (adding or removing users) to the group owners. We could also do this on-premises using AD, by handing out the Users and Computers MMC, or by using FIM, but here it is straight out of the box.

Let’s see how it looks.


Now we can create a new group (we’ll use an O365 group).


Now we have set up this group to require owner approval, so in this case we can decide who can be a member.

So if we log on with another user (with an EMS license) and look for the group, we can request access!


Let’s join.


And the owner can approve or deny.


And the requesting user can check the status of his request in the same interface under My requests.
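Once membership decisions are delegated to owners, the owners are the control: a group that nobody owns has nobody to approve or remove members. This added example (not from the original post) uses the AzureAD PowerShell module to report every group with its owners and member count and flags the ownerless ones for review; it assumes that module is installed and that the account running it can read directory objects.

```powershell
# Added example (not from the original post): ownership report for delegated groups.
Connect-AzureAD

function Get-GroupOwnershipReport {
    Get-AzureADGroup -All $true | ForEach-Object {
        $group  = $_
        $owners = @(Get-AzureADGroupOwner -ObjectId $group.ObjectId -All $true)
        $count  = @(Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true).Count
        [pscustomobject]@{
            DisplayName     = $group.DisplayName
            ObjectId        = $group.ObjectId
            MailEnabled     = $group.MailEnabled      # true for Office 365 groups
            SecurityEnabled = $group.SecurityEnabled  # true for security groups
            MemberCount     = $count
            OwnerCount      = $owners.Count
            # Owners may be users or service principals, so DisplayName is the common field
            Owners          = ($owners | ForEach-Object { $_.DisplayName }) -join '; '
        }
    }
}

$report = Get-GroupOwnershipReport

# Full overview of who can approve join requests for which group
$report | Sort-Object DisplayName | Format-Table DisplayName, MailEnabled, SecurityEnabled, MemberCount, Owners -AutoSize

# Groups without an owner: nobody can approve requests or prune members, so assign an owner
$report | Where-Object { $_.OwnerCount -eq 0 } | Format-Table DisplayName, ObjectId, MemberCount -AutoSize
```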


That’s it, great functionality for delegating the creation and the ownership of security or Office 365 groups. Power to the users!

Enjoy.

Gino D.