Escolar Documentos
Profissional Documentos
Cultura Documentos
7 8 9 10 11 12
Introduction
Nonprofits around the world are dynamic organizations working in many This solution includes capabilities across Office 365, Enterprise Mobility +
areas who face security risks that rise with the impact they can achieve. They Security (EMS) suite, and Azure Platform as a Service (PaaS). EMS makes it
face challenges from sophisticated actors that can deploy significant possible to integrate other cloud services and use the same identity provider,
resources to breach an organization. This solution demonstrates how to build secure access capabilities, and monitoring solutions across your entire
an environment with essential cloud services. It includes prescriptive security environment.
design for protecting identities, email, and access from mobile devices.
This guidance includes only cloud services but you can also use these
recommendations with a hybrid on-premises environment.
The latest Office apps for your PC and Mac, including Strengthen sign-in authentication with verification
Office suite and updates to protect your environment. Create and edit Multi-factor options, including phone calls, text messages, or
Office Online documents from a browser. authentication
mobile app notifications.
Fully installed Office experience across PCs, Macs, Define policies that provide contextual controls at the
Office on PCs, Windows tablets, iPad® and Android™ tablets, and most user, location, device, and app levels to allow, block,
Conditional access
tablets, and phones mobile devices. or challenge user access.
1 TB of personal cloud storage that can be accessed from Protect apps and critical data in real time using
OneDrive for anywhere and syncs with a PC/Mac for offline access. Risk-based machine learning and the Microsoft Intelligent
Business Easily share documents with others and control who can conditional access
Security Graph to block access when risk is detected.
see and edit each file.
Communications sites to keep your organization up to Monitor suspicious activity with reporting, auditing,
date. Team sites and document libraries protected at the Advanced security and alerts, and mitigate potential security issues using
SharePoint Online
appropriate level for the sensitivity of your data and reporting
focused recommendations.
projects.
Host online meetings with audio, HD video, and web Publish, configure, and update mobile apps on
conferencing over the Internet. Join meetings with a single Mobile application enrolled and unenrolled devices, and secure or
Online meetings
touch or click from the smartphone, tablet, or PC of your management
remove app-associated corporate data.
choice.
Broadcast Skype for Business meetings on the Internet for Enroll corporate and personal devices to provision
up to 10,000 people, who can attend in a browser on Mobile device settings, enforce compliance, and protect your
Meeting broadcast
nearly any device. Meetings include real-time polling and management
corporate data.
sentiment tracking.
Encrypt sensitive data and define usage rights for
Persistent data persistent protection regardless of where data is
protection
Azure PaaS analytics environment stored or shared.
Build and secure an analytics environment in Azure using Gain visibility, control, and protection for your cloud-
Azure PaaS SQL Data Warehouse and Azure Data Lake. Protect access Microsoft Cloud based apps Identify threats, abnormal usage, and
Analytics to this environment using the same capabilities as App Security
other cloud security issues.
Office 365.
Reduce your security responsibility Security responsibility SaaS PaaS IaaS On-prem
By using Microsoft cloud services, you greatly reduce the attack surface you Data governance &
are responsible for. This solution shows you how to configure the controls rights management
that are provided for you to secure your data, devices, and identities with
Client endpoints (devices)
Office 365 (SaaS). The same approach can be used with other cloud services.
Account & access
management
“Identity & directory infrastructure” refers to integration with on-premises Identity & directory
directories. If you’re using cloud-only accounts, this doesn’t apply to you. The infrastructure
guidance in this solution is designed for cloud-only environments, but can
also be used with hybrid environments with on-premises directories. Application
Network controls
When you use Office 365 and EMS, you don’t have responsibility for securing
these layers. By using Microsoft cloud services, you greatly reduce the
amount of work required to keep your environment secure. Decades of Operating system
engineering experience has enabled Microsoft to develop leading -edge best
practices in the design and management of online services. Through Physical hosts
industry-leading security practices and unmatched experience running some
of the largest online services around the globe, Microsoft delivers enterprise
cloud services you can trust. Physical network
For more information, see Microsoft Cloud Security for Legal and Compliance Physical datacenter
Professionals
Microsoft Customer
November 2017 © 2017 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdop t@microsoft.com.
Common attacks and Microsoft capabilities that protect your organization Capabilities with blue text are included
in this guidance.
Phishing Any employee clicks on a link and Attacker uses stolen credentials to gain Attacker moves laterally, gaining Attacker removes data from the
enters their credentials. environment.
Identity-based attacks
Attacker targets access to the user’s mail and files. access to cloud services and
employees by email or resources in the environment.
Exchange Online Protection blocks Multi-factor authentication prevents Cloud App Security detects and alerts
other unsafe links or
malicious hyperlinks in a message. password-only access to cloud services, Azure AD conditional access rules can on anomalous activity, such as download
websites.
including Exchange Online mailboxes and protect all SaaS apps in your activity, and can suspend user accounts.
Office 365 Advanced Threat Protection OneDrive for Business files. environment with multi-factor Intune Mobile Application Management
protects against links in mail and files that Azure AD conditional access rules block authentication and other protections. rules prevents business data from
Spear-phishing are redirected to unsafe sites. Protection access from unmanaged PCs. Cloud App Security detects and alerts leaving approved business apps on
Attacker uses information continues dynamically after mail is on anomalous activity for all SaaS apps mobile devices.
delivered. Azure AD Smart Account Lockout
specifically about a user to temporarily locks out accounts with high-risk in your environment, including activity Windows Information Protection (WIP)
construct a more plausible Windows Defender SmartScreen checks login activity. originating from new and infrequent protects business content on devices
phishing attack. sites against a dynamic list of reported locations, suspicious locations, new and with file level encryption that helps
Risk-based conditional access protect apps untrusted devices, and risky IP addresses.
phishing sites and warns users. and critical data in real time using machine prevent accidental data leaks to non-
learning and the Microsoft Intelligent Securing Privileged Access Roadmap is business documents, unauthorized apps,
Weak passwords are systematically Security Graph to block access when risk is guidance to mitigate lateral traversal and and unapproved locations.
Brute-force attack identified. detected. credential theft techniques for your on- Office 365 Exchange mail flow rules
premises and hybrid cloud environments. prevent auto-forwarding of mail to
Attacker tries a large list Azure AD password protections enforce
of possible passwords for For on-premises networks, Advanced external domains.
minimum requirements for passwords, Threat Analytics identifies abnormal
a given account or set of dynamically ban commonly used passwords, Office 365 data loss prevention (DLP)
accounts. activity by using behavioral analytics and rules prevent sensitive data from leaving
and force reset of leaked passwords. leveraging Machine Learning. the environment.
Azure AD Smart Account Lockout
temporarily locks out accounts with high-risk Azure Information Protection and Azure
Other similar attacks: login activity. Rights Management encrypts and
Watering hole attacks, permissions sensitive files. Protection
leaked passwords. For on-premises networks, Advanced Threat travels with the files.
Analytics detects brute-force activity targeted
to the domain. Azure technologies provide encryption
for disks and storage, SQL Encryption,
and Key vault.
Devices compromise Malicious files and viruses are introduced Any employee clicks on a malicious link Attacker moves laterally, gaining
into the environment. or opens a malicious file. access to cloud services and SQL Database dynamic data masking
Device-based attacks
November 2017 © 2017 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdopt@microsoft.com.
Microsoft Security Planning and implementation guidance for fast-moving
organizations that have an increased threat profile
7 8 9 10 11 12
Solution deployment
Planning for your solution is an iterative process. As you move
through the topics in this guide, you’ll understand how earlier
decisions affect components planned later in the process. Revise your
design as needed.
In this first step you identify the needs of The Subscriptions and licensing topic (5) In the Tenant setup and configuration topic
your users and map these to the appropriate recommends plans for this solution based on (6) we walk you through the process of
cloud capabilities. The available capabilities the desire to protect an organization with a setting up your Office 365 and EMS tenants.
for collaboration and secure access depend higher-than-average threat profile. Review This includes configuring tenant-wide
on the account types. This topic helps you this plan and make adjustments for your own settings that are recommended as starting-
make initial decisions that lead to a high-level organization. points for a secure environment, configuring
design for your environment. You’ll also the Azure AD groups you planned, and
design your strategy for Azure AD groups to getting started with Cloud App Security.
support the solution both for licensing and
for protection. See the Identity and
capability planning topic (4).
Before you can secure access to cloud After making decision for identity Cloud administrators are valuable targets for
services you need to account for devices. In management and device protection, the cyber criminals. The Securing administrative
the Device protection and access topic (7), Conditional access rules for protecting access topic (9) shows you how to protect
plan how you expect users to access cloud identities and access from devices topic (8) your global admin cloud accounts.
services from devices (PCs and phones). Plan shows you how to put your plan into action
the desired protection for each category. This with Azure AD conditional access rules,
topic includes a starting-point Intune device policies, and Intune app
recommendation that you can adjust for your protection policies. This topic illustrates a
organization. plan based on the starting-point
recommendations provided in the Device
protection and access topic. You can adjust
this plan for your organization.
SharePoint Online and OneDrive for Business With protection in place, you can now add The Azure analytics topic (12) illustrates a
are the core of your collaboration users to the environment and enable them recommended secure environment for
environment. The SharePoint and OneDrive for multi-factor authentication. Adding users working with large data sets. This includes a
for Business topic (10) recommends tenant- to the appropriate Azure AD groups combination of Azure SQL Data Warehouse
wide settings for these services. It also provisions them with licenses, gives them and Azure Data Lake.
recommends and demonstrates how to permissions to resources, and enforces
configure team sites with protection that conditional access rules and related policies.
allows for the appropriate level of open or See the Add users to your environment
secure collaboration. Finally, this topic topic (11).
demonstrates how to implement Azure
Information Protection to protect highly
confidential files. Use these
recommendations to design an environment
that meets the needs of your organization.
November 2017 © 2017 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdop t@microsoft.com.
Microsoft Security Planning and implementation guidance for fast-moving
organizations that have an increased threat profile
Guidance for Nonprofits
This topic is 4 of 12 in a series 1 2 3 4 5 6
7 8 9 10 11 12
Plan for users, account types, and Azure Active Directory groups
Agile organizations can be made up of users with a variety of purposes. Some Planning for identity is an iterative process. This topic is designed to get you
are permanent contributors while others might only work for a few weeks or started. As you learn more about how identity choices influence
months. Some contributors might be employed by partner organizations. A implementation you can fine-tune your plan.
few contributors might be experts that you consult with rarely but at critical
moments for your organization, such as a university researcher.
1. Categorize your users 2. Decide what type of accounts to use 3. Plan for Azure AD groups
Take stock of the types of contributors to your Azure Active Directory lets you manage Groups in Azure AD are used for several
organization. What are the logical groupings? accounts for partners (B2B accounts) in purposes that simplify management of your
Group users by high-level function or purpose addition to accounts for users you manage cloud environment.
to your organization. directly (tenant domain accounts). Some cloud
Use group-based licensing to assign services to
capabilities extend to users who have no
For this example solution, we’ve identified a your users automatically as soon as they arrive
association with your directory (no account
variety of user categories for a nonprofit to in the cloud.
management).
demonstrate the planning and implementation
Some groups can be populated dynamically
process. This topic details capabilities and protections
based on attributes.
that can be applied to each type of account.
Senior and strategic This will help you decide which users belong Use groups to automatically provision users for
IT staff directly in your tenant domain, which users can SaaS applications and to protect access to those
staff
be managed using B2B accounts, and which applications with multi-factor authentication and
users require no management at all. other conditional access rules.
Operations staff Analytics staff
This mapping of categories to account types is Groups can be used to provision SharePoint
used as an example. team sites. Groups can also be used in Azure
Regular core staff Field staff Rights Management templates to protect files
Tenant domain accounts with encryption and permissions.
Senior and Example Azure AD groups for this solution are
Consultants and Hourly-paid strategic staff IT staff Operations staff
vendors contract staff provided later in this topic.
https://myapps.microsoft.com
Azure Active Directory capabilities are available Multi-factor authentication and conditional access
for B2B accounts at a ratio of 1 licensed user to
5 B2B users.
Azure AD Identity Protection
For example, if you assign 10 licenses to users
for Azure Active Directory P2, you can also use
these capabilities with up to 50 B2B users
Azure AD Privileged Identity Management
without assigning additional licenses.
Mobile Application
Management (MAM)
OneDrive for Business Files can be shared with B2B users and external users
Why use B2B accounts? Does my B2B partner need a tenant domain account?
Azure AD business-to-business (B2B) collaboration capabilities enable any • Do I need to monitor B2B accounts using cloud app monitoring tools?
organization using Azure AD to work safely and securely with users from any These tools will alert on B2B accounts if they haven’t been scope out. But
other organization, small or large. Those organizations can be with Azure AD these tools cannot automatically take action on B2B accounts, even if
or without, or even with an IT organization or without. You can provide these accounts are licensed for these tools. If you need the ability to take
access to documents, resources, and applications to your partners, while automated action on user accounts for anomalous behavior, add them as
maintaining complete control over your own corporate data. tenant domain accounts.
• Give external users access to apps in your environment (SharePoint team • Do I need to apply mobile app management policies to B2B users
sites and other SaaS and PaaS applications) without adding them directly accessing organization data? In this case, you can license B2B users for
to your domain. these capabilities. You don’t need to give them a tenant domain account.
• Reduce licensing costs (compared to adding domain accounts). • Will my B2B user have access to sensitive and highly confidential data
and the ability to download this data to their devices? Does this B2B user
• Protect access with conditional access rules, including multi-factor
have access to multiple libraries of sensitive and highly confidential data?
authentication.
If this is true, consider the risks of the device becoming compromised or
stolen. If this risk is not acceptable, consider using a tenant domain
Should my regular staff member be added as a B2B account
account and managing their devices. This also gives you the opportunity
instead? to use cloud app monitoring tools to take action on anomalous behavior,
• Does this person also work for another organization? Does that such as downloading large amounts of data.
organization manage their devices?
• Does this person use current Office 2016 apps and receive updates
through a subscription with another organization?
• Do I need to provide a secure mailbox for this person?
If another organization is providing these services for a staff member, they
might just need a B2B account.
IT admins Administration of services. Use dedicated accounts, not user accounts. Create separate user EMS E5
accounts for non-admin activity. Use one of the groups below, as appropriate. This group is Office 365
licensed with a mailbox to receive alerts from cloud app monitoring tool. Members of this
group are higher value targets for hackers, so additional protection can be applied using
this group.
IT global and security Global administrators and security administrators of your cloud services. This is a sub-set of
administrator accounts your IT admins. These accounts are the highest-value targets for cyber criminals.
All tenant domain accounts Used for licensing. This group can be used to configure baseline-protection rules for access Office 365
(dynamic group) to services. More restrictive rules can be applied to other groups and the results are EMS E5
additive.
All B2B accounts View and manage all B2B accounts in one place. Apply conditional access rules for B2B No Licensing
(dynamic group) users that don’t require device enrollment and management.
Senior and strategic This group is used for access to data with sensitive and higher levels of protection.
staff Members of this group are higher value targets for hackers, so additional protection can be
applied using this group.
Operations staff Permissions for SharePoint team sites and other resources, as appropriate.
Analytics PaaS app Users with access to the PaaS analytics environment. Use this group for additional licensing
users for this environment, if needed, including permissions for SharePoint team sites related to
analytics work. Members of this group are higher value targets for hackers, so additional
protection can be applied using this group.
Regular core staff Permissions for SharePoint team sites and other resources, as appropriate.
Field staff Permissions for SharePoint team sites and other resources, as appropriate.
Additional sensitive Add regular users to this group who have access to one or more libraries of sensitive data
data users but are not members of the ‘Senior and strategic staff’ group.
Select AIP-protected Add users to this group to give access to AIP-encrypted files. Before adding users to this
data users group, see “Adding permissions for external users” in the SharePoint topic (10). Monitor the
membership of this group frequently. Setting this group up early allows you to account for
individuals outside your organization who might need to create an individual account in
Azure AD to be included in secure access to highly confidential data.
Conditional access Use this group in conditional access rules to give your organization a way to quickly resolve
exclusion group access issues for highly mobile individuals who find themselves locked out based on
conditional access policies. In the event a user is locked out and you do not suspect
suspicious activity, temporarily add the user to this group while you resolve their access
issue.
November 2017 © 2017 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdop t@microsoft.com.
Microsoft Security Planning and implementation guidance for fast-moving
organizations that have an increased threat profile
Guidance for Nonprofits This topic is 5 of 12 in a series 1 2 3 4 5 6
7 8 9 10 11 12
Capabilities E3 capabilities plus: EMS E3 capabilities plus: This is included with EMS E5.
Advanced Skype for Business meetings and Risk-based conditional access
Every Azure AD paid license includes
voicemail capabilities Privileged identity management rights to 5 B2B collaboration users (5:1
Advanced analytics with Power BI Pro and Automated classification and encryption model).
Microsoft MyAnalytics for files
Advanced Threat Protection For example, if you assign 10 licenses to
Microsoft Cloud App Security users for Azure Active Directory P2, you
Advanced Data Governance can also use these capabilities with up to
Compare all Enterprise Mobility +
Advanced Security Management Security Plans 50 B2B users without assigning
Compare all Office 365 for Nonprofits additional licenses.
Plans
Why this is Advanced Threat Protection for email Risk-based conditional access and Cloud Azure Active Directory P2 includes risk-
recommended drives the recommendation for E5 for all App Security drive the recommendation for based conditional access which can be used
users with a mailbox. EMS E5. with B2B accounts.
Advanced Data Governance capabilities Also, Cloud App Security can’t be used for
can be used to automate protection for B2B accounts and device management for
data loss prevention. B2B accounts is limited, even with
additional licensing, so risk-based
conditional access helps here.
Consultants /
Senior and Operations Regular core Paid volunteers
IT Staff Analytics staff Field staff Board Directors
strategic staff staff staff (B2B)
(B2B)
Office 365 E5
EMS E5
November 2017 © 2017 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdop t@microsoft.com.
Microsoft Security Planning and implementation guidance for fast-moving
organizations that have an increased threat profile
Guidance for Nonprofits This topic is 6 of 12 in a series 1 2 3 4 5 6
7 8 9 10 11 12
1 Create your Office 365 tenant 2 Add an EMS tenant to your Office 365 3 Check Secure Score when done
tenant Visit your Office 365 Secure Score site.
Office 365 dev/test environment Office 365 and EMS dev/test https://securescore.office.com
Create an Office 365 E5 trial subscription environment Access to Secure Score requires the
Add an EMS trial subscription to your admin account for the trial environment
Office 365 trial subscription
Office 365 Secure Score analyzes your Office 365 organization’s security
based on your regular activities and security settings and assigns a score.
After setting up your Office 365 subscription, take note of your starting
score. The work you do as part of this solution to protect your
environment will increase your score.
The goal is not to achieve the max score, but to be aware of
opportunities to protect your environment that do not negatively affect
productivity for your users.
https://securescore.office.com
Introducing the Office 365 Secure Score
What’s next
Use the guidance in the rest of this topic to configure recommended tenant-
wide settings that protect your environment.
Includes default settings Yes Includes a default policy Yes Includes a default DKIM signature Yes
What to watch for: Recommended — edit the default policy: DKIM is an authentication process that can
• Too much spam — Choose the • Common Attachment Types Filter — help protect both senders and recipients
Custom settings and edit the Default Select On. from forged (spoofed) and phishing email.
spam filter policy. You can also create custom malware filter Your tenant includes a default signature for
• Spoof intelligence — Review senders policies and apply them to specified users, your domain. Create an additional DKIM
that are spoofing your domain. Block groups, or domains in your organization. signature if you add custom domains to
or allow these senders. your tenant.
View the dashboards and reports in the Security and Compliance Center
Visit these reports and dashboards to learn more about the
health of your environment. The data in these reports will
become richer as your organization uses Office 365 services.
For now, be familiar with what you can monitor and take
action on.
Threat explorer
If you are investigating or experiencing an attack against
your Office 365 tenant, use the threat explorer to analyze
threats. Threat explorer shows you the volume of attacks
over time, and you can analyze this data by threat
families, attacker infrastructure, and more. You can also mark
any suspicious email for the Incidents list.
Reports — Dashboard
View audit reports for your SharePoint Online and Exchange
Online organizations. You can also access Azure Active
Directory (AD) user sign-in reports, user activity reports, and
the Azure AD audit log from the View reports page.
Sharing settings for individual sites can be more restrictive than this tenant-wide • Anonymous access links expire in this many
policy, but not more permissive. This guide includes recommended configurations for days. Enter a number, if desired, such as 30
team sites protected at higher levels. For more information, see the SharePoint and days.
OneDrive for Business topic (10) in this guide.
• Default link type—select Internal (people in the
organization only). Users who wish to share
using anonymous links must choose this option
from the sharing menu.
More information
Manage external sharing for your SharePoint
Online environment
In the meantime, use one of the following methods to accomplish this for
SharePoint Online and OneDrive for Business:
• Use PowerShell, see Block apps that do not use modern authentication.
• Configure this in the SharePoint admin center on the “device access’
page — “Control access from apps that don't use modern
authentication.” Choose Block.
1 Create Azure AD groups 2 Add criteria for dynamic membership to 3 Assign licenses to the appropriate groups
Create the groups you have planned in Azure
the appropriate groups for group-based licensing
AD
Create a group and add members in Azure Managed dynamic rules for members in a Assign licenses to a group
Active Directory group
Get started with Cloud App Security or Office 365 Advanced Security
Management
Use Office 365 Advanced Security Management to evaluate risk, to alert on Because this solution recommends the EMS E5 plan, we recommend you
suspicious activity, and to automatically take action. Requires Office 365 E5 start with Advanced Security Management so you can use this with other
plan. SaaS applications in your environment.
Or, use Microsoft Cloud App Security to obtain deeper visibility even after Start with default policies and settings.
access is granted, comprehensive controls, and improved protection for all Deploy Cloud App Security
your cloud applications, including Office 365.
More information about Microsoft Cloud App Security
Overview of Advanced Security Management in Office 365
November 2017 © 2017 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdop t@microsoft.com.
Microsoft Security Planning and implementation guidance for fast-moving
organizations that have an increased threat profile
Guidance for Nonprofits This topic is 7 of 12 in a series 1 2 3 4 5 6
7 8 9 10 11 12
Starting-point recommendation
This guidance is intended for lightweight, rapidly moving organizations. This solution provides prescriptive guidance for protecting access to email,
These starting-point recommendations acknowledge that you might not have files, and other resources with multi-factor authentication, conditional access
a lot of control over the devices users bring to the environment. These rules, and Intune management. The guidance is based on these starting -point
recommendations are also intended to provide a variety of options for recommendations. You can adjust this guidance to support the decisions you
protecting devices, including data on the devices. Adjust this guidance for make for your environment.
your organization based on your threat profile. Support for managing MAC devices is coming soon.
Intune-managed PCs.
Senior and strategic staff Windows 10 with BitLocker, Windows Defender, Windows Firewall, and
Windows Information Protection (WIP) as a minimum configuration.
If Windows 10 is not used, enroll PCs in Intune and use device compliance
IT staff policies to ensure the health of these devices.
Latest versions of Office 2016, including updates.
Intune App Protection for unmanaged BYOD devices Intune management for enrolled devices
PC protection
Unmanaged
Unmanaged Managed
Capability No action Users can Intune MAM Intune device System Center Group Policy
necessary configure this management Configuration Object
Manager
Licenses
November 2017 © 2017 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdopt@microsoft.com.
Conditional access rules for protecting identities and access from devices
This page illustrates the set of policies and rules to achieve the starting -point recommendations Prerequisite Windows 10 PCs: Mac: In a hybrid enterprise environment
detailed in the previous topic. Policies and rules are additive. If two of the same type of policy or • Turn on BitLocker device protection • Use FileVault to encrypt your Mac disk administrators can use Group Policy Objects
action for users • Protect your PC with Windows Defender • Install and use reliable antivirus software and System Center Configuration Manager to
rule is applied to a user, the most restrictive policy or rule is enforced. Many of these rules are
• Turn Windows Firewall on • Turn on firewall protection automatically configure these protections on
described in more detail in Recommended security policies and configurations.
Windows 10 PCs.
Help for users: Protect your account and devices from hackers and malware
Azure AD groups Azure B2B accounts Device type Azure AD conditional access policies Azure AD Identity Intune device policies and profiles Intune App Protection policies and
(without additional Protection user risk
policy
conditional access rules
licensing)
Require multi-factor Policy 1: High risk users must Define compliance Create a WIP app
Senior and authentication (MFA) Require compliant change password policies policy for managed
strategic staff for access to Office PCs and mobile Windows 10 devices
365 services when devices (This forces users to (one policy for all
sign-in risk is change their platforms)
IT staff
medium or high (This rule enforces password when
device management signing in if high risk
with Intune) activity is detected
Operations staff for their account) Create a device Define app sharing Only allow access to Define app policy
configuration profile profiles for iOS and Exchange Online and (one policy per
for email access Android for Work SharePoint Online platform)
from apps that
Analytics staff support Intune app
policies
Board Consultants
Members and vendors
Hourly paid
contract staff
Notes for rules Apply to all users, Apply to the Azure AD Include all users (no Create one policy for Create a Windows Create a policy for Configure this in the Create two conditional One policy per
exclude the groups. exclusions). all platforms. Information Protection each platform (iOS, classic Intune portal. access rules: platform (Android,
Conditional access Select the same Cloud Conditions: User risk is For more information, (WIP) with enrollment Android). One policy for iOS and • Exchange Online iOS).
exclusion group for apps as the MFA High. see “Device policy using the Azure Android for Work (not Select targeted apps
• SharePoint Online
temporary exceptions. policy. compliance policy” in portal for Microsoft available for regular and policy settings.
Access: Allow access, Allowed apps = Allow
Cloud apps: Office 365 Don’t select platforms this article: Policy Intune Android). Recommended:
but require password apps that support
Exchange Online and (this enforces change. recommendations to iOS = Select Allow • PowerPoint
Intune app policies.
Office 365 SharePoint compliant devices). help secure email. managed documents • Excel
Online. Apply to all users.
Access controls: Grant in other managed • Word
Conditions: Sign-in risk access, but require apps. • Microsoft Teams
is medium and high. device to be marked as Android for Work = • Microsoft
Access controls: Grant compliant. Apps in work profile SharePoint
access, but require can handle sharing • Microsoft Visio
For Policy 2, also select
multi-factor request from personal Viewer
“Require approved
authentication. profile (under Work • OneDrive
app” (coming soon)
and “Require one of profile settings). • OneNote
the selected controls.” • Outlook
This topic is 8 of 12 in a series November 2017 © 2017 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdopt@microsoft.com.
Microsoft Security Planning and implementation guidance for fast-moving
organizations that have an increased threat profile
Guidance for Nonprofits This topic is 9 of 12 in a series 1 2 3 4 5 6
7 8 9 10 11 12
Dedicated global admin accounts Multi-factor authentication (MFA) Conditional access policy Cloud App Security or Advanced
Security Management (ASM)
Sign in with them only for tasks that
require global administrator Be protected even when an attacker Require that all global admin Get email notification of global admin
privileges. determines a global admin account and accounts use MFA. account and role change activity.
its password.
More information
1 Create an Office 365 group named IT 2 Create an Office 365 security (Azure AD) 3 Create up to three global admin accounts—
Admins-Notify and add the user accounts group named Global Admins. such as GlobalAdmin1, GlobalAdmin2, and
of IT staff that will be notified of global GlobalAdmin3—with very strong passwords.
administrator account activity and changes Enable MFA for each global admin account,
in roles for user accounts. and add them to the Global Admins group.
4 Sign in as each admin account and configure 5 Configure a conditional access policy to 6 Sign in as each global admin account and test
the MFA method. require members of the IT Admins group to MFA and the conditional access policy.
use MFA (if you haven’t already included
them in a policy).
More information More information
7 Enable Cloud App Security or ASM and 8 Sign in as a global admin account, change 9 Check the inbox of one of the user accounts
configure two policies: the role of one of your other global admin in the IT Admins-Notify group for emails for
• An activity policy for Administrative activity
accounts to the user role, and then change the global administrator sign-in and the role
that sends email alerts to the IT Admins- it back to the global administrator role. changes.
Notify group
• An activity policy for Role changes that sends
email alerts to the IT Admins-Notify group
More information
Create dedicated administrator workstations from which all Use Azure Privileged Identity Management (PIM) for on-demand, "just
sign-ins with a global administrator account must be done. in time" administrative access.
November 2017 © 2017 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdop t@microsoft.com.
Microsoft Security Planning and implementation guidance for fast-moving
organizations that have an increased threat profile
Guidance for Nonprofits This topic is 10 of 12 in a series 1 2 3 4 5 6
7 8 9 10 11 12
Home & news page Users can see and access their sites from:
Who has access? Everybody in the organization, Members only. Others can Members only. Others can Members only. Others cannot
including B2B users. request access. request to access. request access.
Site-level sharing Sharing allowed with anybody. Sharing allowed with anybody. Only members of the site can Only group members can
controls Default settings. Default settings. access contents of the site. access contents of this site.
Members can grant non- Sharing is limited to
members access to specific members of the site.
content on the site, but the site Other users cannot request
admin needs to approve these access to the site or
actions. contents.
DLP rules Warn users when sending files Block users from sending files
that are labeled as sensitive outside organization. Allow
outside the organization. users to override this by
Add a policy tip to describe how providing justification,
to share the file by encrypting including who they are sharing
the file with a password. the file with.
Example project Event planning site Video production & Analytics team site Strategic planning site
sites Shared calendar approval team Finance team site Trade secret files
Speech writing team
Research and communications
• You can apply labels to content automatically if it matches specific Label Team site protection level
conditions.
• You can apply protection using data loss protection (DLP) capabilities. Highly Confidential Highly confidential
• People in your organization can apply a label manually to content in
Outlook on the web, Outlook 2010 and later, OneDrive, SharePoint, and Sensitive Sensitive protection
Office 365 groups. Users often know best what type of content they’re
working with, so they can classify it and have the appropriate policy
applied. Private Baseline protection
Internal Public
Baseline protection
Sensitive protection
Highly confidential
Deployment
1 Install the Information Protection client 2 Use the client toolbar to apply labels 3 Upload files to the SharePoint library
You can script and automate the installation, Users outside your organization who are Be sure users know which SharePoint library
or users can install the client manually. included in permissions do not need to be to use for your highly confidential files.
involved in labeling. Their permissions will A
The client side of Azure Information Protection
allow them to access the contents of files.
Installing the Azure Information Protection
client
Download page for manual installation
November 2017 © 2017 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdop t@microsoft.com.
Microsoft Security Planning and implementation guidance for fast-moving
organizations that have an increased threat profile
Guidance for Nonprofits
This topic is 11 of 12 in a series 1 2 3 4 5 6
7 8 9 10 11 12
1 Add new users to Azure Active 2 Add B2B collaboration users 3 Add users to the intended Azure AD
Directory These are users who do not belong directly to
groups
These are your tenant domain users. your organization. These are the groups you created during
tenant setup.
Add new users to Azure Active Directory Add B2B collaboration users to your Manage group membership for users in your
organization Azure Active Directory tenant
1 Enable users for MFA 2 Setup MFA for B2B collaboration users
To start requiring MFA for a user, change Learn how MFA works with B2B accounts.
the user's state from disabled to enabled.
Getting started with Azure Multi-Factor Conditional access for B2B collaboration
Authentication in the cloud users
November 2017 © 2017 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdop t@microsoft.com.
Microsoft Security Planning and implementation guidance for fast-moving
organizations that have an increased threat profile
Guidance for Nonprofits This topic is 12 of 12 in a series 1 2 3 4 5 6
7 8 9 10 11 12
Azure analytics
Data analysis and business intelligence is a very important element
of a successful organization. The ability to analyze data on To address these needs, Microsoft recommends the
beneficiaries, donors, historical information, and current trends can combination of Azure SQL Data Warehouse and Azure
help the candidate and senior staff make informed decisions about Data Lake.
program development and direction.
Data Lake
With Data Warehouse and Data Lake, permissions can be
Permissions to access the data and perform
Secure managed with Azure AD groups that are part of your identity
analysis should be confined to data analysis staff.
infrastructure.
Scalable You need an analytics environment that can scale SQL Data Warehouse can scale to essentially unlimited data
for incoming data. sets.
Programs on donors. Therefore, your analytics By separating storage from compute resources, SQL Data
Cost-effective environment should balance functionality with Warehouse allows you to only pay for what you store and
ongoing costs. when you analyze it.
headquarters Azure
Machine Learning
T-SQL
Data Polybase
analysts queries Azure Data
Data Lake
Lake
SQL Data Warehouse
Third-
party
Once your data is stored in SQL Data Warehouse and Azure Data • SQL and structured data is stored in SQL Data Warehouse
Lake, your data analysts can use a variety of SQL-based tools to • Unstructured data is stored in Azure Data Lake, but is accessible
access and perform BI. for analysis by Polybase queries sent to SQL Data Warehouse
With firewall rules, you can Traffic to and from your SQL You can use SQL Server You can use SQL Server
specify the set of IP addresses Data Warehouse is always Authentication accounts or Authentication accounts or Azure
from which connections must encrypted. Additionally, you Azure AD accounts. For AD accounts. For example, you can
be initiated. For example, you can encrypt the data stored at example, you can specify that specify that the only Azure AD
could whitelist the public IP rest with Transparent Data the only Azure AD accounts accounts that can authenticate are
addresses of your Encryption (TDE). that can authenticate are those in your Analytics staff Azure
organizational headquarters. those in your Analytics staff AD group.
Azure AD group.
If you use all of these security methods, the only people with access to Threat detection for SQL Data Warehouse
the SQL Data Warehouse are those in your Analytics staff Azure AD
You can use Azure SQL Data Warehouse Auditing to detect
group, with specific permissions or database roles, and are connecting
anomalous database activity that could be a potential security
from your campaign headquarters. At all times, the data is encrypted
threat and send you an email notification.
at rest and when sent over the Internet.
More information More information
More information
November 2017 © 2017 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdop t@microsoft.com.