Securing Access to Office 365

Posted on Tuesday, October 02, 2018
By Andrew Kemp
Technical Architect - Microsoft



Why should I secure access?

Office 365 has been around since 2011, growing from strength to strength. More and more companies are adopting cloud and SaaS-based applications, and most now have a “Cloud First” mentality. Securing access to these services should never be overlooked.

Something I get asked with any implementation is:

“I have Office 365 E1/E3/E5, that’s all the licences I need isn’t it? Do I really need Azure AD Premium/EM+S Licensing?”

In short, my answer is:

“No, it’s not all you need, you really do need Azure AD Premium P1 or EM+S.”

The Office 365 licences offer you access to the online services (Exchange Online, Skype for Business, OneDrive for Business, SharePoint Online, Microsoft Teams, Yammer etc.). This access is from any device, at any time, from anywhere! Great? No, not great! Here’s why…

Traditionally your data would sit behind a firewall internally and would allow you access to your services through the use of a VPN, firewall rules and/or a remote desktop/app solution such as Citrix. With access to these services you would have also probably implemented some sort of two-factor authentication to further secure access.

You cannot wrap a firewall around Office 365 to access it in the traditional manner. Sure, if you’re using ADFS you can add claim rules to allow, for example, only ActiveSync access from external addresses, but this can soon become unmanageable and, more importantly, can cause issues with support if you have any authentication problems down the line.

Enterprise organisations have held back from adopting cloud services for this very reason: they wanted to be able to secure access to the online services. Now, with the Microsoft offerings, an increasing number of large global enterprises are adopting the cloud because they can secure that access.

Large enterprises need to be able to secure access to the services based on various conditions. These may include:

  • Location – Inside/outside the corporate network?
  • Resource – What are they accessing?
  • Device – What are they accessing the services from?
  • Management of the devices/application that the data is accessed from

How to secure access to Office 365

To secure access to Office 365 you will need Azure AD Premium P1 as a minimum. Azure AD Premium P1 includes the Conditional Access services. However, if you’re storing data in the cloud you will want to secure the data as well; this can be done via the Enterprise Mobility + Security (EM+S) suite.

Conditional Access can check the access based on specified criteria, for example:

  • Coming in from a domain-joined device inside the corporate network, it will allow you access with no further verification.
  • Coming in from an unknown location, regardless of device, it will prompt for Multi-Factor Authentication and then allow access.
  • Coming in from a personal device it will only allow access to email, for example, via the Outlook app.
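
The three criteria above, modelled as an added example (not from the original article, and not Microsoft's implementation): a simplified Python evaluator in which every matching policy applies and a block overrides any grant, as in Conditional Access. Field names, policy names and sample values are constructed for illustration; `unverified_paths()` lists the sign-in contexts that no policy covers, which is worth reviewing before enforcing a baseline.

```python
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class SignIn:
    """Constructed sign-in context; field names are illustrative assumptions."""
    trusted_location: bool  # inside the corporate network?
    device: str             # "domain_joined", "personal" or "other"
    app: str                # resource being accessed
    client: str             # client application in use

def _outlook_mail(s):
    return s.app == "Exchange Online" and s.client == "Outlook app"

# (name, condition, control). Policy names and structure are illustrative.
POLICIES = [
    ("Require MFA outside the corporate network",
     lambda s: not s.trusted_location, "mfa"),
    ("Personal devices: email via the Outlook app only",
     lambda s: s.device == "personal" and not _outlook_mail(s), "block"),
]

def evaluate(s):
    """All matching policies apply together; a block overrides any grant."""
    matched = [(name, ctrl) for name, cond, ctrl in POLICIES if cond(s)]
    controls = {ctrl for _, ctrl in matched}
    if "block" in controls:
        decision = "block"
    elif "mfa" in controls:
        decision = "mfa_then_allow"
    else:
        decision = "allow"  # no policy matched: access with no further check
    return decision, [name for name, _ in matched]

def unverified_paths():
    """Enumerate every modelled context that ends in a plain 'allow'."""
    space = product([True, False],
                    ["domain_joined", "personal", "other"],
                    ["Exchange Online", "SharePoint Online"],
                    ["Outlook app", "Browser"])
    return [s for s in (SignIn(*v) for v in space)
            if evaluate(s)[0] == "allow"]

if __name__ == "__main__":
    for s in unverified_paths():
        print(s)
```

In this model, devices that are neither domain-joined nor personal are also allowed without verification when inside the corporate network, a case the three criteria do not address.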

Intune further complements Conditional Access by providing Mobile Application Management (MAM) policies to personal devices and Mobile Device Management (MDM) policies to company-owned devices.

Potentially you can go to town on these policies to control access, but in my experience the best approach is to keep it simple and not overcomplicate it. Have a set of baseline policies that you can enforce.

Azure AD Premium offers your users Single Sign-On to an unlimited number of third-party cloud apps and potentially ties in your Conditional Access to these third-party applications. This enables secure access to the Microsoft services as well as the likes of Salesforce, People HR/Workday, DocuSign, Concur and many more SaaS offerings.

You can then also offer the same Conditional Access to internal applications that have been published via the AppProxy. Azure AD Premium also offers your users self-service password reset.

A comparison of versions of AD Premium can be found here.

What are your options?

Whilst Office 365 licensing offers you access to the online services, to be able to secure it you need to purchase at least Azure AD Premium P1 (if you’re already using an existing MDM); if you have no MDM in place, EM+S E3/E5 would be the best licences to purchase.

Azure AD Premium P1 can be purchased individually, or it comes as part of the EM+S E3 bundled licence, which includes Azure AD Premium P1, Intune, Azure Information Protection P1, Microsoft Advanced Threat Analytics, ConfigMgr licences and Windows Server CALs. EM+S E5 offers these additional features on top of the EM+S E3 services: Azure Active Directory P2, Azure Information Protection P2 and Microsoft Cloud App Security.

Get in touch

If you’re interested in finding out more about the best way to secure access to Office 365, contact your Softcat Account Manager, or get in touch using the form below.
