Save to My DOJO
Microsoft 365 (formally Office 365) is quickly becoming essential for most modern workplaces. However, are the security concerns of using cloud-based infrastructures justified? What can Microsoft 365 admins do to make sure their vital data is as secure as it can be? We asked two Microsoft experts to discuss the issue in a live webinar (watch it now, for free) during which the audience asked some really great questions about the topic. Here is the full set of answers to the most pressing questions about Microsoft 365 security including additional questions about Altaro Office 365 Backup and responses to two polls answered by the attendees.
Poll 1 Results: What Challenges do you Encounter when Deploying Office/Microsoft 365 Security?
Poll 2 Results: Which of the following Security Features is Most Important to You?
Note that Altaro webinars are presented live twice on the day to enable as many people in different time zones the chance to attend. The questions here were collected from both webinar sessions. Similarly, the poll responses have been added together as well.
Questions about Office/Microsoft 365 Security
|Hi, we have a firewall that can do some of these things and we also have licenses for ATP. Should we use both products or rely on one?||Hi Joshua, I would rely on one if you can. The fewer products in the security stack the more secure your systems are (Generally)|
|Which sku will give us the ability to have SCCM licenses?||Licensing in the Microsoft world is always complex. However, the plans and pricing page for both M365 Business and M365 Enterprise provides a ton of information. For information on Enterprise SKUs look here – https://www.microsoft.com/en-us/microsoft-365/compare-microsoft-365-enterprise-plans. For information on Business SKUs look here – https://www.microsoft.com/en-us/microsoft-365/business#compareProductsRegion. Outside of that, I would suggest discussing further with you Microsoft Rep or Channel partner for more information.|
|Hello, David from the UK here. We’re looking to deploy MFA for all users but our initial checks indicate there are users using legacy auth on occasion, but we cannot see why that would be the case. Would you have any concerns about a rollout of MFA to all users and any pitfalls we should be mindful of?||I’ve found that users will accommodate MFA as long as there is plenty of upfront communication. Be sure to communicate the plan and show screenshots of what they should expect to see and you should be fine! 🙂|
|Can I use Endpoint Configuration Manager & Intune to push software on desktop computers, or is this just for mobile devices?||Yes, you can use Endpoint Config Manager to Push software. We’ll try to build some content around this in the future.|
|Hi. Why is Secure Score Max number different?||It depends on your license since different licenses contain different products so the “size” of the scan will vary.|
|Hi, I’m using Azure AD to manage the user of my local PC. From the management dashboard, I can define what each user can do or not do, correct?||I would suggest reviewing this document for more info: https://docs.microsoft.com/en-us/mem/intune/fundamentals/manage-windows-pcs-with-microsoft-intune|
|Regarding the Microsoft Secure Score, it is better to have a low or high score?||The higher the better for the secure score.|
|M365 Business Pre has AD p1 now, yes ??||For information on Enterprise SKUs look here – https://www.microsoft.com/en-us/microsoft-365/compare-microsoft-365-enterprise-plans. For information on Business SKUs look here – https://www.microsoft.com/en-us/microsoft-365/business#compareProductsRegion.|
|Where can I find the security center with the score?||https://security.microsoft.com/securescore|
|Can Global admin account be protected with conditional access?||Yes, you can target Conditional Access at a global admin.|
|Is there any policy to prevent a Global admin from changing the password of another global admin?||I would suggest you rework your group assignments to follow the best practice of least access, and reduce the number of global admins to remove this issue.|
|What’s the minimum 365 User licensing that gives you access to ATP?||ATP can be added to most M365 SKUs as an Addon. Check with your MS Licensing Partner, they should be able to provide that info for you.|
|Can I backup only parts of O365-Accounts? 300 members, but only 30 need backup (license costs)||Yes, you buy licenses per user, so you can subscribe to as many as needed (30).|
|Will an on-prem AD still be necessary in the short-term and the long-term future? I understood that for the moment the on-prem AD is mandatory for a Windows inhouse environment.||I certainly think on-prem AD will be around for quite a bit, but I would certainly recommend you start looking at a hybrid AD deployment at the very least. This will allow you to be prepared in either case.|
|What do you think of MS’s recommendations regarding passwords? Do you suggest changing the user’s password or not? Thank you!||It depends on your environment. For most use-cases, I think the new guidelines are fine, however, that changes if you’re in an environment that has strict compliance rules such as HIPPA, PCI, ITAR….etc.|
|Microsoft deploys new M365 security capabilities without hardly any notification.||Yes, regular updates happen weekly. If you subscribe to their team blog, you can see more of the highlights.|
|As an SME, what 365 licenses would you consider the minimum necessary for us to use Azure AD as an alternative to AADS? Would we have to use Microsoft 365 Business Premium or would Standard and Basic be workable?||This will depend on your particular use case, but I would say that Business Premium is the minimum starting point in comparison to ADDS|
|Checking all this is a time-consuming job. We have over 300 tenants, do you have any advice on how to effectively manage 300 tenants at a security level?||Take a look at this article by Sonia Cuff from the Azure Advocacy Team. She talks about using Azure Lighthouse and Arc for this: https://techcommunity.microsoft.com/t5/itops-talk-blog/managing-security-with-azure-lighthouse-and-azure-arc/ba-p/1032864|
|Is there a tool available to manage multiple tenants? We manage over 300 small tenants on security. We must log in on every tenant with an admin account or using our partner account.||Multi-tenant management is certainly a pain point. I would suggest reviewing the Azure Lighthouse series that Symon wrote. While it may not provide what you need today, the tool in evolving and is designed to make multi-tenant management easier for MSPs and CSPs – https://www.altaro.com/msp-dojo/onboard-azure-lighthouse/|
|How to force MFA authentication for Outlook Desktop Client? Needs Conditional Access and settings?||Review this article on Modern Authentication for a bit more info. this is the mechanism that is used to provide MFA with Installed Office Apps: https://docs.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/enable-modern-authentication?view=o365-worldwide|
|What M365 subscription are you showing in the seminar?||It varies based on the screenshot but it’s a combination of E3 and E5. We’ll highlight licensing here shortly.|
|Can you point out where to turn on these ATP features?||We’ll plan on building some content around how to do this. Tough to answer in a single question. Stay tuned.|
|Which plan is required for Teams PBX use.||For information on Enterprise SKUs look here – https://www.microsoft.com/en-us/microsoft-365/compare-microsoft-365-enterprise-plans. For information on Business SKUs look here – https://www.microsoft.com/en-us/microsoft-365/business#compareProductsRegion.|
|My experience with MFA is that it affects mobile as well as desktop apps. Is there a way to discriminate to only affect mobile and web?||You can use Conditional Access to control MFA requirements based on Platform if you’d like.|
|If you have half your org on M365E3 and half on Business Basic, how does the file and security aspects work with the BB users?||The Business Basic users would not have access to the same security features that the E3 users would have. If you want them to have certain advanced features you could look at upgrading them to a different SKU or adding on an EMS license or Azure AD Premium P1 or P2 depending on the need. Again, make sure you do an internal cost comparison based on your specific use case. Your MS Rep or partner can help with this exercise.|
|Does the Compliance Center take in consideration of Third Party Products that may be addressing some of these checks? For example, non-Microsoft spam filter?||I do not know for sure, but I doubt that it will be able to support this. If it is a part of the solution catalog, it may be covered.|
|Should I upgrade my subscription to Microsoft 365 Business Premium (formerly Microsoft 365 Business)?||It depends on your particular organization. I would look at both options, and do a feature/cost comparison and then make the decision based on that info.|
|What’s the difference between Office 365 ATP and Microsoft 365 ATP? Everything I see references Office 365 ATP as being included in Microsoft 365.||They are the same things. Microsoft is going through a confusing rebranding right now. O365 is being merged under M365.|
|If there a difference between Azure Active Directory that is used in the Essentials Experience role?||I’d suggest reviewing this page for more info: https://docs.microsoft.com/en-us/windows-server-essentials/get-started/what-s-new-19|
|My organization uses an on-premises AD and I’ve been trying to convince my boss that we should switch to Azure AD. In your opinion, what are the biggest 3 security selling points for Azure AD when compared to an on-premises AD? Thank you!||Hard to limit myself to just three. That said, I’ll attempt it. First, all the new features are developed cloud-first now at Microsoft, so all the latest and greatest will be in Azure AD at First. Azure AD allows you to provide identity services for a large range of services including integrated third-party applications. Finally, advanced services such as Azure PIM and Azure Identity Protection are just really powerful advanced identity features that just aren’t available in on-prem AD.|
|Can I get rid of local AD completely if I decide to use Azure AD?||Generally, this is possible, provided that all of your resources are connected to Azure. Many companies (including mine), use only Azure AD.|
|If you have time could you elaborate this a bit? We have a document management system (not sharepoint) that authenticates users via AD. How do I connect that local service to Azure AD? VPN?||The application needs to support modern auth via Azure AD. Check with your doc management system vendor on this. You could use Azure ADDS via a VPN just like you would on-prem AD though. However, that may not be supported by your vendor so again check with them. I hope that helps!|
|Does Altaro Backup solutions have PowerShell modules to allow users to automate backup functions?||Not a PowerShell module but there is a restAPI you can leverage with Invoke-Webrequest.. Info at altaro.com/api|
|Are there tools available to Azure AD join machines that are presently domain joined on-premises, en masse?||This document may help: https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan|
|How does the password complexity work, when on-prem password policy is in conflict with AAD policy?||If passthrough authentication is enabled the local policy would take precedence|
|What else is being synchronized through AAD Connect? Just passwords or certain policies too?||Lots of stuff! The full list can be found here – https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-azure-ad-connect|
|We support multiple tenants that we normally access through MS Partner portal for management. Is there a way to create visibility for all clients on one page, or we have to go into each client > ATP individually?||I do not know for sure, but I do not think this is possible yet. I suspect that once Azure Arc is extended to M365, that will be supported in the future.|
|What is the best authentication type for a small company? (password hash or pass-through auth)||It depends on your company and users. I would suggest you work through this document to help determine the way forward – https://docs.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn|
|Do you have a good comparison sheet with detailed plans for the different sku’s?||For information on Enterprise SKUs look here – https://www.microsoft.com/en-us/microsoft-365/compare-microsoft-365-enterprise-plans. For information on Business SKUs look here – https://www.microsoft.com/en-us/microsoft-365/business#compareProductsRegion.|
|Are there different licensing costs for M365 for education environments?||Yes, M365 does have education pricing. I’m afraid I don’t have the link or details, but their pricing webpage has a separate link.|
|Does is protect e-mail spoofing?||Generally yes, ATP will detect mismatched sender domains, different reply-all addresses, etc.|
Questions about Altaro Office 365 Backup
|Can you search for 1 e-mail in the restore?||Yes, with item-level restore this is possible.|
|Can Altaro users choose the data center location the data is backed up to? e.g. a UK/EU data center?||Currently, all data is backed up to the Azure / Europe / Netherlands datacenter.|
|Where is the backup data stored (GDPR)?||Altaro uses the Azure / Europe / Netherlands datacenter, which is GDPR compliant.|
|is Altaro Backup different from Altaro Office 365 backup ???||Altaro Backup is our range of backup solutions – one of which is Office 365 Backup.|
|Does Altaro O365 Backup restore to PST preserves its folder structure?||Yes, it saves the .PST file as the same format/structure as a regular .PST export.|
|Does it also backup SP and OneDrive?||It does. For full details visit: https://www.altaro.com/office-365-backup/|
|Is the Altaro cloud-hosted on Azure or an alternative platform (e.g. AWS)?||Azure 🙂|
|Can Altaro Backup backup Teams and chats etc?||Not yet. Altaro Office 365 Backup supports OneDrive and Exchange mailboxes currently, however, we have more features in the works including Teams backup.|
|In Altaro, can users themselves log in and restore their data?||Only admins have access to the Altaro O365 Portal, but if you add user access to this, they could perform the backup themselves. For security reasons, I probably wouldn’t recommend giving them access.|
|Hi, can we store Office 365 backups on our own local storage or is it only purely online storage?||All backups go to Altaro’s cloud (running in Azure, so data is protected). You can manually copy the .PST or .ZIP file locally, but this is an additional step.|
|Does Altaro 365 backup Sharepoint as well?||Yes, it does.|
|Can you use Altaro to backup M365 mailboxes to local storage alongside Altaro cloud?||By default, it gets stored in Altaro cloud so you don’t have to worry about storage (and it has unlimited capacity). You can copy the .PST or .ZIP file locally, but this is an additional manual step.|
|What kind of retention is available for Office 365 backup on Altaro?||All backups are saved indefinitely in the Altaro cloud (provided you have an active license).|
|For how long are the backups kept?||The backups are kept forever (provided that you retain your Altaro license) with no storage maximums. M365 limits you to 10 GB/user|
|Does Altaro Office 365 Backup only offer an online option, or are any offline options available too?||Currently, support cloud backup to a GDPR compliant Azure Datacenter in the EU. As the product develops further there may be additional options later on.|
|And can I backup to an offline NAS storage?||Altaro Backups will be automatically saved to the Altaro Cloud (running in Azure). If you wanted to take an additional copy, you can download the .PST or .ZIP file and store it locally, but this would be an additional manual step.|
|I am using Altaro backup for vim. Does the same license include Office 365 backup too, or do I need to purchase it separately? In case of purchasing it separately, is the license per-user based?||Altaro Backup licenses are acquired directly through Altaro. They are independent of the O365 license. Yes, it is licensed per user.|
|We are an MSP. Can we completely host the Office 365 backup (backup storage and management portal) on our own?||Currently no, but it is something we are open to discussing. Let’s make sure we connect.|
Poll 1 Results: What Challenges do you Encounter when Deploying Office/Microsoft 365 Security?
Multiple choice with multiple answers permitted
Poll 2 Results: Which of the following Security Features is Most Important to You?
Multiple choice with just one answer permitted
About the Webinar
The COVID-19 pandemic has caused a surge in remote work but also hackers looking to exploit the vulnerabilities of new users. Are you doing everything you can to protect your company’s Office/Microsoft 365 environment? Watch this on-demand webinar where Microsoft MVP Andy Syrewicze and Altaro Technical Consultant Symon Perriman demo the security features in the Office 365 stack that every administrator should be using. Features covered include:
- Azure AD
- EMS Suite
- Office 365 Secure Score
- Licensing for Security Features
- And More!
After this webinar, you’ll be armed with the knowledge needed to keep your remote workers secure, no matter where they’re working from in the world.
Not a DOJO Member yet?
Join thousands of other IT pros and receive a weekly roundup email with the latest content & updates!