This is a blog series that responds to common questions we receive from customers about deployment of Microsoft 365 security solutions. In this series you’ll find context, answers, and guidance for deployment and driving adoption within your organization. Check out Protecting user identities, the fourth blog in our eight-blog series on deploying Intelligent Security Scenarios.
Your users can create, edit, and share a single document securely, even when working with multiple stakeholders, both inside and outside of your company. With Microsoft security solutions, users can identify, classify, track, and protect documents to prevent leaks and block access by unauthorized readers. These security measures travel with the document, making it easy and much less risky for stakeholders to download files.
How can I make it easier for groups of people to securely work on the same document?
Provide a common, secure identity for your employees, by first importing their user identities into Azure Active Directory (Azure AD). Then integrate your on-premises directories with Azure AD using Azure AD Connect, which allows you to create a common, secure identity for your users for Microsoft Office 365, Azure, and thousands of other software as a service (SaaS) applications that are integrated with Azure AD.
To make it easy for your employees to work securely with users from other organizations, enable Azure AD B2B collaboration capabilities. Now you can provide access to documents, resources, and applications to your partners while maintaining complete control over your own corporate data (see Figure 1). For your customers, Azure AD B2C lets you build identities on Windows, Android, and iOS devices, or for the web, and allow your customers’ users to sign in with their existing social accounts or personal emails.
Figure 1. Azure AD B2B collaboration enables organizations using Azure AD to work securely with users from other organizations while maintaining control over their own corporate data.
How can I protect organizational data when my users view, edit, and share documents?
Azure Information Protection enables you to configure policies and “label” a document to control who can see, edit, or share it. For example, a user could apply a “Confidential” label to a sensitive document that would then prevent it from being shared externally. You can also track who opened a document and where, and then determine what that person can do with the document after it’s opened.
With Microsoft Data Loss Prevention (DLP) in Microsoft Exchange, you can take your information protection one step further and create rules that automatically identify sensitive content and apply the appropriate policy. For example, you can identify any document containing a credit card number that’s stored in any OneDrive for Business site, or you can monitor just the OneDrive sites of specific people.
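An added example, not from the original post, of the credit-card scenario above built with the Security & Compliance PowerShell cmdlets (ExchangeOnlineManagement module): a DLP policy scoped to OneDrive for Business sites plus a rule that blocks external sharing of documents containing credit card numbers. The policy name, admin account and site URL are constructed placeholders; the policy starts in test mode so nothing is blocked until you review the reports.

```powershell
# Added example (not from the original post). Assumes the ExchangeOnlineManagement
# module is installed and the signed-in account holds a compliance admin role.
# All names and addresses below are constructed placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName admin@contoso.com

# 1. Policy scoped to every OneDrive for Business site in the tenant.
#    TestWithNotifications reports and notifies but does not yet block.
New-DlpCompliancePolicy -Name "Credit card numbers in OneDrive" `
    -OneDriveLocation All `
    -Mode TestWithNotifications

# 2. Rule: a document with at least one credit card number that is shared
#    outside the organization is blocked, the owner is notified, and an
#    incident report goes to the site admin.
New-DlpComplianceRule -Name "Block external sharing of credit card numbers" `
    -Policy "Credit card numbers in OneDrive" `
    -ContentContainsSensitiveInformation @{ Name = "Credit Card Number"; minCount = "1" } `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner `
    -GenerateIncidentReport SiteAdmin `
    -IncidentReportContent "Detections"

# 3. To monitor only specific people's OneDrive sites instead of all of them,
#    scope the policy to their personal site URLs (constructed example):
#    New-DlpCompliancePolicy -Name "..." -OneDriveLocation "https://contoso-my.sharepoint.com/personal/alice_contoso_com"

# Review what was created, then switch the policy to -Mode Enable once the
# test-mode reports look right:
Get-DlpComplianceRule -Policy "Credit card numbers in OneDrive" |
    Format-List Name, BlockAccess, AccessScope, NotifyUser
```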
In addition to DLP, OneDrive for Business offers its own set of options for protecting and controlling the flow of organizational information. For example, you can block file syncing on unmanaged devices, audit actions on OneDrive for Business files, and use mobile device management policies to manage any device that connects to your organization’s OneDrive for Business account. You can control as much or as little of your employee permissions as you need to.
How can I protect email?
The same Microsoft DLP capabilities above can be applied to email in Exchange Online to better control data in email and prevent accidental data leaks. Use Office 365 Message Encryption for email sent to recipients on Outlook.com, Yahoo!, Gmail, and other email services. Email message encryption helps you make sure that only intended recipients can view message content. Office 365 administrators can define message flow rules that set the conditions under which a message is encrypted. For example, a rule can require the encryption of all messages addressed to a specific recipient.
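An added example, not from the original post, of the mail flow rule described above, created with Exchange Online PowerShell (ExchangeOnlineManagement module): one rule encrypts every message addressed to a specific recipient, and a second encrypts any message whose content matches the built-in credit card number sensitive information type. The admin account, recipient address and rule names are constructed placeholders.

```powershell
# Added example (not from the original post). Assumes the ExchangeOnlineManagement
# module and an account with the Exchange admin role; addresses and rule names
# are constructed placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# The "Encrypt" template ships with Office 365 Message Encryption; confirm it is
# present in this tenant before a rule references it.
Get-RMSTemplate | Where-Object Name -eq "Encrypt"

# Rule 1: any message sent to the partner mailbox is encrypted, whatever the
# sender chooses. -Mode Enforce applies the action (Audit only logs a match).
New-TransportRule -Name "Encrypt mail to partner finance" `
    -SentTo "finance@partner.example" `
    -ApplyRightsProtectionTemplate "Encrypt" `
    -Mode Enforce

# Rule 2: encrypt regardless of recipient when the body or attachments contain
# at least one credit card number, mirroring the DLP example earlier in the post.
New-TransportRule -Name "Encrypt mail containing credit card numbers" `
    -MessageContainsDataClassifications @{ Name = "Credit Card Number"; minCount = "1" } `
    -ApplyRightsProtectionTemplate "Encrypt" `
    -Mode Enforce

# Check the encryption rules, their priority order and whether they are enabled.
Get-TransportRule |
    Where-Object { $_.ApplyRightsProtectionTemplate } |
    Format-Table Name, Priority, State, SentTo
```

Rules are evaluated in priority order, so confirm with the final listing that no earlier rule stops processing before the encryption rule is reached.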
Deployment tips from our experts
Start by provisioning employee identities in Azure AD. Identity is the foundation for secure collaboration. Your first step is to import employee identities into Azure AD and then integrate your on-premises directories with Azure Active Directory using Azure AD Connect.
Protect documents and emails. Help protect information through access control, classification, and labeling that extend to shared documents and external stakeholders with Azure Information Protection. Then define message flow rules in Office 365 Message Encryption to determine the conditions for email encryption.
Plan for success with Microsoft FastTrack. FastTrack comes with your subscription at no additional charge. Whether you’re planning your initial rollout, need to onboard your product, or are driving user adoption, FastTrack is a benefit service ready to assist you. Get started at FastTrack for Microsoft 365.
Want to learn more?
For more information and guidance on this topic, check out the white paper “Collaborate and share documents securely in real-time.” You can find additional security resources on Microsoft.com.
Coming soon! “Productive and Secure,” the sixth installment of our Deploying Intelligent Scenarios series. In November, we will kick off a new series, “Top 10 Security Deployment Actions with Microsoft 365 Security.”
More blog posts from this series
- Tips for getting started on your security deployment
- Accelerate your security deployment with FastTrack for Microsoft 365
- First things first: Envisioning your security deployment
- Now that you have a plan, it’s time to start deploying
- New FastTrack benefit: Deployment support for co-management on Windows 10 devices
- Assessing Microsoft 365 security solutions using the NIST Cybersecurity Framework
- Enable your users to work securely from anywhere, anytime, across all of their devices
- Protect your data in files, apps, and devices
- Cybersecurity threats: How to discover, remediate, and mitigate
- Protecting user identities