Azure Authentication, Identity, and Access Management Best Practices (The Series)

Over the years, I have watched authentication processes evolve into what we know today. My clients, whether already in the cloud or looking into adopting it, constantly ask me about the “best practices” for securing their Microsoft cloud adoption. That is why I have decided to write this blog post series on Microsoft Cloud authentication, identity and access management.

Network firewalls used to be considered the perimeter defense of the network. With cloud services, however, that perimeter keeps getting more porous, and perimeter defense can no longer be as effective as it was before the explosion of BYOD devices and cloud applications.

Today, enterprises are starting to understand that identity needs to be the primary perimeter for security. This is a shift from the traditional focus on network security. Azure Active Directory (Azure AD) is the Azure solution for identity and access management. Azure AD is a multitenant, cloud-based directory and identity management service from Microsoft. It combines core directory services, application access management, and identity protection into a single solution.

Best Practices

  1. Centralized Identity Management (Best Practice 1/10)
  2. Enable single sign-on for the Microsoft Cloud (Best Practice 2/10)
  3. Enable Conditional Access (Best Practice 3/10)
  4. Enable self-service Password reset with Azure AD Premium (Best Practice 4/10)
  5. Enable Conditional Access for cloud access (Best Practice 5/10)
  6. Enforce multi-factor verification for users (Best Practice 6/10)
  7. Use role-based access control (Best Practice 7/10)
  8. Turn on Azure AD Privileged Identity Management (Best Practice 8/10)
  9. Define at least two emergency access accounts (Best Practice 9/10)
  10. Ensure all critical admin roles have a separate account for administrative tasks (Best Practice 10/10)

Exchange Online Multi-Geo for data at-rest

Multinational companies with offices around the world often need to store their employee data at rest in specific regions in order to meet data residency requirements. Multi-Geo enables a single Office 365 tenant to span multiple Office 365 datacenter geographies (geos), which gives you the ability to store Exchange data at rest, on a per-user basis, in your chosen geos. The two main considerations are the following:

  1. Multi-Geo is currently available to customers with a minimum of 2,500 Office 365 services subscriptions and has to be requested directly from Microsoft.
  2. The only available Geos are: Australia, Asia Pacific, Canada, European Union, France, India, Japan, Korea, United Kingdom, and United States.

Top 10 reasons why you should use a Hybrid Migration over a Staged migration (Exchange Online)

I published this list a few years ago, but I think it is still very relevant, which is why I decided to review it and put it back on top. This is by far my preferred migration method.

  1. Secure mail routing between on-premises and Exchange Online organizations, which requires TLS authentication.
  2. A unified global address list (GAL), also called a “shared address book.”
  3. Free/busy and calendar sharing will continue working between on-premises and Exchange Online.
  4. Centralized control of inbound and outbound mail flow. Customers can configure all inbound and outbound Exchange Online messages to be routed through the on-premises Exchange organization.
  5. A single Microsoft Office Outlook Web App URL for both the on-premises and Exchange Online organizations. Users will continue visiting OWA and will be redirected from there to the cloud if needed.
  6. The ability to move existing on-premises mailboxes to the Exchange Online organization without interrupting the end-user.
  7. Exchange Online mailboxes can also be moved back to the on-premises organization if needed.
  8. Centralized mailbox management (Cloud and on-premises mailboxes) using the on-premises Exchange admin center (EAC).
  9. Message tracking, MailTips, and multi-mailbox search between on-premises and Exchange Online organizations will continue working.
  10. No need to reconfigure the end users’ profiles. Users will keep their rules, signatures and .nk2 files in their Outlook.