Listed below are a few important topologies one must be aware of while working on Office 365.
- Active Directory Federated Services (ADFS)
On-premises security token service (STS) that provides simplified, secure identity federation and Web single sign-on (SSO) capabilities for users who want to access applications within an AD FS-secured enterprise, in federation partner organizations, or in the cloud. Federated identities with Modern Authentication-enabled clients interoperate with EvoSTS, which is the Azure AD STS.
ADFS indirectly supports CA scenarios, as it offers a set of controls known as client access filtering that allow the creation of perimeter network-based policies based on IP range, accessed workload, or client type (browser vs. rich client).
- Multi-Factor Authentication (MFA)
Protects access to data and applications by requiring a second form of authentication. Strong authentication is available through a range of verification options.
- Azure Active Directory Premium
For all CA scenarios that leverage Azure AD, Azure AD Premium adds feature-rich enterprise-level identity management capabilities and enables hybrid users to seamlessly access on-premises and cloud capabilities. It includes everything information workers and identity administrators need in hybrid environments across application access, self-service identity and access management, identity protection, and security in the cloud.
- Azure Rights Management Services (RMS)
Uses encryption, identity, and authorization policies to protect files and email. Information protection applied by using Azure RMS stays with the files and emails independently of their location, allowing customers to remain in control of their data even when that data is in motion.
- Conditional Access (CA)
CA allows customers to selectively allow or disallow access to Office 365 based on attributes such as device enrollment, network location, group membership, etc.
- Device-based CA restricts access to devices that are managed by the organization and are in a healthy state. Device-based CA is a feature of Intune. Users must enroll their devices in Intune, which validates that the device meets the organization's access rules regarding device health and security.
- There are other CA scenarios that do not require device enrollment, such as restricting access to specific locations only. These scenarios do not require Intune and are provided through Azure AD Premium access control features.
- Data Loss Prevention (DLP)
Helps identify and monitor sensitive information, such as private identification numbers, credit card numbers, or standard forms used in your organization. DLP policies enable you to notify users that they are sending sensitive information and to block the transmission of sensitive information.
- Microsoft Enterprise Mobility + Security (EMS)
Provides identity and access management, MDM, MAM and Azure RMS. Intune is a part of EMS.
- Microsoft Intune (Intune)
Intune is a cloud-based service that helps you manage Windows PCs as well as iOS, Android, and Windows mobile devices. Intune also helps protect corporate applications and data. You can use Intune alone, or you can integrate it with Microsoft System Center Configuration Manager 2012 R2 to extend your management capabilities.
- Mobile Application Management (MAM)
Controls how corporate-managed applications work and interact with other managed applications and unmanaged applications (e.g., provides the ability to restrict user actions such as copy, paste, download, etc.). Available through Intune.
- Mobile Device Management (MDM)
Provides the ability to configure mobile device policies, such as enforcing complex PINs or passwords, blocking devices that have been jailbroken or rooted from syncing email, and disabling Bluetooth. Available through Office 365 MDM and Intune.
- Modern Authentication
Provides OAuth-based authentication for Office clients against Office 365 using the Active Directory Authentication Library (ADAL). It replaces the Microsoft Office Sign-In Assistant and allows for CA policies, so that administrators can define granular application- and device-based controls for corporate resources.
Thanks for reading this post. Good luck with Office 365!