Microsoft 365Business Premiumadvanced security and management capabilities

• Many topics have links to docs.microsoft.com content.• This training uses the new Microsoft 365 portals.• Most docs articles use the old portals. The old portals still work, but it is

recommended to use the new portals.• The docs articles are still useful for use cases and steps are similar in the new

portals.• All slides with step lists are hidden. Un-hide relevant slides as necessary.• If you have a demo environment, it would be better to use this rather than

the pre-recorded demos.

Trainer prep guide

What are Microsoft 365 Business Premium advanced security and management capabilities?

Microsoft 365 Business Premium service description• Best in class productivity comes

with Microsoft 365 Business Standard.

• Includes:• Office apps• Email and calendaring• Teamwork and communication• File storage

• Microsoft 365 Business Premium adds advanced security, device management, and Azure Active Directory Premium P1.

Microsoft 365 subscriptions and security capabilities

Microsoft 365 security features

Microsoft 365 Business Premium includes a range of security features including:• Device and application management in the Microsoft 365 admin center• Microsoft Defender for Office 365• Microsoft Defender Antivirus• Microsoft Intune• Conditional access

Microsoft 365 security features

Microsoft 365 Admin Center security features• Set application management

settings for Android or iOS devices

• Set application protection settings for Windows 10 devices

• Set device protection settings for Windows 10 devices

• Remove company data from devices

• Reset Windows 10 devices to their factory settings

Microsoft Defender for Office 365 Plan 1 is included with Microsoft 365 Business Premium and consists of:• Safe Attachments for email to check attachments in messages as an

additional layer of protection in addition to Exchange Online Protection.• Safe Links to scan URLs in email messages.• Safe Attachments for SharePoint, OneDrive, and Microsoft Teams to help

detect and block existing files that are identified as malicious in team sites and document libraries.

• Anti-phishing in Defender for Office 365 protection to block messages from impersonated email addresses.

• Real-time detections to help your security operations team investigate and respond to threats efficiently.

Microsoft Defender for Office 365

Microsoft Defender Antivirus

As well as notifying users, with Microsoft 365 Business Premium, you can see threat detections in the Microsoft 365 admin center.

You can also see if any devices need antivirus detection and if any devices are not in compliance with your security policies.

• Cloud-based solution to provide mobile device management and mobile application management.

• Can co-manage with Configuration Manager and Intune.

Microsoft Intune

Conditional Access

Protect against connections from unexpected sources such as locations, networks, apps and users.

Allows you to require multi-factor authentication.

Can require apps to use Intune app protection and block apps that use legacy authentication.

Microsoft 365 compliance features

• Automatically detect sensitive information, for example:• Bank account information

• Health records

• Proprietary corporate data

• Implement data loss prevention (DLP) by defining and applying DLP policies.• Microsoft 365 uses deep content analysis including machine learning to detect

content that matches your DLP policies.• DLP policies can monitor:

• Microsoft 365 services such as Teams, Exchange, SharePoint, and OneDrive

• Office applications such as Word, Excel, and PowerPoint

• Windows 10 endpoints

• Non-Microsoft cloud apps

• On-premises file shares and on-premises SharePoint

Data loss prevention

Exchange Online Archiving

Microsoft 365 Business Premium includes Exchange Online Archiving, which has the following features:

• Archive mailbox

• Deleted item recovery

• Retention policies

• In-Place Hold and Litigation Hold

• In-Place eDiscovery

• Documents often get sent both inside and outside an organization.• Sensitivity labels can encrypt or watermark documents and protection

persists outside the organization.• Need to have set up sensitivity labels in the Microsoft 365 compliance

center at https://compliance.microsoft.com:• In Information protection, create the labels that you need.

• Create Label policies to publish one or more labels to your users’ Office apps.

• Create auto-labeling policies to automatically apply sensitivity labels to email messages or OneDrive and SharePoint files.

Sensitivity labels

Microsoft 365 Business Premium setup

• Before you start setup you need to know:• List of users to add to Microsoft 365.• How to notify users of their user ID and password bearing in mind that they won’t have access to

email.

• If you have a domain name and will be using Microsoft email, you need the domain registration information.

• Decide whether to migrate all at once or gradually:• Running the Microsoft 365 setup wizard will migrate everything.

• You can add users so that they can install apps, set up Microsoft Teams, and move content to OneDrive or SharePoint in independent actions. You can then go to https://admin.microsoft.com and use the Setup page to move your domain and email.

Subscription setup

• Ensure all Windows devices are running at least Windows 10 Pro version 1703.

• There is a free upgrade included with Microsoft 365 Business Premium for devices running Windows 7 Pro, Windows 8 Pro, or Windows 8.1 Pro.

• If you have a new device, during setup choose Set up for an organization.• If you have an existing Windows 10 Pro device, go to Settings, select

Access work or school, and select Connect. Under Alternate actions, choose Join this device to Azure Active Directory. The device will be upgraded to Windows 10 Business.

Device setup

Mobile device setup• For an iPhone, open the App Store,

install Microsoft Office apps and sign in using your work email address.

• For Android, open the Play Store, install Microsoft Office apps, sign in using your work email address, and, when prompted, follow the prompts to install the Intune Company Portal.

• Once you have installed Outlook or Office onto a mobile device, the emails and files will be protected by Microsoft 365.

Increase security and compliance with Microsoft 365 Business Premium

Introduction to security and complianceSecurity and compliance has multiple facets.

Security:

• Anti-malware• Anti-phishing• Anti spam• Conditional Access

Compliance:

• Data loss prevention• Email retention

• Secure Score gives you a score to represent your organization’s security posture and tips to improve security and, therefore, the score.

• Recommendations are given for products that you have licensed.• Points are given for the

following actions:• Performing recommended

security related tasks.

• Configuring security featurescorrectly.

• Points are given regardless ofwhether a Microsoft or third-party solution is used.

• To access Secure Score, go to https://security.microsoft.com.

Assess security protection with Secure Score

Anti-malware

To increase malware protection in email, you should block attachments with file types commonly used in malware attacks.

The Microsoft 365 Defender portal includes anti-malware policies that can be directly implemented or edited, as required.

Anti-phishing

Custom domains can be the victims of phishing attacks, for example when a malicious attacker impersonates another person in an email.

The Microsoft 365 Defender portal includes an anti-phishing wizard to create an anti-phishing policy.

Protect users with Safe Links

Another form of phishing attack is to include links to malicious websites in emails or files. By only including a link, rather than attaching a malicious file, malicious links can evade many forms of virus protection.

The Microsoft 365 Defender portal includes safe links policies to protect you from this form of attack.

• Spam involves mass emailing which could be for marketing purposes or could be an attempt to spread malware.

• Spam could come from outside your organisation, but could also come from a user in your organisation sending outbound spam, perhaps in an over-enthusiastic marketing campaign.

• The Microsoft 365 Defender portal includes anti-spam policies to protect against inbound and outbound spam.

Anti-spam

Safe attachments policy

Attachments are commonly sent by email and it is hard to know whether the attachment contains malware.

The Microsoft 365 Defender portal includes safe attachments policies to block attachments that contain malware.

• Available with Azure Active Directory P1 license.• Included with Microsoft 365 Business Premium license.

• Includes policies to protect Active Directory resources no matter where users are.

• Can block access based upon:• User or group membership

• IP Location information• Device platform or state

• Specific applications• Real-time and calculated risk detection

Conditional Access

Conditional Access

• Access can be granted based upon:

• Require multi-factor authentication• Require device to be marked as compliant• Require Hybrid Azure AD joined device• Require approved client app• Require app protection policy (preview)

Application proxy

• Provide access to internal intranet sites to authorized users from the Internet.

• Users can be pre-qualified.

• Internal intranet servers are not exposed to DDoS attacks.

Data loss prevention (DLP) policies protect against the loss of sensitive information. Microsoft 365 Business Premium includes over 40 ready-to-use templates for common regulatory policies including the Gramm-Leach-Bliley Act (GLBA), United States Personally Identifiable Information (U.S. PII), and General Data Protection Regulation (GDPR).

The Microsoft 365 compliance portal includes DLP policy templates to enable you to apply common regulatory policies.

Data loss prevention

• Some users and some organizations need to keep emails for a number of years for legal reasons.

• You might need to recover data after a security breach.• You might need to recover deleted items.• The Microsoft 365 compliance portal includes retention policies to enable you to

ensure that specific users, groups of users, or all users, have emails retained for a defined period of time.

Email retention

• Archive mailboxes can provide additional storage for users who might need to store messages for compliance reasons.

• Once archive mailboxes are enabled, messages will be moved to the archive mailbox based on the retention settings.

Archive mailboxes

Walkthrough

Increase threat protection with Microsoft 365 Business Premium

Introduction to threat protection

Threat protection includes threats from ransomware, viruses and the automatic forwarding of emails.

• Ransomware attacks typically encrypt files or lock computers and ask for “ransom” to restore access. In addition to protecting against malware it is good practice to warn users that files might contain macros.

• With Microsoft 365 Business Premium you can protect against ransomware by creating a rule to warn against opening attachments in the Exchange admin center.

Protect against ransomware

• Consider using Microsoft Defender Antivirus• Available for Windows and Android.

• Microsoft Defender for Endpoint is available for Mac, Linux, and iPhone

• If your Windows 10 devices are enrolled in Intune and you have less than 800 devices, threats are listed at https://admin.microsoft.com. You can access threats by selecting Health and selecting Threats & antivirus.

Protect against viruses

The Microsoft Defender Antivirus card and Active threats page are being rolled out in phases, so you may

not have immediate access to them.

Manage threat detections

The Microsoft 365 admin center lists detected threats and detected threats by device.

A common hacking technique is to set up auto-forwarding for a compromised account. Some or all messages can then be sent to a third-party to gain confidential information.You can create a rule to prevent auto-forwarding in Exchange admin center.

Stop auto-forwarding for email

Manage devices and app data with Microsoft 365 Business Premium

Introduction to managing devices and app data

Because most personal computing devices are now mobile, whether they are laptops or cell-phones, it is important to implement policies to protect sensitive data on these devices. Furthermore, it might be necessary to wipe all of the data on a device if it is lost or stolen.

• You can manage mobile devices in the Windows 365 admin center.• Can apply app management policies for Windows 10, Android, and iOS

devices.• Policies can protect files when devices are physically away from an

organization.• Policies can protect files if a device is lost or stolen.• Policies can restrict how users can access Office files. For example, you could

require authentication with a fingerprint or pin, before opening Office apps.• You can remove company data from mobile devices.• You can reset Windows 10 devices to their factory settings.

Managing mobile devices

• A Microsoft 365 Business Premium subscription gives you a license to modify any Intune settings that map to settings available in Microsoft 365 Business Premium policies including all Android and iOS settings.

• Most settings can be modified directly from the Microsoft 365 admin center.

How do protection features in Microsoft 365 Business Premium map to Intune settings?

Walkthrough

Set up devices with AutoPilot

Windows AutoPilot enables you to set up and pre-configure devices in a consistent and automated way. This ensures that all devices have your prescribed set of software and settings which will improve your security posture.• Windows AutoPilot is a feature that is available with Microsoft 365 Business

Premium which allows you to automatically set up new Windows 10 devices.• Devices must have Windows 10, version 1703 or later and must not have

been through the Windows out-of-box experience.• You create one or more profiles and assign profiles to device lists.• Profiles are applied to devices the next time the device user signs in.

Introduction to setting up devices with Windows AutoPilot

To enable AutoPilot, you must perform the following steps:• Create a profile that defines the configuration that you want to apply to new

devices.• Create AutoPilot devices that list the serial number of every device that you

wish to enrol in AutoPilot.• Assign the relevant profile to each device.

Enabling AutoPilot

Before you go

USOCPEnablement@Microsoft.com

Aka.ms/MWS.SMBAka.ms/MWS.SMB.Learning

yammer.com/msuspartner

Programs eligibility might vary; Terms and conditions apply.

Please fill out surveyAka.ms/SMB.Survey