Active Directory (English)

Disaster recovery for Remote Desktop Services: New resources available


This post is authored by Haley Rowland, Program Manager, Remote Desktop Services.

We’ve published new documentation on how to protect the resources running in your RDS deployment and enable disaster recovery through a geo-redundant RDS deployment.

When you deploy Remote Desktop Services into your environment, it becomes a critical part of your infrastructure, particularly the apps and resources that you share with users. If the RDS deployment goes down due to anything from a network failure to a natural disaster, users can’t access those apps and resources, and your business is negatively impacted. To avoid this, you can configure a disaster recovery solution that allows you to fail over your deployment – if your RDS deployment is unavailable, for whatever reason, there is a backup available to automatically take over.

To keep your RDS deployment running in the case of a single component or machine going down, we recommend configuring your RDS deployment for high availability. You can do this by setting up an RDSH farm and ensuring your Connection Brokers are clustered for high availability.

The disaster recovery solutions we recommend protect your deployment from catastrophic disaster, something that takes down your entire RDS deployment (including redundant roles configured for high availability). If such a disaster hits, having a disaster recovery solution built into your deployment will allow you to fail over the entire deployment and quickly get apps and resources up and running for your users.

Use the following information to deploy disaster recovery solutions in RDS:

  • Leverage multiple Azure data centers to ensure users can access your RDS deployment, even if one Azure data center goes down (geo-redundancy).
  • Deploy Azure Site Recovery to provide failover for RDS components in site-to-site or site-to-Azure failovers.

Azure Information Protection “Do not track” feature now in Preview


Hi everyone, and welcome to an important post for those of you who have been using the document tracking and revocation feature. We received feedback from some of you around privacy and compliance when using this feature and we’ve tried to address that with this release.

We are excited to release in preview the new Do not track feature which gives organizations flexibility to configure a group of users within their company who should not be tracked because of privacy or compliance reasons.

You can now configure Do not track for users by adding them to a mail-enabled group email address from Azure AD (this can be a cloud-native or synced group). Once configured, you will no longer be able to track activities of users of this group. Admins can configure the feature for specific groups by running new PowerShell commands added to the admin tool.

Let’s take a deeper look

If, for privacy or compliance reasons, your organization has users whose document tracking activities should not be tracked, add them to a group that is stored in Azure AD, and specify this group with the Set-AadrmDoNotTrackUserGroup cmdlet.

For the members of this group, activities related to documents that others have shared with them are not logged to the document tracking site. In addition, no email notifications are sent to the user who protected and shared the documents.

As you can see in the example below, Bob is a member of the AIPDonotTrack group.

We have a document shared with both Bob and Tim:

Bob and Tim both viewed the document, but we can only see Tim’s document tracking activities, because Bob is in the AIPDonotTrack group.

A few questions you may have

I have added users to the Do not track group and yet I see their previous document tracking activity in the portal. Why?
This is expected behavior. You will see the users’ previous document tracking activities (from before they were added to the Do not track group) in the portal on the Timeline and Map pages. The List page, on the other hand, shows only the most recent activity per user, so it will not contain the Do not track users’ activity.

Will admins still be able to track Do not track users’ document tracking activities?
Yes, but that will be supported soon. Until then no user (including global admins) can view document tracking activities of Do not track users.

Can Do not track users still track and revoke their protected documents?
Absolutely. When you use this configuration in your company, all users including the Do not track user group can still use the document tracking site and revoke access to documents that they have protected.

We know this can be a lot to absorb, and we are here to help! Engage with us on Yammer, Twitter or send us an e-mail to

It really is very easy to get started with AIP. We have a lot of information available to help you, from great documentation to engaging with us via Yammer and e-mail. What are you waiting for? Get to it!

Thank you,

Dan Plastina on behalf of our enthusiastic Azure IP team.
Twitter: @DanPlastina

How do your enterprise mobility and security solutions stack up?


Many of our customers have existing mobility and security solutions that are either legacy investments or focused point solutions that respond to specific needs; very few organizations are able to start from scratch. The complexity of coordinating multiple point solutions, combined with the leaner budgets and shrinking bandwidth of IT, can make it challenging to evaluate how your mobility strategy stacks up to current market options. So, we made it easier for you: take the Enterprise Mobility Assessment.

The Enterprise Mobility Assessment walks you through a series of focused questions that determine your existing levels of control and flexibility available to IT administrators through solutions for identity and access management, mobile device and application management, and data security and information protection. The assessment only takes about 10 minutes and can help you evaluate the strength of your enterprise mobility and security strategy across your environment.

Once you complete the assessment, you’ll receive a summary report that outlines how your current solutions compare to industry-leading technologies and documents your strengths, security and management gaps, as well as your potential areas of risk.

You’ll also receive a consultation with a solutions specialist who can review your results and help you plan your next steps to address your specific mobility and security needs.

For current Enterprise Mobility + Security (EMS) customers, the assessment tool can help you identify opportunities to maximize the value of your investment. There are features and capabilities, like Conditional Access, that work across multiple solutions in EMS. You may be able to increase control and management for IT simply by deploying and using EMS solutions that you already own. If you’re interested in deployment, check out FastTrack, a program included with many EMS licenses, that connects you to experts and resources to help you build your mobility and security strategy. And, of course, you can always connect to one of our experts.

Ping Access for Azure AD is now Generally Available (GA)!


Howdy folks,

Many of you already use Azure AD Application Proxy to provide single sign-on (SSO) and secure remote access to your users for web applications hosted on-premises. However, some of you also need Azure AD Application Proxy to support on-premises apps that use headers for authentication.

As you may remember from our public preview announcement, we’ve partnered with Ping Identity to make this happen.

Today, I’m happy to announce that PingAccess for Azure AD is now generally available! We’ve worked closely with our customers to validate this solution, which integrates Ping Access with Azure AD Application Proxy.

If you need to provide secure remote access to applications that use header-based authentication, now is a good time to look at this solution. If you’ve been waiting for general availability before deploying it to your production environment, now you’re good to go!

Configure your applications to use PingAccess for Azure AD with just four steps:

  1. Configure Azure AD Application Proxy Connectors
  2. Create an Azure AD Application Proxy Application
  3. Download & Configure PingAccess
  4. Configure Applications in PingAccess

Our Application Proxy + PingAccess documentation provides a detailed walkthrough for each of these steps. Try it out and tell us what you think! Please leave us a comment or reach out to us at with any feedback. We look forward to hearing from you!

Best regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity Division

Azure AD makes the "leader" quadrant in Gartner’s 2017 Magic Quadrant for Access Management!


Howdy folks,

I have great news to share with you today! Gartner released their 2017 Magic Quadrant for Access Management (AM MQ), which shows that Azure Active Directory is placed in the leaders quadrant and is positioned very strongly for completeness of vision.

The AM MQ is the evolution of the Identity and Access Management as a Service (IDaaS) MQ, which was discontinued last year, and Azure AD has been in the leaders quadrant two out of the three years the service has been generally available!

Gartner 2017 Magic Quadrant for Access Management

We have worked with Gartner to make complimentary copies of the report available, which you can access here.

This amazing placement validates our vision of providing a complete identity and access management solution for employees, partners, and customers, all backed by world-class identity protection based on Microsoft’s Intelligent Security Graph.

Gartner’s analysis says a lot about our commitment to the identity and access management space. More importantly, though, it says a lot about our customers, implementation partners, and ISV partners who have worked with us, sharing their time and energy every day to ensure the products and services we build meet their needs and position them to thrive in a world increasingly driven by cloud technology.

We promise to continue delivering innovative capabilities to address your needs in the identity and access management space and to further improve our position in the leaders quadrant of the Gartner AM MQ.

Best regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity Division

The New Intune and Conditional Access Admin Consoles are GA


There are a handful of topics that consistently come up whenever I meet with our customers and partners and one of the most common has to do with how to balance productivity for end users with the need for security and control of company data. The tension between these two needs is the stage upon which an even bigger challenge constantly looms: Every IT team on earth being asked to do more with less at a time when technology keeps accelerating and the landscape of their own industry shifts beneath their feet.

The request I get in these meetings is very clear and consistent: We need efficient solutions that make it easier to manage and control growing complexity; can you help us reduce the complexity we are dealing with?

This is where we bring in the good news: Managing Intune and Conditional Access together with Azure AD just got a lot easier for our rapidly growing community of IT Professionals. As of today, we have reached two important milestones for Microsoft Intune and for EMS Conditional Access capabilities: Both new admin experiences are now Generally Available in the Azure portal!

Here’s how Intune’s redesign helps your organization

Intune’s move to the Azure portal is, in technical terms, a really big deal. Not only did the Intune console change, but all of the components of the EMS console experience have now come together. The process of migrating capabilities into the new portal was an incredible opportunity to reimagine the entire admin experience from the ground up, and what we are shipping today is an expression of our unique vision for mobility management, shaped by the needs of our over 45K unique paying customers.

I love the progress we’ve made here. Intune on Azure is great for our existing customers because they can now manage all Intune MAM and MDM capabilities in one consolidated admin experience, and they can leverage all of Azure AD seamlessly within one experience. Awesome.

There is actually a whole lot more going on behind the scenes of the new administrative experience. Not only have the administrative experiences converged, but we also converged Intune and Azure Active Directory onto a common architecture and platform. Converging the architectures dramatically simplifies the work we do to support it, the work you do to use it, and it enables some incredible end-to-end scenarios across Identity and Enterprise Mobility Management.

Here are the 3 things you need to know about Intune on Azure:
  1. It’s built to leverage Azure’s hyper scale
    The Azure platform provides huge increases in elasticity and reliability for Intune, and it provides the foundation for nearly unlimited scale. The new admin experience will also run on any browser on any device form-factor. Now you can manage Intune from anywhere, even from your phone!
    The redesigned architecture and new console bring nearly unlimited scale to the service. We currently have customers that are rapidly growing to 100,000s of devices in a single tenant. No problem! One customer has shared that they associated a sophisticated policy to ~200,000 users and what took hours in the past was done in less than 3 minutes. Now, because this is built into the Azure console, you get all the rich role-based administration for delegation of authority.
  2. It’s optimized for cross-EMS workflows
    With Intune’s move to Azure and the Azure Portal, we now share a console experience with other core EMS services like Azure Active Directory and Azure Information Protection. Having the collective power of these services living side-by-side makes them more effective and easier to manage across identity and access management, MDM and MAM, and information protection workloads.
    For example: If you’ve just finished creating a set of conditional access policies to control access to data using Intune in the same portal environment, you’re now just a click away from adding additional app protection policies that ensure that your data is protected after it’s been accessed and is in use on mobile devices.
    The Intune transition to Azure also delivers deep integration with Azure Active Directory groups, which can represent both users and devices as native, dynamically targeted groups that are fully federated with an organization’s on-premises Active Directory.
  3. You can simplify, automate, and integrate management with Microsoft Graph
    Built on the Microsoft Graph API, the new Intune experience also opens the door for broader systems integration and automation. This means that our customers can now simplify, automate and integrate workflows across Intune and the other services they are using however they see fit. For more information about what you can do with this, I really recommend this post. Microsoft Graph API capabilities are currently in preview; expect a GA announcement for this functionality in the coming quarter.

If you haven’t tried Intune on Azure, we invite you to jump into this new experience with us. To check it out for yourself, log into the Microsoft Azure portal right now. We’re always listening and learning from your feedback, and we want to hear what you think! Since we put this into preview in December there have been more than 100k paying and trial tenants provisioned!

Conditional Access: the new admin experience in the Azure portal

The new conditional access admin experience is also Generally Available today. Conditional access in Azure brings rich capabilities across Azure Active Directory and Intune together in one unified console. We built this functionality after getting requests for more integration across workloads and fewer consoles. The experience we’re delivering today does exactly that.

Organizations everywhere face the challenge of enabling users on an ever-expanding array of mobile devices, while the data they are tasked with protecting is moving outside of their network perimeter to cloud services and all of this happens while the severity and sophistication of attacks are dramatically accelerating. IT teams need a way to quantify the risks around the identity, device, and app being used to access corporate data while also taking into consideration the physical location and then grant or block access to corporate apps/data based upon a holistic view of risk across these four vectors. This is how you win.

Conditional access allows you to do this and ensure that only appropriately authenticated and validated users, from compliant devices, from approved apps, and under the right conditions have access to your company’s data. The functionality at work here is technologically incredible, but it’s not always obvious how granular and powerful these controls really are. The new conditional access experience on Azure now makes the power of this technology crystal clear by showcasing the deep controls you have at every level in one consolidated view:

Now you can easily step through a consolidated flow that allows you to set granular policies that define access at the user, device, app and location levels. Over the last 6 months, as I have shown this integrated experience to 100s of customers, the most common comment has been: “Now I completely see what Microsoft has been talking about: how Identity management/protection has needed to work with Enterprise Mobility Management to protect our data.” Microsoft’s Intelligent Security Graph is also integrated here, delivering a dynamic risk-based assessment into the conditional access decision.

You can also control access to resources based on a user’s sign-in risk via the vast data in. Once your policies are set, users operating under the right conditions are granted real-time access to apps and data; however, as conditions change, intelligent controls kick in to make sure that your data stays secure. These controls include:

  • Challenging a user with MFA to prove that they are who they say they are.
  • Prompting the user to enroll their device in Intune.
  • Guiding the user to make adjustments to their device to meet your org’s security requirements.
  • Blocking access altogether or even wiping a device.
  • Granting different access privileges when using a native app (Word) vs. a web app (Word Online)

We believe Microsoft is uniquely positioned to deliver solutions that are this comprehensive and sophisticated yet remain simple to operate. With EMS, these types of functionalities are possible because we’re building them together, from the ground up, to deliver on our commitment for secure and mobile productivity.

You can access the new conditional access console in the menu within both the Intune and Azure AD blades. To see this functionality in action, check out this Endpoint Zone episode.

What’s Next

Our commitment to ongoing innovation means we never stop listening, shipping and reaching for what’s next. Looking ahead, we’ll continue to release new features and enhancements at a steady pace throughout the year. From this point forward, all new Intune and conditional access features will be delivered in the new portal, so keep an eye out.

Also: Don’t hesitate to let us know what you think; our dialog with customers is our most valuable development input.

One last note: This is a really significant day for all of us. I am so pleased with the work that has been done here at Microsoft on the architecture and administrative experiences. I’m happy for the team and what has been accomplished. I am so pleased with the feedback that has come in from so many customers about the richness and vibrancy of the new admin experience as well as how performant the services are. And, at the risk of sounding redundant, I’m happy to hear how much this has simplified your work while delivering incredible new, unique value such as the integrated Conditional Access.



How Fileless malware challenges classic security solutions


This post is authored by Itai Grady, Security Researcher, Advanced Threat Analytics R&D.

A bank in Poland previously discovered unknown malware running on several of its computers, exposing a wave of attacks that affected organizations from at least 31 countries.

What’s unique about this attack is the use of a piece of sophisticated malicious software that managed to reside purely in the memory of a compromised machine, without leaving a trace on the machine’s file system. Fileless malware allows attackers to evade detection by most endpoint security solutions that are based on static file analysis (antivirus products).

Fileless malware is not a new phenomenon. Throughout the past few years, an evolution of Fileless malware has been observed.

Initially, malware developers were focused on disguising the malware’s network operation, be it communication with their command and control servers or data exfiltration. This was accomplished by mimicking the traffic of various messenger applications and by HTTP header spoofing to evade network security solutions (firewalls/IDS).

Lateral movement as non-malware

The latest advancement in Fileless malware shows that the developers’ focus has shifted from disguising the network operations to avoiding detection during the execution of lateral movement inside the victim’s infrastructure.

In order to avoid detection, the malware used in the above-mentioned attack relied on standard Windows tools. The use of such tools by malware is also known as a Non-Malware attack.

Some of the tools that the new malware used were:

  • SC.exe – A tool for remote management and creation of services.
  • netsh.exe – for network tunneling and other network configuration manipulations.
  • PowerShell – used for running complex commands and for using standard APIs (such as WMI) to collect information on the victim’s network and to execute code remotely.

These latest developments in Fileless malware indicate that attackers are extending the malware’s capabilities to avoid detection during the lateral movement stage (spreading across the victim’s network).

Behavioral analytics and Fileless malware

Since most security solutions are based on detecting signatures and known malicious behaviors on the operating system, malware that adopts the above techniques is very hard to identify.

A new type of security solution could address these challenges: a solution which relies on analyzing the behavior of the users and computers in the environment.

Behavioral analytics systems are designed to tackle various, and previously unknown, advanced attacks. The systems monitor and learn the behavior of entities in the organization (users, computers or services) and send out alerts when they detect abnormal behavior that might point to malicious intent.

These solutions are usually not based on one endpoint machine, since once a machine is compromised, the security solution(s) is compromised as well.

UEBA systems have the potential to detect Fileless malware in different stages of an advanced attack.


For Fileless malware to spread, some critical information about the victim’s network needs to be collected. The malware needs information on its location in the network, the users’ roles, permissions, existing sessions, machines, their privileged groups, etc.

This data is used to discover valuable machines and accounts in the network, and map different routes to them.

There are many techniques an attacker can use to perform reconnaissance.

Some of the more interesting methods use standard queries to Active Directory and to machines in the network (e.g. DNS queries, the SAMR protocol, SMB session enumeration). If the organization has a UEBA security system that monitors such requests and identifies abnormal ones, the malware and attack campaign can be detected prior to the infection of other machines in the organization.

Lateral Movement

When there is a new target for the malware, and a route to it, the malware starts to move laterally inside the network.

Moving laterally might be done using various techniques, most of which have legitimate purposes, and therefore might not be detected by endpoint security solutions.

Behavioral analytics solutions can recognize an anomaly in the behavior of the compromised user (or computer) such as accessing an abnormal resource, logging on to a new computer, working from an unusual location, working during unusual hours, etc.
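The learn-then-flag idea described here and in the reconnaissance paragraphs above, as an added sketch (not code from the original post or from Advanced Threat Analytics): it learns each account's usual computers, active hours and enumeration volume, then flags deviations. The event tuple layout, the event kind names, the thresholds and all account and computer names are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

ENUM_KINDS = {"samr_query", "smb_session_enum"}  # hypothetical event kind names
ENUM_FLOOR = 3  # assumed: never alert on 3 or fewer distinct targets per day

# Constructed sample events: (ISO timestamp, account, kind, target computer).
LEARNING = [
    ("2017-06-05T09:05:00", "alice", "logon", "WS-ALICE"),
    ("2017-06-05T10:15:00", "alice", "logon", "FILE01"),
    ("2017-06-05T13:30:00", "alice", "samr_query", "DC01"),
    ("2017-06-06T02:00:00", "svc-backup", "logon", "FILE01"),
    ("2017-06-06T13:40:00", "alice", "logon", "WS-ALICE"),
    ("2017-06-06T17:10:00", "alice", "logon", "WS-ALICE"),
]
LIVE = [
    ("2017-06-12T09:20:00", "alice", "logon", "WS-ALICE"),
    ("2017-06-13T02:05:00", "svc-backup", "logon", "FILE01"),
    ("2017-06-13T03:10:00", "alice", "samr_query", "DC01"),
    ("2017-06-13T03:10:20", "alice", "smb_session_enum", "FILE01"),
    ("2017-06-13T03:10:40", "alice", "smb_session_enum", "SQL01"),
    ("2017-06-13T03:11:00", "alice", "smb_session_enum", "HR-WS07"),
    ("2017-06-13T03:14:00", "alice", "logon", "SQL01"),
]


def parse(event):
    ts, account, kind, target = event
    return datetime.fromisoformat(ts), account, kind, target


class Baseline:
    """Per-account profile learned from a period assumed to be clean."""

    def __init__(self):
        self.computers = defaultdict(set)  # account -> computers logged on to
        self.hours = defaultdict(set)      # account -> hours of day with logons
        self.enum_peak = defaultdict(int)  # account -> max distinct enum targets/day

    def learn(self, events):
        daily = defaultdict(set)
        for ts, account, kind, target in map(parse, events):
            if kind == "logon":
                self.computers[account].add(target)
                self.hours[account].add(ts.hour)
            elif kind in ENUM_KINDS:
                daily[(account, ts.date())].add(target)
        for (account, _day), targets in daily.items():
            self.enum_peak[account] = max(self.enum_peak[account], len(targets))

    def usual_hour(self, account, hour):
        # Tolerate one hour either side of any learned hour (wraps at midnight).
        # An account with no learned hours is never "usual".
        learned = self.hours.get(account, ())
        return any(min((hour - h) % 24, (h - hour) % 24) <= 1 for h in learned)


def detect(baseline, events):
    """Return (account, alert_type, detail) tuples in event order."""
    alerts, daily, fired = [], defaultdict(set), set()
    for ts, account, kind, target in map(parse, events):
        if kind == "logon":
            if target not in baseline.computers.get(account, ()):
                alerts.append((account, "new_computer", target))
            if not baseline.usual_hour(account, ts.hour):
                alerts.append((account, "unusual_hour", ts.strftime("%H:%M")))
        elif kind in ENUM_KINDS:
            key = (account, ts.date())
            daily[key].add(target)
            # Alert once per account per day when fan-out exceeds twice the
            # learned peak (and the fixed floor).
            limit = max(ENUM_FLOOR, 2 * baseline.enum_peak.get(account, 0))
            if len(daily[key]) > limit and key not in fired:
                fired.add(key)
                alerts.append((account, "enumeration_fanout", len(daily[key])))
    return alerts


def run_example():
    baseline = Baseline()
    baseline.learn(LEARNING)
    return detect(baseline, LIVE)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Each event taken alone is ordinary Windows administration traffic; the alerts come only from comparing it with what the same account did during the learning period.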

Security systems that monitor the network traffic might also be able to detect common attack techniques for lateral movement, such as Pass-The-Hash, Over-pass-the-hash and Pass-The-Ticket.

What’s next?

Fileless malware will only become smarter and more common. Regular signature-based techniques and tools will have a harder time discovering this complex, stealth-oriented type of malware.

More and more attacks will leave little to no tracks in the file system and in the network, and will force organizations to start detecting attacks based on their user and entity behavior.

Advanced Threat Analytics is an on-premises product and part of the Enterprise Mobility + Security Suite or Enterprise CAL Suite. Start a trial or deploy it now by downloading a 90-day evaluation version.

Ask your questions and join the discussion with our team on the Microsoft Advanced Threat Analytics Tech Community site!

New in Intune: TeamViewer integration for Android


Remote assistance on Android devices just got better with Intune and TeamViewer’s expanded integration. With the combination of Intune and TeamViewer, your helpdesk team can now start a remote assistance session with your end users on Android devices, making it easier than ever to help users with training, support issues, or step-by-step walkthroughs of device or application usage.



The TeamViewer Quick Support device application can be pre-installed through Intune for a streamlined device experience. Even if the TeamViewer application isn’t installed on the device, the Intune Company Portal will walk users through the process of installing the TeamViewer Quick Support application during their first remote assistance session. The integration with TeamViewer allows you to utilize all the features of TeamViewer, including chat, file transfer, and device details.

A TeamViewer license is required to take advantage of this functionality. Please visit the TeamViewer site for more information about TeamViewer and licensing options, and for additional information about using Intune with TeamViewer visit our documentation page.

Azure AD Conditional Access now supports Microsoft Teams & the Azure Portal


Howdy folks,

Quick blog post today.

Many of you have asked when you’ll be able to use Conditional Access policies with Microsoft Teams and the Azure Portal. I’m happy to let you know that support for both services is now available. Nitika Gupta from my team has written a blog post with the details. You’ll find it below.

Best regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity Division


Hi folks,

I’m Nitika Gupta, a Program Manager in the Identity Security and Protection team at Microsoft. I’m excited to share that Microsoft Teams and Azure portal now support Azure AD Conditional Access.

Till now, the only way to secure access to Azure portal was to require Multi-Factor Authentication all the time for an administrative account. This addressed the security need but came in the way of productivity. With this announcement, customers can require Multi-Factor Authentication only for access to Azure portal. Leveraging the power of Conditional Access, customers can allow access to Azure portal only under certain conditions (sign-in risk, location, device) and from trusted devices.

To create a policy for Azure portal, you can simply select “Microsoft Azure Management” under Cloud apps.

The policy will impact all the Azure management endpoints (classic Azure portal, Azure portal, Azure Resource Manager provider, classic Service Management APIs, as well as PowerShell).

While configuring a policy for Azure portal, be cautious! A bad configuration might lead to you locking yourself out.

And making news is also Microsoft Teams, one of the newest members of the Office 365 family, which is now available as its own Cloud app for IT admins to configure Conditional Access policies on. This allows organizations to secure the data in Teams and prevent leakage on untrusted devices.

The policy applies to Teams app on Windows, macOS, iOS, Android and Windows Phone. It’s important to note that Conditional Access policies created for Exchange Online and SharePoint Online cloud apps also affect Microsoft Teams as the Teams clients rely heavily on these services for core productivity scenarios such as meetings, calendars and files.


We would love to hear your feedback! If you have any suggestions for us, questions, or issues to report, please leave a comment at the bottom of this post, or tweet with the hashtag #AzureAD.


Nitika Gupta


How Microsoft EMS can support you in your journey to EU GDPR compliance – Part 1


How to provide persistent data protection on-premises and in the cloud

In the previous blog we discussed the challenges and complexity that stored data, be it structured, logs, or unstructured data pose for GDPR compliance and how Microsoft EMS can help you address the key data protection challenges. As a part of our GDPR webcast, we have also showcased how information protection capabilities across Windows, Office and Azure can help you in your journey to GDPR compliance. In this blog, we will dive deeper into the data lifecycle and how Azure Information Protection can help you provide persistent data protection both on-premises and in the cloud.

The realm of discovery

GDPR is a new data protection law that aims to protect personal data from potential abuse. For organizations that need to be compliant, it is important to understand that not all data falls under the purview of the GDPR. The first step in GDPR compliance is to discover personal data, as only that limited set is subject to the GDPR. A great discovery process turns the challenge of protecting personal data from an unbounded, unknown risk into a scoped, targeted, and manageable problem.

The discovery of personal data is an ongoing process that spans the entire data lifecycle, from the time content is created, through multiple updates, until the time it is deleted. The regulation applies to all historical data as well as to new content created after the GDPR comes into effect. Thus, the discovery strategy for companies must be two-fold:

  • Regularly scan the known data stores to identify personal data. This is a scheduled activity that targets existing data stores for discovery. Large organizations tend to have tens to hundreds of these unstructured data stores: SharePoint sites, File Servers, user devices like desktops and laptops, archived mailboxes, tapes etc.
  • Identify personal data at the time of creation or update. By tapping into important sources of data entering existence, personal data can be discovered at the source. This is applicable to emails processed by your mail server, to documents and emails being created/updated by users, and a variety of tools being used to handle data.

Azure Information Protection helps with the discovery process in a number of ways:

  1. It provides built-in rules that identify personal data. Customers can add more rules that can identify personal data not covered by the default rule set.
  2. It will provide a scanner tool that can run scheduled scans of designated data repositories (preview coming soon).
  3. It provides plugins for Office applications (Word, Excel, PowerPoint, Outlook) to identify personal data as emails and documents get created, opened, or updated.
  4. It provides an SDK for 3rd party applications to integrate with, and bring the discovery process into the application.

Once data is discovered, Azure Information Protection can follow-up with additional actions:

  • The most common action is labelling: the data is tagged and can therefore be identified later by other tools, applications, and users. Once a document or email is tagged with a label it can be tracked and monitored through its lifecycle. For example, Microsoft Cloud App Security can read files labeled by Azure Information Protection and quarantine them if they are being shared outside the organization without adequate security controls.
  • The second most common action is protection: the data is encrypted, and access is controlled by administrator-defined policies.
  • Content marking can also be applied, such as watermarks, headers, and footers.
  • The audit logs generated from the discovery process enable organizations to report on their compliance activities.

Protection as the first line of defense

The GDPR highlights the need for protection of personal data held by organizations. Depending on the circumstances and content sensitivity, encryption may be appropriate. And auditable access policies, access tracking and complete information about how the data has been shared can also help ensure that data is protected. With the increasing number of cybersecurity attacks, holistic data protection is the only way to ensure that personal data is not misused.

Azure Information Protection helps with data protection in a few ways:

  1. Identity-based access to encrypted data. Administrators have fine-grained control over which users have access to encrypted data and can update this access on the fly. Conditional access policies enforced through Intune and Azure AD Premium can control the environmental constraints under which content relevant to GDPR is opened.
  2. Tracking of protected documents to users and administrators. Reporting on any unauthorized access attempts is possible and this feeds into the GDPR requirements of data breach reporting and notification.
  3. The ability to revoke future accesses to the document. In case there is a suspected breach this acts as a mitigation step.
  4. Integration into Office applications (Word, Excel, PowerPoint, Outlook), where protection can also be set manually by the user.
  5. An SDK for 3rd party applications to integrate with, and bring the protection process into the application. Microsoft Cloud App Security can quarantine files that contain personal data but are not protected, and can also encrypt the files as they pass through.

With Azure Information Protection, you get a well-integrated, holistic service helping you in your compliance journey to the GDPR.

I encourage you to:

In the next blog, we will discuss how to grant and restrict access to data with Azure Active Directory.

Thank you for your attention and support!

Dan Plastina

Post Enterprise Mobility + Security Tweet Chat Q&A


A few weeks ago, the Enterprise Mobility Team hosted a Tweet Chat about managing mobility for Office365. It was great to have this dialogue with folks across our community, and a few people asked for our team to summarize the Q&A. So, here are the questions we received during the Tweet Chat. If you have additional questions related to Conditional Access, please tweet them to us @MSFTMobility, we are always happy to help.


What options does Microsoft offer for managing Office mobile apps?

  • Various options exist for this. Please refer to this link for an overview and further info on enhancing your mobile productivity.

What’s the difference between MDM and MAM?

  • These are 2 of the four layers of security and management. Read more about Mobile Device Management and Mobile Application Management in our eBook Controlling the Uncontrollable.

How can I protect and manage apps on non-enrolled devices with Intune?

How can I configure Application Protection policies for Office Mobile Apps with Intune?

  • You can do this from within the Office 365 admin portal. Our document here can show you how to control access to features in the OneDrive and SharePoint mobile apps.

How can I define policies for Multi-Identity capabilities with Intune?

  • This can now be done through the Azure Portal experience for admins. Find out how to configure app protection policies in the Azure portal.

Is there a way to set up risk based policies for Conditional Access to Office apps?

How can I set up policies for automatic classification with Azure Information Protection?

  • Use our quick start tutorial to learn this and to enable other functionality for Azure Information Protection.

What is the right set of labels for my company?

  • Refer to our Top 5 tips for accelerating information protection video or the Ready, set, protect blog series to find out our recommendations for labels.

What actions can be triggered based on data classification?

  • You can trigger encryption with permissions or include visual markings such as watermarks and header-footer. Policies can also be set in other systems such as a DLP engine or CASB solution to read labels set by AIP and take protection actions.

Is it possible to configure policies specific to groups or departments?

  • Yes! Discover how to configure the Azure Information Protection policy for specific users by using scoped policies.

Is there a way to bulk label existing data on file servers?

  • Sure thing. Read more about bulk classification and labeling for data in our blog.

Is it possible to track files shared with AIP and revoke access in case of unexpected sharing?

Can you tell me what Enterprise Mobility Suite capabilities can be enabled from within the Office 365 admin console?

  • Some examples include Azure Multi-Factor Authentication, Conditional Access, and App Protection policy for OneDrive.

Can Enterprise Mobility Suite wipe data from a device if it is compromised?

  • Microsoft Intune supports both selective and complete wipe. Learn how with this helpful documentation.

I’d like to know how we can connect SAP applications using Azure AD, Intune? Any demo available?

  • Check out our tutorial: Azure Active Directory integration with SAP NetWeaver.

Does MDM-WE handle activating Office apps on Mobile device automatically once user enrolls into Microsoft Intune?

  • Yes, it’s a part of app policy configuration. Learn how to protect app data using app protection policies with Microsoft Intune here.

What’s the time frame to provide Intune\Netscaler Conditional access for apps like the Intune managed browser?

  • We are actively working towards this. Please stay tuned to our social channel for updates.

Is leveraging Enterprise Mobility Suite on top of my current IDAM (Identity & Access Management) solution possible?

  • Yes, that’s possible; however, you will have to set up an Azure AD tenant and use Azure AD Connect to set up syncs.

If we install Intune-WE on top of our MDM (Mobile Iron), login to Intune, then install Word from App Store, would Word be Auto-Activated?

Should I take the 70-398? If not, where do I start?

  • It depends on your job role. More details, including who this exam is for, are available here.

Is it possible to have Intune client and SCCM client on a single machine and be managed by SCCM/Intune Hybrid Config?

  • Running both the SCCM agent and Intune agent on the same box isn’t supported. Installing the Intune agent doesn’t uninstall the SCCM agent. Uninstall the SCCM agent before installing the Intune agent.

Are there any good resources for getting up to speed with Intune\Graph API?

Can Intune be connected to all devices e.g: IoT enabled and integrated with an ERP Solution?

  • Intune supports all Windows, Android, and iOS devices. The App Protection policies cover apps like SAP.

Does Azure AD recommend Best Practices for Security Policies which can be implemented without any changes?


We truly enjoyed answering your questions. Be sure to follow @MSFTMobility and stay tuned for updates for the next Tweet Chat topic.

We’re looking forward to chatting with you!

If you are not a Twitter user but would like to participate, please create an account so you can join us next time!

Update 1705 for Configuration Manager Technical Preview Branch – Available Now!


Hello everyone! We are happy to let you know that update 1705 for the Technical Preview Branch of System Center Configuration Manager has been released. Technical Preview Branch releases give you an opportunity to try out new Configuration Manager features in a test environment before they are made generally available. This month’s new preview features include:

Configuration Manager Console
  • High DPI console support – With this release, issues with how the Configuration Manager console scales and displays different parts of the UI when viewed on high DPI devices (like a Surface Book) should be fixed.
Application Lifecycle and Content
  • Removing Network Access Account (NAA) requirement for Client Peer Cache – In this release, we are removing the NAA requirement, so that peer cache source computers no longer use the NAA to authenticate download requests from peers.
Clients and User Discovery
  • Azure Active Directory (AD) Onboarding – Create a connection between Configuration Manager and Azure AD. Install and register Configuration Manager clients with Azure AD identity. Enable Configuration Manager on-premises services like Management Point or cloud services like Cloud Management Gateway to have the capability to authenticate with devices and user identities in Azure Active Directory. By using Azure AD, devices will not need client authentication certificates for HTTPS.
  • Azure Active Directory (AD) User Discovery – Now you can enable user object discovery from Azure AD.
Software Updates and Compliance
  • Configure and deploy Windows Defender Application Guard policies – You can now create and deploy Windows Defender Application Guard policies to Windows 10 clients that help protect your users by opening untrusted web sites in a secure container.
  • Improved end user experience for Office Updates – Improvements have been made to the end user experience for Office updates which includes improved toast notifications, business bar notifications, and an enhanced countdown experience.
Core Infrastructure
  • Configuration Manager Update Reset Tool – We are adding a new tool to reset and restart in-console updates when they have problems downloading or replicating.
  • SQL Always On asynchronous-commit mode replica support – Configuration Manager now supports SQL Always On secondary replicas that run under asynchronous-commit mode for disaster recovery scenarios.
  • Operations Management Suite (OMS) added to Azure Services Wizard – You can now use Azure Services Wizard to connect Configuration Manager to Log Analytics in OMS to sync device collection data.

Update 1705 for Technical Preview Branch is available in the Configuration Manager console. For new installations please use the 1703 baseline version of Configuration Manager Technical Preview Branch available on TechNet Evaluation Center.

We would love to hear your thoughts about the latest Technical Preview! To provide feedback or report any issues with the functionality included in this Technical Preview, please use Connect. If there’s a new feature or enhancement you want us to consider for future updates, please use the Configuration Manager UserVoice site.


The System Center Configuration Manager team

Configuration Manager Resources:

Documentation for System Center Configuration Manager Technical Previews

Try the System Center Configuration Manager Technical Preview Branch

Documentation for System Center Configuration Manager

System Center Configuration Manager Forums

System Center Configuration Manager Support

Download the Configuration Manager Support Center

We’ve made the Azure AD App Proxy even better!


Howdy folks,

I’ve blogged before about how the Azure AD Application Proxy is our “hidden gem”. Many of our customers don’t even know it exists, but once they discover it they LOVE it! It’s not uncommon for customers to have 300+ internal applications connected to it and one of our largest customers (a customer with over 100k seats of Azure AD deployed) is about to go live using it to make their entire intranet available to mobile employees!

I’m excited to share a few feature updates that will make it even easier for you to onboard to Azure AD Application Proxy, and use it with a wider range of applications.

I’ve invited Program Manager Harshini Jayaram to share the details in a blog post, which you’ll find below. Try out these updates and let us know what you think! We’re eager to hear from you.

Best regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity Division


Hi folks,

I’m excited to share these changes to Azure AD Application Proxy onboarding and application control. They will simplify your remote access story whether you are new to the feature or are one of the many customers already using it.

Easier onboarding

Onboarding and management are now much simpler with fewer required ports and additional connection options.

You can now deploy Azure AD Application Proxy by opening only two standard outbound ports: 443 and 80. Azure AD Application Proxy continues to only use outbound connections so you still don’t need any components in a DMZ. For details, please see our configuration documentation.

Now it is also easier to restrict outbound access from the Azure AD Application Proxy Connector. If supported by your external proxy or firewall, you can now open your network by DNS instead of IP range. Azure AD Application Proxy services only require connections to * and *

All these features are available with the newest Connector version. To learn how to manually upgrade your Connector or how the automatic updates will roll out, please see our Connector update documentation. If you already have the newest Connector, you can close all ports other than 443 and 80 and reduce your overhead.

Enable access to more applications

You can now also use Azure AD Application Proxy with applications that take up to 180 seconds to respond to a request. Use the new Backend Application Timeout setting in the Azure Portal to publish these applications by changing the value from “Default” (85 seconds) to “Long” (180 seconds). This setting is in the “Application Proxy” menu for your application.

If your application consistently responds in less than 85 seconds, we recommend keeping the default. This ensures the Application Proxy Connector does not consume unnecessary resources.

Tell us what you think!

We hope you’re as excited as we are about these changes! As always, we’d love to hear from you with any questions or feedback, so please leave a comment here or in the Admin Portal Forum. You can also reach us directly at


Harshini Jayaram (Twitter: @ShiniJayaram)

Program Manager II

Azure AD Application Proxy

Microsoft Visio Viewer App now enabled with Intune MAM for iOS!


Diagrams help visually communicate information: they are excellent tools for demonstrating relationships between parts, simplifying complex ideas, articulating process, and explaining how things work. And they often contain sensitive company data that you want to protect.

If your users are creating or viewing diagrams in their work, they’re most likely using Microsoft Visio, and if that’s the case then this news is for you: the latest update to the Visio Viewer app now includes support for Intune MAM. Enable your users to access and interact with Visio files on iOS devices with the peace of mind that your data is protected by Intune.


Access and interact with your Visio diagrams on the go – process diagrams, cross functional flowcharts, network diagrams, org charts, timelines, floor layouts, UML diagrams and many more.


This update supports the full set of Intune MAM capabilities, including our app-level data protection policies that can be applied with or without MDM device enrollment. These app protection policies allow you to set policies that enable app encryption, app access control, app-level selective wipe and the ability to restrict actions such as copy/paste/save as. Find more details on Intune MAM policies in our documentation.

The Visio Viewer app is now available for management in the Intune console and accessible in the App Store. Visit the What’s New in Microsoft Intune page for more on this and other recent developments in Intune.

Azure Information Protection Documentation Update for May 2017


Hi everybody

Our technical writer, Carol Bailey, is letting you know what’s new and hot in the docs for May.

Reminders: Follow us on Twitter (@DanPlastina) and join in our peer community

Dan (on behalf of the Information Protection team)

The Documentation for Azure Information Protection has been updated on the web and the latest content has a May 2017 (or later) date at the top of the article.

Updates for this month include the supporting documentation for templates moving to the Azure portal. Miss the announcements? See Azure Information Protection unified administration now in Preview and Azure Information Protection unified administration phase two. We also have great news if you were one of the many customers who requested a .msi version of the client to install – this is now available to download but please do read the accompanying documentation in the admin guide for restrictions and additional steps needed for this deployment.

The sharp-eyed among you might have noticed a new feature appearing on the Microsoft Docs site: Download PDF. You’ll see this option at the bottom of the table of contents, on the left. This is a nice option for people who want to more easily reuse the online documentation, read documentation in sequence, or search just the documentation for Azure Information Protection. This feature was first implemented for Azure documentation, and now it’s our turn. Unfortunately, we’ve had a few teething problems that stopped it from working when it first went live, but these should be fixed very soon. Give it a try and remember that the design and functionality of the Docs site has its own feedback site where you can post requests/issues and vote on other people’s requests.

Have feedback about the documentation content for Azure Information Protection? We value customer feedback and try to incorporate it whenever possible. If you have feedback about our documentation, let us know by emailing

What’s new in the documentation for Azure Information Protection, May 2017

Documentation articles that have significant technical changes since the last update (April 2017):

Requirements for Azure Information Protection

– Updated the client devices supported to include Windows Server versions (Windows Server 2012 R2 and Windows Server 2012, and Windows Server 2016 for PowerShell only).

Azure Active Directory requirements for Azure Information Protection

– Updated the Scenarios that have specific requirements section, for an entry that can stop a deployment in its tracks: Users’ UPN value doesn’t match their email address

Frequently asked questions for Azure Information Protection

– New entry: What is the role of identity management for Azure Information Protection? A reminder that securing your data relies on good identity management and that Azure Information Protection is not designed to protect against compromised accounts or malicious users.

Preparing users and groups for Azure Information Protection

– Substantially revised for more detailed information about how users and groups are used for Azure Information Protection, and how to verify that these accounts will work as intended for this service.

Activating Azure Rights Management

– Removed the references and links to using the Office 365 classic portal now that the new portal is GA. Just in case you’re still using the classic portal, the instructions for this are still published but when support for the old Office 365 portal stops, this article will be redirected to How to activate Azure Rights Management from the Office 365 admin center.

Configuring Azure Information Protection policy

– Updated to include information that you can sign in to the Azure portal by using a security admin account as an alternative to a global admin account, information about the different subscription levels of support for options that you can configure (not yet enforced), and a note about waiting up to 15 minutes for the downloaded policy to be fully functional.

How to create a new label for Azure Information Protection

– Updated with information about how to change the label color (the default is black for a new label) by using the hex triplet code option.

How to configure a label for Rights Management protection

– Updated for the new Custom (Preview) option, that lets you create new custom templates in the Azure portal, with many of the configuration options that are currently in the Azure classic portal. Unlike configuration in the Azure classic portal, you can also specify external users, external groups, and all users in another organization.

Configuring and managing templates in the Azure Information Protection policy

– New article to support the new preview feature for managing existing templates and converting them to labels. Note that this feature is temporarily unavailable in the portal but will be re-enabled again soon.

Azure Information Protection client administrator guide

– Updated to include new instructions for the recent addition of the .msi version of the client. For more information, see How to install the Azure Information Protection client for users. In addition, the specific version that is supported for the Microsoft Online Services Sign-in Assistant (version 7.250.4303.0) is added to the general prerequisites because later versions that might be installed are not supported and must be uninstalled before you install the client on computers that run Office 2010.

Custom configurations for the Azure Information Protection client

– This information was previously in a section in the admin guide after the installation instructions, and is now in its own article. Use this information for exceptions and advanced configurations that you might need for specific scenarios or a subset of users.

File types supported by the Azure Information Protection client

– New section added, File sizes supported for protection, which lists the maximum file sizes supported for Office documents and all other documents. Note that the currently documented 1 GB file size restriction for all other documents is a temporary restriction that will be removed with a later version of the Azure Information Protection client. If you try to protect files larger than this size with the current GA version of the client (, the file might become corrupted.

RMS protection with Windows Server File Classification Infrastructure (FCI)

– Updated to make the prerequisites clearer. The script is also updated (to version 3.3) to include the DoNotPersistEncryptionKey parameter for better performance and to prevent the server’s local disk from filling up with files that start with “EUL”. For more information about this parameter, see the updated description in the cmdlet help for Protect-RMSFile.


User provisioning from Workday to Azure AD is now in Public Preview!


Howdy folks,

We have some great news to share today! Customers can now use the public preview of Azure Active Directory’s cloud-based user provisioning service to orchestrate user provisioning from Workday to on-premises Azure Active Directory, Windows Server Active Directory, and more!

Since we began building our Workday integrations, we’ve worked hand in hand with our private preview customers and received lots of feedback that account provisioning from Workday needs to be solved end-to-end. When a new employee is hired, they need to be provisioned into Azure Active Directory, Windows Server Active Directory, Office 365, and third-party apps. And when their employee account in Workday changes (a name change, title change, manager change, or termination), those changes need to be synchronized to all these systems. Additionally, key user attributes like email addresses need to be automatically written back to Workday when mailboxes are provisioned or updated in your organization’s email system.

With the public preview of Workday Inbound Provisioning to Azure Active Directory, customers can now do all of this from the cloud! Azure AD’s cloud-based user provisioning service can extract and query users from Workday and synchronize them directly to either on-premises Active Directory or to Azure Active Directory for cloud-only users. The provisioning service can synchronize directly to on-premises Active Directory using a new thin client that is deployed alongside Azure AD Connect.

By using Azure AD Connect and our existing library of SaaS app connectors in conjunction with these new features, customers can now achieve end-to-end user provisioning from Workday to their identity systems and SaaS apps.

This feature is available in public preview today for all customers using Azure AD Premium P1. To get started, check out our Tutorial for Configuring Workday for Inbound Synchronization which guides you through configuring and deploying a solution using the new Azure management portal.

Please take this new preview for a spin and let us know what you think. And, as always, we’d like to say a special thank you to our partners at Workday for helping us make this feature a reality for our mutual customers!

Best regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity Division

Breaking down EMS Conditional Access: Part 3


This post is the third of a three-part series detailing Conditional Access from Microsoft Enterprise Mobility + Security. Today we are re-publishing the third installment with the white paper Protect your data at the front door with conditional access.

Through this blog series, we’ve taken a closer look at conditional access with Enterprise Mobility + Security and the innovations that can help you define and inform your policies with different layers of controls for user/location, applications, and devices. Most of the scenarios we’ve discussed have addressed user-based vulnerabilities, but it’s important to take into consideration the broader threat landscape and its complex risks.

Risk-based conditional access

Although attacks are increasingly sophisticated, each one leaves revealing traces, a calling card. This data can be used to find patterns that will help us protect against attacks. But processing such tremendous volume is no small task, so we got to work. Every month we update more than 1 billion PCs, service more than 450 billion authentications, and analyze more than 200 billion emails for malware and malicious websites. We see just about every kind of attack there is, and we push the data directly into our Microsoft Intelligent Security Graph.

The graph pulls together all of the telemetry and signals that come in from the hundreds of cloud services operated by Microsoft, extensive and ongoing research, and data from partnerships with industry leaders and law enforcement organizations. This graph is unique to Microsoft. We apply our machine learning and data analytics to identify suspicious and anomalous activities that characterize modern sophisticated attacks. The graph makes it possible for us to deliver recommendations and automated actions that protect, detect, and respond across different attack vectors.

You can use the Microsoft Intelligent Security Graph to inform your conditional access policies and protect against risk events by blocking access when risk is detected.

Leaked credentials

Microsoft security researchers search for credentials that have been posted on the dark web, which usually appear in plain text. Machine learning algorithms compare these credentials with Azure Active Directory credentials and report any match as leaked credentials.

Impossible travel or atypical locations

Machine intelligence detects when two sign-ins originate from different geographic locations within a window of time too short to accommodate travel from one to the other. This is a pretty good indicator that a bad actor succeeded in logging on.

Machine intelligence also flags sign-ins at atypical locations by comparing them against past sign-ins of every user. Sign-ins from familiar devices or sign-ins from or near familiar locations will pass.

Sign-ins from potentially infected devices

The Microsoft Intelligent Security Graph maintains a list of IP addresses known to have been in contact with a bot server. Devices that attempt to contact resources from these IP addresses are possibly infected with malware and are therefore flagged.

Sign-ins from anonymous IP addresses

People who want to hide their device’s IP address, often with malicious intent, frequently use anonymous proxy IP addresses. A successful sign-in from an anonymous IP address is flagged as a risky event. If the risk score is medium, a risk-based conditional access policy can require MFA as additional proof of identity.

Sign-ins from IP addresses with suspicious activity

Multiple failed sign-in attempts that occur over a short period of time, across multiple user accounts, and that originate from a single IP address, also trigger a risk event. Traffic patterns that match those of IP addresses used by attackers are a strong indication that accounts are either already compromised or will be very soon, although the traffic pattern may also originate from an IP address shared with multiple devices via a router or similar device.
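The impossible-travel check and the failed-sign-ins-from-one-IP check described above can be sketched over a sign-in log as follows. This is an added example, not Microsoft's implementation: the `SignIn` record, the thresholds and the sample events are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Assumed thresholds for this sketch; tune to your own environment.
MAX_SPEED_KMH = 900.0                  # roughly airliner cruise speed
MIN_DISTANCE_KM = 100.0                # ignore geo-IP jitter within a metro area
SPRAY_WINDOW = timedelta(minutes=10)   # "short period of time"
SPRAY_MIN_ACCOUNTS = 5                 # "multiple user accounts"


@dataclass(frozen=True)
class SignIn:
    time: datetime
    user: str
    ip: str
    lat: float
    lon: float
    success: bool


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events):
    """Return (user, earlier_ip, later_ip, km) for consecutive successful
    sign-ins of one user that imply a speed above MAX_SPEED_KMH."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e.time):
        if e.success:
            by_user[e.user].append(e)
    findings = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if dist < MIN_DISTANCE_KM:
                continue
            hours = (cur.time - prev.time).total_seconds() / 3600
            speed = float("inf") if hours == 0 else dist / hours
            if speed > MAX_SPEED_KMH:
                findings.append((user, prev.ip, cur.ip, round(dist)))
    return findings


def suspicious_ips(events):
    """Return {ip: distinct_accounts} for IPs whose failed sign-ins hit at
    least SPRAY_MIN_ACCOUNTS different accounts inside SPRAY_WINDOW.
    A hit is a signal to triage: a shared NAT address can look the same."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e.time):
        if not e.success:
            by_ip[e.ip].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most SPRAY_WINDOW.
            while evs[end].time - evs[start].time > SPRAY_WINDOW:
                start += 1
            accounts = {e.user for e in evs[start:end + 1]}
            if len(accounts) >= SPRAY_MIN_ACCOUNTS:
                flagged[ip] = max(flagged.get(ip, 0), len(accounts))
    return flagged


def _t(hour, minute=0, day=1):
    return datetime(2017, 5, day, hour, minute)


# Constructed sample data (documentation IP ranges, approximate coordinates).
SEATTLE, REDMOND, LONDON = (47.61, -122.33), (47.67, -122.12), (51.51, -0.13)
SAMPLE = [
    SignIn(_t(9), "alice", "192.0.2.10", *SEATTLE, True),
    SignIn(_t(10), "alice", "198.51.100.5", *LONDON, True),        # 1 h later: flagged
    SignIn(_t(9), "bob", "192.0.2.11", *SEATTLE, True),
    SignIn(_t(9, 5), "bob", "192.0.2.12", *REDMOND, True),         # nearby: passes
    SignIn(_t(8), "carol", "192.0.2.13", *SEATTLE, True),
    SignIn(_t(8, day=2), "carol", "198.51.100.6", *LONDON, True),  # 24 h later: passes
]
# Six different accounts failing from one IP within six minutes: flagged.
SAMPLE += [SignIn(_t(11, i), f"user{i}", "203.0.113.7", *LONDON, False) for i in range(6)]
# One user mistyping a password six times: a single account, not flagged.
SAMPLE += [SignIn(_t(12, i), "dave", "198.51.100.20", *SEATTLE, False) for i in range(6)]

if __name__ == "__main__":
    print(impossible_travel(SAMPLE))
    print(suspicious_ips(SAMPLE))
```
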

Beyond access control

Microsoft Enterprise Mobility + Security (EMS) delivers innovative security technologies that provide a holistic, identity-driven approach to mobility, identity, and security in a mobile-first, cloud-first world.

While our risk-based conditional access helps protect your data at the front door, EMS also gives you visibility into user, device, and data activity on-premises and in the cloud, and includes solutions that allow you to protect your corporate data from user mistakes with stronger controls and enforcement.


To get a full picture of conditional access from EMS, download our white paper today.

Azure AD Privileged Identity Management Approval Workflows are now in Public Preview!


Howdy folks,

I am thrilled to be able to share some news today. We’ve just turned on the public preview of some major updates to the Azure AD Privileged Identity Management service:

  • A new, improved user experience
  • New approval workflow for improved role security
  • Audit History for everyone in temporary role assignments

The redesigned user experience, Audit History, and Approval Workflow are available now for current Azure AD P2 customers (paid and trial). Don’t have PIM? Get your free trial of Enterprise Mobility + Security E5.

Read on for more details about this exciting new preview!

For those of you unfamiliar with PIM for Azure AD, this feature helps you:

  • Discover and manage privileged role assignments in your directory at scale
  • Reduce the risk of permanent assignments by allowing users to activate their roles Just-In-Time (JIT)
  • Easily review role assignments for compliance, internal audit, or general lifecycle management
  • Detect potential risks and fix them with a click of a button via preconfigured alerts and activity logs
  • Provide contractors and vendors the ability to self-activate administration privileges at any time

Strengthen the security of your organization’s applications with Approval Workflow!

This preview allows organizations to require approval for any directory role or Global Administrator role requests, and also define the users who can approve or deny these access requests.

Requesting a role that requires approval is simple. Select the role, provide your reason for access, validate your identity with multi-factor authentication (if required), and click activate. You will receive an email when your role is approved.

Approvers are automatically notified to view and approve pending requests, either individually or in bulk, via the Azure Portal or API.


View all temporary role assignments with the new “My Audit History”

When you request to activate a role that requires approval, it’s critical that you have a way to view the status of the request. So we are introducing My Audit History, a new view in the updated user interface that lets you see status and activation history for all your temporary role assignments.

Try it out!

I hope you’ll try out these new features and let us know what you think. Visit our documentation for more information or send us feedback directly; we’re always listening.

Best regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity Division

How Microsoft EMS can support you in your journey to EU GDPR compliance


Hi everyone,

By now most of you will, at the very least, have heard of the GDPR, the EU’s new law for data protection. GDPR stands for General Data Protection Regulation. Simply put, it aims to protect personal data from potential abuse. As Microsoft’s Chief Privacy Officer, Brendon Lynch, mentioned in his blog, “The new General Data Protection Regulation (GDPR) is the most significant change to European Union (EU) privacy law in two decades.” Today, I’m kicking off a blog series which will frame how we think Microsoft Enterprise Mobility + Security (EMS) products can help you as we head towards May 25, 2018, when the GDPR comes into effect.

At Microsoft, we have both committed to being GDPR compliant as well as providing guidance to you on how you can use our technologies on your GDPR journey. For example, in the whitepaper “Beginning your GDPR Journey” we outlined four key steps that can help you start today: Discover (understand what data you have that is in the scope for the GDPR), Manage (govern how personal data is used and accessed), Protect (establish security controls to prevent, detect, and respond to vulnerabilities and data breaches), and Report (keep required documentation, manage data requests, and provide breach notifications). At the core of this approach is the data, which is where EMS can help you, and where we will dive deeper in this blog post.

GDPR covers all classes of your stored data, be it structured, logs or unstructured data. All classes have their own challenges but the structured side is more evident to you given, well, the more structured nature of the problem space. For the sake of today’s blog, we’ll presume you have a better idea on how to address those data stores.

The logs data stores are also somewhat structured but here we find an added complexity: logs related to security often have required retention periods for compliance purposes. If you find yourself in this situation, I would encourage you to review each log type carefully with your internal legal counsel; it’s not sufficient for IT to proclaim your log as related to security and thus deem yourself compliant. Given the potential fines associated with GDPR, this could be a very costly mistake!

For unstructured data, life had been progressively getting way, way harder. For those who have been following our information protection efforts, you’ll certainly recall this image. In summary, most organizations have shifted from having their data entirely on-premises to now often having it out of their control: data is shared with others, sent around in email, given to external vendors (lawyers, marketing, HR, etc.). In short, our saying of “For data to be useful, it WILL travel” is most certainly a good cause for concern. It’s worth saying that GDPR is not the only reason to protect personal and sensitive data; we all have this type of data and it should be protected.

What GDPR is doing is putting a date (and price tag) on getting this done as soon as possible. You have practices to protect your data today, but now you need to put additional emphasis on reviewing your current approach and making sure you are following the industry best practices.

To be clear, we at Microsoft have the exact same challenges and we’re in this with you!

OK, so what will it take to get ready? To address this question, first we should start with shedding light on the data lifecycle and explain how we can help you protect your data through several different scenarios throughout this lifecycle. We need to consider what protective measures we should take from when data is created or modified, to when a user wants to access it, when data moves to mobile and cloud apps and even when it gets breached.

In this blog series, you will see how Microsoft EMS solutions can support you in this journey to EU GDPR compliance step by step by addressing the following key scenarios:

  • How to provide persistent data protection on-premises and in the cloud
  • How to grant and restrict access to data
  • How to protect data in mobile devices and applications
  • How to gain visibility and control of data in cloud apps
  • How to detect data breaches before they cause damage


After explaining how EMS technologies can help you with these different use cases, we will share resources to get started with our trial and deployment programs. If you already have EMS and need help with deployment, our FastTrack program can assist!

In the next blog in the series, we’ll start discussing how to protect data persistently on-premises and in the cloud with Azure Information Protection. Before then, we’d recommend that you learn more about these products (if you are not familiar with them) and learn more about the GDPR law (if you have yet to do so).

I encourage you to:

Until next time, thank you for your attention and support!

Dan Plastina

Azure Information Protection unified administration phase two


Hi everyone, we have another awesome and important update for you today. On April 26, we introduced you to the first version of our unified AIP admin experience, enabling you to manage protection settings on labels without needing to create RMS templates via the classic portal. This was our first step to providing one unified portal to manage all classification, labeling and protection settings.

Today we begin the publishing of the next iteration in this process which will bring additional features to the new Azure portal:

  • A new quick start experience (available today in Public Preview)
  • Manage existing Azure RMS templates (available today in Public Preview)
  • Multi-language labels (Private Preview now open)
  • License enforcement will begin in June

A new Quick Start experience

A small but important addition, we have added a new Quick Start page that provides you with easy access to great resources, such as the latest AIP video, links to important sources of documentation, client downloads and our Yammer group.

Manage existing Azure RMS templates

You can now manage existing RMS templates that are not linked to any label via the Azure portal. You will find them under the Templates container on the Global policy view:

You can manage the settings on these templates exactly like you do with the protection settings on labels.
Note: all other settings that are available for labels are not accessible until you promote the template to be a label. You can do this conversion using the context menu:

Once the template is promoted to a label (or sublabel) you can define other label options like visual marking and conditions.

If you link a template to an existing label, it will be removed from the templates container and you manage it within the label that it is assigned to.

We look forward to you trying this out and letting us know how you get on; your feedback helps us deliver the best outcomes.

Multi-language Support (Private Preview)

Multi-language support enables you to translate all customizable text fields presented to users in the AIP clients to all supported languages (the same set that is currently supported in the classic portal for Azure RMS templates).

You can add multi-language to your deployment using the localization settings:

To determine which language to display, the AIP clients check the environment locale settings. The Office add-in looks at the Office UI language, the Explorer Extension looks at the Windows display language. In the event that a language is set outside the supported list, the client will display the default language text.

If you are interested in participating in the Private Preview and provide feedback on the multi-language support, please connect with us on Yammer.

License enforcement

We received plenty of feedback from you that you wanted to ensure you did not activate features of AIP that you are not licensed for. A fair ask! So we will be enforcing licensing in the coming month. Here is what will happen:

  • Tenants with only an Office license that include RMS (Office E3 or E5) will be able to manage protection settings (and templates) only.
  • Tenants with AIP P1 (EMS E3) licenses will not be able to add AIP P2 (EMS E5) features: automation conditions, email attachment checking or HYOK policies.

If you have already enabled features for which you are not licensed, they will continue to work (to ensure no impact on your users) but you will not be able to add new settings for these features. You can edit the setting to remove the configuration.


We always appreciate your feedback, and invite you to engage with us in our Yammer group. Please note that the classic portal is scheduled to be closed by the end of June 2017, so it’s very important to try the new portal and provide us with feedback in order to enable us to provide you the best experience.

Thank you,

Dan Plastina on behalf of our enthusiastic Azure IP team.
Twitter: @DanPlastina

It really is very easy to get started. We have a lot of information available to help you, from great documentation to engaging with us via Yammer and e-mail. What are you waiting for? Get to it!

