Free Webinar: Data Explosion in Your Organization?

We’re facing a data explosion – changes in the way we do business have resulted in a rapid increase in the amount of data and information being collected throughout your business. As this data grows, so do the problems of managing it all. Where, or what, can you turn to for help?

Our modern business techniques require a modern approach to managing the increased data in our systems. For many, the chosen system is Office 365 – but, no matter what the system, the data still needs to be managed, governed, and supervised to provide value.
 
Join us for the FREE webinar on Wednesday, October 10, 2018, from 2:00pm – 2:45pm EDT (11:00am – 11:45am PDT / GMT-5)
 
Register here.

 

More details from the event page: 

“In this webinar, AIIM’s chief evangelist John Mancini and Nishan DeSilva from Microsoft will discuss the latest ways Office 365 is providing the tools to develop and implement a modern records management strategy to take charge of the data explosion, including:

  • Improved Findability: How to find and retain important data while eliminating ROT (redundant, outdated and trivial information) – with classification, archiving, retention, disposition, supervision, and more
  • New Approaches to Governance: Where the Office 365 governance capabilities are today and what’s in store for the future, highlighted by the newest features and scenarios available
  • Increased Business Intelligence: How machine learning algorithms can automatically or manually detect, classify sensitive data mapping to enterprise taxonomies

In addition, Nishan DeSilva will share customer use case stories that illustrate these modern approaches to the latest functionality found in Office 365. Hear how information professionals are succeeding with governing their data in Office 365. And envision how you can succeed, too.” 


Updates to Microsoft Secure Score, New API and Localization

We love that the community has great discussions on Microsoft Secure Score.  One of the topics we hear from you and other organizations is on the Secure Score API.  This is a great way to programmatically access Secure Score data.  Over the past year and a half, we have received a lot of feedback on the API and the Microsoft 365 Security Engineering team is pleased to announce the availability and preview of the new Microsoft 365 Secure Score API.

 

As part of building the new API we also wanted to provide it in other languages.  In doing this work for the API, it also gave us localization of the Secure Score interface.  The localization of the interface is starting to roll out.

 

What’s new?

The new API is based on much of your feedback and has a host of changes to enable new scenarios.  At a high level they are:

  • Integrated into the Security Graph API, allowing easier permission scoping.
  • Support for filtering methods such as $top=2 or explicit control access.
  • Dual entities, an entity for bringing back just the score data and an entity for bringing back control metadata such as Title, Descriptions and Threats etc.

  • Patch support, allowing you to flag controls as 3rd Party or Ignore.
  • New fields, such as “assignedTo” and “tenantNote”.
  • Support for delegated admin rights.
  • Available in the Microsoft Graph Explorer.
  • Localization will start to appear over the next few weeks. The first languages will be Czech, Danish, Dutch, French, German, Hungarian, Italian, Japanese, Korean, and Spanish.

 

Why did we use the security API and connect with Microsoft Intelligent Security Graph?

The Intelligent Security Graph is a unified platform for combatting cyberthreats. It powers real-time threat protection for Microsoft products and services and supports an ecosystem of integrated solutions.

 

The security API in Microsoft Graph makes it easy to connect with those solutions in the Intelligent Security Graph. It allows you to more readily realize and enrich the value of these solutions.

 

We see three common business scenarios driving consumption of the Secure Score API through the Microsoft Intelligent Security Graph:

  • Monitor, track and report on your configuration baseline and score in downstream reporting tools.
  • Integrate the data into compliance or cybersecurity insurance applications.
  • Integrate Secure Score data into your SIEM or CASB to drive a hybrid or multi-cloud framework for security analytics.

 

Getting Started

Acquiring the Secure Score data from the API requires you to set up a few prerequisites.

First, you should choose your consumption model.  If you plan to have a non-user-interactive application to retrieve data from the API, you should opt for the Service-To-Service Authentication model. Reference information about this model is located at https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-service-to-service.

 

If your application will require an administrator to provide their logon credentials each time you pull data from the API, you should opt for the user OAuth model. Reference information about this model is located here.  If you are a CSP application developer partner you can also find information here.

 

Second, you will need to register your application in Azure Active Directory in order to call the API.  You need to grant the SecurityEvents.Read.All and SecurityEvents.ReadWrite.All permission scopes. See here for further details.

 

Now you’re ready to access the API.  For more details on how to use it, head over to:

https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/resources/security-api-overview

https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/resources/securescores
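
The first scenario listed above (monitoring your score and baseline in downstream tools), as an added example that is not part of the original post or of Microsoft's samples: it requests the two most recent snapshots with `$top=2` using a service-to-service token and reports controls whose score dropped. The function names, the use of the Azure AD v2.0 token endpoint, and the sample response are assumptions made for illustration.

```python
"""Added example: poll Secure Score through Microsoft Graph and flag control regressions."""
import json
import urllib.parse
import urllib.request

# Graph beta endpoint for the secureScores resource documented at the links above.
GRAPH_SCORES = "https://graph.microsoft.com/beta/security/secureScores"
# Assumption: the Azure AD v2.0 token endpoint is used for the client-credentials grant.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"

# Constructed sample response body, trimmed to the fields this example reads.
SAMPLE_RESPONSE = {"value": [
    {"azureTenantId": "00000000-0000-0000-0000-000000000000",
     "createdDateTime": "2018-10-02T00:00:00Z",
     "currentScore": 118.0, "maxScore": 400.0,
     "controlScores": [{"controlName": "AdminMFA", "score": 0.0},
                       {"controlName": "DLPEnabled", "score": 20.0},
                       {"controlName": "PWAgePolicyNew", "score": 10.0}]},
    {"azureTenantId": "00000000-0000-0000-0000-000000000000",
     "createdDateTime": "2018-10-01T00:00:00Z",
     "currentScore": 168.0, "maxScore": 400.0,
     "controlScores": [{"controlName": "AdminMFA", "score": 50.0},
                       {"controlName": "DLPEnabled", "score": 20.0},
                       {"controlName": "PWAgePolicyNew", "score": 10.0}]},
]}


def get_app_token(tenant, client_id, client_secret):
    """Service-to-service (client credentials) token for Microsoft Graph."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,  # load from a vault, never from source code
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    url = TOKEN_URL.format(tenant=urllib.parse.quote(tenant, safe=""))
    with urllib.request.urlopen(urllib.request.Request(url, data=body), timeout=30) as resp:
        return json.load(resp)["access_token"]


def build_scores_url(top=2):
    """URL for the newest `top` score snapshots, using the $top filter."""
    if not isinstance(top, int) or top < 1:
        raise ValueError("top must be a positive integer")
    return f"{GRAPH_SCORES}?$top={top}"


def fetch_scores(token, top=2):
    """GET the snapshots; returns the list under the response's 'value' key."""
    req = urllib.request.Request(build_scores_url(top),
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["value"]


def control_scores(snapshot):
    """Map controlName -> score for one snapshot (missing scores count as 0)."""
    return {c["controlName"]: float(c.get("score") or 0.0)
            for c in snapshot.get("controlScores", [])}


def diff_snapshots(snapshots):
    """Compare the two newest snapshots and return one event for a SIEM or report."""
    if len(snapshots) < 2:
        raise ValueError("need two snapshots to compare")
    # ISO 8601 UTC timestamps sort correctly as strings; do not rely on API ordering.
    newest, previous = sorted(snapshots, key=lambda s: s["createdDateTime"],
                              reverse=True)[:2]
    before, after = control_scores(previous), control_scores(newest)
    regressions = [
        {"control": name, "before": before[name], "after": after[name]}
        for name in sorted(before)
        if name in after and after[name] < before[name]
    ]
    current = float(newest.get("currentScore") or 0.0)
    max_score = float(newest.get("maxScore") or 0.0)
    return {
        "tenant": newest.get("azureTenantId"),
        "observed": newest["createdDateTime"],
        "score_pct": round(100.0 * current / max_score, 1) if max_score else 0.0,
        "delta": round(current - float(previous.get("currentScore") or 0.0), 2),
        "regressions": regressions,
    }


if __name__ == "__main__":
    # Offline run against the constructed sample; in production, pass
    # fetch_scores(get_app_token(...)) to diff_snapshots instead.
    print(json.dumps(diff_snapshots(SAMPLE_RESPONSE["value"]), indent=2))
```

A poller like this only issues GET requests, so of the two permission scopes named above it exercises only the read permission.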

 

We hope you all enjoy the new API and start using it right away.  For those of you who are currently using the original API, we recommend that you migrate to the new one before January 31st, 2019 as we will deprecate it at that time.

 

If you have any questions, thoughts, comments on the new API please share them with us below. 

 

Thanks for continuing to use Microsoft Secure Score!

 


The above was provided from Microsoft Security and Compliance blogs at TechCommunity


Privileged access management in Office 365 is now Generally Available

Having privileged access to an application is all that’s needed to execute commands with malicious intent to inflict damage to or exfiltrate data from an organization. Such high privileges can be misused to create fake accounts, grant excessive permissions, exfiltrate sensitive data, cause damage to infrastructure, wipe out or hold data for ransom, and set rules and policies that make it extremely hard to detect and restore the original state. In fact, it’s estimated that 80% of security breaches involve privileged credentials [1]. Therefore, privileged accounts commonly become lucrative attack vectors for both internal and external attackers.

 

On top of this, organizations are constantly evolving (acquisitions, divestitures, entering new markets, etc.) – making it challenging to monitor and manage privileged accounts and respond to various compliance requirements regarding privileged access to sensitive data at scale.

One way to address these risks and complexities is to operate on the principle of Zero Standing Access, which means users do not have privileges by default, and when permissions are provided, it’s at the bare minimum with just enough access to perform the specific task.

Microsoft operates on this principle for data center access, also known as service provider access to customer content, through Lockbox and Customer Lockbox. In fact, Microsoft goes a step further than traditional PAM solutions by eliminating standing privileged access to your data within your organization.

 

We believe that operating on the principle of zero standing access with just in time and just enough access to perform a privileged task is key to effectively manage accounts with privileged access.

 

Therefore, we are excited to announce that we are extending the security rigor that Microsoft uses for data center access, to enable customers to enforce Zero Standing Access for privileged admin access within your organization, with privileged access management in Office 365, which is generally available today.

 

To understand how it works – read further below.

 

How it works

 

Privileged access management in Office 365 goes beyond traditional access control capabilities by enabling access governance more granularly for specific tasks.  

 

It’s based on the principle of Zero Standing Access, which means users who need privileged access must request permissions, and once granted, the access is just-in-time and just-enough to perform the job at hand.

 

Therefore, Zero Standing Access, combined with access governance, can be an effective deterrent to misuse of privileged access by:

 

  • Requiring users to elevate permissions to execute tasks that may expose sensitive data.
  • Providing Just-Enough-Access (JEA) to specific tasks, coupled with Just-In-Time access so access is only allowed for a specific period of time.
  • Removing the dependency on having a set of privileged accounts with standing access.

 

The approval workflow can be enumerated in the following steps:

 

(0) First, set up designated approvers and the privileged access management policy

First, the global admin needs to set up a privileged access management group for authorizing privileged tasks within the Microsoft 365 admin center. Once the group is created, members need to be added as well.

 

Once the members have been added to the group, go to Settings, then Security & privacy, and turn on privileged access management in Office 365 to require approvals for privileged tasks, then select the approval group. Once it is turned on, you can configure the specific access policy. In this example, an access policy has been added to prevent users from executing journal rules without Manual-approval, so that users can’t send copies of sent and received emails to a shadow mailbox without immediate detection.

Auto-approval is practical for high-volume tasks such as password resets, but in this case, members of the Privileged Access Approver group will be responsible for reviewing and approving tasks of this nature.

 


(1) Admin requests privileged access to execute a high-risk task

Once a policy is in place, an admin is now required to request permissions for privileged access through the Microsoft 365 admin center.

 

Typically, the admin learns that they need to elevate permissions when they try to execute the command and the system blocks the task because they have insufficient permissions to run it.

 

To request access, the admin must go to the Microsoft 365 admin center, where privileged access management in Office 365 is managed, and make a new request under Settings, then Security & privacy. Once a request is made, additional information is provided, such as the type of request, the workload, the task, and the duration.

 


(2) Designated approver reviews request and takes action

Since the policy requires a manual approval, the request is sent to the designated approval group. The notification message provides the details of the request including who is requesting access, what task they want to execute, for how long and the reason why. All this information is available to help the designated approver decide if the request is appropriate.

 


To approve or deny the request, the designated approver must log into the Microsoft 365 admin center to take action. 

 


(3) Admin receives notification and takes action for a specific amount of time

If the request is appropriate and the designated approver receives an email notification of the request being approved, the requesting user gets access to the privileged tasks and can execute the task for the specified amount of time.

 


(4) Privileges expire; access is no longer available

With privileged access management, each request expires after a specified length of time to reduce the risk of a malicious user stealing access. After the access period has expired, the requester no longer has privileged access to the task.

 


Managing access governance and responding to compliance obligations

With privileged access management in Office 365, access within an organization is governed, and all instances related to the capability will generate logs and security events. This can be extremely useful to monitor and build alerting on.

 

Event logs – with information about requests, duration, approvals, and actions performed – are audit ready, and can be aggregated and presented as evidence to meet growing compliance requirements.
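Steps (0) to (4) imply what the event logs should show for a protected task: an approval from a designated approver, execution inside the approved window, and nothing after expiry. The added example below is not Microsoft's code; the event fields, account names and group membership are constructed assumptions, not the real audit schema. It checks a small event list for violations of each.

```python
from datetime import datetime, timedelta

# Constructed configuration (hypothetical names): the designated approver
# group and the tasks an access policy places behind manual approval.
# New-JournalRule stands in for the journal-rule task in the page's example.
APPROVER_GROUP = {"approver1@contoso.example", "approver2@contoso.example"}
PROTECTED_TASKS = {"New-JournalRule"}

# Constructed audit events. Field names are assumptions for illustration.
SAMPLE_EVENTS = [
    {"time": "2018-11-01T09:00:00", "type": "request", "id": "r1",
     "user": "admin1@contoso.example", "task": "New-JournalRule", "hours": 2},
    {"time": "2018-11-01T09:10:00", "type": "approve", "id": "r1",
     "user": "approver1@contoso.example"},
    {"time": "2018-11-01T09:30:00", "type": "execute",
     "user": "admin1@contoso.example", "task": "New-JournalRule"},
    {"time": "2018-11-01T11:30:00", "type": "execute",
     "user": "admin1@contoso.example", "task": "New-JournalRule"},
    {"time": "2018-11-01T12:00:00", "type": "execute",
     "user": "admin2@contoso.example", "task": "New-JournalRule"},
    {"time": "2018-11-01T13:00:00", "type": "request", "id": "r2",
     "user": "admin2@contoso.example", "task": "New-JournalRule", "hours": 1},
    {"time": "2018-11-01T13:05:00", "type": "approve", "id": "r2",
     "user": "admin2@contoso.example"},
    {"time": "2018-11-01T13:10:00", "type": "execute",
     "user": "admin2@contoso.example", "task": "New-JournalRule"},
    {"time": "2018-11-01T14:00:00", "type": "execute",
     "user": "admin1@contoso.example", "task": "Get-Mailbox"},
]


def audit(events, approvers=APPROVER_GROUP, protected=PROTECTED_TASKS):
    """Return (time, user, task, reason) for each event that breaks the workflow."""
    requests = {}  # request id -> request event
    grants = []    # (user, task, start, end) for validly approved requests
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        if ev["type"] == "request":
            requests[ev["id"]] = ev
        elif ev["type"] == "approve":
            req = requests.get(ev["id"])
            if req is None:
                findings.append((ev["time"], ev["user"], None,
                                 "approval-without-request"))
            elif ev["user"] not in approvers:
                # Only the designated approver group may grant access.
                findings.append((ev["time"], ev["user"], req["task"],
                                 "approver-not-in-group"))
            else:
                # Just-in-time: the window opens at approval and closes
                # after the requested duration.
                end = when + timedelta(hours=req["hours"])
                grants.append((req["user"], req["task"], when, end))
        elif ev["type"] == "execute" and ev["task"] in protected:
            # Just-enough: a grant covers one user and one task only.
            mine = [g for g in grants
                    if g[0] == ev["user"] and g[1] == ev["task"]]
            if any(start <= when < end for _, _, start, end in mine):
                continue  # executed inside an approved window
            expired = any(end <= when for _, _, _, end in mine)
            reason = "grant-expired" if expired else "no-approved-request"
            findings.append((ev["time"], ev["user"], ev["task"], reason))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EVENTS):
        print(finding)
```
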

 


Privileged access management is available in the Microsoft 365 Admin Center, and organizations can now also manage Customer Lockbox requests, and Data Access requests from Azure Managed Apps from a single management pane for privileged access to your Microsoft 365 data.

 

This is the first step towards enabling customers to protect their sensitive data through the principle of Zero Standing Access, with Just-in-Time & Just-Enough-Access. Stay tuned for further updates here on the TechCommunity blog.

 

Get Started Today!

Privileged access management in Office 365 is now generally available and rolling out to customers with Office 365 E5 and Advanced Compliance SKUs. 

 

You can get started by reviewing the below resources: 

 

 

FAQ

Q: What SKUs do I need to use privileged access management in Office 365?

A: This is offered in the Office 365 E5 or the Advanced Compliance SKU.

 

Q: Which Office 365 services are supported with privileged access management in Office 365?

A: Privileged access management in Office 365 applies to tasks available in Exchange Online. We are working to expand privileged access management capabilities to other Office 365 workloads.

 

Q: How is this different from the Azure Active Directory Privileged Identity Management (AAD PIM)?

 

A:  Azure AD Privileged Identity Management (PIM) and privileged access management (PAM) in Office 365 together provide a robust set of controls for protecting privileged access to your corporate data. With Azure AD PIM, customers can secure admin roles to ensure protection across Office 365 and Azure clouds. PAM in Office 365 can provide another granular layer of protection by controlling access to tasks within Office 365.

 

Q: What permissions do I need to turn this feature on?

A: You need to be a Global or Tenant administrator to be able to turn this feature on. Soon we will enable a new user Role that also will be able to perform these actions.

 

Q: How is privileged access management in Office 365 related to Customer Lockbox?

A: Customer Lockbox allows a level of access control for organizations around access to data by their service provider, i.e. Microsoft. Privileged access management in Office 365 allows granular access control within an organization for all Office 365 privileged tasks.

 

Q: Is there an API that can be used to work with third party SIEM systems?

A: We do plan on providing even more granular reporting as well as an API that enables you to integrate with your third-party solutions.  

 

[1] Forrester Wave: Privileged Identity Management, Q3 2016

[2] Gartner Top 10 Security Projects for 2018

 

 


Privileged access management in Office 365 is now Generally Available


The following is provided from Microsoft Security and Compliance blogs at TechCommunity:

Having privileged access to an application is all that’s needed to execute commands with malicious intent to inflict damage to or exfiltrate data from an organization. Such high privileges can be misused to create fake accounts, grant excessive permissions, exfiltrate sensitive data, cause damage to infrastructure, wipe out or hold data for ransom, and set rules and policies that make it extremely hard to detect the misuse and restore the previous state. In fact, it’s estimated that 80% of security breaches involve privileged credentials [1]. Therefore, privileged accounts commonly become lucrative attack vectors for both internal and external attackers.

 

On top of this, organizations are constantly evolving (acquisitions, divestitures, entering new markets, etc.) – making it challenging to monitor and manage privileged accounts and respond to various compliance requirements regarding privileged access to sensitive data at scale.

One way to address these risks and complexities is to operate on the principle of Zero Standing Access, which means users do not have privileges by default, and when permissions are provided, it’s at the bare minimum with just enough access to perform the specific task.

Microsoft operates on this principle for data center access, also known as service provider access to customer content, through Lockbox and Customer Lockbox. In fact, Microsoft goes a step further than traditional PAM solutions by eliminating standing privileged access to your data within your organization.

 

We believe that operating on the principle of zero standing access with just in time and just enough access to perform a privileged task is key to effectively manage accounts with privileged access.

 

Therefore, we are excited to announce that we are extending the security rigor that Microsoft uses for data center access, to enable customers to enforce Zero Standing Access for privileged admin access within your organization, with privileged access management in Office 365, which is generally available today.

 

To understand how it works – read further below.

 

How it works

 

Privileged access management in Office 365 goes beyond traditional access control capabilities by enabling access governance more granularly for specific tasks.  

 

It’s based on the principle of Zero Standing Access, which means users who need privileged access must request it, and once granted, the access is just-in-time and just-enough to perform the job at hand.

 

Therefore, Zero Standing Access, combined with access governance, can be an effective deterrent to misuse of privileged access by:

 

  • Requiring users to elevate permissions to execute tasks that may expose sensitive data.
  • Providing Just-Enough-Access (JEA) to specific tasks, coupled with Just-In-Time access so access is only allowed for a specific period of time.
  • Removing the dependency on having a set of privileged accounts with standing access.

 

The approval workflow can be enumerated in the following steps:

(0) First, set up designated approvers and the privileged access management policy

First, the global admin needs to set up a privileged access management group for authorizing privileged tasks within the Microsoft 365 admin center. Once the group is created, members need to be added as well.

 


 

Once the members have been added to the group, go to Settings, then Security & privacy, and turn on privileged access management in Office 365 to require approvals for privileged tasks, then select the approval group. Once it is turned on, you can configure the specific access policy. In this example, an access policy has been added to prevent users from executing journal rules without Manual approval, so that users can’t send copies of sent and received emails to a shadow mailbox without immediate detection.

Auto-approval is practical for high-volume tasks such as password resets, but in this case, members of the Privileged Access Approver group will be responsible for reviewing and approving tasks of this nature.

 


 

(1) Admin requests privileged access to execute high risk task

Once a policy is in place, an admin is now required to request permissions for privileged access through the Microsoft 365 admin center.

 

Typically, the admin will know that they need to elevate permissions when they try to execute the command and the system prohibits the admin from running the task because they have insufficient permissions to execute this command.

 

To request access, the admin must go to the Microsoft 365 admin center, where privileged access management in Office 365 is managed, under Settings then Security & privacy, to make a new request. When the request is made, additional information is provided, such as the type of request, the workload, the task, and the duration.

 


 

(2) Designated approver reviews request and takes action

Since the policy requires a manual approval, the request is sent to the designated approval group. The notification message provides the details of the request including who is requesting access, what task they want to execute, for how long and the reason why. All this information is available to help the designated approver decide if the request is appropriate.

 


 

To approve or deny the request, the designated approver must log into the Microsoft 365 admin center to take action. 

 


 

(3) Admin receives notification and takes action for specific amount of time

If the request is appropriate and the designated approver receives an email notification of the request being approved, the requesting user gets access to the privileged tasks and can execute the task for the specified amount of time.

 


 

(4) Privileges expire and access is no longer available

With privileged access management, each request expires after a specified length of time to reduce the risk of a malicious user stealing access. After the access period has expired, the requester no longer has any privileged access to the task.

 


 

Managing access governance and responding to compliance obligations

With privileged access management in Office 365, access within an organization is governed, and all instances related to the capability will generate logs and security events. This can be extremely useful to monitor and build alerting on.

 

Event logs – with information about requests, duration, approvals, and actions performed – are audit ready, and can be aggregated and presented as evidence to meet growing compliance requirements.

 


 

Privileged access management is available in the Microsoft 365 Admin Center, and organizations can now also manage Customer Lockbox requests, and Data Access requests from Azure Managed Apps from a single management pane for privileged access to your Microsoft 365 data.

 

This is the first step towards enabling customers to protect their sensitive data through the principle of Zero Standing Access, with Just-in-Time & Just-Enough-Access. Stay tuned for further updates here on the TechCommunity blog.

 

Get Started Today!

Privileged access management in Office 365 is now generally available and rolling out to customers with Office 365 E5 and Advanced Compliance SKUs. 

 

You can get started by reviewing the below resources: 

 

 

FAQ

Q: What SKUs do I need to use privileged access management in Office 365?

A: This is offered in the Office 365 E5 or the Advanced Compliance SKU.

 

Q: Which Office 365 services are supported with privileged access management in Office 365?

A: Privileged access management in Office 365 applies to tasks available in Exchange Online. We are working to expand privileged access management capabilities to other Office 365 workloads.

 

Q: How is this different from the Azure Active Directory Privileged Identity Management (AAD PIM)?

A: Azure AD Privileged Identity Management (PIM) and privileged access management (PAM) in Office 365 together provide a robust set of controls for protecting privileged access to your corporate data. With Azure AD PIM, customers can secure admin roles to ensure protection across Office 365 and Azure clouds. PAM in Office 365 can provide another granular layer of protection by controlling access to tasks within Office 365.

 

Q: What permissions do I need to turn this feature on?

A: You need to be a Global or Tenant administrator to be able to turn this feature on. Soon we will enable a new user Role that also will be able to perform these actions.

 

Q: How is privileged access management in Office 365 related to Customer Lockbox?

A: Customer Lockbox allows a level of access control for organizations around access to data by their service provider, i.e. Microsoft. Privileged access management in Office 365 allows granular access control within an organization for all Office 365 privileged tasks.

 

Q: Is there an API that can be used to work with third party SIEM systems?

A: We do plan on providing even more granular reporting as well as an API that enables you to integrate with your third-party solutions.  

 

[1] Forrester Wave: Privileged Identity Management, Q3 2016

[2] Gartner Top 10 Security Projects for 2018

 

 

The above was provided from Microsoft Security and Compliance blogs at TechCommunity

Customer Lockbox Approver Role Now Available


The following is provided from Microsoft Security and Compliance blogs at TechCommunity:

We are excited to share a new capability in Customer Lockbox that can provide more flexibility in who can approve Customer Lockbox requests. Read further to learn more. 

 

First, what is Customer Lockbox?

 

Many customers, and in particular regulated customers, have compliance obligations that require access control capabilities to be implemented or for procedures to be in place before privileged access is provided to sensitive data.

 

Customer Lockbox is part of the access control system in Office 365. It extends the default access control workflow so customers can review and approve (or deny) requests for service provider access during service operations. With Customer Lockbox, organizations can demonstrate that there are procedures in place for explicit data access authorization, which may help customers meet certain regulatory or internal compliance obligations. Actions taken by Microsoft engineers in response to Customer Lockbox requests are logged and auditable. 

 

You can view this short video for a closer look at how Customer Lockbox works:

 

 

What’s new in Customer Lockbox?

 

Until recently, approving or denying Customer Lockbox requests was reserved to the Global Administrator. Today, we are announcing the availability of a new custom administrator role: Customer Lockbox access approver. This new custom role and the members of this role are now allowed to configure, approve and deny Customer Lockbox requests.  

 

This has been a key ask from customers who want to add, for example, non-IT roles such as a compliance officer, data protection officer or legal officer to approve privileged access to their Office 365 content by Microsoft personnel during support operations.

 

Here are a few examples of what the new capability looks like. 

 

Graphic 1: Add users to Customer Lockbox access approver role

Graphic 2: User with Customer Lockbox access approver role approving requests

 

Get started today!

 

The Customer Lockbox access approver role is now generally available. Customers who have purchased Office 365 E5 or the Advanced Compliance SKU, and have Customer Lockbox provisioned should be able to use the new capability today. 

 

You can find further documentation and resources below to help you get started!

 

 

Tell us what you think! If there are additional features that you would like to see in Customer Lockbox, we would love to hear from you on uservoice.

 

 

FAQ

Q: How do I turn on Customer Lockbox?

A: For licensed customers, the tenant administrator and Customer Lockbox access approver can enable and configure Customer Lockbox from the Admin Center. For detail on how to turn this on please go here.

 

Q: Which services are covered by Customer Lockbox?

A: Exchange Online, SharePoint Online and OneDrive for Business have complete coverage. Skype for Business coverage does not include Skype Meeting Broadcast recordings or Skype Meeting content uploads. 

 

Q: Who is notified when there is a request to access my content?

A: The Global Administrators and the Customer Lockbox access approver roles are notified via email and can approve or deny Customer Lockbox requests via the Microsoft 365 Admin Center portal or PowerShell.

 

Q: Who can approve or reject these requests in my organization?

A: Customers control membership of the groups that can approve or reject Customer Lockbox requests.

 

Q: Can regular user admins reset the passwords for members of the Customer Lockbox access approver role?

A: Only global admins can reset the passwords of people assigned to this role as it’s considered a privileged role.

 

Q: Is there a limit on the members who can be part of this role?

A: No, there is no limit on the number of members who can be part of this role. However, since this is a privileged role, our recommendation is to limit the members of the group to a smaller manageable size.

 

Q: When a Customer Lockbox request is approved, how long are the permissions valid?

A: The maximum period for permissions granted following a Customer Lockbox approval is currently 4 hours. The Microsoft engineer may request a shorter period as well.

 

Q: How can I get a history of all Customer Lockbox requests?

A: All Customer Lockbox requests can be viewed directly from the Microsoft 365 Admin Center.

The above was provided from Microsoft Security and Compliance blogs at TechCommunity

Customer Lockbox Approver Role Now Available

Customer Lockbox Approver Role Now Available

We are excited to share a new capability in Customer Lockbox that can provide more flexibility in who can approve Customer Lockbox requests. Read further to learn more. 

 

First, what is Customer Lockbox?

 

Many customers, and in particular regulated customers, have compliance obligations that require access control capabilities to be implemented or for procedures to be in place before privileged access is provided to sensitive data.

 

Customer Lockbox is part of the access control system in Office 365. It extends the default access control workflow so customers can review and approve (or deny) requests for service provider access during service operations. With Customer Lockbox, organizations can demonstrate that there are procedures in place for explicit data access authorization, which may help customers meet certain regulatory or internal compliance obligations. Actions taken by Microsoft engineers in response to Customer Lockbox requests are logged and auditable. 

 

You can view this short video for a closer look at how Customer Lockbox works:

 

 

What’s new in Customer Lockbox?

 

Until recently, approving or denying Customer Lockbox requests was reserved to the Global Administrator. Today, we are announcing the availability of a new custom administrator role: Customer Lockbox access approver. This new custom role and the members of this role are now allowed to configure, approve and deny Customer Lockbox requests.  

 

This has been a key ask from customers who want to add, for example, non-IT roles such as a compliance officer, data protection officer or legal officer to approve privileged access to their Office 365 content by Microsoft personnel during support operations.

 

Here are a few examples of what the new capability looks like. 

 

Add users to CLB.pngGraphic 1: Add users to Customer Lockbox access approver rolePix 2.pngGraphic 2: User with Customer Lockbox access approver role approving requests

 

Get started today!

 

The Customer Lockbox access approver role is now generally available. Customers who have purchased Office 365 E5 or the Advanced Compliance SKU, and have Customer Lockbox provisioned should be able to use the new capability today. 

 

You can find further documentation and resources below to help you get started!

 

 

Tell us what you think! If there are additional features that you would like to see in Customer Lockbox, we would love to hear from you on uservoice.

 

 

FAQ

Q: How do I turn on Customer Lockbox?

A: For licensed customers, the tenant administrator and Customer Lockbox access approver can enable and configure Customer Lockbox from the Admin Center. For detail on how to turn this on please go here.

 

Q: Which services are covered by Customer Lockbox?

A: Exchange Online, SharePoint Online and OneDrive for Business have complete coverage. Skype for Business coverage does not include Skype Meeting Broadcast recordings or Skype Meeting content uploads. 

 

Q: Who is notified when there is a request to access my content?

A: The Global Administrators and the Customer Lockbox access approver roles are notified via email and can approve or deny Customer Lockbox request via Microsoft 365 Admin Center portal or PowerShell.

 

Q: Who can approve or reject these requests in my organization?

A: Customers control membership of the groups that can approve or reject Customer Lockbox requests.

 

Q: Can a regular user admins reset the password for members of Customer Lockbox access approver role?

A: Only global admins can reset the passwords of people assigned to this role as it’s considered a privileged role.

 

Q: Is there a limit on the members who can be part of this role?

A: No, there is no limit on the number of members who can be part of this role. However, since this is a privileged role, our recommendation is to limit the members of the group to a smaller manageable size.

 

Q: When a Customer Lockbox request is approved, how long are the permissions valid?

A: The maximum period for permissions granted following a Customer Lockbox approval is currently 4 hours. The Microsoft engineer may request a shorter period as well.

 

Q: How can I get a history of all Customer Lockbox requests?

A: All Customer Lockbox requests can be viewed directly from the Microsoft 365 Admin Center.

Customer Lockbox Approver Role Now Available

Customer Lockbox Approver Role Now Available

We are excited to share a new capability in Customer Lockbox that can provide more flexibility in who can approve Customer Lockbox requests. Read further to learn more. 

 

First, what is Customer Lockbox?

 

Many customers, and in particular regulated customers, have compliance obligations that require access control capabilities to be implemented or for procedures to be in place before privileged access is provided to sensitive data.

 

Customer Lockbox is part of the access control system in Office 365. It extends the default access control workflow so customers can review and approve (or deny) requests for service provider access during service operations. With Customer Lockbox, organizations can demonstrate that there are procedures in place for explicit data access authorization, which may help customers meet certain regulatory or internal compliance obligations. Actions taken by Microsoft engineers in response to Customer Lockbox requests are logged and auditable. 

 

You can view this short video for a closer look at how Customer Lockbox works:

 

 

What’s new in Customer Lockbox?

 

Until recently, approving or denying Customer Lockbox requests was reserved to the Global Administrator. Today, we are announcing the availability of a new custom administrator role: Customer Lockbox access approver. This new custom role and the members of this role are now allowed to configure, approve and deny Customer Lockbox requests.  

 

This has been a key ask from customers who want to add, for example, non-IT roles such as a compliance officer, data protection officer or legal officer to approve privileged access to their Office 365 content by Microsoft personnel during support operations.

 

Here are a few examples of what the new capability looks like. 

 

Add users to CLB.pngGraphic 1: Add users to Customer Lockbox access approver rolePix 2.pngGraphic 2: User with Customer Lockbox access approver role approving requests

 

Get started today!

 

The Customer Lockbox access approver role is now generally available. Customers who have purchased Office 365 E5 or the Advanced Compliance SKU, and have Customer Lockbox provisioned should be able to use the new capability today. 

 

You can find further documentation and resources below to help you get started!

 

 

Tell us what you think! If there are additional features that you would like to see in Customer Lockbox, we would love to hear from you on uservoice.

 

 

FAQ

Q: How do I turn on Customer Lockbox?

A: For licensed customers, the tenant administrator and Customer Lockbox access approver can enable and configure Customer Lockbox from the Admin Center. For detail on how to turn this on please go here.

 

Q: Which services are covered by Customer Lockbox?

A: Exchange Online, SharePoint Online and OneDrive for Business have complete coverage. Skype for Business coverage does not include Skype Meeting Broadcast recordings or Skype Meeting content uploads. 

 

Q: Who is notified when there is a request to access my content?

A: The Global Administrators and the Customer Lockbox access approver roles are notified via email and can approve or deny Customer Lockbox request via Microsoft 365 Admin Center portal or PowerShell.

 

Q: Who can approve or reject these requests in my organization?

A: Customers control membership of the groups that can approve or reject Customer Lockbox requests.

 

Q: Can a regular user admins reset the password for members of Customer Lockbox access approver role?

A: Only global admins can reset the passwords of people assigned to this role as it’s considered a privileged role.

 

Q: Is there a limit on the members who can be part of this role?

A: No, there is no limit on the number of members who can be part of this role. However, since this is a privileged role, our recommendation is to limit the members of the group to a smaller manageable size.

 

Q: When a Customer Lockbox request is approved, how long are the permissions valid?

A: The maximum period for permissions granted following a Customer Lockbox approval is currently 4 hours. The Microsoft engineer may request a shorter period as well.

 

Q: How can I get a history of all Customer Lockbox requests?

A: All Customer Lockbox requests can be viewed directly from the Microsoft 365 Admin Center.

Customer Lockbox Approver Role Now Available

Customer Lockbox Approver Role Now Available

We are excited to share a new capability in Customer Lockbox that can provide more flexibility in who can approve Customer Lockbox requests. Read further to learn more. 

 

First, what is Customer Lockbox?

 

Many customers, and in particular regulated customers, have compliance obligations that require access control capabilities to be implemented or for procedures to be in place before privileged access is provided to sensitive data.

 

Customer Lockbox is part of the access control system in Office 365. It extends the default access control workflow so customers can review and approve (or deny) requests for service provider access during service operations. With Customer Lockbox, organizations can demonstrate that there are procedures in place for explicit data access authorization, which may help customers meet certain regulatory or internal compliance obligations. Actions taken by Microsoft engineers in response to Customer Lockbox requests are logged and auditable. 

 

You can view this short video for a closer look at how Customer Lockbox works:

 

 

What’s new in Customer Lockbox?

 

Until recently, approving or denying Customer Lockbox requests was reserved to the Global Administrator. Today, we are announcing the availability of a new custom administrator role: Customer Lockbox access approver. This new custom role and the members of this role are now allowed to configure, approve and deny Customer Lockbox requests.  

 

This has been a key ask from customers who want to add, for example, non-IT roles such as a compliance officer, data protection officer or legal officer to approve privileged access to their Office 365 content by Microsoft personnel during support operations.

 

Here are a few examples of what the new capability looks like. 

 

Add users to CLB.pngGraphic 1: Add users to Customer Lockbox access approver rolePix 2.pngGraphic 2: User with Customer Lockbox access approver role approving requests

 

Get started today!

 

The Customer Lockbox access approver role is now generally available. Customers who have purchased Office 365 E5 or the Advanced Compliance SKU, and have Customer Lockbox provisioned should be able to use the new capability today. 

 

You can find further documentation and resources below to help you get started!

 

 

Tell us what you think! If there are additional features that you would like to see in Customer Lockbox, we would love to hear from you on uservoice.

 

 

FAQ

Q: How do I turn on Customer Lockbox?

A: For licensed customers, the tenant administrator and Customer Lockbox access approver can enable and configure Customer Lockbox from the Admin Center. For detail on how to turn this on please go here.

 

Q: Which services are covered by Customer Lockbox?

A: Exchange Online, SharePoint Online and OneDrive for Business have complete coverage. Skype for Business coverage does not include Skype Meeting Broadcast recordings or Skype Meeting content uploads. 

 

Q: Who is notified when there is a request to access my content?

A: The Global Administrators and the Customer Lockbox access approver roles are notified via email and can approve or deny Customer Lockbox request via Microsoft 365 Admin Center portal or PowerShell.

 

Q: Who can approve or reject these requests in my organization?

A: Customers control membership of the groups that can approve or reject Customer Lockbox requests.

 

Q: Can a regular user admins reset the password for members of Customer Lockbox access approver role?

A: Only global admins can reset the passwords of people assigned to this role as it’s considered a privileged role.

 

Q: Is there a limit on the members who can be part of this role?

A: No, there is no limit on the number of members who can be part of this role. However, since this is a privileged role, our recommendation is to limit the members of the group to a smaller manageable size.

 

Q: When a Customer Lockbox request is approved, how long are the permissions valid?

A: The maximum period for permissions granted following a Customer Lockbox approval is currently 4 hours. The Microsoft engineer may request a shorter period as well.

 

Q: How can I get a history of all Customer Lockbox requests?

A: All Customer Lockbox requests can be viewed directly from the Microsoft 365 Admin Center.

Customer Lockbox Approver Role Now Available

Customer Lockbox Approver Role Now Available

We are excited to share a new capability in Customer Lockbox that can provide more flexibility in who can approve Customer Lockbox requests. Read further to learn more. 

 

First, what is Customer Lockbox?

 

Many customers, and in particular regulated customers, have compliance obligations that require access control capabilities to be implemented or for procedures to be in place before privileged access is provided to sensitive data.

 

Customer Lockbox is part of the access control system in Office 365. It extends the default access control workflow so customers can review and approve (or deny) requests for service provider access during service operations. With Customer Lockbox, organizations can demonstrate that there are procedures in place for explicit data access authorization, which may help customers meet certain regulatory or internal compliance obligations. Actions taken by Microsoft engineers in response to Customer Lockbox requests are logged and auditable. 

 

You can view this short video for a closer look at how Customer Lockbox works:

 

 

What’s new in Customer Lockbox?

 

Until recently, approving or denying Customer Lockbox requests was reserved to the Global Administrator. Today, we are announcing the availability of a new custom administrator role: Customer Lockbox access approver. This new custom role and the members of this role are now allowed to configure, approve and deny Customer Lockbox requests.  

 

This has been a key ask from customers who want to add, for example, non-IT roles such as a compliance officer, data protection officer or legal officer to approve privileged access to their Office 365 content by Microsoft personnel during support operations.

 

Here are a few examples of what the new capability looks like. 

 

Add users to CLB.pngGraphic 1: Add users to Customer Lockbox access approver rolePix 2.pngGraphic 2: User with Customer Lockbox access approver role approving requests

 

Get started today!

 

The Customer Lockbox access approver role is now generally available. Customers who have purchased Office 365 E5 or the Advanced Compliance SKU, and have Customer Lockbox provisioned should be able to use the new capability today. 

 

You can find further documentation and resources below to help you get started!

 

 

Tell us what you think! If there are additional features that you would like to see in Customer Lockbox, we would love to hear from you on uservoice.

 

 

FAQ

Q: How do I turn on Customer Lockbox?

A: For licensed customers, the tenant administrator and Customer Lockbox access approver can enable and configure Customer Lockbox from the Admin Center. For detail on how to turn this on please go here.

 

Q: Which services are covered by Customer Lockbox?

A: Exchange Online, SharePoint Online and OneDrive for Business have complete coverage. Skype for Business coverage does not include Skype Meeting Broadcast recordings or Skype Meeting content uploads. 

 

Q: Who is notified when there is a request to access my content?

A: The Global Administrators and the Customer Lockbox access approver roles are notified via email and can approve or deny Customer Lockbox request via Microsoft 365 Admin Center portal or PowerShell.

 

Q: Who can approve or reject these requests in my organization?

A: Customers control membership of the groups that can approve or reject Customer Lockbox requests.

 

Q: Can regular user admins reset the password for members of the Customer Lockbox access approver role?

A: Only global admins can reset the passwords of people assigned to this role as it’s considered a privileged role.

 

Q: Is there a limit on the members who can be part of this role?

A: No, there is no limit on the number of members who can be part of this role. However, since this is a privileged role, our recommendation is to limit the members of the group to a smaller manageable size.

 

Q: When a Customer Lockbox request is approved, how long are the permissions valid?

A: The maximum period for permissions granted following a Customer Lockbox approval is currently 4 hours. The Microsoft engineer may request a shorter period as well.

 

Q: How can I get a history of all Customer Lockbox requests?

A: All Customer Lockbox requests can be viewed directly from the Microsoft 365 Admin Center.

Enhancements to the Office 365 ATP admin experience


The following is provided from Microsoft Security and Compliance blogs at TechCommunity:

Over the last several months, we have made many advancements to Office 365 Advanced Threat Protection (ATP).  Due to our impressive malware catch effectiveness, threat actors have altered attack methods to bypass security capabilities leading to an increase in phishing campaigns.  To this end, we have enhanced our anti-phish capabilities.  Recently we improved the admin experience in Office 365.  Now we combine both the advancements in our anti-phish capabilities and admin experience, to deliver powerful new tools that further upgrade our ability to mitigate phishing campaigns.

 

Enhancements to the Office 365 ATP anti-phishing policy

Office 365 ATP customers will now benefit from a default anti-phishing policy providing visibility into the advanced anti-phishing features enabled for the organization.  We’re excited to deliver this as customers often ask for a single view where they can fine-tune the anti-phishing protections applied across all users within the organization.  Admins can also continue to create new or use existing custom anti-phishing policies configured for specific users, groups, or domains within the organization.  The custom policies created will take precedence over the default policy for the scoped users.

 

Customer feedback also led us to increase coverage of our anti-impersonation rule to 60 users and we simplified the spoof protection configurations within the ATP anti-phishing policy.

Figure 1 – ATP anti-phishing default policy settings

Figure 2 – ATP anti-phishing impersonation settings

 

Empowering admins with anti-phishing insights

We recently added a set of in-depth insights to the Security & Compliance Center and now we are excited to announce a new set of anti-phishing insights. These insights provide real-time detections for spoofing, domain and user impersonation, capabilities to manage true and false positives, and include what-if scenarios for fine-tuning and improving protection from these features.

 

  • Spoof Intelligence insights allow admins to review senders spoofing external domains, providing rich information about the sender and inline management of the spoof safe sender list. If spoof protection is not enabled, admins can review spoofed messages that would have been detected if protection was turned on (what-if analysis), turn on the protection, and manage the spoof safe sender list proactively.
  • Domain and User Impersonation insights allow admins to review senders attempting to impersonate domains that you own, your custom protected domains, and protected users within your organization. You can also review impersonation messages that would have been detected if protection was turned on (what-if analysis), turn on impersonation protection, and proactively manage the safe domain and safe sender list before enforcing any action.

Figure 3 – Spoof Intelligence insight widget


 

Explorer, Real-time reports and Office 365 management API will now include phish and URL detections

Earlier this year, we released real-time reports for malware, phish and user-reported messages for Office 365 ATP customers. We are now excited to extend email phishing views in Real-time reports and Explorer experiences to include additional phishing detection details including the detection technology that resulted in the phish detection. These views are enriched with additional details on URLs.  This includes URLs included in messages, filtering based on URL information, display of URL information in the graph/pivot, and Safe Links time-of-click data on allowed/blocked clicks from messages.  Threat Intelligence customers will also get URL data in the ‘all email view’, enabling analysis on URLs for delivered mail, supporting security analysis for missed phish, data loss, and other security investigations.   We have also enriched phish detection events in the Office 365 management API.  The schema will now include email phish and URL click events. We believe these enhanced views are critical to powering security investigation and remediation scenarios across advanced phishing attack vectors.

 

Figure 5 – URL domain and URL clicks view

Figure 6 – Phish detection technology and URL click verdicts

Send Your Feedback

We hope you try these new features and provide feedback.  Your feedback enables us to continue improving and adding features that continue making ATP the premier advanced security service for Office 365.  If you have not tried Office 365 Advanced Threat Protection, you should begin a free Office 365 E5 trial today and start securing your organization from today’s threat landscape.

The above was provided from Microsoft Security and Compliance blogs at TechCommunity
