Microsoft EMS in Plain English

This is (hopefully) an easy-to-understand explanation of Microsoft Enterprise Mobility + Security and some of the security benefits it brings when implemented in your Microsoft cloud tenant. It is meant to give you an overview of what’s included and why it is important.

An explanation of EMS – Microsoft Enterprise Mobility + Security

EMS is a bundle of various security products in the Microsoft Cloud platform and is included as part of Microsoft 365. The purpose of EMS is to provide a comprehensive solution around security in the cloud. EMS is an important complement to Office 365. EMS is available in two sizes, EMS E3 and EMS E5, and is licensed per user.

EMS protects in the following ways:

  • Secure identity and access
  • Managed mobile devices and apps
  • Information protection
  • Identity-driven security and protection against advanced threats

Secure Identity and Access – Azure AD Premium

Azure AD Premium provides tools and security features to protect and manage the user’s identity.

Multi-Factor Authentication (MFA) – Traditionally, usernames and passwords have been used as factors to prove that you are who you say you are when authenticating to an IT service. The problem with usernames and passwords is that they are easy to guess and open for remote use. This is by far the most common cause of breached security.

To increase security and make it almost impossible to carry out account-based attacks remotely, more factors are introduced. In addition to the username and password, something that you know, you also ask for something that you have. This can for example, be a mobile phone connected to your organization or a physical token (looks like a USB flash drive) that must be presented in order for the sign-in to be approved.

Possible factors:

  • The Microsoft Authenticator app that approves the sign-in at the touch of a button
  • One-time pass codes via SMS
  • Automatic phone call where you accept by pressing #
  • Hardware tokens (physical USB keys)

Conditional access – With conditional access, we can set certain requirements when the user logs in based on different conditions.

Examples of conditions are:

What cloud service does the user sign in to?

  • From which device does the user sign in?
  • Is the device managed and compliant with that organization’s security policy?
  • With what type of app does the user sign in?
  • From where does the user sign in?

Then we can approve or block the sign-in with different requirements:

  • Should we require MFA?
  • Should we require the device to comply with the organization’s security policy?
  • Should we just block the login completely?

The big win with conditional access is that we can demand different levels of security depending on the circumstances. This enables enhanced security and an improved user experience.

In addition to these identity protections, Azure AD Premium includes self-service around password change, license management based on groups, hybrid identity solutions (synchronized with on-premises IT environment), and much more.

Managed Mobile Devices and Apps – Intune

More and more users are carrying around devices containing organizational data. It is important to protect these devices so that the data does not fall into the wrong hands in case of theft or a lost device.

Intune is a solution for managing your organization’s mobile devices, computers, and business apps. This cloud service is tightly integrated with Azure AD and supports iOS, Android, Windows 10, and Mac. Intune lets you control devices, settings and apps, monitor them remotely, and remotely perform actions such as factory reset and wipe. Devices and apps can be encrypted and protected with PIN, fingerprint, and face recognition.

Intune makes sure that enrolled devices meet the security requirements of your organization and takes action if this is not the case. Intune can be used on both corporate owned devices and personal devices, often called BYOD devices.

Intune can also replace traditional Windows 10 management based on Group Policy or SCCM. Windows updates can be managed from the cloud as a service, and Windows AutoPilot can be used to install new devices that are sent directly from the manufacturer to the end user without passing through the IT department.

Information Protection – Microsoft Information Protection

Microsoft Information Protection is a name for the various tools available in Microsoft 365 and Azure around information classification and protection.

The tools can be used to:

  • Discover Information
  • Classify the information
  • Protect the information
  • Monitor the information

This can be done on devices, in apps, in cloud services, and on on-premises servers. The information classifications are built according to the needs and policies of the organization and are then applied to files and e-mails. Examples of information classifications are Open, Internal and Confidential. Classification can be made mandatory if required.

A confidential document can be protected with encryption and marked with watermarks. The protection follows the file even if it leaves the organization in an email or on a USB thumb drive. Only approved users can open the file and all access is logged and can be tracked via maps and logs. Access to files can later be revoked.

EMS E5 includes tools to automatically classify information based on rules.

Identity-driven Security and Protection Against Advanced Threats – Azure Advanced Threat Protection, Microsoft Cloud App Security

When identities, devices and information have been protected, you have a good preventive protection. But it is also important to get an overall picture of the organization’s threat scenario and look at the threats that comes from both outside and inside the organization.

Azure Advanced Threat Protection – Analyzes on-prem network traffic to find threats and ongoing attacks and blocks them in real time. Attacks can be analyzed at a granular level, and you’ll see the flow and steps taken to try to access your organization’s information.

Microsoft Cloud App Security – Provides a holistic view of your organization’s use of cloud apps, including unmanaged apps that employees use on their own initiative, called Shadow IT. Microsoft Cloud App Security can be used to detect these apps, prevent them from being used, or allow certain activity inside them. Microsoft has a database of thousands of risk-assessed apps based on different scenarios, and this data can be used to see which apps are appropriate to use and not (e.g. to comply with the GDPR). The goal is to avoid information to be stored outside corporate control and thus risk data leakage.

Please follow me here, on LinkedIn and on Twitter!

@DanielChronlund