Technical Guide, Office 365 UK Blueprint – BYOD
Total Page:16
File Type:pdf, Size:1020Kb
Technical Guide Office 365 UK Blueprint – BYOD Access Patterns Prepared for UK Government 06/2020 Version 1.0 Final Prepared by Microsoft Services UK Prepared for UK Government MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, our provision of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. The descriptions of other companies’ products in this document, if any, are provided only as a convenience to you. Any such references should not be considered an endorsement or support by Microsoft. Microsoft cannot guarantee their accuracy, and the products may change over time. Also, the descriptions are intended as brief highlights to aid understanding, rather than as thorough coverage. For authoritative descriptions of these products, please consult their respective manufacturers. © 2014 Microsoft Corporation. All rights reserved. Any use or distribution of these materials without express authorization of Microsoft Corp. is strictly prohibited. Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. ii Technical Guide, Office 365 UK Blueprint – BYOD Access Patterns, Version 1.0, Final Prepared by Microsoft Services UK "UK Blueprint for BYOD Use - v1.0.docx", Template Version 1809 Table of Contents 1 Blueprint Summary ............................................................................................................................... 5 2 Blueprint Overview ............................................................................................................................... 9 2.1 Requirements ................................................................................................................................................. 9 2.2 Deployment Scenarios ............................................................................................................................. 10 Office 365 Apps on Android or iOS devices ................................................................. 10 Office 365 Web Application access on PC or Mac ...................................................... 11 Office 365 desktop client access using a Virtual Desktop client ............................. 12 3 Blueprint Components ...................................................................................................................... 14 3.1 Azure AD ....................................................................................................................................................... 14 Multi-factor Authentication ............................................................................................. 14 Identity Protection ............................................................................................................. 15 Conditional Access ............................................................................................................. 16 3.2 Microsoft Intune ......................................................................................................................................... 18 App Protection Policies ..................................................................................................... 18 App Configuration Policies ............................................................................................... 19 Device Enrolment Restrictions ......................................................................................... 19 3.3 Microsoft Cloud App Security ............................................................................................................... 20 Session Controls ................................................................................................................. 20 Access Controls ................................................................................................................... 20 3.4 Office 365 ...................................................................................................................................................... 20 3.5 Windows Virtual Desktop ....................................................................................................................... 21 4 Blueprint Design Details ................................................................................................................... 23 4.1 Common Configuration .......................................................................................................................... 23 Azure AD Groups ................................................................................................................ 23 Azure MFA ............................................................................................................................ 24 Enrolment Restriction Policy ............................................................................................ 25 Common scenario definition ............................................................................................ 26 Prepared for UK Government Common Configuration policies ..................................................................................... 27 4.2 Good Configuration Design ................................................................................................................... 33 Good scenario definition .................................................................................................. 33 Good Configuration Policies ............................................................................................ 35 4.3 Better Configuration Design .................................................................................................................. 49 Better Use Cases ................................................................................................................. 49 Better Configuration Policies ........................................................................................... 52 4.4 Best Configuration Design ..................................................................................................................... 63 Best scenario definition..................................................................................................... 64 Best Configuration Policies .............................................................................................. 67 Page 4 Technical Guide, Office 365 UK Blueprint – BYOD Access Patterns, Version 1.0, Final Prepared by Microsoft Services UK "UK Blueprint for BYOD Use - v1.0.docx" Prepared for UK Government 1 Blueprint Summary This document came out of the need to support UK Public Sector and Commercial organisations ability to provide additional capabilities to their employees to facilitate remote working by allowing personal unmanaged devices to connect to Office 365 services in a way that helps them meet their obligations and leverages the features and capabilities that are present within the service. It draws on broad experience across UK government, industry and draws heavily on already existing “best practice”. This guidance is not designed to suggest that nothing else is required as “we do not need to do anything else as we have followed the NCSC and Microsoft’s guidance”. Rather the controls described in this document are intended to help the reader understand why the specific security controls are used and provide step by step configuration guidance allowing organisations to understand how the features and capabilities in Azure AD, Microsoft Intune and Office 365 can be used to ensure that a common bar has been achieved when allowing Bring Your Own Device (BYOD) to access their Office 365 tenant. To support this effort this blueprint has been developed to support the use of Bring Your Own Device (BYOD) scenarios where organisations are not able to provide corporate laptop or mobile devices. Important This blueprint is for configuring end users and not administrators access to Office 365 from BYOD. Administrative accounts should not use BYOD devices to perform administrative tasks from nor will be using O365 productivity applications. The technical controls that are described in this document have been grouped into three categories, good, better, and best. The rationale for the groupings is described below: • Good o Forms the minimum level of configuration that all organisations should meet o Available with Microsoft 365 E3 license o Can be implemented using simple configuration tasks o Browser based access for PC and Mac o Approved apps for Mobile Devices (smart phones / pads) o Use of Conditional Access with MFA and Restricted Session Controls in Exchange Online and SharePoint Online o Highest residual risk • Better Page 5 Technical Guide, Office