Microsoft 365 Access

-->

Applies to

Achieve what matters to you with Word, Excel, PowerPoint, and more. What will you do with your next 365? Safely store and access your files and photos on all your devices. Your Microsoft account comes with 5GB of storage and the option to add more when you need it. Find, lock, or erase a. Collaborate for free with online versions of Microsoft Word, PowerPoint, Excel, and OneNote. Save documents, spreadsheets, and presentations online, in OneDrive. When automation is not possible: You can create rules for dynamic membership on security groups or Microsoft 365 Groups, but what if the HR data is not in Azure AD or if users still need access after leaving the group to train their replacement? You can then create a review on that group to ensure those who still need access should have.

The modern security perimeter of your organization now extends beyond your network to include users accessing cloud-based apps from any location with a variety of devices. Your security infrastructure needs to determine whether a given access request should be granted and under what conditions.

365

This determination should be based on the user account of the sign-in, the device being used, the app the user is using for access, the location from which the access request is made, and an assessment of the risk of the request. This capability helps ensure that only approved users and devices can access your critical resources.

This series of articles describes a set of identity and device access prerequisite configurations and a set of Azure Active Directory (Azure AD) Conditional Access, Microsoft Intune, and other policies to secure access to Microsoft 365 for enterprise cloud apps and services, other SaaS services, and on-premises applications published with Azure AD Application Proxy.

Identity and device access settings and policies are recommended in three tiers: baseline protection, sensitive protection, and protection for environments with highly regulated or classified data. These tiers and their corresponding configurations provide consistent levels of protection across your data, identities, and devices.

These capabilities and their recommendations:

  • Are supported in Microsoft 365 E3 and Microsoft 365 E5.
  • Are aligned with Microsoft Secure Score as well as identity score in Azure AD, and will increase these scores for your organization.
  • Will help you implement these five steps to securing your identity infrastructure.

Microsoft Access is now included as part of Microsoft 365 Family or Personal, Microsoft 365 Apps for business and Microsoft 365 Business Standard subscriptions. How soon you'll see Access as part of your installation depends upon the Microsoft 365 update channel your admin designated for your subscription. Access a former user's OneDrive documents. If you remove a user's license but don't delete the account, you can give yourself access to the content in the user's OneDrive. If you delete the user's account, you have 30 days by default to access the former user's OneDrive data. Learn how to set the OneDrive retention for deleted users.

If your organization has unique environment requirements or complexities, use these recommendations as a starting point. However, most organizations can implement these recommendations as prescribed.

Watch this video for a quick overview of identity and device access configurations for Microsoft 365 for enterprise.


Note

Microsoft also sells Enterprise Mobility + Security (EMS) licenses for Office 365 subscriptions. EMS E3 and EMS E5 capabilities are equivalent to those in Microsoft 365 E3 and Microsoft 365 E5. See EMS plans for the details.

Intended audience

These recommendations are intended for enterprise architects and IT professionals who are familiar with Microsoft 365 cloud productivity and security services, which includes Azure AD (identity), Microsoft Intune (device management), and Microsoft Information Protection (data protection).

Customer environment

The recommended policies are applicable to enterprise organizations operating both entirely within the Microsoft cloud and for customers with hybrid identity infrastructure, which is an on-premises Active Directory Domain Services (AD DS) forest that is synchronized with an Azure AD tenant.

Many of the provided recommendations rely on services available only with Microsoft 365 E5, Microsoft 365 E3 with the E5 Security add-on, EMS E5, or Azure AD Premium P2 licenses.

Microsoft 365 Access Banking

For those organizations who do not have these licenses, Microsoft recommends you at least implement security defaults, which is included with all Microsoft 365 plans.

Caveats

Your organization may be subject to regulatory or other compliance requirements, including specific recommendations that may require you to apply policies that diverge from these recommended configurations. These configurations recommend usage controls that have not historically been available. We recommend these controls because we believe they represent a balance between security and productivity.

We've done our best to account for a wide variety of organizational protection requirements, but we're not able to account for all possible requirements or for all the unique aspects of your organization.

Three tiers of protection

Most organizations have specific requirements regarding security and data protection. These requirements vary by industry segment and by job functions within organizations. For example, your legal department and administrators might require additional security and information protection controls around their email correspondence that are not required for other business units.

Each industry also has their own set of specialized regulations. Rather than providing a list of all possible security options or a recommendation per industry segment or job function, recommendations have been provided for three different tiers of security and protection that can be applied based on the granularity of your needs.

  • Baseline protection: We recommend you establish a minimum standard for protecting data, as well as the identities and devices that access your data. You can follow these baseline recommendations to provide strong default protection that meets the needs of many organizations.
  • Sensitive protection: Some customers have a subset of data that must be protected at higher levels, or they may require all data to be protected at a higher level. You can apply increased protection to all or specific data sets in your Microsoft 365 environment. We recommend protecting identities and devices that access sensitive data with comparable levels of security.
  • Highly regulated: Some organizations may have a small amount of data that is highly classified, constitutes trade secrets, or is regulated data. Microsoft provides capabilities to help organizations meet these requirements, including added protection for identities and devices.

This guidance shows you how to implement protection for identities and devices for each of these tiers of protection. Use this guidance as a starting point for your organization and adjust the policies to meet your organization's specific requirements.

It's important to use consistent levels of protection across your data, identities, and devices. For example, if you implement this guidance, be sure to protect your data at comparable levels.

The Identity and device protection for Microsoft 365 architecture model shows you which capabilities are comparable.

Microsoft 365 access key


View as a PDF Download as a PDF Download as a Visio

Additionally, see the Deploy information protection for data privacy regulations solution to protect information stored in Microsoft 365.

Security and productivity trade-offs

Implementing any security strategy requires trade-offs between security and productivity. It's helpful to evaluate how each decision affects the balance of security, functionality, and ease of use.

The recommendations provided are based on the following principles:

  • Know your users and be flexible to their security and functional requirements.
  • Apply a security policy just in time and ensure it is meaningful.

Services and concepts for identity and device access protection

Microsoft 365 for enterprise is designed for large organizations to empower everyone to be creative and work together securely.

This section provides an overview of the Microsoft 365 services and capabilities that are important for identity and device access.

Azure AD

Azure AD provides a full suite of identity management capabilities. We recommend using these capabilities to secure access.

Capability or featureDescriptionLicensing
Multi-factor authentication (MFA)MFA requires users to provide two forms of verification, such as a user password plus a notification from the Microsoft Authenticator app or a phone call. MFA greatly reduces the risk that stolen credentials can be used to access your environment. Microsoft 365 uses the Azure AD Multi-Factor Authentication service for MFA-based sign-ins.Microsoft 365 E3 or E5
Conditional AccessAzure AD evaluates the conditions of the user sign-in and uses Conditional Access policies to determine the allowed access. For example, in this guidance we show you how to create a Conditional Access policy to require device compliance for access to sensitive data. This greatly reduces the risk that a hacker with their own device and stolen credentials can access your sensitive data. It also protects sensitive data on the devices, because the devices must meet specific requirements for health and security.Microsoft 365 E3 or E5
Azure AD groupsConditional Access policies, device management with Intune, and even permissions to files and sites in your organization rely on the assignment to user accounts or Azure AD groups. We recommend you create Azure AD groups that correspond to the levels of protection you are implementing. For example, your executive staff are likely higher value targets for hackers. Therefore, it makes sense to add the user accounts of these employees to an Azure AD group and assign this group to Conditional Access policies and other policies that enforce a higher level of protection for access.Microsoft 365 E3 or E5
Device enrollmentYou enroll a device into Azure AD to create an identity for the device. This identity is used to authenticate the device when a user signs in and to apply Conditional Access policies that require domain-joined or compliant PCs. For this guidance, we use device enrollment to automatically enroll domain-joined Windows computers. Device enrollment is a prerequisite for managing devices with Intune.Microsoft 365 E3 or E5
Azure AD Identity ProtectionEnables you to detect potential vulnerabilities affecting your organization's identities and configure automated remediation policy to low, medium, and high sign-in risk and user risk. This guidance relies on this risk evaluation to apply Conditional Access policies for multi-factor authentication. This guidance also includes a Conditional Access policy that requires users to change their password if high-risk activity is detected for their account.Microsoft 365 E5, Microsoft 365 E3 with the E5 Security add-on, EMS E5, or Azure AD Premium P2 licenses
Self-service password reset (SSPR)Allow your users to reset their passwords securely and without help-desk intervention, by providing verification of multiple authentication methods that the administrator can control.Microsoft 365 E3 or E5
Azure AD password protectionDetect and block known weak passwords and their variants and additional weak terms that are specific to your organization. Default global banned password lists are automatically applied to all users in an Azure AD tenant. You can define additional entries in a custom banned password list. When users change or reset their passwords, these banned password lists are checked to enforce the use of strong passwords.Microsoft 365 E3 or E5

Here are the components of identity and device access, including Intune and Azure AD objects, settings, and subservices.

Microsoft Intune

Intune is Microsoft's cloud-based mobile device management service. This guidance recommends device management of Windows PCs with Intune and recommends device compliance policy configurations. Intune determines whether devices are compliant and sends this data to Azure AD to use when applying Conditional Access policies.

Intune app protection

Intune app protection policies can be used to protect your organization's data in mobile apps, with or without enrolling devices into management. Intune helps protect information, making sure your employees can still be productive, and preventing data loss. By implementing app-level policies, you can restrict access to company resources and keep data within the control of your IT department.

This guidance shows you how to create recommended policies to enforce the use of approved apps and to determine how these apps can be used with your business data.

Microsoft 365

This guidance shows you how to implement a set of policies to protect access to Microsoft 365 cloud services, including Microsoft Teams, Exchange Online, SharePoint Online, and OneDrive for Business. In addition to implementing these policies, we recommend you also raise the level of protection for your tenant using these resources:

  • Recommendations that apply to baseline security for your tenant.

  • Recommendations that include logging, data governance, admin access, and threat protection.

Windows 10 and Microsoft 365 Apps for enterprise

Windows 10 with Microsoft 365 Apps for enterprise is the recommended client environment for PCs. We recommend Windows 10 because Azure is designed to provide the smoothest experience possible for both on-premises and Azure AD. Windows 10 also includes advanced security capabilities that can be managed through Intune. Microsoft 365 Apps for enterprise includes the latest versions of Office applications. These use modern authentication, which is more secure and a requirement for Conditional Access. These apps also include enhanced security and compliance tools.

Applying these capabilities across the three tiers of protection

The following table summarizes our recommendations for using these capabilities across the three tiers of protection.

Protection mechanismBaselineSensitiveHighly regulated
Enforce MFAOn medium or above sign-in riskOn low or above sign-in riskOn all new sessions
Enforce password changeFor high-risk usersFor high-risk usersFor high-risk users
Enforce Intune application protectionYesYesYes
Enforce Intune enrollment for organization-owned deviceRequire a compliant or domain-joined PC, but allow bring-your-own devices (BYOD) phones and tabletsRequire a compliant or domain-joined deviceRequire a compliant or domain-joined device

Device ownership

The above table reflects the trend for many organizations to support a mix of organization-owned devices, as well as personal or BYODs to enable mobile productivity across the workforce. Intune app protection policies ensure that email is protected from exfiltrating out of the Outlook mobile app and other Office mobile apps, on both organization-owned devices and BYODs.

We recommend organization-owned devices be managed by Intune or domain-joined to apply additional protections and control. Depending on data sensitivity, your organization may choose to not allow BYODs for specific user populations or specific apps.

Deployment and your apps

Prior to configuring and rolling out identity and device access configuration for your Azure AD-integrated apps, you must:

  • Decide which apps used in your organization you want to protect.

  • Analyze this list of apps to determine the sets of policies that provide appropriate levels of protection.

    You should not create separate sets of policies each for app because management of them can become cumbersome. Microsoft recommends that you group your apps that have the same protection requirements for the same users.

    For example, you could have one set of policies that include all Microsoft 365 apps for all of your users for baseline protection and a second set of policies for all sensitive apps, such as those used by human resources or finance departments, and apply them to those groups.

Once you have determined the set of policies for the apps you want to secure, roll the policies out to your users incrementally, addressing issues along the way.

For example, configure the policies that will be used for all your Microsoft 365 apps for just Exchange Online with the additional changes for Exchange. Roll these policies out to your users and work through any issues. Then, add Teams with its additional changes and roll this out to your users. Then, add SharePoint with its additional changes. Continue adding the rest of your apps until you can confidently configure these baseline policies to include all Microsoft 365 apps.

Similarly, for your sensitive apps, create the set of policies and add one app at a time and work through any issues until they are all included in the sensitive app policy set.

Microsoft recommends that you do not create policy sets that apply to all apps because it can result in some unintended configurations. For example, policies that block all apps could lock your admins out of the Azure portal and exclusions cannot be configured for important endpoints such as Microsoft Graph.

Steps to configure identity and device access

  1. Configure prerequisite identity features and their settings.
  2. Configure the common identity and access Conditional Access policies.
  3. Configure Conditional Access policies for guest and external users.
  4. Configure Conditional Access policies for Microsoft 365 cloud apps─such as Microsoft Teams, Exchange Online, and SharePoint─and Microsoft Cloud App Security policies.

After you have configured identity and device access, see the Azure AD feature deployment guide for a phased checklist of additional features to consider and Azure AD Identity Governance to protect, monitor, and audit access.

Next step

Microsoft 365 Access Runtime

-->

Azure Active Directory (Azure AD) access reviews enable organizations to efficiently manage group memberships, access to enterprise applications, and role assignments. User's access can be reviewed on a regular basis to make sure only the right people have continued access.

Here's a video that provides a quick overview of access reviews:

Why are access reviews important?

Azure AD enables you to collaborate with users from inside your organization and with external users. Users can join groups, invite guests, connect to cloud apps, and work remotely from their work or personal devices. The convenience of using self-service has led to a need for better access management capabilities.

  • As new employees join, how do you ensure they have the access they need to be productive?
  • As people move teams or leave the company, how do you make sure that their old access is removed?
  • Excessive access rights can lead to compromises.
  • Excessive access right may also lead audit findings as they indicate a lack of control over access.
  • You have to proactively engage with resource owners to ensure they regularly review who has access to their resources.
Microsoft 365 access code

When should you use access reviews?

  • Too many users in privileged roles: It's a good idea to check how many users have administrative access, how many of them are Global Administrators, and if there are any invited guests or partners that have not been removed after being assigned to do an administrative task. You can recertify the role assignment users in Azure AD roles such as Global Administrators, or Azure resources roles such as User Access Administrator in the Azure AD Privileged Identity Management (PIM) experience.
  • When automation is not possible: You can create rules for dynamic membership on security groups or Microsoft 365 Groups, but what if the HR data is not in Azure AD or if users still need access after leaving the group to train their replacement? You can then create a review on that group to ensure those who still need access should have continued access.
  • When a group is used for a new purpose: If you have a group that is going to be synced to Azure AD, or if you plan to enable the application Salesforce for everyone in the Sales team group, it would be useful to ask the group owner to review the group membership prior to the group being used in a different risk content.
  • Business critical data access: for certain resources, it might be required to ask people outside of IT to regularly sign out and give a justification on why they need access for auditing purposes.
  • To maintain a policy's exception list: In an ideal world, all users would follow the access policies to secure access to your organization's resources. However, sometimes there are business cases that require you to make exceptions. As the IT admin, you can manage this task, avoid oversight of policy exceptions, and provide auditors with proof that these exceptions are reviewed regularly.
  • Ask group owners to confirm they still need guests in their groups: Employee access might be automated with some on premises Identity and Access Management (IAM), but not invited guests. If a group gives guests access to business sensitive content, then it's the group owner's responsibility to confirm the guests still have a legitimate business need for access.
  • Have reviews recur periodically: You can set up recurring access reviews of users at set frequencies such as weekly, monthly, quarterly or annually, and the reviewers will be notified at the start of each review. Reviewers can approve or deny access with a friendly interface and with the help of smart recommendations.

Note

If you are ready to try Access reviews take a look at Create an access review of groups or applications

Microsoft 365 Access Runtime Download

Where do you create reviews?

Depending on what you want to review, you will create your access review in Azure AD access reviews, Azure AD enterprise apps (in preview), or Azure AD PIM.

Microsoft Access 365 Tutorial Pdf

Access rights of usersReviewers can beReview created inReviewer experience
Security group members
Office group members
Specified reviewers
Group owners
Self-review
Azure AD access reviews
Azure AD groups
Access panel
Assigned to a connected appSpecified reviewers
Self-review
Azure AD access reviews
Azure AD enterprise apps (in preview)
Access panel
Azure AD roleSpecified reviewers
Self-review
Azure AD PIMAzure portal
Azure resource roleSpecified reviewers
Self-review
Azure AD PIMAzure portal

License requirements

Using this feature requires an Azure AD Premium P2 license. To find the right license for your requirements, see Comparing generally available features of the Free, Office 365 Apps, and Premium editions.

How many licenses must you have?

Your directory needs at least as many Azure AD Premium P2 licenses as the number of employees who will be performing the following tasks:

  • Member users who are assigned as reviewers
  • Member users who perform a self-review
  • Member users as group owners who perform an access review
  • Member users as application owners who perform an access review

For guest users, licensing needs will depend on the licensing model you’re using. However, the below guest users’ activities are considered Azure AD Premium P2 usage:

  • Guest users who are assigned as reviewers
  • Guest users who perform a self-review
  • Guest users as group owners who perform an access review
  • Guest users as application owners who perform an access review

Azure AD Premium P2 licenses are not required for users with the Global Administrator or User Administrator roles who set up access reviews, configure settings, or apply the decisions from the reviews.

Microsoft 365 Account

Azure AD guest user access is based on a monthly active users (MAU) billing model, which replaces the 1:5 ratio billing model. For more information, see Azure AD External Identities pricing.

Microsoft 365 Access Shared Mailbox

For more information about licenses, see Assign or remove licenses using the Azure Active Directory portal.

Example license scenarios

Here are some example license scenarios to help you determine the number of licenses you must have.

ScenarioCalculationNumber of licenses
An administrator creates an access review of Group A with 75 users and 1 group owner, and assigns the group owner as the reviewer.1 license for the group owner as reviewer1
An administrator creates an access review of Group B with 500 users and 3 group owners, and assigns the 3 group owners as reviewers.3 licenses for each group owner as reviewers3
An administrator creates an access review of Group B with 500 users. Makes it a self-review.500 licenses for each user as self-reviewers500
An administrator creates an access review of Group C with 50 member users and 25 guest users. Makes it a self-review.50 licenses for each user as self-reviewers.*50
An administrator creates an access review of Group D with 6 member users and 108 guest users. Makes it a self-review.6 licenses for each user as self-reviewers. Guest users are billed on a monthly active user (MAU) basis. No additional licenses are required. *6

* Azure AD External Identities (guest user) pricing is based on monthly active users (MAU), which is the count of unique users with authentication activity within a calendar month. This model replaces the 1:5 ratio billing model, which allowed up to five guest users for each Azure AD Premium license in your tenant. When your tenant is linked to a subscription and you use External Identities features to collaborate with guest users, you'll be automatically billed using the MAU-based billing model. For more information, see Billing model for Azure AD External Identities.

Next steps