A decade of continuous innovation

Since its launch a decade ago, Office 365 has grown to over 300 million commercial paid seats. Along the way, we have continuously re-invested to meet the changing needs of our customers. Four years ago, we introduced Microsoft 365 to bring together the best of Office, Windows, and Enterprise Mobility and Security (EMS). That same year we added Microsoft Teams as the only integrated solution where you can meet, chat, call, collaborate, and automate business processes—right in the flow of work.

In fact, since introducing Microsoft 365 we have added 24 apps¹ to the suites—Microsoft Teams, Power Apps, Power BI, Power Automate, Stream, Planner, Visio, OneDrive, Yammer, and Whiteboard—and have released over 1,400 new features and capabilities in three key areas.

1. Communication and collaboration. Microsoft Teams is the new front end across work, life, and learning for more than 250 million monthly active users. We launched Teams in 2017 as the only integrated solution where you can meet, chat, call, collaborate, and automate business processes—with the power of the Office apps—all within the flow of work. In 2020 alone we released over 300 new capabilities including Together mode, background effects, large gallery view, raise hand, live reactions, breakout rooms, live captions with speaker attribution, and Fluid components, just to name a few.

We introduced a new category of collaborative applications in Teams, empowering people and organizations for hybrid work through deep integrations with Power Platform, Whiteboard, Lists, Planner, Shifts, Forms, and SharePoint. Companies like Adobe, Atlassian, Salesforce, SAP, ServiceNow, and Workday have built apps that deeply integrate with Teams, bringing business processes and functions directly into the flow of work.

We continue to innovate on both real-time and asynchronous collaboration. We introduced real-time collaboration in Word, Excel, and PowerPoint desktop apps while a growing set of capabilities like @mentions, assign tasks, modern comments, and auto-save have streamlined the collaboration experience. We’ve added and expanded OneDrive cloud storage and the Exchange Online mailboxes.

2. Security and compliance. The cybersecurity landscape is more complex than ever. With the accelerating volume, sophistication, and scale of cyberattacks, security and compliance are a priority for every organization. Since we first introduced Microsoft 365, we have added new attack surface reduction capabilities to help organizations defend against ransomware and other threats. We have added capabilities like data loss prevention (DLP) for email and documents, sensitivity labels, and message encryption to help keep important data within the organization. And we have added powerful compliance capabilities that help organizations reduce risk and respond to increasing regulatory requirements such as Content Search, eDiscovery, and core Litigation Hold. Built-in mobile device management (MDM) and other management tools like Microsoft Endpoint Manager help admins support remote and hybrid workforces.

3. AI and automation. Over the past decade, we have infused AI capabilities across our productivity and collaboration applications to help everyone achieve more. Across Microsoft 365, we have introduced AI-powered innovations to help users be better writers, designers, and presenters. Cloud-powered AI now automatically creates maps, charts, and tables in Excel, and sorts email and removes clutter in Outlook. And AI-powered real-time translation, captions, and transcription make collaboration and communication more accessible and engaging for everyone.

Extending audio conferencing capabilities

And today, we are announcing that we will add unlimited dial-in capabilities for Microsoft Teams meetings across our enterprise, business, frontline, and government suites over the next few months. Even as cloud connectivity increases, we know that people join Teams meetings while they are on the go or struggling with a bad internet connection. Currently included with Microsoft 365 E5 and Office 365 E5, we have come to see dial-in as an important part of the complete Teams experience. Available with subscription in over 70 countries and with interactive support in 44 languages and dialects, unlimited dial-in provides peace of mind that users will be able to join their Microsoft Teams meeting from virtually any device regardless of location.

New pricing

The pricing changes we are announcing today will go into effect in six months. On March 1, 2022, we will update our list pricing for the following commercial products: Microsoft 365 Business Basic (from $5 USD to $6 USD per user), Microsoft 365 Business Premium (from $ 20 USD to $ 22 USD), Office 365 E1 (from $8 USD to $10 USD), Office 365 E3 (from $20 USD to $23 USD), Office 365 E5 (from $35 USD to $38 USD), and Microsoft 365 E3 (from $32 USD to $36 USD). These increases will apply globally with local market adjustments for certain regions. There are no changes to pricing for education and consumer products at this time.

As leaders around the world look to empower their people for a more flexible, hybrid world of work, it’s clear that every organization will need a new operating model across people, places, and processes. We’re committed to building on the value we’ve delivered over the past decade to continuously provide innovation that helps our customers succeed and thrive today and well into the future.

¹At launch in June 2011, Office 365 included Word, Excel, PowerPoint, Outlook, Lync, Exchange, and InfoPath. We’ve since expanded to add other apps – in whole or in part – and entirely new capabilities including: Access, Bookings, Delve, Forms, GroupMe, Kaizala, Lens, Lists, OneDrive, OneNote Class Notebook, Planner, Power Apps, Power Automate, Power BI, Publisher, SharePoint, Staff Hub, Stream, Sway, Teams, To-Do, Visio, Whiteboard, and Yammer.

The post New pricing for Microsoft 365 appeared first on Microsoft 365 Blog.

Underpinning all of this innovation is the Microsoft Graph, our customers’ secure and compliant record of their productivity activity in the Microsoft Cloud. It helps developers create people-centered, cross-platform experiences by providing context about an organization’s work that flows across documents, apps, and devices. The Microsoft Graph powers the most important components of Microsoft 365, from “born in the cloud” experiences like Microsoft Teams, Microsoft Search, and MyAnalytics, to modern, cloud-connected collaboration in existing apps like Word, Excel, and PowerPoint. Read on for the latest updates to these experiences and the underlying developer technologies that make them possible.

Leverage the power of the open web with Microsoft Edge, whether you’re browsing or developing

In December, we announced our intention to adopt the Chromium open source project in the development of Microsoft Edge on the desktop. We’re excited to work with the larger Chromium open source community to create better web compatibility for our customers and less fragmentation of the web for all web developers. Today at Build, we’re announcing a host of new features for the next version of Microsoft Edge on Windows 10 that address some of the fundamental frustrations with browsers today, including:

• Internet Explorer mode—Internet Explorer mode integrates Internet Explorer directly into the new Microsoft Edge via a new tab. This allows businesses to run legacy Internet Explorer-based apps in a modern browser.
• Privacy Tools—Additional privacy controls which allow customers to choose from 3 levels of privacy in Microsoft Edge—Unrestricted, Balanced, and Strict. Depending on which option you pick, Microsoft Edge adjusts how third parties can track you across the web, giving customers more choice and transparency for a more personalized experience.
• Collections—Addressing the information overload customers feel with the web today, Collections allows you to collect, organize, share and export content more efficiently and with Office integration.

And for developers who have built Chromium compatible websites or extensions, we’re ensuring they’ll see the same compatibility in the Edge browser without additional work. These features and more will begin to roll out over time as we get closer to the broader launch of the next version of Microsoft Edge. To download the latest preview builds, visit the Microsoft Edge Insider site. For more detail on today’s announcements, please visit our developer blog.

A new class of shared, interactive web experiences powered by the Fluid Framework

We’re also committed to making the web more productive and collaborative for all browsers. Today we’re announcing the Fluid Framework, a developer technology for building a new class of shared, interactive experiences on the web. It offers three key capabilities. First, experiences powered by the Fluid Framework will support multi-person coauthoring on web and document content at a speed and scale not yet achieved in the industry. Second, it provides a componentized document model that allows authors to deconstruct content into collaborative building blocks, use them across applications, and combine them in a new, more flexible kind of document. Third, the Fluid Framework makes room for intelligent agents to work alongside humans to translate text, fetch content, suggest edits, perform compliance checks, and more. We’ll make this technology broadly available to developers and integrate it into Microsoft 365 experiences like Word, Teams, and Outlook to transform the way that you work with these tools. We will launch both the software developer kit and the first experiences powered by the Fluid Framework later this year.

Moving from commands to conversations: a new approach to intelligent agents

At Build this morning, we demonstrated a new approach to virtual agents that moves beyond the restrictions of self-contained commands to a truly conversational experience. The traditional approach to virtual agents relies on a manually curated set of skills or intents to map what a person says to the appropriate action in a back-end system. As a result, virtual agents today can’t combine skills or carry the context of one interaction into the next.

Last year, Microsoft acquired a company called Semantic Machines, bringing with it some of the world’s leaders in conversational AI. Together with Microsoft researchers, we’ve built breakthrough new conversational AI technology that will power a new class of multi-turn, multi-domain, and multi-agent experiences. Our technology builds up memory from turn to turn to let you get more done. It crosses skill boundaries, connecting together back-end services, both within Microsoft and externally. And it’s aimed towards a future where every organization has their own agents with their own unique contexts, just like they have their own websites and apps today, and where those agents can seamlessly interoperate.

This new conversational engine will be integrated into Cortana and made available to developers through the Bot Framework, as well as other Azure surfaces and beyond, powering conversational experiences across the company and our customer ecosystem.

Derive deep insights about effective work patterns with Microsoft Graph data connect

Data can be a powerful enabler of cultural change and new ways to work. Today we’re announcing the general availability of Microsoft Graph data connect, a service that helps organizations bring together productivity data from the Microsoft Graph with their own business data securely and at scale using Azure Data Factory. The Microsoft Graph is an incredible resource to help individuals and organizations understand how they work. But without data on the context and outcomes of their work—like sales or line of business performance—it’s an incomplete picture. By allowing organizations to maintain control of their data, while bringing it together in a secure and compliant way, data connect lets organizations derive deep insights about effective work patterns that they can promote throughout their organization. Visit this blog post to learn more about all of the Microsoft Graph announcements at Build 2019.

Use Microsoft Search to tap into your organization’s collective knowledge

Today we’re announcing the general availability of Microsoft Search, rolling out to customers now. The collective knowledge of your organization is one of its most powerful tools, and Microsoft Search provides the ability to tap into it without leaving the flow of your work. You’ll now find the Search box in the same prominent place across Microsoft 365 experiences you use daily, including Office, SharePoint, OneDrive, Outlook, Windows, and Bing. And through a deep connection to the Microsoft Graph, Microsoft Search will help you discover relevant people, content, commands, and activities from across Microsoft 365 where and when you need them—from your desktop at work to your mobile device when you’re on the move. Visit this blog post to learn more about Microsoft Search.

Minimize distractions and stay focused at work with MyAnalytics

In a modern workplace where back to back meetings and urgent requests are the norm, you might have difficulty finding the time, space, and concentration required to do your best work. This summer, we’re launching a preview of new Microsoft 365 capabilities to help you prioritize focus time—blocks of time reserved on your calendar for deep, uninterrupted work. Through the Microsoft Graph, Microsoft 365 experiences like Microsoft Teams will automatically protect scheduled focus times by holding notifications, so you can work without distractions. And to help you establish a focus time routine, MyAnalytics will offer a focus plan that gives you the flexibility to have daily focus time booked automatically based on your availability and surfaces AI-powered suggestions to book focus time for outstanding tasks as you work in Outlook.

Shareable video.

Act swiftly with Actionable Messages in Outlook and inline tasks in Word

Prompt action is essential in an increasingly fast-moving world. Available now, developers can build Actionable Messages for Outlook mobile by taking advantage of Adaptive Cards in Outlook. Actionable Messages enable people to take action now, without having to switch apps—making it faster to get things done. With an Actionable Message, you can approve expense reports, grant document access, book focus time, or answer quick surveys right from your inbox. In addition, you can now give others a digital tap on the shoulder with an @mention inline in a Word document assigning colleague a task, asking a question, or prompting a quick review without ever leaving the document. Look for inline tasks in Word Online in late summer.

Ideas in Word: your AI-powered editor in the cloud

Throughout Microsoft 365 we use AI to make people more productive by extending their capabilities and supporting their work. Today we’re announcing Ideas in Word, giving every Word user an AI-powered editor in the cloud. Ideas follows along as you write and provides intelligent suggestions to make your writing more concise, readable, and inclusive. It can even use machine learning to suggest a rewrite for a tricky phrase. Ideas will also help when you’re reading documents by providing estimated reading times, extracting key points, and decoding acronyms using data from the Microsoft Graph. A preview of Ideas is coming to Word Online this June. To learn more about AI in Office and throughout Microsoft, read the Microsoft AI blog.

Microsoft Teams: a hub for all your teams’ apps

Microsoft Teams will also be a central topic in the Microsoft 365 presence at Build this year—both as an app and as a developer platform. It plays a crucial role as the hub for teamwork in Microsoft 365, and it’s now used by more than 500,000 organizations as a result. We continue to innovate with Teams, adding recent features like live captions, customized backgrounds, data loss protection, and a magical whiteboard camera. And today we’re announcing support for new policies that allow IT administrators to customize their users’ Teams experience by deploying and pinning third-party and line-of-business apps to specific roles or departments.

New developer tools for Microsoft 365

Finally, none of this would be possible without developers creating experiences for the future of work. Kevin Gallo, Corporate Vice President of the Microsoft Developer Platform, talks about the new developer tools across Microsoft 365 in more depth in this blog post. We’re delivering exciting new tools for developers, like the brand-new Windows Terminal that’s modernized to support how developers build today. The new React Native for Windows delivers a simple way for developers to write cross platform web code with a native feel. And Windows Subsystem for Linux 2 improves Linux compatibility, and can run Docker containers natively to simplify development.

We’re excited to share the latest updates to Microsoft 365 experiences and the developer platform. To see these technologies in action, watch the Vision Keynote, Microsoft 365 Tech Keynote, and a host of Microsoft 365 sessions on the Build 2019 site. We can’t wait to see what you build.

The post New people-centered experiences in Microsoft 365, the world’s productivity cloud appeared first on Microsoft 365 Blog.

Today, we’re sharing details of several new Microsoft 365 features to help you get ahead of these trends and deliver on privacy and compliance commitments in a simple, integrated, and intelligent way.

Simplify compliance and privacy management with the new specialized workspace

For compliance professionals, who need to protect and manage their organization’s data privacy risk, we’re announcing a dedicated workspace called the Microsoft 365 compliance center.

In the Microsoft 365 compliance center, you can easily access solutions to help you assess your compliance risk through Compliance Manager, protect data through features like Data Governance, and respond to regulatory obligations like Data Subject Requests. Along with the new Microsoft 365 security center, these specialized workspaces are designed for security and compliance professionals to centrally manage Microsoft 365 services with a unified experience and insights powered by artificial intelligence (AI).

Microsoft 365 compliance center shows actionable insights to help improve your GDPR and ISO compliance.

We’ll gradually roll out the new experience starting today. Read the Tech Community blog to learn more.

Safeguard sensitive data consistently across Mac, iOS, and Android

To help protect sensitive data consistently across various platforms, we’re announcing new Microsoft Information Protection capabilities that enable users to classify content and apply labels to documents and emails directly from Office apps on Mac (Word, PowerPoint, Excel, and Outlook) and Office mobile apps (Word, PowerPoint, and Excel on iOS and Android). For example, a user working on a Mac can assign a “Highly Confidential” label while working on an important Word document. This results in the application of the appropriate protection policy, such as adding encryption and access restrictions or adding visual markings. Learn more about new labeling capabilities in Office apps that help you protect sensitive information.

Classify content and apply labels to add encryption, access restrictions, or visual markings to documents and emails directly from Office apps on Mac, iOS, and Android.

Manage data governance processes with insights and granular controls

We’re also releasing expanded label analytics capabilities that enable customers to analyze and validate how sensitivity and retention labels are being used across both Office 365 data and non-Office 365 data. The new label analytics capabilities in the Microsoft 365 compliance center are currently in preview.

View Office 365 and non-Office 365 data classification and policies together from the new label analytics dashboard in the Microsoft 365 compliance center.

Other enhancements in Advanced Data Governance include the file plan manager, which helps customers migrate governance policy configurations. With the file plan manager, you can map complex retention schedules from your existing records management solution or on-premises repository into Office 365.

Read more about all these new updates in Advanced Data Governance.

Reduce risks with built-in eDiscovery capabilities

During litigation- and investigation-related tasks and workflows, keeping more content in place can help reduce costs and risks associated with handling sensitive data. New capabilities in Advanced eDiscovery can help you communicate with custodians (for example: employees related to a case or investigation), isolate case-related contents for processing within a static set, and use the new review and redact capability to modify sensitive portions of documents before exporting them as part of a legal matter. Watch our video and read more about these updates to Advanced eDiscovery.

Streamline compliance requirements for regulated customers in Microsoft Teams

Regulated industries, such as financial services, need the ability to monitor and audit communications for specific roles in their organization. Now, Supervision includes Microsoft Teams content and additional capabilities to flag sensitive data types and offensive language classifiers. Learn more about these updates in the Tech Community blog.

Monitor Teams content in the new integrated supervisory review experience.

To help regulated customers meet specific immutability and retention requirements, we’re also announcing the availability of a new SEC 17a-4 regulation compliance assessment completed by Cohasset for Exchange-based storage, including email, groups, chats, and other communication types. Learn more about updates to Advanced Data Governance in the Tech Community blog.

Learn more about the Microsoft cloud

Privacy and compliance are deeply ingrained in the culture at Microsoft and embedded in the practices that are at the core of how we build and deliver our products and services.

• Watch Microsoft executive leadership and a leading privacy analyst from Forrester Research share their insights on how organizations are investing in privacy as a differentiator with their customers.
• Read our online e-book on how Microsoft runs on trust.
• Learn more about the new Information Protection and Compliance offering in Microsoft 365 today.

The post Introducing new features in Microsoft 365 to help prepare for the next wave of privacy regulations appeared first on Microsoft 365 Blog.

A big driver of customer adoption of Microsoft 365 is the need for security and compliance solutions in an age of increasingly sophisticated cybersecurity threats, as well as complex information protection needs due to regulations like the General Data Protection Regulation (GDPR). To help address these needs, we are introducing two new Microsoft 365 security and compliance offerings that will be available for purchase on February 1, 2019.

• Identity & Threat Protection—This new package brings together security value across Office 365, Windows 10, and EMS in a single offering. It includes best of breed for advanced threat protection services including Microsoft Threat Protection (Azure Advanced Threat Protection (ATP), Windows Defender ATP, and Office 365 ATP including Threat Intelligence), as well as Microsoft Cloud App Security and Azure Active Directory. This offer will be available for $12 per user per month.*
• Information Protection & Compliance—This new package combines Office 365 Advanced Compliance and Azure Information Protection. It’s designed to help compliance and IT teams perform ongoing risk assessments across Microsoft Cloud services, automatically protect and govern sensitive data throughout its lifecycle, and efficiently respond to regulatory requests leveraging intelligence. This offer will be available for $10 per user per month.*

All the value in these new offers remains available as part of the full Microsoft 365 E5 suite, which also includes business analytics and our enterprise grade phone system and audio conferencing. The full Microsoft 365 E5 suite includes not only security and compliance capabilities, but also offerings in business analytics featuring Power BI, and communications with audio conferencing and advanced phone system value. Additionally, customers can continue to purchase security and compliance components on a standalone basis.

There are no price increases or service impacts associated with any of these changes. The new Identity & Threat Protection and Information Protection & Compliance offerings are designed to provide customers with simpler purchase, deployment, and adoption of these security and compliance workloads.

As we speak to customers about the future of work, we know security and compliance are some of the highest organizational priorities and we hope these new offerings will help them achieve their security and compliance goals.

*Pricing for Microsoft 365 E3 customers before volume discounts.

The post Introducing new advanced security and compliance offerings for Microsoft 365 appeared first on Microsoft 365 Blog.

Every day, everyone in the Microsoft Identity Division comes to work focused on helping you, our customers, make your employees, partners, and customers more productive and to make it easier for you to securely manage access to your enterprise resources.

So, I was pretty excited to learn that Microsoft was recently recognized as a 2018 Gartner Peer Insights Customers’ Choice for Access Management, Worldwide.

In the announcement, Gartner explained, “The Gartner Peer Insights Customers’ Choice is a recognition of vendors in this market by verified end-user professionals, taking into account both the number of reviews and the overall user ratings.” To ensure fair evaluation, Gartner maintains rigorous criteria for recognizing vendors with a high customer satisfaction rate.

Receiving this recognition is incredibly energizing. It’s a strong validation that we’re making a positive impact for our customers and that they value the innovations we added to Azure Active Directory (Azure AD) this year.

To receive this recognition, a vendor must have a minimum of 50 published reviews with an average overall rating of 4.2 stars or higher.

Here are few quotes from the reviews our customers wrote for us:

“Azure AD is fast becoming the single solution to most of our identity and access problems.”
—Enterprise Security Architect in the Transportation Industry. Read full review.

“Azure Active Directory is making great strides to become a highly available and ubiquitous directory service.”
—Chief Technology Officer in the Services Industry. Read full review.

“[Microsoft] has been a great partner in our implementing an identity solution [that] met the needs of our multiple agencies and provided us with a roadmap to continue to move forward with SSO and integration of our legacy and newly developed application. We were also able to set a standard for our SaaS application authentication and access.”
—Director of Technology in the Government Industry. Read full review.

Read more reviews for Microsoft.

Today, more than 90,000 organizations in 89 countries use Azure AD Premium and we manage over eight billion authentications per day. Our engineering team works around the clock to deliver high reliability, scalability, and satisfaction with our service, so being recognized as a Customers’ Choice is pretty motivating for us. It’s been exciting to see the amazing things many of our customers are doing with our identity services.

On behalf of everyone working on Azure AD, I want to say thank you to our customers for this recognition! We look forward to building on the experience and trust that led to us being named a Customers’ Choice!

The Gartner Peer Insights Customers’ Choice logo is a trademark and service mark of Gartner, Inc., and/or its affiliates, and is used herein with permission. All rights reserved. Gartner Peer Insights Customers’ Choice distinctions are determined by the subjective opinions of individual end-user customers based on their own experiences, the number of published reviews on Gartner Peer Insights, and overall ratings for a given vendor in the market, as further described here, and are not intended in any way to represent the views of Gartner or its affiliates.

Best Regards,

Alex Simons (@Twitter: @Alex_A_Simons)
Corporate VP of Program Management
Microsoft Identity Division

The post Microsoft named a 2018 Gartner Peer Insights Customers’ Choice for Access Management appeared first on Microsoft 365 Blog.

We heard our customers loud and clear—they want support for the Microsoft Authenticator app on Apple Watch. So, that’s why I’m thrilled to announce we are starting to roll out the public preview of the Microsoft Authenticator companion app for Apple Watch and plan to release to general availability within the next few weeks. This experience will allow you to approve sign-in notifications that require PIN or biometric on your Watch without having to use your phone.

The Microsoft Authenticator app on Apple Watch supports Microsoft personal, work, and school accounts that are set up with push notifications. All supported accounts automatically sync to the Watch.

Try it out

To test drive the app, upgrade to Microsoft Authenticator v. 6.0.0+ on your phone when it becomes available to you. If you want to try it out before it’s generally available, sign up to become a Microsoft Authenticator TestFlight user.

Once you have the upgrade installed, just follow these three steps:

1. Make sure your phone and Watch are paired.
2. Open the Microsoft Authenticator app on your Watch.

3. Under the account title, tap the Set up button. If there’s no Set up button next to your account, no action is required! You can now approve sign-in notifications on your Watch.

To see the full experience in action, sign in to your account using the Microsoft Authenticator. When a notification comes to your Watch, you can easily and quickly approve.

From a security standpoint, we still consider the experience on the Watch as two-step verification. The first factor is your possession of the Watch. The second factor is the PIN that only you know. When you put the Watch on your wrist in the morning, you will need to unlock it. As long as you don’t remove the Watch from your wrist and it stays within range of your phone, it will stay unlocked—so you don’t need to provide your PIN again.

If you have additional questions, please see our Microsoft Authenticator app FAQ page. Also, feel free to comment below—we would love to hear your feedback and suggestions.

Best regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity Division

The post Microsoft Authenticator companion app for Apple Watch now in public preview appeared first on Microsoft 365 Blog.

The last few months have been some VERY exciting times in the world of identity and security standards. Due to the efforts of a broad set of experts across the industry, we’ve made incredible progress in finalizing a broad set of new and improved standards that will improve both the security and user experiences of a generation of cloud services and devices.

One of the most important of these improvements is the Token Binding family of specifications which is now well on its way towards final ratification at the Internet Engineering Task Force (IETF). (If you want to learn more about token binding, watch this great presentation by Brian Campbell.)

At Microsoft, we believe that the Token Binding can greatly improve the security of both enterprise and consumer scenarios by making high identity and authentication assurance broadly and simply accessible to developers around the world.

Given how positive we believe this impact can be, we have been and continue to be deeply committed to working with the community for creation and adoption of the token binding family of specifications.

Now that the specifications are close to ratification, I’d like to issue two calls to action:

1. Begin experimenting with token binding and planning your deployments.
2. Contact your browser and software vendors, asking them to ship token binding implementations soon if they aren’t already.

And I’m happy to report that Microsoft is just one of many industry voices saying that token binding is an important solution whose time has come.

For more on why token binding matters, I’ll turn things over to Pamela Dingle – a leading industry voice who many of you already know – who is now Microsoft’s Director of Identity Standards on the Azure AD team.

Best Regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity Division

—————————————————————————————————————————–

Thanks Alex and hi everybody,

I share Alex’s excitement! Years of time and effort have been put into the specifications you will see celebrated as new RFC standards in a very short time. The time is right for architects to dig in to the specific identity and security advantages that Token Binding represents.

What is so great about token binding, you might ask? Token binding makes cookies, OAuth access tokens and refresh tokens, and OpenID Connect ID Tokens unusable outside of the client-specific TLS context in which they were issued. Normally such tokens are “bearer” tokens, meaning that whoever possesses the token can exchange the token for resources, but token binding improves on this pattern, by layering in a confirmation mechanism to test cryptographic material collected at time of token issuance against cryptographic material collected at the time of token use. Only the right client, using the right TLS channel, will pass the test. This process of forcing the entity presenting the token to prove itself, is called “proof of possession”.

It turns out that cookies and tokens can be used outside of the original TLS context in all sorts of malicious ways. It could be hijacked session cookies or leaked access tokens, or sophisticated MiTM. This is why the IETF OAuth 2 Security Best Current Practice draft recommends token binding, and why we just recently doubled the rewards on our identity bounty program. By requiring proof of possession, we turn the opportunistic or pre-meditated use of cookies or tokens in ways they were not intended into something difficult and expensive for an attacker to attempt.

Like any proof of possession mechanism, token binding grants us the ability to build defense in depth. We can work hard to never lose a token, but we can also verify just to be safe. Unlike other proof of possession mechanisms such as client certificates, token binding is self-contained and transparent to the user, with most of the heavy lifting done by the infrastructure. We hope that this eventually means anyone can choose to operate at a high level of identity assurance, but we expect to see strong demand from the government and financial verticals at the beginning, as they have immediate regulatory requirements to do proof of possession. As one example, anyone who requires NIST 800-63C AAL3 categorization requires this kind of technology.

Token binding represents a long road. We are three years in, and while the ratification of the specifications is an exciting milestone, as an ecosystem we still have a lot to build, and this specification needs to work across vendors and platforms to be successful. We are very excited over the coming months to start sharing in depth the security benefits and best practices that have come from our embrace of this functionality, and we hope you will join us in advocating for this technology wherever you need it.

Cheers,

— Pam

The post It’s time for token binding appeared first on Microsoft 365 Blog.

Some great news to share with you today! For the second year in a row, Gartner has positioned Microsoft in the Leaders Quadrant in the 2018 Magic Quadrant for Access Management, Worldwide, based on our completeness of vision and ability to execute in the access management market. Find out why in a complimentary copy of the report here.

According to Gartner, Leaders show evidence of strong execution for anticipated requirements related to technology, methodology, or means of delivery. Leaders also show evidence of how access management plays a role in a collection of related or adjacent product offerings.

Furthest in Vision in Leaders Quadrant

Microsoft is positioned the furthest in completeness of Vision in the Leaders Quadrant, for the second straight year. We believe our jump up in Execution also illustrates how important it is for us to execute on a strategy that can help organizations where they are at today and prepare them for the identity needs of tomorrow.

At Microsoft, we champion conditional access policies and threat protection for identities as critical capabilities for a world-class identity and access management solution. As part of a rich ecosystem with Windows 10, Office 365 and EMS, we’ve worked hard to integrate security policies across products to give you visibility and control over the full user experience. We’ve also taken in the insights and feedback from our customers this year to improve the experience and make it even easier to get all your identities in one place. We are committed to providing innovative and comprehensive identity and access management solutions for your employees, partners, and customers.

We could not have continued to be a leader in this space without the input and support from our customers and partners – thank you!

Best Regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity Division

Important note:

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Microsoft.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

The post Vision + Execution: Microsoft named a leader again in Gartner MQ for Access Management appeared first on Microsoft 365 Blog.

For years, we have been at Build talking about the huge opportunity with Windows and Office as developer platforms. In fact, today we have 135 million commercial monthly active users of Office 365 and nearly 700 million Windows 10–connected devices.

But Microsoft’s mission is fundamentally dependent on how well we TOGETHER can harness the power of both Windows and Office in the Microsoft 365 platform.

Microsoft 365 brings together Office 365, Windows 10, and Enterprise Mobility + Security (EMS) as a complete, intelligent, and secure solution to empower employees.

In case you’re not already familiar, Microsoft 365 brings together Office 365, Windows 10, and Enterprise Mobility + Security (EMS) as a complete, intelligent, and secure solution to empower employees. As the largest productivity platform in the world, it’s a vital part of the intelligent edge—and it enables developers to create beneficial experiences that work elegantly across many different device types and many different computing “senses”—including vision and voice.

Today, many of you would consider yourselves Windows or Office developers. Or web developers who target Windows and Office users. Or even mobile developers asking how you might align a mobile experience with other devices. When you leave Build 2018 this week, we hope you consider yourselves Microsoft 365 developers.

New Microsoft 365 experiences empower customers to achieve more

This week, we’re introducing a set of features and updates across a variety of devices and platforms and a better blending between web and application environments for users and developers. Last year at Build, you heard us talk about our commitment to meeting our customers where they are—across platforms. We’re expanding this work to not only bring more Microsoft 365 services across platforms and into applications, but to better connect customers’ existing PC experiences with their phones, helping to increase engagement for developers. These announcements include:

• A new way to connect your phone to your PC with Windows 10 that enables instant access to text messages, photos, and notifications. Imagine being able to quickly drag and drop your phone’s photos into a document on your PC in one swift movement—without having to take your phone out of your pocket. This new experience will begin to roll out in the Windows Insider Program soon.

A new way to connect your phone to your PC with Windows 10 that enables instant access to text messages, photos, and notifications.

• The updated Microsoft Launcher application on Android that will support Enterprise customers with easy access to line of business applications via Microsoft Intune. Microsoft Launcher on Android will also support Timeline for cross-device application launching. Today, your Microsoft Edge browsing sessions on your iPhone or iPad are included in the Timeline experience on your Windows 10 PC. Tomorrow, we’ll show how later this year you’ll be able to access that same timeline on your iPhone with Microsoft Edge.

The updated Microsoft Launcher application on Android will support Enterprise customers with easy access to line of business applications via Microsoft Intune.

Timeline is coming to Microsoft Launcher on Android and to Microsoft Edge on iPhone and iPad.

• Updates to Sets, an easier way to organize your stuff and get back to what you were doing. With Sets, what belongs together stays together, making it easier and faster to create and be productive. As developers, your Universal Windows Platform (UWP) application will work with Sets from the start, helping to keep your customers engaged. And with a few simple changes, your Win32 or web applications are supported within Sets as well.

Updates to Sets, an easier way to organize your stuff and get back to what you were doing.

• Microsoft 365 support of Adaptive Cards, helping developers create rich interactive content within conversations. As a result, end users can approve expense reports or comment on an issue in GitHub directly within an Outlook email or Teams chat. Building on Adaptive Cards, we’re also bringing payments to Outlook. With Microsoft Pay, you’ll be able to quickly and securely pay bills and invoices right from your inbox. Several Microsoft partners will announce support for Microsoft Pay at Build.

Microsoft 365 support of Adaptive Cards helps developers create rich interactive content within conversations.

New opportunities for developers with Microsoft 365

Core to the Microsoft 365 platform is the Microsoft Graph. It helps developers connect the dots between people, conversations, schedules, and content within the Microsoft Cloud. We encourage you to tap into the power of the Microsoft Graph to gain unprecedented context and insights to build smarter apps. Tomorrow, we will talk about new opportunities with the Microsoft Graph and new tools with Microsoft 365 that give you the flexibility to design and create in the languages and frameworks of your choice, empowering you to create smarter ways for people to work. These announcements include:

• New and updated Microsoft Teams APIs in the Microsoft Graph and support for organization-specific applications in Teams, allowing developers to create tailored, intelligent experiences based on the unique needs of a business or industry. Companies can also publish custom apps to the Teams app store.
• Deeper SharePoint integration into Microsoft Teams, enabling people to pin a SharePoint page directly into a Teams channel to enable deeper collaboration. Developers can use modern script-based frameworks like React within your projects to add more pieces that can be added and organized within SharePoint pages.
• Updates helping you support the Fluent Design System, so you can create immersive, deeply engaging experiences with Microsoft’s updated design language. Now every organization can make beautiful solutions that empower your customers to do more. With UWP XAML Islands, you can access the more capable, flexible, powerful XAML controls regardless which UI stack you use—whether it’s Windows Forms, WPF, or native Win32.

• .NET Core 3.0, which allows developers to use the latest version of .NET and have your application run in a standalone .NET environment, so you can build amazing app experiences that don’t impact your broader organizational infrastructure. This allows desktop developers to take advantage of side-by-side install of their applications. That means that system-wide updates of .NET will not impact running applications.
• MSIX, a complete containerization solution providing a simple way to convert large catalogs of applications. It inherits all the great features from UWP, including reliable, robust installation and updating, as well as a managed security model and support for both enterprise management and the Microsoft Store.
• New Azure Machine Learning and JavaScript custom functions that let developers and organizations create your own powerful additions to Excel’s catalog of formulas.
• Windows Machine Learning, a new platform, which enables developers to easily develop Machine Learning models in the intelligent cloud—and then deploy them offline and in high-performance to the PC platform.

If you are a developer maintaining Windows desktop applications, you can now use all of these modern tools with your existing investment across Win32, WPF, and Windows Forms applications. I’ll also share tomorrow our commitment to maximize your opportunity with Microsoft Store by providing up to 95 percent share of the revenue for your consumer apps, excluding games. For more details on the updates to Microsoft Store, check out this blog post. For more detail on the developer opportunities I’ve mentioned here, check out Kevin Gallo’s blog post.

Some of the things we’re talking about at Build this week are available for developers to use and try out now, while other experiences will come during the next year.

All of the things we’re talking about give you the power to build applications the way you want, with the most flexibility to make the right choices for your end users. This is an exciting time: Microsoft 365 enables you to achieve more with your current skillset and your current tools. And that in turn empowers you to help your users achieve more.

Thank you for building with us. I can’t wait to see what you’ll build in 2019!

The post Microsoft 365 empowers developers to build intelligent apps for where and how the world works appeared first on Microsoft 365 Blog.

Many of you probably already use Azure Active Directory (Azure AD) B2B collaboration to work closely with your external partners. Since we launched Azure AD B2B capabilities a year ago, more than 800,000 organizations have used Azure AD B2B to collaborate with their partners, adding 8 million guest user accounts. Pretty amazing right?!

One of the most frequent pieces of feedback we’ve received is that you need B2B collaboration to work for all your apps, even if you have a hybrid configuration where you have apps on-premises and apps in the cloud. For example, you might already use B2B collaboration to invite your partners to access apps in Azure or Office 365, using their external credentials. But, you have high-value on-premises apps that your organization is not ready to move to the cloud just yet.

Today, I’m excited to let you know that we’re releasing a public preview that lets you give Azure AD B2B users access to on-premises apps, without needing to manually create on-prem accounts for them!

These on-premises apps can use SAML-based authentication or Integrated Windows Authentication (IWA) with Kerberos constrained delegation (KCD). This means employees in companies you partner with can use the same work accounts and credentials they use every day and now they can easily and securely access all the cloud and on-premises apps you make available to them. And to top it off, you can use conditional access policies and lifecycle management policies in Azure AD to protect your resources just like you can for employees.

To get start, I’d recommend taking a look at the docs. It’s not hard to enable your employees and partners to collaborate seamlessly even in a hybrid configuration! 

And as always, connect with us for any feedback, discussions, and suggestions. You know we’re listening! 

Best Regards,
Alex Simons (@Twitter: @Alex_A_Simons)
Director of Program Management
Microsoft Identity Division 

The post Azure AD B2B collaboration for hybrid organizations appeared first on Microsoft 365 Blog.

As long as we’ve had passwords, people have tried to guess them. In this blog, we’re going to talk about a common attack which has become MUCH more frequent recently and some best practices for defending against it. This attack is commonly called password spray.

In a password spray attack, the bad guys try the most common passwords across many different accounts and services to gain access to any password protected assets they can find. Usually these span many different organizations and identity providers. For example, an attacker will use a commonly available toolkit like Mailsniper to enumerate all of the users in several organizations and then try “P@$$w0rd” and “Password1” against all of those accounts. To give you the idea, an attack might look like:

This attack pattern evades most detection techniques because from the vantage point of an individual user or company, the attack just looks like an isolated failed login.

For attackers, it’s a numbers game: they know that there are some passwords out there that are very common. Even though these most common passwords account for only 0.5-1.0% of accounts, the attacker will get a few successes for every thousand accounts attacked, and that’s enough to be effective.

They use the accounts to get data from emails, harvest contact info, and send phishing links or just expand the password spray target group. The attackers don’t care much about who those initial targets are—just that they have some success that they can leverage.

The good news is that Microsoft has many tools already implemented and available to blunt these attacks, and more are coming soon. Read on to see what you can do now and in the coming months to stop password spray attacks.

Four easy steps to disrupt password spray attacks

Step 1: Use cloud authentication

In the cloud, we see billions of sign-ins to Microsoft systems every day. Our security detection algorithms allow us to detect and block attacks as they’re happening. Because these are real time detection and protection systems driven from the cloud, they are available only when doing Azure AD authentication in the cloud (including Pass-Through Authentication).

Smart Lockout

In the cloud, we use Smart Lockout to differentiate between sign-in attempts that look like they’re from the valid user and sign-ins from what may be an attacker. We can lock out the attacker while letting the valid user continue using the account. This prevents denial-of-service on the user and stops overzealous password spray attacks. This applies to all Azure AD sign-ins regardless of license level and to all Microsoft account sign-ins.

Tenants using Active Directory Federation Services (ADFS) will be able to use Smart Lockout natively in ADFS in Windows Server 2016 starting in March 2018—look for this ability to come via Windows Update.

IP Lockout

IP lockout works by analyzing those billions of sign-ins to assess the quality of traffic from each IP address hitting Microsoft’s systems. With that analysis, IP lockout finds IP addresses acting maliciously and blocks those sign-ins in real-time.

Attack Simulations

Now available in public preview, Attack Simulator as part of Office 365 Threat Intelligence enables customers to launch simulated attacks on their own end users, determine how their users behave in the event of an attack, and update policies and ensure that appropriate security tools are in place to protect your organization from threats like password spray attacks.

Things we recommend you do ASAP:

1. If you’re using cloud authentication, you’re covered
2. If you’re using ADFS or another hybrid scenario, look for an ADFS upgrade in March 2018 for Smart Lockout
3. Use Attack Simulator to proactively evaluate your security posture and make adjustments

Step 2: Use multi-factor authentication

A password is the key to accessing an account, but in a successful password spray attack, the attacker has guessed the correct password. To stop them, we need to use something more than just a password to distinguish between the account owner and the attacker. The three ways to do this are below.

Risk-based multi-factor authentication

Azure AD Identity Protection uses the sign-in data mentioned above and adds on advanced machine learning and algorithmic detection to risk score every sign-in that comes in to the system. This enables enterprise customers to create policies in Identity Protection that prompt a user to authenticate with a second factor if and only if there’s risk detected for the user or for the session. This lessens the burden on your users and puts blocks in the way of the bad guys. Learn more about Azure AD Identity Protection here.

Always-on multi-factor authentication

For even more security, you can use Azure MFA to require multi-factor authentication for your users all the time, both in cloud authentication and ADFS. While this requires end users to always have their devices and to more frequently perform multi-factor authentication, it provides the most security for your enterprise. This should be enabled for every admin in an organization. Learn more about Azure Multi-Factor Authentication here, and how to configure Azure MFA for ADFS.

Azure MFA as primary authentication

In ADFS 2016, you have the ability use Azure MFA as primary authentication for passwordless authentication. This is a great tool to guard against password spray and password theft attacks: if there’s no password, it can’t be guessed. This works great for all types of devices with various form factors. Additionally, you can now use password as the second factor only after your OTP has been validated with Azure MFA. Learn more about using password as the second factor here.

Things we recommend you do ASAP:

1. We strongly recommend enabling always-on multi-factor authentication for all admins in your organization, especially subscription owners and tenant admins. Seriously, go do this right now.
2. For the best experience for the rest of your users, we recommend risk-based multi-factor authentication, which is available with Azure AD Premium P2 licenses.
3. Otherwise, use Azure MFA for cloud authentication and ADFS.
4. In ADFS, upgrade to ADFS on Windows Server 2016 to use Azure MFA as primary authentication, especially for all your extranet access.

Step 3: Better passwords for everyone

Even with all the above, a key component of password spray defense is for all users to have passwords that are hard to guess. It’s often difficult for users to know how to create hard-to-guess passwords. Microsoft helps you make this happen with these tools.

Banned passwords

In Azure AD, every password change and reset runs through a banned password checker. When a new password is submitted, it’s fuzzy-matched against a list of words that no one, ever, should have in their password (and l33t-sp3@k spelling doesn’t help). If it matches, it’s rejected, and the user is asked to choose a password that’s harder to guess. We build the list of the most commonly attacked passwords and update it frequently.

Custom banned passwords

To make banned passwords even better, we’re going to allow tenants to customize their banned password lists. Admins can choose words common to their organization—famous employees and founders, products, locations, regional icons, etc.—and prevent them from being used in their users’ passwords. This list will be enforced in addition to the global list, so you don’t have to choose one or the other. It’s in limited preview now and will be rolling out this year.

Banned passwords for on-premises changes

This spring, we’re launching a tool to let enterprise admins ban passwords in hybrid Azure AD-Active Directory environments. Banned password lists will be synchronized from the cloud to your on-premises environments and enforced on every domain controller with the agent. This helps admins ensure users’ passwords are harder to guess no matter where—cloud or on-premises—the user changes her password. This launched to limited private preview in February 2018 and will go to GA this year.

Change how you think about passwords

A lot of common conceptions about what makes a good password are wrong. Usually something that should help mathematically actually results in predictable user behavior: for example, requiring certain character types and periodic password changes both result in specific password patterns. Read our password guidance whitepaper for way more detail. If you’re using Active Directory with PTA or ADFS, update your password policies. If you’re using cloud managed accounts, consider setting your passwords to never expire.

Things we recommend you do ASAP:

1. When it’s released, install the Microsoft banned password tool on-premises to help your users create better passwords.
2. Review your password policies and consider setting them to never expire so your users don’t use seasonal patterns to create their passwords.

Step 4: More awesome features in ADFS and Active Directory

If you’re using hybrid authentication with ADFS and Active Directory, there are more steps you can take to secure your environment against password spray attacks.

The first step: for organizations running ADFS 2.0 or Windows Server 2012, plan to move to ADFS in Windows Server 2016 as soon as possible. The latest version will be updated more quickly with a richer set of capabilities such as extranet lockout. And remember: we’ve made it really easy to upgrade from Windows Server 2012R2 to 2016.

Block legacy authentication from the Extranet

Legacy authentication protocols don’t have the ability to enforce MFA, so the best approach is to block them from the extranet. This will prevent password spray attackers from exploiting the lack of MFA on those protocols.

Enable ADFS Web Application Proxy Extranet Lockout

If you do not have extranet lockout in place at the ADFS Web Application proxy, you should enable it as soon as possible to protect your users from potential password brute force compromise.

Deploy Azure AD Connect Health for ADFS

Azure AD Connect Health captures IP addresses recorded in the ADFS logs for bad username/password requests, gives you additional reporting on an array of scenarios, and provides additional insight to support engineers when opening assisted support cases.

To deploy, download the latest version of the Azure AD Connect Health Agent for ADFS on all ADFS Servers (2.6.491.0). ADFS servers must run Windows Server 2012 R2 with KB 3134222 installed or Windows Server 2016.

Use non-password-based access methods

Without a password, a password can’t be guessed. These non-password-based authentication methods are available for ADFS and the Web Application Proxy:

1. Certificate based authentication allows username/password endpoints to be blocked completely at the firewall. Learn more about certificate based authentication in ADFS
2. Azure MFA, as mentioned above, can be used to as a second factor in cloud authentication and ADFS 2012 R2 and 2016. But, it also can be used as a primary factor in ADFS 2016 to completely stop the possibility of password spray. Learn how to configure Azure MFA with ADFS here
3. Windows Hello for Business, available in Windows 10 and supported by ADFS in Windows Server 2016, enables completely password-free access, including from the extranet, based on strong cryptographic keys tied to both the user and the device. This is available for corporate-managed devices that are Azure AD joined or Hybrid Azure AD joined as well as personal devices via “Add Work or School Account” from the Settings app. Get more information about Hello for Business.

Things we recommend you do ASAP:

1. Upgrade to ADFS 2016 for faster updates
2. Block legacy authentication from the extranet.
3. Deploy Azure AD Connect Health agents for ADFS on all your ADFS servers.
4. Consider using a password-less primary authentication method such as Azure MFA, certificates, or Windows Hello for Business.

Bonus: Protecting your Microsoft accounts

If you’re a Microsoft account user:

• Great news, you’re protected already! Microsoft accounts also have Smart Lockout, IP lockout, risk-based two-step verification, banned passwords, and more.
• But, take two minutes to go to the Microsoft account Security page and choose “Update your security info” to review your security info used for risk-based two-step verification
• Consider turning on always-on two-step verification here to give your account the most security possible.

The best defense is… following the recommendations in this blog

Password spray is a serious threat to every service on the Internet that uses passwords but taking the steps in this blog will give you maximum protection against this attack vector. And, because many kinds of attacks share similar traits, these are just good protection suggestions, period. Your security is always our utmost priority, and we’re continually working hard to develop new, advanced protections against password spray and every other type of attack out there. Use the ones above today and check back frequently for new tools to defend against the bad guys out there on the Internet.

I hope you’ll find this information useful. As always, we’d love to hear any feedback or suggestions you have.

Best Regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity Division

The post Azure AD and ADFS best practices: Defending against password spray attacks appeared first on Microsoft 365 Blog.

Updates in Microsoft 365—currently rolling out—help protect sensitive data and include:

• Compliance Manager general availability for Azure, Dynamics 365, and Office 365 Business and Enterprise customers in public clouds.
• Compliance Score availability for Office 365.
• Azure Information Protection scanner general availability.

In addition to the updates announced today, capabilities in Microsoft 365 help to:

• Protect sensitive data in apps and across cloud services.
• Support data protection across platforms.
• Provide a consistent labeling schema experience (in preview).

We’re also going to expand sensitive data types to include a GDPR template to consolidate sensitive data types into a single template.

These Microsoft 365 updates and capabilities are designed to provide you with an information protection strategy to help with GDPR compliance.

“GDPR is coming. But with Microsoft’s information protection solutions, we will have a more efficient way to handle compliance.”
—Erlend Skuterud, chief information security officer for Yara

Assess and manage compliance risk with Compliance Manager

Because achieving organizational compliance can be very challenging, we suggest organizations periodically perform risk assessments to understand their compliance posture. Compliance Manager is a cross–Microsoft Cloud services solution designed to help organizations meet complex compliance obligations like the GDPR. The Compliance Manager is now generally available for Azure, Dynamics 365, and Office 365 Business and Enterprise customers in public clouds.

“Compliance Manager really adds great additional value for Microsoft Cloud services by providing insights on the relationships between regulation, processes, and technology,” stated IT manager Nick Postma from Abrona, a Dutch healthcare organization that helps clients on their journey to becoming strong and confident members of society through social partnerships.

Perform risk assessments with Compliance Score

Compliance Score—a Compliance Manager feature—enables you to perform ongoing risk assessments on Microsoft Cloud services with a risk-based score reference, giving you visibility into your compliance performance. Each control is assigned a risk weight based on the level of risk involved due to control failure, and as you implement and assess controls, you’ll see your score change. Compliance Score is currently available for Office 365 and will be rolling out to other Microsoft Cloud services soon.

Learn more about the key capabilities and updates for Compliance Manager and Compliance Score at our Tech Community blog.

Protect sensitive data on-premises

Azure Information Protection scanner addresses hybrid and on-premises scenarios by allowing you to configure policies to automatically discover, classify, label, and protect documents in your on-premises repositories such as File servers and on-premises SharePoint servers. The scanner can be configured to periodically scan on-premises repositories based on company policies. Azure Information Protection scanner is now generally available.

Read “Azure Information Protection scanner” to learn more. To deploy the scanner in your own environment, follow instructions in this technical guide.

Protect sensitive data in apps and across cloud services

Since data travels through many locations—across devices, apps, cloud services, and on-premises—it is important to build the protection into the file so this protection persistently stays with the data itself. Azure Information Protection provides persistent data protection by classifying, labeling, and protecting sensitive files and emails.

Microsoft Cloud App Security (MCAS) can read files labeled by Azure Information Protection and set policies based on the file labels. For example, a file labeled as Confidential, with an associated policy of “do not forward or copy,” cannot leave your network via file sharing apps like Box.net or Dropbox. In addition, the service scans and classifies sensitive files in cloud apps and automatically applies AIP labels for protection—including encryption. To learn more about this feature, read “Automatically apply labels to sensitive files in cloud apps” and the related technical documentation.

Support for data protection across platforms

As part of our information protection vision, our goal is to cover all major device platforms. Building on our efforts to support non-Windows platforms, we are now previewing the ability to label and protect sensitive data natively, with no plugins required, in Office applications running on Mac devices. This enables Mac users to easily classify, label, and protect Word, PowerPoint, and Excel documents in a similar manner that you are used to with the Azure Information Protection client on Windows. Considering that a significant amount of sensitive information is in PDF format, as part of our ongoing partnership, we are in the process of working with Adobe to have the same consistent labeling and protection of PDFs available in Adobe Reader.

To learn more about these new information protection capabilities, visit the Enterprise Mobility + Security blog.

Consistent labeling schema experience now in preview

We are previewing a consistent labeling schema that will be used across information protection solutions in Microsoft 365. To start, this means that the same default labels will be used across both Office 365 and Azure Information Protection—eliminating the need to create labels in two different places.

The consistent labeling model also helps ensure that sensitive labels—regardless of where they were created—are recognized and understood across Microsoft 365, including Azure Information Protection, Office 365 Advanced Data Governance, Office 365 Data Loss Prevention, and Microsoft Cloud App Security. Learn more about the preview of the consistent labeling experience.

“Microsoft’s information protection capabilities help you protect and manage your sensitive data throughout its lifecycle—inside and outside the organization,” stated an analyst from KuppingerCole, an international and independent analyst organization headquartered in Europe.

Detect and classify personal data relevant to GDPR

The ability to automatically classify personal data is a critical part of helping you achieve your GDPR goals. Today, we have over 80 out-of-the-box sensitive information types that can be used to detect and classify your data.  Soon we will provide a GDPR sensitive information type template to help detect and classify personal data relevant to GDPR. The upcoming GDPR sensitive information type template will help consolidate our sensitive data types into a single template—as well as add several new personal data types to detect (such as addresses, telephone numbers, and medical information).

To learn more about the current sensitive information types, read “What the sensitive information types look for.” To learn more about how to create and customize your own sensitive information types, read “Create a custom sensitive information type.”

For sensitive emails, Microsoft 365 enables users to collaborate on protected messages with anyone inside or outside the organization via Office 365 Message Encryption. To provide more flexibility over controlling and protecting personal information shared in sensitive emails, we are rolling out the new encrypt-only policy in Office 365 Message Encryption starting today. Read further about this and other updates in our Tech Community blog.

Get started on your GDPR journey with Microsoft 365

The Microsoft Cloud is uniquely positioned to help you meet your GDPR compliance obligations. Our cloud solution is built for power, scale, and flexibility. Microsoft 365 brings together Office 365, Windows 10, and Enterprise Mobility + Security—offering a rich set of integrated solutions that help you assess and manage your compliance risk by leveraging Artificial Intelligence (AI) to protect your most important data and streamline your processes with a sophisticated and holistic solution set.

No matter where you are in your GDPR efforts, the Microsoft Cloud and our intelligent compliance solutions in Microsoft 365 can help you on your journey to GDPR compliance. Learn more about how Microsoft can help you prepare for the GDPR and take our free online GDPR assessment. Get started with your organization’s information protection planning by downloading our free white paper and eBook.

—Alym Rayani, director of the Microsoft 365 team

The post Microsoft 365 provides an information protection strategy to help with the GDPR appeared first on Microsoft 365 Blog.

I hope you’ll find today’s post as interesting as I do. It’s a bit of brain candy and outlines an exciting vision for the future of digital identities.

Over the last 12 months we’ve invested in incubating a set of ideas for using Blockchain (and other distributed ledger technologies) to create new types of digital identities, identities designed from the ground up to enhance personal privacy, security and control. We’re pretty excited by what we’ve learned and by the new partnerships we’ve formed in the process. Today we’re taking the opportunity to share our thinking and direction with you. This blog is part of a series and follows on Peggy Johnson’s blog post announcing that Microsoft has joined the ID2020 initiative. If you haven’t already Peggy’s post, I would recommend reading it first.

I’ve asked Ankur Patel, the PM on my team leading these incubations to kick our discussion on Decentralized Digital Identities off for us. His post focuses on sharing some of the core things we’ve learned and some of the resulting principles we’re using to drive our investments in this area going forward.

And as always, we’d love to hear your thoughts and feedback.

Best Regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity Division

———-

Greetings everyone, I’m Ankur Patel from Microsoft’s Identity Division. It is an awesome privilege to have this opportunity to share some of our learnings and future directions based on our efforts to incubate Blockchain/distributed ledger based Decentralized Identities.

What we see

As many of you experience every day, the world is undergoing a global digital transformation where digital and physical reality are blurring into a single integrated modern way of living. This new world needs a new model for digital identity, one that enhances individual privacy and security across the physical and digital world.

Microsoft’s cloud identity systems already empower thousands of developers, organizations and billions of people to work, play, and achieve more. And yet there is so much more we can do to empower everyone. We aspire to a world where the billions of people living today with no reliable ID can finally realize the dreams we all share like educating our children, improving our quality of life, or starting a business.

To achieve this vision, we believe it is essential for individuals to own and control all elements of their digital identity. Rather than grant broad consent to countless apps and services, and have their identity data spread across numerous providers, individuals need a secure encrypted digital hub where they can store their identity data and easily control access to it.

Each of us needs a digital identity we own, one which securely and privately stores all elements of our digital identity.  This self-owned identity must be easy to use and give us complete control over how our identity data is accessed and used.

We know that enabling this kind of self-sovereign digital identity is bigger than any one company or organization. We’re committed to working closely with our customers, partners and the community to unlock the next generation of digital identity-based experiences and we’re excited to partner with so many people in the industry who are making incredible contributions to this space.

What we’ve learned

To that end today we are sharing our best thinking based on what we’ve learned from our decentralized identity incubation, an effort which is aimed at enabling richer experiences, enhancing trust, and reducing friction, while empowering every person to own and control their Digital Identity.

1. Own and control your Identity. Today, users grant broad consent to countless apps and services for collection, use and retention beyond their control. With data breaches and identity theft becoming more sophisticated and frequent, users need a way to take ownership of their identity. After examining decentralized storage systems, consensus protocols, blockchains, and a variety of emerging standards we believe blockchain technology and protocols are well suited for enabling Decentralized IDs (DID).
2. Privacy by design, built in from the ground up.
   Today, apps, services, and organizations deliver convenient, predictable, tailored experiences that depend on control of identity-bound data. We need a secure encrypted digital hub (ID Hubs) that can interact with user’s data while honoring user privacy and control.
3. Trust is earned by individuals, built by the community.
   Traditional identity systems are mostly geared toward authentication and access management. A self-owned identity system adds a focus on authenticity and how community can establish trust. In a decentralized system trust is based on attestations: claims that other entities endorse – which helps prove facets of one’s identity.
4. Apps and services built with the user at the center.
   Some of the most engaging apps and services today are ones that offer experiences personalized for their users by gaining access to their user’s Personally Identifiable Information (PII). DIDs and ID Hubs can enable developers to gain access to a more precise set of attestations while reducing legal and compliance risks by processing such information, instead of controlling it on behalf of the user.
5. Open, interoperable foundation.
   To create a robust decentralized identity ecosystem that is accessible to all, it must be built on standard, open source technologies, protocols, and reference implementations. For the past year we have been participating in the Decentralized Identity Foundation (DIF) with individuals and organizations who are similarly motivated to take on this challenge. We are collaboratively developing the following key components:
   

• Decentralized Identifiers (DIDs) – a W3C spec that defines a common document format for describing the state of a Decentralized Identifier
  
• Identity Hubs – an encrypted identity datastore that features message/intent relay, attestation handling, and identity-specific compute endpoints. 
  
• Universal DID Resolver – a server that resolves DIDs across blockchains 
  
• Verifiable Credentials – a W3C spec that defines a document format for encoding DID-based attestations.   
  

6. Ready for world scale:
   To support a vast world of users, organizations, and devices, the underlying technology must be capable of scale and performance on par with traditional systems. Some public blockchains (Bitcoin [BTC], Ethereum, Litecoin, to name a select few) provide a solid foundation for rooting DIDs, recording DPKI operations, and anchoring attestations. While some blockchain communities have increased on-chain transaction capacity (e.g. blocksize increases), this approach generally degrades the decentralized state of the network and cannot reach the millions of transactions per second the system would generate at world-scale. To overcome these technical barriers, we are collaborating on decentralized Layer 2 protocols that run atop these public blockchains to achieve global scale, while preserving the attributes of a world class DID system.
   
7. Accessible to everyone:
   The blockchain ecosystem today is still mostly early adopters who are willing to spend time, effort, and energy managing keys and securing devices. This is not something we can expect mainstream people to deal with. We need to make key management challenges, such as recovery, rotation, and secure access, intuitive and fool-proof.
   

Our next steps

New systems and big ideas, often make sense on a whiteboard. All the lines connect, and assumptions seem solid. However, product and engineering teams learn the most by shipping.

Today, the Microsoft Authenticator app is already used by millions of people to prove their identity every day. As a next step we will experiment with Decentralized Identities by adding support for them into to Microsoft Authenticator. With consent, Microsoft Authenticator will be able to act as your User Agent to manage identity data and cryptographic keys. In this design, only the ID is rooted on chain. Identity data is stored in an off-chain ID Hub (that Microsoft can’t see) encrypted using these cryptographic keys.

Once we have added this capability, apps and services will be able to interact with user’s data using a common messaging conduit by requesting granular consent. Initially we will support a select group of DID implementations across blockchains and we will likely add more in the future.

Looking ahead

We are humbled and excited to take on such a massive challenge, but also know it can’t be accomplished alone. We are counting on the support and input of our alliance partners, members of the Decentralized Identity Foundation, and the diverse Microsoft ecosystem of designers, policy makers, business partners, hardware and software builders. Most importantly we will need you, our customers to provide feedback as we start testing these first set of scenarios.

This is our first post about our work on Decentralized Identity. In upcoming posts we will share information about our proofs of concept as well as technical details for key areas outlined above.

We look forward to you joining us on this venture!

Key resources:

• Follow-us at @AzureAD on Twitter
  
• Get involved with Decentralized Identity Foundation (DIF)
  
• Participate in W3C Credentials Community Group
  

Regards,

Ankur Patel (@_AnkurPatel)

Principal Program Manager

Microsoft Identity Division

The post Decentralized digital identities and blockchain: The future as we see it appeared first on Microsoft 365 Blog.

Azure AD Conditional Access (CA) has really taken off. Organizations around the world are using it to ensure secure, compliant access to applications. Every month, Conditional Access is now used to protect over 10K organizations and over 10M active users! It’s amazing to see how quickly our customers have put it to work!

We’ve received lot of feedback about the user impact of Conditional Access. Specifically, with this much power at your fingertips, you need a way to see how CA policies will impact a user under various sign-in conditions.

We heard you, and today I am happy to announce the public preview of the “What If” tool for Conditional Access. The What If tool helps you understand the impact of the policies on a user sign-in, under conditions you specify. Rather than waiting to hear from your user about what happened, you can simply use the What If tool.

Get started

Ready to start playing with the tool? You can simply follow these steps:

• Go to Azure AD Conditional access
• Click on What If

• Select the user you want to test

• [Optional] Select app, IP address, device platforms, client app, sign-in risk as needed
• Click on “What If” and view the policies that will impact the user sign-in

Sometimes the question that you’re trying to answer is not “What policies will apply” but “Why is a policy not applying?” The tool can help you with that too! Switch to the “Policies that will not apply” tab and you can view the policy name and, more importantly, the reason why a policy didn’t apply. Isn’t that cool?

Want to learn more about the What If tool?

Tell us what you think

This is just a start. We’re already working to deliver more innovation in this area. As always, we’d love to hear any feedback or suggestions you have on this preview, or anything about Azure AD Conditional Access. We’ve even created a short survey on the What If tool for you to participate in.

We look forward to hearing from you!

Best regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity Division

The post Public preview: “What If” tool for Azure AD conditional access policies appeared first on Microsoft 365 Blog.

The evolution of technology and cloud innovation are democratizing data and in turn fueling digital transformation. Embracing every facet of this digital transformation offers organizations an opportunity to better engage with customers, empower employees, and optimize the creation and delivery of products and services. However, with the increased use of personal data to customize user experiences, new compliance laws—such as the General Data Protection Regulation (GDPR)—are a logical policy component of our technology landscape. Microsoft 365 offers a complete cloud solution to help you with GDPR compliance, while Compliance Manager helps you assess and manage your compliance risk.

Compliance promotes innovation by building customer trust in technology

At its core, the GDPR strengthens personal privacy rights for individuals in the EU and requires organizations to provide individuals control over their personal data. To build and maintain the trust needed to manage customer relationships through technology, organizations need tighter controls over what personal data they hold and how they manage and protect this data. Systems and processes need to be modernized to prevent the unlawful use of data, accommodate personal data requests by individuals, and provide notifications of breaches in a timely manner.

Businesses are looking to the cloud for added value

Our research suggests that companies not only see the long-term value of building trust by protecting customer data, but in fact believe their investments in compliance will positively impact other areas of their business—like productivity and collaboration.* When IT decision makers in Europe and the U.S. were asked to identify their top concern in achieving GDPR compliance, “protecting customer data” was the #1 response while avoiding fines ranked #8. More than half of respondents said the GDPR brings added benefits like collaboration, productivity, and security. Cloud solutions like Microsoft 365 are a big reason that businesses see opportunity in compliance. Of those surveyed, 41 percent said they are likely to move more of their company’s infrastructure to the cloud to become compliant. And among leading cloud vendors, Microsoft was identified as most trusted by a wide margin (28 percent), followed by IBM (16 percent), Google (11 percent), and Amazon (10 percent). All told, 92 percent of IT decision makers in companies that store data primarily in the cloud identified as being confident in their GDPR readiness, compared with just 65 percent of those who prefer to store data on-premises.

Microsoft 365 is a complete cloud solution for GDPR compliance

The Microsoft Cloud is uniquely positioned to help you meet your GDPR compliance obligations, with the largest certified compliance portfolio, services architected to be secure by design, and the most extensive global datacenter footprint in the industry.

Our cloud solution is built for power, scale, and flexibility. Microsoft 365 brings together Office 365, Windows 10, and Enterprise Mobility + Security—offering a rich set of integrated solutions that leverage AI to help you assess and manage your compliance risk, protect your most important data, and streamline your processes.

Assess and manage your compliance risk with Compliance Manager Preview

Because achieving organizational compliance can be very challenging, understanding your compliance risk should be your first priority. Today, we’re making that easier with the preview of Compliance Manager.

Compliance Manager is a cross–Microsoft Cloud services solution designed to help organizations meet complex compliance obligations like the GDPR. It performs a real-time risk assessment that reflects your compliance posture against data protection regulations when using Microsoft Cloud services, along with recommended actions and step-by-step guidance. Learn more about Compliance Manager and how to access the preview.

Protect your most sensitive data

Beyond understanding your compliance risk, protecting both personal data and other sensitive content is key.

Microsoft information protection solutions provide an integrated classification, labeling, and protection experience, enabling more persistent governance and protection of sensitive data wherever it is—across devices, apps, cloud services, and on-premises.

For example, Office 365 Advanced Data Governance leverages machine assisted insights to help you automatically classify, set policies, and protect the data in Office 365 that is most important to your organization.

Azure Information Protection scanner addresses hybrid and on-premises scenarios by allowing you to configure policies to automatically label and protect documents on a Windows Server file share. Read “Azure Information Protection scanner in public preview” to learn more about the scanner.

Microsoft also provides external threat protection solutions to prevent and detect cyber-attacks across workloads—whether on devices using Windows 10, on-premises and Azure-based infrastructure, or with our cloud services like Office 365.

One of these solutions, Windows Defender Advanced Threat Protection, is built into Windows 10 and helps spot most advanced targeted attacks by giving visibility into threats on your device, insights into the scope of the threat, and one-click response capabilities to isolate the threat immediately.

Streamline your processes

The GDPR requires organizations to be able to identify and locate personal data. Having a scalable investigation and audit-ready processes in place to meet requirements is paramount.

Content Search, a feature of Office 365 eDiscovery, makes it easy to search Office 365 for data related to individuals. Since the results of this search could result in large quantities of data or data that is confidential to the organization, machine learning in Advanced eDiscovery can be used to minimize the data so that you are only providing the relevant data in accordance with the GDPR.

Finally, Customer Lockbox provides an audit trail showing when personal data is accessed during service operations.

Get started today on your GDPR journey with Microsoft

No matter where you are in your GDPR efforts, the Microsoft Cloud and our intelligent compliance solutions in Microsoft 365 can help you on your journey to GDPR compliance.

—Ron Markezich

*Online survey conducted by YouGov PLC between 10/31/2017 and 11/8/2017. Sample size: 1,542 IT decision makers.

The post Microsoft 365 helps businesses increase trust and innovation through compliance with Compliance Manager Preview appeared first on Microsoft 365 Blog.

Today at Microsoft Ignite, we unveiled a new vision for empowering Firstline Workers in the digital age and introduced Microsoft 365 F1—a new offering that brings together Office 365, Windows 10, and Enterprise Mobility + Security to deliver a complete, intelligent solution to empower all workers.

The modern workplace requires companies to meet new employee expectations, connect a more distributed workforce, and provide the tools that allow all employees to create, innovate, and work together to solve customer and business problems. A truly modern workplace brings out the best in employee ingenuity, creates a culture of innovation and action, and welcomes and empowers all workers from the executive team to the Firstline Workforce.

Firstline Workers comprise the majority of our global workforce. Numbering two billion people worldwide, they are the people behind the counter, on the phone, in the clinics, on the shop floor, and in the field. They are often the first to engage customers, the first to represent a company’s brand, and the first to see products and services in action. They form the backbone of many of the world’s largest industries, and without them, the ambitions of many organizations could not be brought to life.

We see an opportunity for technology to give Firstline Workers a more intuitive, immersive, and empowering experience. Microsoft is in a unique position to help companies tap into the potential of their Firstline Workforce with our commercial product offerings, spanning Microsoft 365, Dynamics 365, Microsoft IoT, Microsoft AI, and Microsoft HoloLens and the Windows Mixed Reality ecosystem.

The introduction of Microsoft 365 F1 represents a significant next step towards our vision of involving the Firstline Workforce in digital transformation by empowering every worker with technology.

Transforming the Firstline Worker experience

Microsoft 365 F1 includes the capabilities and tools to enable every worker to turn their ideas into action. It fosters culture and community, with Skype Meeting Broadcast for interactive townhall meetings and Yammer to help employees find and share best practices across the company.

Microsoft 365 F1 makes it easy to train and upskill employees, with Microsoft Stream to share dynamic, role-based content and video, and SharePoint to easily distribute onboarding and training materials and manage institutional knowledge in one secure place.

It supports firstline productivity and digitizes business processes, with Microsoft StaffHub, a purpose-built app for Firstline Workers to manage their workday and Microsoft PowerApps and Flow to automate everyday activities. Today, we’re announcing new capabilities coming to StaffHub, including the ability for employees to clock in/out and track tasks. We are also making it easier for employees to stay connected in StaffHub, by integrating messaging with Microsoft Teams, the hub for teamwork, and highlighting corporate announcements made in Yammer. Finally, we’re enabling customers to connect StaffHub to workforce management systems and other tools with the availability of general APIs.

Microsoft 365 F1 streamlines IT management, minimizes cost, and extends security to all employees and endpoints. Azure Active Directory provides management of employee identity and access; Microsoft Intune helps secure devices; and new features in Windows 10 simplify the management of Firstline Workers’ experiences, supporting locked down single purpose devices with Windows Assigned Access and automated deployment with Windows AutoPilot.

Finally, we recognize the importance of providing Firstline Workers streamlined and secure devices that minimize total cost of ownership. Today, we’re announcing new commercial devices with Windows 10 S from our OEM partners HP, Lenovo, and Acer. Starting as low as $275, these devices benefit from cloud-based identity and management and are ideal for firstline environments.

We are incredibly excited about our opportunity to empower Firstline Workers and we are just getting started!

To learn more about our vision, please visit our new Firstline Worker page and see the table below to learn what’s included in Microsoft 365 F1.

—Bryan Goode

The post All workers welcome with Microsoft 365 appeared first on Microsoft 365 Blog.

Building on our vision for the modern workplace, today at the Microsoft Ignite conference in Orlando, we’re announcing the expansion of Microsoft 365 as well as a number of new product capabilities that empower everyone to be creative and work together, securely.

Expanding Microsoft 365 to new audiences

In July, we announced Microsoft 365, which brings together Office 365, Windows 10, and Enterprise Mobility + Security, delivering a complete, intelligent, and secure solution to empower employees. It represents a fundamental shift in how we design, build, and bring our products to market to address customer needs for a modern workplace. Starting October 1, 2017, we are bringing Microsoft 365 to several new audiences.

Microsoft 365 Education—A new offer that combines capabilities across Office 365 for Education, Windows 10, Enterprise Mobility + Security, and Minecraft: Education Edition, to provide students, faculty, and staff everything they need to create and work together securely in the classroom. Microsoft 365 Education is offered in two plans—Microsoft 365 A3 and Microsoft 365 A5. In addition, we’re excited to announce a new Microsoft 365 plan for non-profit organizations.

Microsoft 365 F1—A new Microsoft 365 Enterprise plan designed to maximize the impact of the Firstline Worker. Numbering two billion worldwide, these are the individuals behind the counter, on the phone, in the clinics, on the shop floor, and in the field who form the backbone of many of the world’s largest industries. This new plan helps foster culture and community, train and upskill employees, digitize business processes, and deliver real-time expertise while minimizing risk and cost. We’re also adding new product capabilities to StaffHub and Windows 10 to keep everyone connected, automate device deployment, and manage single purpose devices.

We also recognize the importance of providing Firstline Workers with streamlined and secure devices that reduce total cost of ownership. Today, we’re announcing new commercial devices with Windows 10 S from our OEM partners HP, Lenovo, and Acer, with availability starting later this year. Starting as low as $275 (ERP), these devices benefit from cloud-based identity and management and are ideal for firstline environments.

New capabilities to unlock employee creativity

Work today has quickly shifted from simple execution of routine tasks to creative problem solving. Microsoft 365 provides the tools people need to express their ideas effectively, build on the work and expertise of others, and create compelling content.

New intelligent capabilities in Excel—We’re harnessing the power of AI to make Excel more powerful. Coming in early 2018, Excel will understand new data types, beyond text and numbers, and augment that data based on public and enterprise information. For example, Excel will know that “India” is a country and “MSFT” is a stock. Insights—a new service coming to Office Insiders this year—also uses AI to find and recommend patterns, helping you derive additional insights from complex data.

Intelligent, personalized search—New search capabilities enable you to discover people and information from across your organization and beyond. We’ve made improvements to help you quickly find the content and expertise you need across SharePoint and Office.com, and you can even search for people and content directly from your Windows taskbar. Bing for business, now in private preview, brings internal sites and content into Bing search results to help you find the right information and resources. Wherever you start your search—you get consistent, personalized results powered by the Microsoft Graph.

LinkedIn profile integration—Today, we’re announcing the ability to view LinkedIn profiles in Microsoft apps and services. This new experience, rolling out now to first release customers, provides rich insights about the people you’re working with—inside and outside your organization—right from within Office 365.

See LinkedIn profile information from Microsoft apps and services.

The universal toolkit for teamwork

One of the hallmarks of the modern workplace is the shift from individual productivity to dynamic teamwork. Microsoft 365 addresses the complete set of needs you have across your organization by providing a universal toolkit for teamwork with a broad set of purpose-built apps, all on a secure platform.

Intelligent communications with Microsoft Teams—Today, we’re announcing a new vision for intelligent communications to transform calling and meeting experiences by bringing comprehensive voice and video capabilities into Teams, along with cognitive and data services, and insights from the Microsoft Graph. As a result, Teams will evolve as the primary client for intelligent communications in Office 365, replacing the current Skype for Business client over time.

Enhanced content sharing with OneDrive and SharePoint—The new unified sharing experience, now in Windows, Mac, web, and mobile, will come to the Office apps in the coming weeks. The new experience provides a simple, consistent, and secure way to share and control access to files across Office 365. And you can now securely share files with people outside your organization who don’t have a Microsoft account. In addition, you can customize the look and layout of SharePoint pages, add dynamic content from over 100 new web parts and connectors, as well as share those pages on SharePoint sites or as a tab in Teams.

Cross-org connections with Yammer—We continue to invest in Yammer as the best way to connect with people across your organization. Today, we’re announcing deeper integration with SharePoint, new group insights for community managers, and enterprise-grade compliance with local data residency.

Yammer group insights show trends for group members and non-members.

Simplifying IT management

In the modern workplace, the role of IT has never been more important. Microsoft 365 is designed to meet business needs and minimize total cost of ownership across the IT lifecycle, from deployment to management and ongoing servicing. Only Microsoft delivers a complete solution for your entire productivity infrastructure.

Simplifying management—Beginning in early 2018, Lenovo, HP, Panasonic, Fujitsu, and Toshiba will join Surface in supporting Windows Autopilot on new Windows 10 devices, automating new device deployment and configuration. This fall, we’ll also introduce new capabilities in Microsoft Intune to manage Windows 10 devices with Office 365 ProPlus, configure Windows Defender Advanced Threat Protection, and deploy Win32 apps.

New migration capabilities—To help customers on their transition to the cloud, this fall, we’ll introduce co-management, a new set of capabilities to help customers migrate to cloud-based management of Windows 10 devices with Microsoft Intune. We’re also announcing FastTrack for Microsoft 365, which provides planning, guidance, and assistance to help IT professionals drive adoption and usage across Microsoft 365.

New proactive insights—Office 365 Usage Analytics, generally available in early 2018, will enable IT professionals to analyze and visualize service-wide usage data in Power BI. On the desktop, we’re updating Windows Analytics this fall with new update compliance and device health capabilities to help proactively identify and address new issues that may impact user experience and productivity.

The new usage analytics dashboard uses Power BI to unlock rich insights about service adoption.

Intelligent security and compliance updates

As employees embrace a new culture of work across devices and cloud apps, their interactions can become more difficult to secure. Updates to Microsoft 365 provide broad security capabilities, powered by Microsoft’s Intelligent Security Graph, to help protect people and sensitive data from new, sophisticated threats, and to help you meet compliance obligations.

Expanding conditional access—To help you better secure the “front door” of your organization, we’re expanding conditional access capabilities. To secure sessions inside SaaS apps and protect sensitive documents, we are integrating across Azure Active Directory, Microsoft Cloud App Security, and Azure Information Protection as well as extending multi-factor authentication to include third-party support.

The Microsoft Cloud App Security dashboard.

Information protection—Microsoft 365 helps you detect, classify, protect, and monitor your data, regardless of where it is stored or shared. Today, we’re announcing the integration of Azure Information Protection with Office 365 Message Encryption, which makes it easier to send protected emails and documents to recipients using consumer email services such as Outlook.com and Gmail.

Phishing protection and automatic remediation—Today, we’re unveiling new threat protection capabilities built on the Microsoft Intelligent Security Graph. New Office 365 Advanced Threat Protection features help mitigate content phishing, domain spoofing, and impersonation. We’re also announcing a limited preview of Azure Advanced Threat Protection to help detect attacks on user identity sooner, and the integration of our recent Hexadite acquisition into Windows Defender Advanced Threat Protection to automatically help investigate, assess, and remediate threats.

Compliance Manager—We’re also announcing the upcoming preview of Compliance Manager, a tool to help organizations meet compliance obligations like the EU’s General Data Protection Regulation (GDPR). It performs a real-time risk assessment with a score that reflects your compliance position against data protection regulations when using Microsoft Cloud services, along with recommended actions and step-by-step guidance.

Compliance Manager helps organizations meet compliance obligations.

With over 700 sessions at Ignite this week, there’s plenty more news to come. If you didn’t register before the event sold out, you can still be part of Microsoft Ignite online.

—Kirk Koenigsbauer

The post Advancing intelligence, management, and security to empower the modern workplace appeared first on Microsoft 365 Blog.

Today I am excited to let you know that we’ve just enabled Guest Access in Microsoft Teams, built on the B2B collaboration features of Azure AD!

You can now enable partner collaboration in Teams for interactions across chat, apps, and file sharing, all with the ease of use and enterprise-grade protection Azure Active Directory has long enabled for your employees.

Now anyone with an Azure Active Directory account in any organization can be invited as a guest user in Microsoft Teams!

Customers have already created more than 8 million guest users using the B2B features of Azure AD and we’re only getting started. Adding support for Microsoft Teams has been a top customer request, so we’re excited to turn on this new capability to keep the momentum going. I hope you’ll give it a try today!

So, go ahead, log in to Teams today and invite your partners to work with you.

And as always, connect with us for any feedback, discussions, and suggestions. You know we’re listening!

Best Regards,

Alex Simons (@Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity Division

P.S.: We are already working to add additional Azure AD capabilities in Teams, including support for external users with any corporate or consumer email account. Look for more news on that soon!

The post Azure AD B2B collaboration in Microsoft Teams appeared first on Microsoft 365 Blog.

With all the breaches of cloud identity services over the last few years, we get a lot of questions about how we secure customer data. So today’s blog is a dive into the details of how we protect customer data in Azure AD.

Datacenter and Service Security

Let’s start with our datacenters. First, all of Microsoft’s datacenter personnel must pass a background check. All access to our datacenters is strictly regulated and every entry and exit are monitored. Within these datacenters, the critical Azure AD services that store customer data are located in special locked racks—their physical access is highly restricted and camera-monitored 24 hours a day. Furthermore, if one of these servers is decommissioned, all disks are logically and physically destroyed to avoid data leakage.

Next, we limit the number of people who can access the Azure AD services, and even those who do have access permissions operate without these privileges day-to-day when they sign in. When they do need privileges to access the service, they need to pass a multi-factor authentication challenge using a smartcard to confirm their identity and submit a request. Once the request is approved, the users privileges are provisioned “just-in-time”. These privileges are also automatically removed after a fixed period of time and anyone needing more time must go through the request and approval process again.

Once these privileges are granted, all access is performed using a managed admin workstation (consistent with published Privileged Access Workstation guidance). This is required by policy, and compliance is closely monitored. These workstations use a fixed image and all software on the machine is fully managed. To minimize the surface area of risks, only selected activities are allowed, and users cannot accidentally circumvent the design of the admin workstation since they don’t have admin privileges on the box. To further protect the workstations, any access must be done with a smartcard and access to each one is limited to specific set of users.

Finally we maintain a small number (fewer than five) of “break glass” accounts. These accounts are reserved for emergencies only and secured by multi-step “break glass” procedures. Any use of those accounts is monitored, and triggers alerts.

Threat detection

There are several automatic checks we do regularly, every few minutes to ensure things are operating as we expect, even as we are adding new functionality required by our customers:

• Breach detection: We check for patterns that indicate breach. We keep adding to this set of detections regularly. We also use automated tests that trigger these patterns, so we are also checking if our breach detection logic is working correctly!
  
• Penetration tests: These tests run all the time. These tests try to do all sorts of things to compromise our service, and we expect these tests to fail all the time. If they succeed, we know there is something wrong and can correct it immediately.
  
• Audit: All administrative activity is logged. Any activity that is not anticipated (such as an admin creating accounts with privileges) causes alerts to be triggered that cause us to do deep inspection on that action to make sure it not abnormal.
  

And did we say we encrypt all your data in Azure AD? Yes, we do – we use BitLocker to encrypt all Azure AD identity data at rest. What about on the wire? We do that as well! All Azure AD APIs are web-based using SSL through HTTPS to encrypt the data. All Azure AD servers are configured to use TLS 1.2. We allow inbound connections over TLS 1.1 and 1.0 to support external clients. We explicitly deny any connection over all legacy versions of SSL including SSL 3.0 and 2.0. Access to information is restricted through token-based authorization and each tenant’s data is only accessible to accounts permitted in that tenant. In addition, our internal APIs have the added requirement to use SSL client/server authentication on trusted certificates and issuance chains.

A final note

Azure AD is delivered in two ways, and this post described security and encryption for the public service delivered and operated by Microsoft. For similar questions about our National Cloud instances operated by trusted partners, we welcome you to reach out to your account teams.

(Note: As a simple rule of thumb, if you manage or access your Microsoft Online services through URLs ending with .com, this post describes how we protect and encrypt your data.)

The security of your data is a top priority for us and we take it VERY seriously. I hope you found this overview of our data encryption and security protocol reassuring and useful.

Best regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity Division

[updated 10/3/2017 to add specific version information about our use of TLS and SSL]

The post How we secure your data in Azure AD appeared first on Microsoft 365 Blog.

Conditional access is one of athe fastest growing services in EMS and we are constantly getting feedback from customers about new capabilities they would like us to add to it. One of the most frequently requested is support for macOS. Customers want to have one consistent system for securing user accessing to Office 365 on all the platforms their employees are using.

So I’m excited to share that Azure Active Directory and Intune now support macOS platform for device-based conditional access! Administrators can now restrict access to Intune-managed macOS devices using device-based conditional access according to their organization’s security guidelines.

With the public preview of macOS device-based conditional access, you’ll be able to:

• Enroll and manage macOS devices using Intune
• Ensure macOS devices adhere to your organization’s compliance policies
• Restrict access to applications in Azure AD to only compliant macOS devices

Get started with macOS conditional access public preview in two simple steps:

Configure compliance requirements for macOS devices in Intune

Use the Intune service in Azure Portal to create a device compliance policy for macOS devices in a few easy clicks:

Configure compliance requirements for device health, properties, and system security per your organization’s requirements.

For more details, go to https://aka.ms/macoscompliancepolicy.

(Important Note: for Conditional Access on macOS to work, the device will need to have the Intune Company Portal app installed).

Restrict access to Azure AD applications for macOS devices

Create a targeted conditional access policy for macOS to protect the Azure AD Applications. Go to conditional access under Azure AD service in Azure portal to create a new policy for macOS platform.

For more details on conditional access policies, go to Conditional Access in Azure Active Directory.

After you’ve taken these steps, macOS users covered in the policy will be able to access Azure AD connected applications only if their Mac conforms to your organization’s policies.

Supported OS versions, applications, and browsers

In the public preview, the following OS versions, applications, and browsers are supported on macOS:

Operating Systems

• macOS 10.11+

Applications

The following Office 2016 for macOS applications are supported:

• Outlook v15.34 and later
• Word v15.34 and later
• Excel v15.34 and later
• PowerPoint v15.34 and later
• OneNote v15.34 and later

Browsers

• Safari

Try it out today and let us know what you think! We look forward to hearing from you.

Best regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity Division

The post Azure AD and Intune now support macOS in conditional access! appeared first on Microsoft 365 Blog.

Today at Inspire, Satya Nadella unveiled Microsoft 365, which brings together Office 365, Windows 10 and Enterprise Mobility + Security, delivering a complete, intelligent and secure solution to empower employees. It represents a fundamental shift in how we will design, build and go to market to address our customers’ needs for a modern workplace.

The workplace is transforming—from changing employee expectations, to more diverse and globally distributed teams, to an increasingly complex threat landscape. From these trends, we are seeing a new culture of work emerging. Our customers are telling us they are looking to empower their people with innovative technology to embrace this modern culture of work.

With more than 100 million commercial monthly active users of Office 365, and more than 500 million Windows 10 devices in use, Microsoft is in a unique position to help companies empower their employees, unlocking business growth and innovation.

To address the commercial needs from the largest enterprise to the smallest business, we are introducing Microsoft 365 Enterprise and Microsoft 365 Business.

Microsoft 365 Enterprise is designed for large organizations and integrates Office 365 Enterprise, Windows 10 Enterprise and Enterprise Mobility + Security to empower employees to be creative and work together, securely.

Microsoft 365 Enterprise:

• Unlocks creativity by enabling people to work naturally with ink, voice and touch, all backed by tools that utilize AI and machine learning.
• Provides the broadest and deepest set of apps and services with a universal toolkit for teamwork, giving people flexibility and choice in how they connect, share and communicate.
• Simplifies IT by unifying management across users, devices, apps and services.
• Helps safeguard customer data, company data and intellectual property with built-in, intelligent security.

Microsoft 365 Enterprise is offered in two plans—Microsoft 365 E3 and Microsoft 365 E5. Both are available for purchase on August 1, 2017.

Microsoft 365 Enterprise is built on the foundation of the highly successful Secure Productive Enterprise, which grew seats by triple digits in the last year. Going forward, Microsoft 365 Enterprise replaces Secure Productive Enterprise to double-down on the new customer promise of empowering employees to be creative and work together, securely.

Microsoft 365 Business is designed for small- to medium-sized businesses with up to 300 users and integrates Office 365 Business Premium with tailored security and management features from Windows 10 and Enterprise Mobility + Security. It offers services to empower employees, safeguard the business and simplify IT management.

Microsoft 365 Business:

• Helps companies achieve more together by better connecting employees, customers and suppliers.
• Empowers employees to get work done from anywhere, on any device.
• Protects company data across devices with always-on security.
• Simplifies the set-up and management of employee devices and services with a single IT console.

Microsoft 365 Business will be available in public preview on August 2, 2017. It will become generally available on a worldwide basis in the fall (CYQ3) of 2017, priced at US $20 per user, per month.

As a part of our commitment to small-to-medium sized customers, we’re also announcing the preview of three tailored applications that are coming to Office 365 Business Premium and Microsoft 365 Business:

• Microsoft Connections—A simple-to-use email marketing service.
• Microsoft Listings—An easy way to publish your business information on top sites.
• Microsoft Invoicing—A new way to create professional invoices and get paid fast.

Today, we are also announcing that Microsoft’s mileage tracking app, MileIQ, is now included with Office 365 Business Premium.

Satya also discussed how Microsoft 365 represents a significant opportunity for partners to grow their businesses. Microsoft 365 will drive growth by enabling our more than 64,000 cloud partners to differentiate their offerings, simplify their sales processes and increase their revenue.

According to two Forrester Total Economic Impact™ Studies (commissioned studies conducted by Forrester Consulting), Microsoft 365 Enterprise and Microsoft 365 Business increase average partner margins by an estimated 35 percent and 20 percent, respectively, over three years. Partners can learn more and explore training, sales and deployment resources on the Microsoft 365 partner site.

We are incredibly enthusiastic about Microsoft 365 and how it will help customers and partners drive growth and innovation. To learn more about Microsoft 365, please visit Microsoft.com/Microsoft-365.

—Kirk Koenigsbauer 

The post Introducing Microsoft 365 appeared first on Microsoft 365 Blog.

To address the needs of organizations of all sizes, we introduced Microsoft 365 Enterprise for large customers, and Microsoft 365 Business for small and medium-sized businesses. They provide a comprehensive set of productivity and security capabilities while simplifying delivery and management for IT.

As part of this, EMS protects across users, devices, apps and data and is specifically designed to work together with Office 365 and Windows 10 to enable security that does not compromise user experience. EMS also secures and manages across thousands of SaaS applications, on-premises apps, as well as safeguarding data across iOS and Android devices. Most recently we integrated the management experience for IT into a single easy to use console. All this adds up to an intelligent security solution to support your organization’s digital transformation.

In the 3 years that EMS has been available, over 46 thousand organizations have chosen EMS and our install base has seen 12 consecutive quarters of triple digit Y/Y growth. These customers have chosen EMS to secure their move to a new culture of work.

Plante Moran, one of the largest certified public accounting and business advisory firms in the United States, chose EMS to enable productivity and security:

“We were using Good for Enterprise to manage and secure mobile email access, but that was just managing email, not devices,” says Sean Bulger, End User Systems Administrator at Plante Moran. “We wanted to go beyond that, so our professional staff could access all kinds of information, not just email, from any place and any device, while maintaining a strong level of security.”

G&J Pepsi-Cola Bottlers uses EMS to centrally manage and protect devices and an expanding portfolio of on-premises and cloud-based applications and services:

“We needed to provide single sign-on for ADP [payroll services], for Oracle, for Meraki, for all of these software-as-a-service solutions that we have. We also needed to secure our mobile devices and push applications to them. We’ve completely transformed the way our business operates.”
Eric McKinney, Cloud Services Manager at G&J

Gränges, a leading global manufacturer, relies on research and development to stay a leader and data security is a high priority. That’s why the Swedish manufacturer turned to Microsoft Enterprise Mobility + Security (EMS).

“We sleep better at night knowing that the information is not accessible for parties who shouldn’t access it. It’s important for us to be sure that we can secure business critical data that we don’t want to share with everybody else.”
Bilal Chebaro: Chief Information Officer, Gränges

If you’re in Washington DC this week attending Microsoft Inspire do come see some of our sessions or visit us at our booth.

The post Microsoft 365 and Enterprise Mobility + Security appeared first on Microsoft 365 Blog.

Making room for a broader IT impact

As CIOs are playing an extended role in the business, the function of IT is also flexing to become more strategic and business focused. To make room for this expanded responsibility, IT organizations are undergoing efforts to optimize traditional IT operations and services—with a focus on increasing agility, reducing costs, and maintaining security. Organizations are also looking to empower employees with a more connected and holistic approach to managing access while protecting corporate resources. This focus on greater agility and better experience for employees, while maintaining security and holding down costs, is one of the key drivers of Enterprise Mobility + Security’s (EMS) market success.

EMS has rapidly become a leading choice because it delivers what customers tell us they need most to transform their businesses – a comprehensive yet flexible born in the cloud service that meets a broad set of mobility and security needs in an integrated way. EMS led on bringing identity and access management together with mobile device and application management. EMS has kept pace with industry shifts and customer feedback by incorporating new security solutions such as advanced threat analytics and cloud access security. EMS has also shown it can reduces overhead by addressing customer needs in one place; avoiding the pain of integrating point solutions from many different vendors.

A new EMS experience delivers increased IT Pro productivity

Over the last few months, we have turned the dial further and introduced new administrator experiences for Azure Active Directory, Microsoft Intune, conditional access, and Azure Information Protection in the new Azure portal. This collective move delivers a unified admin experience for these core EMS services that boosts IT Pro productivity and helps you get more out of EMS. The new console simplifies the configuration and management of powerful cross product workflows, such as conditional access, allowing you to define complex access management policies across Azure AD and Intune within a single interface. It also delivers deep integration with Azure Active Directory groups, which can represent both users and devices as native, dynamically targeted groups that are fully federated with an organization’s on-premises Active Directory.

Identity is at the core of mobility strategies and we often find our customers first workload to deploy is Azure AD. This new environment makes it easy for you to scale your Azure AD groups and policies to protect at deeper levels using Intune and Azure Information Protection. Let’s say you defined a set of Azure AD and conditional access policies to protect your Office mobile apps, you can now easily find your way to Intune to set device and app protection policies to ensure your data remains protected even after it’s been accessed. From there, you click into Azure Information Protection to set encryption policies that protect your data no matter where it travels. You can even create a custom dashboard in Azure that allows you to monitor and control everything at a glance from any device.

Our goal with EMS has always been to empower IT with a holistic and innovative set of tools that protect at the user, device, app and data levels without compromising productivity – streamlining management of mobility and security workflows in the process. This is the driving force behind our move to a unified EMS admin experience, and we are sure that your IT organization will reap the benefits.

Moving forward, we’ll release all new features and enhancements for Azure AD, Intune and Azure Information Protection within the new experience on Azure. You can check out our new admin experience by logging into the Microsoft Azure portal today.

The post Enabling a more strategic role for IT with Microsoft Enterprise Mobility + Security appeared first on Microsoft 365 Blog.

I have great news to share with you today! Gartner released their 2017 Magic Quadrant for Access Management (AM MQ), which shows that Microsoft is placed in the leaders quadrant for our completeness of vision and ability to execute.

The AM MQ is a new MQ. It is a separate entity from the discontinued IDaaS MQ and this is the first time it has been published. Azure Active Directory is the product evaluated in the report.

Gartner 2017 Magic Quadrant for Access Management

We have worked with Gartner to make complimentary copies of the report available, which you can access here

Our opinion is that Microsoft’s amazing placement validates our vision of providing a complete identity and access management solution for employees, partners, and customers, all backed by world-class identity protection based on Microsoft’s Intelligent Security Graph. 

We believe that Gartner’s analysis says a lot about our commitment to the identity and access management space. More importantly, though, Microsoft believes it says a lot about our customers, implementation partners, and ISV partners who have worked with us, sharing their time and energy every day to ensure the products and services we build meet their needs and position them to thrive in a world increasingly driven by cloud technology.

We promise to continue delivering innovative capabilities to address your needs in the identity and access management space and to further improve our position in the leaders quadrant of the Gartner AM MQ.

Best regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity Division

The post Azure AD makes the Leaders quadrant in Gartner’s 2017 Magic Quadrant for Access Management! appeared first on Microsoft 365 Blog.