James Noyce, Author at Microsoft Industry Blogs - United Kingdom
http://approjects.co.za/?big=en-gb/industry/blog
Mon, 04 Mar 2024 18:29:56 +0000

Updated Microsoft 365 security and compliance guidance for the UK public sector
http://approjects.co.za/?big=en-gb/industry/blog/cross-industry/2024/02/28/updated-office-365-security-and-compliance-guidance-for-the-uk-public-sector/
Wed, 28 Feb 2024 12:37:14 +0000

Access the latest Microsoft 365 security and compliance guidance for UK public sector customers and understand the background.

The post Updated Microsoft 365 security and compliance guidance for the UK public sector appeared first on Microsoft Industry Blogs - United Kingdom.

For almost 20 years, Microsoft and the (now) National Cyber Security Centre (NCSC) have been working together. This work started with securing user devices but has evolved to cover not only user devices but the broader secure use of Microsoft 365.

People say that the last part in a trilogy is the perfect way to close out a movie series. But what happens when the last movie was actually the prequel?

Microsoft has remastered existing guidance in “Entra ID vision” as a series of documents under the banner “Microsoft 365 guidance for UK Government”.  Following the release of the Information Protection guidance and the update to External Collaboration guidance, we have also remastered the one that kicked it off: Secure Configuration Blueprint.

Microsoft 365 Guidance for UK Government

The three-piece collection provides a common baseline which UK Government departments, and their partners, can use to enable secure use of Microsoft 365.

The goal of the Secure Configuration Blueprint is to create a secure foundation for a Microsoft 365 tenancy. It provides guidance using the “Good, Better, Best” approach targeted on feature availability by licence, offering policies and settings that protect your Microsoft 365 tenancy from the most common attacks.  It includes:

  • Securing identities that access services, including privileged users.
  • Protecting devices that your users use to access services.
  • Configuration of services to require use of the above when accessing data.

The updated Secure Configuration Blueprint guidance is the base upon which the other pieces of guidance are built. But how have we got to where we are today?

Securing user devices

It all started as a result of understanding that device trust was key to protecting the data stored locally and in datacentres.

In 2004, on the back of some high-profile worm viruses, SQL Slammer (January 2003) and Blaster (August 2003), Microsoft worked closely with Communications-Electronics Security Group (CESG), now a part of the NCSC. This joint effort developed a set of security controls to take advantage of the security improvements in SP2 for Windows XP, including Windows Firewall on by default, Software Restriction Policies, and Automatic Updates enabled by default.

The outcome of this work was known as the “Government Assurance Pack” or GAP for short. GAP was revised and updated for Vista and Windows 7 and added BitLocker device encryption and AppLocker when those features were released.

Moving forward to 2014, CESG moved to a model that evaluated all end-user devices, PC and mobile, against a common set of principles, the End User Device Security Principles. Windows 8 (8.1), Windows 10 and Windows 11 have all had End User Device (EUD) security guidance developed with CESG initially and then the NCSC when that was formed in October 2016.

By following the latest guidance provided by NCSC, organisations (including Government departments) can be confident that the devices used by their users to access and handle data are secure against common attacks.

Figure 1. Timeline leading to the updated Secure Configuration Blueprint guidance.

Securing cloud services

The UK Government introduced a “Cloud First” policy in 2013 for all technology decisions, with the NCSC publishing 14 Cloud Security Principles (originally in December 2013) to support Government as it started to adopt cloud services.

Historically, the focus of the guidance was on securing devices but, with the UK Government adopting a Cloud First policy, data was no longer being stored in on-premises datacentres and networks. Instead, it would increasingly be stored in Public Cloud services like Microsoft 365.

To address this, Microsoft worked with the NCSC to produce guidance for Microsoft Azure in October 2017, and in July 2019 we released the initial version of Office 365 Blueprint and a supporting document detailing how Office 365 met the NCSC 14 Cloud Security Principles.

As a result, in parallel to releasing Office 365 guidance, we also worked with NCSC to produce the first MDM (Mobile Device Management) End User Device (EUD) guidance for cloud-managed Windows 10 EUDs using Microsoft Intune. This guidance formed the base for Microsoft’s first cloud-based Privileged Access Workstation (PAW), allowing organisations to manage their risk in Microsoft 365 management. Microsoft recommends using a PAW for administrative access and managed EUDs for standard user access, both using Entra ID to secure access to cloud services – please refer to Protect Microsoft 365 and Securing Privileged Access.

Once the foundational guidance was released, and on the back of the challenges that the COVID-19 pandemic brought to UK Government departments, we worked with NCSC and Government Security Group and released the first iteration of our BYOD guidance in June 2020.

The rest is history, as they say. Working with Central Digital & Data Office (CDDO) and NCSC, the Cross-Government Collaboration guidance was released in 2021 and updated in 2023, along with the release of the Purview Information Protection guidance.

With that, UK Government departments have at their disposal guidance for how to securely configure their Entra ID and Microsoft 365 tenant, classify and protect their data, and use it to securely collaborate with not only other government departments but also industry partners.

But remember, if you don’t pay attention to the film, the sequels might be confusing. So, ensure that you implement the guidance in the Secure Configuration Blueprint before looking to adopt the Information Protection or External Collaboration guidance.

Find out more

Read the Secure Configuration Blueprint

Guidance on protecting government data using Microsoft Purview

About the author

James Noyce, Senior Technical Specialist, Microsoft UK

James has spent his entire IT career of 27 years specialising in the security arena, the last 22 of which have been for Microsoft. Based in the UK, he works in the key areas of security and identity in the public sector as a Security Technical Specialist. He is a regular contributor to Microsoft docs for Securing Privileged Access and was the lead architect for the Microsoft 365, External Collaboration, Information Protection, and BYOD guidance produced for Cabinet Office and NCSC.

Microsoft 365 Guidance for UK Government: External Collaboration
http://approjects.co.za/?big=en-gb/industry/blog/government/2023/08/07/microsoft-365-guidance-for-uk-government-external-collaboration/
Mon, 07 Aug 2023 10:25:45 +0000

Read about and download the updated Microsoft 365 Guidance for UK Government: External Collaboration and latest strategy documentation.

The post Microsoft 365 Guidance for UK Government: External Collaboration appeared first on Microsoft Industry Blogs - United Kingdom.

All great movies have a sequel, right? Well, the continuously improving nature of Microsoft 365 gives rise to the perfect opportunity for us to publish a sequel to the guidance we published in June 2022, for government organisations and other organisations that work with government, looking to improve their collaboration experience. This blog post provides some context to that sequel.

For those looking for the full history behind the first release, please see the Cross Government Collaboration Blueprint – History Refresher content at the bottom of this blog.

The story so far…

In June 2021, we partnered with the Central Digital and Data Office and the National Cyber Security Centre (NCSC) and set out to improve the collaboration experience for UK government organisations by creating a Cross-Government Collaboration Blueprint. The blueprint was created by focussing on key scenarios developed in consultation with several government organisations. It is designed to be used in conjunction with the other guidance we have published, which focuses on Secure Configuration, BYOD, and Information Protection (more on that later). Please be sure to check out those too, so you have the full ‘box set’.

Fast forward to today, we’ve given that ‘box set’ a new name that makes it clear how the guidance fits together, seen in this illustration:

  • Microsoft 365 Guidance for UK Government: Information Protection
  • Microsoft 365 Guidance for UK Government: External Collaboration
  • Microsoft 365 Guidance for UK Government: Bring Your Own Device
  • Microsoft 365 Guidance for UK Government: Secure Configuration Blueprint

We also updated the guidance based on real-world feedback and product evolution to include the following:

  • Addition of Shared Channels guidance
  • Updates that clarify Calendar Availability guidance
  • Azure AD B2B updates
  • Brand and naming updates to align with changes to Microsoft technology
  • Teams 2.0 Release
  • A statement in the Strategy regarding Google Federation

A notable recent development is the update to the Government Security Classification Policy (GSCP). Microsoft has partnered with Government Security Group, the Central Digital and Data Office and the National Cyber Security Centre (NCSC) to provide configuration guidance for those wishing to implement the OFFICIAL tier of the GSCP using Microsoft Purview Information Protection (MPIP), available as part of Microsoft 365. The guidance assists those wishing to classify and protect files, control who can access them, and allow greater control when sharing information between departments, partner organisations, and customers. You can read about the Microsoft 365 Guidance for UK Government: Information Protection in another blog post.

Download the documents

About the authors

James Noyce, Senior Technical Specialist, Microsoft UK

James has spent his entire IT career of 25 years specialising in the security arena, the last 20 of which have been for Microsoft. Based in the UK, he works in the key areas of security and identity in the public sector as a Cyber Cloud Solutions Architect. He is a regular contributor to Microsoft docs for Securing Privileged Access and was the lead architect for the Office 365 and BYOD guidance produced for Cabinet Office and NCSC.

Steve Jenkinson, Microsoft 365 Architect, Microsoft UK

Steve is an experienced IT Professional with over 20 years’ experience, working with clients across the world in multiple industries to help them achieve their goals in digital transformation. Recently Steve has been aligned to public sector clients, leading them to get the most out of their investment in the Microsoft cloud.

Cross Government Collaboration Blueprint – history refresher

We started this work in 2021 by consulting a broad group of end users from across government, and we found that there was an inconsistent user experience when working with colleagues from other organisations due to differences in configuration. The guidance helps to address this, and it is important to keep up with the recent developments of Microsoft 365, which is why we have updated the guidance.

We determined that a baseline configuration for government organisations would enable a more consistent and secure approach to collaboration. The recommended configuration we’ve produced focuses on these key areas:

  • Keeping control of documents and allowing real-time co-authoring by sharing links rather than sending documents as email attachments.
  • Making it easier to arrange meetings by allowing people to share their calendar availability across government.
  • Allowing people to work more effectively as a team by enabling instant messaging and other features of Microsoft Teams.

Crucially, we’ve recommended an open approach to collaboration by default, giving users the freedom to choose who they collaborate with. This is a move away from a more restrictive ‘allow list’ approach which can create barriers to collaboration.

Does this approach make it less secure? No. Here’s what the NCSC have said:

“By following the Secure Configuration Alignment and applying the cross-government collaboration guidance on top, it is the NCSC’s view that Microsoft 365 can be appropriately configured to protect an organisation’s data against the threat profile for the OFFICIAL classification when collaborating and sharing information between government departments. The NCSC expects that guidance related to collaboration and security is implemented in its entirety to avoid gaps and weaknesses leading to increased risk of a data breach.

“The NCSC believes that modern cross-organisation collaboration services that share access to information via its originating system will be more secure than traditional methods such as sending copies as email attachments to external organisations. By using modern collaboration practices, such as those described in this guidance, organisations have greater auditing and visibility of how their data is being handled and more options for owning who and where their information is handled.”

National Cyber Security Centre

The Blueprint is intended to be a baseline upon which individual organisations can build. For example, if an organisation identifies specific needs that aren’t met by the Blueprint, there is flexibility for them to go further and implement even tighter controls, while being mindful that this could impact on people’s collaboration experience.

Find out more

Visit the Microsoft for Government website

Guidance on protecting government data using Microsoft Purview

Explore Microsoft UK Industry blogs: Government

Guidance on protecting government data using Microsoft Purview
http://approjects.co.za/?big=en-gb/industry/blog/government/2023/07/25/guidance-on-protecting-government-data-using-microsoft-purview/
Tue, 25 Jul 2023 16:01:51 +0000

Get guidance on implementing the government's updated data access protocols.

The post Guidance on protecting government data using Microsoft Purview appeared first on Microsoft Industry Blogs - United Kingdom.

Following the recent update to the Government Security Classification Policy (GSCP), Microsoft has partnered with Government Security Group, the Central Digital and Data Office and the National Cyber Security Centre (NCSC) to provide configuration guidance for those wishing to implement the OFFICIAL tier of the GSCP using Microsoft Purview Information Protection (MPIP), available as part of Microsoft 365.

The guidance assists those wishing to classify and protect files, control who can access them, and allow greater control when sharing information between departments, partner organisations, and customers.

A spokesman from the Government Security Group said: “The Government Security Classifications policy (GSCP) sets out the administrative system used by HM Government (HMG) and our partners to appropriately protect information and data assets against prevalent threat actors. The GSCP was updated in 2023.

“This gave us a significant opportunity in UK government to modernise and standardise how organisations apply technical controls in line with security classifications. Microsoft 365 is widely used across UK government, so we partnered directly with Microsoft to define a standard approach to applying sensitivity labels and data loss prevention features of Microsoft 365 in line with the GSCP.

“The resulting technical guidance provides a baseline from which organisations can select the most relevant elements and tailor them for their specific use cases. Our objective is that this will be an enabler for the GSCP and that it will also create a better user experience for civil servants and our partners.”

Building on the Government’s Secure Configuration Blueprint

This guidance builds upon the Microsoft 365 Guidance for UK Government: Secure Configuration Blueprint for the UK Public Sector, which outlines how to configure a Microsoft 365 tenant for use at OFFICIAL (which includes OFFICIAL-SENSITIVE), and sits alongside the Cross Government Collaboration guidance and the Bring Your Own Device guidance.

Figure 1. Relationship with other NCSC and Microsoft guidance.

The guidance draws on experience gained working right across UK government and the public sector industry and incorporates existing best practice that has previously been published by Microsoft.

We determined that a baseline configuration for government organisations would enable a more consistent and secure approach to configuring classification and protection policies by providing a starting point for technology and compliance professionals alike. The recommended configuration we’ve produced focuses on these key areas:

  • Increasing visibility of where data is located to data governance teams.
  • Providing protection that follows documents as they are accessed internally or when shared externally by assigning the relevant GSCP label.
  • Providing visual labels that indicate how a document should be handled.
  • Providing visual labels for Microsoft Teams and SharePoint to control whether external users are allowed access to content stored within them.
  • Complementing the Cross Government Collaboration Blueprint to mark and protect documents as they are shared and co-authored between Government departments and partners.

Important note about this guidance

This guidance has been written as a starting point and organisations should consider how they may wish to supplement it with additional controls, as appropriate for the environment and risk appetite.

The blueprint guidance has been structured to follow a Microsoft-recommended three-phase approach for implementation: ‘Crawl, Walk, and Run’.

Figure 2. Microsoft’s recommended three-phase approach to implementation.

With the ‘Crawl, Walk, Run’ approach, changes can be introduced in phases across your organisation, focusing on small sets of users first and then expanding to broader audiences. This will allow you to deploy quickly whilst minimising disruption and help you establish a baseline of user behaviour before introducing tighter restrictions. It will also help you identify early potential conflicts or compatibility issues between different tools, so you can address them before they have further impact.

The visual indication that sensitivity labels provide is a small but important benefit of the capability. The guidance takes an outcomes-based approach which aims to reduce the likelihood of accidental data loss or oversharing.

The guidance looks to provide ‘outcomes-based’ controls that use the features available in Microsoft Purview Information Protection to restrict access to content based on the label selected.  The sensitivity labels are broken down into two distinct areas: content labels and container labels.

Content labels

Content labelling applies the label directly to documents and emails. This stamps the data with label metadata, which is maintained wherever the data resides.

Figure 3. How content labelling relates to data, controls and policy.

Content labels are used to provide visual indicators for the scope where the document or email should be accessed.

Figure 4. Access areas that may be denoted by content labels.

Container labels

Container labels apply to a workload (e.g. SharePoint, Teams or M365 group) where content is stored.  The labels are used to define whether External Guest users are allowed to access the container and collaborate with internal member users.

Figure 5. Container labels define access permissions for External Guest users.

Container labelling applies the sensitivity label at the container. Container labels are named differently from the data labels as they serve a different function – namely to control access to the containers. These labels provide a visual representation of the Privacy level, Public or Private, and whether external guest users are allowed to be members of the Team or SharePoint site, Internal or External.

Find out more

Microsoft for critical infrastructure

Microsoft 365 Guidance for UK Government: External Collaboration

UK OFFICIAL and UK NHS Regulatory Compliance built-in initiative

About the author

James Noyce

James has spent his entire IT career of 27 years specialising in the security arena, the last 22 of which have been for Microsoft. Based in the UK, he works in the key areas of security and identity in the public sector as a Security Technical Specialist. He is a regular contributor to Microsoft docs for Securing Privileged Access and was the lead architect for the Microsoft 365, Cross Government Collaboration and BYOD guidance produced for Cabinet Office and NCSC.
