Last week at Microsoft Ignite, more than 25,000 IT professionals converged in Orlando, Florida to learn about Microsoft’s technology advancements, skill up across new products, and meet with Microsoft experts. For EMS we unveiled a wave of new capabilities, presented more than 45 sessions, and met with thousands of customers. I wanted to take a moment and package up all the great information we shared and the things we learned from all of you.
We continued to hear from you about the tectonic shifts in IT, with the move towards mobility and use of the cloud for employees, against a backdrop of the rising number of cybersecurity attacks. We passionately believe and continued to observe throughout the whole week, that IT is uniquely positioned to be the champion of change for this new work experience and digital transformation.
Our vision is to empower you and your organization to achieve more in this digital transformation journey while helping you continue to protect your corporate resources. With Microsoft Enterprise Mobility + Security (EMS), we are committed to an integrated experience across identity, mobility, and security solutions that work across platforms, devices, operating systems, and SaaS apps. I’d like to summarize the announcements we made last week:
Protect at the front door: raising the bar with conditional access
In June we announced the general availability of the new conditional access admin experience in the Azure portal. This new experience delivers powerful simplicity to support admins across EMS, including Azure Active Directory and Microsoft Intune. Conditional access is powered by the Microsoft Intelligent Security Graph, which processes billions of signals to determine user sign-in risk levels. With the new conditional access console experience, you can now create policies that protect at the user, app, location, device, and risk level in minutes. Last week customers of all sizes told us it’s changing the game for them.
But what we’ve delivered to date is only the beginning. At Ignite we announced the expansion to secure a whole new wave of scenarios for our customers:
Controlling and limiting access to cloud apps
With Azure Active Directory Conditional Access, access context, continuous cybersecurity threat intelligence, and risk signals are put to work to help you control access in real time. Now we are expanding conditional access capabilities to Microsoft Cloud App Security to provide better protection of your data in cloud apps.
Watch the Ignite Session: Productivity and protection for your employees, partners, and customers with Azure Active Directory.
Uniquely integrated with Azure AD conditional access, Cloud App Security can help you perform real-time monitoring and control over your cloud applications. The activities performed within user sessions in SaaS apps can be limited and controlled based on conditions such as user identity, location, device, and detected sign-in risk level. For example, you can allow access to SaaS apps from an unfamiliar location or an unmanaged device while blocking the download of sensitive documents.
Watch the Ignite session: Bring visibility, data control and threat protection to cloud apps with Cloud App Security.
We also announced that our new conditional access for Azure Information Protection allows organizations to apply access policies to some of their most important data. A policy can require a user to complete MFA whenever they access Azure Information Protection protected documents, or only when they are off the corporate network or have been flagged as having an elevated risk. All conditions and controls can be used, including the option to require a managed device when accessing protected content.
Watch the Ignite session: Discover what’s new in Azure Information Protection and learn about the roadmap and strategy.
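As an added illustration (not Microsoft’s code or the Azure AD policy engine), the following Python models how the two scenarios above compose: each policy contributes grant controls (block, require MFA) or session controls (limit downloads), all applicable policies are evaluated for a sign-in, and the most restrictive result wins. The SignIn fields, the policy names, and the control labels are assumptions of this example.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class SignIn:
    """Sign-in context as the conditions on this page describe it (assumed field names)."""
    user: str
    app: str
    familiar_location: bool      # known or corporate-network location
    managed_device: bool         # device managed and compliant (e.g. via Intune)
    sign_in_risk: str            # "none", "low", "medium" or "high" (graph-derived)
    aip_protected: bool = False  # request touches Azure Information Protection content

@dataclass
class Controls:
    block: bool = False
    require_mfa: bool = False
    session_limits: set = field(default_factory=set)
    reasons: list = field(default_factory=list)

    def summary(self) -> str:
        if self.block:
            return "blocked"
        parts = ["allowed"]
        if self.require_mfa:
            parts.append("MFA required")
        if self.session_limits:
            parts.append("limits: " + ", ".join(sorted(self.session_limits)))
        return "; ".join(parts)

def cas_session_policy(s: SignIn, c: Controls) -> None:
    # Scenario 1: access from an unfamiliar location or unmanaged device is
    # allowed, but the SaaS session may not download sensitive documents.
    if not s.familiar_location or not s.managed_device:
        c.session_limits.add("block-sensitive-download")
        c.reasons.append("CAS: unfamiliar location or unmanaged device, download blocked")

def aip_policy(s: SignIn, c: Controls) -> None:
    # Scenario 2: protected content requires a managed device, and MFA when the
    # user is off the corporate network or flagged with elevated sign-in risk.
    if not s.aip_protected:
        return
    if not s.managed_device:
        c.block = True
        c.reasons.append("AIP: managed device required for protected content")
    if not s.familiar_location or s.sign_in_risk in ("medium", "high"):
        c.require_mfa = True
        c.reasons.append("AIP: off-network or elevated risk, MFA required")

POLICIES = [cas_session_policy, aip_policy]  # every applicable policy is evaluated

def evaluate(s: SignIn) -> Controls:
    c = Controls()
    for policy in POLICIES:
        policy(s, c)      # controls accumulate; block overrides everything else
    return c
```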
New conditions and custom controls
Watch the Ignite session: Ensure users have the right access with Azure Active Directory.
Pass-through Authentication is now generally available as an Azure AD sign-in method, an alternative to Password Hash Sync. It is for organizations that can’t (or don’t want to) permit users’ passwords, even in hashed form, to leave their internal boundaries. It allows users to sign in to both on-premises and cloud applications using the same passwords. This feature gives users a better experience, helps reduce IT helpdesk calls, and protects user accounts with Conditional Access policies. It works by securely validating users’ passwords directly against Active Directory using a lightweight on-premises agent.
Watch this video: Azure AD Pass-through Authentication and Seamless Single Sign-on.
Protect sensitive data anywhere
Employees are using more SaaS apps, creating more data, and working across multiple devices. While this has enabled people to do more, it has also increased the risk of data loss – it is estimated that 58% of workers have accidentally shared sensitive data with the wrong person. At Microsoft Ignite we announced several new EMS capabilities to help protect your data throughout its lifecycle, from creation to deletion.
Discovering and identifying data is a critical first step. To help you detect the types and locations of your data, the Azure Information Protection scanner will now be able to scan on-premises repositories such as file servers and SharePoint servers to detect sensitive information and automatically classify, label, and protect it based on your company policies. We also announced a new and enhanced Cloud App Discovery experience in Azure AD, powered by Microsoft Cloud App Security. You can discover more than 15,000 cloud apps without any agents on user devices and get ongoing analytics. These capabilities are now available to all Azure AD P1 and EMS E3 customers.
Another critical capability customers need is a consistent and integrated classification, labeling, and protection approach across information protection technologies, enabling persistent protection of your data – everywhere.
To provide better, unified data protection in cloud apps, we are taking the integration between Microsoft Cloud App Security and Azure Information Protection to the next level. Leveraging Microsoft’s Information Protection capabilities, Microsoft Cloud App Security can scan and classify sensitive data stored in cloud apps and automatically apply Azure Information Protection labels for protection, including encryption.
Finally, we announced the general availability of improvements to Office 365 message encryption, which make it easier to share protected emails with anybody, inside or outside of your organization. Recipients can view protected Office 365 emails on a variety of devices, using common email clients or even consumer email services such as Gmail and Outlook.com. Watch this session to learn more about these enhancements: Protect and control your sensitive emails with new Office 365 Message Encryption capabilities.
Watch the Ignite session: Protecting complete data lifecycle using Microsoft information protection capabilities.
Detect threats and recover from attacks
The nature of IT security has changed as the frequency and severity of cybersecurity attacks have grown dramatically. These breaches also reflect a new approach: targeted attacks that compromise credentials across cloud and on-premises environments and then use those credentials to access and steal data in your hybrid environment.
To help you detect these attacks we announced the limited preview of a brand-new service – Azure Advanced Threat Protection for users – that brings our on-premises identity threat detection capabilities to the cloud and integrates them with the Microsoft Intelligent Security Graph. Powered by the graph, our Advanced Threat Protection (ATP) products have a unified view of security event data so your security operations analysts can investigate an incident from endpoint to end-user to email.
Traditional security tools have a high rate of “false positive” identifications, and sifting through them to locate the important and relevant alerts can be overwhelming. Azure ATP for users reduces false positives and provides clear attack information on a simple timeline for fast triage with an end-to-end investigation experience. Drawing on the depth and breadth of Microsoft’s security intelligence, Azure ATP for users helps you protect your identities both on-premises and in the cloud.
Watch this session from Ignite: Learn about Microsoft Advanced Threat Analytics Futures.
Modernizing management of Windows 10
Digital transformation also requires organizations to modernize their IT infrastructure, policies, and processes to lower costs, simplify device and app management, and provide a better experience for both users and IT Pros. We designed Microsoft 365 for this reason, and we are excited to announce new improvements that make it easier for customers to realize the full benefits of Microsoft 365 by enhancing the ability to deploy and manage Windows 10 and Office 365 ProPlus from the cloud.
First, we are enabling a bridge to modern management for existing System Center Configuration Manager (ConfigMgr) customers with co-management, which allows Windows 10 devices to be managed by both the ConfigMgr agent and Intune MDM at the same time. For example, customers will be able to transition the management of VPN profiles, OS updates, and conditional access checks from ConfigMgr to Intune while continuing to use ConfigMgr for other workloads. Over time, customers will be able to move more workloads to Intune. This unique ability enables customers to start their journey to cloud-based management in small, manageable steps with lower risk while maintaining the control they expect.
We are also excited to announce the Intune Management Extension, which provides Windows 10 management functionality beyond what is currently available through the MDM channel. This new feature allows our customers to automate actions on the endpoint by running PowerShell scripts from the cloud.
To round out our capabilities for managing the broad spectrum of devices our customers choose, we announced integration between Jamf and Intune. Jamf is one of the most widely used solutions for macOS management. Jamf will integrate with Intune’s device compliance engine to provide an automated compliance management solution for macOS devices accessing applications connected with Azure AD authentication.
Watch the Ignite Session: Microsoft 365: Modern management and deployment.
We have made it easier than ever to get end-to-end security and management solutions up and running. FastTrack for Microsoft 365 now provides deployment services for key security scenarios, giving you the resources, tools, and support you need from Microsoft engineers.
FastTrack for Microsoft 365 can work with you directly, work with your existing partner, or help you get matched with a trusted Microsoft partner to deploy comprehensive security solutions. And the best part is this isn’t a one-time benefit. It is a repeatable resource that you can use to ensure you have the help and resources you need.
You can go to fasttrack.microsoft.com and get help to deploy Microsoft products to address some of the most common security scenarios including:
- Work securely from anywhere, anytime, on almost any device, enabling a flexible workstyle
- Protect your data in files, apps, and devices within and across orgs
- Detect and protect against external threats
- Protect your users and their accounts
- Securely collaborate on documents in real time
Microsoft Ignite was a huge week for us on the EMS team. We are thankful to be able to spend time with customers and very honored to be an important part of digital transformation for so many companies around the world. Thank you to all of you who could attend Microsoft Ignite in person or who have watched the recorded content so far.