microsoft 365
125 Topics

Converting Active Directory Groups to Cloud-Only with ADGMS
If you find yourself creating and maintaining on-premises groups just so they will synchronize to your Azure tenant, it’s time to free yourself from this time-consuming, potentially risky and outdated practice by converting them to cloud-only. Converting your groups to cloud-only will eliminate your dependence on legacy Active Directory Domain Services environments and enable you to delegate their management without resorting to custom Active Directory permissions, outdated management interfaces and even VPN or remote access solutions if your administrators are a part of today’s remote workforce.

Remember all those distribution groups that your users were able to manage before their mailboxes were migrated to Exchange Online? By converting those groups to cloud-only, your users can once again manage them themselves! This eliminates the need for custom group management tools or for your helpdesk to manage membership on their behalf.

So now that we’ve agreed it makes sense to convert your synced groups to cloud-only, what are your options?

There are a variety of methods available to convert your groups to cloud-only; however, they vary in cost and complexity. They range from manual re-creation, which can be time-consuming and prone to error, to building your own Graph API or PowerShell scripts, which requires a significant understanding of Microsoft Exchange, Active Directory and PowerShell as well as rigorous testing to ensure a functional solution, or, worst case, searching the internet and re-using scripts built by others with potentially harmful results.

To help simplify and ensure the safety of this process, the IMS team offers a turn-key managed solution called Active Directory Group Modernization Service, or ADGMS. ADGMS is a cloud-based, automated solution that connects to and monitors your Entra tenant, automatically re-creating groups whenever they are moved out of scope of your Entra ID Connect or Entra Cloud Sync solution.
ADGMS maintains each group’s membership, including any nesting, as well as its email addresses, send and receive restrictions, manager or owner and even extended attributes, and ADGMS uses all this data to instantly re-create the group as cloud-only. Additionally, ADGMS provides reports on all the nested groups in your tenant, helping to identify any cases where you have circular or self-nesting that might otherwise impact mail flow and management. These reports are then used to create your group modernization strategy by ensuring you re-create your groups in the correct order.

The beauty of ADGMS is that it’s 100% automatic and customer-driven. Once ADGMS is enabled, you control the quantity and speed of your group modernizations, and the ADGMS solution handles all the heavy lifting. Because ADGMS maintains all the email routing addresses, your users won’t even realize that the group has been converted to cloud-only.

It is important to note that while ADGMS can help radically change your cloud administration model, it does not support modernization of security groups by default. That said, based on the tens of thousands of groups already modernized with ADGMS, we have found that most legacy mail-enabled security groups primarily exist in Entra for the purposes of email routing and not securing cloud resources. In those cases, the group can be modernized into a cloud-only distribution group, and the on-premises group mail-disabled and left as a security-only group.

How to take advantage of ADGMS
If you are interested in reducing your administrative burden when it comes to on-premises groups currently synchronizing to Entra and leveraging a proven managed solution for migration of those groups to cloud-only resources, be sure to contact the IMS team for more information about ADGMS.
Learn more about IMS and its capabilities, and start hassle-free migrations today, on our YouTube Channel.
Want to speak with an expert?
Reach out to us at imssales@microsoft.com to connect with a sales representative.
678 Views, 4 likes, 0 Comments

General Availability: Dynamic watermarking for sensitivity labels in Word, Excel, and PowerPoint
In today's digital age, protecting sensitive information is more critical than ever. Sensitivity labels from Microsoft Purview Information Protection offer highly effective controls to limit access to sensitive files and to prevent users from taking inappropriate actions such as printing a document, while still allowing unhindered collaboration. However, these controls don't prevent users from taking pictures of sensitive information on their screen or of a presentation being shared either online or in-person, and some forms of screen-shotting can't be blocked with existing technology. This loophole presents an easy way to bypass protections that sensitivity labels enforce on a document, and these pictures can end up in the wrong hands, such as competitors or the public. Dynamic Watermarking helps address this gap in document security by deterring unauthorized sharing and enabling traceability of leaks.

What is Dynamic Watermarking?
Dynamic watermarking is a feature that overlays watermarks containing user-specific information on documents. These watermarks are visible when the document is viewed, edited, or shared in Word, Excel, or PowerPoint, deterring leaks and making it easier to trace any unauthorized dissemination of sensitive information. This feature can be configured by the compliance admin on any sensitivity label with admin-defined permissions via the Microsoft Purview compliance portal or PowerShell. When the setting is enabled for a label, files with that label will render dynamic watermarks when opened in Word, Excel, and PowerPoint.

Key Features
User-Specific Watermarks: Watermarks display the UPN (usually email address) of the user currently viewing the document.
Watermark Customizability: Watermarks can be configured to also include the device date-time, enabling admins to know precisely when leaked information was captured, as well as a custom string.
Cross-Platform Support: Available on Word, Excel, and PowerPoint for the web, Windows, Mac, iOS, and Android.
Seamless Integration: Configurable on sensitivity labels with admin-defined permissions via the Microsoft Purview compliance portal or PowerShell.
Enhanced Security: Prevents users from accessing documents with labels configured for dynamic watermarking on Word, Excel, and PowerPoint clients that cannot render dynamic watermarks.

Benefits & Differentiators
Although there are existing security solutions that may offer different aspects of dynamic watermarking, Microsoft provides the most comprehensive offering with the following differentiators:
Broad support in many views (e.g., slide view, notes view, etc.), so it’s not only the primary application view that’s protected, giving more comprehensive coverage.
Ability to set dynamic watermarking for a sensitivity label and have it apply to all Word, Excel, and PowerPoint files with that sensitivity label (rather than a separate setting), making it easier for admins to apply dynamic watermarking across applications and files all at once.
Ability to edit (and coauthor) a watermarked file. Coauthoring enables users to collaborate on Word, Excel, and PowerPoint files that are labeled with sensitivity labels across Web, Windows, Mac, iOS, and Android.
Cross-platform support: Web, Windows, Mac, iOS, and Android.

When a user attempts to open a file with dynamic watermarks on a version of Office that doesn’t support the feature, they will see an access denied message. Users who don’t have an Office client installed that is capable of dynamic watermarking should use Office for the web to work with watermarked files.

Get Started with Dynamic Watermarking
When setting up a label in the Purview compliance portal, you can select “Use Dynamic Watermarking” when configuring encryption. You can also configure dynamic watermarking on a sensitivity label using the Set-Label cmdlet in PowerShell.
Learn more about configuring sensitivity labels for dynamic watermarking here.

Dynamic watermarking for Word, Excel, and PowerPoint requires a Microsoft 365 E5, Microsoft 365 E5 Compliance, Microsoft Information Protection and Governance E5, Microsoft Enterprise Mobility and Security E5, or Microsoft Security and Compliance for Frontline Workers F5 license. These licenses are required to configure dynamic watermarks and to apply labels configured for dynamic watermarking. There is no licensing requirement for users to open files with dynamic watermarks. To view the minimum versions needed to open files with dynamic watermarks on all platforms, see Minimum versions for sensitivity labels in Microsoft 365 Apps | Microsoft Learn.
1.7K Views, 2 likes, 2 Comments

Co-authoring on Microsoft Information Protection encrypted documents is now generally available
With hybrid work here to stay, organizations are increasingly looking for ways to facilitate seamless collaboration among workgroups and across organizations while keeping their data secure and compliant. Today, we’re announcing a unique capability from Microsoft Information Protection in Microsoft 365 that empowers you to do just that.
37K Views, 15 likes, 9 Comments

Empowering compliance in a complex regulatory landscape with Microsoft Purview Compliance Manager
As organizations increasingly adopt AI-driven solutions and multi-cloud environments, managing compliance across diverse and evolving regulatory frameworks has become critical. At Microsoft Ignite 2024, we are thrilled to showcase the latest innovations in Microsoft Purview Compliance Manager, designed to empower businesses to navigate complex regulations, like the EU AI Act, GDPR, DORA, NIS2, and more. Whether your organization is focused on data privacy, industry-specific standards, or AI governance, Compliance Manager provides the tools to help you proactively manage compliance, streamline risk mitigation and help ensure operational resilience. Let’s explore how these new features can support your compliance journey.

Here’s What’s New in Compliance Management at Microsoft Ignite 2024
This year, Microsoft Purview Compliance Manager introduces powerful new capabilities designed to help organizations tackle today’s complex compliance landscape. With tools addressing AI governance and global data privacy regulations, Compliance Manager offers enhanced support for navigating regulatory requirements with greater ease and efficiency.

New Features:

Custom Templates for Tailored Compliance
Flexibility is key in the regulatory landscape. With Custom Templates, organizations can now modify compliance frameworks to match specific regulatory and operational needs. This feature empowers teams to configure regulations, making Compliance Manager a uniquely adaptable solution for your compliance management journey.

Expanded Coverage with Key Global AI Regulations
Compliance Manager’s regulatory scope has broadened to support both AI and other essential global frameworks, now covering the EU AI Act, NIST AI Risk Management Framework, and ISO standards 42001 and 23894. Beyond AI, we’ve added support for key regulations like DORA, NIST CSF 2.0, Indonesia’s PDP law, and Qatar’s Cloud Computing regulations, providing up-to-date support to address new and evolving requirements.
EU AI Act Assessment.

Pre-Deployment Compliance Tool
For regulated industries, compliance validation has often been a roadblock to efficient cloud adoption. Our new Pre-Deployment Compliance Tool enables customers to assess the regulatory alignment of Azure services prior to production deployment. This feature helps accelerate the path to compliant cloud solutions, reducing validation time from weeks to hours.

Compliance History Report for Enhanced Tracking
Monitoring compliance trends is easier than ever with the new Compliance History Report. This tool provides a timeline view of your compliance score, making it simple to track progress, understand score changes, and address recurring issues, helping teams build a more proactive approach to compliance management.

These new capabilities make Microsoft Purview Compliance Manager an essential asset for addressing complex regulatory requirements, supporting responsible AI, and empowering your organization to manage compliance confidently.

Addressing Today’s Compliance Challenges with Microsoft Purview Compliance Manager
Compliance Manager is tailored to help organizations address key regulatory challenges by providing a unified solution for managing, monitoring, and enhancing compliance efforts. Here are the primary challenges it helps solve:
Navigating Complex Regulatory Landscapes: With an ever-growing set of regulations, Compliance Manager provides guidance and tools to monitor and respond to these evolving requirements.
Data Privacy and Security Risks: Compliance Manager's automated tools help to identify risks and enforce privacy best practices, mitigating potential exposures and protecting sensitive data.
Scaling Compliance Efforts: Compliance Manager enables scalability, helping organizations address both regional and industry-specific needs while maintaining a consistent compliance posture.
AI Governance and Accountability: The EU AI Act and similar regulations are driving the need for transparent, accountable AI governance. Compliance Manager supports organizations in establishing ethical frameworks, tracking AI systems, and complying with principles of fairness, transparency, and accountability.

View your compliance score and recommended actions.

Key Capabilities of Microsoft Purview Compliance Manager
Microsoft Purview Compliance Manager offers a robust suite of features to streamline and automate compliance management across cloud environments:
Unified Compliance Dashboard: A centralized dashboard offers real-time visibility into compliance scores, risk mitigation efforts and control implementation. This enables organizations to efficiently manage compliance across the data estate.
Automated Compliance Checks: Compliance Manager reduces the time and effort required for compliance checks through automated assessments that recommend actions based on risk levels, helping you stay ahead of compliance demands.
Multi-Cloud Support: Compliance Manager extends beyond Microsoft 365, offering support for Azure services, Amazon Web Services and Google Cloud services, providing a unified view of compliance across your digital ecosystem.
AI Compliance suggested actions and workflow management for implementation of appropriate controls: With pre-built assessments and recommended actions aligned with AI governance requirements, Compliance Manager helps organizations adopt AI responsibly by providing specific insights to help implement controls aligned to regulatory requirements.

How Compliance Manager Supports the EU AI Act and Other Key Regulations
Microsoft Purview Compliance Manager simplifies regulatory alignment for critical frameworks, such as the EU AI Act, by providing:
Pre-Built Assessment Templates: These templates guide organizations through EU AI Act requirements, identifying gaps and recommending corrective actions to facilitate compliance workflows.
Continuous Monitoring: Ongoing monitoring of AI systems supports alignment with responsible AI principles, such as transparency, fairness, and accountability.
AI Governance Capabilities: Compliance Manager supports audit trails for AI use, helping customers ensure that AI-driven decisions comply with legal standards and corporate policies.

Accelerating Cloud Innovation with Purview Compliance Manager’s Pre-deployment Compliance Tool
The Pre-deployment Compliance Tool, one of the latest features in Purview Compliance Manager, is a game changer designed to accelerate cloud adoption for regulated industries. This tool enables Microsoft customers to validate complex service compliance requirements during pre-deployment, streamlining the path to cloud adoption and reducing compliance process time with automation.

Begin Your Compliance Journey: Try Microsoft Purview Compliance Manager for Free
To experience the full capabilities of Microsoft Purview Compliance Manager, start a free trial and explore how it can simplify and automate your compliance efforts.

Steps to Begin Your Trial:
Start Your Free Trial: Sign up at aka.ms/PurviewTrial to begin your free trial of Microsoft Purview Compliance Manager premium assessments.
Learn More: Visit the Microsoft Learn page for resources, best practices, and tutorials on setting up Compliance Manager.
2.1K Views, 0 likes, 1 Comment

Accelerate AI adoption with next-gen security and governance capabilities
Generative AI adoption is accelerating across industries, and organizations are looking for secure ways to harness its potential. Today, we are excited to introduce new capabilities designed to drive AI transformation with strong security and governance tools.
8.8K Views, 2 likes, 0 Comments

NIST CSF 2.0 - Protect (PR) - Applications for Microsoft 365 (Part 1)
This blog and series will look to apply the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0 and, specifically, the Protect (PR) Function to Microsoft 365. Though the discussion will endeavor to focus primarily on Microsoft 365, it may periodically venture into Microsoft Azure topics by the nature of each solution. Neither Part 1 nor any subsequent blog in the series will be an exhaustive review of all possible applications of NIST CSF 2.0, nor exhaustive of the technologies mentioned and their abilities to manage cybersecurity risks. Other applicable Functions or Categories found in NIST CSF 2.0 will be invoked throughout in the true spirit of the framework. PR as a function is intended to cover “safeguards to manage the organization’s cybersecurity risks” and contains five Categories. The prior CSF publication included six categories, but two were significantly edited and renamed. Let’s first dive into Identity Management, Authentication, and Access Control (PR.AA).
20K Views, 6 likes, 3 Comments