Azure Active Directory hybrid identity design considerations – overview | Microsoft Docs


Office 365 Encryption

In Office 365, content is encrypted using several strong encryption protocols and technologies.

This article is a high-level look at encryption using all default settings. It is in no way a comprehensive walk-through of all the available options for RMS, OME, IRM, or Forced TLS (S/MIME digital ID encryption is not covered). It is intended to provide a quick start to the additional encryption technologies available in Office 365.

In Office 365, content is encrypted using several strong encryption protocols and technologies that include Transport Layer Security/Secure Sockets Layer (TLS/SSL), Internet Protocol Security (IPsec), and Advanced Encryption Standard (AES).

But . . . is that all? Of course not! There’s much more you can add to protect your emails and files in Office 365. We’ll discuss these in the order we encounter them in many organizations.

Azure RMS (E3/EM+S E3 or higher required) with IRM

The first enhanced layer of encryption available is added by enabling Azure RMS for your tenant. By default, this feature is off. By activating Azure RMS you open the door to several other technologies we’ll discuss in a moment.

First, locate and select Home > Settings > Services & add-ins > Microsoft Azure Information Protection, then follow the Microsoft Azure Information Protection link. Azure RMS is a prerequisite for AIP.

Click on Activate to enable RMS for your tenant. You will see the screen below afterwards.

After activation, a few lines of PowerShell are required to configure Information Rights Management.


“RMS Online”
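As an added example (not code from the original post), this is the Exchange Online PowerShell sequence that imports the Azure RMS trusted publishing domain named “RMS Online” and enables internal licensing. It assumes a connected Exchange Online PowerShell session; the key-sharing URL shown is the North America endpoint (other regions use a different host) and the sender address is a placeholder.

```powershell
# Added example: configure Exchange Online IRM against Azure RMS (the legacy
# "RMS Online" procedure). Assumes an Exchange Online PowerShell session is
# already open as a tenant administrator.

# The key-sharing location is region-specific (NA, EU, AP, ...). The North
# America endpoint is assumed here; pick the one that matches your tenant.
$rmsKeySharingLocation = "https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc"
Set-IRMConfiguration -RMSOnlineKeySharingLocation $rmsKeySharingLocation

# Import the tenant's Trusted Publishing Domain from Azure RMS. "RMS Online"
# is the name used in the post; it is just a label for the imported TPD.
Import-RMSTrustedPublishingDomain -RMSOnline -Name "RMS Online"

# Allow Exchange Online (Outlook, OWA, mail flow rules) to apply RMS templates.
Set-IRMConfiguration -InternalLicensingEnabled $true

# Verify the configuration end to end for a sender (placeholder address):
# template retrieval, protection and decryption are each reported as PASS/FAIL.
Test-IRMConfiguration -Sender "admin@contoso.example"

# List the templates that users will now see under Options > Permissions.
Get-RMSTemplate
```

Run Test-IRMConfiguration again after any later change; a FAIL on template retrieval usually means the key-sharing location or the TPD import did not match the tenant's region.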



That provides the options in Outlook for users to apply RMS templates and protect messages. It also allows you to enable Information Rights Management in the SharePoint Administration console and apply rights protection to individual lists and libraries as needed.

When composing a new message in Outlook, select the Options tab and the Permissions button to encrypt your message. The image below shows the default RMS templates. The default template, Unrestricted Access, allows all operations on the message. The others are restricted as follows:

  • Do Not Forward – recipient cannot forward, print, or copy the message
  • Confidential\All Employees – recipient can Read and Edit
  • Highly Confidential\All Employees – recipient can only Read

The question of the hour for this process is usually, “What is the experience for the recipient?” Using Outlook without the reading pane, the message will appear like the image below. The red icon indicates that IRM protection is in place for this message.

Using the reading pane when an IRM message comes in, the recipient will see the message below indicating that the message is encrypted and cannot be displayed unless opened.

Every time you open a rights protected message, your computer will download the necessary IRM components to decrypt. It is a temporary operation and is usually very fast. It will look like this:

Great, you say, I can see my message. But what if you don’t have RMS on your local network or an Azure RMS subscription with RMS activated? This is no problem. Visit this Azure Information Protection site and enter your email address; Microsoft will verify whether your account is already sufficiently authorized or whether you need to download the RMS for Individuals/Azure Information Protection client. For an excellent look at the Azure Information Protection client, visit my colleague Pixie Vee’s WordPress blog here. Once the client is installed you’ll be able to use the account you tested to open IRM protected emails, documents, etc.

Office 365 Message Encryption (OME) (E3/EM+S E3 or higher required)

Office 365 Message Encryption allows administrators to configure Exchange Online mail flow rules to apply encryption based on Conditions and Exceptions. Please make a big note here: although I won’t mention it in this section, be aware that the same settings can be used to automatically apply IRM protection as well. So, what are those settings? Let’s talk about it.

Office 365 Message Encryption goes a step further than IRM protection for emails by encrypting the email and attaching the original text as an HTML attachment. This requires the recipient to sign in with their Microsoft account, or to get a one-time use code, to open the email.

Here’s a quick look at configuring one of these very flexible and comprehensive mail flow rules. From the Exchange Admin Center:

As you can see below you can also choose to use Apply rights protection or Require TLS. For this example we’re using OME.

The finished product is a rule that uses OME to encrypt all messages to external users if the phrase “Highly Confidential” appears anywhere in the subject or body of the individual message. Mail flow rules check every email that is sent.
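The same rule built from PowerShell, as an added example (not from the original post). It assumes a connected Exchange Online PowerShell session; the rule name and comment are placeholders, and the commented-out variant shows the IRM alternative mentioned above.

```powershell
# Added example: the OME mail flow rule described above, created with
# New-TransportRule instead of the Exchange Admin Center wizard.
# Assumes a connected Exchange Online PowerShell session.

# Condition: recipient is outside the organization AND the subject or body
# contains "Highly Confidential". Action: apply Office 365 Message Encryption.
New-TransportRule -Name "OME - Highly Confidential to external" `
    -SentToScope NotInOrganization `
    -SubjectOrBodyContainsWords "Highly Confidential" `
    -ApplyOME $true `
    -Mode Enforce `
    -Comments "Encrypt external mail tagged Highly Confidential with OME"

# Start with -Mode Audit instead of Enforce to see which messages would
# match (message trace) before any mail is actually encrypted.

# The same conditions can apply IRM protection with an RMS template instead:
# New-TransportRule -Name "IRM - Highly Confidential to external" `
#     -SentToScope NotInOrganization `
#     -SubjectOrBodyContainsWords "Highly Confidential" `
#     -ApplyRightsProtectionTemplate "Do Not Forward"

# Confirm the rule exists, is enabled and is enforced.
Get-TransportRule -Identity "OME - Highly Confidential to external" |
    Format-List Name, State, Mode, SentToScope, SubjectOrBodyContainsWords, ApplyOME
```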

But, again, you ask me, “What is the user experience?” I need to know!

Here is a sample composed message that will have OME applied when it is sent to this external user. Please note the use of the words “Highly Confidential” in the subject line.

The recipient will see the image below.

When they double click on the attachment, the default browser will open to the following page:

The message will open in the browser.

Forced TLS

In much the same way that mail flow rules mix and match conditions and actions for rights protection and OME, you can also use a mail flow rule to enforce TLS between sender and recipient. If you know that your partner, let’s say it’s a connection to your bank, uses TLS, you can force messages to use TLS and specify certificate names or a different MX record, among other options, with the partner. You can also force Exchange to only receive TLS encrypted messages from partners. You can do this using a connector. If you’ve created a mail flow rule with specific conditions and exceptions for using TLS, you can also configure a connector to use that mail flow rule. Here’s an example of a test connector that does not use a mail flow rule.
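As an added example (not the post’s own connector), the bank scenario above expressed as an outbound and an inbound partner connector, plus the mail-flow-rule variant in comments. It assumes a connected Exchange Online PowerShell session; bank.example and mail.bank.example are placeholder domain and certificate names.

```powershell
# Added example: force TLS with a partner (the bank scenario above) using
# connectors. Assumes a connected Exchange Online PowerShell session.

# Outbound: mail to the partner domain must use TLS, and the partner's server
# must present a certificate matching the expected name (DomainValidation is
# stricter than CertificateValidation, which only checks the CA chain).
New-OutboundConnector -Name "To bank.example (forced TLS)" `
    -ConnectorType Partner `
    -RecipientDomains "bank.example" `
    -UseMXRecord $true `
    -TlsSettings DomainValidation `
    -TlsDomain "mail.bank.example"

# Inbound: mail claiming to come from the partner domain is accepted only
# over TLS with a certificate issued to the expected name; plaintext or a
# mismatched certificate is rejected.
New-InboundConnector -Name "From bank.example (forced TLS)" `
    -ConnectorType Partner `
    -SenderDomains "bank.example" `
    -RequireTls $true `
    -RestrictDomainsToCertificate $true `
    -TlsSenderCertificateName "mail.bank.example"

# Mail-flow-rule alternative: route matching messages through the outbound
# connector and require TLS on that route (the rule-plus-connector pattern
# described above).
# New-TransportRule -Name "Require TLS to bank.example" `
#     -RecipientDomainIs "bank.example" `
#     -RouteMessageOutboundRequireTls $true `
#     -RouteMessageOutboundConnector "To bank.example (forced TLS)"

# Review what is enforced on each side.
Get-OutboundConnector | Format-List Name, RecipientDomains, TlsSettings, TlsDomain
Get-InboundConnector  | Format-List Name, SenderDomains, RequireTls, TlsSenderCertificateName
```

Validate with the partner before enforcing the inbound connector: if their certificate name does not match TlsSenderCertificateName, their mail will be rejected rather than delivered in the clear.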

This blog is supposed to be easily digestible bits of the larger picture, but in this case, just the overview is fairly intense and required a bit longer entry to really give the basic idea of using encryption in Office 365. Thanks for reading!

Office 365 Decisions: it’s only Email and SharePoint

Create an Office 365 tenant, synchronize active directory, migrate mail and sites and you’re all set, right?

This post was previously published here.

Create an Office 365 tenant, synchronize Active Directory, migrate mail and sites and you’re all set, right? While consulting in the Office 365 space I continue to encounter clients who are either misinformed or completely uninformed about the breadth of decisions that are required to implement this cloud solution. Office 365 is not a single decision (i.e., “let’s move to the cloud”), but rather a vast array of decisions, most of which affect not only your IT staff but your end users and budgets as well. At Centric Consulting, we ask all of the questions required to help our clients successfully implement a cloud solution like Office 365; some of those questions are listed below to show the diversity of topics an implementation effort of this scale requires.


Which Office 365 features are you planning to use?

Some of the available features that will require decisions are as follows:

  • Office current version
  • Exchange
  • Skype
  • SharePoint
  • Mobile Device and Application Management
  • Information Retention and Management
  • Azure Active Directory
  • Multi-factor authentication
  • External Sharing
  • Sway
  • Rights Management
  • Outlook Groups


Is your network prepared?

Does your network have the capacity to migrate existing mailboxes and identities to the cloud while continuing day-to-day business without performance issues? Will that still be the case when users begin to synchronize their OneDrives, too? Before you start migrating users, be certain your network is prepared by using Microsoft’s tools for Planning and Performance.


How will you manage identities?

In most cases Centric Consulting has found that companies are synchronizing their on-premises Active Directory, but is that enough? If users have to sign in multiple times they will not use the solution; be prepared for federation. Standard Azure Active Directory may not provide all the features you need for identity and security management. A third-party identity provider solution can also be used to federate with Office 365.


How will you manage mobile and application access?

We have also found that most of our clients cannot meet their company’s security requirements surrounding mobile device management using the default settings in Office 365. Look to Microsoft’s Enterprise Mobility Suite for enhanced mobile security features.


Who will support Office 365?

The most underestimated and under-planned-for category of decisions is around who will support what parts of the Office 365 platform. Read what administration roles are available at the platform level alone to get a better idea of this undertaking. Along with help desk, business analyst roles, developers and other subject matter experts the support organization will require retraining or repurposing of existing staff and/or new hires, some of whom are difficult to find.


How will your users learn?

Most companies discover the questions they forgot to answer when their users locate and begin to use features for which no one planned. In order to avoid the shadow training and workarounds that users will find on their own, and to protect the security of the company’s data, plan for training: not once, but continuously. The Office 365 platform is more fluid than static, and changes noticed by the support team can be passed on to the training team for dissemination to users.


How will you manage change?

As mentioned, Office 365 is in a nearly constant state of flux, with platform updates anticipated quarterly and additional feature updates on varying schedules. Monitoring the Office 365 Roadmap and the administration console message center is a requirement, along with a governing body. A governance or steering committee will review current policies and the need for new policies. This committee should meet on a regular basis and include stakeholders not only from IT but from the business as well. This is vital to the overall management of the platform as well as user satisfaction.


I will repeat that this is in no way a comprehensive list of questions, nor will it get you on your way to purchasing, configuring or supporting Office 365. Rather, this is meant to illustrate the breadth of questions that need to be answered and some of the topics that need to be discussed before deciding to make a leap into the cloud.

Active Directory Synchronization Strategies for Office 365

How do you select the correct synchronization and authorization strategy for Office 365?

A couple of the questions we get asked frequently are, “What is the difference between a cloud account and an on-premises account,” and “What type of cloud authentication should I use?” These are valid questions in light of the many, and often confusing, options available.

The account differentiation is clear:

  • A cloud account is a user account whose entire lifecycle is in the cloud, where provisioning, deprovisioning, and any user or admin maintenance takes place
  • An on-premises account is a user account whose lifecycle is managed completely on-premises, in Active Directory or a third-party identity provider
  • A hybrid account is a user account whose lifecycle begins on-premises where it is created, managed, and synchronized to Office 365, but depending on the type of synchronization, may have some administration tasks performed in the cloud and synchronized back to on-premises

What isn’t always clear is the synchronization type. Azure AD Connect allows a number of different options to keep users from having to enter credentials while working on the corporate network and entering them again when connecting to Office 365. Here are the types of synchronization available for use with Office 365.

  • Cloud Only – usually used in smaller organizations with little to no on-premises network and no desire to add infrastructure
  • Password Synchronization with Password Hash – any size organization with on-premises Active Directory willing to synchronize passwords (as hashes) with Office 365
  • Password Synchronization with Pass-Through Authentication – any size organization with on-premises Active Directory that wants authentication to be performed on-premises, with only security tokens passed to Office 365
  • Federation – usually larger organizations with AD FS already in place, willing to put the additional infrastructure in place, or using a third-party identity provider

Hopefully these will help you understand what types of accounts and what types of synchronization are available, if only at a high level.

A paper released earlier this year by Microsoft France further illustrates the synchronization options through the table below.
Table courtesy of Microsoft France; Authors: Philippe Beraud, Jean-Yves Grasset (Microsoft France); Contributors/Reviewers: Daniel Pasquier (Microsoft France), Philippe Maurent (Microsoft Corporation)

I hope this helps and thank you for stopping by. Come see us @Centric Consulting on Twitter or the Centric Website.

Operational Cloud Transformation

The very popular phrase “digital workplace transformation” is without doubt underselling the actual task.

The very popular phrase “digital workplace transformation” is without doubt underselling the actual task. You cannot undergo this transformation using the same knowledge with which you currently operate, and realize a high degree of success.

“We can’t solve problems using the same kind of thinking we used when we created them.”

-Albert Einstein

Depending on the size of your organization, you are likely to remain in large part a hybrid operation between cloud and on-premises technology. That’s fine, but if you are a large or global organization, this is not the whitewater you want to raft alone and without a helmet. You will need help, and that is not fake news.

Supporting the essential offerings in Office 365 — Exchange, SharePoint, Skype — is not altogether different from supporting the local server versions you currently use. Transitioning them is easy and secure without much customized knowledge.

But Office 365, like other cloud offerings, is a platform; supporting or transitioning those three applications isn’t really that important in the overall corporate transformation. Those applications are all intersected by other, more collaborative pieces of SaaS, Teams, OneDrive and Delve being the most notable. You know the ingress and egress points of data in your organization, but those endpoints triple and quadruple in a cloud offering and will continue to include your existing shadow IT.

Here’s just the beginning on who and what will need to be involved if your transformation is to succeed:

  • Local infrastructure – Active Directory, Server, Firewall, Network, Email, SharePoint, Skype
  • Local Software – Office versions, internally developed, 3rd party for HR and the like
  • Human Resources
  • Legal
  • Corporate Communications, Governance, and Policymakers
  • Corporate Security
  • Business Unit Representation
  • Training and Development
  • Office 365 Platform team
  • Office 365 Strategy and Operations teams

That’s just to get started. The overall transformation is a business-wide endeavor and requires much more than a few members of your technical IT staff and a couple of weeks to make you successful. You aren’t just updating or moving operations, you are transforming them and impacting everyone in the organization in ways that you may not even be aware of yet.

To be successful, you will have to merge your skilled, current staff with a team of skilled Office 365 transformation staff. My colleagues and I have been transforming businesses to digital operations for many years. Let me know if we can help you too.

Thank you for stopping by!