

Microsoft EMS features to know in Office 365, Exchange

Microsoft EMS adds capabilities such as document encryption and threat detection to Office 365, but a subscription may not be necessary for every organization.

The Enterprise Mobility Suite from Microsoft is a combination of products primarily aimed at organizations that have migrated to or are planning to migrate to Office 365. Microsoft EMS features include mobile device management, advanced identity tools, document encryption and tools to help detect threats.

Device management

Just a few years ago, there was a clear difference between mobile devices and desktop devices. Tablets have blurred the line, with Apple and Android devices scaling up to tablet size from smartphones, Windows 8 and above scaling down to tablet size, and Windows 10 providing a common platform across phone, tablet and the desktop.

With Microsoft EMS. Intune is Microsoft's answer to managing all of these end-user devices. Intune provides core mobile device management (MDM) functionality: enforcing device security settings such as a PIN, encryption and a minimum OS version, pushing profiles for email and VPN access, restricting device features for the user, deploying applications to devices and sandboxing applications so that personal and corporate data can coexist on the same device.

Securing and managing devices is critical to most organizations, because the loss of data on a device could result in heavy fines, regulatory breaches or lost revenue.

In addition to base MDM features, Intune works with Exchange Online and on-premises Exchange Server to ensure that only managed devices can connect to Exchange. This is called conditional access: admins create policies so that only compliant devices, those that are enrolled, reporting their status and meeting the policy, can sync email.

Without Microsoft EMS. If you don't add Intune to your Office 365 subscription, all is not lost. Exchange Online's ActiveSync mailbox policies are fairly capable: you can enforce a device PIN, require device encryption and remotely wipe devices. These controls apply only to the ActiveSync connection, though. They cover nothing outside email, and the only visibility they give you into a device is what the mail client reports when it syncs.
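The ActiveSync-only controls described above, as an added example that is not from the original article: an Exchange Online PowerShell script that creates a baseline mailbox policy, quarantines unknown devices, assigns the policy, shows what the device reports back, and performs a remote wipe. It assumes an Exchange Online PowerShell session is already open with Organization Management rights; the policy name, mailbox addresses and admin alias are placeholders.

```powershell
# Added example (not from the original article): Exchange Online ActiveSync
# device policy without EMS/Intune. Assumes an Exchange Online PowerShell
# session is already open with Organization Management rights.
# Policy name, addresses and the admin alias are placeholders.

# 1. A mailbox policy that enforces a PIN and encryption on ActiveSync clients.
#    AllowNonProvisionableDevices $false blocks clients that cannot enforce the
#    policy at all, which is the setting most often left at its default ($true).
New-MobileDeviceMailboxPolicy -Name "Corp-ActiveSync-Baseline" `
    -PasswordEnabled $true `
    -AlphanumericPasswordRequired $false `
    -AllowSimplePassword $false `
    -MinPasswordLength 6 `
    -MaxPasswordFailedAttempts 10 `
    -MaxInactivityTimeLock "00:05:00" `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $false `
    -IsDefault $true

# 2. Quarantine devices the organization has never seen until an admin approves
#    them, and notify the admins when that happens. Approvals are per mailbox.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients "eas-admins@contoso.com"

# 3. Assign the policy to an existing mailbox (IsDefault only covers new ones).
Set-CASMailbox -Identity "alice@contoso.com" `
    -ActiveSyncMailboxPolicy "Corp-ActiveSync-Baseline"

# 4. What you can see: device model and OS, last sync, and whether the client
#    acknowledged the policy. This is the full extent of ActiveSync visibility;
#    it says nothing about non-mail apps or the device's overall compliance.
Get-MobileDeviceStatistics -Mailbox "alice@contoso.com" |
    Select-Object DeviceModel, DeviceOS, DeviceType, LastSuccessSync,
                  DevicePolicyApplied, DevicePolicyApplicationStatus, Status, DeviceID

# 5. Remote wipe. -AccountOnly removes just the mail account and its data on
#    clients that support it (Exchange ActiveSync 16.1 or later); omit it to
#    request a full device wipe, which is all older clients can do.
$dev = Get-MobileDevice -Mailbox "alice@contoso.com" |
    Where-Object { $_.DeviceModel -like "iPhone*" } |
    Select-Object -First 1
if ($dev) {
    Clear-MobileDevice -Identity $dev.Identity -AccountOnly `
        -NotificationEmailAddresses "eas-admins@contoso.com" -Confirm:$false
}
```

The point of step 4 is the gap the article describes: the statistics come from the mail client, so a jailbroken or unpatched device that still syncs mail looks exactly like a healthy one. Intune's conditional access closes that gap by consulting the device's compliance state rather than the mail client's self-report.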

Office 365 MDM fills the gap between ActiveSync's base functionality and Intune. Office 365 MDM is built on Intune and uses the same management applications on each device. It lets organizations manage mobile email policies for Exchange Online users, along with advanced features such as conditional access.

What you don't get is the application deployment and management capabilities of Microsoft EMS. If you want to deploy and manage Outlook for iPad, for example, evaluate the full Intune provided with EMS.

Information rights management

You can use information rights management (IRM) functionality to encrypt files and documents and enforce restrictions on what a recipient can do with a message or document. The IRM technology in Office 365 and EMS, Azure Rights Management Services (RMS), is natively supported by modern versions of Microsoft Office. It can protect email and other files, such as images, via the RMS sharing application. Azure RMS encrypts file content with 128-bit AES. Rather than requiring users to maintain keys, Azure RMS grants access based on the user's Azure Active Directory (AD) identity.

With Microsoft EMS. If you purchase EMS, you get the Azure RMS Premium version. This adds the ability for on-premises file servers to use File Classification Infrastructure (FCI) to apply RMS protection to files automatically. To make use of this, you deploy the RMS connector on premises; it links the Windows file servers running FCI to the Azure RMS service.
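The FCI-to-Azure RMS path described above, as an added example that is not from the original article: a PowerShell script for a Windows Server 2012 R2 file server that points FCI at the RMS connector, classifies files that contain something resembling a payment card number, and runs a continuous file management job that applies an RMS template to them. It assumes the File Server Resource Manager role is installed, the RMS connector is already deployed and reachable at the placeholder URL, GenConnectorConfig.ps1 (shipped with the RMS connector download) is in the current directory, and a custom RMS template named "Contoso - Confidential" exists; the share path, property name and template name are placeholders.

```powershell
# Added example (not from the original article): automatically applying an
# Azure RMS template to files with FSRM File Classification Infrastructure.
# Assumes: Windows Server 2012 R2 with the FSRM role, an RMS connector at
# https://rmsconnector.contoso.com (placeholder), GenConnectorConfig.ps1 from
# the connector download in the current directory, and an RMS template named
# "Contoso - Confidential" (placeholder). Run in an elevated session.
Import-Module FileServerResourceManager

# 1. Point this file server at the RMS connector. -SetFCI2012 writes the
#    registry settings FCI uses to find the connector instead of Azure directly.
.\GenConnectorConfig.ps1 -ConnectorUri "https://rmsconnector.contoso.com" -SetFCI2012

# 2. A yes/no classification property and a content rule that sets it.
#    The regex is deliberately loose (13-16 digits with optional separators);
#    FCI performs no Luhn check, so expect false positives and tune the rule.
New-FsrmClassificationPropertyDefinition -Name "ContainsPAN" -Type YesNo `
    -Description "File contains a payment card number"
New-FsrmClassificationRule -Name "Detect card numbers" `
    -Property "ContainsPAN" -PropertyValue "1" `
    -Namespace @("D:\Shares\Finance") `
    -ClassificationMechanism "Content Classifier" `
    -ContentRegularExpression @('\b(?:\d[ -]?){13,16}\b') `
    -ReevaluateProperty Overwrite

# 3. Continuous classification so new and modified files are evaluated as they
#    are written, not only on the scheduled run.
Set-FsrmClassification -Continuous -ContinuousLog

# 4. A file management job: when ContainsPAN is set, apply the RMS template.
#    The file is then readable only by identities the template grants rights to,
#    wherever it is copied afterwards.
$cond   = New-FsrmFmjCondition -Property "ContainsPAN" -Condition Equal -Value "1"
$action = New-FsrmFmjAction -Type Rms -RmsTemplate "Contoso - Confidential"
New-FsrmFileManagementJob -Name "Protect card data with RMS" `
    -Namespace @("D:\Shares\Finance") `
    -Condition $cond -Action $action -Continuous

# 5. Run both once now rather than waiting for the schedule.
Start-FsrmClassification -Confirm:$false
Start-FsrmFileManagementJob -Name "Protect card data with RMS" -Confirm:$false
```

Two practical checks: open a matching file on a client that is not authorized by the template and confirm it is unreadable, and keep an eye on the file management job's report, since a file FCI cannot open (a locked or corrupt document) is silently skipped rather than protected.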

Powerful end-user functionality is also included with the EMS version of RMS. Users can revoke access to a document at any time, which is useful if the wrong version was sent or the person with access no longer needs the content. Usage tracking is also included, which is particularly valuable when a document is distributed to a wide audience.

Without Microsoft EMS. You get most of the functionality you'll need in Office 365 without adding EMS. The Office 365 integrated RMS that comes with the E3 plan includes the core functionality required to protect Office 365 data. For example, administrators can define templates that prevent reply-all or forwarding of an email message, or that remove a recipient's ability to print, copy or edit a document. Users can apply the templates as-is or create their own combination of protection settings.

In addition to protecting files and email in the Office clients, the ability to protect email messages in Exchange Online is built in: an administrator can configure transport rules that apply RMS protection to mail that matches a condition. Similar functionality can be configured in SharePoint Online. Documents are not stored RMS-encrypted within SharePoint Online, but a document library can be configured so that a document is automatically RMS-protected at the moment it is downloaded.

If you are running Office 365 in hybrid mode, with on-premises Exchange or SharePoint servers, the included RMS Connector applies the same protection.

In addition to RMS, another IRM technology is included, Office 365 message encryption. This provides the ability to configure a transport rule that encrypts certain messages for any recipient, including those outside the organization with no RMS-capable client. The message the recipient receives has its content removed and replaced by a link to an Office 365 portal; after authenticating there, the recipient reads the content over an HTTPS channel.
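The transport-rule protection described in the two passages above (RMS templates and Office 365 message encryption), as an added example that is not from the original article: an Exchange Online PowerShell script that enables Azure RMS for Exchange, verifies the configuration for a sender, creates one rule that applies the built-in "Do Not Forward" template and one that applies message encryption, then lists every rule that applies protection. It assumes an Exchange Online PowerShell session with Organization Management rights and a tenant in which Azure RMS has already been activated in the Office 365 admin center; the addresses, rule names and key words are placeholders.

```powershell
# Added example (not from the original article): enabling Azure RMS in
# Exchange Online and protecting mail with transport rules. Assumes an
# Exchange Online PowerShell session with Organization Management rights and
# a tenant in which Azure RMS has already been activated. Addresses, rule
# names and key words are placeholders.

# 1. Connect Exchange Online to the tenant's Azure RMS service and list the
#    templates. Any template shown here can be referenced from a transport rule.
Set-IRMConfiguration -AzureRMSLicensingEnabled $true
Set-IRMConfiguration -InternalLicensingEnabled $true
Get-RMSTemplate | Format-Table Name, Description -AutoSize

# 2. End-to-end check before any rule goes live: can Exchange obtain licences
#    and encrypt on behalf of this sender?
Test-IRMConfiguration -Sender "alice@contoso.com"

# 3. Rule A: mail carrying an internal marker that is addressed outside the
#    organization gets the built-in "Do Not Forward" template. The recipient
#    can read it but cannot forward, print or copy it.
New-TransportRule -Name "RMS - Do Not Forward internal-only mail" `
    -SubjectOrBodyContainsWords "Internal Only", "Project Falcon" `
    -SentToScope NotInOrganization `
    -ApplyRightsProtectionTemplate "Do Not Forward" `
    -Priority 0

# 4. Rule B: Office 365 Message Encryption for external recipients who have
#    no RMS-capable client. The body is replaced by a link to the Office 365
#    portal, where the recipient authenticates and reads it over HTTPS.
New-TransportRule -Name "OME - encrypt mail marked [Encrypt]" `
    -SubjectContainsWords "[Encrypt]" `
    -SentToScope NotInOrganization `
    -ApplyOME $true `
    -Priority 1

# 5. Audit: every rule that applies protection, so a later rule edit or
#    priority change does not silently remove it.
Get-TransportRule |
    Where-Object { $_.ApplyRightsProtectionTemplate -or $_.ApplyOME } |
    Format-Table Name, State, Priority, ApplyRightsProtectionTemplate, ApplyOME -AutoSize
```

Rule priority matters: a lower-priority rule that removes or rewrites the subject could defeat the match in step 4, so keep protection rules near the top and re-run the audit in step 5 after any rule change.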

Azure Active Directory

The service that stores user information for Office 365 is known as Azure AD. It is often synchronized with the on-premises Active Directory using a tool called Azure AD Connect. Password hashes can be synced to Azure AD along with the user details, or an on-premises installation of Active Directory Federation Services can be used so that the user identities mirrored in Azure AD are authenticated against the local AD at sign-in.

With Microsoft EMS. EMS adds Azure AD Premium. This brings a range of functionality: self-service password reset with write-back to the local AD for all users, multifactor authentication for all Azure services and even for on-premises applications, with advanced controls; self-service group management; advanced reports and alerts; and security controls that restrict where logins can occur from. The reports in Azure AD Premium let security teams spot user logins from unusual locations and potentially uncover compromised accounts.

Azure AD Premium also includes licensing for additional tools. Microsoft Identity Manager (MIM), formerly Forefront Identity Manager, allows for advanced on-premises identity management. If you have a compatible HR system, you can connect it to MIM and use it to provision accounts or keep existing accounts up to date with current information.

Azure AD Connect Health adds functionality to keep your on-premises identity infrastructure healthy. Installed alongside Azure AD Connect, the health module provides alerting, performance data and usage patterns for the synchronization and federation services.

Cloud App Discovery is useful when you want to expand the list of applications managed by Azure AD. Installed on user desktops, it monitors the cloud services users access and provides detailed analysis, helping administrators discover which existing applications could be brought under the control of Azure AD.

Without Microsoft EMS. Office 365 comes with Azure AD Free. This provides the out-of-the-box capabilities: synchronizing directories with the local AD, customizing login pages, self-service password reset for cloud IDs (logins that are not synchronized with a local AD domain) and multifactor authentication when logging into Office 365.

In addition to using your Azure AD with Office 365, you can also use applications with support for login with Azure AD identities -- including Salesforce and Dropbox.
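The Azure AD capabilities in this section that are available without EMS, as an added example that is not from the original article: a PowerShell script using the MSOnline module that reports whether directory synchronization is on and when it last ran, shows per domain whether passwords are verified in the cloud (managed) or by on-premises AD FS (federated), finds Global Administrators who do not have multifactor authentication enabled, and enables it for them. It assumes the MSOnline module is installed and the account running it holds the Global Administrator role; the UPNs are placeholders.

```powershell
# Added example (not from the original article): inspecting directory sync
# and federation state, then enforcing MFA on privileged accounts using only
# what Office 365 (Azure AD Free) includes. Assumes the MSOnline module is
# installed and the signed-in account is a Global Administrator.
Import-Module MSOnline
Connect-MsolService   # prompts for tenant admin credentials

# 1. Is directory sync enabled, and when did it last run? A stale
#    LastDirSyncTime is the first thing to check when on-premises changes
#    never appear in Office 365.
Get-MsolCompanyInformation |
    Select-Object DisplayName, DirectorySynchronizationEnabled,
                  LastDirSyncTime, PasswordSynchronizationEnabled

# 2. Per domain: Managed means passwords are verified in the cloud (cloud IDs
#    or password hash sync); Federated means on-premises AD FS verifies them.
Get-MsolDomain | Select-Object Name, Authentication, Status

# 3. Global admins without MFA. "Company Administrator" is the role's internal
#    name; StrongAuthenticationRequirements is empty when MFA is not enabled.
$role   = Get-MsolRole -RoleName "Company Administrator"
$admins = Get-MsolRoleMember -RoleObjectId $role.ObjectId |
    Where-Object { $_.RoleMemberType -eq "User" }
$noMfa  = foreach ($m in $admins) {
    $u = Get-MsolUser -UserPrincipalName $m.EmailAddress
    if (-not $u.StrongAuthenticationRequirements) { $u }
}
$noMfa | Select-Object UserPrincipalName, DisplayName

# 4. Enable MFA for those accounts. "Enabled" makes the user register at next
#    sign-in; "Enforced" also blocks clients that cannot do MFA unless an app
#    password is used, so roll it out in that order.
$req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$req.RelyingParty = "*"
$req.State = "Enabled"
foreach ($u in $noMfa) {
    Set-MsolUser -UserPrincipalName $u.UserPrincipalName `
        -StrongAuthenticationRequirements @($req)
}
```

Step 3 is worth running on a schedule even without Azure AD Premium: it will not tell you about logins from unusual locations, which is the Premium report the article mentions, but it will catch a newly added administrator who was never made to register for MFA.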

Advanced Threat Analytics

Advanced Threat Analytics (ATA) is a component of Microsoft EMS that has no equivalent or basic version in Office 365. ATA is firmly aimed at on-premises Active Directory deployments and runs entirely on premises: an ATA Gateway captures domain controller network traffic and Windows events, and the ATA Center analyzes them. It builds a profile of the daily behavior of users and devices in your organization, then flags deviations from that baseline along with known attack techniques and security issues.

These Microsoft EMS features provide a lot of additional functionality on top of the core Office 365 capabilities. Pay attention to what you do get -- many organizations find that the out-of-the-box capabilities of Office 365 are good enough. Like any technology, understand if you truly need it before you buy.
