Overview of Advanced Deployment Guides & Assistance
As you most probably know, there are Advanced deployment guides available on your Microsoft 365 tenant. These guides help you configure different settings and onboard services based on your requirements and scenarios. They are accessible from the Training, guides & assistance card on the Microsoft 365 tenant.
When you visit the Advanced deployment guides & assistance section, you will notice several suggestions based on the current configuration of your tenant. If you scroll down a bit on the main page of Advanced deployment guides & assistance, you will see the advanced deployment guides available.
There are 40+ guides available in 8 different categories, such as:
- Identity and authentication
- Security and compliance
- Endpoint management
- Microsoft Edge browser deployment and security
- Communication and conferencing with Microsoft Teams
- Email migration and security
- Microsoft 365 productivity apps
Our focus for this post will be on the “Set up your Zero Trust security model” guidance under the Security and compliance category.
Set up your Microsoft Zero Trust security model
The first item under the Security and compliance category is the Set up your Microsoft Zero Trust security model advanced guidance. This guidance checks the licensing available on the tenant and shows the existing license base and whether additional licensing is required. In our environment, we are covered end to end with Microsoft 365 E5 licensing in place.
The Set up your Microsoft Zero Trust security model guidance has two main sections: Standard pillars and Advanced pillars. Standard pillars cover configuration guidance for the Identity, Endpoints, Data and Apps pillars, while Advanced pillars cover guidance for the Infrastructure and Network pillars.
When you click on any pillar, you are presented with its details: where the pillar fits in the security model, which advanced deployment guides are available in it, and an assignment tracking field that can be used as an integrated project management solution for the tasks in that pillar. You can assign these tasks to an administrator or an operator with the required privileges, define a due date, update the progress status and move forward.
You can use the links in the Get started section to take the necessary actions based on the advanced deployment guide. For the identity security pillar, we can start configuring MFA, set up MDI (Microsoft Defender for Identity), plan our passwordless deployment and set up fundamental Azure AD features.
As an example, and because it is a common best practice, I’d like to continue with the Configure multifactor authentication guidance.
Creating MFA Policies Automatically by Advanced Deployment Guide
When a guide is started, it checks the licensing available and the existing configuration in the tenant and provides options accordingly. On the first page of the guidance, we are presented with information such as what MFA is and why it is important. It also gives us insights based on the current configuration.
Moving forward within the Configure MFA guidance, it shows Conditional Access policy templates such as Require MFA for admins, Block all legacy sign-ins that don’t support MFA, Require MFA for external accounts and Require MFA for internal users – Advanced risk detection. The details of each template are available by hovering over the tooltip at the right side of the template.
These tooltips are useful for understanding what each template enforces in terms of Conditional Access policies.
When the configuration is saved using the Save Configuration button on the Configure Adaptive MFA using conditional access page, a message stating that the configuration is saved and enforced is shown.
We can then move forward in the deployment guide. As you will notice, the insight about the tenant configuration has already changed to show that “Adaptive MFA Using Conditional Access” is on, and we have the option to click the Manage Conditional Access button to review the Conditional Access policies created by the Advanced Deployment Guide itself.
It is possible to click the Manage Conditional Access button on the final page of the guidance and make changes to those policies as needed.
The number of policies created in Conditional Access can differ based on the selections made in the templates in the advanced deployment guide. In my case, I can see that 10 different policies are created and turned on.
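Because the guide creates and enables several policies in one step, it helps to review them outside the portal as well. The following is an added example, not part of the original post or of Microsoft's tooling: it summarizes a Conditional Access export in the shape returned by Microsoft Graph (`GET /identity/conditionalAccess/policies`) and flags policies that are not enforced or that have no exclusions. The sample policies, display names and ids are constructed, and `classify` and `review` are hypothetical helper names.

```python
import json
import sys

# Constructed sample shaped like a Graph conditionalAccessPolicy list (not tenant data).
SAMPLE_EXPORT = {"value": [
    {"displayName": "Require MFA for admins", "state": "enabled",
     "conditions": {"clientAppTypes": ["all"],
                    "users": {"includeRoles": ["<constructed-role-id>"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block legacy sign-ins",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"clientAppTypes": ["exchangeActiveSync", "other"],
                    "users": {"includeUsers": ["All"],
                              "excludeGroups": ["<constructed-group-id>"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Require MFA for external accounts", "state": "enabled",
     "conditions": {"clientAppTypes": ["all"],
                    "users": {"includeUsers": ["GuestsOrExternalUsers"],
                              "excludeUsers": ["<constructed-user-id>"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]}
LEGACY_CLIENTS = {"exchangeActiveSync", "other"}  # Graph legacy-auth client types

def classify(policy):
    """Return 'block-legacy', 'require-mfa' or 'other' from the grant controls."""
    controls = set((policy.get("grantControls") or {}).get("builtInControls") or [])
    clients = set(policy.get("conditions", {}).get("clientAppTypes") or [])
    if "block" in controls and clients and clients <= LEGACY_CLIENTS:
        return "block-legacy"
    return "require-mfa" if "mfa" in controls else "other"

def review(export):
    """One row per policy, with findings that deserve a manual look."""
    rows = []
    for policy in export.get("value", []):
        users = policy.get("conditions", {}).get("users") or {}
        findings = []
        if policy.get("state") != "enabled":
            findings.append("not enforced (state=%s)" % policy.get("state"))
        if not (users.get("excludeUsers") or users.get("excludeGroups")):
            findings.append("no user or group exclusions; check emergency-access accounts")
        rows.append({"name": policy.get("displayName"),
                     "intent": classify(policy), "findings": findings})
    return rows

if __name__ == "__main__":
    # Pass a saved Graph export as the first argument, else use the sample.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_EXPORT
    for row in review(data):
        print(row["name"], "|", row["intent"], "|", "; ".join(row["findings"]) or "ok")
```

A policy with no exclusions is not wrong in itself; the finding is a prompt to confirm that emergency-access accounts cannot be locked out once the policy is enforced.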
Microsoft 365 has different wizard-like experiences called Advanced Deployment Guides. IT admins can use these experiences to have configurations applied in an easy way. When it comes to securing the digital estate, the Zero Trust model has its own digital guidance that comprises different experiences in different pillars such as identity, endpoints, apps and data.