
Let’s be honest, mobility and the principle of bringing your own device (BYOD) is probably giving you a headache. You’re being forced to evolve in a complex landscape that includes user privacy, device management, application deployment and much more. Most cloud-based apps are a double-edged sword: they’re a joy for your users while being a nightmare for you.




Microsoft 365 makes digital transformation safer

The on-premises model, in which data was reached only from enterprise-controlled devices over a few tightly controlled channels, is outdated. The line between laptops and mobile devices is blurrier than ever. Android and iOS devices now match entry-level laptops in processing power, which makes them perfectly capable of running the full productivity suite. That brings its own challenges, especially for the security of your content. Employees' interactions with external users, devices, apps and data have become increasingly complex, generating new blind spots for you.

Managing identities and devices, protecting information and responding to new attack techniques are no longer separate chores; each has grown into a platform of its own, and each needs governance planning around security and identity management. Microsoft Enterprise Mobility + Security (EMS) was designed to manage and protect users, devices, apps and data as one integrated suite. It lets companies control who has access to corporate resources while protecting business and customer information on any device, anywhere, in real time.

The following three features demonstrate how Microsoft EMS can help secure your Microsoft 365 tenants, and in turn protect your information and investments.


3 Microsoft Enterprise Mobility + Security features that protect your Microsoft 365 tenants

1) Identity management

Your users want single sign-on across their applications and, honestly, we all hate remembering multiple IDs and passwords. That is why you run an on-premises directory such as Microsoft Active Directory. But given how widely Microsoft 365 and other SaaS applications are used, connecting each of them directly to that on-premises directory would leave you with dozens of point-to-point integrations into Active Directory, each with its own service account, certificate and failure mode. That way lies chaos.

Fortunately for you, there's a simpler approach: a cloud identity service, Azure Active Directory (AD) Premium. Your on-premises directory is still essential, but you synchronize it to Azure AD (through Azure AD Connect) and Azure AD, in turn, handles the connection to each SaaS application. Azure AD currently provides single sign-on to more than 2,000 cloud applications, including Microsoft 365, Box and ServiceNow. The service does more than single sign-on; it also offers the following features:

Built-in multi-factor authentication (MFA)

With multi-factor authentication, users must present a password plus a second factor before they can sign in, such as a code sent to their mobile phone or an approval prompt in an authenticator app. One caveat a practitioner should keep in mind: a code sent by SMS is the weakest of the available factors (it can be intercepted or phished), so prefer the authenticator app or a FIDO2 security key where you can.

Risk-based conditional access

Conditional access is a policy engine that evaluates every sign-in against the signals available to it, including group membership, the sensitivity of the application being requested, device state (enrolled, compliant, managed app), location and the sign-in risk score calculated by Azure AD Identity Protection. Based on that assessment a policy can allow access, require multi-factor authentication, require a compliant device or block the sign-in outright.

Privileged access management

Privileged access management (delivered in Azure AD as Privileged Identity Management) provides additional control over identities that hold privileged roles, including the ability to discover who has them, make the assignments time-bound and approval-based rather than permanent, and monitor and audit their use.

Secure remote access

Secure remote access (Azure AD Application Proxy) lets users reach on-premises web applications that you publish through Azure AD without a virtual private network (VPN). Because the sign-in passes through Azure AD, the same multi-factor authentication and conditional access controls based on device health, location and identity apply to these legacy applications, and the same security reports, audit logs and alerts cover them.

Cross-organizational collaboration

Cross-organizational collaboration, through Azure AD B2B, lets you grant vendors, contractors and partners access to in-house resources as guest accounts in your tenant. The guests sign in with their own organization's identity, you never hold their credentials, and the same conditional access and access review controls you apply to employees can be applied to them; it is controlled access, not risk-free access, so review guest accounts regularly.

How Microsoft EMS protects the identity of your users using Advanced Threat Analytics:

Advanced Threat Analytics (ATA) is the on-premises component of EMS. It monitors the traffic to your domain controllers and builds a behavioral baseline for each user and device, then flags deviations such as reconnaissance, abnormal resource access and credential theft techniques (for example Pass-the-Hash or Pass-the-Ticket), alerting security staff when an account may have been compromised.


2) Device management

Managing mobile devices such as phones and tablets has become essential for most organizations. Mobile device management (MDM) is a built-in Microsoft 365 feature, configured through the Security and Compliance center, that lets you enforce settings on enrolled devices. Mobile application management (MAM) is the complementary capability: rather than controlling the whole device, it controls the applications that hold corporate data and the data inside them.

Microsoft Intune is another feature of Microsoft Enterprise Mobility + Security that provides more advanced features and benefits such as:

Mobile application management (without enrollment)

Mobile application management without enrollment gives you the flexibility to control Office Mobile and other supported applications on your users' iOS, Android and Windows devices without enrolling the device in Intune. App protection policies can, for example, require a PIN to open the app, block copy and paste into unmanaged apps and prevent saving corporate files to personal storage, which is what makes BYOD workable without taking over the user's personal device.

Multi-identity management

Multi-identity management enables users to access both their personal and work accounts using the same Office mobile apps, while only applying the MAM policies to their work account. This provides employees with a seamless experience while they are on the go.

Selective wipe of corporate data

Selective wipes of corporate data remove apps, email, data, management policies, and networking profiles from user devices remotely, while leaving personal data intact.

Unified endpoint management solution

The unified endpoint management solution lets you manage your organization’s mobile devices and desktop PCs from the same administrative environment. This is made possible through the tight integration Microsoft has created between Intune and System Center Configuration Manager.

Self-service capabilities

Self-service capabilities enable users to perform tasks like resetting their password and joining and managing groups through a single portal, saving your IT helpdesk time and money. (Self-service password reset and group management are Azure AD Premium features, available to users on any iOS, Android or Windows device in your mobile ecosystem.)

How to enroll a device to Microsoft EMS:

With Azure AD Premium, a device that is joined to Azure AD can be enrolled into Intune automatically, and from that point on conditional access and Intune policies govern which applications it can reach and under what conditions.
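To make the risk-based conditional access described under identity management and the device-state controls described in this section concrete, here is an added example (not code from the original article or from Microsoft) that creates three conditional access policies with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed, that the signed-in administrator holds the Conditional Access Administrator role, and that the break-glass group ID is a placeholder you replace with your own; the Exchange Online application ID is Microsoft's well-known value.

```powershell
# Added example (not from the original article): three conditional access
# policies created with the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph module installed, signed-in admin holds the
# Conditional Access Administrator role, and $breakGlassGroupId is a
# placeholder you must replace with your own emergency-access group.
Import-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All"

$breakGlassGroupId   = "00000000-0000-0000-0000-000000000000"   # placeholder
$exchangeOnlineAppId = "00000002-0000-0ff1-ce00-000000000000"   # well-known Exchange Online app ID

# Every policy starts in report-only mode so you can review the sign-in log
# impact before enforcing it. Switch state to "enabled" after review.
$reportOnly = "enabledForReportingButNotEnforced"

# Policy 1: block sign-ins that Identity Protection rates as high risk.
$blockHighRisk = @{
    displayName = "Block high sign-in risk"
    state       = $reportOnly
    conditions  = @{
        users            = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications     = @{ includeApplications = @("All") }
        clientAppTypes   = @("all")
        signInRiskLevels = @("high")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Policy 2: require MFA at medium risk. A separate policy is needed because
# each policy carries a single grant-control set.
$mfaMediumRisk = @{
    displayName = "Require MFA at medium sign-in risk"
    state       = $reportOnly
    conditions  = @{
        users            = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications     = @{ includeApplications = @("All") }
        clientAppTypes   = @("all")
        signInRiskLevels = @("medium")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Policy 3: device state. On iOS/Android, Exchange Online is reachable only
# from an Intune-compliant (enrolled) device OR from an app carrying an Intune
# app protection policy, which is the MAM-without-enrollment case.
$mobileDeviceState = @{
    displayName = "Mobile access to Exchange Online needs compliant device or protected app"
    state       = $reportOnly
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @($exchangeOnlineAppId) }
        clientAppTypes = @("mobileAppsAndDesktopClients", "browser")
        platforms      = @{ includePlatforms = @("iOS", "android") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice", "compliantApplication") }
}

foreach ($policy in @($blockHighRisk, $mfaMediumRisk, $mobileDeviceState)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host ("Created '{0}' ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State)
}

# Sanity check: list what is still in report-only mode before you enable anything.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object State -eq $reportOnly |
    Select-Object DisplayName, Id
```

Two design choices matter here. The break-glass exclusion is not optional: a policy that blocks or requires MFA for "All" users with no exclusion can lock every administrator out of the tenant if MFA or Identity Protection has an outage. And report-only mode costs nothing while it tells you, from the sign-in log, exactly which users and apps a policy would have affected.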


3) Information protection

With Microsoft 365 applications such as OneDrive, SharePoint & Exchange, important questions around security and identity management are raised:

  • Who is allowed to access a particular document?
  • What kind of access is permitted: reading, writing, or something else?
  • How do you make sure the data is protected from its creation, and that the protection travels with the data wherever it goes?

Having this kind of control was important even before mobile devices and cloud computing. Today, in a mobile-first, cloud-first world, with users and applications spread all over the planet, it matters even more. Azure Information Protection provides many benefits, including:

Classify, label and protect data

Classifying, labeling and protecting data at the time of creation or being able to modify it later is a key feature. You can use policies to classify and label data in intuitive ways based on its source, context and content. The classification can be fully automated, user-driven or based on a recommendation. Once data is classified and labeled, protection can be applied automatically on that basis.

Simple and intuitive controls

You need to give your users simple and intuitive controls that protect their data without hindering their productivity. Classification and protection controls are integrated into Office and other common applications, so securing a document is a one-click action from within the app the user is already working in. In-product notifications recommend a label when content looks sensitive, helping users make the right decision.

Visibility and control over shared data

Document owners can track who has opened shared data, and from where, and revoke access when necessary, even after the file has left the organization, because the access check happens each time the protected file is opened. Logging and reporting let you monitor and analyze how shared data is being used.

Cloud and on-premises data protection

Protect data whether it is stored in the cloud or on-premises and choose how your encryption keys are managed with Bring Your Own Key options.
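As an added example of the classify, label and protect workflow described above (not code from the original article or from Microsoft), the following creates a sensitivity label that applies encryption and a content marking, then publishes it to users. It uses Security & Compliance PowerShell from the ExchangeOnlineManagement module, which is where unified sensitivity labels are configured; "contoso.com", the administrator UPN, the label name and the policy name are placeholders, and the usage-right identifiers should be checked against Get-Help New-Label in your own tenant, since the cmdlet's parameter set has evolved over time.

```powershell
# Added example (not from the original article): a sensitivity label that
# encrypts content on application, plus the policy that publishes it.
# Assumptions: ExchangeOnlineManagement module installed; "contoso.com",
# admin@contoso.com and the label/policy names are placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName admin@contoso.com   # placeholder UPN

# The label. Encryption is applied the moment the label is applied, so the
# protection travels with the file. Rights are granted to everyone in the
# tenant domain; external identities get nothing unless listed here.
New-Label -Name "Confidential" `
    -DisplayName "Confidential" `
    -Tooltip "Business data that must not leave the organization" `
    -EncryptionEnabled $true `
    -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions "contoso.com:VIEW,DOCEDIT,EDIT,PRINT,EXTRACT,REPLY,REPLYALL,FORWARD,OBJMODEL" `
    -EncryptionContentExpiredOnDateInDaysOrNever Never `
    -EncryptionOfflineAccessDays 7 `
    -ApplyContentMarkingHeaderEnabled $true `
    -ApplyContentMarkingHeaderText "CONFIDENTIAL"

# Publish the label. Offline access is capped at 7 days above so that a
# revoked file stops opening within a week even on a device that never
# reconnects; RequireDowngradeJustification makes removing or lowering the
# label an audited action that the user must justify.
New-LabelPolicy -Name "Confidential label policy" `
    -Labels "Confidential" `
    -ExchangeLocation All `
    -AdvancedSettings @{ RequireDowngradeJustification = "true" }

# Verify what was created.
Get-Label -Identity "Confidential" |
    Format-List Name, EncryptionEnabled, EncryptionRightsDefinitions, EncryptionOfflineAccessDays
```

The rights string is the part to review most carefully: leaving out EXTRACT, for instance, stops users copying content out of a protected document, while OWNER would let them strip the protection entirely, so grant the minimum set the business process actually needs.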

Below is a representation of how Microsoft EMS prevents your users from downloading (either accidentally or intentionally) the content to unapproved applications. It also prevents them from sending sensitive information to unauthorized users.

EMS protects corporate information by allowing it to be used and copied only within a managed environment, and by embedding the access policy directly into the encrypted file, so the controls follow the data rather than the location it happens to be stored in.


Increase productivity while remaining secure, anywhere

Microsoft EMS lets you empower your people to be productive on the devices they love while protecting your company's assets. By moving what used to be on-premises services to the cloud, EMS helps your organization be more productive, better managed and more secure through its digital transformation. Because identity, device management and information protection are integrated with one another, you get a complete solution rather than three disconnected tools.

Written by The Sherweb Team Collaborators @ Sherweb

As a value-added cloud solutions provider, Sherweb is dedicated to providing more for its partners, direct customers and extended network. The Sherweb Blog is just one example of how we make this happen, and our team members frequently collaborate on content to ensure it's as beneficial as possible for our readers. If you like what you see here, we strongly encourage you to subscribe!