Full and In-depth Office 365 Integration, per tenant/customer
Chisholm Wildermuth
I know this is a big ask, and won't be easy to implement (or quick), but it's becoming increasingly complex to manage many different Office 365 tenants. I have seen requests to include CSP billing, etc., which is great, but what I think we ultimately need is an RMM which fully assists with Office 365/Azure tenant management.
Step 1 on the list would be management of Alerts, issues, security problems, etc.
Regardless of anything else, I think this is of paramount concern. We shouldn't have a client calling us to tell us that they are locked out of their Office 365 account, only to discover malicious behavior from a strange location has locked them out. We should have a ticket on this, so we can research and resolve proactively (that is what we are supposed to be doing, right??). Alerts for mailboxes that are nearly full, compliance/data-leakage/PHI issues, etc.
Now, step 2 would of course be managing all of those policies, and being able to create groups and policies (similar to Group Policy haha) that would allow us to apply and change these settings or rules for many clients all at once. When new security options come out, or changes to security needs occur in Office 365, we want to be able to update the "default", or some sub-policy of the default, and have it apply to all of the tenants below. Conversely, if these policies change we need options to handle: Alert, Alert & Fix/Remediate, Alert & Ignore (probably with some kind of escalation/approval).
Like I said, I know this is asking a lot, and I know there are some third party vendors which already do the mass policy management/changes... but the primary ask for sure, is management of alerting for each tenant, so we can take actions on issues well before they become a problem.
Muhammad Ibrahim
I'll tell you what we do for something like this, because actually global admins by default get alerted for a set of pre-defined alerts. However, usually we don't assign licences to global admins or log into that email box.
So across all our tenants we now do this:
1) Create a shared Mailbox in the tenant
2) Go to users, assign it global admin roles
3) Block sign in
4) Set up email forwarding to our own MSP shared mailbox
5) Create a security policy to allow external email forwarding in the Security/Compliance admin centre
Now in our own shared mailbox we have all tenants' admin alerts collated :)
This is one thing we do; secondly, we have integrated 365 with a SIEM and set up monitoring to alert us for MFA failures. We do block other countries from logging in as well via conditional access policies.
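The five-step collector pattern in the reply above, written out as an added PowerShell example (not code from the thread or from SuperOps) so it can be applied the same way to every tenant and then verified step by step, which catches the case where a step such as "block sign-in" was skipped during onboarding. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules, delegated partner access to the tenant, and placeholder values for the tenant domain, alias and MSP collector address. One deliberate difference from step 5 as described: instead of allowing auto-forwarding tenant-wide, it creates a dedicated outbound spam policy and rule scoped to the collector mailbox only, so no other mailbox in the tenant gains external forwarding.

```powershell
# Added example, not code from the thread: applies the five-step alert-collector
# pattern to one tenant, then verifies each step so a skipped "block sign-in"
# is visible immediately. Assumes the ExchangeOnlineManagement and Microsoft.Graph
# modules and delegated (partner) access. Domain, alias and MSP mailbox are
# constructed placeholders.
param(
    [string]$TenantDomain    = 'contoso.onmicrosoft.com',   # placeholder
    [string]$MspAlertMailbox = 'o365-alerts@msp.example',   # placeholder
    [string]$Alias           = 'admin-alerts'               # placeholder
)

$Upn = "$Alias@$TenantDomain"
$GlobalAdminTemplateId = '62e90394-69f5-4237-9190-012177145e10'  # well-known GA role template id

Connect-ExchangeOnline -DelegatedOrganization $TenantDomain -ShowBanner:$false
Connect-MgGraph -TenantId $TenantDomain -NoWelcome `
    -Scopes 'User.ReadWrite.All', 'RoleManagement.ReadWrite.Directory'

# Step 1: shared mailbox (consumes no licence)
if (-not (Get-Mailbox -Identity $Upn -ErrorAction SilentlyContinue)) {
    New-Mailbox -Shared -Name $Alias -Alias $Alias -DisplayName 'Tenant admin alerts' `
        -PrimarySmtpAddress $Upn | Out-Null
}

# The mailbox's directory user can take a moment to appear in Graph; poll briefly.
$user = $null
for ($i = 0; $i -lt 12 -and -not $user; $i++) {
    $user = Get-MgUser -UserId $Upn -ErrorAction SilentlyContinue
    if (-not $user) { Start-Sleep -Seconds 10 }
}
if (-not $user) { throw "Directory object for $Upn not found" }

# Step 2: Global Administrator role (activate the role object if the tenant never has)
$role = Get-MgDirectoryRole -Filter "roleTemplateId eq '$GlobalAdminTemplateId'"
if (-not $role) { $role = New-MgDirectoryRole -RoleTemplateId $GlobalAdminTemplateId }
$isMember = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id | Where-Object Id -eq $user.Id
if (-not $isMember) {
    New-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -BodyParameter @{
        '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)"
    }
}

# Step 3: block interactive sign-in; this account only ever receives mail
Update-MgUser -UserId $user.Id -AccountEnabled:$false

# Step 4: forward to the MSP collector, keeping a copy in the tenant for audit
Set-Mailbox -Identity $Upn -ForwardingSmtpAddress $MspAlertMailbox -DeliverToMailboxAndForward $true

# Step 5: permit external auto-forwarding for this one sender only (not tenant-wide)
# via a dedicated outbound spam policy and a rule scoped to the collector mailbox
$policyName = 'Allow alert forwarding'
if (-not (Get-HostedOutboundSpamFilterPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-HostedOutboundSpamFilterPolicy -Name $policyName -AutoForwardingMode On | Out-Null
    New-HostedOutboundSpamFilterRule -Name $policyName -HostedOutboundSpamFilterPolicy $policyName `
        -From $Upn | Out-Null
}

# Verification: each step as a boolean, so drift or a skipped step shows up per tenant
function Test-AlertCollector {
    $mbx  = Get-Mailbox -Identity $Upn
    $u    = Get-MgUser -UserId $Upn -Property Id, AccountEnabled
    $rule = Get-HostedOutboundSpamFilterRule -Identity $policyName -ErrorAction SilentlyContinue
    [ordered]@{
        Tenant            = $TenantDomain
        MailboxIsShared   = $mbx.RecipientTypeDetails -eq 'SharedMailbox'
        IsGlobalAdmin     = [bool](Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id | Where-Object Id -eq $u.Id)
        SignInBlocked     = -not $u.AccountEnabled
        ForwardsToMsp     = ($mbx.ForwardingSmtpAddress -replace '^smtp:', '') -eq $MspAlertMailbox
        ForwardingAllowed = [bool]($rule -and $rule.State -eq 'Enabled' -and ($rule.From -contains $Upn))
    }
}

$result = Test-AlertCollector
$result
if ($result.Values -contains $false) { throw "Alert collector setup incomplete for $TenantDomain" }
```

Run once per tenant from the partner context; the final check block is also useful on its own as a periodic audit, since a tenant where the forwarding rule was later disabled or the account was re-enabled will fail it rather than silently stop delivering alerts.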
Chisholm Wildermuth
Muhammad Ibrahim: We do something similar (for a lot of products, not just O365), but I think ultimately moving to true integrations and away from random emails is ideal. We get a LOT of emails from dozens of products, and creating rules to parse or manage all of those becomes a challenge. It's definitely a viable work-around... but as I mentioned above, I'd almost rather be able to connect a tenant to SuperOps, and have it create/generate all of our standards for us (i.e. all of those shared mailboxes, etc). I'm not even opposed if it starts out with PowerShell scripts (as long as we have some way to pull variables from other parts of SuperOps so we can standardize a script), but of course having something a little more graphical is always nice.
Part of the issue is that, even with onboarding docs etc., there seem to be things that are missed, i.e. maybe the shared account gets created, but someone forgets to block sign-in, etc. Or, as I also mentioned above, security options and values and choices in O365 are constantly changing, so something that made sense to do 5 years ago is completely wrong today. We just need a better way to standardize on the security and alerting and management.
Of course, if you can take an integration this far, there's almost no reason why you couldn't then also have SuperOps generating O365 accounts for you, or bringing in and linking all user accounts to "Requesters", etc. I think once you got the ball rolling, you could do a LOT to integrate the two products. Even to the point that "Requesters" could SSO into SuperOps with their AzureAD accounts.
We have similar options with our current RMM although implementations are lacking, and across various products I see different levels of support for "integration"....sometimes it's just as simple as linking O365 accounts with users, and other times it's more management of the tenant, and less about bringing users across. No one really seems to get it "all" right.
Muhammad Ibrahim
Chisholm Wildermuth: There's definitely a need; maybe SuperOps could integrate with someone like Augmentt for this.
There's also a free Azure app you can deploy called CIPP (sponsored by multiple RMMs etc.).
SuperOps already has some level of Azure integration, although I've not checked it out personally yet.
Doug Hall
Sounds perfect.
A blend of tickets, RMM, and CIPP.