Enterprise Mobility and Security Blog

RSS

Hey y’all, Mark Morowczynski here with another Friday mailbag. I realize we’ve been sort of slacking on these for the last 2 months but we are looking to finish the calendar year strong. Key word being looking. We’ll continue last week’s topic of things to consider with international deployments. Let’s dive in.

 

Question 1:

Your documentation states that Azure AD Premium is not supported in China. I am a US customer but have 200 employees located in China. Will my users in China not be able to get the Azure AD Premium functionalities such as MFA, SSPR, and Azure App Proxy?

Answer 1:

We hear this question frequently for customers who operate in China but, I’m going to borrow some words from Brjann Brekkan, (another member on our team) for this response:

Azure AD Premium and its capabilities is not currently available in Tenants hosted in our Mainland China Azure AD instance such as when a company signs up for Office 365 or Azure operated by our partner 21Vianet. A company with Tenant in our Global Azure AD instance, hosted in our global datacenters, has access to Azure AD Premium services and all employees in that Tenant, including those in China, can leverage the services.

Question 2:

I have multiple brands within my company. Some of the companies I’ve acquisitioned are in different countries and have their own IT staff that manages their identities. Is there a way I can limit admin access based on location? (e.g. Help Desk in France supports users only in France)

Answer 2:

Today this can be done with Administrative Units. There are some caveats though:

  • The only resources that Administrative Units can be applied to is users
  • Configuring these can only be done through PowerShell (there is no GUI as of today)
  • Administrative Units are not dynamic (meaning you must manually add new users as they become qualified to be a member of the scoped group or a member of the role that you have defined)

Even with these caveats, this is still a very powerful tool for scoping and decreasing surface area from a risk perspective. Remember, this is a defense in depth type strategy. Privileged accounts are high value targets – shrink your surface area as much as possible!

Question 3:

I’m concerned about charges that may occur for my users that operate outside of the US. Will Microsoft charge my users long distance fees for SMS/Phone calls? Where is the SMS/Phone calls coming from with Azure MFA and SSPR?

Answer 3:

Azure AD phone calls come from the United States – which is why the caller ID phone number must be a US number. However, text messages may come from US (+1), UK (+44) or other countries. It may vary for each authentication based on the destination and the provider we use to send each text message.

We do not charge the end user or tenant for processing calls/SMS for countries outside of the United States. Some providers may charge for receiving long-distance SMS/Phone calls but this is purely based on the user’s carrier (This is no different than requiring a phone plan to receive SMS or voice calls). We do have other options available for both SSPR and MFA that do not require SMS/Phone calls (e.g. Azure Authenticator app for MFA and Q/A gate for SSPR) but does require internet connectivity.

Fun Fact: For Azure MFA, you can change the Caller ID Phone Number but this is only from US phone numbers only.

 

clip_image001

 

Question 4:

Within my company, we own multiple brands; we are looking to customizing the feel of our O365 Portal/Access Panel page. It only gives me one option to brand my tenant – what are other customers doing?

Answer 4:

Yes, each image has an independent upload for branding as seen on the Large Illustration below. Most companies that have deployed Azure AD and own multiple brands usually do one of two things

  1. Use an icon from their parent company that represents their company as a whole (a recognizable image for all brands)
  2. Use the “Large Illustration/Background Color” image and incorporate multiple brands on this same image. This allows a unified company representation on your main log on page for the cloud. This image is seen in the top left corner of the screenshot below.

 

clip_image001[8]

 

Image Options to Upload

clip_image001[10]

 

Question 5:

I operate in multiple countries and I’m about to deploy multiple Microsoft cloud services. Where can I get started with reading up on Microsoft’s documentation on how data is managed from a global perspective?

Answer 5:

I recommend visiting Microsoft’s Trust Center to learn more about how Microsoft helps secure your data. Here are a few links to get you started:

Please let us know if you have any additional feedback. Also, join myself or one of my team members in a live discussion on our Webinar platform that we host – covering a variety topics. Join the conversation here. I look forward to chatting with ya’ll!

 

We hope you’ve found this post and this series to be helpful. For any questions you can reach us at
AskAzureADBlog@microsoft.com, the Microsoft Forums and on Twitter @AzureAD, @MarkMorow and @Alex_A_Simons

 

-Chad Hasbrook, Mark Morowczynski, Shawn Bishop, Yossi Banai,  Damien Gallot, Brjann Brekkan, Ariel Gordon, and Dan Mace.