MSFT Cloud Architecture Contoso

Microsoft Cloud Architecture Whitepaper


Contoso in the Microsoft Cloud
How a fictional but representative global organization has implemented the Microsoft Cloud. This topic is 1 of 7 in a series.

The Contoso Corporation

The Contoso Corporation is a global business with headquarters in Paris, France. It is a conglomerate manufacturing, sales, and support organization with over 100,000 products.

Contoso's worldwide organization

[Figure: world map of Contoso's offices. Headquarters: Paris. Regional hubs and satellite offices: Toronto, Edinburgh, Novosibirsk, Detroit, Montreal, Cologne, Chicago, Boston, Tokyo, Minneapolis, Moscow, Dublin, Beijing, Silicon Valley, Thames Valley, Munich, Los Angeles, St. Louis, New York, Dubai, Irvine, Philadelphia, Mumbai, Dallas, Reston, Milan, Taipei, Charlotte, Tel Aviv, Atlanta, Guangzhou, Mexico City, Houston, Bangalore, Sao Paulo, Singapore, Johannesburg.]

Contoso's offices around the world follow a three-tier design.

Headquarters
The Contoso Corporation headquarters is a large corporate campus on the outskirts of Paris with dozens of buildings for administrative, engineering, and manufacturing facilities. All of Contoso's datacenters and its Internet presence are housed in the Paris headquarters. The headquarters has 15,000 workers.

Regional hubs
Regional hub offices serve a specific region of the world with 60% sales and support staff. Each regional hub is connected to the Paris headquarters with a high-bandwidth WAN link. Each regional hub has an average of 2,000 workers.

Satellite offices
Satellite offices contain 80% sales and support staff and provide a physical and on-site presence for Contoso customers in key cities or sub-regions. Each satellite office is connected to a regional hub with a high-bandwidth WAN link. Each satellite office has an average of 250 workers.

Mobile-only workers
25% of Contoso's workforce is mobile-only, with a higher percentage of mobile-only workers in the regional hubs and satellite offices. Providing better support for mobile-only workers is an important business goal for Contoso.

Elements of Contoso's implementation of the Microsoft cloud

Contoso's IT architects have identified the following elements when planning for the adoption of Microsoft's cloud offerings.

Networking
Networking includes the connectivity to Microsoft's cloud offerings and enough bandwidth to be performant under peak loads. Some connectivity will be over local Internet connections and some will be across Contoso's private network infrastructure. (See Microsoft Cloud Networking for Enterprise Architects.)

Identity
Contoso uses a Windows Server AD forest for its internal identity provider and also federates with third-party providers for customers and partners. Contoso must leverage the internal set of accounts for Microsoft's cloud offerings. Access to cloud-based apps for customers and partners must leverage third-party identity providers as well. (See Microsoft Cloud Identity for Enterprise Architects.)

Security
Security for cloud-based identities and data must include data protection, administrative privilege management, threat awareness, and the implementation of data governance and security policies. (See Microsoft Cloud Security for Enterprise Architects.)

Management
Management for cloud-based apps and SaaS workloads will need the ability to maintain settings, data, accounts, policies, and permissions and to monitor ongoing health and performance. Existing server management tools will be used to manage virtual machines in Azure IaaS.

September 2017 © 2016 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at [email protected].
Contoso in the Microsoft Cloud: topic 2 of 7

Contoso's IT infrastructure and needs


Contoso is in the process of transitioning from an on-premises, centralized IT infrastructure to a cloud-inclusive
one that incorporates cloud-based personal productivity workloads, applications, and hybrid scenarios.

Contoso's existing IT infrastructure

Contoso uses a mostly centralized on-premises IT infrastructure, with application datacenters in the Paris headquarters.

[Figure: the headquarters DMZ sits between an internal firewall (application datacenters and on-premises workers behind it) and an external firewall facing the Internet (remote and mobile-only workers, customers, partners). The DMZ hosts the remote access/proxy servers, the public web site, and the partner extranet.]

In Contoso's DMZ, different sets of servers provide:

• Remote access to the Contoso intranet and web proxying for workers in the Paris headquarters.
• Hosting for the Contoso public web site, from which customers can order products, parts, or supplies.
• Hosting for the Contoso partner extranet for partner communication and collaboration.

Contoso's business needs

1. Adhere to regional regulatory requirements. To prevent fines and maintain good relations with local governments, Contoso must ensure compliance with data storage and encryption regulations.

2. Improve vendor and partner management. The partner extranet is aging and expensive to maintain. Contoso wants to replace it with a cloud-based solution that uses federated authentication.

3. Improve mobile workforce productivity, device management, and access. Contoso's mobile-only workforce is expanding and needs device management to ensure intellectual property protection and more efficient access to resources.

4. Reduce remote access infrastructure. By moving resources commonly accessed by remote workers to the cloud, Contoso will save money by reducing maintenance and support costs for their remote access solution.

5. Scale down on-premises datacenters. The Contoso datacenters contain hundreds of servers, some of which are running legacy or archival functions that distract IT staff from maintaining high business value workloads.

6. Scale up computing and storage resources for end-of-quarter processing. End-of-quarter financial accounting and projection processing, along with inventory management, requires short-term increases in servers and storage.

Mapping Contoso's business needs to Microsoft's cloud offerings

The numbers in parentheses refer to the business needs above.

SaaS (Software as a Service)
• Office 365: Primary personal and group productivity applications in the cloud. (1, 3, 5)
• Dynamics 365: Use cloud-based customer and vendor management. Remove the partner extranet in the DMZ. (2)
• Intune/EMS: Manage iOS and Android devices. (3)

Azure PaaS (Platform as a Service)
• Host sales and support documents and information systems using cloud-based apps. (3)
• Mobile applications are cloud-based, rather than Paris datacenter-based. (3, 4)

Azure IaaS (Infrastructure as a Service)
• Move archival and legacy systems to cloud-based servers. (5)
• Migrate low-use apps and data out of on-premises datacenters. (5)
• Add temporary servers and storage for end-of-quarter processing needs. (6)

Contoso in the Microsoft Cloud: topic 3 of 7

Networking
To adopt a cloud-inclusive infrastructure, Contoso's network engineers realized the fundamental shift in the way that network traffic to cloud-based services travels. Instead of only optimizing traffic to on-premises servers and datacenters, equal attention must be paid to optimizing traffic to the Internet edge and across the Internet.

Contoso's networking infrastructure

Contoso has the following networking infrastructure.

[Figure: world map of the Paris headquarters and the regional hubs in Chicago, Tokyo, Thames Valley, Moscow, Beijing, New York, Irvine, Dubai, Mexico City, Bangalore, Sao Paulo, and Johannesburg.]

On-premises network
WAN links connect the Paris headquarters to regional offices and regional offices to satellite offices in a hub-and-spoke configuration. Within each office, routers deliver traffic to hosts or wireless access points on subnets, which use the private IP address space.

Internet connectivity
Each office has its own Internet connectivity via a proxy server. This is typically implemented as a WAN link to a local ISP that also provides public IP addresses for the proxy server.

Internet presence
Contoso owns the contoso.com public domain name. The Contoso public web site for ordering products is a set of servers in an Internet-connected datacenter in the Paris campus. Contoso uses a /24 public IP address range on the Internet.

Contoso's app infrastructure

Contoso has architected its application and server infrastructure for the following:

• Satellite offices use local caching servers to store frequently-accessed documents and internal web sites.
• Regional hubs use regional application servers for the regional and satellite offices. These servers synchronize with servers in the Paris headquarters.
• The Paris campus has the datacenters that contain the centralized application servers that serve the entire organization.

[Figure: satellite office (caching server) to regional hub (regional application servers) to Paris campus (central application datacenters); 60% of requests can be served at the satellite or regional tier, 100% from Paris.]

For users in satellite or regional hub offices, 60% of the resources needed by employees can be served by satellite and regional hub office servers. The additional 40% of resource requests must go over the WAN link to the Paris campus.
Contoso's network analysis

Here are the results of Contoso's analysis of the changes needed on their network to accommodate the different categories of Microsoft's cloud offerings.

SaaS cloud offerings (Office 365, EMS, and Dynamics 365)
Successful adoption of SaaS services by users depends on highly-available and performant connectivity to the Internet, or directly to Microsoft cloud services. For mobile users, their current Internet access is assumed to be adequate. For users on the Contoso intranet, each office must be analyzed and optimized for throughput to the Internet and round-trip times to Microsoft's Europe datacenter hosting the Office 365, EMS, and Dynamics 365 tenants.

Azure PaaS (mobile applications)
To better support mobile workers, legacy apps and some file sharing sites are being reworked and deployed as Azure PaaS apps. For optimum performance, Contoso plans to deploy the new apps from multiple Azure datacenters across the world and to use Azure Traffic Manager to send client app requests, whether they originate from a mobile user or a computer in the office, to the nearest Azure datacenter hosting the app. The IT department will need to add PaaS application performance and traffic distribution to their network monitoring solution.

Azure IaaS (server-based workloads)
To move some legacy and archival servers out of the Paris campus datacenters and add servers as needed for quarter-end processing, Contoso plans to use virtual machines running in Azure infrastructure services. The Azure virtual networks that contain these servers must be designed for non-overlapping address spaces, routing, and integrated DNS. The IT department must include these new servers in their network management and health monitoring system.

Contoso's use of ExpressRoute

ExpressRoute is a dedicated WAN connection from your location to a Microsoft peering location that connects your network to the Microsoft cloud network. ExpressRoute connections provide predictable performance and a 99.9% uptime SLA.

With an ExpressRoute connection, you are connected to the Microsoft cloud network and all the Microsoft datacenter locations in the same continent. The traffic between the cloud peering location and the destination Microsoft datacenter is carried over the Microsoft cloud network.

With ExpressRoute Premium, you can reach any Microsoft datacenter on any continent from any Microsoft peering location on any continent. The traffic between continents is carried over the Microsoft cloud network.

Based on the analysis of current and future traffic to Microsoft's cloud offerings, Contoso has performed a network assessment and implemented an any-to-any (MPLS-based) ExpressRoute connection for access to Azure resources, with private and public peering relationships, from the Paris headquarters to the Microsoft peering location in Europe.

Consistent performance for administration of distributed Azure PaaS apps
All of Contoso's application developers and core infrastructure IT administrators are in the Paris campus. With Azure PaaS apps distributed to different Azure datacenters around the world, Contoso needs consistent performance from the Paris campus to administer the apps and their storage resources, which consist of terabytes of documents.

Consistent performance for administration of servers in Azure IaaS
Contoso's datacenter administrators are in the Paris campus, and the servers to be deployed in Azure are an extension of the Paris datacenter. Contoso needs consistent performance to these new servers for access to legacy apps and archival storage and for end-of-quarter processing.

Contoso's path to cloud networking readiness

1. Optimize employee computers for Internet access. Individual computers will be checked to ensure that the latest TCP/IP stack, browser, NIC drivers, and security and operating system updates are installed.

2. Analyze Internet connection utilization at each office and increase as needed. Each office will be analyzed for the current Internet usage, and WAN link bandwidth will be increased if operating at 70% or above utilization.

3. Analyze DMZ systems at each office for optimal performance. Firewalls, IDSs, and other systems in the Internet path will be analyzed for optimal performance. Proxy servers will be updated or upgraded as needed.

4. Add ExpressRoute for the Paris campus. Provides consistent access to Azure resources for administration of Azure PaaS and IaaS workloads.

5. Create and test an Azure Traffic Manager profile for Azure PaaS apps. Test an Azure Traffic Manager profile that uses the performance routing method to gain experience in distributing Internet traffic to regional locations.

6. Reserve private address space for Azure VNets. Based on the numbers of projected short- and long-term servers in Azure IaaS, reserve private address space for Azure VNets and their subnets.
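As an added example that is not part of the poster or of any Microsoft tool, the following Python script checks a planned Azure address space the way step 6 and the IaaS analysis above require: every VNet must use private space that overlaps neither the on-premises ranges nor another VNet, every subnet must sit inside its VNet and be at least a /29 (Azure reserves five addresses in each subnet), and CIDR strings with host bits set are rejected rather than silently masked. The on-premises and Azure CIDRs are assumptions; the poster names none.

```python
import ipaddress

# Constructed address plan. The poster says only that Contoso's offices use private
# address space and that the Azure VNets must not overlap; every CIDR here is assumed.
ON_PREMISES = {
    "paris-campus": "10.0.0.0/12",
    "regional-hubs": "10.16.0.0/12",
    "satellite-offices": "10.32.0.0/11",
}

# VNet name -> (VNet address space, {subnet name: subnet CIDR})
AZURE_VNETS = {
    "vnet-paris-iaas": ("10.64.0.0/16", {
        "GatewaySubnet": "10.64.0.0/27",    # ExpressRoute gateway subnet
        "adfs-dmz": "10.64.1.0/24",         # redundant web application proxies / AD FS
        "legacy-archive": "10.64.16.0/20",  # archival and legacy servers
    }),
    "vnet-quarter-end": ("10.65.0.0/16", {
        "batch-compute": "10.65.0.0/22",    # temporary end-of-quarter servers
    }),
}

AZURE_MIN_PREFIX = 29  # Azure reserves 5 addresses per subnet; /29 is the smallest allowed


def usable_hosts(subnet):
    """Addresses left for VMs after Azure's 5 reserved addresses."""
    return max(ipaddress.ip_network(subnet).num_addresses - 5, 0)


def check_address_plan(on_premises, vnets):
    """Return a list of problems; an empty list means the plan is clean."""
    problems = []
    on_prem = {name: ipaddress.ip_network(cidr) for name, cidr in on_premises.items()}
    accepted = {}  # VNets already checked, for VNet-to-VNet overlap tests
    for vname, (vcidr, subnets) in vnets.items():
        try:
            vnet = ipaddress.ip_network(vcidr)  # strict: host bits set is an error
        except ValueError as exc:
            problems.append(f"{vname}: invalid address space {vcidr} ({exc})")
            continue
        if not vnet.is_private:
            problems.append(f"{vname}: {vcidr} is not private address space")
        for oname, onet in on_prem.items():
            if vnet.overlaps(onet):
                problems.append(f"{vname}: {vcidr} overlaps on-premises {oname} {onet}")
        for other, onet in accepted.items():
            if vnet.overlaps(onet):
                problems.append(f"{vname}: {vcidr} overlaps {other} {onet}")
        seen = {}  # subnets of this VNet already checked
        for sname, scidr in subnets.items():
            try:
                subnet = ipaddress.ip_network(scidr)
            except ValueError as exc:
                problems.append(f"{vname}/{sname}: invalid subnet {scidr} ({exc})")
                continue
            if subnet.version != vnet.version or not subnet.subnet_of(vnet):
                problems.append(f"{vname}/{sname}: {scidr} is outside the VNet address space {vcidr}")
            if subnet.prefixlen > AZURE_MIN_PREFIX:
                problems.append(f"{vname}/{sname}: {scidr} is smaller than the Azure minimum /{AZURE_MIN_PREFIX}")
            for other, onet in seen.items():
                if subnet.overlaps(onet):
                    problems.append(f"{vname}/{sname}: {scidr} overlaps subnet {other} {onet}")
            seen[sname] = subnet
        accepted[vname] = vnet
    return problems


if __name__ == "__main__":
    for line in check_address_plan(ON_PREMISES, AZURE_VNETS) or ["address plan is clean"]:
        print(line)
```

Run it against the planned ranges before any VNet is created: an overlap with on-premises space is cheap to fix on paper and expensive once ExpressRoute routes and VMs depend on it.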

Cloud networking resources
• Microsoft Cloud Networking for Enterprise Architects: http://aka.ms/cloudarchnetworking
• Network planning and performance tuning for Office 365: http://aka.ms/tune
• ExpressRoute: https://azure.microsoft.com/services/expressroute/

Contoso in the Microsoft Cloud: topic 4 of 7

Identity

Microsoft provides an Identity as a Service (IDaaS) across its cloud offerings. To adopt a cloud-inclusive infrastructure, Contoso's IDaaS solution must leverage their on-premises identity provider and include federated authentication with their existing trusted, third-party identity providers.

Contoso's Windows Server AD forest

[Figure: world map of the Paris headquarters and the regional hubs (Chicago, Tokyo, Thames Valley, Moscow, Beijing, New York, Irvine, Dubai, Mexico City, Bangalore, Sao Paulo, Johannesburg).]

Contoso uses a single Windows Server Active Directory (AD) forest for contoso.com with seven domains, one for each region of the world. The headquarters, regional hub offices, and satellite offices contain domain controllers for local authentication and authorization.

Contoso wants to use the accounts and groups in the contoso.com forest for authentication and authorization for its cloud-based apps and workloads.

Contoso's federated authentication infrastructure

[Figure: customers and partners on the Internet reach the public web site and the partner extranet in the DMZ behind the external firewall; AD FS servers in the DMZ federate with the third-party identity providers.]

Contoso allows:

• Customers to use their Microsoft, Facebook, or Google Mail accounts to sign in to their public web site.
• Vendors and partners to use their LinkedIn, Salesforce, or Google Mail accounts to sign in to the partner extranet.

Active Directory Federation Services (AD FS) servers in the DMZ authenticate customer credentials for access to the public web site and partner credentials for access to the partner extranet.

When Contoso transitions its public web site to an Azure Web App and its partner extranet to Dynamics 365, they want to continue to use these third-party identity providers for their customers and partners. This will be accomplished by configuring federation between Contoso's Azure AD tenants and these third-party identity providers.

Directory synchronization for Contoso's Windows Server AD forest

[Figure: the Azure AD Connect server in the headquarters synchronizes the contoso.com forest with the Azure AD tenant in the Microsoft cloud over the ExpressRoute connection.]

Contoso has deployed the Azure AD Connect tool on a cluster of servers in its Paris datacenter. Azure AD Connect synchronizes changes to the contoso.com Windows Server AD forest with the Azure AD tenant shared by Contoso's Office 365, EMS, Dynamics 365, and Azure subscriptions. For more information about subscriptions, licenses, user accounts, and tenants, see topic 5.

Contoso has configured federated authentication, which provides single sign-on for Contoso's workers. When a user that has already signed in to the contoso.com Windows Server AD forest accesses a Microsoft SaaS or PaaS cloud resource, they will not be prompted for a password.

The traffic for the directory synchronization travels over the ExpressRoute connection from the headquarters campus to the Microsoft cloud network.

Geographical distribution of Contoso authentication traffic

To better support its mobile and remote workforce, Contoso has deployed sets of authentication servers in its regional offices. This infrastructure distributes the load and provides redundancy and higher performance when authenticating user credentials for access to Microsoft cloud offerings that use the common Azure AD tenant.

To distribute the load of authentication requests, Contoso has configured Azure Traffic Manager with a profile that uses the performance routing method, which refers authenticating clients to the regionally closest set of authentication servers.

Authentication process example:

[Figure: a client computer, the Office 365 tenancy in Europe, Azure Traffic Manager, and three regional offices, each with web application proxies in the regional office DMZ and AD FS servers and Windows Server AD domain controllers behind the internal firewall.]

1. The client computer initiates communication with a web page in the Office 365 tenancy in Europe (such as sharepoint.contoso.com).
2. Office 365 sends back a request to send proof of authentication. The request contains the URL to contact for authentication.
3. The client computer attempts to resolve the DNS name in the URL to an IP address.
4. Azure Traffic Manager receives the DNS query and responds to the client computer with the IP address of a web application proxy server in the regional office that is closest to the client computer.
5. The client computer sends an authentication request to a web application proxy server, which forwards the request to an AD FS server.
6. The AD FS server requests the user credentials from the client computer.
7. The client computer sends the user credentials without prompting the user.
8. The AD FS server validates the credentials with a Windows Server AD domain controller in the regional office and returns a security token to the client computer.
9. The client computer sends the security token to Office 365.
10. After successful validation, Office 365 caches the security token and sends the web page requested in step 1 to the client computer.

Redundancy for the headquarters authentication infrastructure in Azure IaaS

[Figure: the headquarters DMZ (AD FS servers and web application proxies, separated from the central application datacenters by the internal firewall) and a second set of AD FS servers and web application proxies in an Azure virtual network, reached through the ExpressRoute gateway.]

To provide redundancy for the remote and mobile workers of the Paris headquarters, which contains 15,000 workers, Contoso has deployed a second set of application proxies and AD FS servers in Azure IaaS.

When the primary authentication servers in the headquarters DMZ become unavailable, IT staff switch over to the redundant set deployed in Azure IaaS. Subsequent authentication requests from Paris office computers use the set in Azure IaaS until the availability problem is corrected.

To switch over and switch back, Contoso updates the Azure Traffic Manager profile for the Paris region to use a different set of IP addresses for the web application proxies:

• When the DMZ authentication servers are available, use the IP addresses of the servers in the DMZ.
• When the DMZ authentication servers are not available, use the IP addresses of the servers in Azure IaaS.

See also: Deploy high availability federated authentication for Office 365 in Azure.
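The ten-step sign-in sequence and the Paris failover above, as an added Python example that is not part of the poster: a Traffic Manager profile answers with the lowest-latency proxy, an AD FS stand-in validates credentials and signs a token, and an Office 365 stand-in verifies signature, issuer, audience and validity window before caching the token; replacing the Paris endpoint in the profile is the failover. The latency table, addresses, directory entries, issuer and audience strings, and the HMAC key (standing in for the AD FS token-signing certificate) are all constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed latency (ms) from three client networks to the web application proxies of
# three regional offices; Traffic Manager's performance routing picks the lowest value.
LATENCY_MS = {
    "client-paris":    {"paris": 5,   "new-york": 85,  "tokyo": 240},
    "client-new-york": {"paris": 90,  "new-york": 4,   "tokyo": 170},
    "client-tokyo":    {"paris": 250, "new-york": 165, "tokyo": 6},
}
DMZ_PROXY_IP = {"paris": "203.0.113.10", "new-york": "203.0.113.20", "tokyo": "203.0.113.30"}
AZURE_IAAS_PROXY_IP = "203.0.113.110"  # redundant Paris proxies in Azure IaaS (constructed)

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed directory: UPN -> (salt, PBKDF2 hash). In step 8 a domain controller
# validates Kerberos/NTLM credentials; this dictionary stands in for it.
DIRECTORY = {"alice@contoso.com": (b"salt-1", _pw_hash("correct horse battery", b"salt-1"))}

class TrafficManagerProfile:
    """Steps 3-4 and the failover: answer DNS with the lowest-latency endpoint. Contoso
    fails Paris over by replacing that region's IP with the Azure IaaS proxies."""
    def __init__(self, endpoints):
        self.endpoints = dict(endpoints)  # region -> IP of its web application proxies

    def resolve(self, client_network):
        region = min(self.endpoints, key=lambda r: LATENCY_MS[client_network][r])
        return region, self.endpoints[region]

class AdfsServer:
    """Steps 6-8: validate credentials, then issue a signed token. Every regional farm is
    part of the one contoso.com federation service, so all share issuer name and key.
    AD FS signs with an X.509 certificate; an HMAC key stands in for it here."""
    def __init__(self, issuer, signing_key, directory):
        self.issuer, self.key, self.directory = issuer, signing_key, directory

    def issue_token(self, upn, password, audience, now, ttl=3600):
        entry = self.directory.get(upn)
        if entry is None or not hmac.compare_digest(entry[1], _pw_hash(password, entry[0])):
            raise PermissionError("invalid credentials")
        claims = {"iss": self.issuer, "aud": audience, "sub": upn, "nbf": now, "exp": now + ttl}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        return body + "." + _b64(hmac.new(self.key, body.encode(), hashlib.sha256).digest())

class RelyingParty:
    """Steps 9-10: Office 365 verifies signature, issuer, audience and validity window
    before it trusts any claim, and only then caches the token for the session."""
    def __init__(self, audience, trusted_issuers):
        self.audience, self.trusted, self.cache = audience, dict(trusted_issuers), {}

    def validate(self, token, now):
        body, _, sig = token.partition(".")
        try:
            claims = json.loads(_unb64(body))
        except ValueError:  # bad base64, bad UTF-8 or bad JSON: reject, never guess
            raise PermissionError("malformed token")
        if not isinstance(claims, dict):
            raise PermissionError("malformed token")
        key = self.trusted.get(claims.get("iss"))  # key chosen by claimed issuer, then verified
        if key is None:
            raise PermissionError("untrusted issuer")
        expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(sig, expected):
            raise PermissionError("bad signature")
        if claims.get("aud") != self.audience:
            raise PermissionError("token issued for another audience")
        if not claims["nbf"] <= now < claims["exp"]:
            raise PermissionError("token outside its validity window")
        self.cache[claims["sub"]] = claims
        return claims

FEDERATION_KEY = b"constructed-shared-token-signing-key"
ADFS = AdfsServer("http://sts.contoso.com/adfs/services/trust", FEDERATION_KEY, DIRECTORY)
OFFICE_365 = RelyingParty("urn:federation:MicrosoftOnline", {ADFS.issuer: FEDERATION_KEY})

def sign_in(profile, client_network, upn, password, now=None):
    """Run steps 3-10 for one client; returns where it was routed and the validated user."""
    now = int(time.time()) if now is None else now
    region, proxy_ip = profile.resolve(client_network)                  # steps 3-4
    token = ADFS.issue_token(upn, password, OFFICE_365.audience, now)   # steps 5-8 via the proxy
    claims = OFFICE_365.validate(token, now)                            # steps 9-10
    return {"region": region, "proxy_ip": proxy_ip, "user": claims["sub"]}

if __name__ == "__main__":
    profile = TrafficManagerProfile(DMZ_PROXY_IP)
    print(sign_in(profile, "client-tokyo", "alice@contoso.com", "correct horse battery"))
    profile.endpoints["paris"] = AZURE_IAAS_PROXY_IP  # DMZ unavailable: fail Paris over
    print(sign_in(profile, "client-paris", "alice@contoso.com", "correct horse battery"))
```

The order of checks in `validate` is the point: the signing key is looked up by the claimed issuer and the signature verified before any other claim is trusted, and the audience check stops a token issued for a different relying party from being replayed here.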

Cloud identity resources
• Microsoft Cloud Identity for Enterprise Architects: http://aka.ms/cloudarchidentity
• Identity and Device Protection for Office 365: https://aka.ms/o365protect_device
• Synchronizing your directory with Office 365 is easy: http://go.microsoft.com/fwlink/p/?LinkId=524281

Contoso in the Microsoft Cloud: topic 5 of 7

Subscriptions, licenses, and user accounts

To provide a consistent use of identities and billing for all cloud offerings, Microsoft provides an organization/subscriptions/licenses/user accounts hierarchy.

Organization
The business entity that is using Microsoft cloud offerings, typically identified by a public DNS domain name, such as contoso.com.

Subscriptions
For Microsoft SaaS cloud offerings (Office 365, Intune/EMS, and Dynamics 365), a subscription is a specific product and a purchased set of user licenses. For Azure, a subscription allows for billing of consumed cloud services to the organization.

Licenses
For Microsoft SaaS cloud offerings, a license allows a specific user account to use cloud services. For Azure, software licenses are built into service pricing, but in some cases you will need to purchase additional software licenses.

User accounts
User accounts are stored in an Azure AD tenant and can be synchronized from an on-premises identity provider such as Windows Server AD.

Contoso's structure

[Figure: the Contoso Corporation (contoso.com) with its Office 365 Enterprise E3 and E5, Intune/EMS, Dynamics 365, and regional Azure subscriptions, all using the common Azure AD tenant whose user accounts are synchronized from the contoso.com Windows Server AD forest.]

Organization: The Contoso Corporation is identified by its public domain name contoso.com.

Subscriptions and licenses: The Contoso Corporation is using the following:
• The Office 365 Enterprise E3 product with 5,000 licenses
• The Office 365 Enterprise E5 product with 200 licenses
• The EMS product with 5,000 licenses
• The Dynamics 365 product with 100 licenses
• Multiple Azure subscriptions based on regions

User accounts: A common Azure AD tenant contains the list of user accounts and groups used by all of Contoso's subscriptions, with the exception of dev/test Azure subscriptions.

Tenants:
• For SaaS cloud offerings, the tenant is the regional location that houses the servers providing cloud services. Contoso chose the European region to host its Office 365, EMS, and Dynamics 365 tenants.
• Azure PaaS services and apps and IaaS IT workloads can have tenancy in any Azure datacenter across the world.
• An Azure AD tenant is a specific instance of Azure AD containing accounts and groups. The common Azure AD tenant that contains the synchronized accounts for the Contoso Windows Server AD forest provides IDaaS across Microsoft's cloud offerings.

Subscriptions, licenses, accounts, and tenants for Microsoft's cloud offerings

Contoso's Azure subscriptions

[Figure: Enterprise Agreement (Contoso) at the top; one account per region (EUR, NAM, ASA, Others) below it; subscriptions under each account. EUR: Sales.Production, Admin.Production, IT.Development, IT.Testing, IT.Production. NAM: Sales.Production, IT.Production. ASA: Sales.Production, IT.Production.]

Contoso has designed the following hierarchy for their Azure subscriptions:

• Contoso is at the top, based on its Enterprise Agreement with Microsoft.
• There is a set of accounts corresponding to the different regions of the Contoso Corporation around the world, based on the domains of Contoso's Windows Server AD forest.
• Within each region, there are one or more subscriptions based on the region's development, testing, and production deployment needs.

Each Azure subscription can be associated with a single Azure AD tenant that contains user accounts and groups for authentication and authorization to Azure services. Production subscriptions use the common Contoso Azure AD tenant.

Contoso in the Microsoft Cloud: topic 6 of 7

Security
Contoso is serious about their information security and protection. When transitioning their IT
infrastructure to a cloud-inclusive one, they made sure that their on-premises security requirements
were supported and implemented in Microsoft s cloud offerings.

Contoso's security requirements in the cloud

Strong authentication to cloud resources
Cloud resource access must be authenticated and, where possible, leverage multi-factor authentication.

Encryption for traffic across the Internet
No data sent across the Internet is in plain text form. Always use HTTPS connections, IPsec, or other end-to-end data encryption methods.

Encryption for data at rest in the cloud
All data stored on disks or elsewhere in the cloud must be in an encrypted form.

ACLs for least privilege access
Account permissions to access resources in the cloud and what they are allowed to do must follow least-privilege guidelines.

Contoso's data sensitivity classification

Using the information in Microsoft's Data Classification Toolkit, Contoso performed an analysis of their data and determined the following levels.

Level 1: Low business value
Data is encrypted and available only to authenticated users. Provided for all data stored on premises and in cloud-based storage and workloads, such as Office 365. Data is encrypted while it resides in the service and in transit between the service and client devices. Examples of Level 1 data are normal business communications (email) and files for administrative, sales, and support workers.

Level 2: Medium business value
Level 1 plus strong authentication and data loss protection. Strong authentication includes multi-factor authentication with SMS validation. Data loss prevention ensures that sensitive or critical information does not travel outside the on-premises network. Examples of Level 2 data are financial and legal information and research and development data for new products.

Level 3: High business value
Level 2 plus the highest levels of encryption, authentication, and auditing. The highest levels of encryption for data at rest and in the cloud, compliant with regional regulations, combined with multi-factor authentication with smart cards and granular auditing and alerting. Examples of Level 3 data are customer and partner personally identifiable information and product engineering specifications and proprietary manufacturing techniques.

See also: Data Classification Toolkit.

Mapping Microsoft cloud offerings and features to Contoso's data levels

Level 1: Low business value
• SaaS: HTTPS for all connections; encryption at rest.
• Azure PaaS: Support only HTTPS connections; encrypt files stored in Azure.
• Azure IaaS: Require HTTPS or IPsec for server access; Azure disk encryption.

Level 2: Medium business value
• SaaS: Azure AD multi-factor authentication (MFA) with SMS.
• Azure PaaS: Use Azure Key Vault for encryption keys; Azure AD MFA with SMS.
• Azure IaaS: MFA with SMS.

Level 3: High business value
• SaaS: Azure Rights Management (RMS); Azure AD MFA with smart cards; Intune conditional access.
• Azure PaaS: Azure RMS; Azure AD MFA with smart cards.
• Azure IaaS: MFA with smart cards.

Of the two MFA methods listed, SMS one-time codes are the weaker, since they depend on the security of the user's phone number rather than on a key the user holds; reserving smart cards for Level 3 reflects that difference.



Contoso's information policies

Level 1: Low business value
• Access: Allow access to all.
• Data retention: 6 months.
• Information protection: Use encryption.

Level 2: Medium business value
• Access: Allow access to Contoso employees, subcontractors, and partners. Use MFA, TLS, and MAM.
• Data retention: 2 years.
• Information protection: Use hash values for data integrity.

Level 3: High business value
• Access: Allow access to executives and leads in engineering and manufacturing. RMS with managed network devices only.
• Data retention: 7 years.
• Information protection: Use digital signatures for non-repudiation.

Contoso's path to cloud security readiness

1. Optimize administrator accounts for the cloud. Contoso did an extensive review of the existing Windows Server AD administrator accounts and set up a series of cloud administrator accounts and groups.

2. Perform data classification analysis into three levels. Contoso performed a careful review and determined the three levels, which were used to determine the Microsoft cloud offering features to protect Contoso's most valuable data.

3. Determine access, retention, and information protection policies for data levels. Based on the data levels, Contoso determined detailed requirements, which will be used to qualify future IT workloads being moved to the cloud.

Contoso's use of Office 365 security best practices

Dedicated global administrator accounts
There are three dedicated global administrator accounts with very strong passwords. Signing in with a global administrator account is only done for specific administrative tasks, and the passwords are only known to designated staff.

Multi-factor authentication (MFA) for important user accounts
Global administrator accounts (to prevent credential compromise) and user accounts for managers (to prevent phishing attacks) have MFA enabled.

Secure email flow and mailbox audit logging
Exchange Online Protection and Advanced Threat Protection (ATP) protect against unknown malware, viruses, and malicious URLs transmitted through emails. Mailbox audit logging helps determine who has logged into user mailboxes, sent messages, and other activities performed by the mailbox owner, a delegated user, or an administrator. (See: Enable mailbox auditing in Office 365.)

Office 365 Email Anti-Spam Protection
Advanced threat protection for safe attachments and safe links.

Advanced Security Management (ASM)
Policies for alerts so that IT administrators are notified of unusual or risky user activity, such as downloading large amounts of data, multiple failed sign-in attempts, or sign-ins from unknown or dangerous IP addresses.

Data Loss Prevention (DLP)
DLP policies for Exchange Online, SharePoint Online, and OneDrive help prevent users from accidentally or intentionally sharing the data.
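The three ASM alert policies named above, run over audit records as an added Python example that is not part of the poster and not ASM's own logic: a burst of failed sign-ins, a burst of file downloads, and a successful sign-in from a dangerous or unknown IP address. The records are constructed in the shape of Office 365 unified audit log entries (the field names CreationTime, Operation, UserId, ClientIP, ResultStatus and ObjectId follow that schema; the users, addresses, timestamps, the "known" range standing in for Contoso's public /24, and the dangerous-IP list are all invented), and the thresholds are parameters, not tuned values.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta


def _rec(minute, op, user, ip, **extra):
    """Build one constructed audit record (same field names as unified audit log entries)."""
    return {"CreationTime": f"2017-09-12T08:{minute:02d}:00", "Operation": op,
            "UserId": user, "ClientIP": ip, **extra}


SAMPLE_LOG = (
    [_rec(m, "UserLoginFailed", "bob@contoso.com", "198.51.100.7", ResultStatus="Failed") for m in range(5)]
    + [_rec(5, "UserLoggedIn", "bob@contoso.com", "198.51.100.7", ResultStatus="Succeeded")]
    + [_rec(10 + m // 5, "FileDownloaded", "carol@contoso.com", "203.0.113.45",
            ObjectId=f"https://contoso.sharepoint.com/sites/eng/spec-{m:02d}.pdf") for m in range(25)]
    + [_rec(20, "UserLoggedIn", "alice@contoso.com", "203.0.113.20", ResultStatus="Succeeded")]
    + [_rec(21, "UserLoggedIn", "dave@contoso.com", "192.0.2.9", ResultStatus="Succeeded")]
)

KNOWN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]  # stands in for Contoso's public /24
DANGEROUS_IPS = {"198.51.100.7"}                          # constructed threat-intel list


def _burst(times, threshold, window):
    """True if at least `threshold` of the timestamps fall inside one `window`."""
    times = sorted(times)
    return any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1))


def detect(records, failed_threshold=5, download_threshold=20, window=timedelta(minutes=10)):
    """Return (user, rule, detail) alerts for the three ASM-style policies above."""
    by_user = defaultdict(list)
    for rec in records:
        by_user[rec["UserId"]].append(dict(rec, ts=datetime.fromisoformat(rec["CreationTime"])))
    alerts = []
    for user, events in by_user.items():
        failures = [e["ts"] for e in events if e["Operation"] == "UserLoginFailed"]
        if _burst(failures, failed_threshold, window):
            alerts.append((user, "multiple failed sign-ins", f"{len(failures)} failures"))
        downloads = [e["ts"] for e in events if e["Operation"] == "FileDownloaded"]
        if _burst(downloads, download_threshold, window):
            alerts.append((user, "mass download", f"{len(downloads)} files"))
        for e in events:
            if e["Operation"] != "UserLoggedIn":
                continue
            ip = ipaddress.ip_address(e["ClientIP"])
            if e["ClientIP"] in DANGEROUS_IPS:
                alert = (user, "sign-in from dangerous IP", e["ClientIP"])
            elif not any(ip in net for net in KNOWN_RANGES):
                alert = (user, "sign-in from unknown IP", e["ClientIP"])
            else:
                continue
            if alert not in alerts:  # one alert per (user, address), however many sign-ins
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for user, rule, detail in detect(SAMPLE_LOG):
        print(f"{rule:28} {user:20} {detail}")
```

Grouping by user before applying a sliding window is what separates a burst (five failures in four minutes) from the same count spread over a day; the thresholds and window should be set from the tenant's own baseline before the alerts are routed to on-call staff.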

Cloud security resources
Microsoft Cloud Security for Enterprise Architects: http://aka.ms/cloudarchsecurity
Information Protection for Office 365: http://aka.ms/o365infoprotect
Security in a Cloud-Enabled World (Microsoft Virtual Academy course): http://aka.ms/securecustomermva

September 2017 © 2016 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at [email protected].
Contoso in the Microsoft Cloud (topic 7 of 7 in the series)

Enterprise scenarios
With the networking, identity, and security infrastructure in place, Contoso began to address its business needs with enterprise cloud scenarios.

Moving historical transaction data to the cloud

Contoso's enterprise storage system stores a large amount of historical transaction data for adherence with regulatory requirements and for marketing research and BI analysis of spending trends. Contoso also needs to restore archived data from magnetic tape, a time-intensive process. The hardware in Contoso's enterprise storage system was nearing its end of life and replacing it would be very expensive.

As part of its business need to scale down its on-premises datacenters, Contoso chose to upgrade to SQL Server 2016 because of the Stretch Database hybrid feature and its seamless integration with Azure. Stretch Database allows Contoso to move the cold data in its tables from on-premises to cloud storage, freeing up local disk space and reducing maintenance. Both hot and cold data are in the same tables and are always available to applications and their users and for maintenance, such as backups and restores.

[Diagram: Stretch Database. On-premises network: SQL Server 2016 with smart query processing answers T-SQL queries; local data stays on-premises while eligible data is moved to Azure SQL Stretch Database in Azure PaaS.]

Contoso used these steps to move their historical data to the cloud:

1 Analyze databases
Performed an analysis of the tables in the databases that they intended to move to the cloud and fixed any issues. The new Stretch Database Advisor gave them a full overview of what they can expect from all features in SQL Server 2016, including which tables have cold data that could be stretched.

2 Upgrade
Updated existing SQL servers in the Paris headquarters datacenter to SQL Server 2016.

3 Migrate cold data to the cloud
Using SQL Management Studio, they identified the databases to stretch and the tables to migrate to instances of Stretch Database in Azure. Over time and in the background, SQL Server 2016 moved the historical data to stretch databases in Azure.
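To make the Stretch Database mechanics behind these steps concrete, here is an added Python model (not the poster's or Microsoft's code, and not SQL Server itself) that uses two SQLite databases as stand-ins for the local SQL Server 2016 database and the Azure SQL Stretch Database. A filter predicate marks cold rows as eligible, a background job moves them outbound in batches, and a single view keeps hot and cold rows queryable together, so the application query returns the same result before and after migration. In SQL Server the predicate is an inline table-valued function and the engine performs the migration; here both are approximated, and the table name, the 2015-01-01 cutoff and the sample rows are constructed.

```python
"""Model of Stretch Database behaviour with two SQLite databases.

Added example; 'remote' stands in for Azure SQL Stretch Database, and the
table, cutoff date and sample rows are constructed for illustration.
"""
import sqlite3

COLD_CUTOFF = "2015-01-01"  # assumption: rows dated before this are "cold" and eligible to move


def setup():
    """Create the local database, attach the remote one, and expose a combined view."""
    con = sqlite3.connect(":memory:")                      # stands in for the on-premises database
    con.execute("ATTACH DATABASE ':memory:' AS remote")    # stands in for Azure SQL Stretch Database
    ddl = "(id INTEGER PRIMARY KEY, tx_date TEXT NOT NULL, amount REAL NOT NULL)"
    con.execute("CREATE TABLE Transactions " + ddl)
    con.execute("CREATE TABLE remote.Transactions " + ddl)
    # The stretched table presents hot and cold rows as one table; a TEMP view is
    # used because SQLite only lets temp objects span attached databases.
    con.execute(
        "CREATE TEMP VIEW Transactions_all AS "
        "SELECT id, tx_date, amount, 'local' AS location FROM Transactions "
        "UNION ALL "
        "SELECT id, tx_date, amount, 'remote' AS location FROM remote.Transactions"
    )
    return con


def load_sample(con):
    """Insert constructed rows: one transaction per quarter from 2012 through 2017."""
    rows, i = [], 1
    for year in range(2012, 2018):
        for month in (1, 4, 7, 10):
            rows.append((i, f"{year}-{month:02d}-15", 100.0 * i))
            i += 1
    con.executemany("INSERT INTO Transactions VALUES (?, ?, ?)", rows)
    con.commit()
    return len(rows)


def migrate_cold_rows(con, batch_size=5):
    """Outbound migration: move rows matching the filter predicate to the remote
    database in small batches, each batch in its own transaction so an
    interruption never loses or duplicates rows."""
    moved = 0
    while True:
        batch = con.execute(
            "SELECT id, tx_date, amount FROM Transactions WHERE tx_date < ? ORDER BY id LIMIT ?",
            (COLD_CUTOFF, batch_size),
        ).fetchall()
        if not batch:
            break
        with con:
            con.executemany("INSERT INTO remote.Transactions VALUES (?, ?, ?)", batch)
            con.executemany("DELETE FROM Transactions WHERE id = ?", [(r[0],) for r in batch])
        moved += len(batch)
    return moved


def row_counts(con):
    """(local rows, remote rows) after migration."""
    local = con.execute("SELECT COUNT(*) FROM Transactions").fetchone()[0]
    remote = con.execute("SELECT COUNT(*) FROM remote.Transactions").fetchone()[0]
    return local, remote


def total_spend_by_year(con):
    """An application query against the combined view; unaffected by where rows live."""
    return con.execute(
        "SELECT substr(tx_date, 1, 4) AS yr, SUM(amount) FROM Transactions_all GROUP BY yr ORDER BY yr"
    ).fetchall()


def demo():
    """Load, query, migrate, query again; report what moved and whether results changed."""
    con = setup()
    rows = load_sample(con)
    before = total_spend_by_year(con)
    moved = migrate_cold_rows(con)
    after = total_spend_by_year(con)
    return {"rows": rows, "moved": moved, "counts": row_counts(con), "query_unchanged": before == after}


if __name__ == "__main__":
    print(demo())
```

The point to carry over to the real feature is the last field: once cold rows are remote, every query that touches them crosses the ExpressRoute link to Azure, so access policies and audit settings on the remote side need to match the ones applied on-premises.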

Here is the resulting configuration for one server running SQL Server 2016 in the Paris headquarters:

[Diagram: Headquarters datacenter with users, an app server, and SQL Server 2016, connected over ExpressRoute to Azure SQL Stretch Database in Azure PaaS.]

Users access the data through existing apps and queries. Access policies remain the same.

Moving forward, there is no need for tape backups. Maintenance consists of backing up and restoring hot data.

After implementing stretch database, Contoso:

• Reduced its on-premises data storage needs by 85%.
• Made the update of the enterprise storage system and reliance on magnetic tape archives unnecessary.
• Reduced its daily running costs significantly.



Secure SharePoint Online team sites for sensitive and highly confidential assets

The executive leadership of Contoso want to use Office 365 and store their files in a single location for collaboration, regardless of where an executive might be. Similarly, Contoso's research departments—with divisions in Paris, Moscow, New York, Beijing, and Bangalore—would like to transition their on-premises digital assets to the cloud for easier access and more open collaboration across teams.

However, in both of these cases, access to these resources must be restricted to the subset of people who are allowed to view or change them, with ongoing permissions for the site administered by IT staff.

Additionally, even if some resources are intentionally or unintentionally distributed, they must be encrypted and have permissions to prevent those who do not have access to view or change their contents.

Security and SharePoint administrators in Contoso's IT department decided to use sensitive protection and highly-confidential SharePoint Online team sites.

Sensitive protection
  Isolated site in which access is controlled by SharePoint groups and permission levels. Members cannot share the site with others. Other users can request access.
  Default Office 365 label applied to files: Sensitive
  Data Loss Prevention (DLP) policy: Warn users when sending files with the Sensitive Office 365 label outside the organization.

Highly confidential
  Isolated site. Members cannot share the site with others. Other users cannot request access.
  Default Office 365 label applied to files: Highly Confidential
  DLP policy: Block users from sending files with the Highly Confidential Office 365 label outside the organization.
  Highly Confidential Azure Information Protection (AIP) label: Encrypt files and grant permissions only to specific group members.

Contoso used these steps to create secure SharePoint Online team sites for their executives and research teams:

1 Create an Executives sensitive SharePoint Online team site
The new team site uses existing Azure Active Directory (AD) groups for executives as members with the Edit SharePoint permission level and a small set of SharePoint administrator accounts as owners with the Full Control permission level.

2 Migrate executives' files
Move existing on-premises executive files and folders to the new Executives SharePoint Online team site.

3 Create a Research highly confidential SharePoint Online team site
The new team site uses existing Azure AD research team groups as members with the Edit permission level and a small set of SharePoint administrator accounts as owners with the Full Control permission level. An AIP label assigned to research files ensures that they are encrypted and only members of a research group can open them.

4 Migrate research files
Move existing research team on-premises files and folders to the new Research SharePoint Online team site.

The result is two collaboration sites whose access is tightly controlled by security and SharePoint administrators. For files with the Highly Confidential AIP label, even if they are distributed outside the Research team site, they are encrypted and can only be opened by a member of a research team.

More information: Secure SharePoint Online sites and files; Secure SharePoint Online sites in a dev/test environment
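The two site configurations described in this scenario differ along several axes at once: who may share, who may request access, what DLP does on external sending, and whether the label encrypts the file. The following Python is an added example, not the poster's or Microsoft's code, that turns that comparison into a single decision function a team could use as a test oracle when validating the configured sites. The group names and the `SPO-Admins` owner group are constructed placeholders, not Contoso's real Azure AD groups.

```python
"""Policy oracle for the Executives (Sensitive) and Research (Highly Confidential)
SharePoint Online team sites described above.

Added example; group names are constructed placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SiteProfile:
    name: str
    default_label: str
    members_can_share: bool
    others_can_request_access: bool
    dlp_external_send: str        # DLP action when a labeled file leaves the organization
    aip_encrypt_to_members: bool  # AIP label encrypts files so only member groups can open them
    member_groups: frozenset      # Azure AD groups holding the Edit permission level
    owner_groups: frozenset       # SharePoint administrator accounts with Full Control


EXECUTIVES = SiteProfile(
    name="Executives", default_label="Sensitive",
    members_can_share=False, others_can_request_access=True,
    dlp_external_send="warn", aip_encrypt_to_members=False,
    member_groups=frozenset({"Executives"}), owner_groups=frozenset({"SPO-Admins"}),
)

RESEARCH = SiteProfile(
    name="Research", default_label="Highly Confidential",
    members_can_share=False, others_can_request_access=False,
    dlp_external_send="block", aip_encrypt_to_members=True,
    member_groups=frozenset({"Research-Paris", "Research-Moscow", "Research-NewYork",
                             "Research-Beijing", "Research-Bangalore"}),
    owner_groups=frozenset({"SPO-Admins"}),
)


def role_of(site, groups):
    """Map a principal's group memberships to its role on the site, if any."""
    groups = frozenset(groups)
    if groups & site.owner_groups:
        return "owner"
    if groups & site.member_groups:
        return "member"
    return None


def decide(site, groups, action):
    """Return (decision, reason) for a principal with `groups` performing `action`."""
    role = role_of(site, groups)
    if action == "open_site":
        return ("allow", f"{role} of the site") if role else ("deny", "not a member or owner")
    if action == "share_site":
        if role == "owner":
            return ("allow", "owners administer site membership")
        if role == "member":
            return (("allow", "members may share") if site.members_can_share
                    else ("deny", "members cannot share the site"))
        return ("deny", "no access to the site")
    if action == "request_access":
        if role:
            return ("allow", "already has access")
        return (("allow", "other users can request access") if site.others_can_request_access
                else ("deny", "access requests are not available"))
    if action == "send_external":
        return (site.dlp_external_send, f"DLP policy for the {site.default_label} label")
    if action == "open_distributed_file":
        # A copy that has left the site: only the AIP-protected tier stays closed.
        if not site.aip_encrypt_to_members:
            return ("allow", f"{site.default_label} files are labeled but not encrypted")
        if frozenset(groups) & site.member_groups:
            return ("allow", "AIP grants permission to research group members")
        return ("deny", "file is encrypted and the principal is not in a member group")
    raise ValueError(f"unknown action: {action}")


def review_matrix():
    """Exercise both sites with the principals a reviewer would want to check."""
    cases = [
        (EXECUTIVES, {"Executives"}, "share_site"),
        (EXECUTIVES, {"Sales"}, "request_access"),
        (RESEARCH, {"Sales"}, "request_access"),
        (EXECUTIVES, {"Executives"}, "send_external"),
        (RESEARCH, {"Research-Paris"}, "send_external"),
        (RESEARCH, {"Research-Beijing"}, "open_distributed_file"),
        (RESEARCH, {"Executives"}, "open_distributed_file"),
        (EXECUTIVES, {"Sales"}, "open_distributed_file"),
    ]
    return [(s.name, sorted(g), a, decide(s, g, a)[0]) for s, g, a in cases]


if __name__ == "__main__":
    for row in review_matrix():
        print(row)
```

The last case in the matrix is the one worth noticing: per the comparison above, only the Highly Confidential tier encrypts files, so a Sensitive-labeled file that leaves the Executives site is protected by the DLP warning on the way out rather than by encryption at rest.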

More Microsoft cloud IT resources
Services and Platform Options: aka.ms/cloudarchoptions
Networking: aka.ms/cloudarchnetworking
Identity: aka.ms/cloudarchidentity
Hybrid: aka.ms/cloudarchhybrid
Storage: aka.ms/cloudarchstorage
Mobility: aka.ms/cloudarchmobility
Test Lab Guides: aka.ms/catlgs

