Chapter 3

Manage Microsoft 365 governance and compliance

This chapter looks at the key technologies for governance and compliance in Office 365. When you complete this chapter, you should have a good understanding of which technologies are suitable based on a given scenario with specific requirements. You should also have a firm grasp of environment prerequisites, integration with other technologies, and common configurations. Although this chapter focuses on five key tools, you should familiarize yourself with complementary technologies to help solidify your knowledge for this area of the exam.

Skills covered in this chapter:

Skill 3.1: Plan for compliance requirements

This section looks at built-in data-governance features in Office 365.

Plan compliance solutions

Microsoft 365 includes several services and features to help organizations achieve compliance and regulatory goals. Many of the features covered in the MS-101 exam, and included in this chapter, help you plan aspects of an overall compliance solution. You can manage many of these solutions through the Microsoft 365 compliance center at https://compliance.microsoft.com.

Key considerations of any compliance solution include managing the following:

  • Insider risk

  • Information protection

  • Information governance

  • eDiscovery

  • Holds

  • Auditing and alert policies

  • Risks

You can use various Microsoft 365 features discussed in earlier chapters, such as the Secure Score, to gauge your organization’s overall security and compliance posture. But one tool that brings all these features together, in terms of compliance, is the Microsoft 365 solution catalog.

The solution catalog is a one-stop location that contains information cards for compliance solutions like information protection, governance, insider risk management, discovery, and response. (See Figure 3-1.)

The Microsoft 365 compliance center solution catalog, which contains built-in solutions for information protection and governance. These include application protection and governance, data loss prevention, information governance, information protection, and records management.

Figure 3-1 Microsoft 365 solution catalog

To access the solution catalog, click Catalog in the Microsoft 365 compliance center navigation bar on the left. To view the solution catalog, you must have one of the following roles assigned to your user account:

  • Global administrator

  • Compliance administrator

  • Compliance data administrator

Assess compliance

The primary tool to assess compliance information for the Microsoft 365 tenant is the Compliance Manager. To access this tool, click Compliance Manager in the Microsoft 365 compliance center navigation bar. The Compliance Manager is similar to the Secure Score tool in that it has the following components:

  • Compliance score

  • Improvement actions

  • Solutions

  • Assessments

  • Assessment templates

The compliance score and improvement actions work the same way the Secure Score does. The score is a representation of how many points the tenant configuration has relative to the compliance goals. The improvement actions are recommended changes that would increase the score.

To view the compliance score for your tenant, follow these steps:

  1. Log in to the Microsoft 365 compliance center at https://compliance.microsoft.com.

  2. In the navigation bar on the left, click Compliance Manager.

  3. On the Compliance Manager page, review the overall compliance score. Figure 3-2 shows the compliance score for Contoso Electronics.

The Microsoft 365 compliance center’s Compliance Manager Overview page. This page displays a compliance score of 59% for the organization and a portion of the list of key improvement actions the organization could take to improve its score.

Figure 3-2 Microsoft 365 compliance score

The Compliance Manager page’s Overview tab also breaks down the compliance score into different categories. (See Figure 3-3.) These include the following:

  • Protect information

  • Govern information

  • Control access

  • Manage devices

  • Protect against threats

  • Discover and respond

  • Manage internal risks

  • Manage compliance

Figure 3-3 shows the different categories with the score breakdown.

The Microsoft 365 compliance center displays the compliance score breakdown page. The Categories tab displays the percentage of each compliance category.

Figure 3-3 Microsoft 365 compliance score category breakdown

As with the Secure Score, the Improvement Actions tab of the Compliance Manager page shows actions you can take to improve compliance. The columns of information displayed are slightly different, however. They include the following:

  • Points Achieved

  • Regulations

  • Solutions

  • Assessments

  • Test Status

  • Action Type

In Compliance Manager, solutions are groupings of settings that relate to a particular product or feature (for example, Azure Active Directory or Intune). They are not the same as the categories described earlier. The Solutions tab on the Compliance Manager page lists each solution with its current and potential compliance score. The built-in solutions include the following:

  • Audit

  • Azure

  • Azure Active Directory

  • Azure Information Protection

  • Azure Security Center

  • Cloud App Security

  • Communication compliance

  • Data classification

  • Data loss prevention

  • eDiscovery

  • Exchange Online protection

  • Information governance

  • Insider risk management

  • Intune

  • Microsoft 365 Admin Center

  • Microsoft Defender for Endpoint

  • Microsoft Defender for Identity

  • Microsoft Defender for Office 365

  • Microsoft Information Protection

  • Microsoft Teams

  • OneDrive for Business

  • Records management

  • Compliance Center

  • SharePoint

  • Windows 10

With all these different solutions and the individual configurations that can be made in each area, there are 19,716 possible points available. By default, Compliance Manager calculates your points by inspecting these other solutions and capturing their current configuration.

You can change these settings by clicking the Compliance Manager Settings link in the upper-right corner of any Compliance Manager page, selecting either the Turn On Per Improvement Action option button or the Turn Off for All Improvement Actions option button on the Automated Testing page, and clicking Save. Figure 3-4 shows the default settings for automatically collecting data about the tenant.

The Microsoft 365 compliance center displaying the Compliance Manager Automated Testing settings. The default current configuration is set to Turn On for All Improvement Actions.

Figure 3-4 Microsoft 365 Compliance Manager settings

Plan for legislative and regional or industry requirements and drive implementation

The best way to plan for legislative, regional, and specific industry compliance requirements is to either use various built-in assessments or create a custom assessment for your specific organization. As of this writing, Compliance Manager offers more than 300 assessment templates. (Obviously, we won’t look at every type of requirement or assessment here.)

Most organizations, depending on the type of license they have, will have access to the following assessment templates:

  • Data Protection Baseline

  • EU GDPR

  • NIST 800-53 Rev. 4

  • NIST 800-53 Rev. 5

  • ISO 27001:2013

The other built-in templates must be purchased and renewed each year.

To use an assessment template, follow these steps:

  1. Log in to the Microsoft 365 compliance center at https://compliance.microsoft.com.

  2. In the navigation bar, click Compliance Manager.

  3. On the Compliance Manager page, click the Assessments tab.

  4. On the Assessments tab, click Add Assessment.

  5. In the Create Assessment wizard’s Select a Template page, click the assessment template you want to use—in this example, the EU GDPR template (see Figure 3-5)—and click Next.

    The Create Assessment wizard displays available assessment templates. Here, the EU GDPR template is selected.

    Figure 3-5 The Select a Template page of the Create Assessment wizard

  6. On the Name and Group page, type a name for your assessment in the Assessment Name box.

  7. To assign your assessment to a group, select Use Existing Group. Then select Default Group from the drop-down menu and click Next.

  8. On the Review and Finish page, click Create Assessment.

  9. Click Done.

After the assessment is created, your browser will display the progress of the assessment, a list of improvement actions, and the group of controls that relate to the compliance type you selected. (See Figure 3-6.) You can use this information to guide you in making any required changes in your organization. When you’re finished, click the Generate Report button on the assessment to create and download an Excel spreadsheet that contains a line-by-line report of the current status of the environment as it relates to the selected compliance standard. For example, the Excel report created for EU GDPR compliance contains approximately 600 lines of individual technical, operational, and documentation requirements.

The Microsoft 365 compliance center displays an assessment named GDPR 2021. This assessment is still in progress. The page also includes a Generate Report button to summarize the findings of the assessment.

Figure 3-6 Microsoft 365 assessment in progress

Skill 3.2: Manage information governance

Organizations must manage their data by keeping it while it is needed, deleting it when it is no longer needed, and labeling it to enable any special handling requirements. These data-management tasks are often referred to as data governance.

In Office 365, data is spread across multiple services. So your data governance must be viable across these services. Historically, data governance has been handled within each individual service, such as Exchange Online. Now, data governance is moving toward a centralized model, which can be implemented across all Office 365 services. In this skill section, you will look at the built-in data governance features in Office 365.

Plan for data classification and labeling

Labeling is critical to the success of your Azure Information Protection (AIP) implementation. AIP enables you to control and secure email, documents, and other data with labels that you configure. Without proper labeling, sensitive data might be unprotected or leaked outside your organization. Too much complexity in your labeling, however, is difficult to manage, making it confusing for users and potentially leading to incorrect classifications (and by extension leakage of sensitive data).

Create a new label

In this section, you will go through the step-by-step process to create a new sensitivity label in the Microsoft 365 compliance center. For the purposes of this walk-through, you will mark the content of files. Follow these steps:

  1. Use an administrator account to log in to the Microsoft 365 compliance center at https://compliance.microsoft.com.

  2. In the navigation bar, click Show All, and then click Information Protection.

  3. On the Information Protection page, click +Create a Label.

    The New Sensitivity Label wizard starts with the Name and Description page displayed.

  4. In the Label Name and Display Name text boxes, type HR Only.

  5. In the Description text box, type This Data Is Limited to HR Team Members Only. Then click Next.

  6. On the Scope page, ensure that Files & Email is selected, and click Next.

  7. On the Files & Emails page, select Mark the Content of Files, and click Next.

  8. On the Content Marking page, enable the Content Marking toggle, and then click Customize Text.

  9. A Customize Watermark Text panel opens. In the Watermark Text box, type CONFIDENTIAL HR (see Figure 3-7), and click Save.

    The Microsoft 365 compliance center New Sensitivity Label wizard with the Customize Watermark Text panel set to CONFIDENTIAL HR.

    Figure 3-7 Creating a custom watermark label

  10. Complete the remaining steps in the wizard and accept the default settings to create the label.

After you create a label, it will appear in the list on the Labels tab of the Information Protection page. The list also indicates which labels have visual markings and protection.

For users to be able to apply a label you create, you must publish the label. When you publish a label, you essentially create a policy for applying that label. To publish a label, follow these steps.

  1. Use an administrator account to log in to the Microsoft 365 compliance center at https://compliance.microsoft.com.

  2. In the navigation bar, click Show All, and then click Information Protection.

  3. On the Information Protection page, click Publish Label.

  4. Choose the labels to publish—in this example, HR Only—and click Next.

  5. Choose the users and/or groups to publish the label to—such as an HR group—and click Next.

  6. On the Policy Settings page, accept the defaults, and click Next.

  7. On the Name Your Policy page, type a name, like HR File Policy, and click Next.

  8. Review your settings and click Submit.

After you publish the label, it appears in the Label Policies tab of the Information Protection page. (See Figure 3-8.)

The Microsoft 365 compliance center displaying the Label Policies tab of the Information Protection page. There are three policies on this tab and the HR File Policy is selected.

Figure 3-8 Published label policy
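The same label and label policy as in the two walk-throughs above, created with Security &amp; Compliance PowerShell instead of the wizard. This is an added example, not code from the book; it assumes the ExchangeOnlineManagement module is installed, that the signed-in account holds a compliance administrator role, and that the HR group has the constructed address hr@contoso.com and can be used as an Exchange location.

```powershell
# Added example (not from the book): create and publish the "HR Only" label from the
# walk-through with Security & Compliance PowerShell.
# Assumptions: ExchangeOnlineManagement module installed; the HR group that receives the
# policy has the address hr@contoso.com (constructed value).
Connect-IPPSSession   # prompts for an account that holds a compliance admin role

$labelName  = 'HR Only'
$policyName = 'HR File Policy'
$hrGroup    = 'hr@contoso.com'   # constructed; substitute your HR group

# Step 1: create the label only if it does not already exist (labels are tenant-wide,
# so re-running this script must not create duplicates).
$label = Get-Label -Identity $labelName -ErrorAction SilentlyContinue
if (-not $label) {
    $label = New-Label -Name $labelName -DisplayName $labelName `
        -Tooltip 'This data is limited to HR team members only' `
        -ContentType 'File, Email' `
        -ApplyWaterMarkingEnabled $true `
        -ApplyWaterMarkingText 'CONFIDENTIAL HR' `
        -ApplyWaterMarkingFontSize 20 `
        -ApplyWaterMarkingLayout Diagonal
}

# Step 2: publish the label through a label policy scoped to the HR group. Without a
# policy the label exists but no user can apply it, which is why an entry on the
# Labels tab alone does not mean HR content is being labeled.
$policy = Get-LabelPolicy -Identity $policyName -ErrorAction SilentlyContinue
if (-not $policy) {
    $policy = New-LabelPolicy -Name $policyName -Labels $labelName -ExchangeLocation $hrGroup
}

# Step 3: verify what was actually configured rather than trusting the wizard's summary.
Get-Label -Identity $labelName |
    Select-Object Name, ContentType, ApplyWaterMarkingEnabled, ApplyWaterMarkingText
Get-LabelPolicy -Identity $policyName |
    Select-Object Name, Labels, ExchangeLocation

Disconnect-ExchangeOnline -Confirm:$false
```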

Understand label capabilities

Labels have certain capabilities, many of which are optional. At a minimum, labels provide a visual clue as to the sensitivity of the associated data. But you can configure other capabilities to enhance labels. Here are some of the key capabilities of labels, which you should be familiar with for the exam:

  • A label can automatically protect a document or email message. By default, a label does not protect data. However, you can configure a label to protect data, or to remove protection. Protection is applied (or not) by the label policy you create. You can define the specific permissions for users and groups—for example, one group can have view, open, and read permissions, while another group can have view, open, read, edit, and save permissions. Additionally, you can opt to use labels to expire content and enable offline access.

  • A label can mandate visual markings for a document. You can require a document header, footer, or watermark. In high-security organizations, you can have a label apply all three visual markings.

  • A label can have conditions. Using conditions with labels enables automatic classification. The available conditions are pulled directly from your configured sensitive information types. (These are covered in Skill 3.4.) For example, you could create a label that looks for Australian driver’s license numbers in a document. When a condition is added to a label, you can have the label applied automatically or have it recommended (the default), as shown in Figure 3-9. Note that conditions require a P2 license.

The Microsoft 365 compliance center displaying the auto-labeling settings for a sensitivity label. The label is configured to identify Australian driver’s license numbers with medium confidence.

Figure 3-9 Custom label condition

Plan for restoring deleted content

As an administrator, you can restore deleted content in Exchange Online, SharePoint Online, and OneDrive for Business. This section looks at the restore process for all three of these technologies.

Restore deleted data in Exchange Online

You can restore deleted items by using the Outlook desktop app or Outlook on the web. This section looks at the options in the Outlook desktop app, which provides the same functionality as Outlook on the web.

Restore deleted data in Outlook

To restore a deleted item in Outlook, follow these steps.

  1. Launch Outlook.

  2. In the left pane, click the Deleted Items folder.

    Items in the Deleted Items folder appear in list form to the right of the list of folders in the left pane.

  3. Drag and drop an item from the Deleted Items list onto the desired folder in the left pane, such as the Inbox folder, to restore the item.

If the Deleted Items list is empty, follow these steps to restore a deleted item:

  1. Click the Recover Items Recently Removed from the Folder link above the (empty) Deleted Items list.

  2. In the Recover Deleted Items window, select the item you want to restore, make sure the Restore Selected Items option button is selected, and click OK.

Tip To select multiple items, press the Ctrl key as you click each item.

You can also permanently delete items from the Recover Deleted Items window. To do so, simply select the Purge Selected Items option button instead of the Restore Selected Items option button.

Create a hold to recover purged items

Purged items are items that a user deleted and then purged using the Recover Deleted Items tool. Once an item is purged, only an administrator can recover it—if it is still recoverable. For example, with Exchange Online, you can configure the service to retain purged items for up to 30 days.

As an administrator, you can use the eDiscovery and Hold functions to recover purged items. eDiscovery is the process of identifying and delivering information that can be used as evidence in legal cases. As part of the eDiscovery process, you create an eDiscovery case; then, as part of the case, you create holds. After you place a hold on a set of accounts, you can search existing and purged items for content that might be related to the case. These are part of the Content Search feature in the Microsoft 365 compliance center. To create an eDiscovery case for the purposes of restoring purged items, follow these steps:

  1. Use an administrator account to log in to the Microsoft 365 compliance center at https://compliance.microsoft.com.

  2. In the navigation bar, click Show All, click eDiscovery, and then click Core.

  3. On the Core eDiscovery page, click Create a Case.

  4. In the New Case window, type a name for the search, such as Recovering Purged Items, and click Save.

  5. Click the pop-out icon to manage the case.

  6. Click the Holds tab, and then click Create.

  7. Type a name for the hold—for example, Recover Purged Items—and click Next.

  8. On the Choose Locations page, for Exchange Email, click Choose Users, Groups, or Teams. Then click Choose Users, Groups, or Teams again.

  9. In the text box at the top of the Edit Locations page, type the name of a user, group, or team in your environment.

  10. Choose a user, group, or team in the list that appears, and click Choose. Then click Done. This is the logical location(s) where the search will be performed.

    Figure 3-10 shows a search for Sales, with the Sales Team option selected.

    The Microsoft 365 compliance center displays the Microsoft Exchange email locations, with the Sales Team group selected.

    Figure 3-10 Choosing Exchange email locations for a hold

  11. On the Query page, add keywords to the query, such as contact list, and click Next. The keywords will be used to look through the locations that you selected earlier to return any results.

  12. Click Create This Hold.

Recover purged items

After you create a case with a hold, you can use it to recover purged items. Follow these steps:

  1. Use an administrator account to log in to the Microsoft 365 compliance center at https://compliance.microsoft.com.

  2. In the navigation bar, click Show All, click eDiscovery, and then click Core.

  3. Select the Recovering Purged Items check box and click Open Case.

  4. On the case page, click the Searches tab, and then click New Search.

  5. Type a keyword in the Keywords field, such as contacts, and click Save & Run. (See Figure 3-11.)

    The Microsoft 365 compliance center displaying the Searches tab for recovering purged items. The current search is looking for a keyword of ‘contacts’ in locations on hold.

    Figure 3-11 Searching an eDiscovery case

  6. Type a name for the search and then click Save & Run.

    Search results are displayed in the pane on the right side of the page.

  7. On the Actions menu, click Export Results. You can export all messages to a PST file or export individual messages.
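The case, hold, search, and export from the two procedures above, done with Security &amp; Compliance PowerShell. This is an added example, not code from the book; it assumes the ExchangeOnlineManagement module is installed, that the signed-in account holds the eDiscovery Manager role, and that a group named Sales Team exists as in Figure 3-10 (the search name is constructed).

```powershell
# Added example (not from the book): eDiscovery case, hold, search and export in PowerShell.
# Assumptions: ExchangeOnlineManagement module installed; the account holds the eDiscovery
# Manager role; a distribution group named "Sales Team" exists (as in Figure 3-10).
Connect-IPPSSession

$caseName   = 'Recovering Purged Items'
$holdName   = 'Recover Purged Items'
$searchName = 'Purged contacts search'   # constructed name
$location   = 'Sales Team'               # group from Figure 3-10

# 1. Create the case (Core eDiscovery).
if (-not (Get-ComplianceCase -Identity $caseName -ErrorAction SilentlyContinue)) {
    New-ComplianceCase -Name $caseName -Description 'Recover items purged by users' | Out-Null
}

# 2. Place the hold. The policy chooses the locations; the rule supplies the keyword
#    query from the wizard's Query page ("contact list"). Matching items in those
#    mailboxes, including ones in Recoverable Items, can no longer be purged.
if (-not (Get-CaseHoldPolicy -Identity $holdName -Case $caseName -ErrorAction SilentlyContinue)) {
    New-CaseHoldPolicy -Name $holdName -Case $caseName -ExchangeLocation $location -Enabled $true | Out-Null
    New-CaseHoldRule -Name "$holdName rule" -Policy $holdName -ContentMatchQuery 'contact list' | Out-Null
}

# 3. Search the held locations for the keyword used on the Searches tab ("contacts").
if (-not (Get-ComplianceSearch -Identity $searchName -ErrorAction SilentlyContinue)) {
    New-ComplianceSearch -Name $searchName -Case $caseName `
        -ExchangeLocation $location -ContentMatchQuery 'contacts' | Out-Null
}
Start-ComplianceSearch -Identity $searchName

# Searches run asynchronously; poll until the search finishes before exporting.
do {
    Start-Sleep -Seconds 15
    $search = Get-ComplianceSearch -Identity $searchName
} while ($search.Status -notin @('Completed', 'Failed'))
"Search status {0}: {1} items ({2} bytes)" -f $search.Status, $search.Items, $search.Size

# 4. Export the results as one PST per mailbox, the same as Export Results in the portal.
#    The files themselves are downloaded with the eDiscovery Export Tool from the portal.
if ($search.Status -eq 'Completed' -and $search.Items -gt 0) {
    New-ComplianceSearchAction -SearchName $searchName -Export `
        -Format FxStream -ExchangeArchiveFormat PerUserPst
}

Disconnect-ExchangeOnline -Confirm:$false
```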

Restore deleted data in SharePoint Online

You can restore data from a SharePoint Online site’s Recycle Bin or, if it has been purged from the Recycle Bin, from the site collection Recycle Bin.

To restore data from a SharePoint site’s Recycle Bin, follow these steps:

  1. Sign in as an administrator to the SharePoint site where you want to restore deleted items.

  2. In the left pane, click Recycle Bin.

    The Recycle Bin page displays a list of deleted items. (See Figure 3-12, which shows the Recycle Bin for a Contoso Electronics SharePoint site.)

    The Contoso Electronics SharePoint site displaying the Recycle Bin page, which contains a single PowerPoint file that is selected to be restored.

    Figure 3-12 Restoring content from a SharePoint site

  3. Click the item you want to restore; then click the Restore button.

To restore data from a site collection’s Recycle Bin, follow these high-level steps:

  1. Sign in as an administrator to the SharePoint admin center.

  2. Navigate to the Site Collections page.

  3. Click the site collection that has the data you want to restore.

  4. Navigate to the site collection’s Recycle Bin.

  5. Restore the desired data.

Restore deleted data in OneDrive for Business

For OneDrive for Business, there are three scenarios in which you might need to restore data:

  • If data was deleted

  • If a user was deleted

  • If you need to restore all OneDrive data to a specific date—for example, if all data was accidentally deleted

Restore OneDrive data from the Recycle Bin

To restore items that were deleted from your OneDrive but are still in the Recycle Bin, follow these steps:

  1. Using a web browser, sign in to your OneDrive account.

    Note

    The URL for your OneDrive is https://<SiteName>-my.sharepoint.com, where <SiteName> represents your individual site name. This will redirect to https://<SiteName>-my.sharepoint.com/personal/<User_UPN>/_layouts/15/onedrive.aspx, where <SiteName> is the individual site name and <User_UPN> is the user’s user principal name (UPN) with underscores in place of the @ and period characters (such as charles_pluta_com for charles@pluta.com).

  2. In the left pane, click Recycle Bin.

    Files in the Recycle Bin are listed in the right pane.

  3. Click the file you want to restore.

  4. Click Restore. (See Figure 3-13.)

The Contoso Electronics OneDrive page is displayed with one Word document selected for restore.

Figure 3-13 Restoring content from OneDrive for Business

Restore a deleted user’s OneDrive

If a user account was recently deleted (within the last 30 days, by default), you can restore that user account and all its OneDrive data from the Microsoft 365 admin center. Simply navigate to the Deleted Users page and restore the user.

If a user account has been deleted for too long and no longer appears on the Deleted Users page in the Microsoft 365 admin center, you can use PowerShell to restore the user, as shown here. This example uses a fictitious user named Kari Tran within the Contoso Electronics organization.

To connect to SharePoint Online via PowerShell with an administrator account, run the following commands:

# The administrator account signs in; Kari's account is the one being restored.
$adminUPN = "<admin_UPN>"   # placeholder: the administrator's user principal name
$orgName = "karitran"       # the tenant name that precedes "-admin.sharepoint.com"
$userCredential = Get-Credential -UserName $adminUPN -Message "Type the password."
Connect-SPOService -Url "https://$orgName-admin.sharepoint.com" -Credential $userCredential

To restore the deleted user with OneDrive content, follow these steps:

  1. From the PowerShell prompt, run the following command:

    Get-SPODeletedSite -IncludeOnlyPersonalSite | FT url

    If the site appears in the output, you can restore it.

  2. Run the following command to obtain the site URL. Substitute your tenant name at the beginning of the resulting URL and Kari’s UPN at the end.

    Get-SPOSite -IncludePersonalSite $true -Limit All -Filter "Url -like '-my.sharepoint.com/personal/'" | Select-Object Url

  3. Run the following command, where <URL_of_deleted_site> is the site URL you obtained in step 2:

    Restore-SPODeletedSite -Identity <URL_of_deleted_site>
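The three steps above, wrapped so that the deleted personal site is located by the user’s UPN (using the underscore convention from the Note earlier in this skill) and the not-found and already-active cases are handled instead of guessed at. This is an added example, not code from the book; it assumes the SharePoint Online Management Shell is installed and uses the constructed tenant name contoso and user kari.tran@contoso.com.

```powershell
# Added example (not from the book): restore a deleted user's OneDrive by UPN.
# Assumptions: SharePoint Online Management Shell installed; tenant name "contoso" and
# user kari.tran@contoso.com are constructed values.
$tenantName = 'contoso'
$userUpn    = 'kari.tran@contoso.com'

function ConvertTo-PersonalSiteUrl {
    param([string]$Tenant, [string]$Upn)
    # kari.tran@contoso.com -> https://contoso-my.sharepoint.com/personal/kari_tran_contoso_com
    $path = ($Upn -replace '[@.]', '_').ToLowerInvariant()
    return "https://$Tenant-my.sharepoint.com/personal/$path"
}

Connect-SPOService -Url "https://$tenantName-admin.sharepoint.com"   # modern auth prompt

$siteUrl = ConvertTo-PersonalSiteUrl -Tenant $tenantName -Upn $userUpn

# Case 1: the personal site is still active; nothing to restore.
$active = $null
try { $active = Get-SPOSite -Identity $siteUrl -ErrorAction Stop } catch { }
if ($active) {
    "OneDrive for $userUpn is active at $siteUrl; no restore needed."
    return
}

# Case 2: the site is in the deleted-sites collection; report how long is left, then restore.
$deleted = Get-SPODeletedSite -IncludeOnlyPersonalSite | Where-Object { $_.Url -eq $siteUrl }
if (-not $deleted) {
    # Case 3: past the retention window, or the URL convention did not apply (for example
    # after a UPN change); list the recoverable candidates rather than guessing.
    "No deleted personal site found for $siteUrl. Deleted personal sites currently recoverable:"
    Get-SPODeletedSite -IncludeOnlyPersonalSite | Select-Object Url, DeletionTime, DaysRemaining
    return
}

"Found $($deleted.Url): deleted $($deleted.DeletionTime), $($deleted.DaysRemaining) days remaining."
Restore-SPODeletedSite -Identity $siteUrl

# Confirm the restore before handing the data back to the user or a delegate.
Get-SPOSite -Identity $siteUrl | Select-Object Url, Owner, StorageUsageCurrent, Status
```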

Restore OneDrive to a previous date

You can use the OneDrive Files Restore feature to restore data to a previous date. This is handy if you must restore all the data on the drive—for example, after a malware infection. It’s also helpful if you need to restore a large number of individual files, which would be too time consuming to restore one by one.

Note

The Files Restore feature can only restore data that is available in version history, the Recycle Bin, or the site collection Recycle Bin.

Follow these steps to restore your OneDrive to a previous date:

  1. Using a web browser, log in to your OneDrive account.

  2. In the upper-right corner of the page, click the Settings button (it features a picture of a gear), and select OneDrive (Restore your OneDrive) in the menu.

  3. On the Restore Your OneDrive page, select a date from the drop-down menu.

  4. Click Restore.

Plan for Microsoft 365 backup

Although many administrators are familiar with backing up their data when it is on-premises, they are not familiar with backups in the public cloud. Many on-premises backup solutions don’t work for cloud-based services or feel like quickly developed add-ons that lack critical features. This section looks at the planning considerations for backing up data in Microsoft 365/Office 365.

Understand backup capabilities and limitations

Many organizations simply use the built-in backup capabilities of Office 365, which allow for basic data recovery in specific scenarios. However, some organizations enhance and/or extend these built-in capabilities with third-party tools to meet all their disaster-recovery and business-continuity needs. This section outlines the capabilities and limitations of the built-in features, separating Exchange from SharePoint and OneDrive.

Exchange Online

Microsoft uses database availability groups (DAGs) to protect the Exchange Online service. In this scenario, your data is stored in multiple data centers that are geographically dispersed. These backups are used only in case of a service outage, however. You still need a way to back up your data in case you need to access it for some other reason.

Exchange Online backup capabilities focus on email data and public folder data. This is similar to what you find with Exchange Server on-premises. Outside of email, key data also exists in Active Directory (if you are syncing users and groups from on-premises) or in Azure Active Directory (if your users and groups are in Azure Active Directory but not in an on-premises Active Directory environment). The key capabilities are as follows:

  • Recovering deleted items. Deleted items are stored in the Deleted Items folder and are recoverable by users. After items are permanently deleted, they are stored in the Recoverable Items/Deletions folder for 14 days by default, although you can extend this to a maximum of 30 days. Administrators can recover permanently deleted items.

  • Archiving email data forever. In Office 365, you can create archive mailboxes for users. Archive mailboxes store older email data and are configurable based on time or size. Initially, the archive mailbox had a maximum size of 100 GB, although you could contact Microsoft to increase the size. Today, archive mailboxes have an unlimited size. They also automatically increase in size as needed, although this is an optional feature. An Exchange Online Plan 2 license, Exchange Online Archiving license, or Office 365 E3/Microsoft 365 E3 license is required for unlimited archiving.

  • Maintaining email for legal purposes. During a lawsuit or similar legal issue, organizations are often required to preserve email data that is specifically related to the matter. Historically, organizations have relied on two specific Office 365 features to preserve this type of data:

    • In-Place Hold. This enables you to place a hold on specific data, such as data selected by a query for keywords or similar criteria, so that it cannot be deleted or archived. In-Place Holds can be used for both private and public folders.

    • Litigation Hold. When you place a Litigation Hold on a mailbox, all mailbox data is maintained. Again, you cannot delete or archive it. Litigation Holds cannot be used for public folders.

Note

Items on hold do not count against a mailbox quota.

Note In-Place Hold is Going Away

The In-Place Hold feature is currently being deprecated as Microsoft officially transitions to Litigation Holds and retention policies. However, the exam is unlikely to call out the deprecation of In-Place Holds, so plan to be familiar with the technology.

Following are the key limitations of the backup features in Exchange Online:

  • You cannot restore mailboxes to a specific point in time. Imagine a mailbox is flooded with malware or spam or becomes corrupt in some way. With many technologies, you could restore the mailbox to a point in time just before the issue started. This capability is commonly found in on-premises solutions for Exchange Server. It is not, however, offered with Exchange Online.

  • Archive mailboxes have limits in some plans. Archive mailboxes are limited to 50 GB for Office 365 Business Essentials, Office 365 Business Premium, and Office 365 Enterprise E1. For more information about the capabilities of different plans, see https://docs.microsoft.com/en-us/office365/servicedescriptions/exchange-online-service-description/exchange-online-limits.

SharePoint Online and OneDrive for Business

In SharePoint Online, Microsoft backs up the environment every 12 hours and retains that data for 14 days. Additionally, your SharePoint Online instance is available in two geographically dispersed datacenters. This is helpful from a SharePoint Online service perspective. But you still need a way to maintain your own data. Following are the key capabilities for maintaining data:

  • SharePoint document versioning. With document versioning, each time a document is updated, a new version is created. You can store up to 50,000 major versions (such as 1.0, 2.0) and 511 minor versions (such as 2.1, 2.2). Versioning is configurable—you can turn it off, set it to create only major versions, or set it to create major and minor versions. Versions take up space in your tenant. For example, if you have a 5 MB Excel file and it has 10 versions, then it takes up 50 MB in your tenant.

  • The SharePoint site’s Recycle Bin keeps data for 93 days. After 93 days, the data is permanently deleted.

  • The SharePoint site collection Recycle Bin maintains data for up to 93 days. The time is based on how much time the data spent in the site’s Recycle Bin. For example, if data is kept in the site’s Recycle Bin for 40 days and is then deleted, it will be stored in the site collection Recycle Bin for 53 days. Data is maintained for up to 93 days, no matter which Recycle Bin is used.

  • OneDrive offers the Files Restore feature. This feature enables users to restore data from up to 30 days ago.

  • OneDrive offers a Recycle Bin. The Recycle Bin maintains data for up to 93 days.

Remember the Microsoft backups we talked about at the beginning of this section? You can request a restore from those backups. You can, however, only request a restore of an entire site collection or sub-site with all of its content. Consider this as a last resort if you are unable to get the data elsewhere, as the restores can take as long as a few days.

Back up Exchange Online data

This section walks through configuration items for maintaining your Exchange Online data. This isn’t a traditional backup, whereby you use software to make backup copies of your Exchange databases. Rather, Exchange Online offers retention policies and retention tags, which are service-specific and apply only to Exchange Online. Policies and labels in the Microsoft 365 compliance center protect content across services and are the recommended method to use.

Configure how long to retain deleted items

You must use Exchange Online PowerShell to work with the settings for retaining deleted items in your mailbox. By default, deleted items are maintained for 14 days. You can change the period, although 30 is the maximum number of days. Run the following commands to connect to Exchange Online PowerShell.

$Creds = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri https://outlook.office365.com/powershell-liveid/ `
    -Credential $Creds -Authentication Basic -AllowRedirection
Import-PSSession $Session -DisableNameChecking

As an example, the following command looks at the retention settings for Charles Pluta’s mailbox:

Get-Mailbox -Identity "Charles Pluta" | Select-Object RetainDeletedItemsFor

To individually set Charles’s mailbox to retain deleted items for 30 days, run the following command:

Set-Mailbox -Identity "Charles Pluta" -RetainDeletedItemsFor 30

If you want to set all mailboxes to retain data for 21 days, run the following command:

Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq 'UserMailbox'} |
    Set-Mailbox -RetainDeletedItemsFor 21

Create archive mailboxes

By default, archive mailboxes are not created for new mailboxes. To archive mail, you must create archive mailboxes. Follow these steps to create an archive mailbox:

  1. Log in to the Security & Compliance Center as an administrator at https://protection.office.com.

  2. In the left pane, click Data Governance, and then click Archive.

    A list of your mailboxes is displayed in the right pane. Entries in the Archive Mailbox column indicate whether there is an archive mailbox associated with your mailbox.

  3. Click the mailbox you want to configure for archiving.

  4. Click Enable in the Archive Mailbox column.

    You’ll see a warning that items older than two years will be moved to the archive mailbox. (This is based on the archiving policy.)

  5. Click Yes.

You can also use PowerShell to enable archiving as well as to view the current archiving configuration. First, connect to Exchange Online PowerShell. Then enter the following commands:

$Creds = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri https://outlook.office365.com/powershell-liveid/ `
    -Credential $Creds -Authentication Basic -AllowRedirection
Import-PSSession $Session -DisableNameChecking

To check all mailboxes for their current archiving status, run the following command:

Get-Mailbox -Filter {ArchiveStatus -eq "None" -and RecipientTypeDetails -eq "UserMailbox"} |
    Select-Object Name, *ArchiveSt*

To enable archiving for a single mailbox (Charles’s mailbox, in this example), run the following command:

Enable-Mailbox -Identity "Charles Pluta" -Archive

To enable archiving for all user mailboxes, run the following command:

Get-Mailbox -Filter {ArchiveStatus -eq "None" -and RecipientTypeDetails -eq "UserMailbox"} |
    Enable-Mailbox -Archive

Back up SharePoint Online and OneDrive for Business data
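
The individual commands above can be combined into a single audit-and-remediate pass. The following script is an added example, not part of the book: it lists user mailboxes whose deleted-item retention is below a target or that have no archive mailbox, and fixes them only when -Remediate is given. It assumes you are already connected to Exchange Online PowerShell as shown above; $TargetDays, -Remediate and the CSV path are constructed for this example.

```powershell
# Added example: audit user mailboxes against a deleted-item retention target
# and an archive-mailbox requirement; remediate only with -Remediate.
# Assumes an existing Exchange Online PowerShell session (Get-Mailbox,
# Set-Mailbox and Enable-Mailbox available).
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [ValidateRange(0, 30)]      # 30 days is the service maximum
    [int]$TargetDays = 30,
    [switch]$Remediate
)

$findings = @()

# User mailboxes only; -ResultSize Unlimited avoids the default 1000-item cap.
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox

foreach ($mbx in $mailboxes) {
    # RetainDeletedItemsFor is a TimeSpan such as 14.00:00:00
    $days     = [int]$mbx.RetainDeletedItemsFor.TotalDays
    $archived = $mbx.ArchiveStatus -ne 'None'

    if ($days -lt $TargetDays -or -not $archived) {
        $findings += [pscustomobject]@{
            Mailbox        = $mbx.UserPrincipalName
            RetainDays     = $days
            ArchiveEnabled = $archived
        }

        if ($Remediate) {
            if ($days -lt $TargetDays -and
                $PSCmdlet.ShouldProcess($mbx.UserPrincipalName, "Set RetainDeletedItemsFor to $TargetDays")) {
                Set-Mailbox -Identity $mbx.Identity -RetainDeletedItemsFor $TargetDays
            }
            if (-not $archived -and
                $PSCmdlet.ShouldProcess($mbx.UserPrincipalName, 'Enable archive mailbox')) {
                Enable-Mailbox -Identity $mbx.Identity -Archive
            }
        }
    }
}

# Show the gaps and keep a CSV as the audit trail (constructed path).
$findings | Sort-Object RetainDays | Format-Table -AutoSize
$findings | Export-Csv -Path '.\mailbox-retention-gaps.csv' -NoTypeInformation
```

Run it once without -Remediate to review the report, then with -Remediate -WhatIf to see the exact changes before applying them.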

This section walks through some of the configuration options for maintaining your SharePoint Online and OneDrive for Business data. This doesn’t involve a traditional backup procedure, whereby you use software to back up your SharePoint databases. Rather, it involves using tools like document versioning (SharePoint) and adjusting retention settings (OneDrive) to retain and recover data.

Configure document versioning for SharePoint

In this section, you will configure SharePoint Online document versioning settings. Follow these steps:

  1. Sign in as an administrator to the SharePoint site whose settings you want to change.

  2. Click the Settings button (it features a picture of a gear) and select Library Settings. (See Figure 3-14.)

    The Settings menu, which contains links to Microsoft SharePoint settings, including Library Settings.

    Figure 3-14 The SharePoint Settings menu

  3. On the Settings page (see Figure 3-15), click Versioning Settings.

    The list of settings for a Microsoft SharePoint document library is displayed.

    Figure 3-15 SharePoint library settings

    The Versioning Settings page opens, where you can configure several versioning settings:

    • Require Content Approval for Submitted Items This is off by default. When enabled, items that are new or edited remain in a draft state until they are approved. Enabling this setting can slow down the content-publishing process, but it is useful in highly regulated or high-security environments.

    • Create Major Versions This is enabled by default. This ensures that modifications are saved to a major version, such as version 1, version 2, and so on.

    • Create Major and Minor (Draft) Versions This is disabled by default. If enabled, a major and minor version of the document is generated anytime the document is changed—for example, version 1.1, version 1.2, and so on.

    • Keep the Following Number of Major Versions By default, 500 major versions are kept. You can increase the number to a maximum of 50,000.

    • Keep Drafts for the Following Number of Major Versions This is disabled by default. If you enable content approval, then you can also configure versioning for drafts.

    • Draft Item Security This is disabled by default, and is not available unless you require content approval. You can configure drafts so that only users who can edit drafts are allowed to read them; any user can read them; or only the author and approvers can read them. This is useful for highly regulated industries or high-security organizations.

    • Require Check Out This is disabled by default. If you enable it, users must check out a file before editing it. When a file is checked out, other users cannot edit the document.

  4. Choose the desired versioning settings and click OK.

Configure OneDrive data retention for deleted users

By default, OneDrive content is retained based on SharePoint retention settings. For deleted users, OneDrive retains the user’s data for 30 days by default. Follow these steps to change the retention period for deleted users:

  1. Sign in as an administrator to the OneDrive admin center at https://admin.onedrive.com/.

  2. In the left pane, click Storage.

  3. On the Storage page, type the number of days to retain files for deleted users in the text box, and then click Save.

Note

Days are counted from the time the user is deleted.

When users are deleted, access to the OneDrive content is automatically enabled for the user’s manager (if configured). This is controlled in the SharePoint settings through the Enable Access Delegation feature, which is enabled by default. Optionally, you can manually designate a secondary owner, which is useful if the user doesn’t have a manager. Managers will be notified by email with instructions to access the deleted user’s data.

Configure information retention

Office 365 retention policies apply to your SharePoint, email, and Skype/Teams content. To retain data, you must configure retention policies. The policies will be based on your company requirements and which services you use. For the exam, you should be familiar with the capabilities across all the services and understand the limitations of the built-in retention capabilities.

Sometimes, retaining information is required for compliance or legal reasons. Other times, it is merely a way to help employees work more efficiently. For example, suppose you are trying to locate a document in your organization. Instead of searching through only the last year of documents, you might have to search every document ever produced (for example, in a company that keeps all data indefinitely). Obviously, that is not efficient.

Many organizations retain data for compliance, legal, and efficiency reasons. There are also organizations that maintain data “just in case,” or “because they aren’t sure if they will need it sometime in the future.” This often points to immature information retention policies or a non-existent information retention strategy.

The exam covers two ways to retain data:

  • Information retention policies These can be used to retain data for a specific period of time, delete data after it has been retained for a set period of time (optional), or delete data when it reaches a certain age. You choose the location(s) for the policy, including Exchange Online, SharePoint Online, and OneDrive. You can look at all of the locations later in this section.

  • Retention labels These are displayed in apps such as Outlook and OneDrive. Users can opt to use them to retain or delete data. One downside is that users choose whether to use labels and if so which ones. To avoid this, you can apply labels automatically based on conditions you dictate. (This requires an E5 license.) Labels can be used across Exchange, SharePoint, OneDrive, and Office 365 groups, but not across other services such as Teams, which is supported by retention policies.

Beyond retention policies and labels, this section also covers built-in features to manage data, such as the In-Place Hold in Exchange Online and the SharePoint Recycle Bin. Some of these built-in features, like the In-Place Hold, are deprecated or are no longer being developed, and will be replaced by retention labels and retention policies.

Before you implement information retention, you should have a good understanding of the prerequisites, capabilities, and limitations of the Office 365 information-retention policies.

Retention prerequisites

When using retention policies for Exchange Online and SharePoint Online, there are licensing prerequisites that must be met. These include:

  • Exchange Online Mailboxes must be tied to an Exchange Online Plan 2 license, an Office 365 E3 or Office 365 E5 license, or a Microsoft 365 E3 or E5 license. Anything less than that requires a separate Exchange Online Archiving license.

  • SharePoint Online (by way of the preservation hold library) You need SharePoint Online Plan 2, Office 365 E3 or E5, or Microsoft 365 E3 or E5.

Retention capabilities

Retention policies work across several areas of Office 365. While the focus here is on the major services of Office 365 (Exchange Online, SharePoint Online, and OneDrive for Business), you should be familiar with applicable locations for the smaller services. The following services are supported locations for retention policies:

  • Exchange email With Exchange email, you target mailboxes. Although you can use a distribution group or a mail-enabled security group as a target, the groups are expanded at the time of use and are not dynamic. So, for example, if you add Group1 to a retention policy, and that group contains nine members, only those nine members will be the target of the retention policy—even if you add 10 more people to the group later on. Note that in addition to including mailboxes, you can also exclude mailboxes.

  • SharePoint sites For SharePoint Online, you target the site level. You just need the site URL. Alternatively, you can select the site from a list.

  • OneDrive accounts For OneDrive, you can add accounts individually using the account URL or by selecting a site from a list.

  • Office 365 groups Office 365 groups can be targets of retention policies. You can search for a group or select groups from a list.

  • Skype for Business For new policies, this is off by default. If you enable it, you can choose individual users.

  • Exchange public folders For new policies, this is off by default. You can enable this, which automatically retains all public folders.

  • Teams channel messages For Teams, you can target channel messages for select teams and exclude specific teams.

  • Teams chats For Teams chats, you can include or exclude individual users.

Retention policies begin the retention period based on the age of the content or the last modification date. In contrast, retention labels can be used to start the retention period at the time of labeling. Additionally, labels can be used to launch a disposition review after the retention period has passed. This simply means the SharePoint or OneDrive document must be reviewed before it can be deleted.

Retention limitations

Microsoft is rapidly enhancing its services. As such, although the limitations listed here existed when the exam was developed, and even at the time of this writing, some of them may have been resolved by the time you read this.

Typically, the exam will reference limitations, especially long-term (or permanent) limitations. However, the exam often avoids short-term limitations. Be aware of the following limitations for the exam:

  • When you create a retention policy for Teams (Teams channel messages or Teams chats), all other retention locations are turned off. To retain Teams data, you must have a dedicated retention policy.

  • Teams does not support advanced retention. Therefore, you cannot create a retention policy to apply to data that meets specific conditions.

  • Advanced retention does not apply to Skype for Business or Exchange Online public folders. This is because public folders and Skype for Business do not support sensitive information types (which is one of the options for advanced retention).

  • Retention labels are not valid for Teams channel messages, Teams chats, or Skype for Business.

  • Only one retention label can be applied at a time.

Design data retention labels

There are two types of labels: sensitivity labels and retention labels. These cannot be used interchangeably. Sensitivity labels are for classifying documents to a certain level and retention labels prevent the data from being deleted before a certain amount of time. If you want to use a label for retention, it must be a retention label.

After you decide on a design for your data retention labels—whether it’s a sensitivity label or a retention label, and what settings you want to apply (discussed in the next section), you can create these labels. Once the labels are in place, you must monitor how effective they are.

Create a data retention label

In this section, you will go through the process of creating a data retention label and explore the available options. Follow these steps:

  1. Use an administrator account to log in to the Microsoft 365 compliance center at https://compliance.microsoft.com.

  2. In the navigation bar, click Show All, and then click Information Governance.

    The Information Governance page opens with the Labels tab displayed by default. This tab contains a list of existing sensitivity labels. (See Figure 3-16.)

    The Information Governance page with the Labels tab displayed. This tab contains a list of sensitivity labels. There are several labels defined, with durations that vary from three to 10 years.

    Figure 3-16 The Information Governance page with the Labels tab displayed

  3. Click the Retention tab.

  4. Click +Create A Label.

    The Create Retention Label wizard starts.

  5. On the Name Your Label page, type a name for the label—for this example, Tax Data – 7 Years.

  6. Optionally, type a description for admins and a description for users. Then click Next.

    Note

    It is recommended that you enter both of these descriptions. Although you might know what the label is for, others might not, and the label usage might not be so obvious, say, three years from now.

  7. On the Define Retention Settings page (see Figure 3-17), select a retention option—in this case, Retain Items for a Specific Period.

    The Microsoft 365 compliance center displaying the Define Retention Settings page of the Create Retention Label wizard. The settings are configured to retain the data for 7 years and then delete the items automatically.

    Figure 3-17 Defining retention settings

    Note

    Your other options here are to retain items forever, only delete items when they reach a certain age, or to not retain or delete items. Be aware that if you opt to delete items when they reach a certain age, that will apply to all items, not just items with retention labels applied.

  8. Leave the Retention Period drop-down list at the default setting (7 Years).

  9. Leave the Start the Retention Period Based On drop-down list at the default setting (When Items Were Created).

  10. Under At the End of the Retention Period, choose one of the following, and then click Next:

    • Delete Items Automatically Any item with the retention label applied will be deleted automatically when the retention period ends.

    • Trigger a Disposition Review Reviewers will receive an email to review the data when the retention period expires.

    • Do Nothing Choose this to leave the content as is when the retention period expires.

  11. On the Review Your Settings page, click Create This Label.

  12. On the Tax Data – 7 Years workspace, click Close.

Now that you have a retention label, you can use it to retain data—but first, it must become available for use. Remember, you create labels from the Microsoft 365 compliance center. After that, labels must sync to the applicable services such as Exchange Online and SharePoint Online. For SharePoint and OneDrive, the sync might take up to one day. For Exchange Online, the sync might take up to seven days.
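The same label can be created and published from Security & Compliance PowerShell, which is useful for scripted or repeatable deployments. The following script is an added example, not from the book: it reproduces steps 5 through 12 above (creation-based retention, 7 years, automatic deletion), publishes the label to Exchange, SharePoint and OneDrive, and creates the separate Teams policy that the "Retention limitations" section requires. It assumes the ExchangeOnlineManagement module is installed; the policy names, reviewer address and descriptions are constructed values.

```powershell
# Added example: create and publish the "Tax Data - 7 Years" retention label
# with Security & Compliance PowerShell. Assumes the ExchangeOnlineManagement
# module; names and addresses below are constructed for the example.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession          # prompts for a compliance admin account

$labelName  = 'Tax Data - 7 Years'
$policyName = 'Publish Tax Data label'     # constructed
$teamsName  = 'Teams 7 year retention'     # constructed
$sevenYears = 7 * 365                      # the wizard stores years as days

# 1. Create the label only if it does not exist, so re-running is safe.
if (-not (Get-ComplianceTag -Identity $labelName -ErrorAction SilentlyContinue)) {
    $tag = @{
        Name              = $labelName
        Comment           = 'Retain tax records for 7 years, then delete'   # admin description
        Notes             = 'Apply to tax filings and supporting documents' # user description
        RetentionType     = 'CreationAgeInDays'   # "When items were created"
        RetentionDuration = $sevenYears           # "7 years"
        RetentionAction   = 'KeepAndDelete'       # "Delete items automatically"
        # To trigger a disposition review instead, keep KeepAndDelete and add
        # ReviewerEmail = 'records@contoso.example' (constructed address).
    }
    New-ComplianceTag @tag
}

# 2. Publish it: a retention policy plus a rule that publishes the label.
if (-not (Get-RetentionCompliancePolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-RetentionCompliancePolicy -Name $policyName `
        -ExchangeLocation All -SharePointLocation All -OneDriveLocation All
    New-RetentionComplianceRule -Name "$policyName rule" -Policy $policyName `
        -PublishComplianceTag $labelName
}

# 3. Teams cannot share a policy with the other locations and does not support
#    labels, so Teams data gets its own policy with the retention set on the rule.
if (-not (Get-RetentionCompliancePolicy -Identity $teamsName -ErrorAction SilentlyContinue)) {
    New-RetentionCompliancePolicy -Name $teamsName `
        -TeamsChannelLocation All -TeamsChatLocation All
    New-RetentionComplianceRule -Name "$teamsName rule" -Policy $teamsName `
        -RetentionDuration $sevenYears -RetentionComplianceAction KeepAndDelete
}

# 4. Verify. Distribution can take up to a day for SharePoint/OneDrive and up
#    to seven days for Exchange, so DistributionStatus may show Pending at first.
Get-ComplianceTag -Identity $labelName |
    Select-Object Name, RetentionType, RetentionDuration, RetentionAction
Get-RetentionCompliancePolicy -Identity $policyName, $teamsName -DistributionDetail |
    Select-Object Name, Enabled, DistributionStatus
```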

Need More Review? Digging into Labels

To find out more about the label sync process and timing, along with other details of how labels work, see https://docs.microsoft.com/office365/securitycompliance/labels.

Monitor data governance

After you implement data governance, you need a way to find out if it is effective. You must also track usage rates and see whether any gaps exist in your implementation.

The Data Governance dashboard enables you to review key data-governance data at a glance:

  • Top five labels

  • Labels trend over the past 90 days

  • Top label users/policies

  • Risky labels activity

  • How labels were applied

Note

Data-governance data is available for up to 90 days. If you need to maintain data longer, you should plan to capture the data before it becomes unavailable.

One option for monitoring data governance is to use supervision policies. These enable you to capture organizational communications that can then be examined. Supervision is often used for individual employees or to monitor communications between specific groups in your organization. During the communication examination, an examiner classifies items as Compliant, Non-Compliant, Questionable, or Resolved. The examination takes place in Outlook on the web (via an add-in) or in the Outlook desktop app (also via an add-in).

Skill 3.3: Implement Azure Information Protection

Azure Information Protection (AIP) helps organizations protect data by using encryption, data classification, and labels. It was built from Active Directory Rights Management Services (AD RMS) and various acquisitions that Microsoft has made over the last few years.

AIP provides everything that AD RMS provides, plus much more. Where AD RMS is an on-premises service that is often restricted to internal use only, AIP is cloud-based and enables you to easily interoperate and share data with people at other organizations—even if they don’t have AIP.

Plan information protection solution

The first step in an AIP implementation project is to plan the implementation. To maximize your chances of a successful implementation, you must identify prerequisites, licensing requirements, and integration fundamentals before you start the implementation process.

Understand AIP prerequisites

Although AIP is a cloud-based service, there are prerequisites that you must be able to meet before you can use AIP. Following are the key prerequisites:

  • Azure Active Directory (Azure AD) Although many organizations have Azure AD for other reasons (for example, to support Office 365 or other cloud-based apps), some organizations don’t. Azure AD requires its own planning (for example, for Azure AD security, syncing from on-premises, and so on) but that isn’t part of this exam.

  • Client computers AIP clients must run Windows 7 or later or macOS 10.8 (Mountain Lion) or later.

  • Mobile devices Android phones must run Android 6.0 or later, while iOS devices must run iOS 11.0 or higher.

  • On-premises applications To integrate Exchange Server with AIP, you need a minimum of Exchange Server 2010. For SharePoint, you need a minimum of SharePoint 2010. To integrate with Windows file servers (specifically, with the File Classification Infrastructure), you need servers that run Windows Server 2012 or later. You can protect data on Windows Server 2008 R2 by using PowerShell, but not by using a file-management task like you can in Windows Server 2012 and later.

License AIP

You must license AIP before you can use it. Although you can consume AIP content without a license—for example, if a licensed AIP user protects data and sends it to you—you can’t protect content. To protect content, you need a license.

You have three options for AIP licensing:

  • Azure Information Protection Premium P1 AIP P1 is included with Enterprise Mobility + Security E3 and Microsoft 365 E3.

  • Azure Information Protection Premium P2 AIP P2 is included with Enterprise Mobility + Security E5 and Microsoft 365 E5.

  • Azure Information Protection for Office 365 AIP for Office 365 is included with Office 365 Enterprise E3 or higher plans.

Table 3-1 shows the key feature differences between versions of AIP. Note that this is not an exhaustive list of features.

Table 3-1 AIP features

Feature                              AIP P1   AIP P2   AIP O365
-----------------------------------  -------  -------  --------
On-premises connectors               Yes      Yes      No
Track and revoke shared documents    Yes      Yes      No
Automated classification             No       Yes      No
Recommended classification           No       Yes      No
Labeling                             No       Yes      No
Bring your own key (BYOK)            Yes      Yes      Yes
Hold your own key (HYOK)             No       Yes      No

Plan for AIP

Before deploying AIP, you must plan for the implementation. Now that you understand the prerequisites, the licensing, and the features available, you must figure out how your organization will use AIP and what you’ll need to do to prepare your environment for AIP.

Users and groups

Earlier in this section, we noted that a prerequisite for AIP is to have a sync between your on-premises AD DS environment and Azure AD. To license users with AIP, they must be in Azure AD. You can create users manually; however, it is a good practice to sync users from AD DS instead, because this reduces administrative overhead.

Along with users, you also must account for AD DS groups. You can use groups to delegate administration of AIP, to control the use of AIP, or for document access. As part of your planning, you should figure out which users and groups need to be synced. In many organizations, you should sync your user accounts for your users, but not for your on-premises service accounts, or other non-human accounts.

Assign Licenses

After you have users and groups synced (or created) in Azure AD, you must assign licenses. Each user who uses AIP must be licensed.

You can assign licenses individually, but this is tedious for organizations with more than a few users. You can also assign licenses to groups, such as an AIP Users group. This is especially effective for large organizations.

If you plan to do a phased implementation of AIP (for example, where the IT department is the first department to use AIP), you can create multiple groups and use them for licensing.

Choose an AIP key

The AIP key is an important planning consideration. You can choose the Microsoft-managed key (the default configuration) or bring your own key (BYOK).

Configure classification and labeling

Labels identify data based on sensitivity. For example, marketing materials used on your website might be labeled Public, while documents outlining a product strategy for the future might be labeled Sensitive.

When you apply a label to data, it can automatically encrypt data or adjust user access. Classification is the act of labeling data. For example, you might classify a Word document as Confidential (with Confidential being a label).

You can manually classify data or use automatic classification. Additionally, you can opt for classification tips, or recommendations. In this scenario, you enter a condition—for instance, “If a document contains X, then...”—and recommendations are displayed in supported applications such as Microsoft Word. As an example, Word might detect a condition in a document and recommend that the document be labeled Confidential. The user can then accept that recommendation by clicking Change Now or dismiss it by clicking Dismiss.

Some organizations might already use classification and labeling—for example, if they use data loss prevention (DLP), or if they use AD RMS with on-premises file servers. But for many organizations, classifying and labeling documents is a new concept. To start, these organizations might consider using a built-in AIP policy that provides various default labels, such as Confidential and Highly Confidential and build up from there. Most organizations will need more than the default labels.

As part of your classification and labeling strategy, you must train end users on the proper labeling of data. At some point, you might also want to take advantage of advanced features such as enforced labels, customization, and conditions. You will look at labeling in more detail later in this chapter.

Implement Azure Information Protection policies

With information protection, you publish policies to apply to a set of users or to all users. These policies contain various default labels (such as Public and Confidential) as well as some optional ones, most of which are turned off.

Although the default policies might work for some organizations, many will need to customize them or create new ones. When you publish a policy, you essentially indicate how the labels that comprise that policy should be used.

View existing policies

To view existing policies, follow these steps.

  1. Log in to the Microsoft 365 compliance center at https://compliance.microsoft.com.

  2. In the navigation bar, click Show All, and then click Information Protection.

  3. On the Information Protection page, click the Label Policies tab.

    You will see any existing policies. Figure 3-18 shows three policies.

The Microsoft 365 compliance center displays the label policies for information protection. There are three policies defined for the organization.

Figure 3-18 Information protection policies

Create and configure a policy

When you create a policy, you essentially publish how the labels in that policy should be used. For example, the HR department might have its own scoped policies.

The primary end-user settings that you can define in a policy are as follows:

  • Require Users to Apply a Label to Their Email or Documents This setting is turned off by default. If you turn it on, users will be prompted to label a document or email when they save or send it, respectively. Optionally, you can automatically label a document or email based on a condition or automatically assign a default label.

  • Users Must Provide Justification to Set a Lower Classification Label, Remove a Label, Or Remove Protection This setting is turned off by default. If you turn it on, and a user tries to lower the label classification, remove protection, or remove a label, they will be prompted to provide an explanation. This explanation is saved to the local event log (called the Applications and Services Logs/Azure Information Protection log). This log is not usually captured by log archiving or SIEM solutions, so consider capturing it as part of your AIP deployment.

  • Provide Users with a Link to a Custom Help Page This setting is turned off by default. If you turn it on, you will be prompted to include a URL that users can visit to learn more about the labels and policies within the organization.

In a scoped policy, you can implement departmental settings that override the global policy settings. Follow these steps to create a new scoped policy:

  1. Log in to the Microsoft 365 compliance center at https://compliance.microsoft.com.

  2. If necessary, click Show All on the navigation bar. Then click Information Protection.

  3. On the Information Protection page, click the Label Policies tab.

  4. Click Publish Label.

  5. On the Create Policy page, click Choose Sensitivity Labels to Publish.

  6. Select a label that you created in skill section 3.2 and click Next.

  7. On the Publish to Users and Groups page, click Select Which Users or Groups Get This Policy.

  8. In the Azure AD Users and Groups pane, search for the email-enabled group to which you want to apply the policy, select it, and click Done.

    Note

    You can apply this policy only to groups that are email-enabled.

    The group will be displayed below the name and description, as shown in Figure 3-19.

    The Microsoft 365 compliance center displaying the Users and Groups pane used to select a group to which to apply a sensitivity label policy. The search results show three groups.

    Figure 3-19 New scoped policy configuration settings

  9. Click Next.

  10. In the Policy Settings page, select the Require Users to Apply a Label to Their Email or Documents check box, and click Next.

  11. In the Name & Description page, type a name for the policy, and click Next.

  12. Review your settings and click Submit.

Note

If you have multiple policies, they are applied in order. In other words, the last policy in the list is applied.

When using custom policies, it is a good practice to use sub-labels. This enables departments to use more precise labels than the default ones such as Public and Confidential. The following steps show you how to create a new sub-label for the Highly Confidential label:

  1. On the Microsoft 365 compliance center Information Protection page, click the Labels tab. (See the preceding series of steps for help accessing this page.)

  2. Click the ellipsis (...) on the right side of the Highly Confidential label entry and choose Add Sub-Label from the menu that appears.

  3. On the New Sensitivity Label page, type a name for the sub-label, such as HR PII.

  4. Type a description for the label—for example, HR PII Data – Automatic Headers— and click Next.

  5. On the Scope tab, specify how the label should be applied within the organization, and click Next.

  6. On the Files & Email page, specify the encryption and content-marking settings, and click Next.

  7. Click Next on the Groups & Sites and Azure Purview Assets pages.

  8. On the Review & Finish page, click Create Label.

    Figure 3-20 shows the label added as a sub-label under Highly Confidential.

Figure 3-20 The Highly Confidential label with sub-labels
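Both procedures above (the scoped policy and the sub-label) can be scripted in Security & Compliance PowerShell. The following script is an added example, not from the book: it creates the HR PII sub-label under Highly Confidential with an automatic header marking, publishes it in a scoped policy to an email-enabled HR group, and enables the mandatory-label and downgrade-justification settings from the policy settings list. It assumes the ExchangeOnlineManagement module and an existing Highly Confidential label; the group address and policy name are constructed, and the key names in the Settings hashtable are an assumption taken from the settings shown by Get-LabelPolicy, so verify them in your tenant.

```powershell
# Added example: HR PII sub-label plus a scoped label policy for the HR group.
# Assumes the ExchangeOnlineManagement module and an existing parent label.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

$parentLabel = 'Highly Confidential'
$subLabel    = 'HR PII'
$hrGroup     = 'hr-staff@contoso.example'   # constructed; must be email-enabled
$policyName  = 'HR scoped policy'           # constructed

# Stop if the parent is missing rather than silently creating a top-level label.
Get-Label -Identity $parentLabel -ErrorAction Stop | Out-Null

# 1. Sub-label with the "Files & Email" header marking (steps 3 to 8 above).
if (-not (Get-Label -Identity $subLabel -ErrorAction SilentlyContinue)) {
    $label = @{
        Name        = $subLabel
        DisplayName = $subLabel
        Tooltip     = 'HR PII Data - Automatic Headers'
        ParentId    = $parentLabel                  # makes it a sub-label
        ApplyContentMarkingHeaderEnabled  = $true
        ApplyContentMarkingHeaderText     = 'HR PII - Highly Confidential'
        ApplyContentMarkingHeaderFontSize = 10
    }
    New-Label @label
}

# 2. Scoped policy: only the HR group receives the label (steps 4 to 12 above).
#    ExchangeLocation takes mail-enabled users and groups, which is why the
#    portal only lets you pick email-enabled groups.
if (-not (Get-LabelPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-LabelPolicy -Name $policyName -Labels $subLabel -ExchangeLocation $hrGroup
}

# 3. Policy settings: require a label (step 10) and require justification for
#    downgrades, which the client writes to the local Azure Information
#    Protection event log. Key names are an assumption; verify with Get-LabelPolicy.
Set-LabelPolicy -Identity $policyName -Settings @{
    mandatory                     = 'true'
    requiredowngradejustification = 'true'
}

# 4. Verify parentage and scope.
Get-Label -Identity $subLabel | Select-Object Name, ParentId, ContentType
Get-LabelPolicy -Identity $policyName | Select-Object Name, Labels, ExchangeLocation, Settings
```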

Need More Review? Learn More About Policy Settings and Labels

To learn more about policy settings and creating new labels, see the how-to guides at https://docs.microsoft.com/en-us/azure/information-protection/how-to-guides.

After an organization has established policies, labels, and clients (discussed later), the next task it often takes on is protecting data. For this, Microsoft offers an Azure Information Protection scanner. The scanner runs as a service on a Windows server and can scan and protect local files on the server, UNC paths, and on-premises SharePoint libraries and sites.

Need More Review? AIP Scanner

For more information about the AIP scanner, see https://docs.microsoft.com/en-us/azure/information-protection/tutorial-install-scanner.

Monitor label alerts and analytics

The Microsoft 365 compliance center has built-in reporting and analytics for the labels that you have configured in the organization. To access this information, click Reports in the navigation bar on the left. The Reports page contains the following information cards (see Figure 3-21):

  • How Labels Were Applied Shows how many labels were applied manually and how many were applied automatically

  • Labels Classified as Records Shows how many labels are records and how many are non-records

  • Labels Trend Over the Past 90 days Shows the use of labels across SharePoint, OneDrive, and Exchange

  • Top 5 Labels Shows the top five labels used over the last 90 days

  • Retention Label Usage Shows the top labels applied for SharePoint, OneDrive, and Exchange

  • Sensitivity Label Usage Enables you to configure analytics using a Log Analytics workspace in Microsoft Azure

The Microsoft 365 compliance center displaying the Reports page. This page shows details of labels, reports, retention labels, and label use across the organization.

Figure 3-21 The Microsoft 365 compliance center Reports page

Reporting in Azure Information Protection

Azure Information Protection offers centralized reporting. The following reports are available:

  • Usage report

  • Activity logs

  • Data discovery report

  • Recommendations report

As of this writing, using centralized reporting with Azure Information Protection is in preview. For more information, see https://docs.microsoft.com/en-us/azure/information-protection/reports-aip.

Deploy Azure Information Protection unified labeling client

The unified labeling client is a local installation that allows users to work with documents that have been marked with sensitivity labels, even if those users do not have an AIP license. There are two options to deploy the unified labeling client:

  • Executable The EXE version checks for and can install many prerequisites.

  • Windows Installer The MSI version can be used with Intune, Configuration Manager, or group policies for large deployments. This version does not automatically install any missing prerequisites.

You can run the executable installer silently by running the following command from a command prompt or script:

AzInfoProtection_UL.exe /quiet

If you plan to use the MSI version, you must manually install the prerequisites, depending on which version of Office the client will be running. Table 3-2 outlines the dependencies required on the client based on Office version.

Table 3-2 Unified labeling client prerequisites

Office version                                | Operating system                        | Software
----------------------------------------------|-----------------------------------------|------------------------------------------------
All versions except Office 365 1902 or later  | Windows 10 version 1809 only            | KB 4482887
Office 2016                                   | All supported versions                  | KB 3178666
Office 2013                                   | All supported versions                  | KB 3172523
Office 2010                                   | All supported versions                  | Microsoft Online Service Sign-in Assistant v2.1
Office 2010                                   | Windows 8.1 and Windows Server 2012 R2  | KB 2843630
Office 2010                                   | Windows 8 and Windows Server 2012       | KB 2843630

For a default silent installation of the MSI version, run the following from a command prompt or script (in a deployment script, the equivalent msiexec /i AzInfoProtection_UL.msi /quiet form is preferable, because msiexec returns an exit code you can check and accepts /l*v for a verbose install log):

AzInfoProtection_UL.msi /quiet

Configure Information Rights Management (IRM) for workloads

AIP is functional when used with Microsoft Office. However, you can enhance its capabilities and increase its benefits by extending the functionality to other supported applications.

Earlier, you looked at integration with on-premises technologies such as file servers, Exchange Server, and SharePoint. In this section, you examine the process of integrating IRM with Office 365.

AIP integrates with some Office 365 applications. You should be familiar with these applications and the integrations. Additionally, there are some specific implementation details that you should know for the exam.

Here are the supported integrations with Office 365:

  • Exchange Online Integration with Exchange Online enables users to protect individual email messages. For example, you can prevent recipients from forwarding emails and protect attachments by encrypting them. Optionally, you can enable only the HR department to view specific attachments. On the back end, email administrators can use mail flow rules to automatically apply protection to email messages based on recipient, subject, or content (based on keywords or phrases).

    Note

    AIP is useful for DLP policies because when something sensitive is being sent outbound, it can automatically be protected with AIP.

  • SharePoint Online When SharePoint Online is integrated with AIP, admins can protect SharePoint lists and document libraries with IRM. Files are stored in the library unencrypted; protection is applied at download, and the rights a user receives are derived from that user's permissions on the library. This also means unprotected files that users upload become protected the moment anyone downloads them.

  • OneDrive for Business After integration, users can configure their OneDrive for Business library for IRM. Note that OneDrive integration relies on the SharePoint Online integration with AIP. Optionally, admins can use PowerShell to configure IRM on behalf of users.
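The mail flow rules mentioned under Exchange Online, as an added example written for this section rather than taken from the book. It assumes the ExchangeOnlineManagement module is installed, the account holds the Transport Rules role, and that the placeholder addresses and group (admin@contoso.com, HR@contoso.com) exist in your tenant; the rule names and keywords are the example's own.

```powershell
# Added example (not from the book): apply Azure RMS protection automatically with
# mail flow rules. Placeholders: admin@contoso.com, HR@contoso.com, rule names.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# Confirm which RMS templates the tenant exposes before referencing one in a rule.
# "Do Not Forward" and "Encrypt" are built in; custom templates also appear here.
Get-RMSTemplate | Format-Table Name, Description -AutoSize

# Rule 1: mail leaving the organization with a confidentiality keyword in the
# subject or body gets Do Not Forward. Start in Audit mode so matches are logged
# in the rule report but nothing changes; switch to Enforce after reviewing it.
New-TransportRule -Name 'Protect confidential outbound mail' `
    -SentToScope NotInOrganization `
    -SubjectOrBodyContainsWords 'Confidential', 'Internal Only' `
    -ApplyRightsProtectionTemplate 'Do Not Forward' `
    -Mode Audit `
    -Comments 'Pilot: audit first, then enforce'

# Rule 2: classification based. Any message containing a U.S. SSN is encrypted
# with the built-in Encrypt template regardless of the surrounding text.
New-TransportRule -Name 'Encrypt mail containing SSNs' `
    -MessageContainsDataClassifications @(@{Name = 'U.S. Social Security Number (SSN)'; minCount = '1'}) `
    -ApplyRightsProtectionTemplate 'Encrypt' `
    -Mode Enforce

# Rule 3: department based. Spreadsheets sent by HR members are always protected,
# so payroll exports cannot be forwarded on by their recipients.
New-TransportRule -Name 'Protect HR spreadsheet attachments' `
    -FromMemberOf 'HR@contoso.com' `
    -AttachmentExtensionMatchesWords 'xlsx', 'xls', 'csv' `
    -ApplyRightsProtectionTemplate 'Do Not Forward' `
    -Mode Enforce

# Verify: rules are evaluated in priority order (0 first), so check that an
# earlier rule with a "stop processing" action cannot shadow these.
Get-TransportRule | Sort-Object Priority |
    Format-Table Priority, Name, Mode, ApplyRightsProtectionTemplate -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Audit mode is the safe starting point for any protection rule: a template such as Do Not Forward applied to the wrong population breaks legitimate workflows (shared mailboxes, ticketing systems that need to forward), and the rule report lets you see those matches before the rule enforces anything.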

There are different capabilities offered with the integrations:

  • Protection You need a subscription that includes AIP to enable protection capabilities. All AIP levels (AIP for Office 365, AIP P1, and AIP P2) offer protection capabilities. AIP for Office 365 is included with Office 365 Enterprise E3 and above. AIP P1 is included with Microsoft 365 E3 and Microsoft Enterprise Mobility + Security E3. AIP P2 is included with Microsoft 365 E5 and Enterprise Mobility + Security E5.

  • Classification and labeling To enable classification and labeling, you must have a subscription that includes AIP P1 or AIP P2. AIP for Office 365 does not include classification and labeling. Automatic labeling and classification is included only with AIP P2.

Plan for Windows Information Protection (WIP) implementation

Windows Information Protection (WIP) is a data-protection technology that focuses on data residing on client computers running Windows 10. WIP combines mobile device management (MDM), AppLocker, and Encrypting File System (EFS). WIP isn’t a direct competitor of AIP. Instead, it focuses on a different kind of protection—protecting local data on devices—whereas AIP focuses on protecting shared data or protecting data in Exchange, on SharePoint, and on file servers.

Understand WIP

WIP relies on data encryption through EFS to encrypt data based on an organization’s WIP MDM policies. These policies dictate if and when data is encrypted and if and when it can be accessed.

WIP allows organizations to obtain the following benefits:

  • Encrypt corporate data By using EFS, WIP encrypts corporate data across all enrolled devices.

  • Wipe corporate data from devices When users use their own devices, it can be challenging to manage those devices and to ensure that corporate data isn’t lost on them. WIP enables administrators to wipe only corporate data on these devices.

  • Enable personal devices to access corporate data Some organizations prohibit the use of personal devices to access corporate data. With WIP, organizations can safely enable such access while providing data protection.

  • Specify the list of apps that can access corporate data WIP enables you to specify a whitelist of applications that can access corporate data.

WIP relies on Windows 10 (version 1607 and later) and an MDM solution. At the time of this writing, the supported MDM solutions are Microsoft Intune and System Center Configuration Manager. You can also use a third-party MDM, although you might not be able to take advantage of a GUI for the configuration. Instead, you might have to configure the EnterpriseDataProtection configuration service provider (CSP) directly, which is the interface every MDM ultimately uses to push WIP settings to the device.

WIP categorizes apps into two categories:

  • Enlightened apps These apps can distinguish corporate data from personal data, so they encrypt only the corporate data and leave personal data alone.

  • Unenlightened apps These apps cannot tell the difference, so WIP treats everything they create or save as corporate data and encrypts all of it, not just the corporate portion.

You can convert an unenlightened app to an enlightened app by using code and the WIP API. Note, however, that if an app is intended to work only with corporate data, you might not need to enlighten it.

At the time of this writing, the following Microsoft apps are enlightened:

  • Microsoft 3D Viewer

  • Microsoft Edge

  • Internet Explorer 11

  • Microsoft People

  • Mobile Office apps, including Word, Excel, PowerPoint, OneNote, Outlook Mail, and Calendar

  • Office 365 Professional Plus apps, including Word, Excel, PowerPoint, OneNote, and Outlook

  • OneDrive app

  • OneDrive sync client (OneDrive.exe, the next generation sync client)

  • Microsoft Photos

  • Groove Music

  • Notepad

  • Microsoft Paint

  • Microsoft Movies & TV

  • Microsoft Messaging

  • Microsoft Remote Desktop

  • Microsoft To Do

WIP has some limitations that you should know about (this isn’t an exhaustive list):

  • WIP is suited for single-user devices If two or more people use the same computer, there might be app-compatibility issues when using WIP. So, if you want to use WIP, you should limit each device to a single user.

  • Sharing data with USB drives doesn’t work If you use WIP, you can copy data to a USB drive, but it stays encrypted. The data will be inaccessible on other devices and to other users. Instead, you should share files through your internal file servers or authorized cloud data repositories.

  • WIP is limited to a select set of apps WIP can’t cover all use cases because it is limited to a specific set of apps. Although you can add more apps, not all apps will support WIP integration.

Implement WIP

To apply a WIP policy to an enlightened app, follow these steps:

  1. Log in to the Microsoft Endpoint Manager admin center at https://endpoint.microsoft.com.

  2. Click Apps in the navigation bar. Then click App Protection Policies.

  3. In the App Protection Policies page, click Create Policy and choose Windows 10 from the menu that appears. (See Figure 3-22.)

    The Microsoft Endpoint Manager admin center displays the current app protection policies and a button to create a new policy.

    Figure 3-22 Creating an app protection policy

    The Create Policy wizard starts with the Basics tab displayed.

  4. Type a name for the policy in the Name box—in this case, BYOD – WIP Policy.

  5. Select the desired platform—here, Windows 10.

  6. Open the Enrollment State drop-down list and choose With Enrollment. (See Figure 3-23.) Then click Next.

    The Microsoft Endpoint Manager admin center displaying the Basics tab on the Create Policy wizard with settings to create a new policy. The name of the new policy is BYOD – WIP Policy, and the enrollment state is set to With Enrollment.

    Figure 3-23 The Basics tab on the Create Policy wizard

  7. In the Targeted Apps tab, click the Add link under Protected Apps.

  8. Select the Word Mobile check box and click OK.

    The app you added appears in the list of protected apps. (See Figure 3-24.)

    The Microsoft Endpoint Manager admin center displaying the Targeted Apps tab. The selected apps are Word Mobile and Microsoft Teams.

    Figure 3-24 The Protected Apps list in the Targeted Apps tab of the Create Policy wizard

  9. Optionally, add more apps. When you’re finished, click Next.

  10. In the Required Settings tab, set the Windows Information Protection mode to Block. Then click Next.

  11. On the Advanced Settings tab, click the On button under Show the Enterprise Data Protection Icon. Then click Next.

  12. On the Assignments tab, add groups to which the policy should be assigned. Then click Next.

  13. On the Review + Create tab, click Create.

    The new policy appears in the list of policies on the App Protection Policies page. (See Figure 3-25.)

The Microsoft Endpoint Manager admin center displays the list of configured app protection policies. There are three configured policies, including the BYOD – WIP Policy that was just created.

Figure 3-25 WIP policy list

Whereas adding recommended apps is easy, adding desktop and store apps to the list of protected apps isn’t as intuitive. The following steps walk you through the process of adding a desktop app (in this case, Microsoft Word).

  1. On a computer that has the desktop app you want to add installed, open a PowerShell prompt.

  2. Run the following command:

    Get-AppLockerFileInformation -Path 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE' | FL

  3. Copy the publisher value to the clipboard.

  4. Log in to the Microsoft Endpoint Manager admin center at https://endpoint.microsoft.com.

  5. Click Apps in the navigation bar. Then click App Protection Policies.

  6. In the App Protection Policies page, click Create Policy and choose Windows 10 from the menu that appears.

    The Create Policy wizard starts.

  7. Click the Targeted Apps tab. Then click the Add link under Protected Apps.

  8. Click Protected Apps in the left pane and then click the Add Apps button in the right pane.

  9. Click the drop-down menu at the top of the right pane and then click Desktop Apps.

  10. Enter the following information:

    • Name Microsoft Word

    • Publisher Publisher value from PowerShell command output

    • Product Name Microsoft Word

    • File WINWORD.EXE

    • Min Version 15.0

  11. Finish the Create Policy wizard to add the policy. Figure 3-26 shows the result.

The Microsoft Endpoint Manager admin center displaying the Targeted Apps tab with the new app listed. This policy protects a specific version of Microsoft Word using the publisher and filename details.

Figure 3-26 Add a desktop app to the policy.
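The desktop-app procedure above done for several Office executables at once, as an added example that is not code from the book. It assumes a 64-bit Click-to-Run Office installation under the default path (adjust $officeRoot for 32-bit or MSI-based installs), that the Publisher value prints in the form "O=...,C=US\PRODUCT\BINARY\VERSION" shown by Format-List, and that the policy's protected-apps list accepts an imported AppLocker XML file via its Import apps option.

```powershell
# Added example (not from the book): collect the Publisher / Product Name / File /
# version values the WIP desktop-app form asks for, for several Office binaries,
# and emit an AppLocker publisher-rule XML you can import instead of typing each.
$officeRoot = 'C:\Program Files\Microsoft Office\root\Office16'   # assumed path
$exes = 'WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE', 'OUTLOOK.EXE'

$fileInfo = foreach ($exe in $exes) {
    $path = Join-Path $officeRoot $exe
    if (-not (Test-Path $path)) { Write-Warning "Not found, skipping: $path"; continue }
    Get-AppLockerFileInformation -Path $path
}

# The Publisher value prints as "O=...,C=US\PRODUCT NAME\BINARY NAME\VERSION".
# Split on the backslash to get the four fields; the publisher DN contains commas
# but never a backslash. Unsigned binaries have no publisher and are skipped,
# since WIP desktop-app rules are publisher based.
$entries = foreach ($fi in $fileInfo) {
    if (-not $fi.Publisher) { Write-Warning "Unsigned, skipping: $($fi.Path)"; continue }
    $parts = "$($fi.Publisher)".Split('\')
    [pscustomobject]@{
        Publisher   = $parts[0]
        ProductName = $parts[1]
        File        = $parts[2]
        Version     = [version]$parts[3]
    }
}
$entries | Format-Table -AutoSize

# Min Version in the policy must not exceed the oldest build actually deployed,
# or those machines silently fall outside protection. Report the floor seen here
# as a sanity check against the value you type into the policy.
$floor = ($entries | Sort-Object Version | Select-Object -First 1).Version
"Lowest signed version on this machine: $floor"

# Build an AppLocker publisher policy from the same file information.
# -Optimize merges rules that share a publisher and product where possible.
$xml = $fileInfo | New-AppLockerPolicy -RuleType Publisher -User Everyone -Optimize -Xml
$out = Join-Path $env:TEMP 'wip-office-desktop-apps.xml'
Set-Content -Path $out -Value $xml -Encoding UTF8
"AppLocker policy written to $out"
```

Run this on a machine with the same Office channel as your fleet; the version in the publisher string is the build of that one machine, so the Min Version you choose for the policy (15.0 in the walkthrough) should come from your lowest deployed build, not from this output.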

When it comes to the policy, be aware of the following:

  • The filename for protected apps is the executable file of the application.

  • The min version specifies the minimum app version. Be sure to account for the lowest version in use at your organization.

  • There are four WIP modes you can use in a policy:

    • Block Enterprise data is blocked from being copied or moved to an unprotected app.

    • Allow Overrides Users are prompted if they try to copy or move data from a protected app to an unprotected app. They can override and perform the copy or move, but the action will be logged.

    • Silent Users can copy or move data from protected apps to unprotected apps, but the actions are logged. Think of this as an auditing mode.

    • Off Users can copy or move data from protected apps to unprotected apps, but the actions are not logged.

Here, you created a basic policy. However, there are additional advanced options that you should be aware of. These are covered in the following list. Each bulleted item represents an optional advanced setting.

  • Add Network Boundary Network boundaries are locations from which clients can get enterprise data. For example, you can add cloud resources (such as SharePoint), protected domains, network domains, proxy servers, IPv4 or IPv6 ranges, and other resources.

  • Enterprise Proxy Servers List Is Authoritative (Do Not Auto-Detect) Windows auto detects proxy servers. Turn on this setting if you want to define an authoritative list of proxy servers.

  • Enterprise IP Ranges List Is Authoritative (Do Not Auto-Detect) Instead of having Windows auto detect IP address ranges, you can define them manually.

  • Data Protection You can upload an EFS Data Recovery Agent (DRA) certificate so that you can recover encrypted data. While this is optional, it is highly recommended. Without a DRA, if anything happens to your EFS encryption key, your encrypted data is unrecoverable.

  • Prevent Corporate Data from Being Accessed By Apps When the Device Is Locked This setting prevents data from being accessed while a device is locked. (Note that this setting applies only to Windows 10 Mobile.)

  • Revoke Encryption Keys on Unenroll If a device unenrolls from your policy, then the encryption keys are revoked. This is turned on by default.

  • Show the Enterprise Data Protection Icon The Data Protection icon indicates to users that they are working with enterprise data. It is helpful for users, especially during the early stages of a WIP deployment.

  • Use Azure Rights Management Service (RMS) for WIP Azure RMS can be used for WIP encryption—specifically to protect data when it leaves a device. This is an enhancement that extends data protection beyond just using WIP by itself.

  • Allow Windows Search Indexer to Search Encrypted Items This is turned on by default. It enables Windows Search to index encrypted items. In high-security environments, you should turn this off.

  • Add Encrypted File Extensions You can specify that files with certain file extensions be encrypted automatically when they are copied to a file server in your corporate boundary.

Need More Review? Create an EFS DRA

You should familiarize yourself with the process of creating an EFS DRA. See https://docs.microsoft.com/previous-versions/tn-archive/cc512680(v=technet.10) for more information.

Skill 3.4: Plan and implement data loss prevention (DLP)

Data loss prevention (DLP) is a technology made up of hardware and software to prevent, minimize, or protect against data loss or unauthorized access to data. Specific to Microsoft 365 and Office 365, DLP is a security feature to protect against data loss, data leakage, and unauthorized viewing of data in Exchange Online, SharePoint Online, and OneDrive for Business. In some cases, DLP is used to enable a company to meet compliance or adhere to government regulations. In other cases, DLP is used to enhance the security of an organization (from intellectual property loss, for example). DLP is one technology, and is intended to be layered with other security technologies, such as data encryption, threat management, and anti-malware.

This is a hands-on skill section. Your goal should be to understand how to create, configure, and manage DLP policies with an emphasis on the configuration. In this section, you will learn how DLP works, create a DLP policy, configure a DLP policy, and monitor DLP policy matches.

Plan for DLP

Data loss prevention (DLP) is a technology that enables you to minimize the leakage of sensitive data. In Office 365, DLP is integrated with Exchange Online (and thus Outlook on the web and Outlook), SharePoint Online, and OneDrive for Business. Additionally, it helps protect information in the desktop versions of Excel, PowerPoint, and Word.

DLP relies on content analysis to detect information you have defined as sensitive. The content analysis includes the following methods:

  • Dictionary matches DLP matches content against keyword dictionaries you define. Dictionaries are optional and hold large lists of sensitive terms; a single dictionary supports as many as 100,000 terms. For smaller sets of terms, use keyword lists instead, which are easier to manage.

  • Keyword matches DLP scans documents and emails for keywords that you define in keyword lists. Keyword lists live inside a sensitive information type; the built-in types cannot be edited in place, so you copy a built-in type or create a custom one and add your keyword list there.

  • Regular expression matches Sometimes, you need to protect company-specific sensitive information, such as internal project names or numbers. You can create a custom sensitive information type and use regular expressions to define the criteria. DLP will scan using the defined regular expressions, and the confidence of a match rises when corroborating keywords appear within a set distance of it.

  • Internal functions DLP uses many internal functions to facilitate built-in functionality. For example, the func_expiration_date function looks for date formats often used by credit cards, such as 12/25 (for December of 2025), to corroborate credit card information, and the credit card number itself is validated with a checksum rather than matched on digits alone.
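A custom sensitive information type that combines a regular expression with corroborating keywords and confidence levels, as an added example that is not from the book. The project-code pattern, names, and descriptions are made up for the example, and it assumes the ExchangeOnlineManagement module and an account that can connect to Security & Compliance PowerShell (admin@contoso.com is a placeholder). The final Test-DataClassification probe is an Exchange Online cmdlet; if it is not exposed in your compliance session, run it from an Exchange Online session instead.

```powershell
# Added example (not from the book): define a custom sensitive information type
# with a regex as primary evidence and keywords as corroborating evidence, then
# upload it as a rule package. GUIDs, names and the pattern are made up here.
Connect-IPPSSession -UserPrincipalName admin@contoso.com

$rulePackId  = [guid]::NewGuid()
$publisherId = [guid]::NewGuid()
$entityId    = [guid]::NewGuid()

# Two patterns on one entity: the regex alone is low confidence (65); the regex
# plus a project keyword within 300 characters (patternsProximity) is high
# confidence (85). A DLP rule can then set minConfidence 85 to ignore bare hits.
$rulePackXml = @"
<?xml version="1.0" encoding="utf-8"?>
<RulePackage xmlns="http://schemas.microsoft.com/office/2011/mce">
  <RulePack id="$rulePackId">
    <Version major="1" minor="0" build="0" revision="0"/>
    <Publisher id="$publisherId"/>
    <Details defaultLangCode="en-us">
      <LocalizedDetails langcode="en-us">
        <PublisherName>Contoso</PublisherName>
        <Name>Contoso project identifiers</Name>
        <Description>Detects internal project codes such as PRJ-2024-AB</Description>
      </LocalizedDetails>
    </Details>
  </RulePack>
  <Rules>
    <Entity id="$entityId" patternsProximity="300" recommendedConfidence="85">
      <Pattern confidenceLevel="65">
        <IdMatch idRef="Regex_contoso_project_code"/>
      </Pattern>
      <Pattern confidenceLevel="85">
        <IdMatch idRef="Regex_contoso_project_code"/>
        <Match idRef="Keyword_contoso_project"/>
      </Pattern>
    </Entity>
    <Regex id="Regex_contoso_project_code">\bPRJ-20[0-9]{2}-[A-Z]{2}\b</Regex>
    <Keyword id="Keyword_contoso_project">
      <Group matchStyle="word">
        <Term>project</Term>
        <Term>codename</Term>
        <Term>engagement</Term>
      </Group>
    </Keyword>
    <LocalizedStrings>
      <Resource idRef="$entityId">
        <Name default="true" langcode="en-us">Contoso Project Code</Name>
        <Description default="true" langcode="en-us">Internal project code with corroborating keywords</Description>
      </Resource>
    </LocalizedStrings>
  </Rules>
</RulePackage>
"@

# Fail fast on malformed XML locally before sending it to the service.
[xml]$parsed = $rulePackXml
$path = Join-Path $env:TEMP 'contoso-project-code.xml'
[System.IO.File]::WriteAllText($path, $rulePackXml, [System.Text.UTF8Encoding]::new($false))

# Upload the package; the service validates the schema and the regex on import.
New-DlpSensitiveInformationTypeRulePackage -FileData ([System.IO.File]::ReadAllBytes($path))

# Verify registration, then probe detection with a constructed sentence that
# contains both the code and a keyword (expect the 85-confidence pattern).
Get-DlpSensitiveInformationType -Identity 'Contoso Project Code' |
    Format-List Name, Publisher, RecommendedConfidence
Test-DataClassification -TextToClassify 'Budget for project PRJ-2024-AB is attached' `
    -ClassificationNames 'Contoso Project Code'
```

Keep the bare-regex pattern at a confidence a rule will not act on; anchoring the word boundaries and requiring a nearby keyword for the high-confidence pattern is what keeps a short code like this from matching inside unrelated identifiers.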

Understand the DLP policy sync process

By default, there are no DLP policies. You must create them. You can use built-in templates to cover common use cases, such as protecting health information and financial information. Because these policies are used across multiple technologies, you must sync them after creating or modifying them. Figure 3-27 shows an overview of the sync process.

A workflow diagram that displays how the Security & Compliance Center uses data loss prevention policies, which are then applied to various Microsoft services including Exchange Online, SharePoint Online, OneDrive for Business, and Office desktop apps.

Figure 3-27 DLP policy sync process

The following steps describe the general DLP policy sync process:

  1. You create a new DLP policy in the Security & Compliance Center. Note that all new policies are created there.

  2. The DLP policy syncs to the central policy store.

  3. From the central policy store, the DLP policy syncs to Exchange Online (and from there, Outlook on the web and Outlook), SharePoint Online, OneDrive for Business, and Office desktop apps (Word, Excel, and PowerPoint).

  4. After the syncing process is complete, DLP begins to evaluate content in each of the services, based on the DLP policies.

Note DLP Side-By-Side

You might be wondering what happens if you have DLP policies in Exchange Online and in the Security & Compliance Center. In short, they work side-by-side. DLP policies created in Exchange Online (through the Exchange admin center and mail flow rules) apply only to email, whereas policies created in the Security & Compliance Center apply across all integrated workloads. When policies in the Microsoft 365 compliance center meet all your needs, use them to simplify your environment. The Exchange Online policies remain available because they offer email-specific conditions and actions that aren’t available with policies created in the Security & Compliance Center.

DLP policies have the following characteristics:

  • A location to indicate where to protect content This could be Exchange Online, SharePoint Online, or OneDrive for Business.

  • Conditions to indicate when to protect content For example, you might have a condition that matches when a driver’s license number is shared with people outside your organization. Conditions are stored in rules.

  • Actions to indicate how to protect content You use actions to specify what action should be taken when matching content is discovered. For example, you can configure an action to restrict access or notify a user. Actions are stored in rules.

Create DLP policies

You can create DLP policies from the Security & Compliance Center or by using PowerShell. You should be familiar with both methods for the exam.

Let’s look at the procedure for creating a new DLP policy in the Security & Compliance Center. Follow these steps:

  1. Log in to the Microsoft 365 compliance center at https://compliance.microsoft.com.

  2. Click Data Loss Prevention in the navigation bar on the left.

  3. On the DLP page, click the Create Policy button.

    A DLP wizard launches and presents you with categories of built-in templates. Alternatively, you can choose to create a custom policy from scratch. (See Figure 3-28.)

    The Microsoft 365 compliance center wizard displays available templates for creating a DLP policy.

    Figure 3-28 DLP policy templates

  4. Click the Privacy category and choose the U.S. Personally Identifiable Information (PII) Data template. Then click Next.

  5. Use the default name or type a new name for the policy. For this demonstration, we’ll use the default name.

  6. Optionally, type a description of the policy. Then click Next.

    By default, all DLP policies protect content in all supported locations (such as email, OneDrive, and SharePoint). If you are creating a policy for a particular platform, you can opt to choose specific services instead.

  7. In this example, you will protect content in all locations, so simply click Next.

    In this template, the policy is configured to look for specific information and to dictate how aggressively data is labeled (using a match accuracy number).

  8. On the Define Policy Settings page, choose the Review and Customize Default Settings from the Template option button (see Figure 3-29) and then click Next.

    The Define Policy Settings page is configured to review and customize default settings from the template.

    Figure 3-29 DLP policy content-detection configuration

    The template’s default settings are to detect when content that contains personally identifiable information (PII) is shared only with people outside your organization. However, you can change the policy to detect when data is shared only with people inside your organization. (Note that if you want to detect both scenarios, you will need to create two policies.) Alternatively, you can select the Create or Customize Advanced DLP Rules option button to add more conditions or exceptions to the configuration.

  9. On the Info to Protect page, choose whether to detect when content is shared only outside the organization (the default) or only inside the organization. Then click Next.

  10. On the Protection Actions page, choose how users should be notified when PII is detected, and click Next.

    By default, a policy tip is shown to users, and users get an email notification. You can customize the tip and the email, if desired. You can also change the number of times sharing sensitive data must occur before the action is deemed a violation. Finally, you can opt to restrict access to the data if there is PII or encrypt the data (such as with Azure Information Protection). Figure 3-30 shows the available options.

    The Protection Actions page is displayed with most options enabled. These include showing policy tips, detecting at least 10 instances of sensitive types, and sending reports and alerts when a rule matches.

    Figure 3-30 DLP policy protection actions

  11. On the Customize Access and Override Settings page, specify whether to restrict access or encrypt content, audit or restrict various device actions, restrict third-party apps, and/or restrict access to on-premises file servers. Then click Next. Figure 3-31 displays some of the settings that can be configured at the device level.

    The Access and Override Settings page is displayed. Windows devices have additional auditing enabled for all options except Copy to a USB Removable Media, which is set to Block with Override.

    Figure 3-31 Customizing access for restricted content

  12. On the Test or Turn On the Policy page, indicate whether you want to turn on the policy now, keep the policy turned off, or test it (the default). In this case, accept the default setting, and click Next.

    Note

    It is a good practice to test new policies before turning them on.

  13. On the Review Your Policy and Create It page (see Figure 3-32), check the settings to ensure they are correct, and click Submit.

    The Microsoft 365 compliance center displays the Review Your Policy and Create It page, showing the settings for a new DLP policy. This policy protects U.S. PII.

    Figure 3-32 DLP policy settings review page

    The console displays the policy and status. Note that it can take as long as an hour before the policy takes effect, as shown in Figure 3-33.

The Microsoft 365 compliance center displays the details of the U.S. Personally Identifiable Information (PII) Data Policy, including the locations to apply the policy and the policy settings.

Figure 3-33 DLP policy overview

If you have more than one DLP policy, then policies are ordered, with each policy having an order number. The order number is shown when you view policies in the portal. When you get information about policies from PowerShell, however, you use the term priority. An order of 3 is the same as a priority of 3.

The first policy you create has an order or priority of 1; the second one has an order or priority of 2; and so on. The order is assigned at creation and can be changed afterward (for example, with the Priority parameter of Set-DlpCompliancePolicy); the lower the number, the higher the priority. When you have multiple policies with conflicting rules, the most restrictive action is enforced. Here is an example of how priority works in action:

  • Rule 1 (priority/order 1) Restricts access, allows user overrides

  • Rule 2 (priority/order 2) Restricts access, notifies users, does not allow user overrides

  • Rule 3 (priority/order 3) Notifies users, does not restrict access

  • Rule 4 (priority/order 4) Restricts access, does not notify users

  • Rule 5 (priority/order 5) Restricts access, notifies users, does not allow user overrides

If you send an email that matches all of the rules (rule 1, 2, 3, 4, and 5), then rule 2 is enforced. That’s because rule 2 is the most restrictive and highest priority. Notice that rule 2 and rule 5 have the same restrictions. However, rule 2 is higher priority, so it ends up being the rule enforced.

Configure DLP policies

In this section, you will first look at some key settings. After that, you’ll walk through some of the policy settings.

You can configure DLP policies when you create them, after you create them, or both—for example, tweaking settings to enhance the outcome. Each policy can have three states.

  • Turned on When a policy is on, it evaluates content and takes actions, as configured.

  • Turned off When a policy is off, it does not evaluate content or take any action. Sometimes, administrators prefer to leave newly created policies turned off, have a peer review the policies, and then turn the policies on during a maintenance window.

  • In test mode You can test a rule before turning it on by using test mode. Optionally, you can have policy tips shown in test mode. It is a good practice to use test mode, run DLP reports, and then make necessary tweaks before turning on a policy.

Rules can have two states:

  • Turned on By default, rules in a policy are turned on. Turning off rules is useful for troubleshooting.

  • Turned off If you are troubleshooting a policy or find an issue with a rule in a policy (for example, it’s too restrictive), you can temporarily turn off the rule. After making changes, you can turn the rule back on.

Policies can protect information in three locations. Inside of each location, you have additional options, as follows:

  • Exchange Online You can specify specific distribution groups to be included for protection. You can also specify distribution groups to be excluded from protection.

  • SharePoint Online You can specify specific SharePoint sites to be included or opt to exclude specific SharePoint sites.

  • OneDrive for Business You can include or exclude specific accounts.

Next, let’s review policy conditions in a rule. Figure 3-34 shows the conditions for content within documents or emails.

The Microsoft 365 compliance center displays the advanced DLP rules for policies that have been created. The rules for both low and high volume of PII are set to On.

Figure 3-34 Customizing DLP rules

In this policy, there are two rules defined. These include a low-volume rule, which is triggered if there are between one and nine instances of the sensitive info types, with a match accuracy between 75 and 100. You can change the minimum and maximum instance counts and the minimum and maximum match accuracy numbers. For example, you could change the Max Instance count to 5 and handle everything above that in a high-volume rule.

As part of conditions, you can dictate whether a rule applies to content shared within your organization or outside your organization. You can add other conditions, too. The list of conditions you can add is:

  • Sender IP Address Is Detect content sent from a specific IP address or range of IP addresses.

  • Any Email Attachment’s Content Could Not Be Scanned Flag email with attachments that cannot be scanned.

  • Any Email Attachment’s Content Didn’t Complete Scanning Flag email with attachments that did not finish scanning.

  • Attachment Is Password Protected Match email with an attachment that is password protected (and thus can’t be opened to be scanned).

  • Recipient Domain Is Detect when content is sent to a specific domain(s).

  • Attachment’s File Extension Is Detect email messages with attachments that have a specific file extension(s). For example, you might specify .exe as one file extension.

  • Document Property Is Match data that has document properties. Document properties are used in Windows Server File Classification Infrastructure (FCI), SharePoint, and other third-party systems. Some organizations already use document properties to classify content (for example, sensitive data). In such organizations, it can be very efficient to reuse the document properties for DLP.

A rule has actions that dictate how to protect the content. The following actions are available:

  • Block People from Sharing and Restrict Access to Shared Content When you block someone, it means they can’t send email with the content, and can’t access the content in SharePoint or OneDrive for Business. You can block people who are outside of your organization, or block everybody (excluding the content owner, the last person to modify the content, and the site admin).

  • Encrypt Email Messages This action is only applicable to Exchange Online. It encrypts email messages using Azure Information Protection.

Each rule has user notification settings. You can opt to notify users or not, based on your goals. It is a good practice to notify users because it helps them understand the sensitivity of the data and to think about proper data usage.

In addition to notifying the user who sent, shared, or last modified the offending content, you can also email the SharePoint site owner, the owner of the OneDrive account or content, and additional people as designated by you. You can also enable users to override a policy if they see a policy tip. However, in most cases, this isn’t a good practice when dealing with sensitive data; it adds risk to your organization by enabling users to bypass a DLP policy.

Manage DLP exceptions

So far, you’ve learned how DLP works and how a policy and a set of rules prevent or minimize data leakage. Next, you will look at exceptions. Exceptions are conditions that dictate when a DLP rule won’t apply to content. For example, you might have a DLP rule to protect tax data. However, you might have an exception if a document has a specific property and value (for example, a property named Description with a value of Personal).

Understand DLP exceptions

Before you implement exceptions, you should have a good understanding of their capabilities. Thereafter, you will have a better idea of how to create and modify exceptions.

In a perfect world, you wouldn’t need any exceptions. Your DLP configuration would be simple and easy to work with. Often, however, exceptions are required to meet your goals. Even so, you should try to keep your configuration as simple as possible while also meeting your requirements.

The available exceptions are:

  • Except If Content Contains Sensitive Information This exception enables you to specify sensitive information types or specific labels. In such scenarios, the content will not be subject to the rule.

  • Except If Content Is Shared This exception enables you to specify content shared internally or externally and to ensure such content will not be subject to the rule.

  • Except If Sender IP Address Is If you want to whitelist a specific IP address or IP address range, you can use this exception.

  • Except If Any Email Attachment Content Could Not Be Scanned This exception applies if an email message has an attachment that cannot be scanned.

  • Except If Any Email Attachment Content Didn’t Complete Scanning This exception applies if an email message has an attachment that does not finish scanning.

  • Except If Attachment Is Password Protected This exception applies if an email attachment has a password (and thus can’t be scanned).

  • Except If a Recipient Domain Is If you want to whitelist a domain(s), you can use this exception. For example, imagine that you use DLP for external communication. You acquire a company, and after the acquisition closes, you must ensure that email going to the acquired company’s domain is not part of DLP.

  • Except If Attachment’s File Extension Is If you want to whitelist specific file extensions for attachments, you can use this exception.

  • Except If Document Property Is Use this exception to check document properties for specific property values. In this scenario, you can exclude specific content based on the values.

Some settings are service specific. For example, exceptions that pertain to recipient domains are limited to use with Exchange/email.

As with most DLP settings, you should test them before you implement them in production. Otherwise, you might end up with undesirable behavior because it can be hard to understand the ramifications of an exception without seeing it work with production data.

Create DLP exceptions

You can establish exceptions during your initial DLP rule creation. However, you’ll often find that you must create exceptions after a policy and rule are deployed, when the need for an exception becomes obvious. You can create DLP exceptions after a policy and rule are deployed by editing the rule in the portal. For example, Figure 3-35 shows a rule set up to protect the PII you configured earlier in this skill section. Configuring an exception might be useful if you have a vendor or partner who handles your customer-service or tech-support department and you routinely send IP addresses to them via email (such as in trouble tickets or support email).

The conditions of the PII DLP rule are displayed. The Taxpayer Identification Number, Social Security Number, and Passport Number info types are all set to medium confidence for an instance count between 1 and 9.

Figure 3-35 DLP condition and exception

Note

When you create exceptions, always use test mode to understand the impact of the exceptions on the policy’s detection behavior.
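The following is an added example, not code from the book: it builds the two-rule PII policy described in this skill section (low-volume and high-volume rules, notifications, blocking, and two of the exceptions listed above) with the Security & Compliance PowerShell cmdlets from the ExchangeOnlineManagement module, and leaves the policy in test mode as the note recommends. The policy and rule names, the partner domain, and the policy-tip text are constructed placeholders.

```powershell
# Added example, not from the book. Requires Connect-IPPSSession from the
# ExchangeOnlineManagement module and a compliance-admin account.
Connect-IPPSSession

$policyName = 'PII Protection (example)'   # constructed placeholder

# TestWithNotifications reports matches and shows policy tips but blocks nothing,
# so the effect of the conditions and exceptions can be reviewed before enforcement.
New-DlpCompliancePolicy -Name $policyName `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications

# Both rules watch the same sensitive info types at 75-100 match accuracy;
# only the instance counts differ. Omitting maxCount leaves the upper bound open.
function New-PiiCondition {
    param([int]$MinCount, [int]$MaxCount = 0)
    $types = 'U.S. Social Security Number (SSN)',
             'U.S. Individual Taxpayer Identification Number (ITIN)',
             'U.S. / U.K. Passport Number'
    foreach ($t in $types) {
        $c = @{ Name = $t; minCount = "$MinCount"; minConfidence = '75'; maxConfidence = '100' }
        if ($MaxCount -gt 0) { $c['maxCount'] = "$MaxCount" }
        $c
    }
}

# Low volume (1-9 instances) shared outside the organization: notify only, with
# exceptions for a partner domain and for attachments that cannot be scanned.
New-DlpComplianceRule -Name 'Low volume of PII' -Policy $policyName `
    -ContentContainsSensitiveInformation (New-PiiCondition -MinCount 1 -MaxCount 9) `
    -AccessScope NotInOrganization `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText 'This item contains personal data. Check the recipients before sending.' `
    -GenerateIncidentReport SiteAdmin -ReportSeverityLevel Low `
    -ExceptIfRecipientDomainIs 'partner.example' `
    -ExceptIfDocumentIsPasswordProtected $true

# High volume (10 or more): same exceptions, but block external access and allow
# an override only with a business justification (recorded in the DLP reports).
New-DlpComplianceRule -Name 'High volume of PII' -Policy $policyName `
    -ContentContainsSensitiveInformation (New-PiiCondition -MinCount 10) `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope PerUser `
    -NotifyUser Owner, LastModifier `
    -NotifyAllowOverride WithJustification `
    -GenerateIncidentReport SiteAdmin -ReportSeverityLevel High `
    -ExceptIfRecipientDomainIs 'partner.example' `
    -ExceptIfDocumentIsPasswordProtected $true

# Confirm the policy is still in test mode before anyone switches it to Enable.
Get-DlpCompliancePolicy -Identity $policyName | Format-List Name, Mode, Workload
Get-DlpComplianceRule -Policy $policyName | Format-Table Name, BlockAccess, AccessScope
```

Once the DLP Policy Matches and False Positive and Override reports look right, the same policy is enforced with Set-DlpCompliancePolicy -Identity $policyName -Mode Enable.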

Monitor DLP policy matches

After you deploy DLP policies, you need a way to find out whether they are working and how effective they are. You also need a way to pinpoint problems or unexpected behavior. Monitoring is an effective way to understand how DLP is functioning in your environment.

Use policy tips

Policy tips are small informational messages displayed in a web page or a client (such as Outlook). Often, tips are used to provide information to users. For example, if a user is composing an email message that violates a DLP policy, a policy tip can notify the user. The user then has a chance to rectify the violation before sending the email. Figure 3-36 shows a policy tip in Outlook. In this scenario, Brian is sending Bob a message, and there is a conflict with a DLP policy.

A policy tip is displayed in an Outlook email message for a member of the organization.

Figure 3-36 Policy tip in Outlook

The policy tip shown in Figure 3-36 is the default text. There are other default policy tips (such as when access to an item is blocked). Notice that the default text does not indicate which DLP policy was violated or provide much information for the user. Optionally, you can customize the text. Customization is per rule. Figure 3-37 shows the setting to customize the policy tip text.

The DLP Edit Rule page is displayed. Here, you can customize the policy tip text that appears to users in Outlook. The alert to send a notification to an administrator is also set to On.

Figure 3-37 Customizing a policy tip

When you use policy tips, you have an option to enable users who have seen the policy tip to override the DLP policy. You can also require them to report false positives or enter a business justification for the override.

Use the DLP Incidents report

The DLP Incidents report shows you DLP policy matches by date and service (Exchange, SharePoint, and OneDrive for Business). You view this report in the Reports section of the Microsoft 365 compliance center dashboard. Figure 3-38 shows the DLP Incidents report. You can click the graph for this report or the View Details button to see a more detailed dedicated page.

The Microsoft 365 compliance center dashboard displays reports for policy matches, incidents, false positives and overrides, shared files, and risky apps for the organization.

Figure 3-38 Reports dashboard

Use DLP reports

In addition to DLP Incident reports, you can use other reports to help you understand how your organization is complying with your DLP policies. The following reports are available in the Reports section of Microsoft 365 compliance center:

  • DLP Policy Matches This report shows the number of policies that matched in the last week. Although the default view is a graph, you can customize the output to view the data as a table. It also shows the breakdown of policy matches per service: Exchange, SharePoint, and OneDrive for Business.

  • DLP False Positive and Override If you enable users to report false positives and override a policy, this report will show you when and how often it is happening.

Figure 3-39 shows the DLP Policy Matches graph. You access this graph by clicking the corresponding graph or View Details button in the Reports section of the dashboard.

The DLP Policy Matches graph displays the time and alert type of a DLP policy that has been triggered.

Figure 3-39 DLP policy match graph

You can also use PowerShell to obtain some report data. For example, you can run the Get-DlpDetectionsReport command to see a list of recent detections.

Skill 3.5: Manage search and investigation

Historically, auditing has been a decentralized feature available in each of the Office 365 services. You individually configured each service for auditing and individually searched each service for items.

Microsoft is moving to a more centralized approach to data governance. Today, while you can still configure each service individually for auditing, you can also search the audit logs across all services from the same place. This skill section looks at the auditing feature and configuration.

Plan for auditing

Office 365 audits many activities by default. From an administrative perspective, there isn’t much to do to configure audit log retention. This section covers default auditing settings and additional auditing you can enable.

Understand prerequisites

Although auditing is enabled by default, you might need to check your licensing, permissions, and other settings before you start looking at audit logs. The following items are the key prerequisites you must know about:

  • Permissions To have complete control over auditing settings, you must be assigned the organization management or compliance management role or be a global administrator in Office 365. Other roles cannot turn auditing on or off. To search and view audit logs, you can use the view-only audit logs or audit logs role.

  • Licensing The Office 365 E3 license offers up to 90 days of audit log retention. The Office 365 E5 license offers up to 365 days of audit log retention. You can, however, use any Office 365 subscription and add on the Office 365 Advanced Compliance license to get up to 365 days of audit log retention. Today, you can bundle Office 365 Advanced Compliance with Azure Information Protection in a package named Information Protection & Compliance. Expect package names and offerings to change. For the exam, just be aware of the Office 365 Advanced Compliance add-on to gain additional days of retention.

Understand auditing

Office 365 audits several areas across various services by default. For some organizations, the default auditing is enough to meet company requirements. The following activities are audited by default:

  • Admin activity in Azure Active Directory

  • Admin activity in Exchange Online

  • Admin activity in SharePoint Online

  • User activity in SharePoint Online and OneDrive for Business

  • User and admin activity in Dynamics 365

  • User and admin activity in Microsoft Flow

  • User and admin activity in Microsoft Stream

  • User and admin activity in Microsoft Teams

  • User and admin activity in Power BI

  • User and admin activity in Sway

  • User and admin activity in Yammer

  • eDiscovery activities in the Office 365 Security & Compliance Center

Monitor unified audit logs

Before unified audit logs, admins had to search logs in each service. For example, the admin might search in the Exchange Online logs and then search through the SharePoint Online logs. With unified audit logs, admins can search in one place: the Microsoft 365 compliance center. This section offers an overview of the unified audit log and walks through various search scenarios.

Note

Auditing is turned on by default, but you must have appropriate permissions to search logs.

Verify that audit logging is enabled

Before you start using unified audit logs, assuming all the prerequisites are in place, you must verify that audit logging is enabled. As mentioned, audit logging is enabled by default, but it might have been disabled somewhere along the way.

To make sure audit logging is enabled, follow these steps:

  1. Run the following PowerShell command:

    Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled

    If this command returns True, then audit logging is already enabled.

  2. If the previous command returned False, run the following PowerShell command to turn audit log search on:

    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

Note

If logging is enabled and you want to disable it, run the following command: Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $false

Perform searches in unified audit logs

You can search unified audit logs in the Microsoft 365 compliance center or through PowerShell. You can search for all activities, very specific activities, or activities in a specific service, such as Exchange Online.

The following steps walk you through searching unified audit logs in the Microsoft 365 compliance center:

  1. Use an administrator account to log in to the Microsoft 365 compliance center at https://compliance.microsoft.com.

  2. In the navigation bar, click Audit.

    The Audit page opens with the Search tab displayed. (See Figure 3-40.)

    The Audit page with the Search tab displayed. The date and time range is set to one week and all activities selected.

    Figure 3-40 Unified audit log search interface

  3. In the Date and Time Range section, use the Start and End settings to choose a start date, start time, end date, and end time.

    Note

    If you are licensed with E3 or equivalent, audit logs can be retained for 90 days. If you are licensed for E5 or equivalent, audit logs can be retained for 365 days. (This option is currently in preview, but likely to become generally available soon.)

  4. In the Activities section, leave the default settings.

  5. In the Users section, search for the user or users you want to include in the search. You can specify one user, multiple users, or all users (by leaving the box blank).

  6. In the File, Folder, or Site section, specify the file, folder, or site that you want to search for. This is optional and is relevant for some services.

    Figure 3-40 shows a search for all activities from April 11, 2021 to April 18, 2021, for any user, without a specific file, folder, or site.

  7. Click Search.

    Search results will be displayed in the right pane. You can click an entry to bring up the details for that entry.

As mentioned, you can also use PowerShell to search unified logs. You do this by using the Search-UnifiedAuditLog command.
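The following is an added example, not from the book: it first confirms that unified audit log ingestion is enabled (the check from the previous section), then runs the same kind of search as the portal steps above through Search-UnifiedAuditLog, restricted to one user and one activity type, paging past the 5,000-record limit of a single call and flattening the AuditData JSON into a table. The user address and file name are constructed placeholders.

```powershell
# Added example, not from the book. Requires Connect-ExchangeOnline from the
# ExchangeOnlineManagement module and the Audit Logs or View-Only Audit Logs role.
Connect-ExchangeOnline

if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    throw 'Unified audit log ingestion is off; enable it with Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true'
}

$end     = Get-Date
$start   = $end.AddDays(-7)                 # one week, as in Figure 3-40
$user    = 'brian@contoso.example'          # constructed placeholder
$session = 'FileDownloads-' + [guid]::NewGuid().ToString()

# Each call returns at most 5,000 records. ReturnLargeSet with a fixed SessionId
# keeps handing back the next page until the result set is exhausted.
$records = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -RecordType SharePointFileOperation -Operations FileDownloaded `
        -UserIds $user -ResultSize 5000 `
        -SessionId $session -SessionCommand ReturnLargeSet
    $records += $page
} while ($page -and $page.Count -eq 5000)

# AuditData is a JSON string; pull out the fields an investigator looks at first.
$rows = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $r.CreationDate      # UTC in the unified audit log
        User      = $d.UserId
        Operation = $d.Operation
        ClientIP  = $d.ClientIP
        Item      = $d.ObjectId          # full URL of the downloaded file
        Workload  = $d.Workload          # SharePoint or OneDrive
    }
}

$rows | Sort-Object Time | Format-Table -AutoSize

# Keep a copy for the investigation record.
$rows | Export-Csv -Path ".\${user}-file-downloads.csv" -NoTypeInformation
```

Dropping -RecordType and -Operations returns all activities for the user, which is the PowerShell equivalent of leaving the Activities section at its default in the portal.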

Need More Review? Deep Dive into Search-UnifiedAuditLog

To find out more detail about the Search-UnifiedAuditLog command, including all the additional filtering you can do, see https://docs.microsoft.com/en-us/microsoft-365/compliance/audit-log-search-script?view=o365-worldwide.

Design Content Search solution

You can use the Content Search tool to quickly search your Office 365 services for material matching targeted criteria. The results can be used to determine scope, impact, and next steps in the event additional action is required, such as a legal hold. You can save search queries for reuse and export search results for offline review.

In the following steps, you will create a search query for a fictitious company named Contoso Electronics. The legal department needs to know if any documents were shared in the last 30 days related to the Mark 8 Project.

  1. Use an administrator account to log in to the Microsoft 365 compliance center at https://compliance.microsoft.com.

  2. In the navigation bar, click Show All, and then click Content Search.

  3. On the Content Search page, click +Guided Search.

    This option provides a guided experience for creating a new search query. Once you are comfortable with creating queries, you can click +New Search and create your own queries from scratch.

  4. On the New Search panel, in the Name Your Search box, type a name for your new search query—in this example, Mark 8 Project.

  5. Optionally, type a description to help differentiate this search query from other search queries. Then click Next.

  6. On the Choose Locations tab, click the All Locations option button. Then click Next.

    This enables your search to find data across Office 365 services. If you intend to only search a specific service, such as Exchange Online, you can opt to specify that location instead.

  7. On the Create Query tab, in the Keywords box, type the following keywords:

    • project

    • mark 8

    • mark 8 project

  8. Below the search query, click +Add Conditions.

  9. In the Add Conditions panel, select the Date and File Type check boxes, and click Add.

  10. In the Date section, specify the desired dates—in this example, configure the date representing the last 30 days.

  11. In the File Type section enter the following file types:

    • docx

    • xlsx

    • pptx

    • pdf

  12. Click Finish.

    You will return to the Content Search page and the query will run automatically. Any results from the query will be displayed in the main window.
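The following is an added example, not from the book: it creates the same Mark 8 Project search with the Security & Compliance PowerShell cmdlets instead of the guided search, waits for it to finish, and generates the CSV report. The KQL query is my translation of the keywords, date, and file-type conditions chosen above; lastmodifiedtime is assumed to be the closest query-language equivalent of the guided search's Date condition for documents.

```powershell
# Added example, not from the book. Requires Connect-IPPSSession from the
# ExchangeOnlineManagement module and the Compliance Search role.
Connect-IPPSSession

$name  = 'Mark 8 Project'
$since = (Get-Date).AddDays(-30).ToString('yyyy-MM-dd')

# Keywords on separate lines in the guided search are ORed together; the
# conditions added afterwards are ANDed with that keyword block.
$query = '(project OR "mark 8" OR "mark 8 project")' +
         ' AND (filetype:docx OR filetype:xlsx OR filetype:pptx OR filetype:pdf)' +
         " AND lastmodifiedtime>=$since"   # assumed equivalent of the Date condition

# All Locations in the portal corresponds to All for each location type.
New-ComplianceSearch -Name $name `
    -Description 'Legal: documents shared in the last 30 days about the Mark 8 Project' `
    -ExchangeLocation All -SharePointLocation All `
    -ContentMatchQuery $query

Start-ComplianceSearch -Identity $name

# The search runs in the background; poll until it leaves the in-progress states.
do {
    Start-Sleep -Seconds 30
    $search = Get-ComplianceSearch -Identity $name
} while ($search.Status -in 'NotStarted', 'Starting', 'InProgress')

$search | Format-List Name, Status, Items, Size, ContentMatchQuery

# Equivalent of Export Report: a CSV of the matched items' properties.
if ($search.Status -eq 'Completed') {
    New-ComplianceSearchAction -SearchName $name -Report
}
```

To narrow the search afterwards, as the text describes for a query that returns too much, update the query with Set-ComplianceSearch -Identity $name -ContentMatchQuery and run Start-ComplianceSearch again.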

You can update search queries and save your changes from the search results page for the specific query. For example, if there are too many results returned for the Mark 8 Project query, you can open the results for that search query and update the list of keywords or add more conditions.

Results for search queries can also be exported. To access export options for Content Search, select the project whose query results you want to export and click More. A panel opens containing options to export results or reports. As shown in Figure 3-41, these options are as follows:

  • View Results This outputs a copy of all discovered results. Exchange content can be exported as a PST file or as individual emails. Individual messages and SharePoint content can be exported as a compressed ZIP file.

  • Export Report This outputs a report in CSV format. The report contains properties such as sender, recipient, attachments, and date received.

The Microsoft 365 compliance center displays the Content Search results for a query. It also shows a panel containing export options.

Figure 3-41 Content Search export options

Plan for eDiscovery

The eDiscovery tools in Microsoft 365 give you the ability to create electronic discovery cases when required for legal issues. With eDiscovery, you can create either Core or Advanced cases, both of which enable you to create in-place or litigation holds. You then combine this with the Content Search to find data relevant to the eDiscovery case.

Often, the first step an administrator will take before creating an eDiscovery case will be to use the Content Search tool. Content Search is part of the eDiscovery solution. Content Search enables administrators to quickly search for content across various services in Office 365. Content Search and eDiscovery generate the same results, including data from email messages, Skype for Business conversations, documents in SharePoint Online or OneDrive for Business, Microsoft Teams, and Office 365 groups. However, they offer different capabilities, such as exporting reports and assigning an in-place hold.

Understand prerequisites

This section looks at the prerequisites for working with eDiscovery and Content Search. These prerequisites include licensing considerations and permissions required to perform various tasks. As mentioned, Content Search is part of the eDiscovery solution, so licensing and permissions are similar for both tools. You must have a clear understanding of these prerequisites for the exam.

Licensing considerations

The licensing options for Content Search are tied to eDiscovery. As you move up in licensing, you unlock more eDiscovery features.

When it comes to licensing, you want to acquire the license that provides all the features you require, but not more. To do this, you must understand the features and limitations of eDiscovery licensing. Following are the key license types that include eDiscovery functionality.

  • Office 365 E1/Office 365 F1/Office 365 Business Essentials/Office 365 Business Premium The E1 license is the lowest license that provides some eDiscovery capabilities. With an E1 license, you can perform searches across Office 365 services. You can also search across multiple mailboxes or sites in a single search. You cannot use content holds or export results from the searches.

  • Office 365 E3 With an E3 license, you get the same functionality as with E1. Additionally, you can export data from the search and use content holds. You can also use eDiscovery cases, which enable you to organize and segment searches.

  • Office 365 E5 With an E5 license, you get the same functionality as with E3. Additionally, you gain access to the Advanced eDiscovery feature, which uses cloud-based analytics to analyze your searches. Advanced eDiscovery provides a more efficient eDiscovery process, potentially reducing costs.

Note Office 365 enterprise plans are functionally equivalent to Office 365 government plans. Thus, E1 is the same as G1, E3 is the same as G3, and E5 is the same as G5.

Permissions

To enable administrators to perform eDiscovery or use Content Search, you must assign the necessary permissions. By default, nobody has permissions—even your existing Office 365 administrators.

The Microsoft 365 compliance center provides several built-in role groups. One such role group, eDiscovery Manager, contains two subgroups. You assign these to administrators who need to work with eDiscovery.

  • eDiscovery Manager An eDiscovery manager can create, view, and edit cases that they have access to. By default, they only have access to cases they create. You can add users or groups to this subgroup.

  • eDiscovery Administrator An eDiscovery administrator can view and edit all cases. By default, they are only listed as members of the cases they create; however, they can add themselves to any other case. You can only add users, not groups, to this subgroup.

The eDiscovery Manager role group is assigned roles. The roles give the permissions needed to perform eDiscovery tasks. The default roles for the eDiscovery Manager role group are:

  • Export With this permission, you can export data from a search.

  • RMS decrypt You can decrypt RMS-protected content so you can export the data from a search.

  • Review This permission enables you to work with advanced eDiscovery features, such as analyzing results.

  • Preview You can view the list of items returned from a search.

  • Compliance Search You can search across multiple mailboxes.

  • Case management You can create, edit, and delete eDiscovery cases. You can also adjust permissions for cases you own.

  • Hold This permission enables you to place a hold on content.

You can edit the roles included in the role group. However, this isn’t necessary unless you have a specific requirement to enable more functionality or restrict some eDiscovery tasks.

In addition to eDiscovery role groups, there are certain roles that can perform some eDiscovery tasks:

  • Reviewer A reviewer can use advanced eDiscovery functions for existing cases that they are a member of.

  • Organization management Members of this role can create, edit, and delete eDiscovery cases, search across multiple mailboxes, place content on hold, and perform search and purge tasks—that is, perform a search and then delete data in bulk based on that search.

  • Compliance administrator A compliance administrator can create, edit, and delete eDiscovery cases; search across multiple mailboxes; and place content on hold.

Understand legal holds

At any point, your organization could be required to preserve content in Office 365. With eDiscovery, you accomplish this by placing the content on an in-place hold.

An administrator can place content on hold across all Office 365 services. Content holds offer granular controls that leverage the same query interface seen in Content Search and eDiscovery. In this skill, you are going to look at how holds work and how to configure them in the Microsoft 365 compliance center.

How holds work

Holds focus on preserving data. Sometimes, holds are for a defined period. Other times, holds are indefinite (or the hold requirements are not finalized yet). Holds are invisible to users and cannot be bypassed. Holds are available for the following areas:

  • Exchange Online mailboxes Although you can target groups too, the mailboxes that are members are placed on hold, not the actual group.

  • Exchange Online public folders While you can place holds on public folders, you cannot specify individual public folders. Instead, you have to place a hold on all public folders if you want to hold items in any of the folders.

  • SharePoint Online sites You can choose individual SharePoint Online sites to hold data. You just need the URL for the sites you want to target for holds.

When you place holds on mailboxes, the data is preserved in the Recoverable Items folder, which isn’t viewable with the default view in Outlook. The Recoverable Items folder also holds permanently deleted items, such as when users delete items from the Deleted Items folder. A dedicated subfolder named DiscoveryHold is used to store held items.

For the exam, be sure to know some of the details around holds, such as:

  • Items in the Recoverable Items folder don’t count toward a user’s mailbox quota. Instead, the Recoverable Items folder has its own quota, which is 30 GB by default.

  • When a hold is placed on a mailbox, the quota for the Recoverable Items folder is automatically increased to 100 GB. You can enable the archive mailbox and use auto-expanding archiving if you need more space.

  • A minimum license of Exchange Online Plan 2 or Office 365 E3 is required for a mailbox to be placed on hold.

  • Deleting a mailbox on hold will convert it to an inactive mailbox. Inactive mailboxes can no longer receive messages and are not listed in the global address list. The contents of the mailbox will be retained for the duration of the hold.

Need More Review? Working With Office 365 Holds

To find out more about holds, see https://docs.microsoft.com/exchange/security-and-compliance/in-place-and-litigation-holds.

Configure holds

The following steps show the process to create a hold for all email items for one mailbox. To create a hold, you must have created a case and defined a search.

  1. From your existing case, click the Holds tab.

  2. On the Holds tab, click +Create.

  3. On the Create a New Hold panel, type a name for the hold—for example, Recover Purged Items. Then click Next.

  4. On the Choose Locations tab, click Choose Users, Groups, or Teams. Then, click Choose Users, Groups, or Teams again.

  5. In the search text box, type the name of the person you are targeting for the hold. A search will be performed dynamically. If it is not, click the search (magnifying glass) icon.

  6. In the results, click the checkbox next to the target mailbox and then click Choose.

  7. Click Done. Then click Next to continue.

  8. On the Create Query tab, type a keyword or list of keywords; such a configuration is referred to as a query-based hold. This limits the search results to the keyword(s) that you specify. Or, if you want to hold everything, do not enter anything. This is called an indefinite hold. Optionally, add conditions. Then click Next.

  9. On the Review Your Settings tab, click Create This Hold.

    Figure 3-42 shows a sample hold status panel. In this example, a hold named Recover Purged Items has been created.

    The Microsoft 365 compliance center displays the Recover Purged Items search that was created for a hold. The search applies to 7 mailboxes and returned one item.

    Figure 3-42 eDiscovery hold details

  10. Click Close.

Need More Review? Managing Content Holds

To find out more about configuring and managing holds, read through https://docs.microsoft.com/office365/securitycompliance/ediscovery-cases#step-4-place-content-locations-on-hold.

Configure eDiscovery

In this skill, you will work with eDiscovery. eDiscovery extends the capabilities of Content Search. With eDiscovery, administrators can create cases for ongoing events. Cases offer an extra layer of permissions, enabling you to control who has access to a case and what level of access they have. You will also work with advanced eDiscovery, an enhancement that enables additional analysis of the eDiscovery results.

Work with eDiscovery cases

You can use eDiscovery cases to organize your eDiscovery searches, preserve content, and export data from your searches. Cases help organize your eDiscovery work. You create and manage cases from the Microsoft 365 compliance center.

In the following steps, you create and configure an eDiscovery case based on a fictitious company named Contoso Electronics that needs to uncover information about a broken part. As part of a case, you essentially create a search query and a hold that retains any data returned by that query.

  1. Use an administrator account to log in to the Microsoft 365 compliance center at https://compliance.microsoft.com.

  2. In the navigation bar, click Show All, choose eDiscovery, and click Core.

  3. On the Core eDiscovery page, click Create a Case.

  4. On the New Case page, type a name for the case, such as Recovering Purged Items, and then click Save.

  5. Click the Pop-Out icon to manage the case.

  6. Click the Holds tab, and then click Create.

  7. Provide a name for the hold, such as Recover Purged Items, and click Next.

  8. On the Choose Locations page, click Choose Users, Groups, or Teams for Exchange email, and then click Choose Users, Groups, or Teams again.

  9. In the search box, search for a user, group, or team in your environment. When you find the one you’re looking for, click Choose, and then click Done.

  10. On the Query page, add keywords to the query, such as broken, and click Next.

  11. Click Create This Hold.
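The following is an added example, not from the book: it performs the Configure holds procedure and the case-creation steps above with the Security & Compliance PowerShell cmdlets, creating the Core eDiscovery case, a case-scoped search, and the query-based hold on one mailbox. The mailbox address is a constructed placeholder; omitting -ContentMatchQuery from the hold rule turns it into an indefinite hold on everything in that mailbox.

```powershell
# Added example, not from the book. Requires Connect-IPPSSession from the
# ExchangeOnlineManagement module and the eDiscovery Manager role group.
Connect-IPPSSession

$caseName = 'Recovering Purged Items'
$holdName = 'Recover Purged Items'
$mailbox  = 'alex@contoso.example'     # constructed placeholder

New-ComplianceCase -Name $caseName -Description 'Contoso Electronics broken-part investigation'

# A search scoped to the case (the Content Search equivalent inside eDiscovery).
New-ComplianceSearch -Name "$caseName search" -Case $caseName `
    -ExchangeLocation $mailbox -ContentMatchQuery 'broken'
Start-ComplianceSearch -Identity "$caseName search"

# A hold is a policy (which locations are held) plus a rule (which content).
# The mailbox, not a group, is the held object, as the text explains.
New-CaseHoldPolicy -Name $holdName -Case $caseName `
    -ExchangeLocation $mailbox -Enabled $true

# Query-based hold: only items matching the keyword are preserved.
# Leave out -ContentMatchQuery to create an indefinite hold instead.
New-CaseHoldRule -Name "$holdName rule" -Policy $holdName -ContentMatchQuery 'broken'

# Verify that the hold has been distributed to the mailbox before relying on it;
# DistributionStatus reads Pending until Exchange Online has applied it.
Get-CaseHoldPolicy -Identity $holdName -Case $caseName -DistributionDetail |
    Format-List Name, Enabled, DistributionStatus, ExchangeLocation
Get-CaseHoldRule -Identity "$holdName rule" | Format-List Name, ContentMatchQuery
```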

Adjust and export

After previewing the results, you can adjust your search query, similar to a Content Search. For example, you can add more conditions, change the locations, or add more keywords. To export the results from a search, follow these steps:

  1. From the search results, click the More button and then click Export Results in the drop-down menu that appears.

  2. In the Export Results panel, configure the export options:

    • Output Options You can export all items that are in a usable format, all items regardless of whether they are in a usable format, or just items that are in an unusable format.

    • Export Exchange Content Options You can export all Exchange content in a single PST file for each mailbox where data was found, in a single PST file for all messages found, in one PST file with a single folder for all messages found, or individual messages.

    • De-Duplication Optionally, you can enable de-duplication. For example, if your search found results in 53 mailboxes, you can use de-duplication so that you don’t get the same message from all 53 mailboxes. (Instead, you get a single message.)

  3. Click Export. Then click Generate Report.

  4. Click the Exports tab. Then, in the list of completed exports, click the export you just ran.

  5. In the panel that appears, copy the export key.

    The export key is sensitive, so you should protect it like a password or secret. It can be used by anybody to download the search results.

  6. Click Download Report.

    You must use Microsoft Edge or Internet Explorer to perform the download.

  7. If this is your first time downloading results, you will be prompted to install the Microsoft Office 365 eDiscovery Export Tool. This tool is required to download results. Click Install.

  8. In the eDiscovery Export Tool pop-up box, paste the export key, browse to the location where you want to save the data, and click Start.

  9. When the status shows that the process is complete, click Close.

    The exported data will be saved to a folder. Inside, you will find a summary CSV file along with the data. The data is separated into folders by service.
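The hold and export steps above can also be scripted from Security & Compliance PowerShell. The following is an added example, not code from the book; it assumes the ExchangeOnlineManagement module is installed, that the account holds the eDiscovery Manager role, and that the case name, custodian address and keyword are constructed placeholders.

```powershell
# Added example (not from the book). Assumes the ExchangeOnlineManagement module
# and an eDiscovery Manager account; case name, mailbox and keyword are placeholders.
Connect-IPPSSession -UserPrincipalName admin@contoso.onmicrosoft.com

$caseName  = 'Recovery Case'                   # existing eDiscovery case (assumed)
$custodian = 'user1@contoso.onmicrosoft.com'   # constructed mailbox address

# Steps 6-11 above: a case hold on one mailbox, limited to items matching the keyword.
New-CaseHoldPolicy -Name 'Recover Purged Items' -Case $caseName `
    -ExchangeLocation $custodian -Enabled $true | Out-Null
New-CaseHoldRule -Name 'Recover Purged Items rule' -Policy 'Recover Purged Items' `
    -ContentMatchQuery 'broken' | Out-Null

# A search associated with the same case, using the same keyword query.
$searchName = 'Recover Purged Items search'
New-ComplianceSearch -Name $searchName -Case $caseName `
    -ExchangeLocation $custodian -ContentMatchQuery 'broken' | Out-Null
Start-ComplianceSearch -Identity $searchName

# Wait for the search to finish before requesting the export.
do {
    Start-Sleep -Seconds 30
    $search = Get-ComplianceSearch -Identity $searchName
} while ($search.Status -ne 'Completed')
'Search found {0} items ({1} bytes)' -f $search.Items, $search.Size

# Export step 2: the three panel options map to these parameters.
#   Output Options                  -> -Scope
#   Export Exchange Content Options -> -ExchangeArchiveFormat
#   De-Duplication                  -> -EnableDedupe
New-ComplianceSearchAction -SearchName $searchName -Export `
    -Scope BothIndexedAndUnindexedItems `
    -ExchangeArchiveFormat SinglePst `
    -EnableDedupe $true -Format FxStream | Out-Null

# Export steps 4-5: check the export action. Its download credential (the export
# key) is only returned when -IncludeCredential is added; treat that output as a
# secret and never write it to a transcript or log.
Get-ComplianceSearchAction -Identity "$searchName`_Export" |
    Select-Object Name, Status, Action
```

The export is still downloaded with the eDiscovery Export Tool, exactly as in steps 6 to 9 above.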

Use advanced features

By default, the Core eDiscovery functionality is used when working with eDiscovery cases. You can switch to advanced eDiscovery to unlock additional functionality, such as analyzing your search results. As discussed, you must have the right licensing for the advanced functionality.

Follow these steps to create an advanced case and analyze the results:

  1. Use an administrator account to log in to the Microsoft 365 compliance center at https://compliance.microsoft.com.

  2. In the navigation bar, click Show All, choose eDiscovery, and click Advanced.

  3. Type a name for the case.

  4. Select the No, Just Go to the Home Page. I’ll Use the Default Case Settings for Now option and click Save.

  5. After the case loads, click the Settings tab. (See Figure 3-43.) This is where you manage information, access and permissions, and search and analytics for the case.

    The Microsoft 365 compliance center displays the Settings tab for an advanced eDiscovery case. Here, you can view information, access and permissions, and search and analytics for the case.

    Figure 3-43 Advanced case settings

  6. In the Search & Analytics section, click Select.

  7. Configure the desired settings in the Search & Analytics panel. (See Figure 3-44.) For example, select the Enable OCR check box to enable optical character recognition. Then click Save and Exit.

    The Search & Analytics settings for the selected case are displayed. The similarity threshold is set to 65% and the maximum number of themes is set to 100.

    Figure 3-44 Advanced case Search & Analytics settings

  8. Click the Review Set tab. Then click Add Review Set.

  9. Type a name for the review set and click Add.

  10. Click the review set to open its query page. Then click New Query.

  11. Add a condition to the query and click Save.

  12. On the review set’s page, click Manage Review Set.

  13. In the Analytics section, click Run Analytics for the Review Set. (See Figure 3-45.)

    The Microsoft 365 compliance center displays the review set of an advanced eDiscovery case. The review set includes analytics, summary reports, load sets, tags, and non-Office 365 data.

    Figure 3-45 The Manage Review Set page

  14. Click Yes to acknowledge that the analytics run could take some time to complete.

Need More Review? Express Analysis Settings

You have the option to run an express analysis. To find out more, see https://docs.microsoft.com/en-us/microsoft-365/compliance/analyzing-data-in-review-set?view=o365-worldwide.

Implement insider risk management

Insider risk management is another component of the Microsoft 365 compliance center that targets internal policies and alerts for the organization. Insider risk management is a part of the Microsoft 365 E5 compliance add-on, which is included with Microsoft 365 E5 or as an add-on to a variety of E3 subscription types.

Understand insider risk management roles

Insider risk management has five built-in roles to manage or audit risk-related policies. These roles are as follows:

  • Insider risk management This role provides a single group with all permissions. This is useful in small organizations where separation of roles or duties might not exist.

  • Insider risk management admin This role can be used to create and manage policies, global settings, and the roles for other users.

  • Insider risk management analyst This role has permission to access and view alerts, cases, analytics insights, and templates. However, the role cannot view the content explorer.

  • Insider risk management investigator This role has permission to access alerts, cases, templates, and the content explorer.

  • Insider risk management auditor This role can access the insider risk management audit log.

Change insider risk management global settings

After you have identified the appropriate role or roles for the administrators and users in your organization, the next aspects of insider risk to consider are the global settings. These settings apply to all policies created across several policy control components. As of this writing, many components are still in preview. The current global settings are:

  • Privacy

  • Indicators

  • Policy timelines

  • Intelligent detections

  • Export alerts (preview)

  • Priority user groups (preview)

  • Priority physical assets (preview)

  • Power Automate flows (preview)

  • Microsoft Teams (preview)

  • Analytics (preview)

To access these global settings for configuration purposes, follow these steps:

  1. Use an administrator account to log in to the Microsoft 365 compliance center at https://compliance.microsoft.com.

  2. In the navigation bar, click Show All, and then click Insider Risk Management.

  3. At the top of the page, click Insider Risk Settings.

    Figure 3-46 shows the settings, including the settings still in preview at the time of this writing.

The Microsoft 365 compliance center displays the Privacy tab on the Settings page for insider risk management. The privacy settings are configured to show anonymized versions of user names instead of actual display names.

Figure 3-46 Insider risk management global settings

Create an insider risk management policy

After you have configured the desired global settings, your next step to implement insider risk management is to create policies. Insider risk management policies are divided into three categories:

  • Data theft

  • Security policy violations (preview)

  • Data leaks

Each category has built-in templates that you can use to begin creating policies for your organization. Follow these steps to create an insider risk management policy:

  1. Use an administrator account to log in to the Microsoft 365 compliance center at https://compliance.microsoft.com.

  2. In the navigation bar, click Show All, and then click Insider Risk Management.

  3. Click the Policies tab and click Create Policy.

  4. Select the Data Theft By Departing Users template. Then click Next.

  5. Type a display name for the policy and click Next.

  6. Select specific users or groups to which the policy should apply. Alternatively, leave the default setting of all users and groups as is. Then click Next.

    Choosing specific users and groups is helpful in a global organization, where you might need individual policies for certain geographies or regions.

  7. On the Content to Prioritize page, accept the default setting to specify content. (Alternatively, you can choose to specify content later.) Then click Next.

    You can prioritize SharePoint sites, sensitive info types, and sensitivity labels.

  8. On the Indicators and Triggering Event page, specify what event should trigger the policy and what indicators might be associated with that event. Then click Next.

    The specific policy settings are as follows:

    • Triggering Events The condition that activates the policy for a user.

    • Office Indicators Actions a user takes in Microsoft Office or Office 365 that trigger the policy.

    • Device Indicators (preview) Actions a user takes on a monitored device that trigger the policy.

    • Physical Access Indicators Attempts to access sensitive information after termination.

    • Microsoft Cloud App Security Indicators Activities within connected cloud apps that trigger the policy.

    • Sequence Detection When two or more activities are performed that suggest a higher risk of data leaks.

    • Cumulative Exfiltration Detection A user appears to be sharing more data than the average user in the organization.

    • Risk Score Boosters Activities that increase a user’s risk score compared to normal day-to-day activities.

  9. On the Indicator Thresholds page, specify whether to use default thresholds or set your own custom values, and click Next.

  10. On the Review Settings and Finish page, click Submit.

    Figure 3-47 shows all the settings configured for this policy.

The Microsoft 365 compliance center displays the settings for a new insider risk policy. The policy has been configured as an intellectual property theft policy using the highly confidential sensitivity label.

Figure 3-47 Insider risk management policy

Note

It can take as long as 24 hours for alerts to appear on the Alerts tab after you create the policy.

Thought experiment

In this thought experiment, demonstrate your skills and knowledge of the topics covered in this chapter. You can find the answers in the section that follows.

You are the systems administrator for Contoso Electronics. Contoso Electronics runs several skiing and outdoor activity locations throughout the world.

The company has an on-premises environment with two data centers. The company has AD DS on-premises, along with some internal servers and Windows 10 clients. For email and collaboration, the company uses Office 365. Soon, the company will start using OneDrive for Business to store data that is currently stored on on-premises file servers. The company recently created a dedicated IT team to handle IT security. The new team is responsible for compliance, data loss prevention, backups, and data governance.

The new team reviewed the existing implementation for data in Office 365 and found the following:

  • The company is using Exchange Online retention tags and retention policies.

  • The company is not using information rights management (IRM) with SharePoint Online.

  • The company is not retaining SharePoint data.

  • The company is not using OneDrive for Business.

The security management team has drafted new requirements for the organization:

  1. The company must centralize the configuration of retention to ensure that retention settings are the same across as many Office 365 services as possible. What action must be taken to unify the data retention configuration?

  2. The data in some SharePoint Online libraries must be encrypted, even if users do not opt to encrypt the data. What should be configured to encrypt data automatically?

You must reconfigure the environment to meet the new requirements.

Thought experiment answers

This section contains the solution to the thought experiment. Each answer explains why the answer choice is correct.

In this scenario, there are multiple requirements. We will look at solutions for one requirement at a time.

The first requirement is to centralize the configuration of retention. The company currently uses retention, but it is configured in Exchange Online. This retention configuration cannot be used outside of Exchange Online. To centralize the retention configuration, you must configure retention in the Security & Compliance Center. In this scenario, you should configure retention to apply to Exchange Online, SharePoint Online, and OneDrive. This will ensure you meet the requirement to retain data across as many services as possible.

The second requirement is to encrypt SharePoint data in libraries. To meet this requirement, you must enable information rights management (IRM), which allows for the use of encryption throughout SharePoint Online. Thereafter, you must configure document libraries with IRM settings to make sure that documents are encrypted. This ensures you meet the requirement to encrypt data even if users do not opt to encrypt their files.
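The first requirement (one retention configuration across Exchange Online, SharePoint Online, and OneDrive) can be implemented from Security & Compliance PowerShell, which the chapter summary notes supports creating retention policies. This is an added example, not code from the book; it assumes the ExchangeOnlineManagement module, a Compliance Administrator account, and a five-year retention period chosen for illustration.

```powershell
# Added example (not from the book). Assumes the ExchangeOnlineManagement module
# and a Compliance Administrator account; the policy name and the five-year
# period are assumptions for this scenario.
Connect-IPPSSession -UserPrincipalName admin@contoso.onmicrosoft.com

$policyName = 'Contoso Unified Retention'

# One policy covering all three workloads replaces the Exchange-only retention
# tags and policies that the new team found in the review.
New-RetentionCompliancePolicy -Name $policyName `
    -ExchangeLocation All `
    -SharePointLocation All `
    -OneDriveLocation All `
    -Enabled $true | Out-Null

# Retain content for five years (1825 days) from its last modification, then delete it.
New-RetentionComplianceRule -Name "$policyName rule" -Policy $policyName `
    -RetentionDuration 1825 `
    -ExpirationDateOption ModificationAgeInDays `
    -RetentionComplianceAction KeepAndDelete | Out-Null

# Verify the policy reaches every workload. A distribution status that stays at
# Pending or Error means that location has not yet received the unified settings.
Get-RetentionCompliancePolicy -Identity $policyName -DistributionDetail |
    Select-Object Name, Enabled, DistributionStatus,
                  ExchangeLocation, SharePointLocation, OneDriveLocation
```

Run the verification again after distribution completes; retention settings only take effect in a workload once its status shows Success.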

Chapter summary

  • Retention policies enable you to retain data, delete data, or both. You can retain data across multiple Office 365 locations.

  • Retention labels enable users to retain data by putting a label on their content. Labels can also be applied automatically, which strengthens your retention.

  • Exchange Online has multiple data recovery methods built-in, including saving deleted items, archiving email with archive mailboxes, and holds (legal and in-place).

  • SharePoint Online stores data for SharePoint and OneDrive. There are two Recycle Bins (site level and site collection level) that maintain deleted data for up to 93 days.

  • SharePoint Online and OneDrive for Business offer document versioning. With document versioning, documents have a version number associated with them. When documents are changed, a new version number is created. Users can go back to previous versions if needed.

  • By default, OneDrive for Business keeps deleted user data for 30 days.

  • An administrator can restore email items out of the Purged Items folder. However, users can only restore deleted items that are in the Deleted Items folder.

  • For some operations in Exchange Online and SharePoint Online, you must use PowerShell. Each service has a specific method to connect to PowerShell.

  • Your Office 365 licensing dictates how long your audit logs are retained. For some subscriptions, you get up to 90 days of logs, while other subscriptions provide up to 365 days.

  • Most admin activity is logged by default. Many user activities are also logged by default. User activity for Exchange Online is not logged by default, and some SharePoint site-specific information is not logged by default.

  • You can search unified audit logs using the Microsoft 365 compliance center or using PowerShell.

  • You can disable audit logging altogether, although this isn’t recommended due to the lack of information that will be available for investigating security incidents.

  • Unified audit logs cover Azure Active Directory, Exchange Online, SharePoint Online, OneDrive for Business, Dynamics 365, Microsoft Flow, Microsoft Stream, Microsoft Teams, Power BI, Sway, Yammer, and eDiscovery activities in the Microsoft 365 compliance center.

  • Azure AD is a prerequisite of AIP. Additionally, a sync between your on-premises AD DS and Azure AD is required so you can license your users.

  • WIP is a data protection technology that complements AIP and is focused on protecting data on client computers that run Windows 10.

  • With WIP, an enlightened app is an app that can differentiate between personal data and corporate or organizational data.

  • Labels in AIP help users easily see the sensitivity of data (such as with visual markings) and can automatically protect data based on the data as well as conditions.

  • DLP uses dictionary matches, keyword matches, regular expression matches, and internal functions to detect sensitive data in DLP rules.

  • DLP has a central policy store, where policies and rules are initially created and stored. From the central policy store, replication is used to replicate policies to Exchange Online, SharePoint Online, OneDrive for Business, and Office 2016 desktop apps.

  • DLP offers a wide array of built-in policies for financial companies and medical and health companies, and with privacy settings applicable to just about all organizations.

  • DLP offers a test mode for policies. In test mode, you can see whether the policy does what you expect before you turn it on for your production environment.

  • Data retention policies can be used to retain data for a specified period. For example, you can retain data for five years. Users cannot bypass data retention policies.

  • Data retention policies can be used to delete data when the data reaches a specified age. For example, all data older than seven years can be automatically deleted. You can combine policies to retain data with policies to delete data.

  • Data retention for Exchange Online stores copies of original content in the Recoverable Items folder, while data retention for SharePoint Online stores copies of original content in the Preservation Hold library.

  • You can use PowerShell to create, manage, and delete policies for DLP or data retention.

  • AIP has three versions that you can license: Azure AIP for Office 365 (least features), Azure AIP P1 (standard features), and Azure AIP P2 (most features).

  • You can use the built-in reports in the Security & Compliance Center to get an overview of your DLP incidents, DLP policy matches, and DLP overrides.

  • Content Search and eDiscovery deliver the same results and leverage the same search query format. Content Search should be used for quick scenarios, while eDiscovery should be used for case tracking and in-place holds.

  • To organize your searches, preserve content, and export data, you can use eDiscovery cases. Cases are especially beneficial if you have multiple administrators and perform many searches.

  • You can enable more eDiscovery features by upgrading your Office 365 licenses. Office 365 E1 provides search capabilities; Office 365 E3 provides search, export, and holds; and Office 365 E5 provides search, export, holds, and advanced eDiscovery features such as analysis.

  • An eDiscovery manager can work with cases that they create or are given access to. An eDiscovery administrator can gain access to any case.
