Microsoft Security Virtual Training Day: Protect Sensitive Information and Manage Data Risk
Day 1 Slides
© Copyright Microsoft Corporation. All rights reserved. FOR USE ONLY AS PART OF VIRTUAL TRAINING DAYS PROGRAM. THESE MATERIALS ARE NOT AUTHORIZED FOR DISTRIBUTION, REPRODUCTION OR OTHER USE BY NON-MICROSOFT PARTIES.
Information Protection (segment 1 of 2)
• Information Protection Concepts
• Sensitivity Labels
• Data Loss Prevention (DLP) basics
• Create a DLP policy
• Customize DLP policies
• Policy Tips
Digital estate
Hybrid data = new normal; it’s harder to protect
On-premises: perimeter protection
Managed mobile environment: identity and device management protection
Unregulated/unknown
Your classification journey
Classify data – Begin the journey
Classify data based on sensitivity
IT admin sets policies, templates, and rules
Label taxonomy shown: Personal, Confidential, Restricted, Internal, Public
Start with the data that is most sensitive
IT can set automatic rules; users can complement it
Associate actions such as visual marking and protection
Four ways to classify data
Classification user experiences:
Automatic: Policies can be set by IT Admins for automatically applying classification and protection to data
Recommended: Based on the content you’re working on, you can be prompted with suggested classification
Reclassification: You can override a classification and optionally be required to provide a justification
User set: Users can choose to apply a sensitivity label to the email or file they are working on with a single click
Balance data security and productivity
Secure data:
Enforce conditional access to sensitive data
DLP actions to block sharing
Encrypt files and emails based on sensitivity label
Prevent data leakage through DLP policies based on sensitivity label
Business data separation from personal data on devices
Secure email with encryption & permissions
Enable productivity:
Manually apply sensitivity labels consistently across apps and endpoints
Show recommendations and tooltips for sensitivity labels with auto-labeling and DLP
Visual markings to indicate sensitive documents across apps and services (e.g. watermark, lock icons, sensitivity column in SPO)
Co-author and collaborate on sensitive documents
Enable searching of encrypted files in SharePoint
Allow users to open and share encrypted PDF files in Edge in addition to Adobe Acrobat Reader
Sensitivity labels explained
Customizable
Persists as container metadata or file metadata
Readable by other systems
Determines DLP policy based on labels
Extensible to partner solutions
Manual or automated labels
Apply to content or containers
Label data at rest, data in use, or data in transit
Enable protection actions based on labels
Seamless end user experience across productivity applications
Capabilities of sensitivity labels
Capabilities include:
Encrypt
Mark content
Prevent data loss
Protect content in containers
Apply labels automatically
Demo
Sensitivity labels
Sensitivity label policies
Best practice: Think across all environments
On-prem: Classify and label data in on-prem repositories
Office apps across platforms: Label and protect Office files natively across Windows, Mac, iOS, Android and web clients
SharePoint sites, Teams, Office 365 groups: Label and protect sensitive SharePoint sites, Teams, Office 365 Groups, Power BI artifacts
Exchange Online: Automatically label and protect sensitive emails in Exchange Online
SharePoint Online: Automatically label and protect sensitive files in SharePoint Online and OneDrive for Business
Non-Microsoft clouds and SaaS apps: Extend protection through Microsoft Cloud App Security to third-party clouds and SaaS apps
Unified Label Management in Microsoft 365 Compliance center
Create and configure sensitivity labels and policies
Admin: Creates a sensitivity label; publishes the sensitivity label to users and groups selected in a label policy
End user: Works on an email or document and sees the available labels; classifies the document by applying a label
Office or third-party app/service: Enforces protection settings on the email or document based on the applied label
Label analytics
With label analytics you can view:
Total number of retention labels and sensitivity labels applied to content
Top labels and the count of how many times each label was applied
Locations where labels are applied and the count for each location
Count of how many files and folders had their retention label changed or removed
Transition from Azure Information Protection (AIP) to Microsoft Information Protection
Guidance for existing Azure Information Protection (AIP) deployments
DLP capabilities
Data loss prevention in Microsoft 365 identifies, monitors, reports, and protects sensitive data such as Social Security and credit card numbers through deep content analysis while helping users understand and manage data risk
DLP can be configured to identify sensitive information
DLP policies protect content by enforcing rules comprised of conditions and actions
Policies are typically based on policy templates provided in the service
Sensitive information types
A sensitive information type is defined by a pattern that can be identified by a regular expression or a function
Data loss prevention in Microsoft 365 includes definitions for many common sensitive information types such as credit card numbers, bank account numbers, national ID numbers and others
Each sensitive information type is defined and detected by using a combination of:
Format
Keywords
Internal functions to validate checksums or composition
Evaluation of regular expressions to find pattern matches
Other content examination
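A simplified detector, added here as an illustration and not Microsoft's built-in credit card definition, that combines the layers listed above: a regular expression for the format, a Luhn checksum as the internal validation function, and supporting keywords within a proximity window. The regex, keyword list and window size are assumptions chosen for the example, and the sample text is constructed.

```powershell
# Added example: mirrors how a sensitive information type layers format, checksum
# and keyword evidence. Not Microsoft's SIT definition; pattern, keywords and the
# proximity window are assumptions for illustration.

function Test-LuhnChecksum {
    # The "internal function" layer: $true when the digit string passes Luhn mod-10.
    param([Parameter(Mandatory)][string]$Digits)
    $sum = 0
    $doubleIt = $false
    for ($i = $Digits.Length - 1; $i -ge 0; $i--) {
        $d = [int][string]$Digits[$i]
        if ($doubleIt) {
            $d *= 2
            if ($d -gt 9) { $d -= 9 }
        }
        $sum += $d
        $doubleIt = -not $doubleIt
    }
    return (($sum % 10) -eq 0)
}

function Find-CreditCardNumber {
    param(
        [Parameter(Mandatory)][string]$Text,
        # Characters on either side of a match in which supporting keywords count
        [int]$ProximityChars = 300
    )
    # Format layer: 13 to 19 digits, optionally separated by single spaces or hyphens
    $pattern = '\b(?:\d[ -]?){12,18}\d\b'
    # Keyword layer: evidence that raises confidence when found near the number
    $keywords = @('credit card', 'card number', 'visa', 'mastercard', 'expiration', 'cvv')

    foreach ($m in [regex]::Matches($Text, $pattern)) {
        $digits = $m.Value -replace '[ -]', ''
        $luhnValid = Test-LuhnChecksum -Digits $digits

        $start = [Math]::Max(0, $m.Index - $ProximityChars)
        $end = [Math]::Min($Text.Length, $m.Index + $m.Length + $ProximityChars)
        $window = $Text.Substring($start, $end - $start).ToLowerInvariant()
        $hits = @($keywords | Where-Object { $window.Contains($_) })

        # A failed checksum is discarded outright; keywords only raise confidence
        $confidence = if (-not $luhnValid) { 'None (checksum failed)' } elseif ($hits.Count -gt 0) { 'High' } else { 'Medium' }

        [pscustomobject]@{
            Match      = $m.Value
            LuhnValid  = $luhnValid
            Keywords   = ($hits -join ', ')
            Confidence = $confidence
        }
    }
}

# Constructed sample text (not real card data). The first number is the widely
# published Visa test number and passes Luhn; the second differs in its last digit
# and fails, so it is reported as a non-match despite the nearby keyword.
$sample = @"
Please charge my Visa credit card 4111 1111 1111 1111, expiration 12/25.
Reference ticket 4111-1111-1111-1112 looks like a card number but is not one.
"@

Find-CreditCardNumber -Text $sample | Format-Table -AutoSize
```

The first match is reported with High confidence (checksum valid, keywords "credit card", "visa" and "expiration" nearby); the second is rejected by the checksum even though "card number" appears beside it.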
DLP policies explained
After creating DLP policies, you can activate them to examine different locations, such as:
Exchange email
SharePoint sites
OneDrive accounts
You can also create a DLP policy and choose not to activate it but run it in test mode
To monitor and audit your DLP policies, there are two predefined reports available, that show “DLP policy matches” and “DLP false positive and override”
Conditions and actions
Conditions focus not only on the content, such as the type of sensitive information you’re looking for, but also on the context, such as who the document is shared with
Conditions can determine if:
Content contains any of the 80+ built-in types of sensitive information
Content is shared with people outside or inside your organization
The document properties contain specific values
When content matches a condition in a rule, you apply actions to protect the document or content
You can perform actions such as:
Block access to the content
Send a notification
Email notifications
When you create a DLP policy in the Security & Compliance Center, you can configure a user notification action to inform users and educate them when they are in violation of an organization’s policy
Users can be notified through email notifications and policy tips
Policy tips
A policy tip is a notification or warning that appears when someone is working with content that conflicts with a DLP policy
Policy tips can be entered in email, on sites, and in Office 2016 apps such as Excel, PowerPoint, and Word
Policy templates
The quickest way to start using DLP policies is to create a new policy from a template
A preconfigured DLP policy template can help you detect specific types of sensitive information
Three methods exist for you to begin creating DLP policies by using the Security & Compliance Center:
Apply an out-of-the-box template supplied by Microsoft
Create a custom policy with one or more different pre-existing conditions
Create a custom policy without any pre-existing conditions
Use DLP policies with FCI
In Office 365, you can use a Data Loss Prevention (DLP) policy to identify, monitor, and protect sensitive information
You can create a DLP policy in Office 365 that recognizes the properties that have been applied to documents by Windows Server FCI or other systems
Choose a built-in policy template
Before you can enforce data loss prevention, you must first create a DLP policy
Choose locations to protect
The New DLP policy wizard lets you select the services you want to protect
Configure rules
The Policy settings tab displays the template’s default DLP rules
You can accept the default settings for conditions and actions or select Use advanced settings to create custom rules
Enable the policy
The last two pages of the New DLP policy wizard ask about the status of the DLP policy after the wizard finishes and display a review of the policy’s settings
When you create your DLP policies, you should consider rolling them out gradually to assess their impact and test their effectiveness before fully enforcing them
Create and manage Teams DLP policies
For organizations that have DLP for Teams licensed, policies can be configured that prevent people from sharing sensitive information in a Microsoft Teams channel or chat session. With these policies, the admin can protect:
Sensitive information in messages
Sensitive information in documents
Integrated: Integrations (e.g. with Microsoft Information Protection) build on existing capabilities and focus on risks that matter
Native protection: Built-in to Windows 10, Office apps, Edge – no agent required
Seamless deployment: Cloud-delivered, lightweight configuration leads to immediate value; works out of the box for MDATP customers
Identify and protect information on endpoints
Endpoint Data Loss Prevention
Currently in public preview
Generally available Q4 CY20
Discover sensitive data on devices on day 1
• Audit activity of common file types with rich context
• Data classification without any policy
• Data driven policy orchestration
Cloud-native, lightweight config
• Managed through Microsoft Compliance Center
• Single click extends existing DLP policies to devices
Seamless deployment
Integrated and data-centric
Data-centric protection
• Content-centric auditing and enforcement
• Apply sensitivity label and encryption (future)
DLP & Threat Protection: better together
• Prioritize incident response based on data sensitivity
• DLP sensors and data exfil detection in MDATP
• Risk-aware DLP policies (future)
• Serves as Insider Risk Management endpoint sensor
Endpoint DLP
Microsoft Endpoint DLP allows you to monitor Windows 10 devices and detect when sensitive items are used and shared.
Requirements:
• Devices must be Windows 10
• Devices need to be onboarded
• Devices must be Azure AD joined
Customize conditions and actions
The default sensitive information types associated with the U.S. Personally Identifiable Information (PII) Data policy include the U.S. Individual Taxpayer Identification Number, U.S. Social Security Number, and U.S./U.K. Passport Number
You can add any sensitive information type and, if necessary, remove any of the default types
Customize user notifications
The User notifications section of the Security and Compliance Center lets you configure and customize the notifications that people receive when a user attempts to share content that is protected
Customize user overrides
User notifications are effective in educating users about an organization’s compliance requirements
You can configure user overrides so that users can override a block with a business justification
Send incident reports
Administrators can configure an action to generate incident reports if a DLP event occurs
Document protection through DLP policies
Many organizations already have a process to identify and classify sensitive information by using the classification properties in Windows Server File Classification Infrastructure (FCI)
You can create a DLP policy in Office 365 that recognizes the properties that have been applied to documents by Windows Server FCI or other systems
When you create a DLP policy, the only content that is detected is the content that is newly uploaded and the existing content that is edited
To detect existing content, you need to manually re-index your library, site, or site collection
Create a document protecting DLP policy (Steps 1 & 2)
Step 1 – Upload a document with the needed property to Microsoft 365:
You first need to upload a document with the property that you want to reference in your DLP policy. Microsoft 365 will detect the property and automatically create a crawled property from it
Step 2 – Create a managed property in SharePoint Online
Create a document protecting DLP policy (Step 3)
Step 3 – Create the DLP policy:
The condition Document properties contain any of these values is not available in the user interface of the Microsoft 365 Security & Compliance Center, so you need to use PowerShell to use it
You can use the New-DlpCompliancePolicy, Set-DlpCompliancePolicy and Get-DlpCompliancePolicy cmdlets to work with a DLP policy
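Step 3 carried out in Security & Compliance PowerShell, as an added example that is not part of the deck: the policy is created with New-DlpCompliancePolicy and the document-property condition itself lives on a rule created with New-DlpComplianceRule. Assumed: the ExchangeOnlineManagement module is installed, the managed property from Step 2 is named Classification, the FCI value to match is Confidential, and the incident report address is a placeholder.

```powershell
# Added example (not from the deck): the FCI-property DLP policy from Step 3.
# Assumptions: ExchangeOnlineManagement module installed; managed property from
# Step 2 is "Classification"; FCI value to match is "Confidential"; the report
# address is a placeholder. Replace all three with your own values.

# Connect to Security & Compliance PowerShell (prompts for an admin sign-in)
Connect-IPPSSession

$policyName = 'FCI Confidential Documents'

# 1. Create the policy scoped to SharePoint and OneDrive. Start in test mode so
#    that matches are reported and users notified without anything being blocked,
#    which is the gradual rollout the deck recommends.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Protects documents carrying the FCI Classification=Confidential property' `
    -SharePointLocation All `
    -OneDriveLocation All `
    -Mode TestWithNotifications

# 2. Add the rule with the "Document properties contain any of these values"
#    condition, which is only reachable through PowerShell. The value format is
#    ManagedPropertyName:Value. The rule only fires for content shared outside
#    the organization, blocks access, notifies the owner and raises an incident
#    report (the "Send incident reports" action from the earlier slide).
New-DlpComplianceRule -Name 'Block external sharing of Confidential FCI docs' `
    -Policy $policyName `
    -ContentPropertyContainsWords 'Classification:Confidential' `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner `
    -GenerateIncidentReport 'dlp-alerts@contoso.example'

# 3. Review what was created
Get-DlpCompliancePolicy -Identity $policyName |
    Format-List Name, Mode, SharePointLocation, OneDriveLocation
Get-DlpComplianceRule -Policy $policyName |
    Format-List Name, ContentPropertyContainsWords, AccessScope, BlockAccess

# 4. After checking the "DLP policy matches" report in test mode, switch the
#    policy to enforcement (and remember to re-index existing content, as the
#    deck notes, or only newly uploaded and edited documents are evaluated).
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```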
Policy tips in email
When you compose a new email in Outlook on the web and Outlook 2013 and later, you’ll see a policy tip if you add content that matches a rule in a DLP policy that uses policy tips
Policy tips in SharePoint and OneDrive
When a document on a OneDrive for Business site or SharePoint Online site matches a rule in a DLP policy that uses policy tips, the policy tips display special icons on the document
Policy tips in Office 2019
When end users work with sensitive content in the desktop versions of Excel 2019, PowerPoint 2019, and Word 2019, policy tips can notify them in real time that the content conflicts with a DLP policy
Policy tips in Office 2019 (continued)
Depending on how you configure the policy tips in the DLP policy, people can choose to simply ignore the policy tip, override the policy with or without a business justification, or report a false positive
Demo
Information Protection (segment 2 of 2)
• Information Rights Management (IRM)
• Secure/Multipurpose Internet Mail Extensions (S/MIME)
• Office 365 Message Encryption
Microsoft 365 encryption options
Microsoft 365 offers a variety of different encryption services and features, with a basic differentiation between data at rest and data in transit
With Microsoft 365, you can have multiple layers and kinds of encryption working together to secure your data
Kinds of content and the encryption technologies that protect them:
Files on a device (email messages saved in a folder, Office documents saved on a computer, tablet, or phone, or data saved to the Microsoft cloud): BitLocker in Microsoft datacenters (BitLocker can also be used on client machines, such as Windows computers and tablets); Distributed Key Manager (DKM) in Microsoft datacenters; Customer Key for Microsoft 365
Files in transit between users (Office documents or SharePoint list items shared between users): TLS for files in transit
Email in transit between recipients (including email hosted by Exchange Online): Office 365 Message Encryption with Azure Rights Management, S/MIME, and TLS for email in transit
Rights management in Exchange
With the IRM features in Exchange, your organization and users can control the permissions that recipients have for email
IRM can allow or restrict recipient actions
IRM protection can be applied by users in Outlook and Outlook on the web, or it can be based on your organization’s messaging policies
Microsoft Office applications, such as Word, Excel, PowerPoint, and Outlook are RMS-enabled
IRM cannot prevent information from being copied using the following methods:
Third-party screen capture programs
Use of imaging devices to photograph IRM-protected content displayed on the screen
Users remembering or manually transcribing the information
Applying IRM protection to email
Method: Description
Manually by Outlook users: Your Outlook users can IRM-protect messages with the RMS rights policy templates available to them. This process uses the IRM functionality in Outlook rather than Exchange. However, you can use Exchange to access messages, and you can take actions (such as applying transport rules) to enforce your organization’s messaging policy
Manually by Outlook on the web users: When you enable IRM in Outlook on the web, users can IRM-protect messages they send, and view IRM-protected messages they receive
Manually by mobile device users: Mobile devices like Windows Phone, iOS and Android can view and create IRM-protected messages with the Outlook app. This requires users to connect their supported devices to a computer and activate them for IRM. You can enable IRM in Microsoft Exchange ActiveSync to allow users of Exchange ActiveSync devices to view, reply to, forward, and create IRM-protected messages
Automatically in Outlook: You can create Outlook Protection Rules to automatically IRM-protect messages in Outlook. Outlook Protection Rules are deployed automatically to Outlook clients, and IRM-protection is applied by Outlook when the user composes a message
Automatically on mailbox servers: You can create transport protection rules to automatically IRM-protect messages
Rights management in SharePoint
Within SharePoint Online, IRM protection is applied to files at the list and library level
IRM relies on the Azure Rights Management service from Azure Information Protection
In SharePoint, IRM enables administrators and content creators to limit the actions that users can take on files that are stored in document libraries
You can use IRM on lists and libraries to limit the dissemination of sensitive content
You can use IRM to prevent these individuals from sharing this content with other employees in the company
Applying IRM protection to SharePoint
IRM protection in SharePoint is applied to files at the list or library level
When people download files in an IRM-enabled list or library, the files are encrypted so that only authorized people can view them
SharePoint permissions and the corresponding IRM permissions:
Manage Permissions, Manage Web Site: Full control (as defined by the client program). This permission generally allows a user to read, edit, copy, save, and modify permissions of rights-managed content
Edit Item, Manage Lists, Add and Customize Pages: Edit, Copy, and Save. A user can print a file only if the Allow users to print documents check box is selected on the Information Rights Management Settings page for the list or library
View Items: Read. A user can read the document but cannot copy or modify its content. A user can print only if the Allow users to print documents check box is selected on the Information Rights Management Settings page for the list or library
Other: No other permissions correspond directly to IRM permissions
S/MIME explained
S/MIME is based on using certificates that work with a private key and a public key
If you sign a message with the private key, it can only be validated by using the public key, and if somebody encrypts a message with the public key, it can only be decrypted with the private key
S/MIME digital signatures
Digital signatures provide several security capabilities, including authentication, nonrepudiation, and data integrity
Authentication in a digital signature works by allowing a recipient to know that a message was sent by the person or organization who claims to have sent the message
The uniqueness of a signature prevents the owner of the signature from disowning the signature. This capability is called nonrepudiation
Data integrity is a result of the specific operations that make digital signatures possible
Although digital signatures provide data integrity, they do not provide confidentiality
Applying digital signatures
At its simplest, a digital signature works by performing a signing operation on the text of the e-mail message when the message is sent, and a verifying operation when the message is read
Verifying digital signatures
When the recipient opens a digitally signed e-mail message, a verification procedure is performed on the digital signature to ensure the sender’s identity and the consistency of the message
S/MIME messages
Encryption is a way to change the content so that it cannot be read or understood until it is changed back into a readable and understandable form
Message encryption provides two specific security services:
Confidentiality
Data integrity
The message is encrypted by utilizing the recipient’s public key, available to everyone; thus message encryption does not provide authentication, and therefore does not provide nonrepudiation
Encrypting e-mail messages
Message encryption makes the content of a message unreadable by performing an encryption operation on it when it is sent
Decrypting e-mail messages
When the recipient opens an encrypted message, a decryption operation is performed on the encrypted message
Digital signatures and encryption working together
Digital signatures and message encryption are not mutually exclusive services
These two services are designed to be used in conjunction with one another, because each separately addresses one side of the sender-recipient relationship
Triple-wrapped messages
One of the enhancements in the latest version of S/MIME (version 3) is known as “triple-wrapping”
A triple-wrapped S/MIME message is one that is signed, encrypted, and then signed again
This extra layer of encryption provides an additional layer of security
When users sign and encrypt messages with Outlook on the web using the S/MIME control, the message is automatically triple-wrapped
Office 365 message encryption explained
OME combines email encryption and rights management (RMS) capabilities that are provided with Azure Information Protection (AIP)
Office 365 Message Encryption and S/MIME both encrypt email messages, but S/MIME requires the client sending the message to encrypt the email message using a public key infrastructure (PKI) certificate that is installed or available on the client computer
Office 365 Message Encryption uses built-in certificates to encrypt messages in the Office 365 service during the transport of the message
With Office 365 Message Encryption the service ensures only the intended recipient can view the message
How Office 365 message encryption works
Office 365 Message Encryption is an online service that is built on Microsoft Azure Rights Management (Azure RMS, part of AIP)
When a user sends an email message in Exchange that matches an encryption rule, the message is sent out with an HTML attachment
Working with encrypted emails
Users can send encrypted email from Outlook and Outlook on the web
Admins can set up mail flow rules in Office 365 to automatically encrypt emails based on keyword matching or other conditions
Office 365 advanced message encryption explained
Advanced capabilities include:
Message revocation
Message expiration
Multiple branding templates
Demo
Information Governance
• Archiving in Microsoft 365
• Retention in Microsoft 365
• Archiving and Retention in Exchange
• In-place records management in SharePoint
Information governance
Information governance helps you manage the end-to-end lifecycle of all content across your organization’s digital estate, including Microsoft 365, third-party clouds, hybrid deployments, and any content you bring into Microsoft 365
Common information governance scenarios:
Create an organization-wide retention policy to delete all Microsoft Teams communications older than seven days
Review documents stored in a SharePoint document library prior to them being deleted because a retention policy expired
Implement a 5-year retention policy where automatically labeled content will be kept five years and then automatically deleted
Records management
Records management in Microsoft 365 provides the following capabilities:
Label content as a record
Migrate and manage your retention requirements with file plan
Establish retention and deletion policies within the record label
Trigger event-based retention
Review and validate disposition
Export information about all disposed items
Set specific permissions
File plan
File plan can be used for all retention labels, even if they don’t mark content as a record
In-place archiving and records management
Data governance in Microsoft 365 enables you to archive content as appropriate in Exchange mailboxes, SharePoint sites, and OneDrive for Business locations in your Microsoft 365 organization
In-Place Archiving in Exchange:
Archiving in Exchange is performed by a feature called In-Place Archiving
With In-Place Archiving, users can view an archive mailbox and move or copy messages between their primary mailbox and their archive mailbox
Archive mailboxes allow you to offload the data footprint on the Exchange servers
With archive mailboxes, your organization can control messaging data by eliminating the need for personal store files
In-Place Records Management in SharePoint:
In-Place Records Management enables you to effectively manage records in collaborative spaces
In-Place Records Management allows SharePoint documents to be declared as records
In-place archiving in Exchange
When an administrator enables the user’s mailbox for In-Place Archiving, an additional mailbox is created and displayed in the user’s Outlook and Outlook on the web
Mails from the primary mailbox can then be moved to the archive
The archive mailbox is not cached on the client computer
To protect from accidental or malicious deletion and to facilitate discovery efforts, Exchange 2016 and Exchange Online use the Recoverable Items folder
The Recoverable Items folder replaces the feature that was known as the dumpster in earlier versions of Exchange
In-place records management in SharePoint
A record is a document or other electronic or physical entity in an organization that serves as evidence of an activity or transaction
Records management is the process by which an organization:
Determines what kinds of information should be considered records
Determines how active documents that will become records should be handled
Determines how active documents should be collected
Determines in what manner and for how long each record type should be retained
Researches and implements technological solutions
Performs records-related tasks
In SharePoint, archiving is referred to as In-Place Records Management
Retention policies
A retention policy in Microsoft 365 can help you achieve the following goals:
Comply proactively with industry regulations and internal policies
Reduce your risk in the event of litigation or a security breach
Help your organization to share knowledge effectively and be more agile
Principles of retention:
Retention wins over deletion
Longest retention period wins
Explicit inclusion wins over implicit inclusion
Strongest deletion period wins
Messaging Records Management in Exchange
Messaging Records Management (MRM) in Exchange helps to manage users’ mailboxes and archive mailboxes
It can move messages from the primary mailbox to the archive, delete mails after a specific time or preserve Exchange elements
In Exchange, retention is performed using retention policies
Retention policies allow you to:
Remove all messages after a specified period
Remove messages based on folder location
Allow users to tag messages
Retain messages for a specified period
Retention tags in Exchange
Administrators use retention tags to apply retention settings to items and folders in a user’s mailbox
The applied settings specify how long a message stays in the user’s mailbox and what happens when the message reaches its retention age
Retention tags contain settings on how to process messages, while retention policies are required to group retention tags and assign them to a mailbox
Create Retention Tags
Retention tags are used to apply retention settings to messages and folders. There are three types of retention tags:
Default Policy Tags: A default policy tag (DPT) applies to all items that do not have a retention tag applied, either inherited or explicit.
Retention Policy Tags: Retention policy tags (RPTs) are created for default folders such as Inbox, Deleted Items, etc.
Personal Tags: Personal tags are used by Outlook and Outlook Web App users to apply retention settings to custom folders and individual items such as email messages.
Example tags shown: Move to Archive, Permanently Delete, Voice Mail (Delete), Archive – 365 days, Business Critical, Delete – 1 Week, Delete – 180 days
Create Retention Policies
A retention policy is a group of retention tags that can be applied to a mailbox
Link retention tags to retention policies
A retention policy can have one DPT to move items to archive, one DPT to delete items, one DPT to delete voice mail messages, one RPT for each supported default folder and any number of personal tags
Apply Retention Policies
Retention policies are applied to mailbox users. Different sets of users can have different retention policies (example policies shown: Corp-Users, Corp-Execs)
Calculate retention age
The Managed Folder Assistant processes mailboxes that have a retention policy applied, adds the retention tags included in the policy to the mailbox, and processes items in the mailbox based on policy settings
The retention age of mailbox items is calculated from the date of delivery, or the date of creation for items such as drafts that are not delivered but created by the user
When using retention policies in the Compliance Center, you can control the way in which the age of elements is calculated
Retention policies explained
To apply a retention policy you should consider the following:
Content in OneDrive accounts and SharePoint sites
How a retention policy works with document versions in a site
Content in mailboxes and public folders
Content in Teams
Content in Skype locations
Limitations for creating retention policies
Use retention labels with policies
Create a retention policy
The following tasks are needed to create a retention policy:
Assigning permissions to create a policy
Creating a retention policy in the compliance center
Using Advanced Retention settings
Creating a retention policy in PowerShell
Event-driven retention
To successfully use event-driven retention, it’s important to understand the relationship between event types, labels, events, and asset IDs
Create retention tags
Retention tags are used to apply retention settings to messages and folders
Multiple retention tags can be grouped together into a retention policy, and retention policies can be applied to a mailbox
Retention tag types:
Default Policy Tags (DPTs): These are default retention tags for the entire mailbox
Retention Policy Tags (RPTs): These are for default folders. The only valid action is to delete or delete permanently
Personal Tags: These tags become available in Outlook and Outlook on the web. Users can use them to apply to a mailbox folder or an individual item
Retention actions:
Delete and Allow Recovery: This action allows the user to recover deleted items until the deleted item retention period is reached for the mailbox database or the user
Permanently Delete: This action purges the item from the mailbox database
Note: If the content of a mailbox is targeted by any retention policy in SCC or a hold, the content will not be deleted permanently; therefore, it can still be returned by an eDiscovery search
Move to Archive: This action moves the item to the user’s archive mailbox, if one exists. If a user does not have an archive mailbox, no action is taken. This action is available only for default retention tags that are automatically applied to the entire mailbox, as well as tags applied by users to items or folders (personal tags)
Create a retention policy
Configuring a retention policy is simply a matter of creating a new policy and then adding the retention tags you want to that policy
Assign retention policies to mailboxes
To apply a retention policy, you have to assign it to a user mailbox
You can use the Exchange Admin Center or PowerShell to assign a retention policy
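The tags and the Corp-Users policy from the Create Retention Tags and Create Retention Policies slides, together with the PowerShell assignment just mentioned, as one added Exchange Online PowerShell example that is not part of the deck. Assumed: the ExchangeOnlineManagement module is installed, the Business Critical personal tag is meant to exempt items from expiry, the voicemail age limit is 30 days (the slides give none), and the mailbox alias is a placeholder.

```powershell
# Added example (not from the deck): the retention tags and Corp-Users policy shown
# on the slides, built with Exchange Online PowerShell and assigned to a mailbox.
# Assumptions: ExchangeOnlineManagement installed; "Business Critical" means never
# expire; voicemail age limit of 30 days; "alex.wilber" is a placeholder alias.

Connect-ExchangeOnline

# Default policy tags (DPTs) apply to every item without a more specific tag.
# A policy may carry one DPT per action, so archive, delete and voicemail each get one.
New-RetentionPolicyTag -Name 'Archive - 365 days' -Type All `
    -AgeLimitForRetention 365 -RetentionAction MoveToArchive `
    -Comment 'Move to the archive mailbox one year after delivery'

New-RetentionPolicyTag -Name 'Delete - 180 days' -Type All `
    -AgeLimitForRetention 180 -RetentionAction DeleteAndAllowRecovery `
    -Comment 'Soft-delete after six months; recoverable until the deleted item retention period ends'

New-RetentionPolicyTag -Name 'Voice Mail (Delete)' -Type All -MessageClass Voicemail `
    -AgeLimitForRetention 30 -RetentionAction DeleteAndAllowRecovery `
    -Comment 'Assumed 30-day limit; applies only to voicemail items'

# Retention policy tag (RPT): bound to one default folder; delete is the only valid action.
New-RetentionPolicyTag -Name 'Delete - 1 Week' -Type DeletedItems `
    -AgeLimitForRetention 7 -RetentionAction PermanentlyDelete

# Personal tag: users pick it in Outlook for folders or individual items.
# RetentionEnabled $false means tagged items are never expired by the assistant.
New-RetentionPolicyTag -Name 'Business Critical' -Type Personal -RetentionEnabled $false `
    -Comment 'Never expire; apply to items that must be kept'

# Group the tags into a retention policy (one DPT per action, one RPT per folder,
# any number of personal tags, as the slide describes).
New-RetentionPolicy -Name 'Corp-Users' -RetentionPolicyTagLinks `
    'Archive - 365 days', 'Delete - 180 days', 'Voice Mail (Delete)', 'Delete - 1 Week', 'Business Critical'

# Assign the policy to a mailbox and have the Managed Folder Assistant process it now
# rather than waiting for its next scheduled run.
Set-Mailbox -Identity 'alex.wilber' -RetentionPolicy 'Corp-Users'
Start-ManagedFolderAssistant -Identity 'alex.wilber'

# Verify the assignment and the tags linked to the policy
Get-Mailbox -Identity 'alex.wilber' | Format-List DisplayName, RetentionPolicy
Get-RetentionPolicy -Identity 'Corp-Users' | Select-Object -ExpandProperty RetentionPolicyTagLinks
```

A second policy such as Corp-Execs is built the same way with its own tag links and assigned to a different set of mailboxes.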
Records management in SharePoint explained
The records management planning process should include the following steps:
1. Identify records management roles
2. Analyze organizational content
3. Develop a file plan
4. Develop retention schedules
5. Evaluate and improve document management practices
6. Design the records management solution
7. Plan how content becomes records
8. Plan email integration
9. Plan compliance for social content
10. Plan compliance reporting and documentation
Benefits of in-place records management
The benefits of implementing an in-place records management system include the following:
• Records can exist and be managed across multiple sites
• With versioning enabled, maintaining versions of records is automatic
• eDiscovery search can be executed against both records and active documents at the same time
• Broader control over what a record is in your organization and who can create a record
Configure in-place records management
You must perform several tasks to configure in-place records management:
1 Activate in-place records management at the site collection level
2 Configure record declaration settings at the site collection level
3 Configure record declaration settings at the list or library level
Demo
Day 2 Slides
Compliance Management• Compliance Center• Compliance Manager
Compliance center in Microsoft 365
• Information protection & governance: Protect and govern data wherever it lives
• Insider risk management: Identify and remediate critical insider risks
• Discover & respond: Quickly investigate and respond with relevant data
• Compliance management: Simplify compliance and reduce risk
Compliance management
Microsoft compliance management use cases:
• Data protection baseline: Implement baseline technical, procedural, and people controls to protect your data
• IT risk management: Assess and monitor risks in Office 365 and Intune
• Regulatory compliance: Assess and maintain controls for data protection regulations (e.g. GDPR, CCPA)
• Audits and control assessments: Demonstrate control effectiveness to internal and external auditors
Microsoft 365 compliance center
Microsoft Compliance Manager
Compliance manager assessments
Microsoft Service Trust Portal
Demo
Insider Risk Management• Insider Risk• Communication compliance• Privileged Access Management• Customer Lockbox• Information barriers
Insider risk management explained
Configure insider risk management
Insider risk management configuration steps:
1 Enable permissions for insider risk management
2 Enable the Office 365 audit log
3 Configure prerequisites for templates
4 Configure insider risk settings
5 Create an insider risk management policy
Investigate insider risk alerts
Communications compliance explained
Drivers: increasing data; increased regulatory enforcement; difficult to find subject matter experts to review
Result: violations slip through
Privileged access management in Office 365
Azure AD Privileged Identity Management primarily allows managing access for AD roles and role groups, while privileged access management in Office 365 is applied only at the task level.
Customer Lockbox workflow
Customer Lockbox requests allow you to control how a Microsoft support engineer accesses your data.
Customer Lockbox
Information barriers explained
Define policies that are designed to prevent certain segments of users from communicating with each other, or to allow specific segments to communicate only with certain other segments.
Information barrier policies
Part 1: Segment users in your organization. Segments are sets of users that are defined in the Security & Compliance Center using a selected user account attribute.
Part 2: Define information barrier policies. "Block" policies prevent one segment from communicating with another segment. "Allow" policies allow one segment to communicate with only certain other segments.
Part 3: Apply information barrier policies.
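The three parts above carried out in Security & Compliance PowerShell: segments from a user attribute, one block and one allow policy, then activation and application. This is an added example, not code from the deck; it assumes the ExchangeOnlineManagement module and an account with the Compliance Administrator role, and the segment names and Department values are constructed placeholders.

```powershell
# Added example (not from the training deck): segment users, define block
# and allow policies, and apply them. Assumes the ExchangeOnlineManagement
# module; segment names and Department values are placeholders.
Connect-IPPSSession

# Part 1: segments built from a directory attribute. A user may belong to
# only one segment, so the attribute values must not overlap.
New-OrganizationSegment -Name "Investment Banking" -UserGroupFilter "Department -eq 'Investment Banking'"
New-OrganizationSegment -Name "Research"           -UserGroupFilter "Department -eq 'Research'"
New-OrganizationSegment -Name "Compliance"         -UserGroupFilter "Department -eq 'Compliance'"

# Part 2a: Block policies. A barrier must be declared from both sides, so
# each segment gets its own policy. Created Inactive so they can be reviewed.
New-InformationBarrierPolicy -Name "IB-blocks-Research" -AssignedSegment "Investment Banking" `
    -SegmentsBlocked "Research" -State Inactive
New-InformationBarrierPolicy -Name "Research-blocks-IB" -AssignedSegment "Research" `
    -SegmentsBlocked "Investment Banking" -State Inactive

# Part 2b: Allow policy. Compliance may communicate only with Research.
New-InformationBarrierPolicy -Name "Compliance-allows-Research" -AssignedSegment "Compliance" `
    -SegmentsAllowed "Research" -State Inactive

# Review what was created before anything is enforced.
Get-InformationBarrierPolicy | Format-Table Name, AssignedSegment, SegmentsBlocked, SegmentsAllowed, State

# Part 3: activate and apply. Application runs in the background; poll the
# status until it reports Completed before testing in Teams.
foreach ($p in "IB-blocks-Research", "Research-blocks-IB", "Compliance-allows-Research") {
    Set-InformationBarrierPolicy -Identity $p -State Active
}
Start-InformationBarrierPoliciesApplication
Get-InformationBarrierPoliciesApplicationStatus
```

Creating policies Inactive and activating them in a second step matches how a change-controlled environment should handle a barrier: the definition can be reviewed by someone other than the author, and nothing changes for users until Start-InformationBarrierPoliciesApplication has run.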
Information barriers in Microsoft Teams
Information barrier policies are activated when the following Teams events take place:
• Members are added to a team
• A new chat is requested
• A user is invited to join a meeting
• A screen is shared between two or more users
• A user places a phone call (VOIP) in Teams
• Guest users in Teams
Ethical walls in Exchange Online
An ethical wall is a zone of non-communication between distinct departments of a business or organization. An ethical wall typically spans multiple methods of communication, such as telephone, e-mail, postal mail, and direct person-to-person communication.
Exchange transport rules can be configured to support ethical walls by helping to prevent email messages from being sent between specific groups of recipients within your organization. Exchange transport rules should be treated as one part of an overall suite of tools or processes that are deployed throughout your organization to help enforce an ethical wall policy.
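The transport rule form of an ethical wall, as an added example that is not from the deck: a mail flow rule that rejects messages between the members of two groups, first run in audit mode and then enforced. It assumes the ExchangeOnlineManagement module; the rule name, group addresses and rejection text are constructed placeholders.

```powershell
# Added example (not from the training deck): an Exchange Online mail flow
# (transport) rule as one control in an ethical wall. Assumes the
# ExchangeOnlineManagement module; names and addresses are placeholders.
Connect-ExchangeOnline

$ruleName = "Ethical Wall - Trading and Research"

# BetweenMemberOf1/2 match messages sent in either direction between the
# two groups. Start in Audit mode so the rule only logs what it would block.
New-TransportRule -Name $ruleName `
    -BetweenMemberOf1 "trading@contoso.com" `
    -BetweenMemberOf2 "research@contoso.com" `
    -RejectMessageReasonText "Messages between Trading and Research are not permitted by policy." `
    -RejectMessageEnhancedStatusCode "5.7.1" `
    -Mode Audit -Priority 0 `
    -Comments "Ethical wall control; review audit hits before switching to Enforce"

# Confirm the conditions and the mode before anything is enforced.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, Priority, BetweenMemberOf1, BetweenMemberOf2, RejectMessageReasonText

# Once the audit period shows no legitimate traffic is caught, enforce it.
Set-TransportRule -Identity $ruleName -Mode Enforce
```

The audit-then-enforce sequence matters for the deck's own point that a transport rule is only one part of the wall: the audit hits show which existing workflows cross the boundary, and those have to be handled by the other tools and processes before the rule starts bouncing mail.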
Demo
Discover and Respond• Content Search• Audit Log Investigations• Advanced eDiscovery
Content Search explained
In contrast to eDiscovery searches, the Content Search feature in the Security and Compliance Center has no limits on the number of mailboxes and sites that you can search. Content Search contains enhanced performance capabilities that are useful when running very large eDiscovery searches.
After you run a Content Search, the number of content sources and an estimated number of search results are displayed for:
• Exchange Online mailboxes and public folders
• SharePoint Online sites and OneDrive for Business accounts
• Skype for Business conversations
• Microsoft Teams messages and sites
• Microsoft 365 Groups messages and sites
• To-Dos and MyAnalytics
Design your Content Search
You should consider the following questions when designing a Content Search:
• Who should create and run the content search?
• What type of content search do you want to create (for example, New search, Guided search, Search by ID list, and so on)?
• What keywords should be used for the search?
• What conditions should be used (for example, type of data, sender, date, subject, and so on)?
• Do you want to search all locations, or only specific locations (for example, SharePoint, Microsoft Teams, and so on)?
Configure search permissions
Filtered search permissions can be configured to allow an eDiscovery manager to search only a subset of mailboxes and sites in a Microsoft 365 organization. Search permissions filtering is configured by creating a filter that uses a supported recipient filter to limit which mailboxes can be searched.
Search permissions filtering is configured and managed by using the following Security & Compliance Center cmdlets:
• New-ComplianceSecurityFilter
• Get-ComplianceSecurityFilter
• Set-ComplianceSecurityFilter
• Remove-ComplianceSecurityFilter
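The four cmdlets in use, as an added example that is not from the deck: a recipient filter that confines one eDiscovery manager to mailboxes in a single country, then inspection, widening and removal of that filter. It assumes Security & Compliance PowerShell (ExchangeOnlineManagement module); the filter names, the user and the CountryOrRegion value are constructed placeholders.

```powershell
# Added example (not from the training deck): scope an eDiscovery manager's
# searches with a compliance security filter. Assumes Security & Compliance
# PowerShell; filter names, user and attribute value are placeholders.
Connect-IPPSSession

$manager = "alex.wilber@contoso.com"

# The Mailbox_ prefix marks a recipient filter: only mailboxes whose
# CountryOrRegion attribute is Canada are searchable by this user.
# -Action Search limits the filter to search; All would cover preview,
# export and purge as well.
New-ComplianceSecurityFilter -FilterName "Canada-Mailboxes-Only" `
    -Users $manager `
    -Filters "Mailbox_CountryOrRegion -eq 'Canada'" `
    -Action Search

# Review every filter that applies to the user.
Get-ComplianceSecurityFilter | Where-Object { $_.Users -contains $manager } |
    Format-List FilterName, Users, Filters, Action

# Widen the same filter to cover export as well, once that is approved.
Set-ComplianceSecurityFilter -FilterName "Canada-Mailboxes-Only" -Action All

# Retire the filter when the engagement ends; the user regains the full
# scope of the eDiscovery Manager role, so this deserves a change record.
Remove-ComplianceSecurityFilter -FilterName "Canada-Mailboxes-Only" -Confirm:$false
```

Filters are additive per user, so the Get-ComplianceSecurityFilter check is the one to run when a manager reports that a search returns fewer locations than expected: a second, older filter on the same account is the usual cause.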
Search for third-party data
The Content Search feature in the Security & Compliance Center enables you to search for items that were imported into mailboxes in Microsoft 365 from a third-party data source. You can create a query to search all imported third-party items, or you can create a query to only search specific third-party items.
To search or place a hold on any type of third-party data that you've imported into Microsoft 365, you can use the kind:externaldata message property-value pair.
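A Content Search that uses the kind:externaldata pair, as an added example that is not from the deck: one query for all imported third-party items and one narrowed to a date range, started and then checked for its estimated item count. It assumes Security & Compliance PowerShell (ExchangeOnlineManagement module); the search names and dates are constructed placeholders.

```powershell
# Added example (not from the training deck): Content Searches targeting
# items imported from third-party data sources. Assumes Security &
# Compliance PowerShell; search names and dates are placeholders.
Connect-IPPSSession

# All imported third-party items in every mailbox.
New-ComplianceSearch -Name "All imported third-party data" `
    -ExchangeLocation All `
    -ContentMatchQuery "kind:externaldata"

# The same pair combined with other KQL conditions narrows the collection
# to one quarter of imported items.
New-ComplianceSearch -Name "Imported third-party data Q1 2023" `
    -ExchangeLocation All `
    -ContentMatchQuery "kind:externaldata AND received>=01/01/2023 AND received<=03/31/2023"

# Searches are created idle; start both.
Start-ComplianceSearch -Identity "All imported third-party data"
Start-ComplianceSearch -Identity "Imported third-party data Q1 2023"

# Status moves to Completed once the estimate is ready; Items and Size are
# the numbers the portal shows as the estimated results.
Get-ComplianceSearch |
    Where-Object { $_.Name -like "*third-party data*" } |
    Select-Object Name, Status, Items, Size
```

Comparing the two item counts is a quick sanity check that the import actually landed in the mailboxes you expect before a hold is placed on that data.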
Manage GDPR data subject requests
To manage investigations in response to a DSR submitted by a person in your organization, you can use the DSR case tool in the Office 365 Security & Compliance Center to find content stored in:
• Any user mailbox in your organization. This includes Skype for Business conversations and one-to-one chats in Microsoft Teams
• All mailboxes associated with an Office 365 Group and all team mailboxes in Microsoft Teams
• All SharePoint Online sites and OneDrive for Business accounts in your organization
• All Teams sites and Office 365 Group sites in your organization
• All public folders in Exchange Online
Audit log search explained
You can search for the following types of activity in Microsoft 365:
• User activity in SharePoint Online and OneDrive for Business
• User activity in Exchange Online (Exchange mailbox audit logging)
• Admin activity in SharePoint Online
• Admin activity in Azure Active Directory
• Admin activity in Exchange Online
• User and admin activity in Sway
• User and admin activity in Power BI for Microsoft 365
• User and admin activity in Microsoft Teams
• User and admin activity in Yammer
Depending on the Microsoft 365 service, it can take up to 30 minutes or up to 24 hours after an event occurs for the corresponding audit log entry to be displayed in the search results.
Configure audit policies
Microsoft 365 auditing policies enable organizations to log events, such as viewing, editing, and deleting content like email messages, documents, task lists, issues lists, discussion groups, and calendars.
Auditing can be configured to log events such as the following:
• Editing a document or item
• Viewing a document or item
• Checking a document in or out
• Changing the permissions for a document or item
• Deleting a document or item
View and retain the search results
Once auditing is turned on, a Microsoft 365 administrator or compliance officer can search for hundreds of individual types of events from multiple Microsoft 365 services for the following reasons:
• Discover user and administrator activities
• Find eDiscovery-related activities performed by administrators and compliance managers
Filter search results
In addition to searching for a specific user or activity, you can also filter the results of an audit log search for a specific user or activity. Do the following to filter the results:
1. Run an audit log search
2. When the results are displayed, click Filter results
Export search results
The results of an audit log search can be exported to a comma separated value (CSV) file on your local computer. This enables you to open the file in Microsoft Excel and use features such as search, sort, filter, and split a single column (that contains multi-value cells) into multiple columns.
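The search, filter and export steps above done from PowerShell, as an added example that is not from the deck: confirm auditing is on, page through a week of SharePoint download events for one user, flatten the JSON AuditData column the portal export leaves as a single multi-value cell, filter by client IP, and write a CSV. It assumes the ExchangeOnlineManagement module; the user, operations and output path are constructed placeholders.

```powershell
# Added example (not from the training deck): an audit log investigation
# with Search-UnifiedAuditLog, filtering and CSV export. Assumes the
# ExchangeOnlineManagement module; user and output path are placeholders.
Connect-ExchangeOnline

# Unified audit log ingestion must be on, or every search returns nothing.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

$user      = "adele.vance@contoso.com"
$startDate = (Get-Date).AddDays(-7)
$endDate   = Get-Date      # entries can lag the event by 30 minutes to 24 hours

# Page through a large result set: repeating the call with the same
# SessionId and ReturnLargeSet yields the next page until nothing is left.
$sessionId = "download-review-" + [guid]::NewGuid().ToString()
$entries = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate `
        -UserIds $user -RecordType SharePointFileOperation `
        -Operations FileDownloaded, FileSyncDownloadedFull `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($page) { $entries += $page }
} while ($page)

# AuditData is a JSON blob; pull out the fields an investigator needs so
# they land in separate CSV columns instead of one multi-value cell.
$rows = foreach ($e in $entries) {
    $d = $e.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $e.CreationDate
        User      = $e.UserIds
        Operation = $e.Operations
        ClientIP  = $d.ClientIP
        File      = $d.SourceFileName
        Site      = $d.SiteUrl
        UserAgent = $d.UserAgent
    }
}

# Filter results: bulk downloads from a single client IP stand out.
$rows | Group-Object ClientIP | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Export search results for review in Excel.
$rows | Sort-Object Time | Export-Csv -Path ".\audit-downloads.csv" -NoTypeInformation
```

Grouping by ClientIP before exporting is the same triage the portal's Filter results step supports by hand; doing it in the script means the exported CSV already carries the columns the reviewer will sort on.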
Advanced audit
• High value events to power quicker investigations
• Processed insights to show context and key patterns
• Longer-term retention to meet investigation and compliance requirements
• Near real-time access to data to enable fast access to audit events
Advanced eDiscovery explained
Pain points of "collect and export":
• Move sensitive data to other systems
• Work with disjointed tools
• Lose insights in large amounts of data
Advanced eDiscovery design principles:
• Collect and discover data where it is
• Manage end-to-end workflows in one solution
• Find relevant data and insights intelligently
• Export
Advanced eDiscovery workflow
1 Add custodians to a case
2 Search custodial data sources for relevant data
3 Add data to a review set
4 Review and analyze data in a review set
5 Export and download case data
Configure and use Advanced eDiscovery
When working with Advanced eDiscovery, you need to create an eDiscovery case and assign users to it, using the following steps:
Step 1: Assign eDiscovery permissions to potential case members
Step 2: Create a new case
Step 3: Add members to a case
Step 4: Open your case in Advanced eDiscovery
Explore the Advanced eDiscovery workflow
After an eDiscovery case is created, follow these steps to create and run one or more Content Searches that are associated with the case to have data available to analyze in Advanced eDiscovery:
Step 1: Create and run a Content Search associated with a case
Step 2: Prepare search results for Advanced eDiscovery
Step 3: Add the search results data to the case in Advanced eDiscovery
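The case setup steps (permissions, case, members) and the first workflow step (a Content Search associated with the case) as one PowerShell sequence. This is an added example, not code from the deck; it assumes Security & Compliance PowerShell (ExchangeOnlineManagement module) and an account in the eDiscovery Manager role group, and the case name, member accounts, custodian mailbox and site URL are constructed placeholders.

```powershell
# Added example (not from the training deck): create an Advanced eDiscovery
# case, add members, and run a Content Search scoped to that case.
# Assumes Security & Compliance PowerShell; all names are placeholders.
Connect-IPPSSession

$caseName = "Project Falcon - HR complaint"
$members  = "megan.bowen@contoso.com", "lynne.robbins@contoso.com"

# Step 1: eDiscovery permissions. Members must hold an eDiscovery role;
# the eDiscovery Manager role group lets them create and run searches.
foreach ($m in $members) {
    Add-RoleGroupMember -Identity "eDiscovery Manager" -Member $m
}

# Step 2: create the case as an Advanced eDiscovery case.
New-ComplianceCase -Name $caseName -CaseType AdvancedEdiscovery `
    -Description "Investigation opened by HR; scope limited to Falcon project data"

# Step 3: add members, then confirm who can open the case.
foreach ($m in $members) {
    Add-ComplianceCaseMember -Case $caseName -Member $m
}
Get-ComplianceCaseMember -Case $caseName | Select-Object Name

# Workflow step 1: a Content Search associated with the case, scoped to one
# custodian mailbox and one site rather than the whole tenant.
$searchName = "$caseName - initial collection"
New-ComplianceSearch -Name $searchName -Case $caseName `
    -ExchangeLocation "alex.wilber@contoso.com" `
    -SharePointLocation "https://contoso.sharepoint.com/sites/falcon" `
    -ContentMatchQuery '"Project Falcon" AND (sent>=01/01/2023 OR lastmodifiedtime>=01/01/2023)'
Start-ComplianceSearch -Identity $searchName

# Wait for the estimate, then check the counts before the results are
# prepared and added to the case in the portal.
do {
    Start-Sleep -Seconds 20
    $s = Get-ComplianceSearch -Identity $searchName
} while ($s.Status -ne "Completed")
$s | Select-Object Name, Status, Items, Size
```

Scoping the search to named locations keeps the collection proportionate to the case, which is also what limits how much data later passes through the review set and export steps.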
Analyze data in Advanced eDiscovery
Analyzing data applies the following functionality to the included files:
• Identifies and organizes the loaded files into groups of unique files, duplicates, and near-duplicates
• Identifies and organizes emails into hierarchically structured groups of email threads, based on the progressive inclusiveness of the emails
• Enables the use of Themes in Advanced eDiscovery processing and file batching
Analyze data in Advanced eDiscovery (continued)
Enables you to set parameters, run options, and view the results, as follows:
• Analyze setup: Allows settings to be specified before running Analyze on the files
• Analyze results: Displays metrics of the analysis
Demo
Additional resources for Security
Contact Microsoft FastTrack for assistance setting up your organization for remote work.
https://www.microsoft.com/fasttrack
Become Microsoft 365 Certified! Earn a Security Administrator Associate certification.
https://docs.microsoft.com/en-us/learn/certifications/m365-security-administrator
You can find more free Security training modules on Microsoft Learn!