Altaro DOJO | Microsoft 365 (https://www.altaro.com/microsoft-365): Microsoft 365 and Office 365 guides, how-tos, tips, and expert advice for system admins and IT professionals. Feed last updated Mon, 14 Nov 2022 08:57:46 +0000.

Email Threats Have Never Been Bigger – 4 Key Cyber Security Report Findings
https://www.altaro.com/microsoft-365/cyber-security-report/
Published Fri, 11 Nov 2022 13:43:10 +0000

An analysis of 25 billion emails has revealed the biggest threats to M365 in 2022 and what to look out for in 2023 - here are the highlights!

The post Email Threats Have Never Been Bigger – 4 Key Cyber Security Report Findings appeared first on Altaro DOJO | Microsoft 365.

It’s on the evening news, it’s in your social media, it’s in nearly every vendor presentation you attend, and it’s the theme of most large IT conferences – security. And the security threats to M365 have never been larger. Luckily, Hornetsecurity’s Cyber Security Report 2023 is now out and contains cutting-edge research on the most critical M365 security threats.

In this article, we’ll look at the main takeaways and cyber risk management steps you should implement in your tenant to combat email threats and reduce your chances of ending up on front page news (for the wrong reasons).

If you’re in a large corporation, with supportive executives and a clear mandate to improve your cyber resilience, you probably know exactly what steps you need to take. For the rest of us, whether you’re in a large or small business, the huge wave of security advice for the cyber threat landscape can be hard to surf (apologies for the Aussie reference). What do you do first? What’s going to give you the most resilience against cybersecurity threats?

Here are the four major takeaways from the Cyber Security Report 2023.

Email threats – still the primary vector

Let’s start by looking at the different types of email security threats. There’s regular spam, enticing you to buy something, and then there’s phishing. This type of attack relies on social engineering to trick the user into clicking on a link, entering their username and password into a fake login page or opening an attachment they shouldn’t. Variants include smishing (SMS/text messages), vishing (voice messages or calls) and spear phishing, a specially crafted, targeted email threat tailored to particular recipients.

Another type of email security threat, which poses a significant risk to businesses, is Business Email Compromise (BEC). It also relies on social engineering to trick users, but here the criminal inserts themselves into a legitimate email conversation thread and, at the right moment, sends an email advising (for example) that the bank account number for the upcoming transaction has changed, of course to the criminal’s bank account. Spoofing is often part of these attacks: the email looks like it’s coming from a trusted or known sender, but there are slight changes to the domain name or sender display name that will fool a casual observer. Overall estimates (criminals don’t submit financial reports) say that BEC losses worldwide are actually outstripping ransomware costs.

The final category of email threats is malware delivery, either directly as an attachment, or tricking the user into clicking a link to download the malware, often leading to system compromise.

Here’s an example of an email threat malware attack, covered in depth in the Cyber Security Report 2023.

Email Threat - Malware attack in the QakBot campaign from the Cyber Security Report 2023

A Growing Industry

The days of a group of hackers performing every step of a compromise are long gone. Today, the cybercriminal marketplace has evolved into specialization, where each group completes a single step and then sells that to the highest bidder. So, you don’t write your own access tools, someone else does, and you buy it from them (or rent, and they take a cut from your “earnings”). You also procure a ransomware kit from someone else. And perhaps you buy your access into a victim organization from an Initial Access Broker (IAB). In this gig economy of criminality, you don’t get the whole pie for yourself, but because everyone is focused on their link in the chain, the overall efficiency is improved. And the barrier to entry is lowered considerably, inviting more players into this burgeoning “industry” of data breaches.

Also, with the move to “big game” ransomware attacks where payouts in millions of dollars aren’t unheard of, expect the criminals to do their homework on sites such as LinkedIn and ZoomInfo – they’ll know exactly what you can afford to pay once they spring their trap. And they’ll focus on targets most likely to pay, such as hospitals and critical infrastructure, whose function in society will increase the pressure to pay. Some are even state-sponsored ransomware attacks, which are generally harder to defend against.

IABs have a few different ways to gain access to your organization. They might buy credentials from a data breach and try matching emails/passwords against your Microsoft 365 tenant; it’s no secret that most users re-use their “favorite” password across personal and business accounts. Your best protection here is MFA, preferably a phishing-resistant flavor such as a FIDO2 key or Windows Hello for Business. Also, block commonly used passwords using Password Protection in Azure AD / Active Directory.

But as the report reveals, the preferred way of compromising patient zero is through Phishing. Nearly 5% of all emails in our data (25 billion emails over the year) are classified as malicious, and 40% of attacks involving emails are Phish. Send a specially crafted email to the user with an enticing attachment or an important-looking link in the email itself, and wait for the users to do your work for you. Once they enter the credentials on a fake Microsoft 365 login page (this is why you should customize backgrounds and logos so that users are more likely to stop and think when the login page doesn’t look familiar) or open the malware-laden attachment, it usually only takes minutes before the criminals use the access.

Unwanted emails by category - from the Cyber Security Report 2023

By now, it should be obvious that you need a strong and easy-to-use email hygiene solution, such as 365 Total Protection, to keep your organization and your sensitive data safe from cybersecurity threats. But technology alone isn’t enough to combat email threats; you also need to improve your “human firewalls” by training your users, another conclusion we reached in the Cyber Security Report 2023. The combination of well-trained people, secure processes (call to check with the person in the other company whenever a bank account number is altered, for example), and technology creates a cyber-resilient business. There are many cyber threats, and you can’t combat each of them individually, but you can increase your organization’s overall security defenses by combining people, processes, and technology.

We also found that brand impersonation is very common in email threats. Users are much more likely to fall for a phishing attack if the email looks legitimate, with all the right logos and text. Cyber security vulnerabilities aren’t just about technical flaws; they’re just as much about psychology and creating the right approach and culture to manage cyber risk.

Email Threat attack techniques from the Cyber Security Report 2023

Beyond Email Threats

A growing attack vector is phishing and other cybersecurity threats spreading beyond emails. The mantra for years (in the Microsoft world) has been to move collaboration, both internal and external, into Microsoft Teams. We see attacks increasing, particularly as it’s getting easier to collaborate with users outside your business in Teams.

Speaking of Teams, we also noted that the desktop app itself has some security implications, as it runs as an Electron app, and we recommend that users stick with the web version instead, where all of the modern security enhancements in browsers protect you.

A worrying trend is the shortening of exploit timelines. The gap between a cyber security vulnerability being publicly disclosed and attacks against your users and system has shortened considerably in the last few years. This increases the pressure on already strained security teams to prioritize the right systems to patch based on the level of cyber risk in your particular context. A hospital or a school will have different systems and priorities compared to a critical infrastructure provider, which will affect their security posture.

Another interesting finding in the report was the impression some IT staff have that “if it’s in the cloud, it’s secure.” Nearly 25% of staff were either unsure or thought that Microsoft 365 was immune to ransomware attacks, which it’s not. In the shared responsibility model from Microsoft (and any other cloud provider), you are responsible for your data, your endpoints, and your identity governance as part of your overall cyber risk management. A good backup solution for Microsoft 365 (including Teams data) is a must to protect against data loss and ransomware.

A Strong Defense

There are several layers in protecting against email security threats. For any email system, ensure that your Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) DNS records are in place and correct. Collectively these records help your email hygiene solutions to spot incoming spam, as well as filter out phishing scams and spoofed email threats.
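As an added example (not from the report, Hornetsecurity or Altaro), here is a small Python checker that parses SPF, DMARC and DKIM TXT records and grades the settings that most often leave a domain spoofable. The records are constructed samples for a hypothetical domain, `selector1` is an assumed DKIM selector name, and the checker works on strings so it runs offline; in practice you would feed it the TXT records you resolve for your own domain.

```python
import re

# Constructed sample TXT records for a hypothetical domain (not real DNS data).
# "selector1" is an assumed DKIM selector name.
WEAK_TXT = {
    "example.test": "v=spf1 include:spf.protection.outlook.com ~all",
    "_dmarc.example.test": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.test",
    "selector1._domainkey.example.test": "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY",
}
# The same domain after moving SPF to a hard fail and DMARC to reject.
HARDENED_TXT = {
    "example.test": "v=spf1 include:spf.protection.outlook.com -all",
    "_dmarc.example.test": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.test; adkim=s; aspf=s",
    "selector1._domainkey.example.test": "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY",
}

SEVERITY_RANK = {"ok": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
# SPF terms that each consume one of the ten DNS lookups RFC 7208 permits.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DMARC, DKIM) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags

def check_spf(record):
    """Return (severity, message) findings for an SPF TXT record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [("critical", "no v=spf1 record: receivers cannot tell which hosts may send as this domain")]
    findings, lookups, all_qualifier = [], 0, None
    for term in terms[1:]:
        term = term.lower()
        qualifier = term[0] if term[0] in "+-~?" else "+"
        name = re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)[0]
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            all_qualifier = qualifier
    if all_qualifier is None:
        findings.append(("high", "no 'all' term: unlisted senders get a neutral result instead of failing"))
    elif all_qualifier == "+":
        findings.append(("critical", "+all authorizes every host on the internet to send as this domain"))
    elif all_qualifier == "?":
        findings.append(("high", "?all is neutral: spoofed mail neither passes nor fails SPF"))
    elif all_qualifier == "~":
        findings.append(("medium", "~all only softfails; move to -all once DMARC reports show every legitimate sender is listed"))
    else:
        findings.append(("ok", "-all: mail from unlisted hosts fails SPF"))
    if lookups > 10:
        findings.append(("critical", f"{lookups} lookup terms exceed the RFC 7208 limit of 10: receivers return permerror"))
    return findings

def check_dmarc(record):
    """Return findings for a _dmarc TXT record."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return [("critical", "no DMARC record: receivers have no policy for mail failing SPF/DKIM alignment")]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "reject":
        findings.append(("ok", "p=reject: unaligned mail is refused"))
    elif policy == "quarantine":
        findings.append(("medium", "p=quarantine: spoofed mail goes to junk instead of being rejected"))
    elif policy == "none":
        findings.append(("high", "p=none is monitoring only: spoofed mail is still delivered"))
    else:
        findings.append(("critical", f"missing or invalid policy tag p={policy!r}"))
    if "rua" not in tags:
        findings.append(("medium", "no rua= address: you receive no aggregate reports showing who sends as your domain"))
    return findings

def check_dkim(record):
    """Return findings for a selector._domainkey TXT record."""
    if not record.strip():
        return [("critical", "no DKIM key published for this selector: outbound mail cannot be signed with it")]
    tags = parse_tags(record)
    if tags.get("v", "DKIM1").upper() != "DKIM1":
        return [("critical", f"unexpected DKIM version tag v={tags['v']}")]
    if not tags.get("p"):
        return [("critical", "empty p= tag: the key is revoked, so signatures made with it fail")]
    return [("ok", "DKIM public key published")]

def assess(domain, txt_records, selector="selector1"):
    """Grade one domain; txt_records maps a DNS name to its TXT value."""
    result = {
        "spf": check_spf(txt_records.get(domain, "")),
        "dmarc": check_dmarc(txt_records.get(f"_dmarc.{domain}", "")),
        "dkim": check_dkim(txt_records.get(f"{selector}._domainkey.{domain}", "")),
    }
    worst = "ok"
    for findings in result.values():
        for severity, _ in findings:
            if SEVERITY_RANK[severity] > SEVERITY_RANK[worst]:
                worst = severity
    result["worst"] = worst
    return result

if __name__ == "__main__":
    for label, records in (("weak", WEAK_TXT), ("hardened", HARDENED_TXT)):
        report = assess("example.test", records)
        print(f"{label}: worst={report['worst']}")
        for kind in ("spf", "dmarc", "dkim"):
            for severity, message in report[kind]:
                print(f"  {kind:<5} {severity:<8} {message}")
```

The point the checker makes is that a record merely being present is not enough: `~all` and `p=none` are monitoring-phase settings, and the weak set is graded "high" while the hardened set passes. Tighten them once the DMARC aggregate reports (the `rua=` address) show that every legitimate sender is covered, and keep the SPF lookup count under ten or receivers will discard the record entirely.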

A good email hygiene solution should integrate seamlessly with Exchange Online. For any email threat that does slip through, frequent and easy-to-digest user awareness training and simulated phishing attacks increase the resiliency of your end users against falling for the threat actor’s tricks.

And finally, if an email threat gets through these layers and starts a compromise or attack, a good backup solution for all your critical data gives you a way to recover, should it be necessary.

Read the Full Report

In this article, we’ve only scratched the surface of the Cyber Security Report 2023 and what you should do about email security threats to increase your security posture. The full report goes deep into the statistics, cyber risk, and also covers other predictions and advice for time-poor IT and security staff. Enjoy reading it!

Cyber Security Report 2023 Download

Protecting your data in M365 with Information Protection
https://www.altaro.com/microsoft-365/m365-information-protection/
Published Fri, 26 Aug 2022 14:37:27 +0000

Data is your most important asset. Learn how built-in tools in M365 identify, protect, encrypt and manage data across the cloud and on-prem.

A few years ago, the expression was “data is the new oil” and that might be true but when it comes to your organization’s documents stored in the cloud, I think a more apt description would be “data is radioactive”. Yes, you can do good things with it (generate electricity) but it’s dangerous stuff and you shouldn’t keep it around for longer than you need to.

For most IT pros, data security is NTFS, share permissions and SharePoint access levels. It turns out that doesn’t work so well anymore: even when documents are stored in OneDrive for Business, SharePoint and Exchange Online, they don’t stay there. They’re shared via Teams, via third-party collaboration and cloud storage services, via email, and even stored on USB sticks now and then. And when everyone is working from home, or anywhere, you quickly lose what little control you used to have over where these documents are and who has access to them.

This is a serious problem, for businesses both big and small, that I think is going to come much more into focus over the next few years. But there are actually technical solutions to this, which you may already be licensed for but are not using today, in the form of Microsoft Information Protection, sometimes called Azure Information Protection. This article will show you how it works, how to start using it, how to make sure the business is on board and what you can do at the different licensing levels.

The Basics

Before we talk about protection, let’s talk about labelling, the foundation of M365 Information Protection. A document is labelled with a classification, such as “Sensitive” or “Highly Confidential”, and this label follows it wherever it goes. Then you apply policies that say, for instance, that “Public” documents aren’t protected at all, but “Highly Confidential” ones have a watermark applied on each page (or a footer or a header), are encrypted, and require the user to designate the specific internal or external users that should have access. The label names are up to you (with some suggestions offered); you can have different labels scoped to different groups and nested labels such as “Highly Confidential/All employees” and “Highly Confidential/Executives”. Again, the protection follows the document: the recipient must prove who they are at the time of access, and is either given a few days’ grace period after the initial authorization to access the document offline or has to authenticate every single time. Access can be time-limited and specific permissions can be assigned, such as read-only or no printing. For emails, you can apply Do not forward, no printing etc. Many file types are supported out of the box, including the Office formats and PDF, with third-party add-ins on offer to protect CAD engineering files, for instance.

Microsoft 365 E3 and Business Premium offer manual labelling of documents, relying on staff training (more below) and judgement, whereas Microsoft 365 E5 can automatically identify sensitive information and label documents for you.

Rather than relying on where a document is stored (file share, cloud storage, USB stick etc) and trying to control access there, M365 Information Protection embeds the protection in the document itself. This means that if you try to open a protected/encrypted document in a third-party application instead of Microsoft Office or a compatible PDF reader (Adobe Reader works), it won’t open.

Note that this isn’t an anti-hacker technology, it’s a way to ensure control over documents and help good people do the right thing. If I have read access to a document and I’m determined to steal the content I can take photos of it with my smartphone, pop my laptop on the photocopier and hit print or simply memorize the information. None of those actions can be claimed to be accidental if you’re caught though, whereas if you have no information protection in place, you don’t even know if a copy of the text is pasted into another file or forwarded to a personal email address.

A building block of M365 Information Protection is Sensitive Information Types (SITs), built-in patterns for spotting different types of data. At the time of writing there are 264 types, including classics such as credit card and SWIFT codes, plus bank account, passport and identification card numbers for many different countries in the world. There are also more recent additions such as IP addresses, disease IDs, names and physical addresses, Azure Storage Account keys and many, many others. You can also create your own SITs for organization-specific terms.

Data classification dashboard

For more complex document types, where a string of numbers and corroborating keywords aren’t sufficient (16 digits in groups of four, with words such as CC or MasterCard next to it), you can use Trainable classifiers, which rely on Machine Learning models to identify data. There are 19 built-in ones (for English; 49 in total when Japanese, German, French etc. are included) for: Agreements, Finance, HR, Intellectual Property, Legal, Resume, Source Code, Profanity, Targeted Harassment and Threats, plus several others.

If you have E5 licensing you can also create your own by feeding it many documents of the type you’re seeking to classify (Australian Legal Contracts for example) and then refine the model by feeding it the right kind of documents, as well as wrong ones, and manually marking each batch when it gets it right and wrong. When the model is accurate enough you can publish it to your tenant and then use it in your policies.

If you have a database of terms or codes (say employee IDs, or project numbers) you can use Exact Data Match (EDM) to spot these when they show up in documents or emails.
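To show how the pattern-plus-evidence approach of a SIT and the hashed-list approach of EDM work in practice, here is an added Python example (not Microsoft’s implementation and not code from the article). The credit card detector combines the 16-digit pattern, the Luhn checksum and supporting keywords within a proximity window to assign a confidence level; the EDM-style matcher compares salted hashes of tokens against a hashed list, so the sensitive values themselves are never stored in the clear. The sample text, employee IDs, salt, `EMP-` ID format and the 60-character window are all constructed for the example; the two card numbers that pass the checksum are the widely published Visa and Mastercard test numbers.

```python
import hashlib
import re

# Constructed sample text. The two card numbers that pass Luhn are the well-known
# Visa and Mastercard test numbers; the other 16-digit string fails the checksum.
SAMPLE_TEXT = (
    "Order id 5555555555554444 confirmed.\n"
    "Reference 1234 5678 9012 3456 is the shipment tracking code.\n"
    "Please charge my credit card 4111 1111 1111 1111, expiry 09/27.\n"
    "Employee EMP-104233 approved; EMP-999999 is not on file.\n"
)

CARD_PATTERN = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")
# Corroborating words a SIT looks for near the pattern (lower-case).
CARD_KEYWORDS = ("credit card", "card number", "cc#", "visa", "mastercard", "amex", "expiry", "cvv")

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_credit_cards(text, window=60):
    """Return matches with a confidence level: pattern plus checksum alone is
    'medium'; a keyword inside the proximity window raises it to 'high'."""
    hits = []
    for m in CARD_PATTERN.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if not luhn_ok(digits):
            continue  # a 16-digit string that is not a card number
        context = text[max(0, m.start() - window): m.end() + window].lower()
        evidence = [k for k in CARD_KEYWORDS if k in context]
        hits.append({
            "match": m.group(),
            "digits": digits,
            "confidence": "high" if evidence else "medium",
            "evidence": evidence,
        })
    return hits

# EDM-style exact match: the sensitive list is kept only as salted hashes.
EMPLOYEE_ID = re.compile(r"\bEMP-\d{6}\b")   # constructed ID format
SALT = "constructed-demo-salt"                # constructed; keep a real salt secret
EMPLOYEE_IDS = ["EMP-104233", "EMP-558201"]   # constructed values

def _hash(value, salt):
    """Normalise then hash, so 'emp-104233 ' and 'EMP-104233' match the same entry."""
    return hashlib.sha256((salt + value.strip().upper()).encode("utf-8")).hexdigest()

def build_edm_index(values, salt):
    return {_hash(v, salt) for v in values}

def find_edm_matches(text, index, salt):
    return [m.group() for m in EMPLOYEE_ID.finditer(text) if _hash(m.group(), salt) in index]

if __name__ == "__main__":
    for hit in find_credit_cards(SAMPLE_TEXT):
        print(hit)
    print(find_edm_matches(SAMPLE_TEXT, build_edm_index(EMPLOYEE_IDS, SALT), SALT))
```

On the sample, the first number is detected at medium confidence (checksum only), the second is discarded by the checksum, and the third is high confidence because “credit card” and “expiry” sit inside the window; the EDM index matches only the ID that is on the list. The same three ingredients (primary pattern, checksum or format validation, and supporting evidence within a distance) are what you tune when you build a custom SIT, and false positives like the “Diseases” hit mentioned below are usually fixed by tightening the evidence rather than the pattern.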

To see the SITs and other sensitive information types, go to compliance.microsoft.com, log in with an administrator account and go to Data classification in the menu on the left.

But how do you know what sensitive data you’ve already got in your tenant, so you know where to start? That’s where Content explorer comes in, as long as you’ve been assigned the extra roles (on top of Global Admin) of Content Explorer List Viewer and Content Explorer Content Viewer, you can browse and see what’s already stored in your tenant. Here’s my tenant:

Content Explorer in M365 Information Protection

As you can see there are lots of names across email and OneDrive for Business which makes sense, as does Australian Business Number, while the Diseases identification is a false positive. I can then drill down to individual documents and if I have the Content Viewer role, I can even preview the documents themselves (obviously be careful with this permission). This should give you a good starting point for understanding what sensitive data you have stored.

Documents identified in Content Explorer

Activity Explorer on the other hand shows you what users are doing with documents and when you start using labels and protections, and how they’re being used.

Activity Explorer in M365 Information Protection

Nowadays it’s not just files and emails that can be labelled; you can also apply your classifications to SharePoint sites and M365 groups (this is in preview at the time of writing and requires manual steps to enable). Note that today this doesn’t mean that the documents inside those containers are automatically labelled (container labels don’t work like NTFS permissions, in other words); it means that you can control the external sharing of documents from those locations.

Finally, you can also apply M365 Information Protection labels and policies to data other than documents, using Microsoft Purview (up until very recently called Azure Purview). This extends the whole concept of labels to databases (SQL, Cosmos DB, Amazon RDS, Cassandra, DB2, Google BigQuery and others), cloud storage and data lakes etc.

Scoping a sensitivity label in M365 Information Protection

Applying the labels

OK, you have worked out what labels to use (see below), at least for your first pilot project. Now you need to create your policies to actually apply them. Still in the compliance portal, go down to Solutions – Information protection. Here you create your labels, based on the SITs and other classification options covered above, and then publish them using Label policies.

Pick the label(s) to publish and scope it to users and groups (you can select All for a companywide policy) and then select policy settings.

Policy settings for a Sensitivity label policy

Here you can require users to provide a business justification when removing a label or lowering it to a less sensitive one, require users to always apply a label (be very careful with this setting, see below), require labelling for Power BI content and offer a link to a custom, in-house help page. Make sure that you give your policy a descriptive name that fits neatly into the flyout under the button in the Office apps, and a longer description as well. This might seem trivial but is actually crucial in helping users understand what label to use for each type of content.

Realistically though, asking users to manually label documents and emails (hopefully without enforcing it) is only going to take you so far, and only with new documents. To really get a handle on labelling across all your data, you must use Auto-labeling policies. These are available in E5 licensing (for a good breakdown of what’s available in each licensing tier – see here).

These will scan through existing documents in OneDrive for Business and SharePoint Online and label documents based on the sensitive data found, optionally applying markings and encryption according to your label settings. When you first create one you can run it in simulation mode to ensure that it’s going to work as you expect.

If you have documents on-premises, in file shares / SharePoint server, you can use the Azure Information Protection scanner to do the same for all that data. Managed from the cloud, once the agents are deployed on-premises they will scan SMB or NFS (preview) shares and SharePoint 2013 to 2019 servers.

Another important step to take is to designate a group of highly trusted users as super users, so that they can decrypt documents that were protected by an end user who’s no longer with the company, for instance.

I haven’t gone into it, but M365 Information Protection has had many names over the years so if you see references to Azure Information Protection, Azure Rights Management Services etc. in essence they’re all talking about the same thing. The current product is also unified within Microsoft 365 and the client agent is built into Apps for Business / Apps for Enterprise, which the rest of the world calls Office – i.e., Word, Excel and so forth on your desktop, on a smartphone or the web version in a browser.

Working with the business

This is the most important part of this article – the technology isn’t the crucial bit, even though it’s cool – it’s engaging with the rest of the business. Successfully implementing M365 Information Protection in your business relies on you being able to get executive sponsorship – it’s got to be something that the business leaders understand and see as aligned to business outcomes. If it’s something IT is trying to “enforce” for compliance reasons on their own, it’s unlikely to succeed.

After the executives are onboard, and lead by example (as they often handle the most sensitive data in the business) you need to train your users. Start small, perhaps with a group of users in the legal, finance or HR department, who understand the need more than other staff. Gather feedback and really understand how adding extra steps to their daily workflow impacts productivity. Make sure that the labels are crystal clear and that there are as few of them as possible.

When you first start out, especially in a large business, you can end up with dozens of labels, with each department insisting that their Highly Confidential classification is different than in another department. Be ruthless – to have any chance of success you must get everyone to agree on a small set of labels that are clear to everyone. If required you can have different labels for different groups of users, just be aware of the potential management and maintenance overhead. Just like file permissions can be straightforward on a new file server, over time minor changes and exceptions can make maintenance hard, so plan for quarterly meetings to go back over labels and usage and impacts in the business to ensure that you can adjust as M365 Information Protection is more and more adopted by the organization (Activity Explorer really helps with this).

Also – make it fun! Have competitions to see who can label as many documents as possible, or who used the most labels in a week.

To properly protect your Microsoft 365, use Office 365 backup by Altaro to securely backup and replicate your crucial Microsoft Office 365 data. We work hard perpetually to give our customers confidence in their Office 365 backup for MSPs strategy.

To keep up to date with the latest Microsoft best practices, become a member of the Altaro DOJO | Microsoft 365 now (it’s free).

Conclusion

M365 Information Protection ties in nicely with several other governance features such as Data Loss Prevention (DLP), now available on Windows and macOS endpoints as well as in the cloud. It’s also related to Retention policies and Records management and is part of an overall strategy to secure your Microsoft 365 tenant.

As you can appreciate, Information Protection is a huge area of Microsoft 365 and one that is constantly evolving, a good place to catch the latest as well as ask questions is the Information Protection public Yammer community.

How will Microsoft Entra Change your Identity Security?
https://www.altaro.com/microsoft-365/microsoft-entra-identity-security/
Published Fri, 12 Aug 2022 12:46:34 +0000

Announced at Build 2022, could Microsoft Entra be a gamechanger for identity security? In this article, we give Entra a deep dive to find out.

Out of the blue, and after the Build conference, Microsoft released a “new” service called Entra. In this article, we’ll look at what it is, why you should care and how it’s going to change how you do identity security.

It’s been said many times, by many security pundits over the last few years: “identity is the new perimeter”, “identity is the new firewall”, and strong identity authentication is a cornerstone of a Zero Trust strategy. And certainly Azure Active Directory (AAD), as Microsoft’s central identity directory, has been adding more and more security features over the last few years, and indeed AAD is one third of Entra.

The second part is Microsoft Entra Permissions Management (MEPM? EPM?), based on the recent CloudKnox acquisition and finally, there’s Microsoft Entra Verified ID for decentralized identities.

Let’s dig into what each of these offers and why you should consider using them.

Incidentally, if you’re wondering about the name, it’s an allusion to Entrance / gaining entry and it ties in with two other name changes a little while ago – all the privacy-focused services in Microsoft 365 are now under the “Priva” name and all the compliance features are under the Purview name.

Microsoft Entra Permissions Management

This cloud-based service is a Cloud Infrastructure Entitlement Management (CIEM) solution. It’s multi-cloud and can be connected to Azure’s, AWS’s and GCP’s cloud identity and permissions systems. The basic premise is that there are so many permissions (40,000 across the three clouds, according to Microsoft) that it’s impossible to track them manually to ensure that each assignment follows least privilege. Instead, EPM (I’m going to stick with that) gives you a Permissions Creep Index (PCI), showing you the difference between assigned permissions and used permissions for each user account, workload, or group. You can then easily right-size permissions to exactly the ones required, lowering the gap between assigned and used permissions. There’s also an option to request permissions for those one-off situations where an administrator needs higher permissions for a particular task.
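To make the assigned-versus-used comparison concrete, here is an added Python example (not Microsoft’s PCI implementation and not from the article) that computes a simplified creep index per identity from a constructed permission assignment and a constructed activity log: a permission not exercised inside the review window counts as unused, and the right-sized assignment keeps only what was used. Identity and permission names are made up rather than real Azure, AWS or GCP actions, and the 0–100 score is simply the unused fraction; Microsoft’s real index is not this formula.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data: identities and permission names are invented.
ASSIGNED = {
    "svc-backup": {"storage.read", "storage.write", "storage.delete",
                   "keyvault.secrets.get", "vm.restart"},
    "alice-admin": {"vm.restart", "vm.delete", "network.rules.write"},
}
NOW = datetime(2022, 8, 12, tzinfo=timezone.utc)
# (identity, permission, when it was last exercised), as a cloud activity log records it.
ACTIVITY = [
    ("svc-backup", "storage.read", NOW - timedelta(days=1)),
    ("svc-backup", "storage.write", NOW - timedelta(days=3)),
    ("svc-backup", "storage.delete", NOW - timedelta(days=200)),  # outside a 90-day window
    ("alice-admin", "vm.restart", NOW - timedelta(days=40)),
]

def used_permissions(activity, window_days, now):
    """Map identity -> set of permissions exercised within the window."""
    cutoff = now - timedelta(days=window_days)
    used = {}
    for identity, permission, when in activity:
        if when >= cutoff:
            used.setdefault(identity, set()).add(permission)
    return used

def creep_report(assigned, activity, window_days=90, now=NOW):
    """Per identity: counts of assigned and used permissions, the unused ones,
    and a 0-100 index (share of assigned permissions never used in the window)."""
    used = used_permissions(activity, window_days, now)
    report = {}
    for identity, granted in assigned.items():
        exercised = used.get(identity, set()) & granted
        unused = sorted(granted - exercised)
        report[identity] = {
            "assigned": len(granted),
            "used": len(exercised),
            "unused": unused,
            "index": round(100 * len(unused) / len(granted)) if granted else 0,
        }
    return report

def right_size(assigned, report):
    """The assignment each identity would keep if trimmed to what it actually used."""
    return {identity: sorted(assigned[identity] - set(report[identity]["unused"]))
            for identity in assigned}

if __name__ == "__main__":
    report = creep_report(ASSIGNED, ACTIVITY)
    for identity, row in report.items():
        print(f"{identity}: index={row['index']} unused={row['unused']}")
    print(right_size(ASSIGNED, report))
```

Note that a permission last used just outside the window (the `storage.delete` entry) is reported as unused, which is exactly the kind of case to review by hand before trimming: a quarterly or yearly task looks idle for most of the year, and the request-on-demand option mentioned above is the way to cover it without leaving it permanently assigned.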

Currently, EPM is in public preview, and you can try it out by following the instructions here.

I set it up for one of my clients (who are only using Azure) and it’s fairly straightforward to get started with. Obviously, it’ll have the most appeal for larger businesses with many administrators, especially when they’re using two or three clouds. The problem EPM helps address is definitely an issue (ever heard of a breach of a cloud instance due to lax permissions?) and it’s nearly impossible to do manually. Having this automated tool gives you a visual way to see the gap between granted and used permissions, and that’s very helpful:

Permission Creep Index heatmap

EPM is free during the preview – note that it’s not GDPR compliant at the moment and hence is not available in the EU, something that Microsoft will fix before it becomes generally available.

Azure Active Directory

Take a deep breath… your cheese is about to be moved – the Azure AD portal is going to go away (I suspect). It’ll be replaced with the new Entra portal:

Microsoft Entra portal

Currently, this portal is in preview but eventually, it’ll be the home for all identity-based UI actions. On the left we have the three pillars of Entra, starting with AAD. Predictably, there are a lot more blades under AAD, which mirrors most of the options in the current (legacy? classic?) portal.

Azure Active Directory Menu

Although it’ll take some time to re-learn where everything is, I do feel like this is a cleaner and more logical layout (although that’s often true when you make something new, and then as more features are added over time, more menu options show up and it gets messy again).

If you’re used to the current Azure AD portal there are no real surprises here, the External identities area for instance has links to the new Cross-tenant access settings and External collaboration settings. Once you open one of these blades it’s the same menu layout as in the AAD portal. Interestingly, Sign-in, Audit and Provisioning logs are now under Monitoring & health, and under Hybrid management, we find Azure AD Connect Health monitoring, including Active Directory DC monitoring.

Active Directory monitoring in the Entra portal

Another recent addition to Entra is protection for workload identities. Up until now, there’s been a strong focus on user identity (MFA, passwordless) but less so on application/automation/service, i.e., workload identity. This was brought into sharp focus in the SolarWinds hack, as the Russians used these types of identities to further compromise their victims. Sometimes you’ll see these types of identities being referred to as non-human, which always makes me think of Klingons and Vulcans, but that’s probably just me.

For user identities we have Identity Protection in Azure AD (Premium P2), which uses Machine Learning to identify anomalous behavior of user accounts and of each sign-in; this is now extended to workload identities as well. Furthermore, we have Access Reviews, where group owners or the users themselves regularly attest that they still need a particular permission; again, this is now available for applications (by designated reviewers). Finally, Conditional Access is also available for workload identities.

Conditional Access Policy for workload identities

There’s another preview currently for Lifecycle workflow, which manages the whole lifecycle of joining an organization, changing roles, and then eventually leaving through entitlement management.

Verified ID

This is possibly the part of Entra that’s going to have the most impact on your work as an IT Pro going forward (it’s also in preview at the moment). It’s the result of a technology that Microsoft has been talking about for a few years now – decentralized identity.

Today our identity is “owned” to a large extent by tech giants (Google, Microsoft, Apple and Facebook); many users simply use a Facebook account to sign in to sites and services, for example. But you’re not in control of your identity and you can’t control exactly what data about you is being shared with various sites and services. On the business side (where Verified ID as part of Entra sits), think of the challenges of new hires joining your organization. How do you identify them, what documents do they need to show your HR department (and how do you do that in a work-from-home setting where they’re not physically present) and how do you authenticate those documents?

Setting up Verified ID in the Entra portal

Imagine instead if they had a verifiable identity that they could share with you, with exactly the right information you need (and no more) and that you could trust that identity because it’s cryptographically secured. That, in a nutshell, is verifiable identity. There are many other scenarios such as access to high-value resources and self-service account recovery where a strong identity would be beneficial. Microsoft has a click through site that steps through an employee onboarding scenario, demonstrating the power of verifiable credentials, and showing how much easier it is than today’s manual processes.

The current preview allows you to both issue and verify identities. The setup is fairly straightforward: you need to create an Azure Key Vault to store signing keys etc. and you need to register an app in Azure AD.

Create a key vault for verified ID

There are currently several verifiable credential organizations supported, such as Acuant, Clear, Jumio and others, covering 192 countries and over 6000 different types of identification documents.

Conclusion

The cynic in me looks at this new portal and wonders if it’s a subtle way of “selling” the new CIEM solution – although the final licensing cost hasn’t been announced yet, we know it’s not going to be part of Microsoft 365 E5 or Azure AD Premium P2 licensing. By moving everyone to the Entra portal, more users will be exposed to Permissions Management, be curious as to what it can do and eventually become paying customers. But maybe that’s too cynical a view; maybe having one portal for identity, one for security and one for compliance makes sense.

No matter what, Entra is here (at least in preview), it’ll change some of your processes around workload identities, permissions management across clouds and how you onboard new hires, plus other areas where decentralized identities will make your life easier. It’s exciting and I can’t wait to see these services come out of preview, so we get a clearer picture of the licensing cost, scope etc.

The post How will Microsoft Entra Change your Identity Security? appeared first on Altaro DOJO | Microsoft 365.

Your Microsoft 365 Security Questions Answered
Published Wed, 06 Jul 2022 17:23:34 +0000 (https://www.altaro.com/microsoft-365/m365-security-questions/)
At an IT pro event for M365 security a wide range of crucial security questions were asked. All the answers are collected right here!

Few areas of technology garner more questions than those questions centered around security, except maybe licensing. Pair that with the fact that features in Microsoft 365 are relatively new to the industry, depending on the feature, and you’ve got a number of administrators who find themselves in a place where there are knowledge gaps to fill. We’ve gathered several common M365 security questions in this post to hopefully help those IT pros who find themselves in this position. If you have other questions not covered in the list below, feel free to use the questions form and we’ll be sure to get back with you!

Watch the M365 Security Webinar

In case you’re wondering where this list of questions comes from, we hosted a webinar on this very topic. This list of questions was curated from questions asked during two live sessions. You can now watch the M365 Security Configurations webinar on-demand.

Also, if you prefer your security content in book form, we’ve got an excellent eBook on this topic here!

The questions

Is it worth implementing the legacy per-user MFA in Azure AD?

There are two ways to enable MFA in Office / Microsoft 365. The first is the legacy interface, where MFA is simply enabled on a per-user basis. This requires no additional licensing (all versions of Azure AD can do it), but you have very little flexibility: about the only option is to have the MFA status remembered for X days on a device where the user successfully completed MFA. The second way is Conditional Access policies, which let you customize the requirement based on the groups the user is a member of, the device they’re coming from and the application they’re accessing. You can fine-tune it so that users have to do MFA every time for very sensitive applications, while rarely being prompted for day-to-day access. The second method is of course preferable, but Conditional Access policies require Azure AD Premium P1 (or P2) licensing.

If you have no other option, using per-user MFA instead of relying on just username and password is vastly preferable and will make your organization much more secure.


Any hints on identifying/filtering for actual credit card numbers?

(question continued) We have a number of trades customers and it sure seems like part numbers in the construction industry look to Microsoft like they are credit cards.

The credit card Sensitive Information Type (SIT) doesn’t just look at four groups of four digits; it also takes into account adjacent information to increase the confidence that it is really a credit card number.

Also, we would create a custom SIT for the part numbers, so that they don’t get confused with credit card numbers. But we do understand that it’s not easy and that false positives will happen.
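A custom SIT for part numbers, defined as a Purview rule package and uploaded with Security & Compliance PowerShell, as an added example (not from the article or from Microsoft). The part-number format (CNST-1234-5678), the keywords and the publisher name are constructed for this example; the GUIDs are generated at run time.

```powershell
# Added example (not from the article): define a custom Sensitive Information Type for
# construction part numbers and upload it as a rule package to Microsoft Purview.
# Assumptions (constructed): part numbers look like "CNST-1234-5678"; keyword terms and
# the publisher name are placeholders. Requires the ExchangeOnlineManagement module and
# a role that can manage DLP sensitive information types.
Connect-IPPSSession   # Security & Compliance PowerShell

$rulePackId  = (New-Guid).Guid
$publisherId = (New-Guid).Guid
$entityId    = (New-Guid).Guid

$rulePackXml = @"
<?xml version="1.0" encoding="UTF-8"?>
<RulePackage xmlns="http://schemas.microsoft.com/office/2011/mce">
  <RulePack id="$rulePackId">
    <Version major="1" minor="0" build="0" revision="0"/>
    <Publisher id="$publisherId"/>
    <Details defaultLangCode="en-us">
      <LocalizedDetails langcode="en-us">
        <PublisherName>Contoso Trades (placeholder)</PublisherName>
        <Name>Contoso Part Number Rule Pack</Name>
        <Description>Custom SIT for construction part numbers</Description>
      </LocalizedDetails>
    </Details>
  </RulePack>
  <Rules>
    <!-- patternsProximity: supporting evidence must sit within 300 characters of the match,
         the same "adjacent information" idea the built-in credit card SIT relies on -->
    <Entity id="$entityId" patternsProximity="300" recommendedConfidence="85">
      <!-- High confidence: part number plus a supporting keyword nearby -->
      <Pattern confidenceLevel="85">
        <IdMatch idRef="Regex_contoso_part"/>
        <Match idRef="Keyword_contoso_part"/>
      </Pattern>
      <!-- Medium confidence: part number on its own -->
      <Pattern confidenceLevel="65">
        <IdMatch idRef="Regex_contoso_part"/>
      </Pattern>
    </Entity>
    <!-- Constructed format: prefix, dash, four digits, dash, four digits -->
    <Regex id="Regex_contoso_part">\bCNST-\d{4}-\d{4}\b</Regex>
    <Keyword id="Keyword_contoso_part">
      <Group matchStyle="word">
        <Term>part number</Term>
        <Term>SKU</Term>
        <Term>item no</Term>
      </Group>
    </Keyword>
    <LocalizedStrings>
      <Resource idRef="$entityId">
        <Name default="true" langcode="en-us">Contoso Part Number</Name>
        <Description default="true" langcode="en-us">Construction part numbers (custom SIT)</Description>
      </Resource>
    </LocalizedStrings>
  </Rules>
</RulePackage>
"@

# Upload the rule package; Purview validates the XML and creates the SIT.
$bytes = [System.Text.Encoding]::UTF8.GetBytes($rulePackXml)
New-DlpSensitiveInformationTypeRulePackage -FileData $bytes

# Confirm the new SIT is listed next to the built-in credit card type.
Get-DlpSensitiveInformationType |
    Where-Object { $_.Name -like 'Contoso*' -or $_.Name -eq 'Credit Card Number' } |
    Select-Object Name, Publisher
```

Once the SIT exists, use it in a DLP policy (or a test of the policy in simulation mode) so that documents matching the part-number pattern are classified as part numbers rather than only as credit card candidates.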


Do you have any recommendations on implementing MFA for an organization?

The technical side of the question is easy and well documented. That said, it’s usually the human side of MFA implementation that goes wrong. Our best suggestion is to communicate heavily with your end-users and to conduct A LOT of planning and prep work up front. MFA only keeps you secure when you have the users’ cooperation and understanding of what to do AND what not to do.


Do alert policies for SharePoint require AAD Plan 2?

No, most types of alert policies are available at all licensing levels, including SharePoint external (or internal) sharing alerts. There are some advanced alerts, primarily security related, that require E5 licensing. You can read more about alert policies here: https://docs.microsoft.com/en-us/microsoft-365/compliance/alert-policies?view=o365-worldwide.


Do we need Azure AD Plan 2 for all users of the tenant or only admins who manage them?

To use Privileged Identity Management (PIM) you only need it for administrators but there are many advanced security features that are “unlocked” with AAD P2 licensing that might be desirable to have for all users, depending on your organization’s risk appetite, third party service usage etc.


Does Conditional Access make a distinction between enabled/enforced for MFA?

If you have a Conditional Access (CA) policy setting that requires a user to perform MFA to access a particular application, and that user is not enabled for MFA yet, they’ll automatically be redirected to the registration page to complete that process first. And you can definitely have CA policies that enforce MFA for every access to a particularly sensitive application.


How do you create a block legacy authentication policy in Conditional Access?

There is a pre-existing policy template in the Conditional Access wizard that simplifies the creation of the policy. Take a look at the template and deploy it with the wizard once you’re ready to proceed.
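The same policy built from the command line with Microsoft Graph PowerShell, as an added example (not from the article or from Microsoft's template itself). It assumes the Microsoft.Graph modules are installed, the signed-in account can manage Conditional Access and read sign-in logs, and the break-glass account object ID is a placeholder.

```powershell
# Added example (not from the article): create a "block legacy authentication" Conditional
# Access policy with Microsoft Graph PowerShell. Starts in report-only mode so the sign-in
# log shows what WOULD be blocked before you enforce it.
# Assumptions: Microsoft.Graph module installed; break-glass account ID is a placeholder.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Reports
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'AuditLog.Read.All'

$breakGlassAccountId = '00000000-0000-0000-0000-000000000000'   # placeholder object ID

$policy = @{
    displayName = 'Block legacy authentication'
    # Report-only first; switch to 'enabled' once the sign-in review below is clean.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        # Basic-auth protocols (POP, IMAP, SMTP AUTH, older Office clients) are evaluated
        # as these two client app types.
        clientAppTypes = @('exchangeActiveSync', 'other')
        applications   = @{ includeApplications = @('All') }
        users          = @{
            includeUsers = @('All')
            excludeUsers = @($breakGlassAccountId)   # always exclude emergency access accounts
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Review: which accounts signed in with legacy clients over the last 7 days? These are the
# users (and service accounts, such as scanners) that will break once the policy is enforced.
$since = (Get-Date).ToUniversalTime().AddDays(-7).ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.ClientAppUsed -notin @('Browser', 'Mobile Apps and Desktop clients') } |
    Group-Object UserPrincipalName, ClientAppUsed |
    Select-Object Count, Name |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```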


I’ve had issues with external guests having “contributor” permission. Help!

(question continued) They can open an Excel file we have given them permission to view, but embedded links to allowed documents within the Excel file cannot be opened and instead show an error that they should “ask permission”. Is this a known issue with external guests and non-member access in SharePoint sites?

This article gives some troubleshooting steps to follow for SharePoint external file sharing: https://docs.microsoft.com/en-us/sharepoint/troubleshoot/sharing-and-permissions/error-when-external-user-accepts-an-invitation-by-using-another-account. Also, please check whether you have the SharePoint sharing setting set to “New and existing guests” or to “Existing guests only”.


When do I use an inverse policy?

(question continued) If you create a new CAP and it allows access based on specific conditions, is it recommended to create a converse block policy in conjunction to explicitly block access that doesn’t fit the allow conditions?

When created properly, the initial policy should be enough to block unwanted access, so you shouldn’t have to create an inverse policy.


If you’ve already set up SharePoint sites with a logo et al. branding, do the settings in Entra override them?

No, Entra is just another view into the existing Azure AD portal settings and blades so the settings should be visible / in sync between the two of them.


Is there specific Microsoft (or other) training you would recommend for security personnel who may be relatively new to the Azure/M365 environment?

Microsoft Learn paths are fantastic and they’re free. We would suggest then preparing for the AZ-500, MS-500 and / or the SC-200, SC-300 and SC-400 exams, all of which have learning paths here: https://docs.microsoft.com/en-us/learn/.


What are your ideas to confront phishing email from common domains like Gmail, Yahoo, Outlook, Hotmail, etc.?

We would use the anti-phishing policies in HornetSecurity 365 Total Protection (or use the native ones in Exchange Online Protection).


What do you suggest if MFA is not applicable for any account used for some services or software

(question continued) for example, sending a scan from printer/scanner to e-mail, sending backup reports to e-mail, or sign in into software, etc.?

We would suggest auditing those accounts closely and limiting their access, i.e. “this account can send PDF scanned files from this device via email, but only if the connection comes from your public IP address”.
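One way to implement that exact restriction for a scanner mailbox, as an added example (not from the article): SMTP AUTH enabled on that one mailbox only, every other protocol switched off, and a Conditional Access policy that allows the account only from the office public IP range. The mailbox address, its object ID and the 203.0.113.0/24 range are placeholders.

```powershell
# Added example (not from the article): lock down a scanner/service mailbox that cannot use
# MFA to the single protocol it needs, and to the organization's public IP address.
# Assumptions (placeholders): mailbox address, object ID and the IP range are invented.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-ExchangeOnline
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$scannerUpn      = 'scanner@contoso.example'                  # placeholder
$scannerObjectId = '11111111-1111-1111-1111-111111111111'     # placeholder Azure AD object ID
$officeCidr      = '203.0.113.0/24'                           # placeholder public range

# 1. Tenant-wide: SMTP AUTH off by default, so no other mailbox can be used for basic auth.
Set-TransportConfig -SmtpClientAuthenticationDisabled $true

# 2. Scanner mailbox: enable SMTP AUTH only here, and switch off every protocol it does not need.
Set-CASMailbox -Identity $scannerUpn `
    -SmtpClientAuthenticationDisabled $false `
    -OWAEnabled $false -ActiveSyncEnabled $false -MAPIEnabled $false `
    -EwsEnabled $false -PopEnabled $false -ImapEnabled $false

# 3. Named location for the office public IP range.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Office public IP (scanner)'
    isTrusted     = $false
    ipRanges      = @(@{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = $officeCidr })
}

# 4. Conditional Access: block this one account from everywhere except that location.
#    SMTP AUTH is a legacy protocol and is evaluated under the 'other' client app type,
#    so clientAppTypes must include it (here: all).
$policy = @{
    displayName   = 'Scanner account: office IP only'
    state         = 'enabledForReportingButNotEnforced'   # check sign-in logs, then set 'enabled'
    conditions    = @{
        clientAppTypes = @('all')
        applications   = @{ includeApplications = @('All') }
        users          = @{ includeUsers = @($scannerObjectId) }
        locations      = @{ includeLocations = @('All'); excludeLocations = @($location.Id) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# 5. Review: confirm the mailbox now has only SMTP AUTH enabled.
Get-CASMailbox -Identity $scannerUpn |
    Select-Object SmtpClientAuthenticationDisabled, OWAEnabled, ActiveSyncEnabled,
                  MAPIEnabled, EwsEnabled, PopEnabled, ImapEnabled
```

If you also deploy a tenant-wide “block legacy authentication” policy, add the scanner account to that policy's exclusions, otherwise its SMTP AUTH sign-ins are blocked regardless of location.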


How do you use Smart Card auth against Microsoft 365 with an on-prem AD CS CA?

You’ll have to use Active Directory Federation Services (or a third-party provider).


What directory services (user identity management) tool would you recommend for mixed OS-environments Windows/Mac/Unix? e.g. Jumpcloud?

We’d recommend continuing to use Azure AD for mixed environments like this. It’s very important to have a single (if at all possible) source of identity for the whole organization and all identity types.


How do you exclude a Global Admin account from access to SharePoint instances?

You can take them out of any group with access to a SharePoint site, BUT they can always assign themselves permissions. Keep the number of Global Admins low, audit their actions closely and use PIM if possible.
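A recurring review that does what the answer recommends, as an added example (not from the article): list who currently holds Global Administrator, then pull their SharePoint permission and sharing changes from the unified audit log. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules and an account allowed to read directory roles and search the audit log.

```powershell
# Added example (not from the article): enumerate Global Administrators and review their
# recent SharePoint permission/sharing activity from the unified audit log.
# Assumptions: Microsoft.Graph and ExchangeOnlineManagement modules; the signed-in account
# can read directory roles and run Search-UnifiedAuditLog.
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All'
Connect-ExchangeOnline

# 1. Who holds Global Administrator right now? (Permanent assignments; PIM-eligible users
#    appear here only while their activation is live.)
$gaRole    = Get-MgDirectoryRole -All | Where-Object { $_.DisplayName -eq 'Global Administrator' }
$gaMembers = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All
$gaUpns    = @($gaMembers | ForEach-Object { $_.AdditionalProperties['userPrincipalName'] } |
              Where-Object { $_ })
"Global Administrators ($($gaUpns.Count)):"
$gaUpns

# 2. What permission and sharing changes did they make in SharePoint in the last 30 days?
#    A GA can always grant themselves site access, so these operations are the ones to watch.
$end   = Get-Date
$start = $end.AddDays(-30)
$watchedOps = 'AddedToGroup', 'SharingSet', 'SharingInvitationCreated', 'SiteCollectionAdminAdded'
$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -UserIds $gaUpns -Operations $watchedOps -ResultSize 5000

# 3. Flatten the JSON payload into a reviewable table.
$events |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Select-Object CreationTime, UserId, Operation, ObjectId, SiteUrl |
    Sort-Object CreationTime -Descending |
    Format-Table -AutoSize
```

Run this on a schedule and compare the Global Administrator list against the previous run; a new name that nobody approved is the finding you want.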


What if staff refuse to put the 2FA app on their personal phone and want to use a phone call or text instead?

This is really a company policy issue. In most cases the company technology-use policy (or employment contracts) needs to be updated with verbiage along the lines of “If you’re going to work here, this app/tool is REQUIRED”. I would also add clear policies about what the Microsoft Authenticator app can’t do when installed on a personal smartphone, to assuage users’ fears.


Is Defender for 365 included with “M365 Business Premium” licensing? Didn’t see it listed on either included or available for add-on.

Yes, M365 Business Premium comes with Defender for Office P1, and Defender for Business / Endpoint.


Defender still has the stigma that it isn’t good enough compared to mainstream AV solutions. What’s your take on this? Would you drop your AV solution just for Defender?

Absolutely! Defender for Endpoint is now a leading EDR / endpoint protection product for iOS, Android, macOS, Linux and Windows. And it includes Threat and Vulnerability Management to identify vulnerable software.


I have been told by Microsoft to put all my conditions into compliance policies and then leave Conditional Access for just “MFA required” and “marked as compliance”. Is this still best practice?

It’s a bit generic as an overall statement, and it always depends on the individual organizations’ security posture etc. But yes – use Conditional Access to build business policies into technical enforcement for all access to all applications and data. Use MFA wherever possible, and also enforce compliant devices. This last bit of course depends on your compliance policies for each platform so make sure you keep those tight.


Is there an easy way to prevent users from downloading attachments when using Outlook online/OWA?

This should be possible with Conditional Access. Take a look at the controls in the Conditional Access policy wizard.


Does Defender come with Mobility & Security E3?

Defender for Endpoint Plan 1 comes with M365 E3, but it’s a bit limited compared to MDE Plan 2, which comes with M365 E5 (and Defender for Business, included in M365 Business Premium, is better – as long as you have fewer than 300 users).


How do permissions and invitations work for new guests?

(question continued) When setting the permission level to “New and Existing Guests”, when generating a link to a document to be shared externally, do users have to sign in using their Office 365/Microsoft accounts to access that file? What if the user doesn’t use an Office 365 or Microsoft account? Do they have to create it when accepting the invitation?

In that situation the external user will be emailed a code that they’ll have to enter when accessing the document.


What is a best practice for sharing only selected folder or two from a SharePoint site with a guest user?

Depends on the specific use-case, but it’s recommended to follow the rules of least privilege. I would also make sure to configure the time limit on share length to make sure the share is turned off after a given amount of time.


For phones that don’t have Android or IOS we allow those users to get a Microsoft call. Is that advised?

Yes. MFA via a phone call is better than nothing!


For SMB customers where licensing E3/E5 for all users may be cost-prohibitive, does it make sense to add security-related add-on plans à la carte? If so, what are the most important add-ons to include?

Generally, the pre-packaged plans (E3/E5) are the most cost-effective in terms of value. If there are specific features required by an end-customer organization, then it becomes a costing exercise based on the needs of that given situation. Another option if the larger bundles are too pricy would be to look at a third-party security vendor.


When I turn off legacy authentication, does this mean that basic 2FA will stop working? By basic 2FA I mean per-user MFA, where everything requires 2FA prompts?

No, all forms of Azure AD MFA / 2FA are unaffected by legacy authentication being turned off.


Which 2FA products do you recommend for 365 and single sign-on?

We would recommend using the built-in MFA in Azure AD, preferably enforced with Conditional Access policies as they give you the most flexibility.


Wrap-Up

That wraps up our M365 security configurations questions. Again, if you think of any follow-up questions, be sure to use the comments section below this article and we’ll be sure to get you an answer!


Thanks for reading!

Use Microsoft Defender for Cloud Apps to Protect your M365 Tenant
Published Fri, 24 Jun 2022 11:35:21 +0000 (https://www.altaro.com/microsoft-365/microsoft-defender-cloud-apps/)
Microsoft Defender for Cloud Apps is a cloud-based “firewall” that lets you discover and gate access to the SaaS applications your users use, apply policies and governance, and manage your business data as it’s stored in the cloud.

That the world of IT is changing is an understatement, and that it’s changing quicker than it used to is common knowledge, but the ramifications of those changes can be hard to perceive when we’re in the middle of the shifting sands. Only a few years ago, having good firewall systems with content filtering and malware inspection was considered state of the art. Today, you have two problems: first, most of your users aren’t in the office, so they’re not behind that big “blinky light” protector, and second, most of the applications and services your users are accessing aren’t on-premises anymore; they’re cloud services that they access from any device with an internet connection.

No problem says the older, “pry my servers from my cold, dead hands” IT Pro, we’ll just force everyone’s traffic back to on-premises via VPN and then we can inspect all the traffic. Sounds good? Quick question, when your VPN went from 10% of the workforce using it to 100% at the start of 2020 – how was the user experience? And even if that was mitigated, how’s their experience when they’re using Teams / Zoom? Not quite so “modern” anymore?

The point is that security, firewalling and filtering need to move with the times, and in this article we’re going to discuss Cloud Access Security Brokers (CASBs) and specifically Microsoft Defender for Cloud Apps (MDCA), until recently known as Microsoft Cloud App Security (MCAS). We’ll also look at how you can use MDCA specifically with Microsoft 365.

A CASB is an on-premises or cloud-based software firewall that sits between cloud services and users, enforcing policies and monitoring activity.

Deploy Microsoft Defender for Cloud Apps

While the new name makes perfect sense, I know that I’ll have to deal with numerous questions about the difference between it and Microsoft Defender for Cloud, the new name for Azure Security Center and Azure Defender. Defender for Cloud is all about protecting workloads in Azure (and AWS & GCP, hence the name change from Azure Defender to Defender for Cloud), whereas Defender for Cloud Apps is all about spotting shadow IT, managing SaaS service access by your end-users, and applying policy.

Let’s start with how it works. MDCA needs data on what apps your users are browsing on the internet. You can continuously upload logs from your on-premises firewalls and proxy servers, you can integrate directly with a set of cloud services that have API connections, and you can use Microsoft Defender for Endpoint as an agent for MDCA. The number of cloud services that can be integrated into MDCA is increasing; at the time of writing they are:

    • Atlassian (Preview)
    • AWS
    • Azure
    • Box
    • Dropbox
    • Egnyte
    • GCP
    • GitHub Enterprise Cloud
    • Google Workspace
    • NetDocuments
    • Office 365
    • Okta
    • OneLogin
    • Salesforce
    • ServiceNow
    • Slack
    • Smartsheet
    • Webex
    • Workday
    • Zendesk

The list of supported firewalls and proxies is too long to list, but you can find it here. It includes all the usual suspects plus cloud-based “firewalls” such as Zscaler and iboss. You can also use Syslog or FTP with “container appliances” to upload custom logs to MDCA and you can customize the log parser if you need to.

As mentioned, if you’re using Defender for Endpoint (MDE) Plan 2 on Windows 10/11, it’s an excellent way to gather data for MDCA. Note that while MDE also supports Android, iOS, Linux and MacOS, they’re not supported as agents for MDCA today, and Defender for Business (in public preview) and Defender for Endpoint Plan 1 (included in Microsoft 365 E3) also aren’t supported. Since both MDCA and Endpoint Plan 2 are part of Microsoft 365 E5 licensing, this is less of a hurdle than you might think (see flavors below). The steps to integrate them are really simple, a single slider in each portal needs to be enabled.

The power this brings is not to be underestimated, you get a full 360 view of all services accessed by your users, no matter where they’re working and how they’re connecting, and you can apply policies to them.

Shadow IT Discovery

OK, once you have data flowing into Defender for Cloud Apps through any of the methods above, you’ll start getting Cloud Discovery reports. These tell you which service categories are most used, which apps are most used by your users and whether high-, medium- and low-risk apps are in use. Commonly known as shadow IT, this is the usage of apps that the business isn’t aware of, including potential storage of sensitive data in these locations. It’s vital that this is discovered and managed, and Defender for Cloud Apps helps you a lot with this task.

Defender for Cloud Apps Cloud Discovery dashboard

Based on this data you can start digging into the riskiest apps with high usage and identify why they’re being used and what the risks are. There’s a built-in catalog of 30,036 apps (and growing, last time I looked it was just over 27,000). Each app/cloud service in the catalog has an overall score from 1-10, based on four categories, General, Security, Compliance and Legal.

Defender for Cloud Apps catalog listing

The point of the catalog is to give you instant visibility into the security stance (perhaps of a service you’ve just found out is used by the entire finance department) and regulatory compliance of an app, without having to spend hours digging through their website or requesting more information from them. For instance, if your organization requires suppliers to adhere to a specific compliance regulation you can filter the catalog to identify any application in use that doesn’t.

The next step is to sanction or unsanction an app. The latter will block access if you’re using Defender for Endpoint, Zscaler or iboss and there are options to download a script to add the block to on-premises firewalls. But even if you’re not outright blocking the use of these apps, it does allow you to track down the users and suggest an alternative app with a better security track record.

Another way that I find this discovery useful is by letting me find popular apps that I can publish through Azure Active Directory for users to add governance around their usage.

Using Defender for Cloud Apps

There are several types of policies you can use to detect risky behavior and suspicious activity and, in some cases, automatically remediate the issue. Activity policies use the APIs of integrated applications and let you build custom alerts for multiple failed sign-ins, large numbers of file downloads or logins from unusual countries or regions. Anomaly detection uses User and Entity Behavioral Analytics (UEBA) and machine learning; for most detections it takes seven days to establish a baseline so it can identify what’s unusual. Signals used in these policies include risky IP addresses, inactive accounts, location, device, user agent etc. Malware detection across Box, Dropbox, Google Workspace and Office 365 (when used with Defender for Office 365) is one of these policies.
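To make the two activity-policy detections concrete, here is the logic behind “multiple failed sign-ins” and “sign-in from an unusual country” run locally over constructed sign-in records, as an added example (not from the article and not MDCA's own code). The records are shaped like Microsoft Graph signIn objects; users, countries, timestamps and thresholds are invented for the example.

```powershell
# Added example (not from the article): the detection logic an MDCA activity policy applies,
# run over constructed sign-in records. Constructed data: users, countries, times and
# error codes are invented (50126 is the Azure AD "invalid credentials" code).
$signInsJson = @'
[
 {"createdDateTime":"2022-06-13T08:00:00Z","userPrincipalName":"alice@contoso.example","status":{"errorCode":0},"location":{"countryOrRegion":"AU"}},
 {"createdDateTime":"2022-06-14T09:10:00Z","userPrincipalName":"alice@contoso.example","status":{"errorCode":0},"location":{"countryOrRegion":"AU"}},
 {"createdDateTime":"2022-06-15T07:30:00Z","userPrincipalName":"bob@contoso.example","status":{"errorCode":0},"location":{"countryOrRegion":"AU"}},
 {"createdDateTime":"2022-06-21T02:00:00Z","userPrincipalName":"alice@contoso.example","status":{"errorCode":50126},"location":{"countryOrRegion":"ZZ"}},
 {"createdDateTime":"2022-06-21T02:01:00Z","userPrincipalName":"alice@contoso.example","status":{"errorCode":50126},"location":{"countryOrRegion":"ZZ"}},
 {"createdDateTime":"2022-06-21T02:02:00Z","userPrincipalName":"alice@contoso.example","status":{"errorCode":50126},"location":{"countryOrRegion":"ZZ"}},
 {"createdDateTime":"2022-06-21T02:03:00Z","userPrincipalName":"alice@contoso.example","status":{"errorCode":50126},"location":{"countryOrRegion":"ZZ"}},
 {"createdDateTime":"2022-06-21T02:04:00Z","userPrincipalName":"alice@contoso.example","status":{"errorCode":50126},"location":{"countryOrRegion":"ZZ"}},
 {"createdDateTime":"2022-06-21T02:05:00Z","userPrincipalName":"alice@contoso.example","status":{"errorCode":0},"location":{"countryOrRegion":"ZZ"}},
 {"createdDateTime":"2022-06-21T09:00:00Z","userPrincipalName":"bob@contoso.example","status":{"errorCode":50126},"location":{"countryOrRegion":"AU"}},
 {"createdDateTime":"2022-06-21T09:30:00Z","userPrincipalName":"bob@contoso.example","status":{"errorCode":0},"location":{"countryOrRegion":"AU"}}
]
'@
$signIns = $signInsJson | ConvertFrom-Json

# Detection 1: N or more failed sign-ins by one user inside a sliding window.
function Find-FailedSignInBursts {
    param([object[]]$SignIns, [int]$Threshold = 5, [int]$WindowMinutes = 10)
    $alerts = [System.Collections.Generic.List[object]]::new()
    $failures = $SignIns | Where-Object { $_.status.errorCode -ne 0 }
    foreach ($group in ($failures | Group-Object userPrincipalName)) {
        $times = @($group.Group | ForEach-Object { [datetime]$_.createdDateTime } | Sort-Object)
        for ($i = 0; $i -lt $times.Count; $i++) {
            $windowEnd = $times[$i].AddMinutes($WindowMinutes)
            $inWindow  = @($times | Where-Object { $_ -ge $times[$i] -and $_ -le $windowEnd })
            if ($inWindow.Count -ge $Threshold) {
                $alerts.Add([pscustomobject]@{
                    User = $group.Name; Failures = $inWindow.Count; From = $times[$i]; To = $windowEnd
                })
                break   # one alert per user per burst is enough for the analyst
            }
        }
    }
    return $alerts
}

# Detection 2: successful sign-in from a country not seen in the user's baseline period.
# Mirrors the seven-day learning period the article mentions for anomaly detection.
function Find-UnusualCountrySignIns {
    param([object[]]$SignIns, [int]$BaselineDays = 7)
    $alerts  = [System.Collections.Generic.List[object]]::new()
    $success = $SignIns | Where-Object { $_.status.errorCode -eq 0 }
    foreach ($group in ($success | Group-Object userPrincipalName)) {
        $sorted      = @($group.Group | Sort-Object { [datetime]$_.createdDateTime })
        $baselineEnd = ([datetime]$sorted[0].createdDateTime).AddDays($BaselineDays)
        $baseline    = @($sorted | Where-Object { [datetime]$_.createdDateTime -le $baselineEnd } |
                         ForEach-Object { $_.location.countryOrRegion } | Sort-Object -Unique)
        foreach ($s in $sorted) {
            $when = [datetime]$s.createdDateTime
            if ($when -gt $baselineEnd -and $s.location.countryOrRegion -notin $baseline) {
                $alerts.Add([pscustomobject]@{
                    User = $group.Name; Country = $s.location.countryOrRegion
                    When = $when; Baseline = ($baseline -join ',')
                })
            }
        }
    }
    return $alerts
}

# On the constructed data: alice triggers both detections (5 failures in 5 minutes, then a
# success from "ZZ" after an AU-only baseline); bob's single failure triggers nothing.
Find-FailedSignInBursts   -SignIns $signIns | Format-Table -AutoSize
Find-UnusualCountrySignIns -SignIns $signIns | Format-Table -AutoSize
```

The same two functions accept real records from Get-MgAuditLogSignIn, which return the same property names; in production the point of MDCA is that you configure these as policies rather than running scripts, but seeing the logic explains why the seven-day baseline matters.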

Defender for Cloud Apps activity policy to catch ransomware

OAuth app policies keep an eye on apps that are granted permissions in Azure AD, either by end-users (if you allow this) or by administrators, we covered the risks and mitigations in-depth in an article and webinar.

File policies bring a built-in DLP engine to inspect content across 100+ file types and allow you to take automated action when the content matches your criteria. You can create policies for publicly shared files, files shared with a specific domain or with a specific set of unauthorized users, and even for specific high-risk file extensions.

Access policies are a very cool concept, essentially combining the best of Azure AD Conditional Access policies with the app control of MDCA. You deploy the apps using Conditional Access App Control, and this lets you not only block access to applications based on, for instance, the device the user is using, but also use session policies to control what a user can do in the app. You can monitor all activity, block all downloads, block specific activities, require step-up authentication for sensitive tasks, protect files on download or upload, block malware and educate users on protecting sensitive files.

Defender for Cloud Apps cloud discovery anomaly detection policy

Finally, App discovery policies alert you to new cloud services that are being used (to continue the fight against Shadow IT) and cloud discovery anomaly detection policies alert you to unusual activity in cloud apps.

What I like about Defender for Cloud Apps, unlike many other security applications, is that it creates many default policies for you “out of the box”, so you’re getting good protection even before you create your own policies.

Alerts from these policies can be sent as emails, or text messages or you can use a Power Automate playbook to notify the right people. You can also automatically disable a user account, require the user to sign in again or confirm them as compromised to automatically contain a potential attack.

As you can see, you can provide granular control over what your users can and can’t do in cloud applications and if they’re working from home (on Windows 10/11 devices) they’re still under your purview. Note that it’s not only end-user SaaS services that are protected with Defender for Cloud Apps: AWS, GCP and Azure admin access and usage can also be monitored and controlled.

The integration with the rest of the Microsoft 365 Defender stack is also strong, here’s an example of a Data Loss Prevention policy being used to control sensitive data in third-party apps.

Microsoft 365 Data Loss Prevention Policy integration

Flavors of Defender for Cloud Apps

There are three flavors of Defender for Cloud Apps. The full version that we’ve described so far is part of Microsoft 365 E5 licensing (or available as a stand-alone license). With Office 365 E5 you get Office 365 Cloud App Security, which only has a catalog of about 750 cloud apps (those similar in functionality to Office 365), only manual upload of firewall logs for analysis, app control and threat detections for Office-type apps only, and Conditional Access App Control for Office 365 apps only.

Cloud App Discovery on the other hand is part of Azure Active Directory Premium P1 and brings the full catalog of cloud apps, and both manual and automatic log upload but no information protection / DLP or threat detections at all (hence the name “discovery”).

Here’s a deep dive on licensing if you really have trouble going to sleep. 🥱 Alternatively, I appeared on an episode of the Sysadmin DOJO Podcast discussing this exact topic:

Defender for Cloud Apps for Microsoft 365

There’s quite a steep price jump from Microsoft 365 E3 to E5 and this could have been a hard sell a few years ago, before the pandemic. Today, however, if your business collaboration is built on Office 365, digital transformation is the aim of the business and people are working from anywhere, the power of Defender for Cloud Apps, with Defender for Endpoint as the agent, makes it a lot easier to convince the bean counters.

If you’re an MSP and you have clients with strong security and compliance needs (financial industry, lawyers, medical facilities etc.), even if they’re an SMB, definitely consider the upgrade to E5. This doesn’t just give you Defender for Cloud Apps; it also offers Defender for Identity along with a whole heap of other security features.


Conclusion

As you can tell, Defender for Cloud Apps is a powerful tool with numerous uses. To learn more, visit the Ninja training page (each Microsoft security product has one) which is a set of links to webinars, docs pages, blog articles, interactive guides, product videos and GitHub repositories.

What you Need to Know about Data Loss Protection in Microsoft 365
Published Thu, 26 May 2022 14:58:32 +0000 (https://www.altaro.com/microsoft-365/what-you-need-to-know-about-data-loss-protection-in-microsoft-365/)
Data loss prevention (DLP) is an important aspect of modern compliance and governance. Learn how to protect your business data in Microsoft 365 using DLP and backup.

Data is seen as the “new gold” for enterprise organizations as it is the lifeblood of the business revenue stream. No matter what industry, product, or solution a business offers, most companies have embraced data-driven processes to meet modern business challenges in today’s world. It underscores the importance for organizations to protect their data at all costs.

Data Loss Prevention (DLP) solutions provide the capabilities for businesses to protect their data. Companies must include their cloud SaaS solutions as part of their overall DLP strategies. The Microsoft 365 cloud SaaS solution provides robust DLP capabilities built into the platform. We will look at how to protect your business data in Microsoft 365 with DLP and backup.

Before diving into the Microsoft 365 DLP solution, let’s look at what DLP is in general and why companies need it. Most organizations hold sensitive data that would be highly damaging if it fell into the wrong hands: financial data, trade secrets, personally identifiable information (PII) about customers, health records, or other traditionally sensitive information such as social security numbers (SSNs) or credit card numbers (CCNs).

What is Data Loss Prevention (DLP)?

Data Loss Prevention (DLP) is the set of tools and solutions that protect against sensitive data loss, leak, misuse, or unauthorized access. DLP is a critical aspect of today’s very stringent compliance regulations. Failure to maintain compliance by having the proper security controls and DLP guardrails in place can result in catastrophic consequences for an organization, including steep fines from regulatory violations.

DLP is a framework of protective measures that prevents users from accidentally or intentionally sharing data in ways that place the business at risk, and that enforces remediation when they try. Data Loss Prevention is often categorized as a compliance concern for businesses, since most compliance frameworks require organizations to take proactive measures to protect sensitive data.

Maintaining strict adherence to compliance regulations is beneficial to customers, end-users, and businesses as it helps protect everyone involved. However, compliance can present challenges as organizations move into cloud Software-as-a-Service (SaaS) environments.

Often businesses have a solution that helps with DLP and other compliance concerns in on-premises environments. However, as they move to cloud SaaS and other cloud offerings, the traditional tools and solutions are no longer relevant to modern cloud architectures. As a result, organizations often must rethink their tooling and strategies for DLP as they migrate business-critical data to the cloud.

Data leaks can be catastrophic

A significant driver for giving due attention to compliance and DLP initiatives is the destructive nature of a data breach. The financial repercussions alone can be substantial. The IBM Cost of a Data Breach 2021 Report emphasizes the fiscal implications of a data breach event. Note the following findings for 2021:

    • 10% increase in the average total cost of a breach – 2021 saw the most significant jump in the 17-year history of the report
    • $4.24 million – the average cost of a data breach
    • Healthcare had the highest cost of a data breach for eleven consecutive years
    • Lost business represented 38% of the overall average
    • $180 – the cost per record of personally identifiable information (PII) data
    • 287 – the average number of days to identify and contain a data breach
    • $3.61 million – the average cost of a data breach in hybrid cloud environments
    • $4.62 million – the average cost of a ransomware breach

As the numbers show, financially, a data breach can potentially ruin a business. Part of the cost of a data breach event is also the regulatory compliance implications that follow, and these can be significant. For example, in cases of gross negligence leading to a data breach, the General Data Protection Regulation (GDPR) can fine a business as much as €20 million or 4% of global annual turnover, whichever is higher.

Compliance is no longer a “nice to have” for businesses. Current compliance regulations have “real teeth” to impose fines and other legal ramifications.

In Cloud SaaS, DLP is Your Responsibility

Organizations may misunderstand the responsibilities of cloud service providers when they move their data to cloud SaaS environments like Microsoft 365. Many may assume protecting their data is now solely the responsibility of the cloud service provider. While hyperscale cloud service providers like Microsoft provide robust cloud architectures that do well to help protect your data from loss, the burden of responsibility for business-critical data rests with the cloud SaaS customer.

Cloud service providers such as Microsoft operate on a “shared responsibility model” that places responsibility for the data itself with the customer. In Microsoft’s “Shared responsibility in the cloud” documentation, note specifically the section “Responsibility always retained by the customer.” Among the responsibilities that remain with the organization is the responsibility for information and data.

The shared responsibility model defined by Microsoft for cloud environments

Given that information and data are the customer’s responsibility, organizations must take the compliance and security of their data seriously.

Cloud SaaS Backups are Essential

Often Data Loss Prevention (DLP) focuses on the data leak aspect of losing data. However, DLP also indirectly relates to data protection. Most organizations today have a solid on-premises backup solution they use to protect mission-critical workloads running in on-premises enterprise datacenters.

However, as mentioned earlier, there is a notion that data backups are no longer needed once data is migrated to cloud SaaS environments. This idea can prove to be a grave mistake for organizations that suffer data loss from human error or a malicious attack at the hands of ransomware.

The shared responsibility model used by hyperscale cloud service providers such as Microsoft places all aspects of protecting your information and data, including backups, with the customer. Backing up ALL your data, including Office 365 workloads, is the cornerstone of any data protection strategy and business continuity plan.

What is Microsoft 365 Data Loss Prevention (DLP)

Microsoft has not left organizations on their own when it comes to Data Loss Prevention (DLP) in the Microsoft 365 cloud SaaS environment. Microsoft has built DLP into the Microsoft 365 SaaS environment using DLP policies.

Microsoft 365 DLP is part of the Microsoft 365 Compliance tools that allow protecting your sensitive data, no matter where the data is stored and how it is accessed. Microsoft 365 DLP policies allow businesses to monitor end-user activities and how users access sensitive data, whether at rest, in transit, or in use.

You can log into the Microsoft 365 Compliance Center here:

Microsoft 365 Compliance Center

The DLP policies then allow taking protective action based on sensitive data access. For example, Microsoft 365 DLP policies can take action when a user attempts to copy sensitive data from the sanctioned Microsoft 365 business environment to an unapproved location.

Additionally, it can block sharing of sensitive information in an email or other restrictions defined in the DLP policy. Other protective actions that can be defined in the DLP policy include:

    • Warn a user they may be trying to share a sensitive item inappropriately
    • Block the sharing and, via a policy tip, allow the user to override the block and capture the user’s justification
    • Block the sharing without the override option
    • For data at rest, sensitive items can be locked and moved to a secure quarantine location
    • With Teams chat, the sensitive information will not be displayed

Navigating to Data Loss Prevention in Microsoft 365 Compliance Center

When it comes to ensuring your sensitive data is compliant, visibility is essential for DLP. Microsoft 365 DLP writes the monitored activity events to the Microsoft 365 Audit Log (unified auditing), an “event viewer” of sorts for your Microsoft 365 cloud environment. It provides visibility into user and administrator activities in your organization.

As mentioned, the Microsoft 365 Audit Log is “unified.” This aspect of the logging capabilities in Microsoft 365 is important for DLP enforcement as it allows easily searching the audit log for activities performed in different Microsoft 365 services. In addition, the sheer width and breadth of cloud services offered in Microsoft 365 are staggering, so the unified logging capabilities provide a single-pane-of-glass view for activities affecting your Microsoft 365 security and compliance.

To take advantage of the Microsoft 365 Compliance Center auditing, you need to start recording user and admin activity.

Configuring Microsoft 365 Auditing to record user and admin activity
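
As an added example (not from the original article), the same auditing can be enabled and queried from Exchange Online PowerShell rather than the portal. The script below turns on unified audit log ingestion if it is off and then pulls the last week of DLP rule matches into a flat report. The audit record field names it reads (PolicyDetails, SharePointMetaData, ExchangeMetaData) follow the published DLP audit schema and are an assumption, as is the local CSV path.

```powershell
# Added example, not the article's own code: enable unified auditing and pull
# recent DLP rule matches from the Microsoft 365 audit log.
# Assumes the ExchangeOnlineManagement module and an account holding the
# Audit Logs / Compliance Management role in Exchange Online.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Turn on unified audit log ingestion if the tenant has never enabled it.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

$start = (Get-Date).AddDays(-7)
$end   = Get-Date

# DLP events land in workload-specific record types; query each one.
# -RecordType takes a single value, so loop; -Operations narrows to rule matches.
$records = foreach ($type in 'ComplianceDLPExchange', 'ComplianceDLPSharePoint') {
    Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -RecordType $type -Operations DlpRuleMatch -ResultSize 5000
}

# AuditData is a JSON blob; flatten the fields a reviewer cares about.
# Property names below follow the documented DLP audit schema (assumption).
$report = foreach ($r in $records) {
    $d      = $r.AuditData | ConvertFrom-Json
    $policy = $d.PolicyDetails | Select-Object -First 1
    [pscustomobject]@{
        Time     = $r.CreationDate
        User     = $r.UserIds
        Workload = $d.Workload
        Policy   = $policy.PolicyName
        Rule     = ($policy.Rules | Select-Object -First 1).RuleName
        # SharePoint/OneDrive events carry a file name, Exchange events a subject.
        Item     = if ($d.SharePointMetaData) { $d.SharePointMetaData.FileName }
                   else { $d.ExchangeMetaData.Subject }
    }
}

$report | Sort-Object Time -Descending | Format-Table -AutoSize
$report | Export-Csv -Path .\dlp-matches.csv -NoTypeInformation   # path is an assumption
```

Search-UnifiedAuditLog returns at most 5,000 records per call; for busier tenants page through the results with -SessionId and -SessionCommand ReturnLargeSet, or review the same events in the compliance portal’s Activity explorer.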

Microsoft 365 DLP vs. Microsoft Information Protection (MIP)

Many may be confused by the various offerings from Microsoft related to compliance and data loss prevention. Microsoft Information Protection (MIP) is an offering that helps to discover, classify, and protect sensitive information. It is actually a suite of technologies rather than a single product, and it includes the Data Loss Prevention (DLP) capabilities found in Microsoft 365. The MIP capabilities are:

    • Sensitive information types (SITs)
    • Trainable Classifiers
    • Data Classification
    • Sensitivity Labels
    • Azure Information Protection (AIP) unified labeling client, now Microsoft Information Protection
    • Azure Information Protection (AIP) unified labeling Scanner, now Microsoft Information Protection
    • Azure Purview
    • Double Key Encryption (DKE)
    • Office 365 Message Encryption (OME)
    • Service encryption with Customer Key
    • SharePoint Information Rights Management (IRM)
    • Rights Management connector
    • Microsoft Cloud App Security (MCAS)
    • Microsoft Information Protection (MIP) SDK
    • Data Loss Prevention (DLP)

Data Loss Prevention (DLP) is Not a Substitute for Cybersecurity

It is essential to understand that while DLP is required to satisfy regulatory compliance demands and prevent data leak catastrophes, it is not an all-inclusive cybersecurity solution. While DLP should be part of your overall cybersecurity stance, it does not protect your environment from attackers.

Data Loss Prevention helps organizations enforce governance restrictions with business-critical and sensitive data. However, it does not protect your environment from a ransomware attack, stolen credentials, phishing emails, malicious third-party applications, and other threats in the cloud.

On the other hand, strong cybersecurity measures do not protect your organization from data leak events when users transmit or share data accidentally or intentionally. DLP helps organizations protect from insider threats, while other cybersecurity measures and technologies help protect from outside threats posed by attackers and other malicious activities.

Microsoft has other products that help organizations protect from malicious threats such as email compromise and credential phishing. Microsoft Defender for Office 365 (formerly Office 365 ATP) provides deep inspection and can sandbox executables to determine whether they are legitimate, based on intent and behavior. Advanced artificial intelligence (AI) and machine learning (ML) in Defender for Office 365 help to protect your business-critical and sensitive data from attackers. Learn more about that solution here:

365 Total Protection from Hornetsecurity offers comprehensive protection for Microsoft cloud services – specially developed for Microsoft 365 and seamlessly integrated to provide comprehensive protection for Microsoft cloud services. Easy to set up and extremely intuitive to use, 365 Total Protection simplifies your IT Security management from the very start.

Data Loss Prevention (DLP) is Not a Substitute for Backup

Although Data Loss Prevention sounds like backup, as you can see it’s not the same thing. Your information governance plan for your business should include DLP, Information Protection, AND Backup.

Office 365, Exchange Online, and SharePoint Online / OneDrive for Business use various data protection technologies to ensure that your data is highly available and protected against hardware failure, but there’s NO backup in a separate system and no way to “go back in time”. Make sure you complement DLP and Information Protection with solid third-party backup services for Office 365, such as Altaro’s Office 365 Backup.

Microsoft 365 DLP Default Policy

In the Microsoft 365 Compliance Center, you will see a default Data Loss Prevention (DLP) policy listed, aptly named Default Office 365 DLP policy. The policy contains two safeguards by default, helping to protect organizations from data leaks involving credit card numbers. Let’s take a closer look at the default DLP policy, as it helps to get a feel for the configurable policy settings.

Viewing and editing the default Data Loss Prevention (DLP) policy in Microsoft Compliance Center

The default DLP policy already configured in your Microsoft 365 environment applies to Exchange email, SharePoint sites, and OneDrive accounts, as you see below. The great thing about Microsoft 365 DLP policies is that one policy can be applied across multiple services at the same time.

Services assigned to the default Microsoft 365 DLP policy

The default DLP policy contains two advanced DLP rules out of the box. The advanced rules contain conditions and actions that define the protection requirements for the policy. You can edit the existing rules or create new ones. The two default rules in the advanced DLP ruleset are:

    • Items containing 1-9 credit card numbers shared externally
    • Items with 10 or more credit card numbers shared externally

Default advanced rules contained in the Microsoft 365 DLP policy

You can see how the policy rules are configured if you edit one of the default rules. Under Conditions, the Sensitive info types are set to Credit Card Number.

Sensitive info types configured for Credit Card Number

It is configured to look for the CCNs that are shared with people outside my organization.

Data shared outside the organization

The Microsoft 365 DLP policies, by default, are configured for user notifications. These notify the following recipients:

    • The person who sent, shared, or modified the content
    • Owner of the SharePoint site or OneDrive account
    • Owner of the SharePoint or OneDrive content

You can also configure additional notification rules to send emails to other recipients.

Notification rules for the Microsoft DLP policy

Another configurable setting in the Microsoft 365 DLP policy settings is to allow overrides. This setting allows users to override policy restrictions in Exchange, SharePoint, OneDrive, and Teams. It is a setting that needs to be used with caution as it can potentially violate compliance and governance.

As seen below, you can additionally require a business justification to override. Admins can also choose to receive alerts with user override activity.

Allowing user overrides from M365 services
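
To show what those screens translate to, here is an added example (not the article’s own content) that recreates the two default rules with Security & Compliance PowerShell. It uses the protective actions listed earlier: the 1-9 rule blocks the share but lets the user override with a business justification, and the 10-or-more rule blocks outright; both notify the sender/modifier, the content owner and the site owner and raise an incident report for admins. The policy name, the choice to start in TestWithNotifications mode, the exact action-to-rule mapping, and the closing Test-DataClassification check against a constructed card number are this example’s choices, not necessarily what the shipped default policy uses.

```powershell
# Added example, not the article's own code: reproduce the default
# "credit card numbers shared externally" policy in Security & Compliance PowerShell.
# Assumes the ExchangeOnlineManagement module and a Compliance Administrator account.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

$policyName = 'CCN shared externally (test)'   # name is this example's choice

# One policy spanning the same three workloads as the default policy.
# TestWithNotifications reports matches and shows policy tips but blocks nothing yet.
New-DlpCompliancePolicy -Name $policyName `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications `
    -Comment 'Mirrors the Default Office 365 DLP policy; switch -Mode to Enable after review'

# Shared notification settings: sender/modifier, content owner and site owner get the
# policy tip/email, and an incident report goes to the site admin.
$notify = @{
    NotifyUser             = 'LastModifier', 'Owner', 'SiteAdmin'
    GenerateIncidentReport = 'SiteAdmin'
}

# Low volume: 1-9 card numbers going outside the organization.
# Block, but let the user override after entering a business justification.
New-DlpComplianceRule -Name 'Items containing 1-9 credit card numbers shared externally' `
    -Policy $policyName -AccessScope NotInOrganization `
    -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '1'; maxCount = '9' } `
    -BlockAccess $true -NotifyAllowOverride WithJustification `
    -ReportSeverityLevel Low @notify

# High volume: 10 or more card numbers. Block with no override.
New-DlpComplianceRule -Name 'Items with 10 or more credit card numbers shared externally' `
    -Policy $policyName -AccessScope NotInOrganization `
    -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '10' } `
    -BlockAccess $true `
    -ReportSeverityLevel High @notify

# Sanity-check the sensitive information type against a constructed sample before
# relying on it. 4111 1111 1111 1111 is a well-known test number that passes the Luhn
# check; the classifier also wants supporting context such as an expiry date nearby.
Test-DataClassification -TextToClassify 'Customer card 4111 1111 1111 1111, expires 12/26' |
    Select-Object -ExpandProperty ClassificationResults
```

Leave the policy in test mode for a couple of weeks, review the matches in the audit log or Activity explorer, tune the counts and confidence, and only then run Set-DlpCompliancePolicy -Identity <name> -Mode Enable.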

Built-in Templates

One of the really nice features Microsoft has built into the Microsoft 365 DLP policy configuration wizard is templates. Depending on the type of compliance, industry, and other factors, the templates make it much easier to start with a good baseline of DLP policy settings.

Using Microsoft 365 DLP templates

Microsoft 365 Endpoint DLP

With Microsoft 365 DLP, organizations can monitor the actions taken on sensitive data and help prevent the unintentional sharing of those items. However, there is another aspect: the endpoint.

Microsoft 365 Endpoint data loss prevention (Endpoint DLP) provides the capabilities to extend the activity monitoring and protection capabilities to sensitive items that are physically stored on the endpoint. These may include Windows 10, Windows 11, and macOS (currently in public preview) devices.

To access and use Endpoint DLP functionality, you must have one of these subscriptions or add-ons.

    • Microsoft 365 E5
    • Microsoft 365 A5 (EDU)
    • Microsoft 365 E5 compliance
    • Microsoft 365 A5 compliance
    • Microsoft 365 E5 information protection and governance
    • Microsoft 365 A5 information protection and governance

The Endpoint DLP solution allows companies to onboard the devices into the Microsoft 365 compliance solution and monitor activities and actions taken on the endpoint. In addition, using DLP policies, protective actions can be enforced to provide DLP guardrails for the clients.

There are specific activities Microsoft 365 Endpoint DLP allows monitoring and acting upon with Windows 10, Windows 11, and macOS devices. These include the following:

    • Upload to cloud service or access by unallowed browsers
    • Copy to other app
    • Copy to USB or other removable media
    • Copy to a network share
    • Printing a document
    • Copy to a remote session
    • Copy to a Bluetooth device
    • Create an item
    • Rename an item

You can also monitor specific file types, including:

    • Word files
    • PowerPoint files
    • Excel files
    • PDF files
    • .csv files
    • .tsv files
    • .txt files
    • .rtf files
    • .c files
    • .class files
    • .cpp files
    • .cs files
    • .h files
    • .java files

Configuring Microsoft 365 Endpoint DLP settings

To configure Microsoft 365 Endpoint DLP settings, navigate to Data Loss Prevention (DLP) > Endpoint DLP settings. As you can see below, you can configure policy settings controlling:

    • File path exclusions
    • Unallowed apps
    • Unallowed Bluetooth apps
    • Browser and domain restrictions to sensitive data
    • Additional settings for endpoint DLP
    • Always audit file activity for devices

Configuring Endpoint DLP settings

As an example, let’s set up unallowed browsers. Under Browser and domain restrictions to sensitive data > Unallowed browsers > Add or edit unallowed browsers.

Adding Unallowed Browsers in a Microsoft 365 Endpoint DLP policy

Next, you will select or add the executable for the unallowed browser for your Endpoint DLP policy.

Choosing unallowed browsers for your Endpoint DLP policy

Onboarding devices into Microsoft 365 Endpoint DLP

You must enable device monitoring and onboard your endpoints before you can monitor and protect sensitive items on a device. You can enable device management and onboard devices using the Microsoft 365 Compliance portal. Onboarding is accomplished by downloading the appropriate script and running the script on the endpoint.

You can also onboard devices using Group Policy, Microsoft Endpoint Configuration Manager, or Mobile Device Management tools, and there is a separate procedure for onboarding virtual desktop infrastructure (VDI) devices.

Onboarding devices into Microsoft 365 Endpoint DLP

Does DLP Cover all Your Data Loss Needs?

Compliance and governance are both extremely important initiatives for organizations today. Data Loss Prevention (DLP) is required by most compliance regulations and helps prevent the accidental or intentional sharing of sensitive data outside the sanctioned environment.

Microsoft 365 Data Loss Prevention (DLP) is a solution from Microsoft that helps organizations effectively meet the challenges of protecting their business-critical and sensitive data from leaking outside their Microsoft 365 environment. The policy-driven engine of Microsoft 365 allows effectively building and applying policies to control how data can be shared, accessed, and transmitted from Microsoft 365.

It allows controlling both the data that resides in the Microsoft 365 environment and the data that physically resides on the endpoint. By configuring both aspects of Microsoft 365 DLP, organizations can effectively prevent unauthorized data access of sensitive information. As covered, DLP is not an all-inclusive cybersecurity solution. Organizations must combine DLP with other security solutions, such as Microsoft’s Defender for Office 365 or Hornetsecurity’s 365 Total Protection for protecting against phishing attacks, ransomware, and other threats plus a backup solution such as Office 365 Backup. You can also bundle both together in 365 Total Protection Enterprise Backup.

Use this Identity Checklist to secure your M365 tenant https://www.altaro.com/microsoft-365/identity-checklist-m365-tenant/ https://www.altaro.com/microsoft-365/identity-checklist-m365-tenant/#respond Wed, 04 May 2022 14:49:22 +0000 https://www.altaro.com/microsoft-365/?p=1966 Securing a Microsoft 365 tenant starts with making sure you’re using strong authentication to identify your users and applications, learn how here.

The post Use this Identity Checklist to secure your M365 tenant appeared first on Altaro DOJO | Microsoft 365.


Protecting identities is a fundamental part of Zero Trust and it’s the first “target” that most attackers look for. We used to say that attackers hack their way in, now we say they log in, using bought, found or stolen/phished credentials. This article will show you why MFA is so important and how to implement advanced security features in Azure AD such as PIM, Password protection, Conditional Access policies (also a strong part of Zero Trust), auditing and more.

Below is the first chapter from our free Microsoft 365 Security Checklist eBook. The Microsoft 365 Security Checklist shows you all the security settings and configurations you need to know for each M365 license to properly secure your environment. Download the full eBook and checklist spreadsheet.

Multi-Factor Authentication

It should be no surprise that we start with identity, it’s the new security perimeter or the new firewall and having a strong identity equals strong security. The first step to take here is implementing Multi Factor Authentication (MFA). It’s free for all Office / Microsoft tenants. If you want to use Conditional Access (CA) to enforce it (rather than just enabling users “in bulk”), you need Azure AD Premium P1+ licensing. A username and a simple password are no longer adequate (it never was, we just never had a simple, affordable, easy to use alternative) to protect your business.

Hand-in-hand with MFA you need user training. If your business is relying on users doing the right thing when they get the prompt on their phone – they MUST also know that if they get a prompt when they’re NOT logging in anywhere, they must click Block / No / Reject.

To enable MFA on a per-user basis, go to aad.portal.azure.com, login as an administrator, click Azure Active Directory – Security – MFA and click on the blue link “Additional cloud-based MFA settings”.

Additional MFA settings


There are two parts (tabs) on this page. On the service settings tab you should:

    • Disable app passwords (a workaround for legacy clients that don’t support MFA, which shouldn’t be necessary in 2022).
    • Leave trusted public IP addresses empty. This setting skips the MFA prompt when users are in the corporate office; we and Microsoft recommend not using it.
    • Disable Call to phone and Text message to phone. Phone call / text message MFA are not strong authentication methods and should not be used unless there’s no other choice.
    • Review the remember MFA on trusted devices setting (1-365 days). Microsoft recommends either using CA policies to manage sign-in frequency or setting this to 90 days.

On the users tab you can enable MFA for individual users or click bulk update and upload a CSV file with user accounts.

If you have AAD Premium P1, it’s better to use a CA policy to enforce MFA, it’s more flexible and the MFA settings page will eventually be retired.

Enforcing MFA with a Conditional Access Policy


A few words of caution, enabling MFA for all your administrators is a given today. Seriously, if you aren’t requiring every privileged account to use MFA (or 2FA / passwordless, see below), stop reading and go and do that right now. Yes, it’s an extra step and yes, you’ll get push back but there’s just no excuse – it’s simply unprofessional and you don’t belong in IT if you’re not using it. For what it is worth, I’ve been using Azure MFA for over seven years and require it for administrators at my clients – no exceptions.

Enabling MFA for all users is also incredibly important but takes some planning. You may have some users who refuse to run the Microsoft Authenticator app on their personal phone – ask for it to be put in their hiring contract. You need to train them as to why MFA is being deployed, what to do, both for authentic logins and malicious ones. Furthermore, you need to have a smooth process for enrolling new users and offboarding people who are leaving.

You should also strongly consider creating separate (cloud only) accounts for administrators. They don’t require a license and it separates the day-to-day work of a person who only performs administrative actions in your tenant occasionally (or use PIM, Chapter 10).

MFA protects you against 99.9% of identity-based attacks but it’s not un-phishable. Stronger alternatives include biometrics such as Windows Hello for Business (WHFB) and FIDO2 hardware security keys, which bring you closer to the ultimate in identity security: passwordless.

Legacy Authentication

However, it’s not enough to enable MFA for all administrators and users; the bad guys can still get in with no MFA prompt in sight. The reason is that Office 365 still supports legacy protocols that don’t support modern authentication / MFA. You need to disable these, but you can’t just turn them off: first check whether there are legitimate applications / workflows / scripts that use any of them. Go to aad.portal.azure.com, login as a Global Administrator, click Azure Active Directory – Monitoring – Sign-in logs. Change the time to last one month, click Add filters, then click Client app and then None Selected, in the drop-down pick all 13 checkboxes under Legacy Authentication Clients and click Apply.

Filtering Azure AD Sign-in logs for legacy authentication


This will show you all the logins over the last month that used any of the legacy protocols. If you get a lot of results, add a filter for Status and add Success to filter out the password spraying and credential stuffing attempts that failed. Make sure you check the four different tabs for interactive / non-interactive, service principal and managed identity sign-ins.

You’ll now need to investigate the logins. In my experience there will be some users who are using Android / Apple mail on smartphones; point them to the free Outlook app instead (Apple mail can be configured to use modern authentication). There’s also likely to be line-of-business (LOB) applications and printers / scanners that send emails via Office 365, so you’ll need updates for these. Alternatively, you can use another email service for these such as smtp2go.

Once you have eliminated all legitimate legacy authentication protocol usage you can disable it in two ways, it’s best to use both. Start by creating a Conditional Access policy based on the new template to block it, also go to admin.microsoft.com, Settings – Org settings – Services – Modern authentication and turn off basic authentication protocols.

Disable legacy authentication protocols in the M365 Admin Center

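
As an added example (not part of the original article), the same legacy-authentication audit can be scripted with Microsoft Graph PowerShell so it can be re-run before and after you flip the switches. It reports successful interactive sign-ins from the last 30 days whose client was anything other than a browser or a modern desktop/mobile app, grouped by user, protocol and application. The module name, permission scopes and output path are assumptions, and like the portal’s first tab it covers interactive user sign-ins only.

```powershell
# Added example, not the article's own code: report which users, apps and protocols
# still sign in with legacy (basic) authentication before you block it.
# Assumes the Microsoft.Graph.Reports module, Azure AD Premium P1 (needed to read
# sign-in logs through Graph) and an account granted the scopes below.
Import-Module Microsoft.Graph.Reports
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'

# Azure AD reports two modern client categories; everything else is a legacy protocol
# (IMAP4, POP3, SMTP, Exchange ActiveSync, MAPI, Outlook Anywhere, EWS, ...).
$modernClients = 'Browser', 'Mobile Apps and Desktop clients'

$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

# status/errorCode eq 0 keeps only successful sign-ins, dropping password-spray noise.
$signIns = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since and status/errorCode eq 0"

$legacy = $signIns | Where-Object { $_.ClientAppUsed -and $_.ClientAppUsed -notin $modernClients }

# One row per (user, protocol, application) with the count and the latest source IP,
# which is usually enough to tell a scanner or LOB app from a phone mail client.
$report = $legacy |
    Group-Object UserPrincipalName, ClientAppUsed, AppDisplayName |
    ForEach-Object {
        $latest = $_.Group | Sort-Object CreatedDateTime -Descending | Select-Object -First 1
        [pscustomobject]@{
            User     = $latest.UserPrincipalName
            Protocol = $latest.ClientAppUsed
            App      = $latest.AppDisplayName
            SignIns  = $_.Count
            LastSeen = $latest.CreatedDateTime
            LastIP   = $latest.IpAddress
        }
    } | Sort-Object SignIns -Descending

$report | Format-Table -AutoSize
$report | Export-Csv -Path .\legacy-auth-signins.csv -NoTypeInformation   # path is an assumption
```

Non-interactive, service principal and managed identity sign-ins are separate tabs in the portal and separate Graph queries, so check those as well. If you want a third, per-protocol control in Exchange Online itself, New-AuthenticationPolicy creates an authentication policy with every basic authentication protocol disabled, and Set-OrganizationConfig -DefaultAuthenticationPolicy makes it the tenant default; individual mailboxes that still need a protocol can then be assigned a more permissive policy while you migrate them.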

Break Glass accounts

Create at least one, preferably two break glass accounts, also known as emergency access accounts. These accounts are exempted from MFA, all CA policies and PIM (see below) and have very long (40 characters+), complex passwords. They’re only used if AAD MFA is down, for example, to gain access to your tenant to temporarily disable MFA or a similar setting, depending on the outage.

A second part to this is that you want to be notified if these accounts are ever used. One way to do this is to send your Azure AD sign-in logs to Azure Monitor (also known as Log Analytics), with instructions here. Another option is to use Microsoft Sentinel (which is built on top of Log Analytics) and create an Analytics rule.

Microsoft Sentinel alert rule when a Break Glass account is used


Security Defaults

If yours is a very small business, with few requirements for flexibility, the easiest way to set up Azure AD with MFA for everyone, plus several other security features enabled, is to turn on Security Defaults. Note that you can’t have break-glass accounts or other service accounts with Security Defaults as there’s no way to configure exceptions. Go to Properties for your Azure AD tenant and scroll to the bottom, and click on Manage Security defaults, here you can enable and disable it.

Privileged Identity Management

It’s worth investing in Azure Active Directory (AAD) Premium P2 for your administrator’s accounts and enabling Privileged Identity Management (PIM). This means their accounts are ordinary user accounts who are eligible to elevate their privileges to whatever administrator type they are assigned (see Chapter 10).

If you’re not using PIM, create dedicated admin accounts in AAD only. Don’t sync these accounts from on-premises but enforce MFA and strong passwords. Since they won’t be used for day-to-day work, they won’t require an M365 license.

Password Protection

After MFA, your second most important step is banning bad passwords. You’re probably aware that we’ve trained users to come up with bad passwords over the last few decades with “standard” policies (at least 8 characters, uppercase, lowercase, special character and numbers), which results in P@ssw0rd1 and, when they’re forced to change it every 30 days, P@ssw0rd2. Both NIST in the US and the NCSC (part of GCHQ) in the UK now recommend allowing (but not enforcing) the use of upper / lowercase etc., not mandating frequent password changes, and instead checking the password at the time of creation against a list of known, common bad passwords and blocking those. In Microsoft’s world that’s called Password protection, which is enabled for cloud accounts by default. There’s a global list of about 2000 passwords (and their variants) that Microsoft maintains, based on passwords they find in dumps, and you should add (up to 1000) company-specific words (brands, locations, C-suite people’s names, local sports teams, etc.) for your organization.

You find Password protection in the AAD portal – Security – Authentication Methods.

Password protection settings


Remember, you don’t have to add common passwords to the list, they’re already managed by Microsoft, just add company / region specific words that your staff are likely to use.

If you’re syncing accounts from Active Directory on-premises to AAD, you should also extend Password protection to your DCs. It involves the installation of an agent on each DC, a proxy agent, and a reboot of each DC.

Continuous Access Evaluation

This feature has been in preview for quite some time but is now in general availability. Before Continuous Access Evaluation (CAE), when you disabled a user’s account, or they changed location (from the office to a public Wi-Fi for example) it could be up to one hour before their state was re-evaluated and new policies applied, or they were blocked from accessing services. With CAE, this time is much shorter, in most cases in the order of a few minutes. It’s turned on by default for all tenants (unless you were part of the preview and intentionally disabled it). Another benefit of CAE is that tokens are now valid for 28 hours, letting people keep working during a shorter Azure AD outage. You can disable CAE in a CA policy, but it’s not recommended.

Conditional Access policies

We’ve mentioned Conditional Access (CA) policies several times already as they’re a crucial component of strong identity security and Zero Trust. Unlike other recommendations, there isn’t a one-size-fits-all set of CA policies we can give you; however, at a minimum you should have policies for:

    • Require MFA for admins (see MFA above)
    • Require MFA for users (see MFA above)
    • Require MFA for Azure management
    • Block legacy authentication (see MFA above)
    • Require compliant or Hybrid AAD joined device for admins
    • Require compliant or Hybrid AAD joined device for users
    • Block access to M365 from outside your country
    • Require MFA for risky sign-ins (if you have AAD Premium P2)
    • Require password change for high-risk users (if you have AAD Premium P2)

This is all going to be a lot easier going forward with the new policy templates for identity and devices. Go to Azure AD – Security – Conditional Access – New policy – Create a new policy from templates. Another step to take is to create a system for managing the lifecycle of policies and there’s an API for backing up and updating policies, that you can access in several ways, including PowerShell. There’s even a tutorial to set up a backup system using a Logic App.

Conditional Access policy templates for identity

A common question is whether there’s a priority order when policies are evaluated. There isn’t: all policies are processed together for a particular sign-in, from a specific device and location to an individual application. If multiple policies apply with different controls (MFA + compliant device), all controls must be fulfilled for access. And if there are conflicting policies with different access (block vs grant), block access wins.

To get you started, here are the step-by-step instructions for a policy blocking access to M365 from outside your country, appropriate for most small and medium businesses that only operate in one or a few countries. Keep in mind that travelling staff may be caught out by this so make sure you align with business objectives and be aware that this won’t stop every attack as a VPN or TOR exit node can make it appear as if the attacker is in your country, but it’s one extra step they must take. Remember, you don’t have to run faster than the Fancy Bear, just faster than other companies around you.

Start by going to Azure AD – Security – Conditional Access – Named locations, click +Countries location and call the location Blocked countries. Leave Determine location by IP address selected; a newer option uses the GPS location from the Microsoft Authenticator app, which will be more accurate once all your users are on Azure AD MFA (and can therefore be located via GPS). Tick the box next to Name to select all countries, then find the one(s) that you need to allow login from, deselect them, and click Create.

Creating a Named Location for a Conditional Access Policy

Go to Azure AD – Security – Conditional Access – New policy – Create new policy and name your policy with a name that clearly defines what the policy does and adheres to your naming standard. Click on All Users… and Include All users and Exclude your Break Glass accounts.

Click on No cloud apps… and select All cloud apps. Select 0 conditions… and click Not configured under Locations. Pick Selected locations under Include and select your newly created location. Finally, under Access controls – Grant, click 0 controls selected and then Block access.

CA policies can either be in Report-only mode, where you can look at reports of what they would have blocked and which controls they would have enforced, or they can be turned on / off. Report-only is handy to make sure you don’t get fired for accidentally locking everyone out, but turn this policy on as soon as possible.
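The evaluation rules above (no priority order, every matching policy applies, block beats grant, all grant controls must be satisfied, excluded break-glass accounts are untouched, report-only policies only report) are easy to get wrong when reasoning about a policy set. This added example (not Microsoft's code or the page's own) models them in Python over the policy set the page recommends; user names, group names, the five-country list and the policy names are constructed for the example.

```python
"""Model of how Conditional Access policies combine for one sign-in.

Added example, not Microsoft's code: it encodes the rules stated on the
page (no priority, every matching policy applies, block wins over grant,
all controls must be met) with constructed users, groups and countries.
"""
from dataclasses import dataclass, field
from typing import Optional

ALL_COUNTRIES = {"AU", "NZ", "US", "GB", "RU"}   # constructed stand-in for the full list
BREAK_GLASS = {"bg-admin-1", "bg-admin-2"}        # constructed break-glass account names


@dataclass(frozen=True)
class SignIn:
    user: str
    groups: frozenset
    app: str
    country: str
    mfa_done: bool = False
    device_compliant: bool = False


@dataclass
class Policy:
    name: str
    state: str = "enabled"                        # "enabled" or "reportOnly"
    include_groups: set = field(default_factory=lambda: {"All"})
    exclude_users: set = field(default_factory=set)
    countries: Optional[set] = None               # None = any location (named location otherwise)
    block: bool = False                           # Block access vs Grant with controls
    controls: set = field(default_factory=set)    # e.g. {"mfa", "compliant_device"}

    def applies(self, s: SignIn) -> bool:
        """Assignment check: excluded users never match, then group and location scope."""
        if s.user in self.exclude_users:
            return False
        in_scope = "All" in self.include_groups or bool(self.include_groups & s.groups)
        if not in_scope:
            return False
        return self.countries is None or s.country in self.countries


def evaluate(policies: list, s: SignIn) -> dict:
    """Outcome for one sign-in: blocked, granted, or controls still owed.
    Report-only policies never change the decision but are listed for review."""
    matched = [p for p in policies if p.applies(s)]
    enforced = [p for p in matched if p.state == "enabled"]
    report_only = [p.name for p in matched if p.state == "reportOnly"]
    blockers = [p.name for p in enforced if p.block]
    if blockers:                                  # block always wins over grant
        return {"result": "blocked", "by": blockers, "report_only": report_only}
    required = set().union(*(p.controls for p in enforced))   # union: every control must be met
    satisfied = {"mfa"} if s.mfa_done else set()
    if s.device_compliant:
        satisfied.add("compliant_device")
    missing = sorted(required - satisfied)
    return {"result": "granted" if not missing else "controls_required",
            "missing": missing, "report_only": report_only}


# The policy set recommended on the page, with the country block built from
# the "Blocked countries" named location (every country except AU).
POLICIES = [
    Policy("CA001 Require MFA for users", exclude_users=BREAK_GLASS, controls={"mfa"}),
    Policy("CA002 Require MFA for admins", include_groups={"Admins"},
           exclude_users=BREAK_GLASS, controls={"mfa"}),
    Policy("CA005 Require compliant device for admins", state="reportOnly",
           include_groups={"Admins"}, exclude_users=BREAK_GLASS, controls={"compliant_device"}),
    Policy("CA010 Block access from outside Australia", exclude_users=BREAK_GLASS,
           countries=ALL_COUNTRIES - {"AU"}, block=True),
]

if __name__ == "__main__":
    print(evaluate(POLICIES, SignIn("alice", frozenset({"Staff"}), "Exchange Online", "NZ", mfa_done=True)))
    print(evaluate(POLICIES, SignIn("bob", frozenset({"Staff", "Admins"}), "Azure Portal", "AU")))
    print(evaluate(POLICIES, SignIn("bg-admin-1", frozenset(), "Azure Portal", "RU")))
```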

Conditional Access policy to block logins from outside Australia

A common question is, how can I control how often users are prompted for MFA or to sign in again? While it might be counterintuitive, the default in Azure AD is a rolling window of 90 days. Remember, if you change a user’s password, block non-compliant devices or disable an account (plus any number of other CA policies you have in place that might affect the security posture of the session), it’ll automatically require new authentication. Don’t prompt users for authentication when nothing has changed, because if you do it too frequently, they’re more likely to approve a malicious login.

Branding Log-on Pages

While in the Azure AD portal, click on Company branding and add a company-specific Sign-in page background image (1920x1080px) and a Banner logo (280x60px). Note that these files have to be small (300 KB and 10 KB respectively) so you may have to do some fancy compression. This isn’t just a way to make users feel at home when they see a login page, in most cases when attackers send phishing emails to harvest credentials, they’ll send users to a fake login page that looks like the generic Office 365 one, not your custom one which is another clue that should alert your users to the danger. Also – Windows Autopilot doesn’t work unless you have customized AAD branding.

Edit Azure AD Company Branding images

Self Service Password Reset

The benefit of Self Service Password Reset (SSPR) is lowering the load on your help desk from managing password resets for users. Once enabled, users must register several ways of being identified when resetting their password: mobile app notification/code, email (non-Office 365), mobile/office phone call, or security questions (not available to administrators; you can create custom questions). If you are synchronizing user accounts from AD to Azure AD, take care in setting up SSPR, as the passwords must be written back to AD from the cloud once changed.

Configuring Self Service Password Reset in Azure AD

Unified Auditing

Not restricted to security but nevertheless, a fundamental building block is auditing across Microsoft 365. Go to the Microsoft 365 Defender portal and find Audit in the left-hand menu (it’s almost at the end). If for some reason unified auditing isn’t enabled in your tenant a yellow banner will give you a button to turn it on (it’s on by default for new tenants). Once enabled, click the Audit retention policies tab, and create a policy for your tenant. You want to ensure that you have logs to investigate if there’s a breach and you want them kept for as long as possible.

With Business Premium you get a maximum of 90 days of retention and Microsoft 365 E5 gives you one year, but you want to make sure to create a policy to set this, rather than rely on the default policy (which you can’t see). Give the policy a name, a description and add all the record types, one by one. This policy will now apply to all users (including new ones that are created) for all activities. Only use the Users option when you want to have a specific policy for a particular user. Give the policy a priority, 1 is the highest and 10,000 is the lowest.

Create an audit retention policy for maximum retention

Integrating applications into Azure AD

One of the most powerful but often overlooked features (at least in SMBs) is the ability to use Azure AD to publish applications to your users. Users can go to myapps.microsoft.com (or office.com) and see tiles for all applications they have access to. But there’s more to that story. Say, for example, you have a shared, corporate Twitter account that a few executives and marketing staff should have access to. Instead of sharing a password amongst them all and having to remember to reset it if someone leaves the organization, you can create a security group in AAD, add the relevant users, link Twitter to the group and they’ll automatically have access – without knowing the password to the account. There are a lot more actions you can take here to simplify access and secure management of applications, here’s more information.

Azure AD Connect

If you’re synchronizing accounts from Active Directory to Azure Active Directory (AAD), check the configuration of AAD Connect and make sure you’re not replicating an entire domain or forest to AAD. There’s no reason that service accounts etc. should be exposed in both directories, so start the AAD Connect wizard on the server where it’s installed and double-check that only relevant OUs are synchronized. One other thing to note is that any machine running Azure AD Connect should be treated with the same care (in terms of security) as a domain controller. This is because AAD Connect requires the same level of access as AD itself and has the ability to read password hashes. Making sure security best practices for access, patching, etc. are followed to the letter for the system running AAD Connect is critically important.

The M365 Identity Checklist

Work through the Identity checklist.

 

    • Enable MFA for administrators
    • Enable MFA for users
    • Create cloud-only administrator accounts for privileged users / occasional administrators
    • Disable app passwords
    • (Configure trusted IPs)
    • Disable text message MFA
    • Disable phone call MFA
    • Remember MFA trusted devices 90 days
    • Train staff in using MFA correctly
    • Use Windows Hello where possible
    • Use FIDO2 / 2FA keys where possible
    • Investigate legacy authentication protocol usage in AAD Sign-in logs
    • Block legacy authentication with CA Policy
    • Block legacy authentication in M365 Admin Center
    • Create two Break glass accounts and exempt from MFA, CA Policies etc.
    • Configure alerting if a Break glass account is used
    • Enable Security Defaults in AAD (consider the limitations)
    • Enable PIM (AAD Premium P2) for all admin users
    • Add organization-specific words to Password protection
    • Deploy Password protection in AD on-premises
    • CA Policy Require MFA for admins
    • CA Policy Require MFA for users
    • CA Policy Require MFA for Azure management
    • CA Policy Block legacy authentication
    • CA Policy Require compliant or Hybrid AAD joined device for admins
    • CA Policy Require compliant or Hybrid AAD joined device for users
    • CA Policy Block access to M365 from outside your country
    • Require MFA for risky sign-ins (only for E5)
    • Require password change for high-risk users (only for E5)
    • Create custom branding logos and text in Azure AD
    • Enable and configure Self Service Password Reset, including password writeback
    • Check that Unified Auditing is enabled
    • Define audit retention policies (90 or 365 days)
    • Integrate applications into Azure AD

Download the Excel template to use with your team >

Go Further than Identity to Protect your M365 Tenant

There you have it, all the most important steps to take to make sure your users’ identities are kept secure, and therefore your tenant and its data also safeguarded. Keen to learn and do more?

The Microsoft 365 Security Checklist has another nine chapters of security recommendations each with its own checklist for:

    • Email
    • Teams
    • SharePoint
    • Applications
    • Endpoint Manager
    • Information Protection
    • Secure Score
    • Business Premium
    • Microsoft 365 Enterprise E5

Download the full Microsoft 365 Security Checklist eBook and checklist template >

Deep Dive on M365 Defender
https://www.altaro.com/microsoft-365/deep-dive-m365-defender/
Fri, 18 Feb 2022 13:45:27 +0000
Microsoft 365 Defender is an XDR solution that boasts Identity, Email, Collaboration, and Endpoint protection. But does it cover all you need?


The best way to protect a business of any size today against cyber risks is with an integrated suite of tools. Microsoft 365 Defender is one such service that we’ll look at in this article.

For many years the conventional wisdom, especially in larger organizations, was to buy best of breed solutions for each area. So, you ended up with the “best” (defining the “best” solution is hard, and changes quite quickly) email hygiene solution, the best anti-malware solution, the best firewall etc. And because none of them natively integrated with each other, and manual integration is hard and time-consuming, you ended up with multiple consoles and multiple data silos where low fidelity signals were ignored, while they could actually have told you about a breach in progress if you’d been able to correlate those individual low severity signals between each of the systems. A way to solve this issue is via Security Orchestration and Automation Response (SOAR) solutions that act as a “glue” between each product. Another is to buy an already integrated suite of tools such as Microsoft 365 Defender. The promise is eXtended Detection and Response (XDR), which is an extension of Endpoint Detection and Response (EDR) to indicate that not only endpoints but all systems are included in the protection and response.

Microsoft 365 Defender Main Dashboard

Name changes

In late 2020, Microsoft changed the names of nearly all of their security products so if you’re used to hearing about Advanced Threat Protection (ATP) or Microsoft Threat Protection (MTP), those have all been replaced. There’s now Microsoft 365 Defender which is the umbrella term for the Defenders in M365, as well as a unified console. There’s also Microsoft Defender for Identity (formerly Azure ATP), Microsoft Defender for Office 365 (formerly Office 365 Advanced Threat Protection), Defender for Endpoint (formerly Microsoft Windows Defender, then Microsoft Defender).

These products all tie into Microsoft 365 Defender (M365D) and are commonly abbreviated MDI, MDO and MDE. Microsoft’s Cloud App Security Broker (CASB) was renamed to Defender for Cloud Apps (MDCA?) at the Ignite conference in November 2021, it was previously known as Cloud App Security (MCAS). This makes a whole lot of sense as it’s part of the Defender family and can feed logs into the unified console.

Whilst not strictly a security product, and not bearing the Defender moniker, Azure Active Directory (AAD) and its security features also tie strongly into Microsoft 365 Defender.

There’s also Azure Defender for your IaaS and PaaS workloads in Azure, which also changed its name at Ignite in November 2021 to Microsoft Defender for Cloud. Also, separate from all of these security products but eminently capable of working with all of them is Azure Sentinel – a cloud-based Security Information and Event Management (SIEM).

Meet the Defenders

We have deep-dive articles on MDI, MDO and MDE here in the M365 Dojo but understanding what each of them does is crucial to understanding how Microsoft 365 Defender ties them all together.

MDI is a cloud-based service that monitors your on-premises Active Directory for specific indicators of compromised identities and attacker operations. Anytime an attacker gains a foothold in your organization, one of their first goals is to move laterally and elevate privileges, preferably reaching Domain Dominance. This last stage, where your entire on-premises identity infrastructure is completely under the criminal’s control, takes on average 48 hours.

MDI relies on agents on your Domain Controllers (DCs) or if your security team can’t stomach that, a member server that receives forwarded event log data from each DC and catches network traffic using port mirroring. MDI will catch attacker activity during five phases: Reconnaissance, Compromised credentials, Lateral movement, Domain dominance and Exfiltration.

Because MDI is laser-focused on AD (and AD Federation Services ADFS, after the Solarwinds attacks), it produces high fidelity alerts with very specific data to catch and contain miscreants on your network. Examples of attacks detected include Account enumeration reconnaissance, AS-REP Roasting, Identity theft (pass-the-hash), Skeleton Key attack, Data exfiltration over SMB and many, many others.

MDO is all about providing advanced protection for your Office Online workloads. Incoming emails and attachments are scanned by Exchange Online Protection (EOP) AV engines to provide a base level of protection and if an attachment has never been seen before it’ll be opened in a VM and inspected for malicious behaviour to try and catch zero-day attacks.

MDO also looks at every URL in emails to see if they lead to compromised sites that Microsoft is aware of. It also provides time-of-click scanning as attackers will frequently compromise a benign website, send out their emails with links that won’t raise flags as they’re delivered (since the site isn’t displaying malicious indications at this point), then activate the malicious payload on the website.

By checking the link at the time of actually clicking on it, MDO can offer strong protection against malicious URLs. MDO comes in two flavors, plan 1 covers the above features, whereas plan 2 adds Threat Trackers (intelligence on current attacks in the wild), Threat Explorer (also known as Explorer, shows you recent threats in your tenant), Automated Investigation and Response (AIR) and Attack simulation training (to train your users to recognize phishing emails).

MDE on the other hand is a full-fledged EDR and anti-malware solution for your endpoints, including Windows, MacOS, Android, iOS and Linux. On Windows there’s no agent to deploy, it’s simply a matter of activating the bits already in the OS through onboarding, either with a script or Configuration Manager, Intune, or Group Policy at scale. Apart from local and cloud-based Machine Learning (ML) models to identify new threats, MDE also offers AIR and a complete Threat and Vulnerability Management (TVM) solution.

Threat and Vulnerability Management dashboard

TVM inventories all software installed on your endpoints (Windows 8.1, 10 (1709+), 11 and Windows Server 2008R2+, MacOS and Linux) and compares against known software vulnerabilities. Using signals such as the risk of the vulnerability being exploited, the number of devices in your organization where it’s installed and the usage of the application it’ll give you a prioritized list of programs to upgrade. As this is often a task for the endpoint/desktop team rather than the security team, there’s built-in functionality to create a task in Intune with links to the relevant upgrades etc.

Until recently there was only one version of MDE, but in August 2021 Microsoft announced a new version called Plan 1, while the full-featured version became Plan 2. Plan 1 is in preview and brings Next-generation protection (anti-malware/virus), Attack surface reduction, Manual response actions, Centralized management, Security reports and API access. Plan 2 adds Device discovery, TVM as above, AIR, Advanced hunting, full EDR and Microsoft Threat Experts (MTE). This last one is a managed SOC service by Microsoft which gives you two services, targeted attack notifications where analysts have identified an ongoing attack in your environment and access to experts on-demand to help your SOC if you need them.

At the Ignite 2021 conference, these two siblings (Plan 1 & Plan 2) were joined by a cousin, Microsoft Defender for Business which will (it’s “coming to preview soon”) protect your Windows, macOS, iOS, and Android endpoints for up to 300 users in a business. Unlike Plan 1, it comes with TVM, AIR and full EDR so the only things that are missing are Linux support, MTE and advanced hunting. It’ll be available as part of Microsoft 365 Business Premium or as a standalone license at $3 per user per month. It’ll also integrate with Microsoft 365 Lighthouse.

A common misunderstanding is the difference between MDE and the built-in security features every Windows 10 user can take advantage of: Microsoft Defender Security Center and Microsoft Defender Antivirus. These basic protection features are used by MDE, but it adds many advanced features on top, as outlined above.

There are good alternatives to Microsoft’s services, if you’re looking for email hygiene, archiving / journaling, zero-day protection and email continuity even if Exchange Online is unavailable, plus optional backup, 365 Total Protection is excellent.

Microsoft 365 Defender

MDE used to have its own portal, separate from other security products (securitycenter.windows.com) and while it’s still there it comes with a banner strongly suggesting redirecting users to the main M365 Defender portal (security.microsoft.com). MDI’s previous portal is completely retired and its functionality was moved into the Defender for Cloud Apps portal quite some time ago and MDO is already housed in the M365 Defender portal. The work to integrate MDI into the main Microsoft 365 Defender portal is extensive and is likely to take some time. There’s more to the integration than just a single portal, although that’s a good start.

If you are using MCAS, you can integrate its telemetry into Microsoft 365 Defender.

First, there’s a unified alerts queue, so you’re not looking in one place for an email threat that might have snuck past your mail filtering and in another place for endpoints where that same email attachment might have been opened; it’s all in the same place. The same goes for the unified user page: a user account is an object in MDI (AD) but also an entity in MDO (has a mailbox, OneDrive for Business storage etc.) and of course an object in MDE on whatever devices they’re logged in to.

The unified investigation page is my favourite, the ability to see details of automated actions (AIR) along with options to further investigate myself is very powerful, especially as it spans all the different Defenders. By popular demand, there’s also an email entity page that lets you investigate suspicious emails, including previewing them if they’re stored in an Exchange online mailbox.

Email entity page

There are two ways of controlling access to M365 Defender data using RBAC, either using built-in Azure AD roles or if you want to control access very granularly in a large environment, using Custom role access.

You don’t need to have all the different Defenders enabled to take advantage of M365 Defender, as soon as you enable one workload it works, as you add more services, more of the portal will light up.

Do you like to Hunt?

The coolest benefit of the integration however is the ability to do advanced hunting across all the data flowing into Microsoft 365 Defender. This is a sign of a mature security organization where it’s not all about dealing with alerts and incidents raised by the security systems but where there’s also time for an analyst to say, “I wonder if that attack against a company similar to us last week could have hit us too – let me grab the Indicators of Compromise (IOCs) and look through our logs”. All Microsoft security products rely on Kusto Query Language (KQL) with a similar syntax to SQL for searching through large amounts of security log data and the ability to look in one query over email data (MDO), identity data (MDI), endpoint processes and actions (MDE) as well as third party cloud service logs (MCAS) is incredibly powerful.

There’s a new Advanced Hunting UI, recently released, which offers tabs for each query you’re working with and feedback on the performance of each query run.

Here I’m looking to see if any suspicious PowerShell activity was launched within 30 minutes of a known malicious email being received in the last 7 days.
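The same hunting question, expressed as an added example (not the page's KQL query and not Microsoft code) in Python over constructed records shaped loosely like the EmailEvents and DeviceProcessEvents tables: malicious deliveries in the last 7 days are joined to PowerShell launches by the recipient within 30 minutes, and only command lines with telltale arguments are reported. Timestamps, users, hostnames and the suspicious-argument list are constructed for the example.

```python
"""Correlate malicious-email deliveries with PowerShell launches by the recipient.

Added example, not the page's query: it runs the hunting logic described
above in plain Python over constructed records (EmailEvents-like and
DeviceProcessEvents-like dictionaries) so the join logic can be inspected.
"""
from datetime import datetime, timedelta

NOW = datetime(2022, 2, 18, 12, 0)          # constructed "query time"
LOOKBACK = timedelta(days=7)                # last 7 days of email deliveries
WINDOW = timedelta(minutes=30)              # process start within 30 minutes of delivery
POWERSHELL = ("powershell.exe", "pwsh.exe")
# Constructed indicator list for "suspicious" launches; tune for your environment.
SUSPICIOUS_ARGS = ("-enc", "-w hidden", "downloadstring", "bypass")

# Constructed EmailEvents-like records; ThreatTypes is non-empty for detections.
EMAIL_EVENTS = [
    {"Timestamp": NOW - timedelta(days=1, hours=2), "RecipientEmailAddress": "alice@contoso.example",
     "ThreatTypes": "Malware", "Subject": "Invoice 4471"},
    {"Timestamp": NOW - timedelta(days=2), "RecipientEmailAddress": "bob@contoso.example",
     "ThreatTypes": "", "Subject": "Lunch on Friday"},
    {"Timestamp": NOW - timedelta(days=12), "RecipientEmailAddress": "carol@contoso.example",
     "ThreatTypes": "Phish", "Subject": "Password expiry"},
]

# Constructed DeviceProcessEvents-like records.
PROCESS_EVENTS = [
    {"Timestamp": EMAIL_EVENTS[0]["Timestamp"] + timedelta(minutes=4), "DeviceName": "ws-alice",
     "AccountUpn": "alice@contoso.example", "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe -w hidden -enc <base64 omitted>"},
    {"Timestamp": EMAIL_EVENTS[0]["Timestamp"] + timedelta(minutes=45), "DeviceName": "ws-alice",
     "AccountUpn": "alice@contoso.example", "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe Get-Date"},
    {"Timestamp": EMAIL_EVENTS[1]["Timestamp"] + timedelta(minutes=1), "DeviceName": "ws-bob",
     "AccountUpn": "bob@contoso.example", "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe -enc <base64 omitted>"},
    {"Timestamp": EMAIL_EVENTS[2]["Timestamp"] + timedelta(minutes=5), "DeviceName": "ws-carol",
     "AccountUpn": "carol@contoso.example", "FileName": "pwsh.exe",
     "ProcessCommandLine": "pwsh.exe -enc <base64 omitted>"},
]


def is_suspicious(command_line: str) -> bool:
    """True when the command line carries one of the constructed indicator arguments."""
    lowered = command_line.lower()
    return any(arg in lowered for arg in SUSPICIOUS_ARGS)


def hunt(emails: list, processes: list, now: datetime = NOW) -> list:
    """Return one hit per (malicious email, PowerShell launch) pair where the
    launch is by the recipient, within WINDOW after delivery, inside LOOKBACK."""
    hits = []
    for e in emails:
        if not e["ThreatTypes"] or e["Timestamp"] < now - LOOKBACK:
            continue                                    # benign or too old
        for p in processes:
            if p["AccountUpn"] != e["RecipientEmailAddress"]:
                continue                                # join on the recipient
            if p["FileName"].lower() not in POWERSHELL:
                continue
            delta = p["Timestamp"] - e["Timestamp"]
            if timedelta(0) <= delta <= WINDOW and is_suspicious(p["ProcessCommandLine"]):
                hits.append({"user": e["RecipientEmailAddress"], "subject": e["Subject"],
                             "device": p["DeviceName"], "minutes_after": int(delta.total_seconds() // 60),
                             "command_line": p["ProcessCommandLine"]})
    return hits


if __name__ == "__main__":
    for hit in hunt(EMAIL_EVENTS, PROCESS_EVENTS):
        print(hit)
```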

Advanced Hunting in Microsoft 365 Defender

If you find events of interest during hunting, you can now use them to create an incident or add them as alerts to an existing incident. You can also bring in external data into hunting queries from lists of IP addresses, accounts etc.

Microsoft 365 Defender also offers a Secure Score across identities, devices and apps, giving you an overview of where you have strong controls in place and areas where you can improve your tenant’s overall security posture.

Microsoft 365 Defender Secure Score

There’s also a unified view of Alerts and Incidents, actions taken by AIR and reports for endpoints, emails, identity, and overall security.

Alternative Solutions

While Microsoft 365 Defender is a comprehensive security solution it’s not the only game in town. There are many other providers that offer various solutions for email hygiene that integrate neatly with Exchange Online and provide features Microsoft doesn’t. There are also services for email continuity (when Exchange Online is down), encryption of sensitive data, long term archiving of emails for compliance, signature services, backup of Office 365 data and many other EDR and XDR solutions on the market. One reason for choosing a different provider is the perceived conflict of interest when Microsoft is both providing the collaboration platform and the security services on top. Furthermore, picking best of breed solutions for particular threats often provides strong protection as those third-party providers are solely focused on specialising in those areas – just make sure the integrations required to the rest of the security stack you need are available.

Is Defender All you Need?

The power of an integrated suite that looks for malicious activity across email, identity and endpoints is certainly appealing. There are a few things to keep in mind, however: Microsoft 365 Defender is focused on Microsoft 365 (it’s in the name) but most organizations have many other platforms and services to secure and monitor which is where a SIEM like Azure Sentinel comes into play. It can ingest data from Microsoft 365 Defender and many other Microsoft services, along with 100+ third-party data sources for a true single view of your digital estate. There’s also bi-directional synchronization between them so if you close an incident in Microsoft 365 Defender, it closes in Azure Sentinel and vice versa. Log retention is only 30 days in Microsoft 365 Defender whereas Azure Sentinel gives you 90 days for free, with several different options for storing security log data for longer.

However, and this should not be underestimated, most features in the Defender family require Microsoft 365 E5 licensing (or M365 E3 plus add-ons) which definitely is not cheap, especially in medium to large organizations. The price increase from E3 licensing to the required E5 is a big one and massively more expensive than assembling equivalent non-MS security solutions instead. For example, Hornetsecurity’s 365 Total Protection Enterprise which includes (amongst others) the equivalent security features, is currently priced at $4 per licence as opposed to $14 per user, per month for Microsoft’s security suite (calculated as the difference between Office365 E3 and Office365 E5 licencing from Microsoft.com).

Not only is it more affordable, but 365 Total Protection Enterprise, as a dedicated security service, also offers greater overall email security than Microsoft can, for example 10-year email archiving.

In conclusion, Microsoft 365 Defender is a robust one-stop shop for M365 security and as an integrated suite offers undeniable ease of use but lacks the cutting-edge protection provided by specialised third-party solutions and comes at a considerable cost.

Download a free trial of Hornetsecurity 365 Total Protection and try it out for yourself!

How to Recover Deleted Emails in Microsoft 365
https://www.altaro.com/microsoft-365/recover-emails-m365/
Sun, 30 Jan 2022 16:56:10 +0000
In M365, deleted mail becomes one of three states: Deleted, Soft-Deleted, or Hard-Deleted. This article explains recovery from each state.


When the CEO realizes they deleted a vital email thread three weeks ago, email recovery suddenly becomes an urgent task. Sure, you can look in the Deleted Items folder in Outlook, but beyond that, how can you recover what has undergone “permanent” deletion? In this article, we review how you can save the day by bringing supposedly unrecoverable email back from the great beyond.

Deleted Email Recovery in Microsoft And Office 365

Email Recovery for Outlook in Exchange Online through Microsoft and Office can be as simple as dragging and dropping the wayward email from the Deleted Items folder to your Inbox. But what do you do when you can’t find the email you want to recover?

First, let’s look at how email recovery is structured in Microsoft 365. There are a few more layers here than you might think! In Microsoft 365, deleted email can be in one of three states: Deleted, Soft-Deleted, or Hard-Deleted. The way you recover email and how long you have to do so depends on the email’s delete status and the applicable retention policy.

Email Recovery in Microsoft 365

Let’s walk through the following graphic and talk about how email gets from one state to another, the default policies, how to recover deleted email in each state, and a few tips along the way.

Items vs. Email

Outlook is all about email yet also has tasks, contacts, calendar events, and other types of information. For example, you can delete calendar entries and may be called on to recover them, just like email. For this reason, the folder for deleted content is called “Deleted Items.” Also, when discussing deletions and recovery, it is common to refer to “items” rather than limiting the discussion to just email.

Policy

Various rules control the retention period for items in the different states of deletion. A policy is an automatically applied action that enforces a rule related to services. Microsoft 365 has hundreds of policies you can tweak to suit your requirements. See Overview of Retention policies for more information.

‘Deleted Items’ Email

When you press the Delete key on an email in Outlook, it’s moved to the Deleted Items folder. That email is now in the “Deleted” state, which simply means it moved to the Deleted Items folder. How long does Outlook retain deleted email? By default – forever! You can recover your deleted mail with just a drag and drop to your Inbox. Done!

If you can’t locate the email in the Deleted Items folder, double-check that you have the Deleted Items folder selected, then scroll to the bottom of the email list. Look for the following message:

Outlook Deleted Items Folder

If you see the above message, your cache settings may be keeping only part of the content in Outlook and the rest in the cloud. The cache helps to keep mailbox sizes lower on your hard drive, which in turn speeds up search and load times. Click on the link to download the missing messages.

But I Didn’t Delete It!

If you find content in the Deleted Items and are sure you did not delete it, you may be right! Administrators can set Microsoft 365 policy to delete old Inbox content automatically.

Mail can ‘disappear’ another way. Some companies enable a personal archive mailbox for users. When enabled, by default, any mail two years or older will “disappear” from your Inbox and the Deleted Items folder. However, there is no need to worry. While apparently missing, the email has simply moved to the Archives Inbox. A personal Archives Inbox shows up as a stand-alone mailbox in Outlook, as shown below.

Stand-alone mailbox in Outlook

 

As a result, it’s a good idea to search the Archives Inbox, if it is present when searching for older messages.

Another setting to check is one that deletes email when Outlook is closed. Access this setting in Outlook by clicking “File,” then “Options,” and finally “Advanced” to display this window:

Outlook Advanced Options

If enabled, Outlook empties the Deleted Items folder when it is closed. The deleted email then moves to the ‘soft-delete’ state, which is covered next. Keep in mind that with this setting, all emails will be permanently deleted after 28 days.

‘Soft-Deleted’ Email

The next stage in the process is Soft-Deleted. Soft-deleted email has been removed from the Deleted Items folder but is still easily recovered. At a technical level, the mail is deleted locally from Outlook and placed in the Exchange Online folder named Deletions, which is a sub-folder of Recoverable Items. Any content in the Recoverable Items folder in Exchange Online is, by definition, considered soft-deleted.

You have, by default, 14 days to recover soft-deleted mail. The service administrator can change the retention period to a maximum of 30 days. Be aware that this can consume some of the storage capacity assigned to each user account and you could get charged for overages.

How items become soft-deleted

There are three ways to soft-delete mail or other Outlook items.

  1. Delete an item already in the Deleted Items folder. When you manually delete something that is already in the Deleted Items folder, the item is soft-deleted. Any process, manual or otherwise, that deletes content from this folder results in a ‘soft-delete’.
  2. Pressing Shift + Delete on an email in your Outlook Inbox brings up a dialog box asking if you wish to “permanently” delete the email. Clicking Yes removes the email from the Deleted Items folder but only performs a soft delete. You can still recover the item if you do so within the 14-day retention period.

Soft Deleting Items in Outlook

  3. The final way items can be soft-deleted is by using Outlook policies or rules. By default, there are no policies that will automatically remove mail from the Deleted Items folder in Outlook. However, users can create rules that ‘permanently’ delete (in fact, soft-delete) email. If you’re troubleshooting missing emails, have the user check for such rules. Click Rules on the Home menu and examine any created rules in the Rules Wizard shown below.

Microsoft Outlook Policies and Rules

Note that the caution is a bit misleading as the rule’s action will soft-delete the email, which, as already stated, is not an immediate permanent deletion.

Recovering soft-deleted mail

You can recover soft-deleted mail directly in Outlook. Be sure the Deleted Items folder is selected, then look for “Recover items recently removed from this folder” at the top of the mail column, or the “Recover Deleted Items from Server” action on the Home menu bar.

Recovering soft-deleted mail in Outlook

Clicking on the recover items link opens the Recover Deleted Items window.

Recover Deleted Items, Microsoft Outlook

Click on the items you want to recover or Select All, and click OK.

NOTE: The recovered email returns to your Deleted Items folder. Be sure to move it into your Inbox.

If the email you’re looking for is not listed, it could have moved to the next stage: ‘Hard-Deleted.’

While users can recover soft-deleted emails, administrators can also recover soft-deleted emails on their behalf using the ‘Hard-Deleted’ email recovery process described next (which works for both hard and soft deletions). Microsoft also provides two PowerShell cmdlets that are very useful here for those who would rather script the tasks: Get-RecoverableItems and Restore-RecoverableItems search for and restore soft-deleted emails.

Hard-Deleted Email

The next stage of deletion is ‘Hard Delete.’ Technically, items are hard-deleted when they are moved from the Deletions folder to the Purges folder (both under Recoverable Items) in Exchange Online. Administrators can still recover items in this folder within the recovery period set by policy, which ranges from 14 days (the default) to 30 days (the maximum). You can extend the retention beyond 30 days by placing a legal or litigation hold on the item or mailbox.

How items become Hard-Deleted

There are two ways content becomes hard-deleted.

  1. By policy, soft-deleted email is moved to the hard-deleted stage when the retention period expires.
  2. Users can hard-delete mail manually by selecting the Purge option in the Recover Deleted Items window shown above. (Again, choosing to ‘permanently delete’ mail with Shift + Del results in a soft-delete, not a hard-delete.)

Recovering Hard-Deleted Mail

Once email enters the hard-delete stage, users can no longer recover the content. Only service administrators with the proper privileges can initiate recovery, and no administrators have those privileges by default, not even the global admin. The global admin does have the right to assign privileges so that they can give themselves (or others) the necessary rights. Privacy is a concern here since administrators with these privileges can search and export a user’s email.

Microsoft’s online documentation Recover deleted items in a user’s mailbox details the step-by-step instructions for recovering hard-deleted content. The process is a bit messy compared to other administrative tasks. As an overview, the administrator will:

  1. Assign the required permissions.
  2. Search the Inbox for the missing email.
  3. Copy the results to a Discovery mailbox where you can view mail in the Purged folder (optional).
  4. Export the results to a PST file.
  5. Import the PST to Outlook on the user’s system and locate the missing email in the Purged folder.
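The PowerShell route mentioned for soft-deleted mail and the hard-delete recovery steps above, combined into one script. This is an added example, not code from the article or from Microsoft’s documentation; the mailbox, subject and date range are constructed placeholders, the ExchangeOnlineManagement module is assumed to be installed, and the account running it is assumed to already hold the mailbox recovery and eDiscovery permissions the article refers to.

```powershell
# Added example (not from the original article): find a user's deleted mail
# by subject and date across the soft-deleted (Deletions) and hard-deleted
# (Purges) stages, restore what the RecoverableItems cmdlets can reach, and
# otherwise start the Content Search that the hard-delete procedure relies on.
# Mailbox, subject and dates are constructed placeholders.
param(
    [string]$Mailbox  = 'user@contoso.example',   # placeholder
    [string]$Subject  = 'Q3 contract',            # placeholder
    [datetime]$From   = (Get-Date).AddDays(-30),
    [datetime]$To     = Get-Date
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Get-RecoverableItems is read-only, so inspect both stages before restoring.
# RecoverableItems = the Deletions folder (soft-deleted), PurgedItems = Purges
# (hard-deleted); both are still reachable by an admin inside the 14/30-day window.
$found = @{}
foreach ($folder in 'RecoverableItems', 'PurgedItems') {
    $found[$folder] = @(Get-RecoverableItems -Identity $Mailbox -FilterItemType IPM.Note `
        -SubjectContains $Subject -FilterStartTime $From -FilterEndTime $To `
        -SourceFolder $folder)
    '{0,-16} {1} item(s)' -f $folder, $found[$folder].Count
}

$total = $found['RecoverableItems'].Count + $found['PurgedItems'].Count
if ($total -gt 0) {
    # Restore-RecoverableItems puts each item back in its original folder
    # (not Deleted Items); the same filters keep the restore scoped to the match.
    foreach ($folder in ($found.Keys | Where-Object { $found[$_].Count -gt 0 })) {
        Restore-RecoverableItems -Identity $Mailbox -FilterItemType IPM.Note `
            -SubjectContains $Subject -FilterStartTime $From -FilterEndTime $To `
            -SourceFolder $folder
    }
}
else {
    # Nothing left in Recoverable Items: fall back to an eDiscovery Content
    # Search (steps 2-4 above). The PST export itself is downloaded from the
    # compliance portal after New-ComplianceSearchAction -Export.
    Connect-IPPSSession
    $name  = 'Recover-{0}-{1}' -f $Mailbox.Split('@')[0], (Get-Date -Format 'yyyyMMddHHmm')
    $query = 'subject:"{0}" AND received>={1:yyyy-MM-dd} AND received<={2:yyyy-MM-dd}' -f $Subject, $From, $To
    New-ComplianceSearch -Name $name -ExchangeLocation $Mailbox -ContentMatchQuery $query | Out-Null
    Start-ComplianceSearch -Identity $name
    do {
        Start-Sleep -Seconds 15
        $search = Get-ComplianceSearch -Identity $name
    } while ($search.Status -ne 'Completed')
    "Content Search '$name' matched $($search.Items) item(s) in $Mailbox."
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run the read-only Get-RecoverableItems part first on its own if you want to confirm the match count before anything is restored.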

Last Chance Recovery

Once hard-deleted items are purged, they are no longer discoverable by any method by users or administrators. You should consider the recovery of such content as unlikely. That said, if the email you are looking for is not recoverable by any of the above methods, you can open a ticket with Microsoft 365 Support. In some circumstances, they may be able to find the email that has been purged but not yet overwritten. They may or may not be willing to look for the email, but it can’t hurt to ask, and it has happened.

What about using Outlook to backup email?

Outlook does allow a user to export email to a PST file. To do this, click “File” in the Outlook main menu, then “Import & Export” as shown below.

Outlook Menu, Import Export

You can specify what you want to export and even protect the file with a password.

While useful from time to time, a backup plan that depends on users manually exporting content to a local file doesn’t scale and isn’t reliable. Consequently, don’t rely on this as a possible backup and recovery solution.

Alternative Strategies

After reading this, you may be thinking, “isn’t there an easier way?” A service like Altaro Office 365 Backup allows you to recover from point-in-time snapshots of an inbox or other Microsoft 365 content. Having a service like this when you get that urgent call to recover a mail from a month ago can be a lifesaver.

Summary

Users can recover most deleted emails without administrator intervention. Often, deleted email simply sits in the Deleted Items folder until manually cleared. When that occurs, email enters the ‘soft-deleted’ stage and is easily restored by a user within 14 days. After this period, the item enters the ‘hard-deleted’ state. A service administrator can recover hard-deleted items within the recovery window. After the hard-deleted state, email should be considered unrecoverable. Policies can be applied to extend the retention times of deleted mail in any state. While administrators can go far with the web-based administration tools, the entire recovery process can be scripted with PowerShell to customize and scale larger projects or provide granular discovery. It is always a great idea to use a backup solution designed for Microsoft 365, such as Altaro Office 365 Backup.

M365 Records Management Guide https://www.altaro.com/microsoft-365/m365-records-management/ Fri, 28 Jan 2022 07:30:50 +0000

Several technologies work together in Microsoft 365, helping you manage the lifecycle of your data and documents. Here is an overview of some of the helpful features.


There are several technologies that work together in Microsoft 365 to help you manage the lifecycle of your data and documents. In this article, we’ll start with an overview of these and when to use which one, followed by a deep dive into records management and some very powerful features on offer.

Knowing what you have is the first step

Discovering the data you have, and where there’s sensitive information that you need to protect, is the first step. If it isn’t enabled, make sure to enable Office 365 audit logging in your tenant. It can take several hours until audit data starts showing up, so do this ahead of time.

As part of what Microsoft calls “know your data” you can explore what you have stored in Exchange Online, SharePoint Online and OneDrive for Business before creating any policies or making any changes (apart from enabling auditing). In the Microsoft 365 compliance portal, click on Data classification and the Overview tab will show you the number of sensitive documents stored in any of the online locations (on-premises data will be included here in a coming update if you deploy the AIP Scanner – see below).

Overview in Data Classification

The Content explorer tab, on the other hand, gives you more than just overview statistics; it lets you dig into this data. Note that you need permissions not part of the default Global Administrator role to see this data, as well as at least one license of Office 365 E5, M365 E5 or one of the Advanced Compliance E5 / Advanced Threat Intelligence E5 add-ons. Accounts with the Content Explorer List viewer role can see the number of sensitive documents in each repository and individual document names but NOT their content, whereas an account that also has the Content Explorer Content viewer role can see the content of each document. Be very careful when assigning these permissions, as these administrators are able to access sensitive data.

Content Explorer in Data Classification

Information Protection

Once you have some idea of the sensitivity of the documents stored in your tenant, it’s time to apply protection to them. This is done through Sensitive Information Types (SIT) labelling and policies. Currently, Microsoft has 152 different built-in SITs that you can build policies around, covering many types of PII from different countries in the world.

If you have in-house sensitive data types you can build your own SIT (essentially a regex with supporting keywords and information). For more complex document types you can use trainable classifiers (in preview), a machine learning model that you train to recognize a particular type of document (European Contracts for example).

Using SITs you then build policies that label the email, Office document, PDF, image or another type of document that contains one or more examples of sensitive information. You can further add headers, footers or watermarks to sensitive documents and control permissions for accessing the document, no matter how it’s shared, using built-in encryption.

To scan, label and optionally protect on-premises documents in SharePoint (2013+) and file shares you can use the Azure Information Protection (AIP) scanner.

Sensitive Information Types in M365

Usage of SITs and policies requires M365 E3 or E5 licensing; auto labelling requires M365 E5, as do trainable classifiers and the AIP scanner.

Data Loss Prevention

In addition to protecting sensitive data, you probably also want to make sure it’s not shared with the wrong people accidentally. This is the job of Data Loss Prevention (DLP) which relies on the same SITs to give users warning when they’re about to share credit card numbers with an external user via email for instance. Recently (November 2020) DLP protection was extended to Windows 10 endpoints, providing a powerful option for controlling data sharing everywhere (particularly useful now that many of us are working from home).

One big “philosophical” difference between Microsoft’s Information Governance solutions and third-party solutions is that Microsoft manages data “in place”, whereas other solutions create copies of the data in separate repositories, adding extra cost and complexity.

Need to retain data for seven years and ensure it doesn’t get deleted? Create a retention policy and even if users try to delete emails or documents, they will be available for the seven years. Need to ensure that only these three people can access this sensitive Word contract, even if they try to share it with someone else? Use Information Protection to apply permissions to the document and encrypt it – ensuring that only the right people have access to it. Need to ensure that these finalized legal contracts are retained for ten years and not tampered with – use Records Management and keep them where they’re stored, secure in the knowledge that they can’t be altered.

Retention

Sometimes you have data that isn’t sensitive and thus doesn’t fall into what you’d use Information Protection or DLP for, but you have a business or regulatory need to retain the data for a certain number of years. Both SharePoint and Exchange have built-in tech for this (a leftover from when they were on-premises server solutions) but the newer, unified approach in Office 365 lets you retain data, no matter where it’s stored.

Creating a retention label with a disposition review

There are both retention labels and retention policies and you can use them together for slightly different use cases. This is unlike Information Protection policies where you create the labels first and then the label policy is what makes them available for users to use.

Retention labels (but not Retention policies) can also optionally be used to label content as records for Records management. If an individual document has different and conflicting retention labels/policies applied to it there’s a workflow to determine how long it’ll be retained and when it’ll be deleted.

Records Management in M365

Now that you’ve seen the basics for identifying, protecting and managing the data you have in your business – let’s turn to records management. This is used to adhere to legal, regulatory and business needs to manage certain types of documents differently. It can be done manually by applying a retention label or based on the content using SITs, keywords or content types. You can control the retention period based on when the document was created, last modified or (unique to records) based on a particular event taking place, such as an employee leaving the company, a contract expiring or a particular product reaching a stage in its lifecycle. This makes it possible to build workflows around governing the retention of documents.

There are three types of restrictions that can be applied using records (plus the fourth, ordinary retention labels), Record – locked, Record – unlocked and Regulatory record. The last one is new, based on feedback from customers, and lets you lock/prevent any changes not only to the document content but also to its metadata, stops you moving the document to another location AND blocks the ability to change or remove the label. This is important where businesses have strict regulations to follow and must prove that documents are immutable once declared records. The locked/unlocked record types differ in whether they allow changes to the content or not.

If your business could benefit from Regulatory records be aware that you need to enable the feature for it to show up in the UI. Also be aware that if you do declare a document as a Regulatory record and you later want to remove the label you have to contact support – there’s no other way to do it (which is the point, to show auditors that the record really is immutable).

Records management has another feature – File plan. This is a structure similar to traditional (paper-based) records management and lets you add the business function/department, category (and optional subcategories), authority type and provision/citation to the plan.

Defining file plan descriptors for a label

Once created, File plans can be exported as CSV files and edited in Excel, as well as imported back into M365, which comes in handy if you’re migrating from a legacy system or you need to import a large number of labels in one go. It’s also useful as you sit down with business stakeholders to figure out which documents should be treated as records and design the workflow around them.

This workflow can involve users declaring a record manually, which works for small numbers of documents, or, as mentioned above, a label applied when a particular event happens. You can also attach retention labels automatically to documents, based on SITs, keywords or searchable properties of the documents, or trainable classifiers. Be aware that auto-apply retention labels can take up to seven days to apply.

To complete the lifecycle of your records, you need to plan for their disposition at the end of their useful life. As we’ve seen, records management in M365 is intimately connected to retention labels, which by definition configure how long different types of data should be kept.

Once time’s up, you can have the information automatically deleted, just left where it is, or trigger a disposition review. This last option requires that the users who will perform it hold the Disposition Management role (not part of the Global Administrator role by default), and auditing has to be enabled. There’s also a Records Management role which doesn’t include the Disposition Management role today, but this role is changing in mid-December 2020 to include the Disposition Management role.

Disposition reviews cover content in Exchange Online mailboxes, SharePoint sites, OneDrive accounts and Microsoft 365 groups (Teams). Reviewers receive an email notification on a weekly basis and then use the Disposition tab in the Compliance Center to review the content and either permanently delete it, extend the retention period or apply a different retention label.

Disposition options (courtesy of Microsoft)

Note that you can only define individual user accounts or mail-enabled security groups as reviewers and I recommend the latter because if you have a seven-year retention period you can’t guarantee that the people who were given the task that long ago are still around (although you can, of course, update the retention label with new reviewers as time goes on).
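The pieces described in this section (enabling regulatory records, file plan descriptors, an event-based regulatory record label and a disposition review assigned to a mail-enabled security group) scripted with the Security & Compliance PowerShell cmdlets. This is an added example, not code from the article or from Microsoft; the department, category, authority, event type, reviewer address and label names are constructed placeholders, the ExchangeOnlineManagement module is assumed to be installed, and the JSON key names for file plan properties are taken from the New-ComplianceTag documentation as I recall it.

```powershell
# Added example (not from the original article): create the records-management
# objects discussed above. All names below are constructed placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

# The Regulatory record option is hidden until explicitly enabled (see above).
Set-RegulatoryComplianceUI -Enabled $true

# File plan descriptors must exist before a label can reference them.
New-FilePlanPropertyDepartment -Name 'Legal'
New-FilePlanPropertyCategory   -Name 'Contracts'
New-FilePlanPropertyAuthority  -Name 'Corporate policy'

# Event-based retention: the clock starts when this event type is triggered
# for the matching items, not when the document was created or modified.
New-ComplianceRetentionEventType -Name 'Contract expired'

# File plan properties are passed to the label as JSON (assumed key names;
# values must match the descriptors created above).
$filePlan = @{ Settings = @(
    @{ Key = 'FilePlanPropertyDepartment';  Value = 'Legal' },
    @{ Key = 'FilePlanPropertyCategory';    Value = 'Contracts' },
    @{ Key = 'FilePlanPropertyAuthority';   Value = 'Corporate policy' },
    @{ Key = 'FilePlanPropertyReferenceId'; Value = 'LEGAL-CON-01' }
) } | ConvertTo-Json -Depth 6

# Regulatory record: content, metadata, location and the label itself are
# locked. Ten years after the event, the item goes to a disposition review
# rather than being deleted silently. The reviewer is a mail-enabled security
# group, as recommended above, so the task survives staff turnover.
New-ComplianceTag -Name 'Finalized contract (regulatory)' `
    -IsRecordLabel $true -Regulatory $true `
    -RetentionType EventAgeInDays -EventType 'Contract expired' `
    -RetentionDuration 3650 -RetentionAction KeepAndDelete `
    -ReviewerEmail 'records-review@contoso.example' `
    -FilePlanProperty $filePlan `
    -Comment 'Immutable once applied; removing the label requires a support ticket.'

# Publish the label so users can apply it in SharePoint and OneDrive.
New-RetentionCompliancePolicy -Name 'Legal contract records' `
    -SharePointLocation All -OneDriveLocation All
New-RetentionComplianceRule -Name 'Publish contract record label' `
    -Policy 'Legal contract records' `
    -PublishComplianceTag 'Finalized contract (regulatory)'

# Verify the label settings before anyone applies it: once a document is a
# regulatory record, the label cannot be removed without contacting support.
Get-ComplianceTag -Identity 'Finalized contract (regulatory)' |
    Format-List Name, IsRecordLabel, Regulatory, RetentionType, EventType,
                RetentionDuration, RetentionAction, ReviewerEmail
```

Test this in a non-production tenant first; a regulatory label applied by mistake stays until a support ticket removes it.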

The licensing required to declare records manually or automatically is M365 E5, E5 Compliance, E5 Information Protection and Governance, O365 E5 or E5 Advanced Compliance.

Conclusion

Microsoft is improving the overall governance of information in Microsoft 365 and adding new features regularly to provide a holistic solution built into the platform. Managing records “in-place” is a good approach. Are there documents in your business that you need this type of control over? If so, try out Records management to see if it fulfils your business and regulatory requirements.
