Microsoft Security Virtual Training Day: Protect Sensitive Information and Manage Data Risk

Transcript of Microsoft Security Virtual Training Day: Protect Sensitive Information and Manage Data Risk

Page 1: Microsoft Security Virtual Training Day: Protect Sensitive Information and Manage Data Risk

Page 2: Day 1 Slides

Page 3: Copyright notice

© Copyright Microsoft Corporation. All rights reserved. FOR USE ONLY AS PART OF VIRTUAL TRAINING DAYS PROGRAM. THESE MATERIALS ARE NOT AUTHORIZED FOR DISTRIBUTION, REPRODUCTION OR OTHER USE BY NON-MICROSOFT PARTIES.

Page 4: Information Protection (segment 1 of 2)

• Information Protection concepts
• Sensitivity labels
• Data Loss Prevention (DLP) basics
• Create a DLP policy
• Customize DLP policies
• Policy tips

Page 7: Digital estate

The digital estate has expanded in three stages, and each stage is harder to protect than the last:

• On-premises: perimeter protection
• Managed mobile environment: identity and device management protection
• Unregulated/unknown: hybrid data is the new normal, and it is harder to protect

Page 8: Your classification journey

Classify data: begin the journey

• Classify data based on sensitivity (for example: Personal, Confidential, Restricted, Internal, Public)
• IT admin sets policies, templates, and rules
• Start with the data that is most sensitive
• IT can set automatic rules; users can complement them
• Associate actions such as visual marking and protection

Page 9: Four ways to classify data

Classification user experiences:

• Automatic: policies can be set by IT admins for automatically applying classification and protection to data
• Recommended: based on the content you are working on, you can be prompted with a suggested classification
• Reclassification: you can override a classification and optionally be required to provide a justification
• User set: users can choose to apply a sensitivity label to the email or file they are working on with a single click

Page 10: Balance data security and productivity

Secure data:

• Enforce conditional access to sensitive data
• DLP actions to block sharing
• Encrypt files and emails based on sensitivity label
• Prevent data leakage through DLP policies based on sensitivity label
• Separate business data from personal data on devices
• Secure email with encryption and permissions

Enable productivity:

• Manually apply sensitivity labels consistently across apps and endpoints
• Show recommendations and tooltips for sensitivity labels with auto-labeling and DLP
• Visual markings to indicate sensitive documents across apps and services (e.g. watermark, lock icons, sensitivity column in SharePoint Online)
• Co-author and collaborate on sensitive documents
• Enable searching of encrypted files in SharePoint
• Allow users to open and share encrypted PDF files in Edge in addition to Adobe Acrobat Reader

Page 11: Sensitivity labels explained

• Customizable
• Persists as container metadata or file metadata
• Readable by other systems
• Determines DLP policy based on labels
• Extensible to partner solutions
• Manual or automated labels
• Apply to content or containers
• Label data at rest, data in use, or data in transit
• Enable protection actions based on labels
• Seamless end-user experience across productivity applications

Page 12: Capabilities of sensitivity labels

Capabilities include: encrypt, mark content, prevent data loss, protect content in containers, and apply labels automatically

Page 13: Demo: Sensitivity labels

Page 14: Sensitivity label policies

Best practice: think across all environments

• On-prem: classify and label data in on-premises repositories
• Office apps across platforms: label and protect Office files natively across Windows, Mac, iOS, Android and web clients
• SharePoint sites, Teams, Office 365 Groups: label and protect sensitive SharePoint sites, Teams, Office 365 Groups and Power BI artifacts
• Exchange Online: automatically label and protect sensitive emails in Exchange Online
• SharePoint Online: automatically label and protect sensitive files in SharePoint Online and OneDrive for Business
• Non-Microsoft clouds and SaaS apps: extend protection through Microsoft Cloud App Security to third-party clouds and SaaS apps

Unified label management in the Microsoft 365 Compliance center

Page 15: Create and configure sensitivity labels and policies

• Admin: creates a sensitivity label, then publishes it to the users and groups selected in a label policy
• End user: works on an email or document, sees the available labels, and classifies the document by applying a label
• Office or third-party app/service: enforces the protection settings on the email or document based on the applied label
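
The admin half of that workflow, scripted in Security & Compliance PowerShell. This is an added example, not code from the training deck or from Microsoft; the label name, policy name, marking text and the contoso.com domain are placeholders, and it assumes a session opened with Connect-IPPSSession by an account holding the Compliance Administrator role.

```powershell
# Added example (not from the deck): create a sensitivity label and publish it.
# Assumptions: names, marking text and the contoso.com domain are placeholders;
# the session is opened with Connect-IPPSSession as a Compliance admin.
Connect-IPPSSession

# Step 1 (admin): create the label. Visual markings and encryption are label
# settings; once applied, the label travels with the file as metadata.
New-Label -Name 'Confidential' -DisplayName 'Confidential' `
    -Tooltip 'Business data that would cause harm if shared outside the company' `
    -ApplyContentMarkingHeaderEnabled $true -ApplyContentMarkingHeaderText 'CONFIDENTIAL' `
    -ApplyWaterMarkingEnabled $true -ApplyWaterMarkingText 'CONFIDENTIAL' `
    -EncryptionEnabled $true -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions 'contoso.com:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,EXTRACT,REPLY,REPLYALL,FORWARD,OBJMODEL' `
    -EncryptionOfflineAccessDays 7

# Step 2 (admin): publish the label through a label policy so users see it in
# Office, Outlook, SharePoint, OneDrive and Microsoft 365 Groups. Requiring a
# justification on downgrade is the "reclassification" control from the
# classification slide: users can still lower the label, but must say why.
New-LabelPolicy -Name 'Global-Sensitivity-Labels' -Labels 'Confidential' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -ModernGroupLocation All `
    -AdvancedSettings @{ RequireDowngradeJustification = 'true' }

# Confirm what was published. The end-user and app steps happen in the clients.
Get-Label -Identity 'Confidential' | Format-List Name, DisplayName, Tooltip, EncryptionEnabled
Get-LabelPolicy -Identity 'Global-Sensitivity-Labels' | Format-List Name, Labels
```

The rights string grants the usual "co-author" rights to everyone in the tenant domain and nobody else; an external recipient who receives a labelled file gets an access-denied prompt rather than the content, which is the enforcement step the app performs on the label.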

Page 16: Label analytics

With label analytics you can view:

• The total number of retention labels and sensitivity labels applied to content
• The top labels and the count of how many times each label was applied
• The locations where labels are applied and the count for each location
• The count of how many files and folders had their retention label changed or removed

Page 17: Transition from Azure Information Protection (AIP) to Microsoft Information Protection

Page 18: Guidance for existing Azure Information Protection (AIP) deployments

Page 19: DLP capabilities

Data loss prevention in Microsoft 365 identifies, monitors, reports, and protects sensitive data such as Social Security and credit card numbers through deep content analysis, while helping users understand and manage data risk

• DLP can be configured to identify sensitive information
• DLP policies protect content by enforcing rules comprised of conditions and actions
• Policies are typically based on policy templates provided in the service

Page 20: Sensitive information types

A sensitive information type is defined by a pattern that can be identified by a regular expression or a function

Data loss prevention in Microsoft 365 includes definitions for many common sensitive information types such as credit card numbers, bank account numbers, national ID numbers and others

Each sensitive information type is defined and detected by using a combination of:

• Format
• Keywords
• Internal functions to validate checksums or composition
• Evaluation of regular expressions to find pattern matches
• Other content examination

A candidate that matches the pattern but fails the checksum function is discarded; supporting keywords found near the match raise the confidence level reported for it
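
How those pieces combine at detection time, as an added example rather than Microsoft's shipped definition: a simplified credit-card detector with a format regex, a Luhn checksum function and keyword proximity. The regex, keyword list, 300-character window and the 65/85 confidence values are assumptions chosen for illustration; the sample text and its card numbers are constructed (they are the standard publicly known test numbers, not real accounts).

```powershell
# Added example (not part of the deck): a sensitive information type evaluated
# the way the slide describes: regex for format, checksum function to discard
# false positives, supporting keywords in a proximity window for confidence.
# Regex, keywords, window size and confidence values are illustrative assumptions.

function Test-Luhn {
    param([string]$Digits)
    $sum = 0; $double = $false
    # Walk right to left, doubling every second digit and folding results > 9
    for ($i = $Digits.Length - 1; $i -ge 0; $i--) {
        $d = [int][string]$Digits[$i]
        if ($double) { $d *= 2; if ($d -gt 9) { $d -= 9 } }
        $sum += $d
        $double = -not $double
    }
    return ($sum % 10) -eq 0
}

function Find-CreditCardNumber {
    param(
        [string]$Content,
        [int]$ProximityChars = 300,   # assumption: keyword must sit within this window
        [string[]]$Keywords = @('credit card', 'card number', 'visa', 'mastercard', 'amex', 'expires', 'cvv')
    )
    # Format: 13-16 digits, optionally grouped with spaces or hyphens, not inside a longer digit run
    $pattern = '(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)'
    $results = @()
    foreach ($m in [regex]::Matches($Content, $pattern)) {
        $digits = $m.Value -replace '[ -]', ''
        # Checksum function: a pattern match that fails Luhn is not a card number
        if (-not (Test-Luhn $digits)) { continue }
        # Look for supporting keywords within the proximity window around the match
        $start  = [Math]::Max(0, $m.Index - $ProximityChars)
        $len    = [Math]::Min($Content.Length - $start, $m.Length + 2 * $ProximityChars)
        $window = $Content.Substring($start, $len).ToLowerInvariant()
        $hasKeyword = [bool]($Keywords | Where-Object { $window.Contains($_) })
        # Confidence: checksum alone -> 65; checksum plus keyword evidence -> 85
        $confidence = if ($hasKeyword) { 85 } else { 65 }
        $results += [pscustomobject]@{ Match = $m.Value; Digits = $digits; Confidence = $confidence }
    }
    return $results
}

# Constructed sample: one Visa and one Mastercard test number, plus a 16-digit
# reference whose check digit is wrong and must be discarded
$sample = @"
Please charge my Visa 4111 1111 1111 1111, expires 09/27.
Ticket reference 4111111111111112 is the support case id, not a card.
Order 5500-0000-0000-0004 confirmed.
"@

Find-CreditCardNumber -Content $sample | Format-Table
```

The ticket reference satisfies the regex but fails the checksum, so it never reaches the results. With the default window both remaining numbers sit within 300 characters of "visa" and "expires" and report 85; rerun with -ProximityChars 30 and the Mastercard number drops to 65, because no supporting keyword is near it. This is the same lever the real DLP rule exposes when you choose a minimum confidence for a sensitive information type.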

Page 21: DLP policies explained

After creating DLP policies, you can activate them to examine different locations, such as:

• Exchange email
• SharePoint sites
• OneDrive accounts

You can also create a DLP policy and choose not to activate it but run it in test mode, which records matches (and optionally shows policy tips) without blocking anything

To monitor and audit your DLP policies, there are two predefined reports available that show "DLP policy matches" and "DLP false positives and overrides"

Page 22: Conditions and actions

Conditions focus not only on the content, such as the type of sensitive information you are looking for, but also on the context, such as who the document is shared with

Conditions can determine if:

• Content contains any of the 80+ built-in types of sensitive information
• Content is shared with people outside or inside your organization
• The document properties contain specific values

When content matches a condition in a rule, you apply actions to protect the document or content. You can perform actions such as:

• Block access to the content
• Send a notification

Page 23: Email notifications

When you create a DLP policy in the Security & Compliance Center, you can configure a user notification action to inform users and educate them when they are in violation of an organization's policy

Users can be notified through email notifications and policy tips

Page 24: Policy tips

A policy tip is a notification or warning that appears when someone is working with content that conflicts with a DLP policy

Policy tips can appear in email, on sites, and in Office 2016 apps such as Excel, PowerPoint, and Word

Page 25: Policy templates

The quickest way to start using DLP policies is to create a new policy from a template

A preconfigured DLP policy template can help you detect specific types of sensitive information

Three methods exist for you to begin creating DLP policies by using the Security & Compliance Center:

• Apply an out-of-the-box template supplied by Microsoft
• Create a custom policy with one or more different pre-existing conditions
• Create a custom policy without any pre-existing conditions

Page 26: Use DLP policies with FCI

In Office 365, you can use a Data Loss Prevention (DLP) policy to identify, monitor, and protect sensitive information

You can create a DLP policy in Office 365 that recognizes the properties that have been applied to documents by Windows Server File Classification Infrastructure (FCI) or another system

Page 27: Choose a built-in policy template

Before you can enforce data loss prevention, you must first create a DLP policy

Page 28: Choose locations to protect

The New DLP policy wizard lets you select the services you want to protect

Page 29: Configure rules

The Policy settings tab displays the template's default DLP rules

You can accept the default settings for conditions and actions, or select Use advanced settings to create custom rules

Page 30: Enable the policy

The last two pages of the New DLP policy wizard ask about the status of the DLP policy after the wizard finishes and display a review of the policy's settings

When you create your DLP policies, consider rolling them out gradually: start in test mode to assess their impact, check the match and false-positive reports, and only then fully enforce them

Page 31: Create and manage Teams DLP policies

For organizations that have DLP for Teams licensed, policies can be configured that prevent people from sharing sensitive information in a Microsoft Teams channel or chat session. With these policies, the admin can protect:

• Sensitive information in messages
• Sensitive information in documents

Page 32: Endpoint Data Loss Prevention: identify and protect information on endpoints

• Integrated: integrations (e.g. with Microsoft Information Protection) build on existing capabilities and focus on the risks that matter
• Native protection: built in to Windows 10, Office apps and Edge; no agent required
• Seamless deployment: cloud-delivered, lightweight configuration leads to immediate value; works out of the box for Microsoft Defender ATP (MDATP) customers

Status at the time of the session: in public preview, generally available Q4 CY20

Page 33: Endpoint DLP: seamless deployment

Discover sensitive data on devices on day 1:

• Audit activity of common file types with rich context
• Data classification without any policy
• Data-driven policy orchestration

Cloud-native, lightweight configuration:

• Managed through the Microsoft Compliance Center
• A single click extends existing DLP policies to devices

Page 34: Endpoint DLP: integrated and data-centric

Data-centric protection:

• Content-centric auditing and enforcement
• Apply sensitivity label and encryption (future)

DLP and threat protection, better together:

• Prioritize incident response based on data sensitivity
• DLP sensors and data exfiltration detection in MDATP
• Risk-aware DLP policies (future)
• Serves as the Insider Risk Management endpoint sensor

Page 35: Endpoint DLP

Microsoft Endpoint DLP allows you to monitor Windows 10 devices and detect when sensitive items are used and shared.

Requirements:

• Devices must be Windows 10
• Devices need to be onboarded
• Devices must be Azure AD joined

Page 36: Customize conditions and actions

The default sensitive information types associated with the U.S. Personally Identifiable Information (PII) Data policy include the U.S. Individual Taxpayer Identification Number, U.S. Social Security Number, and U.S./U.K. Passport Number

You can add any sensitive information type and, if necessary, remove any of the default types

Page 37: Customize user notifications

The User notifications section of the Security and Compliance Center lets you configure and customize the notifications that people receive when a user attempts to share content that is protected

Page 38: Customize user overrides

User notifications are effective in educating users about an organization's compliance requirements

You can configure user overrides so that users can override a block with a business justification; overrides are recorded in the "DLP false positives and overrides" report, so review them when tuning the policy

Page 39: Send incident reports

Administrators can configure an action to generate incident reports if a DLP event occurs

Page 40: Document protection through DLP policies

Many organizations already have a process to identify and classify sensitive information by using the classification properties in Windows Server File Classification Infrastructure (FCI)

You can create a DLP policy in Office 365 that recognizes the properties that have been applied to documents by Windows Server FCI or another system

When you create a DLP policy, the only content that is detected is content that is newly uploaded and existing content that is edited

To detect existing content, you need to manually re-index your library, site, or site collection

Page 41: Create a document-protecting DLP policy (Steps 1 and 2)

Step 1 – Upload a document with the needed property to Microsoft 365: you first need to upload a document with the property that you want to reference in your DLP policy. Microsoft 365 will detect the property and automatically create a crawled property from it

Step 2 – Create a managed property in SharePoint Online, mapped to that crawled property

Page 42: Create a document-protecting DLP policy (Step 3)

Step 3 – Create the DLP policy: the condition "Document properties contain any of these values" is not available in the user interface of the Microsoft 365 Security & Compliance Center, so you need to use PowerShell to use it

You can use the New-/Set-/Get-DlpCompliancePolicy cmdlets to work with the DLP policy, and the New-/Set-/Get-DlpComplianceRule cmdlets for the rule that carries the document-property condition
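
Step 3 as a Security & Compliance PowerShell script, also covering the test-mode rollout, user override, incident report and re-index caveats from the earlier slides. This is an added example, not code from the deck or from Microsoft. It assumes the managed property created in Step 2 is named Classification and that FCI stamps the value Confidential; the policy and rule names and the policy-tip text are placeholders, and the session is opened with Connect-IPPSSession by a Compliance administrator.

```powershell
# Added example (not from the deck). Assumptions: managed property "Classification"
# with value "Confidential"; placeholder names and tip text; connected session.
Connect-IPPSSession

$policyName = 'FCI-Confidential-Documents'

# Create the policy in test mode with notifications: matches are logged and users
# see policy tips, but nothing is blocked yet, so the rules can be tuned against
# the "DLP policy matches" and "DLP false positives and overrides" reports first.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Protect documents stamped Confidential by Windows Server FCI' `
    -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications

# Rule 1: the "document properties contain any of these values" condition, which
# has no UI equivalent. The value format is Property:Value. Block external
# sharing, notify the last modifier and the site admin, allow an override with a
# business justification, and raise an incident report to the site admin.
New-DlpComplianceRule -Name "$policyName-Property" -Policy $policyName `
    -ContentPropertyContainsWords 'Classification:Confidential' `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser LastModifier, SiteAdmin `
    -NotifyPolicyTipCustomText 'This document is classified Confidential and cannot be shared outside the organization.' `
    -NotifyAllowOverride WithJustification `
    -GenerateIncidentReport SiteAdmin `
    -IncidentReportContent Title, DocumentAuthor, RulesMatched, Severity

# Rule 2: a content condition on a built-in sensitive information type, for
# comparison with the property-based condition above.
New-DlpComplianceRule -Name "$policyName-CreditCards" -Policy $policyName `
    -ContentContainsSensitiveInformation @(@{ Name = 'Credit Card Number'; minCount = '1' }) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser LastModifier

# Inspect the rules as created, then switch the policy to enforcement once the
# test-mode reports look right. Only newly uploaded or edited content is
# evaluated; existing documents need a re-index of the library or site.
Get-DlpComplianceRule -Policy $policyName | Format-List Name, ContentPropertyContainsWords, AccessScope, BlockAccess
Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Keep the property name and value exactly as the managed property exposes them; a DLP rule compares against the indexed property, so a typo here silently matches nothing, which test mode will show as zero matches in the report.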

Page 43: Policy tips in email

When you compose a new email in Outlook on the web or Outlook 2013 and later, you will see a policy tip if you add content that matches a rule in a DLP policy that uses policy tips

Page 44: Policy tips in SharePoint and OneDrive

When a document on a OneDrive for Business site or SharePoint Online site matches a rule in a DLP policy that uses policy tips, the policy tips display special icons on the document

Page 45: Policy tips in Office 2019

When end users work with sensitive content in the desktop versions of Excel 2019, PowerPoint 2019, and Word 2019, policy tips can notify them in real time that the content conflicts with a DLP policy

Page 46: Policy tips in Office 2019 (continued)

Depending on how you configure the policy tips in the DLP policy, people can choose to simply ignore the policy tip, override the policy with or without a business justification, or report a false positive

Page 47: Demo


Page 49: Information Protection (segment 2 of 2)

• Information Rights Management (IRM)
• Secure/Multipurpose Internet Mail Extensions (S/MIME)
• Office 365 Message Encryption

Page 51: Microsoft 365 encryption options

Microsoft 365 offers a variety of different encryption services and features, with a basic differentiation between data at rest and data in transit. With Microsoft 365, you can have multiple layers and kinds of encryption working together to secure your data

Kinds of content and the encryption technologies that protect them:

• Files on a device (email messages saved in a folder, Office documents saved on a computer, tablet, or phone, or data saved to the Microsoft cloud): BitLocker in Microsoft datacenters (BitLocker can also be used on client machines, such as Windows computers and tablets); Distributed Key Manager (DKM) in Microsoft datacenters; Customer Key for Microsoft 365
• Files in transit between users (Office documents or SharePoint list items shared between users): TLS for files in transit
• Email in transit between recipients (including email hosted by Exchange Online): Office 365 Message Encryption with Azure Rights Management, S/MIME, and TLS for email in transit

Page 52: Rights management in Exchange

With the IRM features in Exchange, your organization and users can control the permissions that recipients have for email

• IRM can allow or restrict recipient actions
• IRM protection can be applied by users in Outlook and Outlook on the web, or it can be based on your organization's messaging policies
• Microsoft Office applications, such as Word, Excel, PowerPoint, and Outlook, are RMS-enabled

IRM cannot prevent information from being copied using the following methods:

• Third-party screen capture programs
• Use of imaging devices to photograph IRM-protected content displayed on the screen
• Users remembering or manually transcribing the information

Page 53: Applying IRM protection to email

• Manually by Outlook users: your Outlook users can IRM-protect messages with the RMS rights policy templates available to them. This process uses the IRM functionality in Outlook rather than Exchange. However, you can use Exchange to access messages, and you can take actions (such as applying transport rules) to enforce your organization's messaging policy
• Manually by Outlook on the web users: when you enable IRM in Outlook on the web, users can IRM-protect messages they send and view IRM-protected messages they receive
• Manually by mobile device users: mobile devices like Windows Phone, iOS and Android can view and create IRM-protected messages with the Outlook app. This requires users to connect their supported devices to a computer and activate them for IRM. You can enable IRM in Microsoft Exchange ActiveSync to allow users of Exchange ActiveSync devices to view, reply to, forward, and create IRM-protected messages
• Automatically in Outlook: you can create Outlook Protection Rules to automatically IRM-protect messages in Outlook. Outlook Protection Rules are deployed automatically to Outlook clients, and IRM protection is applied by Outlook when the user composes a message
• Automatically on mailbox servers: you can create transport protection rules to automatically IRM-protect messages

Page 54: Rights management in SharePoint

• Within SharePoint Online, IRM protection is applied to files at the list and library level
• IRM relies on the Azure Rights Management service from Azure Information Protection
• In SharePoint, IRM enables administrators and content creators to limit the actions that users can take on files that are stored in document libraries
• You can use IRM on lists and libraries to limit the dissemination of sensitive content, including preventing users who are authorized to read it from sharing it with other employees in the company

Page 55: Applying IRM protection to SharePoint

IRM protection in SharePoint is applied to files at the list or library level. When people download files from an IRM-enabled list or library, the files are encrypted so that only authorized people can view them

How SharePoint permissions map to IRM permissions:

• Manage Permissions, Manage Web Site: Full control (as defined by the client program). This permission generally allows a user to read, edit, copy, save, and modify permissions of rights-managed content
• Edit Item, Manage Lists, Add and Customize Pages: Edit, Copy, and Save. A user can print a file only if the Allow users to print documents check box is selected on the Information Rights Management Settings page for the list or library
• View Items: Read. A user can read the document but cannot copy or modify its content. A user can print only if the Allow users to print documents check box is selected on the Information Rights Management Settings page for the list or library
• Other: no other permissions correspond directly to IRM permissions

Page 56: S/MIME explained

S/MIME is based on certificates that bind a public key to an identity, with the matching private key held only by the owner

If you sign a message with the private key, the signature can only be validated by using the public key, and if somebody encrypts a message with the public key, it can only be decrypted with the private key

Page 57: S/MIME digital signatures

Digital signatures provide several security capabilities, including authentication, nonrepudiation, and data integrity

• Authentication in a digital signature works by allowing a recipient to know that a message was sent by the person or organization who claims to have sent the message
• The uniqueness of a signature prevents the owner of the signature from disowning the signature. This capability is called nonrepudiation
• Data integrity is a result of the specific operations that make digital signatures possible: any change to the signed content invalidates the signature

Although digital signatures provide data integrity, they do not provide confidentiality

Page 58: Applying digital signatures

At its simplest, a digital signature works by performing a signing operation on the text of the e-mail message when the message is sent, and a verifying operation when the message is read

Page 59: Verifying digital signatures

When the recipient opens a digitally signed e-mail message, a verification procedure is performed on the digital signature to confirm the sender's identity and the consistency of the message

Page 60: S/MIME messages

Encryption is a way to change the content so that it cannot be read or understood until it is changed back into a readable and understandable form

Message encryption provides two specific security services:

• Confidentiality
• Data integrity

The message is encrypted by using the recipient's public key, which is available to everyone, so message encryption does not provide authentication and therefore does not provide nonrepudiation

Page 61: Encrypting e-mail messages

Message encryption makes the content of a message unreadable by performing an encryption operation on it when it is sent

Page 62: Decrypting e-mail messages

When the recipient opens an encrypted message, a decryption operation is performed on the encrypted message

Page 63: Digital signatures and encryption working together

Digital signatures and message encryption are not mutually exclusive services. These two services are designed to be used in conjunction with one another, because each separately addresses one side of the sender-recipient relationship

Page 64: Triple-wrapped messages

One of the enhancements introduced with S/MIME version 3 is known as "triple-wrapping"

A triple-wrapped S/MIME message is one that is signed, encrypted, and then signed again

The outer signature is the additional layer of security: the recipient can verify who sent the envelope, and that it was not altered in transit, before decrypting it, while the inner signature still binds the sender to the plaintext

When users sign and encrypt messages with Outlook on the web using the S/MIME control, the message is automatically triple-wrapped
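
The sign, encrypt and triple-wrap operations described on pages 56 to 64, carried out end to end with .NET cryptography primitives from PowerShell. This is an added example, not code from the deck or from Microsoft, and it is deliberately not a real S/MIME implementation: raw RSA key pairs generated in the script stand in for the sender's and recipient's certificates, AES-256-CBC with an RSA-OAEP-wrapped content key stands in for CMS EnvelopedData, and a hashtable stands in for the ASN.1 message structure. It runs on PowerShell 7 or on Windows PowerShell 5.1 with .NET Framework 4.7.2 or later.

```powershell
# Added example (not from the deck): sign -> encrypt -> sign, showing which key
# is used at each step. RSA key pairs stand in for certificates, AES with an
# RSA-OAEP-wrapped content key stands in for CMS EnvelopedData, and a hashtable
# stands in for the message structure. All keys are generated here for the demo.
using namespace System.Security.Cryptography
using namespace System.Text

function New-PublicKeyOnly {
    # Copies only the public parameters: what a recipient or verifier actually holds
    param([RSA]$KeyPair)
    $pub = [RSA]::Create()
    $pub.ImportParameters($KeyPair.ExportParameters($false))
    return $pub
}

function Protect-TripleWrapped {
    param([string]$Text, [RSA]$SenderPrivate, [RSA]$RecipientPublic)
    $plain = [Encoding]::UTF8.GetBytes($Text)
    # 1. Inner signature: the sender's PRIVATE key signs the clear text
    #    (authentication, integrity and nonrepudiation of the content)
    $innerSig = $SenderPrivate.SignData($plain, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    $signed = [byte[]]($plain + $innerSig)
    # 2. Encryption: a fresh AES content key encrypts the signed data; only that key is
    #    wrapped with the recipient's PUBLIC key, so only the recipient can open it
    $aes = [Aes]::Create()
    $aes.KeySize = 256
    $aes.GenerateKey(); $aes.GenerateIV()
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($signed, 0, $signed.Length)
    $wrappedKey = $RecipientPublic.Encrypt($aes.Key, [RSAEncryptionPadding]::OaepSHA256)
    # 3. Outer signature: the sender signs the envelope so the recipient can check its
    #    origin and integrity before decrypting anything
    $outerSig = $SenderPrivate.SignData($cipher, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    return @{ Cipher = $cipher; IV = $aes.IV; WrappedKey = $wrappedKey; OuterSig = $outerSig; InnerSigLength = $innerSig.Length }
}

function Unprotect-TripleWrapped {
    param([hashtable]$Msg, [RSA]$RecipientPrivate, [RSA]$SenderPublic)
    # Outer signature first, with the sender's PUBLIC key: no private-key operation yet
    if (-not $SenderPublic.VerifyData($Msg.Cipher, $Msg.OuterSig, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)) {
        throw 'Outer signature invalid: envelope was altered or is not from the claimed sender'
    }
    # The recipient's PRIVATE key unwraps the content key; AES then recovers the signed data
    $aes = [Aes]::Create()
    $aes.Key = $RecipientPrivate.Decrypt($Msg.WrappedKey, [RSAEncryptionPadding]::OaepSHA256)
    $aes.IV = $Msg.IV
    $signed = $aes.CreateDecryptor().TransformFinalBlock($Msg.Cipher, 0, $Msg.Cipher.Length)
    # Split content from the inner signature and verify it with the sender's PUBLIC key
    $n = $signed.Length - $Msg.InnerSigLength
    $plain = [byte[]]$signed[0..($n - 1)]
    $innerSig = [byte[]]$signed[$n..($signed.Length - 1)]
    if (-not $SenderPublic.VerifyData($plain, $innerSig, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)) {
        throw 'Inner signature invalid: content does not match what the sender signed'
    }
    return [Encoding]::UTF8.GetString($plain)
}

# Demo key pairs; each party publishes only its public half
$sender = [RSA]::Create(); $recipient = [RSA]::Create()
$senderPub = New-PublicKeyOnly $sender
$recipientPub = New-PublicKeyOnly $recipient

$msg = Protect-TripleWrapped -Text 'Q3 forecast attached, internal only.' -SenderPrivate $sender -RecipientPublic $recipientPub
Unprotect-TripleWrapped -Msg $msg -RecipientPrivate $recipient -SenderPublic $senderPub

# Flip one ciphertext byte: the outer signature fails and the recipient never decrypts
$tampered = $msg.Clone()
$tampered.Cipher = [byte[]]$msg.Cipher.Clone()
$tampered.Cipher[0] = $tampered.Cipher[0] -bxor 0x01
try { Unprotect-TripleWrapped -Msg $tampered -RecipientPrivate $recipient -SenderPublic $senderPub } catch { $_.Exception.Message }
```

The first call returns the original text; the tampered call throws on the outer signature check. Note the asymmetry the slides describe: anyone with the recipient's public key could have produced the envelope, which is why the encryption step alone proves nothing about the sender, and why the signatures, made with a key only the sender holds, are what supply authentication and nonrepudiation.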

Page 65: Office 365 Message Encryption explained

OME combines the email encryption and rights management (RMS) capabilities that are provided with Azure Information Protection (AIP)

Office 365 Message Encryption and S/MIME both encrypt email messages, but S/MIME requires the client sending the message to encrypt the email message using a public key infrastructure (PKI) certificate that is installed or available on the client computer

Office 365 Message Encryption uses built-in certificates to encrypt messages in the Office 365 service during the transport of the message

With Office 365 Message Encryption, the service ensures only the intended recipient can view the message

Page 66: How Office 365 Message Encryption works

Office 365 Message Encryption is an online service that is built on Microsoft Azure Rights Management (Azure RMS, part of AIP)

When a user sends an email message in Exchange that matches an encryption rule, the message is sent out with an HTML attachment

Page 67: Working with encrypted emails

Users can send encrypted email from Outlook and Outlook on the web

Admins can set up mail flow rules in Office 365 to automatically encrypt emails based on keyword matching or other conditions

Page 68: Office 365 Advanced Message Encryption explained

Advanced capabilities include: message revocation, message expiration, and multiple branding templates

Page 69: Demo

Page 70: Information Governance

• Archiving in Microsoft 365
• Retention in Microsoft 365
• Archiving and retention in Exchange
• In-place records management in SharePoint

Page 72: Information governance

Information governance helps you manage the end-to-end lifecycle of all content across your organization's digital estate, including Microsoft 365, third-party clouds, hybrid deployments, and any content you bring into Microsoft 365

Common information governance scenarios:

• Create an organization-wide retention policy to delete all Microsoft Teams communications older than seven days
• Review documents stored in a SharePoint document library prior to them being deleted because a retention policy expired
• Implement a 5-year retention policy where automatically labeled content will be kept five years and then automatically deleted

Page 73: Records management

Records management in Microsoft 365 provides the following capabilities:

• Label content as a record
• Migrate and manage your retention requirements with file plan
• Establish retention and deletion policies within the record label
• Trigger event-based retention
• Review and validate disposition
• Export information about all disposed items
• Set specific permissions

Page 74: File plan

File plan can be used for all retention labels, even if they don't mark content as a record

Page 75: In-place archiving and records management

Data governance in Microsoft 365 enables you to archive content as appropriate in Exchange mailboxes, SharePoint sites, and OneDrive for Business locations in your Microsoft 365 organization

In-Place Archiving in Exchange:

• Archiving in Exchange is performed by a feature called In-Place Archiving
• With In-Place Archiving, users can view an archive mailbox and move or copy messages between their primary mailbox and their archive mailbox
• Archive mailboxes allow you to offload the data footprint on the Exchange servers
• With archive mailboxes, your organization can control messaging data by eliminating the need for personal store (.pst) files

In-Place Records Management in SharePoint:

• In-Place Records Management enables you to effectively manage records in collaborative spaces
• In-Place Records Management allows SharePoint documents to be declared as records

Page 76: In-place archiving in Exchange

When an administrator enables the user's mailbox for In-Place Archiving, an additional mailbox is created and displayed in the user's Outlook and Outlook on the web

Mail from the primary mailbox can then be moved to the archive

The archive mailbox is not cached on the client computer

To protect from accidental or malicious deletion and to facilitate discovery efforts, Exchange 2016 and Exchange Online use the Recoverable Items folder

The Recoverable Items folder replaces the feature that was known as the dumpster in earlier versions of Exchange

Page 77: Microsoft Security Virtual Training Day: Protect Sensitive ...

In-place records management in SharePoint

A record is a document or other electronic or physical entity in an organization that serves as evidence of an activity or transaction

Records management is the process by which an organization:

Determines what kinds of information should be considered records

Determines how active documents that will become records should be handled

Determines how active documents should be collected

Determines in what manner and for how long each record type should be retained

Researches and implements technological solutions

Performs records-related tasks

In SharePoint, archiving is referred to as In-Place Records Management

Page 78: Microsoft Security Virtual Training Day: Protect Sensitive ...

Retention policies

A retention policy in Microsoft 365 can help you achieve the following goals:

Comply proactively with industry regulations and internal policies

Reduce your risk in the event of litigation or a security breach

Help your organization to share knowledge effectively and be more agile

The principles of retention, applied when more than one policy or label affects the same content:

Retention wins over deletion

Longest retention period wins

Explicit inclusion wins over implicit inclusion

Strongest deletion period wins

Page 79: Microsoft Security Virtual Training Day: Protect Sensitive ...

Messaging Records Management in Exchange

Messaging Records Management (MRM) in Exchange helps to manage users’ mailboxes and archive mailboxes

It can move messages from the primary mailbox to the archive, delete mail after a specific time, or preserve Exchange elements

In Exchange, retention is performed using retention policies

Retention policies allow you to:

Remove all messages after a specified period

Remove messages based on folder location

Allow users to tag messages

Retain messages for a specified period

Page 80: Microsoft Security Virtual Training Day: Protect Sensitive ...

Retention tags in Exchange

Administrators use retention tags to apply retention settings to items and folders in a user’s mailbox

The applied settings specify how long a message stays in the user’s mailbox and what happens when the message reaches its retention age

Retention tags contain settings on how to process messages, while retention policies are required to group retention tags and assign them to a mailbox

Create Retention Tags

Retention tags are used to apply retention settings to messages and folders. There are three types of retention tags:

Default Policy Tags: A default policy tag (DPT) applies to all items that do not have a retention tag applied, either inherited or explicit.

Retention Policy Tags: Retention policy tags (RPTs) are created for default folders such as Inbox, Deleted Items, etc.

Personal Tags: Personal tags are used by Outlook and Outlook Web App users to apply retention settings to custom folders and individual items such as email messages.

Example tags shown in the slide diagram: Move to Archive, Permanently Delete, Voice Mail (Delete), Archive – 365 days, Business Critical, Delete – 1 Week, Delete – 180 days

Create Retention Policies

A retention policy is a group of retention tags that can be applied to a mailbox

Link Retention Tags to Retention Policies

A retention policy can have one DPT to move items to archive, one DPT to delete items, one DPT to delete voice mail messages, one RPT for each supported default folder and any number of personal tags

Apply Retention Policies

Retention policies are applied to mailbox users. Different sets of users can have different retention policies (the slide diagram shows two example policies, Corp-Users and Corp-Execs)

Page 81: Microsoft Security Virtual Training Day: Protect Sensitive ...

Calculate retention age

The Managed Folder Assistant processes mailboxes that have a retention policy applied, adds the retention tags included in the policy to the mailbox, and processes items in the mailbox based on policy settings

The retention age of mailbox items is calculated from the date of delivery or, for items such as drafts that are not delivered but created by the user, from the date of creation

When using retention policies in the Compliance Center, you can control the way in which the age of elements is calculated

Page 82: Microsoft Security Virtual Training Day: Protect Sensitive ...

Retention policies explained

To apply a retention policy, you should consider the following:

Content in OneDrive accounts and SharePoint sites

How a retention policy works with document versions in a site

Content in mailboxes and public folders

Content in Teams

Content in Skype locations

Limitations for creating retention policies

Page 83: Microsoft Security Virtual Training Day: Protect Sensitive ...

Use retention labels with policies

Page 84: Microsoft Security Virtual Training Day: Protect Sensitive ...

Create a retention policy

The following tasks are needed to create a retention policy:

Assigning permissions to create a policy

Creating a retention policy in the compliance center

Using Advanced Retention settings

Creating a retention policy in PowerShell
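
The four tasks above carried out in Security & Compliance PowerShell, as an added example that is not code from the training deck. It assumes a Connect-IPPSSession session already exists, and the admin address, the policy and rule names and the seven-year duration are placeholders. The ExpirationDateOption setting is the control over how item age is calculated that the Page 81 slide refers to.

```powershell
# Added example (not from the training deck): create a compliance-center retention
# policy with Security & Compliance PowerShell. Assumes Connect-IPPSSession has run;
# names, the admin UPN and the 2555-day (7-year) duration are placeholders.

# Task 1: permissions. Members of the Compliance Administrator role group hold the
# Retention Management role that policy creation requires.
$admin = "records-admin@contoso.example"   # placeholder
Add-RoleGroupMember -Identity "Compliance Administrator" -Member $admin

# Task 2: the policy decides WHERE retention applies (locations), not what happens.
New-RetentionCompliancePolicy -Name "Finance records - 7 years" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Enabled $true

# Task 3: the rule carries the retention settings. ExpirationDateOption is the advanced
# setting that chooses how age is counted: CreationAgeInDays from creation/delivery,
# ModificationAgeInDays from the last modification.
New-RetentionComplianceRule -Name "Finance records - 7 years rule" `
    -Policy "Finance records - 7 years" `
    -RetentionDuration 2555 `
    -RetentionComplianceAction KeepAndDelete `
    -ExpirationDateOption ModificationAgeInDays

# Check: is the policy being distributed to its locations, and does the rule say
# what was intended? Distribution is asynchronous, so DistributionStatus may lag.
Get-RetentionCompliancePolicy -Identity "Finance records - 7 years" -DistributionDetail |
    Select-Object Name, Enabled, DistributionStatus
Get-RetentionComplianceRule -Policy "Finance records - 7 years" |
    Select-Object Name, RetentionDuration, RetentionComplianceAction, ExpirationDateOption
```

KeepAndDelete retains content for the full duration and then deletes it; a Keep-only rule never deletes, which matters when a second policy with a shorter deletion period also covers the same content, because the "retention wins over deletion" principle from the Page 78 slide then keeps the content until the longer period ends.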

Page 85: Microsoft Security Virtual Training Day: Protect Sensitive ...

Event-driven retention

To successfully use event-driven retention, it’s important to understand the relationship between event types, labels, events, and asset IDs:

Page 86: Microsoft Security Virtual Training Day: Protect Sensitive ...

Create retention tags

Retention tags are used to apply retention settings to messages and folders

Multiple retention tags can be grouped together into a retention policy, and retention policies can be applied to a mailbox

Retention tag types:

Default Policy Tags (DPTs): These are default retention tags for the entire mailbox

Retention Policy Tags (RPTs): These are for default folders. The only valid action is to delete or delete permanently

Personal Tags: These tags become available in Outlook and Outlook on the web. Users can use them to apply to a mailbox folder or an individual item

Retention actions:

Delete and Allow Recovery: This action allows the user to recover deleted items until the deleted item retention period is reached for the mailbox database or the user

Permanently Delete: This action purges the item from the mailbox database. Note: If the content of a mailbox is targeted by any retention policy in the Security & Compliance Center or by a hold, the content will not be deleted permanently; therefore, it can still be returned by an eDiscovery search

Move to Archive: This action moves the item to the user’s archive mailbox, if one exists. If a user does not have an archive mailbox, no action is taken. This action is available only for default retention tags that are automatically applied to the entire mailbox, as well as tags applied by users to items or folders (personal tags)

Page 87: Microsoft Security Virtual Training Day: Protect Sensitive ...

Create a retention policy

Configuring a retention policy is simply a matter of creating a new policy and then adding the retention tags you want to that policy

Page 88: Microsoft Security Virtual Training Day: Protect Sensitive ...

Assign retention policies to mailboxes

To apply a retention policy, you have to assign it to a user mailbox

You can use the Exchange Admin Center or PowerShell to assign a retention policy
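
The tag, policy and assignment steps that Pages 80, 86 and 87 and this slide describe, as an added Exchange Online PowerShell example that is not code from the training deck. It assumes a Connect-ExchangeOnline session already exists; the tag names and day counts mirror the slide diagram, the five-year limit on the personal tag and the user address are placeholders. It also handles the Page 86 edge case: Move to Archive does nothing for a mailbox without an In-Place Archive, so the archive is enabled before the policy is assigned.

```powershell
# Added example (not from the training deck): build an MRM configuration with
# Exchange Online PowerShell. Assumes Connect-ExchangeOnline has run; tag names,
# durations and the user UPN are placeholders modelled on the slide diagram.

# Default Policy Tags (DPTs): apply to every item with no inherited or explicit tag.
New-RetentionPolicyTag -Name "Archive - 365 days" -Type All `
    -AgeLimitForRetention 365 -RetentionAction MoveToArchive `
    -Comment "Move mail older than one year to the In-Place Archive"

New-RetentionPolicyTag -Name "Delete - 180 days" -Type All `
    -AgeLimitForRetention 180 -RetentionAction DeleteAndAllowRecovery `
    -Comment "Deleted items stay recoverable until the deleted-item retention period ends"

# A DPT scoped to voice mail: the slide allows one 'delete voice mail' DPT per policy.
New-RetentionPolicyTag -Name "Voice Mail (Delete)" -Type All -MessageClass Voicemail `
    -AgeLimitForRetention 14 -RetentionAction DeleteAndAllowRecovery

# Retention Policy Tag (RPT): one per default folder; delete actions only.
New-RetentionPolicyTag -Name "Delete - 1 Week" -Type DeletedItems `
    -AgeLimitForRetention 7 -RetentionAction DeleteAndAllowRecovery

# Personal tag: offered to users in Outlook / Outlook on the web (5 years is a placeholder).
New-RetentionPolicyTag -Name "Business Critical" -Type Personal `
    -AgeLimitForRetention 1825 -RetentionAction DeleteAndAllowRecovery `
    -Comment "Users apply this to folders or single items that must outlive the default"

# Group the tags: one DPT per action, one RPT per folder, any number of personal tags.
New-RetentionPolicy -Name "Corp-Users" -RetentionPolicyTagLinks `
    "Archive - 365 days", "Delete - 180 days", "Voice Mail (Delete)", "Delete - 1 Week", "Business Critical"

# Assign to a mailbox. MoveToArchive is skipped silently when no archive mailbox
# exists, so enable the In-Place Archive first if ArchiveStatus is not Active.
$upn = "user@contoso.example"   # placeholder
$mbx = Get-Mailbox -Identity $upn
if ($mbx.ArchiveStatus -ne "Active") {
    Enable-Mailbox -Identity $upn -Archive | Out-Null
}
Set-Mailbox -Identity $upn -RetentionPolicy "Corp-Users"

# Run the Managed Folder Assistant now instead of waiting for its next scheduled pass.
Start-ManagedFolderAssistant -Identity $upn

# Verify which tags the policy links and which policy the mailbox carries.
Get-RetentionPolicy -Identity "Corp-Users" | Select-Object Name, RetentionPolicyTagLinks
Get-Mailbox -Identity $upn | Select-Object DisplayName, RetentionPolicy, ArchiveStatus
```

For a second population such as the Corp-Execs policy on the slide, create a separate New-RetentionPolicy with its own tag set and assign it with Set-Mailbox to those mailboxes; a mailbox carries exactly one retention policy at a time.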

Page 89: Microsoft Security Virtual Training Day: Protect Sensitive ...

Records management in SharePoint explained

The records management planning process should include the following steps:

1 Identify records management roles

2 Analyze organizational content

3 Develop a file plan

4 Develop retention schedules

5 Evaluate and improve document management practices

6 Design the records management solution

7 Plan how content becomes records

8 Plan email integration

9 Plan compliance for social content

10 Plan compliance reporting and documentation

Page 90: Microsoft Security Virtual Training Day: Protect Sensitive ...

Benefits of in-place records management

The benefits of implementing an in-place records management system include the following:

Records can exist and be managed across multiple sites

With versioning enabled, maintaining versions of records is automatic

eDiscovery search can be executed against both records and active documents at the same time

Broader control over what a record is in your organization and who can create a record

Page 91: Microsoft Security Virtual Training Day: Protect Sensitive ...

Configure in-place records management

You must perform several tasks to configure in-place records management:

1 Activate in-place records management at the site collection level

2 Configure record declaration settings at the site collection level

3 Configure record declaration settings at the list or library level

Page 92: Microsoft Security Virtual Training Day: Protect Sensitive ...

Demo

Page 93: Microsoft Security Virtual Training Day: Protect Sensitive ...

Day 2 Slides

Page 94: Microsoft Security Virtual Training Day: Protect Sensitive ...

Compliance Management• Compliance Center• Compliance Manager

Page 95: Microsoft Security Virtual Training Day: Protect Sensitive ...

Compliance center in Microsoft 365

Information protection & governance: Protect and govern data wherever it lives

Insider risk management: Identify and remediate critical insider risks

Discover & respond: Quickly investigate and respond with relevant data

Compliance management: Simplify compliance and reduce risk

Page 96: Microsoft Security Virtual Training Day: Protect Sensitive ...

Compliance management

Microsoft compliance management use cases:

Data protection baseline: Implement baseline technical, procedural, and people controls to protect your data

IT risk management: Assess and monitor risks in Office 365 and Intune

Regulatory compliance: Assess and maintain controls for data protection regulations (e.g. GDPR, CCPA)

Audits and control assessments: Demonstrate control effectiveness to internal and external auditors

Page 97: Microsoft Security Virtual Training Day: Protect Sensitive ...

Microsoft 365 compliance center

Page 98: Microsoft Security Virtual Training Day: Protect Sensitive ...

Microsoft Compliance Manager

Page 99: Microsoft Security Virtual Training Day: Protect Sensitive ...

Compliance manager assessments

Page 100: Microsoft Security Virtual Training Day: Protect Sensitive ...

Microsoft Service Trust Portal

Page 101: Microsoft Security Virtual Training Day: Protect Sensitive ...

Demo


Page 103: Microsoft Security Virtual Training Day: Protect Sensitive ...

Insider Risk Management• Insider Risk• Communication compliance• Privileged Access Management• Customer Lockbox• Information barriers

Page 104: Microsoft Security Virtual Training Day: Protect Sensitive ...

Insider risk management explained

Page 105: Microsoft Security Virtual Training Day: Protect Sensitive ...

Configure insider risk management

Insider risk management configuration steps:

1 Enable permissions for insider risk management

2 Enable the Office 365 audit log

3 Configure prerequisites for templates

4 Configure insider risk settings

5 Create an insider risk management policy

Page 106: Microsoft Security Virtual Training Day: Protect Sensitive ...

Investigate insider risk alerts

Page 107: Microsoft Security Virtual Training Day: Protect Sensitive ...

Communications compliance explained

Increasing data

Increased regulatory enforcement

Difficult to find subject matter experts to review

Result: violations slip through

Page 108: Microsoft Security Virtual Training Day: Protect Sensitive ...

Privileged access management in Office 365

Azure AD Privileged Identity Management primarily allows managing access for AD roles and role groups, while privileged access management in Office 365 is applied only at the task level

Page 109: Microsoft Security Virtual Training Day: Protect Sensitive ...

Customer lockbox workflow

Customer Lockbox requests allow you to control how a Microsoft support engineer accesses your data

Page 110: Microsoft Security Virtual Training Day: Protect Sensitive ...

Customer Lockbox

Page 111: Microsoft Security Virtual Training Day: Protect Sensitive ...

Information barriers explained

Define policies that are designed to prevent certain segments of users from communicating with each other, or allow specific segments to communicate only with certain other segments

Page 112: Microsoft Security Virtual Training Day: Protect Sensitive ...

Information barrier policies

Part 1: Segment users in your organization

Segments are sets of users that are defined in the Security & Compliance Center using a selected user account attribute

Part 2: Define information barrier policies

“Block” policies prevent one segment from communicating with another segment

“Allow” policies allow one segment to communicate with only certain other segments

Part 3: Apply information barrier policies
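
Parts 1 to 3 above in Security & Compliance PowerShell, as an added example that is not code from the training deck. It assumes a Connect-IPPSSession session exists and that the Department attribute is populated on every user account; the segment names, policy names and department values are placeholders.

```powershell
# Added example (not from the training deck): define segments, block and allow
# policies, then apply them. Assumes Connect-IPPSSession has run and Department is
# populated; segment and policy names are placeholders.

# Part 1: a segment is a set of users selected by a filter on one account attribute.
New-OrganizationSegment -Name "Research"   -UserGroupFilter "Department -eq 'Research'"
New-OrganizationSegment -Name "Sales"      -UserGroupFilter "Department -eq 'Sales'"
New-OrganizationSegment -Name "Compliance" -UserGroupFilter "Department -eq 'Compliance'"

# Part 2a: "block" policies, one per direction, so the wall holds whichever side
# initiates the chat, call or meeting invite.
New-InformationBarrierPolicy -Name "Research-Sales-Block" `
    -AssignedSegment "Research" -SegmentsBlocked "Sales" -State Inactive
New-InformationBarrierPolicy -Name "Sales-Research-Block" `
    -AssignedSegment "Sales" -SegmentsBlocked "Research" -State Inactive

# Part 2b: an "allow" policy. Compliance may communicate only with Research.
New-InformationBarrierPolicy -Name "Compliance-Allow-Research" `
    -AssignedSegment "Compliance" -SegmentsAllowed "Research" -State Inactive

# Policies are created Inactive so a mis-typed filter cannot cut users off before
# review. Read back the filters and policy wiring first.
Get-OrganizationSegment | Select-Object Name, UserGroupFilter
Get-InformationBarrierPolicy |
    Select-Object Name, AssignedSegment, SegmentsBlocked, SegmentsAllowed, State

"Research-Sales-Block", "Sales-Research-Block", "Compliance-Allow-Research" | ForEach-Object {
    Set-InformationBarrierPolicy -Identity $_ -State Active
}

# Part 3: apply. The application job runs in the background; poll until it completes.
Start-InformationBarrierPoliciesApplication
Get-InformationBarrierPoliciesApplicationStatus -All
```

A segment can be assigned to only one policy, which is why the "allow" form is the compact way to express "may talk to these segments and nobody else" for a small team, while the "block" form is the natural one for two large segments that must stay apart.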

Page 113: Microsoft Security Virtual Training Day: Protect Sensitive ...

Information barriers in Microsoft Teams

Information barrier policies are activated when the following Teams events take place:

Members are added to a team

A new chat is requested

A user is invited to join a meeting

A screen is shared between two or more users

A user places a phone call (VOIP) in Teams

Guest users in Teams

Page 114: Microsoft Security Virtual Training Day: Protect Sensitive ...

Ethical walls in Exchange Online

An ethical wall is a zone of non-communication between distinct departments of a business or organization

An ethical wall typically spans multiple methods of communication, such as telephone, e-mail, postal mail, and direct person-to-person communication

Exchange transport rules can be configured to support ethical walls by helping to prevent email messages from being sent between specific groups of recipients within your organization

Exchange transport rules should be treated as one part of an overall suite of tools or processes that are deployed throughout your organization to help enforce an ethical wall policy
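
One transport rule that enforces the mail leg of an ethical wall, as an added Exchange Online PowerShell example that is not code from the training deck. It assumes a Connect-ExchangeOnline session exists and that both distribution groups already exist; the group names, the reject text and the exception address are placeholders.

```powershell
# Added example (not from the training deck): block mail in both directions between
# two groups with a transport rule. Assumes Connect-ExchangeOnline has run and both
# groups exist; group names, reject text and the exception address are placeholders.

$groupA   = "Investment Banking"   # placeholder distribution group
$groupB   = "Research Analysts"    # placeholder distribution group
$ruleName = "Ethical wall: banking and research"

# BetweenMemberOf1/BetweenMemberOf2 match mail sent either way between the two groups,
# so one rule covers both sides. Start in Audit mode: matches are recorded but the
# message is still delivered, which lets the rule be checked against real traffic.
New-TransportRule -Name $ruleName `
    -BetweenMemberOf1 $groupA -BetweenMemberOf2 $groupB `
    -RejectMessageReasonText "Mail between these teams is blocked by the ethical wall policy. Contact Compliance." `
    -RejectMessageEnhancedStatusCode "5.7.1" `
    -ExceptIfFrom "compliance@contoso.example" `
    -Priority 0 `
    -Mode Audit `
    -Comments "Ethical wall programme; supervised exceptions route via the compliance mailbox"

# Priority 0 evaluates first. A rule with a lower number that stops further rule
# processing would otherwise shadow the wall, so review the order.
Get-TransportRule | Sort-Object Priority | Select-Object Priority, Name, Mode, State

# Once the audit matches look right, switch the rule to Enforce so messages are rejected.
Set-TransportRule -Identity $ruleName -Mode Enforce
```

The exception is the supervised channel the slide's "suite of tools or processes" implies: a compliance mailbox that may relay between the groups, and whose traffic is itself covered by communication compliance review.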

Page 115: Microsoft Security Virtual Training Day: Protect Sensitive ...

Demo


Page 117: Microsoft Security Virtual Training Day: Protect Sensitive ...

Discover and Respond• Content Search• Audit Log Investigations• Advanced eDiscovery

Page 118: Microsoft Security Virtual Training Day: Protect Sensitive ...

Content Search explained

In contrast to eDiscovery searches, the Content Search feature in the Security and Compliance Center has no limits on the number of mailboxes and sites that you can search

Content Search contains enhanced performance capabilities that are useful when running very large eDiscovery searches

After you run a Content Search, the number of content sources and an estimated number of search results are displayed for:

Exchange Online mailboxes and public folders

SharePoint Online sites and OneDrive for Business accounts

Skype for Business conversations

Microsoft Teams messages and sites

Microsoft 365 Groups messages and sites

To-Dos and MyAnalytics

Page 119: Microsoft Security Virtual Training Day: Protect Sensitive ...

Design your Content Search

You should consider the following questions when designing a Content Search:

Who should create and run the content search?

What type of content search do you want to create (for example, New search, Guided search, Search by ID list, and so on)?

What keywords should be used for the search?

What conditions should be used (for example, type of data, sender, date, subject, and so on)?

Do you want to search all locations, or only specific locations (for example, SharePoint, Microsoft Teams, and so on)?

Page 120: Microsoft Security Virtual Training Day: Protect Sensitive ...

Configure search permissions

Filtered search permissions can be configured to allow an eDiscovery manager to search only a subset of mailboxes and sites in a Microsoft 365 organization

Search permissions filtering is configured by creating a filter that uses a supported recipient filter to limit which mailboxes can be searched

Search permissions filtering is configured and managed by using the following Security & Compliance Center cmdlets:

New-ComplianceSecurityFilter

Get-ComplianceSecurityFilter

Set-ComplianceSecurityFilter

Remove-ComplianceSecurityFilter

Page 121: Microsoft Security Virtual Training Day: Protect Sensitive ...

Search for third-party data

The Content Search feature in the Security & Compliance Center enables you to search for items that were imported into mailboxes in Microsoft 365 from a third-party data source

You can create a query to search all imported third-party items, or you can create a query to only search specific third-party items

To search or place a hold on any type of third-party data that you’ve imported into Microsoft 365, you can use the kind:externaldata message property-value pair
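
The search permissions filter from the Page 120 slide followed by the kind:externaldata search from this one, as an added Security & Compliance PowerShell example that is not code from the training deck. It assumes a Connect-IPPSSession session exists; the manager address, the filter and search names and the country value are placeholders.

```powershell
# Added example (not from the training deck): scope an eDiscovery manager's searches
# with a compliance security filter, then run a Content Search for imported
# third-party data. Assumes Connect-IPPSSession has run; the UPN, names and the
# country value are placeholders.

$manager = "ediscovery-mgr@contoso.example"   # placeholder

# Page 120: this manager may search only mailboxes whose CountryOrRegion is Canada.
# -Action Search scopes searching alone; Export, Preview, Purge and All are the others.
# The filter binds to the named user, not to whoever runs this script.
New-ComplianceSecurityFilter -FilterName "Canada-mailboxes-only" `
    -Users $manager `
    -Filters "Mailbox_CountryOrRegion -eq 'Canada'" `
    -Action Search

# Review every filter in force before trusting any scoped search result.
Get-ComplianceSecurityFilter | Select-Object FilterName, Users, Filters, Action

# Page 121: kind:externaldata matches only items imported from third-party sources.
New-ComplianceSearch -Name "Imported third-party data" `
    -ExchangeLocation All `
    -ContentMatchQuery "kind:externaldata"
Start-ComplianceSearch -Identity "Imported third-party data"

# Poll until the estimate is ready, then read the source and item counts (Page 118).
do {
    Start-Sleep -Seconds 15
    $search = Get-ComplianceSearch -Identity "Imported third-party data"
} while ($search.Status -ne "Completed")
$search | Select-Object Name, Status, Items, Size

# Clean-up when the engagement ends, so the scope does not outlive its purpose:
# Remove-ComplianceSecurityFilter -FilterName "Canada-mailboxes-only"
```

To narrow the search to one kind of imported item, append the connector's item-class condition to the ContentMatchQuery with AND; the slide's kind:externaldata term stays as the outer scope.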

Page 122: Microsoft Security Virtual Training Day: Protect Sensitive ...

Manage GDPR data subject requests

To manage investigations in response to a DSR submitted by a person in your organization, you can use the DSR case tool in the Office 365 Security & Compliance Center to find content stored in:

Any user mailbox in your organization. This includes Skype for Business conversations and one-to-one chats in Microsoft Teams

All mailboxes associated with an Office 365 Group and all team mailboxes in Microsoft Teams

All SharePoint Online sites and OneDrive for Business accounts in your organization

All Teams sites and Office 365 Group sites in your organization

All public folders in Exchange Online

Page 123: Microsoft Security Virtual Training Day: Protect Sensitive ...

Audit log search explained

You can search for the following types of activity in Microsoft 365:

User activity in SharePoint Online and OneDrive for Business

User activity in Exchange Online (Exchange mailbox audit logging)

Admin activity in SharePoint Online

Admin activity in Azure Active Directory

Admin activity in Exchange Online

User and admin activity in Sway

User and admin activity in Power BI for Microsoft 365

User and admin activity in Microsoft Teams

User and admin activity in Yammer

Depending on the Microsoft 365 service, it can take up to 30 minutes or up to 24 hours after an event occurs for the corresponding audit log entry to be displayed in the search results

Page 124: Microsoft Security Virtual Training Day: Protect Sensitive ...

Configure audit policies

Microsoft 365 auditing policies enable organizations to log events, such as viewing, editing, and deleting content like email messages, documents, task lists, issues lists, discussion groups, and calendars

Auditing can be configured to log events such as the following:

Editing a document or item

Viewing a document or item

Checking a document in or out

Changing the permissions for a document or item

Deleting a document or item

Page 125: Microsoft Security Virtual Training Day: Protect Sensitive ...

View and retain the search results

Once auditing is turned on, a Microsoft 365 administrator or compliance officer can search for hundreds of individual types of events from multiple Microsoft 365 services for the following reasons:

Discover user and administrator activities

Find eDiscovery-related activities performed by administrators and compliance managers

Page 126: Microsoft Security Virtual Training Day: Protect Sensitive ...

Filter search results

In addition to searching for a specific user or activity, you can also filter the results of an audit log search for a specific user or activity

Do the following to filter the results:

1. Run an audit log search

2. When the results are displayed, click Filter results

Page 127: Microsoft Security Virtual Training Day: Protect Sensitive ...

Export search results

The results of an audit log search can be exported to a comma separated value (CSV) file on your local computer

This enables you to open the file in Microsoft Excel and use features such as search, sort, filter, and split a single column (that contains multi-value cells) into multiple columns
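
The search, filter and export steps from the Page 123 to 127 slides as one Exchange Online PowerShell example, added here and not code from the training deck. It assumes a Connect-ExchangeOnline session exists; the seven-day window, the SharePoint file operations and the user address are placeholders. It also covers the Page 105 prerequisite of turning unified audit logging on, and it expands the AuditData JSON into columns before export so the multi-value column the slide mentions does not need splitting in Excel.

```powershell
# Added example (not from the training deck): search the unified audit log, filter
# the results and export them to CSV. Assumes Connect-ExchangeOnline has run; the
# date window, operations and the user UPN are placeholders.

# Precheck (Page 105, step 2): nothing is recorded unless unified audit logging is on.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

$start     = (Get-Date).AddDays(-7)
$end       = Get-Date
$sessionId = "FileOps-" + (Get-Date -Format "yyyyMMddHHmmss")
$all       = @()

# Large result sets are paged: repeat the call with the same SessionId and
# ReturnLargeSet until a page comes back empty.
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -RecordType SharePointFileOperation `
        -Operations FileDeleted, FileDownloaded `
        -ResultSize 5000 -SessionCommand ReturnLargeSet -SessionId $sessionId
    $all += $page
} while (@($page).Count -gt 0)

# AuditData is a JSON string; expand the fields worth filtering and sorting on.
$rows = $all | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $_.CreationDate
        User      = $d.UserId
        Operation = $d.Operation
        ClientIP  = $d.ClientIP
        Item      = $d.ObjectId
        Workload  = $d.Workload
    }
}

# Page 126: narrow to one user and one activity without re-running the search.
$suspect  = "user@contoso.example"   # placeholder
$filtered = $rows | Where-Object { $_.User -eq $suspect -and $_.Operation -eq "FileDeleted" }

# Page 127: CSV for Excel, one column per field, sorted by time for a timeline.
$filtered | Sort-Object Time | Export-Csv -Path ".\audit-filedeletes.csv" -NoTypeInformation
"{0} records retrieved, {1} kept after filtering" -f @($rows).Count, @($filtered).Count
```

The latency the Page 123 slide describes applies here too: an event from the last half hour to 24 hours may not be in the log yet, so a negative result inside that window is not evidence that nothing happened.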

Page 128: Microsoft Security Virtual Training Day: Protect Sensitive ...

Advanced audit

High value events to power quicker investigations

Processed insights to show context and key patterns

Longer-term retention to meet investigation and compliance requirements

Near real-time access to data to enable fast access to audit events

Page 129: Microsoft Security Virtual Training Day: Protect Sensitive ...

Advanced eDiscovery explained

Pain points of “collect and export”:

Move sensitive data to other systems

Work with disjointed tools

Lose insights in large amounts of data

Advanced eDiscovery design principles:

Collect and discover data where it is

Manage end-to-end workflows in one solution

Find relevant data and insights intelligently

Export

Page 130: Microsoft Security Virtual Training Day: Protect Sensitive ...

Advanced eDiscovery workflow

1 Add custodians to a case

2 Search custodial data sources for relevant data

3 Add data to a review set

4 Review and analyze data in a review set

5 Export and download case data

Page 131: Microsoft Security Virtual Training Day: Protect Sensitive ...

Configure and use Advanced eDiscovery

When working with Advanced eDiscovery, you need to create an eDiscovery case and assign users to it, using the following steps:

Step 1: Assign eDiscovery permissions to potential case members

Step 2: Create a new case

Step 3: Add members to a case

Step 4: Open your case in Advanced eDiscovery

Page 132: Microsoft Security Virtual Training Day: Protect Sensitive ...

Explore the Advanced eDiscovery workflow

After an eDiscovery case is created, follow these steps to create and run one or more Content Searches that are associated with the case to have data available to analyze in Advanced eDiscovery:

Step 1: Create and run a Content Search associated with a case

Step 2: Prepare search results for Advanced eDiscovery

Step 3: Add the search results data to the case in Advanced eDiscovery

Page 133: Microsoft Security Virtual Training Day: Protect Sensitive ...

Analyze data in Advanced eDiscovery

Analyzing data applies the following functionality to the included files:

Identifies and organizes the loaded files into groups of unique files, duplicates, and near-duplicates

Identifies and organizes emails into hierarchically structured groups of email threads, based on the progressive inclusiveness of the emails

Enables the use of Themes in Advanced eDiscovery processing and file batching

Page 134: Microsoft Security Virtual Training Day: Protect Sensitive ...

Analyze data in Advanced eDiscovery (continued)

Enables you to set parameters, run options, and view the results, as follows:

Analyze setup. Allows settings to be specified before running Analyze on the files

Analyze results. Displays metrics of the analysis

Page 135: Microsoft Security Virtual Training Day: Protect Sensitive ...

Demo

Page 136: Microsoft Security Virtual Training Day: Protect Sensitive ...

Additional resources for Security

Contact Microsoft FastTrack for assistance setting up your organization for remote work.

https://www.microsoft.com/fasttrack

Become Microsoft 365 Certified! Earn a Security Administrator Associate certification.

https://docs.microsoft.com/en-us/learn/certifications/m365-security-administrator

You can find more free Security training modules on Microsoft Learn!