To comply with business standards and industry regulations, organisations must protect sensitive information and prevent its inadvertent disclosure. Sensitive information can include financial data or personally identifiable information (PII) such as credit card numbers, social security numbers, or health records. With a data loss prevention (DLP) policy in the Office 365 Security and Compliance Center, you can identify, monitor, and automatically protect sensitive information across Office 365.
In this blog post I will go through the process of preventing users from forwarding emails containing UK Financial Data to anyone outside the organisation. The UK Financial Data category includes the following sensitive information types by default:
Credit Card Number
EU Debit Card Number
1. Log in to the Microsoft 365 Portal and click Security Admin Center
2. Click Data Loss Prevention and click Policy
3. Click + Create a policy
4. For the purpose of this demo I am configuring a policy to protect UK Financial Data. As you can see from the screenshot below, Microsoft have already defined what requires protecting.
You also have the option to protect other information relating to Medical and Health or Privacy, or to select a custom sensitive information type or label you have already created.
5. Click Next
6. Give your policy a name and description, then click Next
7. Here you could select to protect all documents including UK Financial Data from locations such as Exchange email, Teams Chats and Channel Messages and OneDrive and SharePoint Documents. Or choose a specific location.
8. For the purpose of this demo, I am only selecting Exchange Email, so I have selected ‘Let me choose specific locations’. Click Next
9. Here are the options where you select the location and include or exclude groups.
10. For the purpose of this demo, I have selected Exchange Email as the location and allowed the policy to apply to all users. Click Next
11. I want to detect when the content including UK Financial Data is shared with people outside my organisation. The other option is only with people inside my organisation.
Before I move on you may have noticed the option, Use advanced settings. This is where you can configure the scoring for low volume and high volume of content detected.
Clicking ‘low volume of content’ displays the screen below with the default criteria set up by Microsoft. The default scoring can be amended and you can also add additional criteria/conditions.
The advanced settings option can also be useful if you wish to add an exception, for example, you may want to exclude a partner domain from the policy, configure user notifications, enable incident reports, configure override or customise policy tips or email text, and more. I would recommend that you review the various options.
Note: you can always edit the policy including advanced settings at a later time.
12. Back at the original screen I click next
13. here are the default settings
14. For the purpose of this demo, I have amended ‘Detect when content that’s being shared contains at least 1 instance’ and selected ‘Block people from sharing and restrict access to shared content’.
Customize the tip and email – provides the information below. I will leave this as the default but you could amend now or at a later date.
Send incident reports in email – displays the information below. You may wish to exclude certain information from the incident report, or add additional people to receive notifications.
15. Click next and we come to the screen below. Configure as required and click Next
To block people outside your organisation, you must go back to the ‘Customize the type of content you want to protect’ page and choose to detect content that’s shared with people outside your organization.
If you wish to warn the user but allow them to override the policy, see options below.
16. After clicking Next, the screen below appears where you have the options to turn on the policy right away, leave it disabled or test it out. Select your preferred option and click Next.
17. Review the settings, edit if required and click Create, and that’s the policy created.
Click the policy if you wish to edit any of the settings. The window below appears to allow you to edit or delete the policy as required.
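The same policy can be built with Security & Compliance PowerShell instead of the portal, which is handy for repeatable deployments and for reviewing exactly what a policy does. The block below is an added example, not code from the original post or from Microsoft: it assumes the ExchangeOnlineManagement module is installed, that the signed-in account holds a compliance admin role, and uses placeholder addresses (admin@contoso.example, soc@contoso.example) and a placeholder partner domain (partner.example) for the exception described under advanced settings. It starts the policy in test mode so matches can be reviewed before enforcement is switched on.

```powershell
# Added example (not from the original post): the UK Financial Data DLP policy for
# Exchange email built with Security & Compliance PowerShell.
# Assumptions: ExchangeOnlineManagement module installed; UPN, SOC mailbox and
# partner domain below are placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName admin@contoso.example

$policyName = "UK Financial Data - Exchange"

# Policy scoped to Exchange email only. Created in test mode (with policy tips) first
# so false positives surface before anything is blocked.
New-DlpCompliancePolicy -Name $policyName `
    -Comment "Blocks external sharing of UK financial data (demo)" `
    -ExchangeLocation All `
    -Mode TestWithNotifications

# Rule: at least 1 instance of either default UK Financial Data type, shared with
# people outside the organisation, except to the partner domain.
New-DlpComplianceRule -Name "$policyName - block external" `
    -Policy $policyName `
    -ContentContainsSensitiveInformation @(
        @{ Name = "Credit Card Number";   minCount = "1" },
        @{ Name = "EU Debit Card Number"; minCount = "1" }
    ) `
    -AccessScope NotInOrganization `
    -ExceptIfRecipientDomainIs "partner.example" `
    -BlockAccess $true `
    -BlockAccessScope All `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText "This message contains UK financial data and cannot be sent outside the organisation." `
    -GenerateIncidentReport "soc@contoso.example" `
    -IncidentReportContent Title, Severity, Detections, RulesMatched `
    -ReportSeverityLevel High
# To warn users but let them override with a reason (the override option in the post),
# add: -NotifyAllowOverride WithJustification

# Review what was created before enforcing it
Get-DlpComplianceRule -Policy $policyName |
    Format-List Name, AccessScope, BlockAccess, ExceptIfRecipientDomainIs, ContentContainsSensitiveInformation

# Once the test-mode reports look right, enforce the policy:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

The incident report goes to the SOC mailbox rather than to the sender, so a mis-scoped rule is noticed by the people who tune it; the override switch is left commented out because a silent override defeats the point of a block rule unless the justification is actually reviewed.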
It would be great to know how you have found Microsoft 365 DLP. Please comment below if you have anything further to share. Thank you
Privileged Identity Management (PIM) is a service in Azure Active Directory (Azure AD) that enables you to manage, control, and monitor access to important resources in your organisation.
Privileged Identity Management provides time based and approval based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources that you care about. Here are some of the key features of Privileged Identity Management:
Provide just-in-time privileged access to Azure AD and Azure resources
Assign time-bound access to resources using start and end dates
Require approval to activate privileged roles
Enforce multi-factor authentication to activate any role
Use justification to understand why users activate
Get notifications when privileged roles are activated
Conduct access reviews to ensure users still need roles
Download audit history for internal or external audit
PIM requires an Azure AD Premium P2 or Enterprise Mobility + Security (EMS) E5 licence.
Ensure that your directory has at least as many Azure AD Premium P2 licenses as you have employees that will be performing the following tasks:
Users assigned as eligible to Azure AD or Azure roles managed using PIM
Users who are assigned as eligible members or owners of privileged access groups
Users able to approve or reject activation requests in PIM
Users assigned to an access review
Users who perform access reviews
Azure AD Premium P2 licences are not required for users who set up PIM, configure policies, receive alerts, or set up access reviews.
It can become confusing when working out the number of Azure AD P2 licences required so Microsoft have provided examples at the following link: Azure PIM Example Licence Scenarios
In this blog post I will go through the process of configuring Azure AD Roles in Privileged Identity Management (PIM). I will grant a user named Joe Bloggs eligible assignment for one of my Azure admin roles.
As mentioned above, to use PIM you must have an Azure AD P2 or Enterprise Mobility + Security (EMS) E5 licence. I currently have access to an E3 license which grants me access to an Azure AD P1 licence which is obviously not sufficient.
If you already have access to Azure AD P2, skip to the next section by scrolling down to section Configuring Azure Privileged Identity Management (PIM)
1. Firstly, I will sign up to a free 90 day Enterprise Mobility + Security (EMS) E5 trial account. As you can see from the screenshot below my licence assignment is currently Azure AD Premium P1.
and if I attempt to access PIM, I receive the message below
Microsoft offer trials for a number of their products including Azure AD P2 which will allow you to test Azure PIM. I’ll start with activating a free trial which can be ready within minutes as you’ll find out shortly.
2. Access Azure AD, click Licenses, click All products and click the + Try / Buy button as highlighted below
3. Enterprise Mobility + Security E5 includes Azure AD P2 and Microsoft offer a 90 day trial, so I selected this option. I’ll be going through further demos at a later date which require Enterprise Mobility + Security E5, so this licence will be useful.
4. Click Free Trial under the licence you wish to activate. In my case I clicked Free trial under Enterprise Mobility + Security E5
5. Click Activate
6. Wait for the product to activate which should take seconds
7. After activation my licence status still shows as Azure AD P1
8. Log out of the portal and back in and the correct version is now displayed
That’s the free trial sorted
Configuring Azure AD Roles – Azure Privileged Identity Management (PIM)
1. Log into the Azure Portal (portal.azure.com)
2. Search PIM and select Azure AD Privileged Identity Management
3. Click Azure AD roles
4. Click Assignments
5. I don’t have any assignments at the moment, click +Add Assignments
6. Select a role and member
For the purpose of this demo, I have selected the role Global Administrator and selected an existing user named Joe Bloggs from my directory. Click Next
7. For the purpose of this demo, I will select Eligible and leave the default at permanently eligible.
Eligible: A role assignment that requires a user to perform one or more actions to use the role. If a user has been made eligible for a role, they can activate the role when they need to perform privileged tasks. There’s no difference in the access given to someone with a permanent versus an eligible role assignment. An eligible administrator activates the role when they need it, and their permissions expire at a set time, until the next time the role is activated. The only difference is that some people don’t need that access all the time. So in my case, Joe Bloggs will be eligible, which means he will request access each time he requires the Global Administrator role (the default limit is 8 hours, after which his permissions are removed until he activates again). Permanently eligible means he will be allowed to continue to activate the role whenever he needs to perform privileged tasks. An end date for the eligibility can be configured instead, for example so that users can activate access for 8 hours at a time for up to 1 year, rather than being able to activate the role indefinitely. I’ll cover more on this as we move on.
Active: A role assignment that doesn’t require a user to perform any action to use the role. Users assigned as active have the privileges of the role at all times, but the assignment can be set up so access is removed on a certain date.
Continuing with Active assignment, this option provides a user with permanent access or access up to a date set by the administrator. See screenshot below. In this case, the user will have access to the assigned role permanently or until a set expiry date. A further text box appears, as shown below, requesting a justification for why the admin is granting the user an active assignment.
8. For the purpose of this demo, I have selected eligible. Click Assign when ready
9. Now that Joe Bloggs has been granted an eligible assignment, I will log in as Joe Bloggs and demonstrate what Joe Bloggs will see.
10. When logging in as Joe Bloggs, I am prompted to enable MFA.
11. With MFA configured, I can now move on to logging in as Joe Bloggs. Now that I am logged in, Joe Bloggs is still a basic user without global admin permissions, which is normal. He can’t create accounts within Azure AD or perform any other administrative tasks which require elevated permissions. Access is disabled.
12. Joe Bloggs will need to activate his eligible assignment within PIM. Whilst still logged in as Joe Bloggs, I search for PIM and click Azure AD Privileged Identity Management
13. Click My roles
14. The eligible assignment is displayed with an Activate link as shown below. Click Activate
If the user skipped MFA at the initial logon stage, as shown in the screenshot below, the user will be prompted to authorise via MFA which is enforced by a default enabled setting within PIM. I’ll explain where this option is found shortly. If you wish to disable the below 14 day reminder, you can have a read of the following link later – Disable Skip MFA prompt
15. After clicking activate, Joe Bloggs receives the below prompt
Duration: maximum of 8 hours access. After the 8 hours, Joe Bloggs’ access will be revoked and he will have to activate his assignment again. Joe Bloggs was granted permanent eligibility, which allows him to activate his eligible assignment whenever required.
Custom activation: If Joe Bloggs requires admin access in the future, he could select the option Custom activation start time and select a date and time he would like his 8 hours access to begin. In the example below, I have configured the time for a time in the past.
16. When ready, click activate
17. Activation has been scheduled
If I check access from my account, I’ll find that Joe Bloggs has been granted access without any further action required from me
From here you could also cancel Joe Bloggs access by clicking the Cancel link
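Both halves of the flow above (the admin creating the eligible assignment in steps 5–8, and Joe activating it for 8 hours in steps 14–16) can also be driven through the Microsoft Graph PowerShell SDK. The block below is an added example, not code from the original post or from Microsoft. It assumes the Microsoft.Graph.Identity.Governance and Microsoft.Graph.Users modules are installed and uses a placeholder UPN for Joe; the role is looked up by display name so no template GUID has to be hard-coded. The cancel cmdlet name at the end is an assumption on my part and is left commented out.

```powershell
# Added example (not from the original post): PIM eligible assignment (admin side)
# and self-activation (user side) via the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph.Identity.Governance + Microsoft.Graph.Users installed;
# joe.bloggs@contoso.example is a placeholder UPN.

# ---- Admin side: make Joe permanently eligible for Global Administrator ----
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "User.Read.All"

$joe  = Get-MgUser -Filter "userPrincipalName eq 'joe.bloggs@contoso.example'"
# Look the role up by name rather than hard-coding its template GUID
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'"

$eligibility = New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter @{
    action           = "adminAssign"
    justification    = "Demo: Joe Bloggs eligible for Global Administrator"
    roleDefinitionId = $role.Id
    directoryScopeId = "/"                       # whole directory
    principalId      = $joe.Id
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        expiration    = @{ type = "noExpiration" }   # = "permanently eligible"
        # One-year eligibility window instead of permanent eligibility:
        # expiration = @{ type = "afterDateTime"
        #                 endDateTime = (Get-Date).AddYears(1).ToUniversalTime().ToString("o") }
    }
}
$eligibility.Status        # expect "Provisioned"

# ---- Joe's side (a separate session signed in as Joe): activate for 8 hours ----
# Joe only needs the role ID value ($role.Id above), not the admin's session.
Connect-MgGraph -Scopes "RoleAssignmentSchedule.ReadWrite.Directory", "User.Read"
$meId = (Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/me").id

$activation = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter @{
    action           = "selfActivate"
    justification    = "Password reset for a locked-out user (ticket placeholder)"
    roleDefinitionId = $role.Id
    directoryScopeId = "/"
    principalId      = $meId
    scheduleInfo     = @{
        # The portal's "custom activation start time": set this to a future timestamp
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        expiration    = @{ type = "afterDuration"; duration = "PT8H" }   # the default 8-hour limit
    }
}
$activation.Status         # "Provisioned" with no approver; "PendingApproval" once approval is required

# ---- Admin side again: confirm the resulting active assignment ----
Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -Filter "principalId eq '$($joe.Id)'" |
    Select-Object RoleDefinitionId, AssignmentType, StartDateTime, EndDateTime

# Equivalent of the portal's Cancel link on a scheduled or pending request
# (cmdlet name assumed; verify with Get-Command *RoleAssignmentScheduleRequest*):
# Stop-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -UnifiedRoleAssignmentScheduleRequestId $activation.Id
```

The activation request carries the justification and duration as data, so the same audit trail the post later reads under PIM > Azure AD Roles > Audit is produced whether the user activates in the portal or from a script.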
Those are the default settings, but what if you wish to increase the default 8 hour access limit? Or you would like the request to go to a team of approvers for review before Joe Bloggs is granted access? Or you require 8 hours access for the Global Administrator role but 10 hours access for the Exchange Administrator role? Let’s move on to where these settings are configured.
Configuring Azure AD Privileged Identity Management Azure AD role settings
1. Click Azure AD Privileged Identity Management
2. Click Azure AD roles
3. Click Settings
4. Here you can apply different configuration settings based on roles. For the purpose of this demo, I will be configuring the Global Administrator role.
5. After clicking the Global Administrator Role, you’ll find the below settings. Review and click Edit
6. The first window displays a number of settings including the default 8 hour access. You can extend this to 24 hours if required
Azure MFA is enabled by default, which enforces MFA while activating the assignment.
Require justification: requests a reason why the user requires access
Require ticket information: you may have a process where the user requiring access needs to input a ticket or change number
Require approval to activate: this feature is an important one. Setting approvers adds an additional check before a user’s assignment is activated. After the user activates the assignment, the request goes into a pending approval list, which allows an approver to review it and approve or deny access accordingly.
Note: each approver will need to be assigned an Azure AD P2 licence
To allow me to demo the approval process, I have enabled require approval to activate and added a single user as an approver.
Before I move on and demo the approval process, clicking the Assignments button moves us on to the next screen below. You may wish to leave the defaults or set an expiry. For example, you could configure the policy below so that users are eligible to elevate their account into the assigned role for one year instead of being eligible forever. The same applies for active assignments.
Finally, the next screen is where you can configure email notifications
7. When ready, click the update button. Note the below fields which can be useful.
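The role settings from steps 5–7 (a 24 hour maximum activation, MFA plus justification and ticket information on activation, approval by a single named approver, and a one year eligibility expiry) are stored in Graph as rules on the role's management policy. The block below is an added example, not code from the original post or from Microsoft: it assumes the Microsoft.Graph.Identity.Governance and Microsoft.Graph.Users modules are installed and uses a placeholder approver UPN. The rule IDs are the ones Graph documents for PIM role policies; the exact shape of the approval-stage object is my reading of that schema and should be checked against a `Get-MgPolicyRoleManagementPolicyRule` dump of your tenant before use.

```powershell
# Added example (not from the original post): Global Administrator role settings via
# the Microsoft Graph PowerShell SDK. Assumptions: Microsoft.Graph.Identity.Governance
# and Microsoft.Graph.Users installed; pim.approver@contoso.example is a placeholder.
Connect-MgGraph -Scopes "RoleManagementPolicy.ReadWrite.Directory", "RoleManagement.Read.Directory", "User.Read.All"

$role     = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'"
$approver = Get-MgUser -Filter "userPrincipalName eq 'pim.approver@contoso.example'"

# Each directory role has its own policy; find the one bound to this role at tenant scope
$policyId = (Get-MgPolicyRoleManagementPolicyAssignment `
    -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$($role.Id)'").PolicyId

# Target block shared by the end-user activation rules
$activationTarget = @{ caller = "EndUser"; operations = @("all"); level = "Assignment"
                       inheritableSettings = @(); enforcedSettings = @() }

# 1. Maximum activation duration: default 8 hours -> 24 hours
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Expiration_EndUser_Assignment" -BodyParameter @{
        "@odata.type"        = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
        id                   = "Expiration_EndUser_Assignment"
        isExpirationRequired = $true
        maximumDuration      = "PT24H"
        target               = $activationTarget
    }

# 2. What the user must supply on activation: MFA, justification and ticket number
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Enablement_EndUser_Assignment" -BodyParameter @{
        "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule"
        id            = "Enablement_EndUser_Assignment"
        enabledRules  = @("MultiFactorAuthentication", "Justification", "Ticketing")
        target        = $activationTarget
    }

# 3. Require approval by one named approver (who must hold an Azure AD P2 licence)
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Approval_EndUser_Assignment" -BodyParameter @{
        "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule"
        id            = "Approval_EndUser_Assignment"
        setting       = @{
            isApprovalRequired               = $true
            isApprovalRequiredForExtension   = $false
            isRequestorJustificationRequired = $true
            approvalMode                     = "SingleStage"
            approvalStages                   = @(@{
                approvalStageTimeOutInDays      = 1
                isApproverJustificationRequired = $true
                escalationTimeInMinutes         = 0
                isEscalationEnabled             = $false
                primaryApprovers                = @(@{ "@odata.type" = "#microsoft.graph.singleUser"; userId = $approver.Id })
                escalationApprovers             = @()
            })
        }
        target = $activationTarget
    }

# 4. Eligible assignments expire after one year instead of being permanent
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Expiration_Admin_Eligibility" -BodyParameter @{
        "@odata.type"        = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
        id                   = "Expiration_Admin_Eligibility"
        isExpirationRequired = $true
        maximumDuration      = "P365D"
        target               = @{ caller = "Admin"; operations = @("all"); level = "Eligibility"
                                  inheritableSettings = @(); enforcedSettings = @() }
    }

# Verify: list every rule on the policy and read back the ones just changed
Get-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId | Select-Object Id
```

Because the policy is per role, the scenario in the post (8 hours for Global Administrator but 10 hours for Exchange Administrator) is just the same script run twice with a different display name in the first lookup and a different `maximumDuration`.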
We can now move on and test the approval process.
Azure AD PIM Approval demo
I granted Joe Bloggs an eligible assignment earlier. The new settings I configured above will apply to Joe on his next eligible assignment activation.
1. I log in as Joe Bloggs
2. Click Azure PIM
3. Click My Roles
6. Type in justification details and click activate
7. After clicking activate, Joe Bloggs is not granted access immediately. His request is pending approval as shown below
8. The admin allocated as an approver earlier must review the request and decide whether to approve or deny access. Back over to my account, where I will review Joe Bloggs’ request. I will also receive an email to notify me that there is a request pending.
Access PIM > Azure AD Roles > Approve requests
9. Here is the pending request where I can review each case.
Note: Clicking approve or deny opens the window below allowing you review the details fully without having to expand the tabs above. A justification needs to be provided.
10. And Joe Bloggs’ access is approved. He will be granted access for 8 hours and does not need to take any further action to activate the role.
A complete audit of all actions carried out in PIM Azure AD Roles can also be located at: PIM > Azure AD Roles > Audit
Using Azure Active Directory (Azure AD) Privileged Identity Management (PIM), you can also improve the protection of your Azure resources and, as you can see below, of Privileged access groups, which were in preview at the time of writing this post.
Azure PIM also offers Access Reviews. Access to privileged Azure resource roles for employees changes over time. To reduce the risk associated with stale role assignments, you should regularly review access. You can use Azure Active Directory (Azure AD) Privileged Identity Management (PIM) to create access reviews for privileged Azure resource roles. You can also configure recurring access reviews that occur automatically. I will cover these topics in a further post.
Note: Azure AD P2 licences are required within your directory for users assigned to an access review and users who perform access reviews.
Feedback welcome, please comment below. It would also be great to hear about your experience using Azure PIM.
In this blog post I will go through the process of configuring an alert within the Microsoft 365 Compliance portal which will trigger an email whenever permissions are assigned to a mailbox.
1. From the 365 Admin Center locate and click Compliance, or visit the Compliance Admin Center directly via Security & Compliance (compliance.microsoft.com)
2. Click Policies
3. Expand Alert and click Office 365 alert
4. Click New Alert Policy
5. Complete details as required (Demo info below). Click Next
6. There are a number of activities to choose from. For the purpose of this demo, I have selected Granted Mailbox Permission
7. You could also add a condition based on IP address and username. For example, if you want to be alerted when a particular group of users assign permissions, you can do so here. Ignore the conditions box if you would like an alert to be triggered when any user in the organisation performs the action.
8. Click next and select your notification groups or emails. Click Next, review settings and click finish
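The same alert policy can be created from Security & Compliance PowerShell, and the audit log it is driven by can be queried directly, which is useful for confirming the alert fires and for looking back over permission grants that predate the policy. The block below is an added example, not code from the original post or from Microsoft. It assumes the ExchangeOnlineManagement module is installed and uses placeholder mailboxes; mapping the portal's "Granted Mailbox Permission" activity to the `Add-MailboxPermission` audit operation is my assumption, so confirm the operation name against the activity picker in your tenant.

```powershell
# Added example (not from the original post): alert on mailbox permission grants with
# New-ProtectionAlert, then read the underlying audit events.
# Assumptions: ExchangeOnlineManagement installed; admin/SOC addresses are placeholders;
# the portal activity "Granted Mailbox Permission" corresponds to the
# Add-MailboxPermission audit operation (assumed, verify in your tenant).
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName admin@contoso.example

# Fire an email to the SOC mailbox every time the activity occurs, for any user
New-ProtectionAlert -Name "Mailbox permission granted" `
    -Description "Alerts when any user grants permissions on a mailbox (demo)" `
    -Category AccessGovernance `
    -ThreatType Activity `
    -Operation Add-MailboxPermission `
    -AggregationType None `
    -Severity Medium `
    -NotifyUser "soc@contoso.example"

# Confirm the policy exists and is enabled
Get-ProtectionAlert -Identity "Mailbox permission granted" |
    Format-List Name, Operation, Severity, NotifyUser, Disabled

# Same data the alert consumes: who granted what on which mailbox in the last 7 days.
# AuditData is a JSON string; Parameters holds the cmdlet arguments that were used.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -RecordType ExchangeAdmin -Operations Add-MailboxPermission -ResultSize 500 |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Select-Object CreationTime, UserId, ObjectId,
        @{ Name = "Parameters"
           Expression = { ($_.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join " " } } |
    Sort-Object CreationTime -Descending |
    Format-Table -AutoSize
```

Granting `FullAccess` on someone else's mailbox is a common persistence step after an admin account is compromised, which is why this particular activity is worth an immediate, unaggregated alert rather than a daily digest.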
By default, Intune device limit restrictions set the maximum number of devices that a user can enrol into Intune (Microsoft Endpoint Manager). The default setting at the time of writing this blog post was 5 devices, with the option to configure up to a maximum of 15 devices.
In this blog post I will go through the process of how to reconfigure the default limit of 5.
1. Visit the Microsoft Endpoint Manager Admin Center at endpoint.microsoft.com
2. Click Devices from the left pane
3. Click Enrollment restrictions
4. As you can see below, the default device limit is set to 5. Click ‘All Users’ to edit the default policy, or create a new device limit restriction policy as shown below within the second image.
Note: you may have noticed an option to amend the default Device Type Restriction policy and the option to create a new policy. The device type restriction policy allows you to control which devices can enrol into Endpoint Manager. For example, you may only want to allow iPhone devices running a minimum version such as iOS 14.3, or you may want to block macOS. This is where you would configure such settings.
5. After clicking All users within the default device restrictions policy, click Properties
6. Click Edit
7. Configure as required. The options available are from 1 to 15; click your preferred option, click Review + save, and then Save again
Note: the priority of custom policies is used when a user exists in multiple groups that are assigned restrictions. Users are subject only to the highest priority restriction assigned to a group they are included in. For example, James is in group one, which is assigned priority 5 restrictions, and is also in group two, which is assigned priority 2 restrictions. James will be subject only to the priority 2 restrictions.
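The default device limit can also be changed through Microsoft Graph, which is useful when the same value has to be applied across several tenants. The block below is an added example, not code from the original post or from Microsoft. It assumes the Microsoft.Graph.DeviceManagement module is installed, that the default limit policy is the one named "All users" as shown in the portal (the type-specific `limit` value lives in the object's additional properties), and it rejects anything outside the 1 to 15 range the portal allows.

```powershell
# Added example (not from the original post): read and change the default Intune
# device limit restriction via the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph.DeviceManagement installed; the default limit policy is
# the one displayed as "All users" in the portal.
Connect-MgGraph -Scopes "DeviceManagementServiceConfig.ReadWrite.All"

function Get-DeviceLimitConfigurations {
    # Enrollment configurations come back as one mixed list; keep only the limit type.
    Get-MgDeviceManagementDeviceEnrollmentConfiguration -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.deviceEnrollmentLimitConfiguration' } |
        Select-Object Id, DisplayName, Priority, @{ Name = 'Limit'; Expression = { $_.AdditionalProperties['limit'] } }
}

function Set-DefaultDeviceLimit {
    param([Parameter(Mandatory)][int]$Limit)

    if ($Limit -lt 1 -or $Limit -gt 15) {
        throw "Device limit must be between 1 and 15 (requested: $Limit)"
    }

    $default = Get-DeviceLimitConfigurations | Where-Object { $_.DisplayName -like 'All users*' }
    if (-not $default) { throw "Default 'All users' device limit configuration not found" }

    # The @odata.type is required so Graph knows which derived type to update
    Update-MgDeviceManagementDeviceEnrollmentConfiguration `
        -DeviceEnrollmentConfigurationId $default.Id `
        -BodyParameter @{
            "@odata.type" = "#microsoft.graph.deviceEnrollmentLimitConfiguration"
            limit         = $Limit
        }

    # Read back to confirm
    Get-DeviceLimitConfigurations | Where-Object { $_.Id -eq $default.Id }
}

# Before: shows the default (5 at the time of the post) and any custom policies with their priority
Get-DeviceLimitConfigurations | Format-Table -AutoSize

# Raise the default from 5 to 10
Set-DefaultDeviceLimit -Limit 10
```

Listing the configurations with their priority before changing anything also answers the question in the note that follows: a user who falls under a custom restriction is governed by that policy's limit, not by the default you just edited.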
When you create a restriction, it’s added to the list just above the default policy and takes priority over the default policy.
As mentioned in this post earlier, device enrollment includes default restrictions for both device type and device limit restrictions. Both restrictions apply to all users by default unless they’re overridden by higher priority restrictions.
You may have noticed the prompts to try out the new Exchange Admin Center when logging into the Exchange Online Portal within Microsoft 365.
In this blog I will be documenting some of the useful additions to the new Exchange Admin Center.
If you have anything further to share, please do leave a comment below
A feature which stood out when accessing the new Exchange Admin Center was the ability to set an out of office for any users within your organisation. I’ll start with documenting where to perform this action. Note that this feature is also available from within the 365 Admin Center. I’ll go into detail on this shortly.
How to set Out of Office for users from the new Exchange Admin Center
1. From the new Exchange Admin Center, click Recipients and then Mailboxes
2. Click the user
3. Click Manage automatic replies
As mentioned earlier in this post, you can also configure Out Of Office replies for users from within the 365 Admin Center. I’ll go through the process below.
How to set Out Of Office replies from the Microsoft 365 Admin Portal
1. Log in to portal.office.com
2. Click Users > Active Users
4. Click Mail
5. Click Manage Automatic Replies
Back to the new Exchange Admin Center, I would like to move on to another feature which I found useful: the ability for IT admins to restore users’ deleted items from the Recoverable Items folder.
How to restore emails from a user’s Recoverable Items folder
1. Within the new Exchange Admin Center, click Recipients
2. Click Mailboxes
3. Click the user
4. Click Recover deleted items under More actions
5. The portal is shown below. If the deleted item still exists within the user’s Recoverable Items folder, you will be able to recover it back to the user’s mailbox. By default, emails are retained within the Recoverable Items folder for 14 days, but this can be configured to 30 days.
Note: users also have access to their own recoverable items folder and can restore emails as they wish. Users are also able to empty the recoverable deleted items folder and delete the emails permanently, unless you have a legal hold/retention in place.
The new portal available within the Exchange Admin Center offers a few useful options such as searching by time, words, item types and so on.
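Both of the admin tasks above (setting automatic replies on another user's mailbox, and searching and restoring items from their Recoverable Items folder) have direct Exchange Online PowerShell equivalents, including the 14 to 30 day retention change mentioned. The block below is an added example, not code from the original post or from Microsoft: it assumes the ExchangeOnlineManagement module is installed and uses placeholder addresses and a constructed subject keyword ("Invoice") for the search.

```powershell
# Added example (not from the original post): out-of-office and Recoverable Items
# admin tasks via Exchange Online PowerShell.
# Assumptions: ExchangeOnlineManagement installed; UPNs are placeholders; the
# "Invoice" subject filter is a constructed example.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

$user = "joe.bloggs@contoso.example"

# --- 1. Set a scheduled out-of-office on the user's behalf (one week, external replies to all)
Set-MailboxAutoReplyConfiguration -Identity $user `
    -AutoReplyState Scheduled `
    -StartTime (Get-Date) `
    -EndTime   (Get-Date).AddDays(7) `
    -InternalMessage "I am out of the office until next week. Please contact the service desk for urgent matters." `
    -ExternalMessage "I am out of the office until next week and will reply on my return." `
    -ExternalAudience All

Get-MailboxAutoReplyConfiguration -Identity $user |
    Format-List AutoReplyState, StartTime, EndTime, ExternalAudience

# --- 2. Search the Recoverable Items folder before touching anything
$since = (Get-Date).AddDays(-14)
$found = Get-RecoverableItems -Identity $user `
    -FilterItemType IPM.Note `
    -SubjectContains "Invoice" `
    -FilterStartTime $since -FilterEndTime (Get-Date) `
    -ResultSize 100
$found | Select-Object Subject, LastModifiedTime, LastParentPath, SourceFolder | Format-Table -AutoSize

# --- 3. Restore the matching items back to their original folders
if ($found) {
    Restore-RecoverableItems -Identity $user `
        -FilterItemType IPM.Note `
        -SubjectContains "Invoice" `
        -FilterStartTime $since -FilterEndTime (Get-Date)
}

# --- 4. Extend retention of deleted items from the 14-day default to the 30-day maximum
Set-Mailbox -Identity $user -RetainDeletedItemsFor 30.00:00:00
Get-Mailbox -Identity $user | Select-Object DisplayName, RetainDeletedItemsFor
```

The search is run and listed before the restore on purpose: the same `-SubjectContains` and time window are reused for both calls, so what gets restored is exactly what was reviewed.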
I find the new Exchange Admin Center is easier to navigate when managing users. Please do comment below and let me know your thoughts on the new Exchange Admin Center.
Another change which I find useful is the Groups menu. Groups are accessible from the classic Exchange Admin Center, by clicking Recipients and then the Groups link. All groups reside here. But, in the new Exchange Admin Center, Microsoft have split the groups menu as shown below.
Moving on, another change introduced by Microsoft is that Mailboxes and Shared Mailboxes are separated in the classic Exchange Admin Center, as shown below.
But, in the new Exchange Admin Center, both mailboxes and shared mailboxes exist in the same menu and can be filtered as required. See below.
If you have not already checked out the new Exchange Admin Center, give it a try and it would be great to know your feedback and any features you like or dislike within the new Exchange Admin Center.