Welcome to the Security and Compliance Center Series. This is part 1 of a 3-part series. At the bottom you will find the topics for part 2. In this series we will look at the following topics:
- Configure your Office 365 Tenant
- Retention and Deletion Policy
- Labels and Label Policy
- Supervision Policy
As you can see, this first part is all about policies. I highly recommend that you go through this article step by step. It just makes way more sense in the end. If you have any questions, don’t be afraIT to comment or write to me on Twitter.
If you are interested in my other series “Mastering common challenges with Office 365”, you can check that out, where I talk about PowerShell, OneDrive, SharePoint, SharePoint HubSites and Microsoft Teams, or you can read my most ridiculous article 🙂 about “How to use 7 tools to create 1 simple survey“. My goal is for you to have fun working with Microsoft tools.
Configure your Office 365 Tenant
Log in as your global administrator at https://portal.office.com or https://office.com and click on Security and Compliance Center. If you don’t see the app, go to the App launcher, All Apps and select Security and Compliance Center. You can also go directly to the Security and Compliance Center by clicking the link https://protection.office.com
Navigate to Search & investigation on the left side menu and click Audit log search. Click Start recording user and admin activities. Wait for the below message to disappear before running an Audit log search. This may take some time, so make sure that you enable it as early as possible, so you can use it when you need it.
Next, navigate to the Alerts – Dashboard. You probably get a notification, that this changed. It did in my tenant and looked different in the past.
Depending on your license you have more options. If you have an Office 365 Enterprise E5 license, you can check the Office 365 Cloud App Security under Manage advanced alerts and turn that on.
If you open the Alert – Dashboard for the first time you might get an indicator that you should click through. There is then a button called “Get started with Office 365 analytics”.
Next, go to the Exchange Online Admin Center: go to the Office 365 admin center and then, under Admin Centers, click on Exchange.
Then click the mail flow tab on the left-hand side and then go to “rules”. Check the rules and if you see an unneeded rule, delete that. You might see a rule called “Delete if sent outside the organization”. Delete this rule if not needed by clicking the rule and then click the delete Icon (Trashcan) at the top.
That’s all you should do to configure your tenant for now. Next is the retention and deletion policy topic as well as permissions.
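The same tenant checks can be read back from Exchange Online PowerShell. This is an added example, not part of the original walkthrough; it assumes the ExchangeOnlineManagement module is installed, and `admin@contoso.example` is a placeholder account.

```powershell
# Added example: verify audit logging and list mail flow rules for review.
# Assumption: ExchangeOnlineManagement module; placeholder admin account.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'

# 1. Audit logging: enable it only if it is still off, then read the state back.
$audit = Get-AdminAuditLogConfig
if (-not $audit.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}
Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled

# 2. Confirm that records are actually arriving. Right after enabling,
#    an empty result is expected, so this only warns.
$recent = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) `
    -EndDate (Get-Date) -ResultSize 10
if (-not $recent) {
    Write-Warning 'No audit records in the last 24 hours yet. Check again later.'
} else {
    $recent | Select-Object CreationDate, UserIds, Operations | Format-Table -AutoSize
}

# 3. Mail flow rules: list every rule so unneeded ones stand out.
#    Rules that delete messages or are scoped to external recipients
#    deserve a second look before anything is removed.
Get-TransportRule |
    Sort-Object Priority |
    Select-Object Name, State, Mode, Priority, SentToScope, DeleteMessage, WhenChanged |
    Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

The script only lists the mail flow rules; deleting one stays a deliberate manual step, as in the walkthrough above.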
Retention and Deletion Policy
On the left side menu in the Security and Compliance center, click Permissions (1). Click on Organization Management (2), scroll down and click Edit (3) on the same line as Members. Choose members, click the +Add button, select your global administrator account, and click the Add button at the bottom. Click the Done button at the bottom and then click the Save button.
Click eDiscovery Manager, scroll down and click Edit on the same line as eDiscovery Administrator. Click Choose eDiscovery Administrator, click the +Add button, select your global administrator account and click the Add button at the bottom. Then click the Done button at the bottom and then click the Save button.
Next click Data Governance and then click Retention. Then click “+ Create”.
Name the policy whatever you like. In this article I will show a retention policy for Microsoft Teams, which is quite new in the Security and Compliance Center.
If you want to know more about retention and Microsoft Teams you can check a great article by Tony Redmond and his at “What You Need to Know About Teams and Office 365 Retention Policies“.
I named the policy “3 Year Microsoft Teams Data Retention” and added the description “This policy retains all Microsoft Teams data for 3 years (1095 days). Created by Patrick afraIT”. Then click Next.
Select “Yes, I want to retain it”, ensure the first drop-down says, “For this long…”, update the second field to “3”, ensure the last drop-down is set to “years” and ensure the “Retain the content based on” field is “when it was created”. Click Next.
Ensure the option, “Let me choose specific locations” is selected. Toggle all off except for “Teams channel messages” and “Teams chats”. Click Next.
Verify all settings are correct and click “Create this policy”. The status for the policy will say, “On (Pending)”. Once it says, “On (Success)” the policy is active and is now retaining data based on the configuration of the policy. This can take some hours.
Next let us check the deletion policy.
Go again to Data Governance and then click Retention. Click the “+Create” button. Again, you can name the policy whatever you like. I created a deletion policy for “old” OneDrive data, so I named the policy “5 Day Deletion Policy” and added the description “This policy will delete any OneDrive data 5 days after it has been created. This policy will affect only the individual accounts included in the policy and isn’t an organization wide policy.”. I know, it does not make sense, but for demo purposes, it is a good way to show a little bit of variety. Then click on Next.
Select the option, “No, just delete content that’s older than”. Update the number field to “5”, the middle drop-down to “days” and the “Delete the content based on” drop-down to “when it was created”. Then click Next.
Ensure the option, “Let me choose specific locations” is selected. Toggle all off except for “OneDrive accounts”. Click next when completed.
Now verify all your settings and click “Create this policy”. Again, it takes up to 1 day, but it normally takes only a few hours or even less.
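Once both policies are created, their state and rules can be read back from Security & Compliance PowerShell and compared with what was entered in the wizard. This is an added example, not part of the original walkthrough; it assumes the ExchangeOnlineManagement module, the two policy names used above, and a placeholder account `admin@contoso.example`.

```powershell
# Added example: read back the two policies from this article and compare
# them with the values entered in the wizard (1095 days keep, 5 days delete).
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'admin@contoso.example'   # placeholder

$expected = @(
    @{ Name = '3 Year Microsoft Teams Data Retention'; Days = 1095; Action = 'Keep' }
    @{ Name = '5 Day Deletion Policy';                 Days = 5;    Action = 'Delete' }
)

$report = foreach ($e in $expected) {
    $policy = Get-RetentionCompliancePolicy -Identity $e.Name -DistributionDetail `
        -ErrorAction SilentlyContinue
    if (-not $policy) {
        [pscustomobject]@{ Policy = $e.Name; Result = 'MISSING'; Detail = 'policy not found' }
        continue
    }

    $rule = Get-RetentionComplianceRule -Policy $e.Name | Select-Object -First 1
    $problems = @()
    if (-not $policy.Enabled) { $problems += 'policy is disabled' }
    # DistributionStatus shows whether the policy has reached its locations.
    if ("$($policy.DistributionStatus)" -ne 'Success') {
        $problems += "distribution status: $($policy.DistributionStatus)"
    }
    if (-not $rule) {
        $problems += 'no rule attached'
    } else {
        if ("$($rule.RetentionDuration)" -ne "$($e.Days)") {
            $problems += "duration is $($rule.RetentionDuration), expected $($e.Days)"
        }
        if ("$($rule.RetentionComplianceAction)" -ne $e.Action) {
            $problems += "action is $($rule.RetentionComplianceAction), expected $($e.Action)"
        }
    }

    [pscustomobject]@{
        Policy = $e.Name
        Result = if ($problems) { 'CHECK' } else { 'OK' }
        Detail = $problems -join '; '
    }
}

$report | Format-Table -AutoSize -Wrap
Disconnect-ExchangeOnline -Confirm:$false
```

A policy that is still distributing shows up as CHECK with its current distribution status, so run the script again after a few hours before treating that as a problem.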
Labels and Label Policies
In your Security and Compliance Center go to Classifications (1) and then click Labels (2). Click “+Create a label” (3).
You can create a label for contracts, statements, offers etc. I will create one for contracts. So, you just enter “Contracts” as the name and you can also add a description for administrators and users. Click then Next.
Under Label Settings turn on the Retention and configure the settings as you need it. My retention is set to 7 years and this content gets deleted after that time. In addition, the label classifies the content as a record. Then click Next.
Review your settings and click on “Create this label”. You can add many more labels, but I think you get the idea of a label now.
Next go to the Classification menu in the left-hand side and click on “Label policies”. Then click on “Publish labels” at the top. Under Choose labels to publish click Choose labels to publish.
Under labels click “+Add” and select Contracts. Click Add, next click Done.
Then click Next and under “Choose locations” select “Let me choose specific locations”. Unselect all options except for OneDrive accounts and click Next.
Under Name your policy type “OneDrive Contracts” and click Next.
Under Review your Settings click Publish Labels and click Close.
Now let’s apply the label. Open your OneDrive for Business and upload a document. Select the file and click on the information icon in the upper right corner below your user account profile icon.
On the right-side info panel, you should see a similar picture as the one above. Click inside the “Apply label” column and select your label.
When you create a label policy for SharePoint you can add the label in the library settings and apply the label under “Apply label to items in this list or library”. After that, you can add the label column to your view to have a better overview.
Supervision Policy
Make sure you are again logged in as your global administrator and go to Permissions (1) in the Security and Compliance Center. Click on Supervisory Review (2) and add your global administrator to the Members (3).
On the left side menu click Data Governance (1) and then click Supervision (2). Then click “+Create” (3).
In this article I named the policy: Master Review and added as description “This policy is kind of god-like mode. The reviewer can “obviously” review emails.” and then click Next.
Under Supervise these users or groups, add your global admin account then click Next. Of course, you can supervise other users. But please make sure that you really should be supervising the selected user. It is probably not the best idea to supervise your CEO…
Under Choose communications to review, leave the default settings, then click Next. We want to monitor the inbound and outbound direction here for this demo.
Under Specify percentage to review, change the value from 10% to 100%, then click Next. This setting will then send every mail to supervision. A normal use-case would be e.g. to check randomly with a 10-20% setting some of your support people, if you are concerned about the language they write. Just an idea…
Under Choose reviewers, add your global admin account then click Next. Here could of course also be somebody of your security team, or other departments which are responsible for the use case.
Review your settings and click on Finish and Close.
To test your supervision policy, go to Outlook Online logged in as your global administrator and send a test email to yourself.
Wait a few minutes, refresh the page and verify if the Supervision mailbox, Supervision – Master Review appears. It should look then like my following screenshot:
Select the new email in the supervision mailbox and then click the Supervisory Review option under the sender.
Choose whatever suits you best and confirm.
Click the Compliant folder and you will see the message has been moved.
This is it for the Security and Compliance Center Series Part 1.
Part 2 is already almost ready and will contain the following topics: In-Place Archiving, Data Loss Prevention, Advanced Threat Protection and GDPR / DSGVO. Follow me on Twitter to stay up-to-date and share this article to help me spread the news!