Hey there! Welcome to my Security and Compliance Center Series. If you want to start with Part 1 and Part 2 you can check them out to get going. In this part we will cover the following topics:
- Content Search and eDiscovery Case Management
- Activity Alerting
- Office 365 Cloud App Security
- Multi-Factor Authentication
If you have a topic which I haven’t covered and you want to see an article, let me know via Twitter or in the comments below.
Looking for more series? Then check out my Master common challenges in Office 365 series, where I talk about PowerShell, OneDrive, SharePoint and Teams. There will also be an update soon about the new Teams Admin Center, and if you are just here to have a good time, I recommend checking out the “How to use 7 tools to create 1 simple survey” article. Most ridiculous article (available in German and English) I ever wrote 🙂
Content Search and eDiscovery Case Management
Start by logging in to the Office 365 portal and then go to the Security and Compliance Center. You can also go directly to https://protection.office.com. In the left side menu, click Permissions, scroll down to eDiscovery Administrator and add your global administrator.

Then, in the left side menu, go to Search and Investigation and click eDiscovery. Click the “+Create a case” button, add a case name such as “Diana Prince Review” and click Save. Of course, give your case a name that suits you.

Click the Open button next to the eDiscovery case you just created. Then click Hold in the top navigation and click “+ Create”.

Name your new hold and describe it, click Next, choose your locations, create a query and review your settings. Then create your hold.
After this it should look similar to my screen below:

Then go in the menu to “Search” to start your discovery and click on “+ New search”.

In the Search query menu you can enter keywords and add conditions. You can also specify the locations. It makes sense to choose the locations on hold if you followed the steps above. Then click “Save & run”, type in a name and description and start discovering.

In my demo I am able to discover all items in Diana's mailbox, for example a mail to my account.

In the Search overview you can also export your report by clicking the search and under “More” click on “Export report”.

You can then change the output options and then generate your report.

Then switch to the “Export” menu and after the generation is finished you can download the report.

You have to wait a while until the report is finished to download. So hang in there.
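The case, hold and search steps above can also be scripted. This is an added example, not part of the original walkthrough; it assumes the ExchangeOnlineManagement module is installed, and the account names, hold and search names and the query are placeholders (only the case name comes from the article).

```powershell
# Added example: script the eDiscovery case, hold and search from the steps above.
# Assumption: ExchangeOnlineManagement module; UPNs and query are placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'admin@contoso.example'

$caseName  = 'Diana Prince Review'            # case name used in the article
$custodian = 'diana.prince@contoso.example'   # placeholder mailbox
$query     = 'subject:"invoice"'              # placeholder keyword query

# Same effect as Permissions -> eDiscovery Administrator in the portal.
Add-eDiscoveryCaseAdmin -User 'admin@contoso.example'

$case = New-ComplianceCase -Name $caseName -Description 'Created by script'

# A hold consists of a policy (which locations) and a rule (which content).
$hold = New-CaseHoldPolicy -Name "$caseName - Hold" -Case $case.Name `
            -ExchangeLocation $custodian
New-CaseHoldRule -Name "$caseName - Hold rule" -Policy $hold.Name `
            -ContentMatchQuery $query

# Search the same location that was placed on hold.
$searchName = "$caseName - Search"
New-ComplianceSearch -Name $searchName -Case $case.Name `
            -ExchangeLocation $custodian -ContentMatchQuery $query
Start-ComplianceSearch -Identity $searchName

# The search runs asynchronously, so poll until it has finished.
do {
    Start-Sleep -Seconds 15
    $search = Get-ComplianceSearch -Identity $searchName
} while ($search.Status -ne 'Completed')

$search | Select-Object Name, Status, Items, Size
```

The final line shows how many items matched and their total size, which is a quick sanity check before exporting a report from the portal.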

Activity Alerting
With the built-in activity alerting you have a fast and easy way to be notified about activities you care about. In this guide I will show you how to set up an alert for when an admin deletes files from OneDrive or SharePoint.
Go to the “Alerts” section in the left menu and click “Dashboard”. In the “Other alerts” tile you will find the Activity alerts.

Please note that this is already being deprecated. You can use it now, but who knows the future, right?

You can also access it directly by opening the URL https://protection.office.com/#/managealerts
There you can click on “+ New alert policy” and define whatever you want to be alerted about. In the screenshot below you see my admin deletion alert.

Please note that it can take some time for the alert policy to become active. The more future-proof way of alerting is the next part: Office 365 Cloud App Security.
Office 365 Cloud App Security
If you have never used Office 365 Cloud App Security and you go from the “Alerts” section to “Manage advanced alerts”, you will probably see a screen where you have to enable it first. If you have a new tenant, you probably don’t have to do this.
In the Office 365 Cloud App Security portal, click Control in the top menu and select Policies.

Click “Create Policy” and select “Activity Policy”.

You can then choose between several templates or start your activity policy from scratch. For this demo I chose “Mass download by a single user”. After selecting a template, a warning is shown that the existing values will be replaced if you continue. After confirming, your template looks like this:

These templates are super helpful to get started. They also make the settings pretty clear, and you are still able to change the settings as you wish. This is for sure the better “Activity Alert”, but needless to say it is unfair to compare the two.
I highly recommend that you at least have a look at this and check whether you have a need for it. I definitely have multiple things in mind where these alerts come in handy. After following the steps above, you have to wait about one hour before you can check the alerts.
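To make clear what a policy like “Mass download by a single user” or the admin deletion alert evaluates, here is an added example (not Microsoft's implementation and not part of the original article) that applies a sliding-window threshold to audit records. The records are constructed and use the field names found in unified audit log entries; the function name, threshold and window are assumptions.

```powershell
# Added example: flag users who repeat one operation too often within a window.
# Threshold and window are assumed values, not the template's real settings.
function Find-ActivityBurst {
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        [string]   $Operation = 'FileDownloaded',
        [int]      $Threshold = 5,
        [timespan] $Window    = [timespan]::FromMinutes(1)
    )
    $hits = @($Records | Where-Object { $_.Operation -eq $Operation })
    foreach ($group in ($hits | Group-Object -Property UserId)) {
        $times = @($group.Group | ForEach-Object { [datetime]$_.CreationTime } |
                   Sort-Object)
        $start = 0
        for ($end = 0; $end -lt $times.Count; $end++) {
            # Slide the left edge until the window spans at most $Window.
            while (($times[$end] - $times[$start]) -gt $Window) { $start++ }
            $count = $end - $start + 1
            if ($count -ge $Threshold) {
                [pscustomobject]@{
                    UserId      = $group.Name
                    Operation   = $Operation
                    Count       = $count
                    WindowStart = $times[$start]
                    WindowEnd   = $times[$end]
                }
                break   # one finding per user is enough to raise an alert
            }
        }
    }
}

# Constructed sample: six downloads by one user within 25 seconds, one download
# by another user, and a single file deletion by an admin account.
$sample = @()
$sample += 0..5 | ForEach-Object {
    [pscustomobject]@{ CreationTime = ('2018-06-01T09:00:{0:d2}' -f ($_ * 5))
                       Operation = 'FileDownloaded'; UserId = 'diana@contoso.example' }
}
$sample += [pscustomobject]@{ CreationTime = '2018-06-01T09:10:00'
                              Operation = 'FileDownloaded'; UserId = 'steve@contoso.example' }
$sample += [pscustomobject]@{ CreationTime = '2018-06-01T09:20:00'
                              Operation = 'FileDeleted'; UserId = 'admin@contoso.example' }

Find-ActivityBurst -Records $sample                                       # mass download
Find-ActivityBurst -Records $sample -Operation FileDeleted -Threshold 1   # admin deletion
```

With the sample data, the first call reports only the user with the burst of downloads and the second call reports the admin deletion.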
Multi-Factor Authentication
I think it is needless to say that MFA is a good feature for your security in general. I absolutely agree that it is not always easy to “promote” this, but at least for the admin accounts it should not be hard to implement and to sell to your management.
To activate it, go to “Settings” (gear symbol) (1) in the left side menu of the Office 365 Admin center, click “Services and add-ins” (2), then click on “Azure multi-factor authentication” (3) and then click “Manage multi-factor authentication” (4).
Click “Service Settings” at the top. Define whether you want to allow users to create app passwords to sign in to non-browser apps that don’t support modern authentication. Then define the verification options that enrolling users can select. Define whether the MFA token should be cached for a specific number of days, or leave it unchecked to require MFA each time. Then click “Save” at the bottom.
Please note that you will have more settings if you have an Azure AD Premium or an Enterprise Mobility + Security license.
Go back to the “Users” section. You can either bulk update users, or select individual users and activate MFA.

If a newly enabled user tries to log in again, he or she will get a notification that MFA is enabled and that the user should “Set it up now”. The next steps about security verification are pretty easy and straightforward.
And then you instantly have a more secure Office 365 tenant. Pretty cool!
Note that if you download the Microsoft Authenticator app, you can also easily approve the sign-in there and you don’t need to enter a code. If you want to go even further (if you have an Apple Watch), you can send the notifications to your watch and do everything you need to authenticate directly there. Pretty super cool!
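Since the admin accounts are the ones that should get MFA first, here is an added example (not part of the original article) that lists all global administrators with their per-user MFA state. It assumes the legacy MSOnline module, which manages the same per-user MFA settings as the page used above; the `$Enforce` switch is a hypothetical variable introduced for this example.

```powershell
# Added example: report per-user MFA state for all global administrators.
# Assumption: the legacy MSOnline module is installed and you can sign in.
Import-Module MSOnline
Connect-MsolService

$Enforce = $false   # hypothetical switch: set to $true to enable MFA below

# 'Company Administrator' is the role name of Global administrator in MSOnline.
$role   = Get-MsolRole -RoleName 'Company Administrator'
$admins = Get-MsolRoleMember -RoleObjectId $role.ObjectId |
          Where-Object { $_.RoleMemberType -eq 'User' }

$report = foreach ($member in $admins) {
    $user  = Get-MsolUser -ObjectId $member.ObjectId
    # The collection is empty when per-user MFA was never turned on.
    $state = $user.StrongAuthenticationRequirements |
             Select-Object -First 1 -ExpandProperty State
    [pscustomobject]@{
        UserPrincipalName = $user.UserPrincipalName
        MfaState          = if ($state) { "$state" } else { 'Disabled' }
        MethodsRegistered = @($user.StrongAuthenticationMethods).Count
    }
}
$report | Sort-Object MfaState | Format-Table -AutoSize

if ($Enforce) {
    # Same effect as selecting the user and clicking "Enable" in the MFA page.
    $requirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $requirement.RelyingParty = '*'
    $requirement.State        = 'Enabled'
    $report | Where-Object { $_.MfaState -eq 'Disabled' } | ForEach-Object {
        Set-MsolUser -UserPrincipalName $_.UserPrincipalName `
                     -StrongAuthenticationRequirements @($requirement)
    }
}
```

An admin with state “Enabled” but zero registered methods has not completed the “Set it up now” step yet.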

And that’s already it for Part 3 of the Security and Compliance Center Series. If you are interested in a closer look into certain features or the recently moved-in “Mail Flow”, let me know in the comments or on Twitter.
Hope you will check back soon. Until then: Don’t be afraIT and have fun with IT.