Security and Compliance Center Series Part 3



Hey there! Welcome to my Security and Compliance Center Series. If you want to start with Part 1 and Part 2, you can check them out to get going. In this part we will cover the following topics: Content Search and eDiscovery Case Management, Activity Alerting, Office 365 Cloud App Security, and Multi-Factor Authentication.

If you have a topic which I haven’t covered and you want to see an article, let me know via Twitter or in the comments below.

Looking for more series? Then check my Master common challenges in Office 365 series, where I talk about PowerShell, OneDrive, SharePoint and Teams. There will also be an update soon about the new Teams Admin Center, and if you are just here to have a good time, I recommend the “How to use 7 tools to create 1 simple survey” article. Most ridiculous article (available in German and English) I ever wrote 🙂

Content Search and eDiscovery Case Management

Start by logging in to the Office 365 portal and then go to the Security and Compliance Center. You can also go directly to https://protection.office.com to start. On the left side menu, click Permissions, scroll down to eDiscovery Administrator and add your global administrator. Keep in mind that an eDiscovery Administrator can open every case in the tenant and search every mailbox and site, so assign this role to as few accounts as possible and review the membership regularly.

eDiscovery Administrator permission

Then, in the left side menu, click Search and Investigation and then eDiscovery. Click the “+Create a case” button, add a case name such as “Diana Prince Review” and click Save. Of course, give your case a name that suits you.

Create an eDiscovery case

Click the Open button next to the eDiscovery case you just created. Then click Hold in the top navigation and click “+ Create”.

eDiscovery Case Hold

Name your new hold and describe it, click Next and choose your locations, create a query and review your settings. Then create your hold. A hold preserves the matching content in place: users can still work with it, but nothing they delete is purged while the hold is active, so your later search sees everything.

After this it should look similar to my screen below:

Review your eDiscovery Hold

Then go in the menu to “Search” to start your discovery and click on “+ New search”.

Switch to eDiscovery Search

In the Search query menu you can enter keywords and add conditions. You can also specify the locations. It makes sense to choose the locations on hold if you followed the steps above. Then click “Save & run”, type in a name and description and start discovering.

eDiscovery Search Query settings

In my demo I am able to discover all items in Diana’s mailbox, for example a mail to my account.

eDiscovery Search Results

In the Search overview you can also export your report: click the search and, under “More”, click “Export report”.

Export your search report

You can then change the output options and then generate your report.

Export report output settings

Then switch to the “Export” menu and after the generation is finished you can download the report.

eDiscovery Export menu

You have to wait a while until the report is finished before you can download it. So hang in there.

eDiscovery Download report
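The same case, hold, search and report export can be scripted with Security & Compliance PowerShell, which is handy once you run this for more than one custodian. The block below is an added example and not code from the original post; it assumes the ExchangeOnlineManagement module is installed, the signed-in account already holds the eDiscovery Administrator role, and the UPNs and case name are placeholders for your tenant.

```powershell
# Added example (not from the original post): the eDiscovery case, hold, search and
# report export built above in the UI, done with Security & Compliance PowerShell.
# Assumptions: ExchangeOnlineManagement module installed, admin@contoso.com and
# diana.prince@contoso.com are placeholder UPNs, the case name is arbitrary.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName admin@contoso.com

$CaseName   = 'Diana Prince Review'
$Custodian  = 'diana.prince@contoso.com'      # mailbox placed on hold and searched
$HoldName   = "$CaseName - Hold"
$SearchName = "$CaseName - Search"

# 1. Grant the eDiscovery Administrator role (only once). Administrators see every
#    case in the tenant, so keep this list short and audited.
Add-eDiscoveryCaseAdmin -User admin@contoso.com

# 2. Create the case.
New-ComplianceCase -Name $CaseName | Out-Null

# 3. Put the custodian's mailbox on hold. The policy fixes the locations, the rule
#    fixes the query; a rule without a query holds all content in those locations.
New-CaseHoldPolicy -Name $HoldName -Case $CaseName -ExchangeLocation $Custodian -Enabled $true | Out-Null
New-CaseHoldRule   -Name "$HoldName - Rule" -Policy $HoldName | Out-Null

# 4. Create and run a search scoped to the case and the held mailbox.
New-ComplianceSearch -Name $SearchName -Case $CaseName -ExchangeLocation $Custodian `
    -ContentMatchQuery 'subject:"review"' | Out-Null
Start-ComplianceSearch -Identity $SearchName

# Searches run asynchronously; poll until the status is Completed.
do {
    Start-Sleep -Seconds 15
    $search = Get-ComplianceSearch -Identity $SearchName
} until ($search.Status -eq 'Completed')
"Search '$SearchName' found $($search.Items) item(s), $($search.Size) bytes"

# 5. Generate the report (the "Export report" action in the UI) and poll it as well.
New-ComplianceSearchAction -SearchName $SearchName -Report | Out-Null
do {
    Start-Sleep -Seconds 30
    $action = Get-ComplianceSearchAction -Identity "$($SearchName)_Report"
} until ($action.Status -eq 'Completed')

# The Results field carries the container URL and SAS token that the eDiscovery Export
# Tool uses to download the report. Treat it as a secret: it grants read access to the
# exported data to anyone who has it.
$action | Format-List Name, Status, Results
```

The polling loops matter: both the search and the export action return immediately, and querying `Items` or `Results` before the status reaches Completed gives you empty values, which is the PowerShell version of the “hang in there” above.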

Activity Alerting

With the built-in activity alerting you have a fast and easy option to get informed when something you care about happens in the tenant. In this guide I will show you an alerting option for the case that an admin deletes files from OneDrive or SharePoint.

Go to the left menu in the “Alert” section and click “Dashboard”. In the tiles “Other alerts” you find the Activity alerts.

Activity alerts

Please note that this feature is already marked as deprecated. You can use it now, but who knows the future, right?

What happens in the future?

You can also access it, if you open the URL https://protection.office.com/#/managealerts

In there you can click on “+ New alert policy” and define whatever you want to be alerted of. In the screenshot below you see my admin deletion alert.

Admin deletion alert policy

Please note that it can take some time for the alert policy to become active. The more future-proof way of alerting is covered in the next part: Office 365 Cloud App Security.
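Because the alert can take a while to become active, it helps to check the underlying audit log directly: every alert type in the Security and Compliance Center, whether activity alert, alert policy or Cloud App Security, is driven by the unified audit log, and if the deletion events are not there, nothing will fire. The block below is an added example and not code from the original post; it creates the admin-deletion activity alert from the screenshot with the (deprecated) `New-ActivityAlert` cmdlet and then queries the audit log for the same operations. It assumes an existing `Connect-IPPSSession` session from the ExchangeOnlineManagement module, that unified audit logging is enabled in the tenant, and that the UPNs are placeholders.

```powershell
# Added example (not from the original post): the admin-deletion activity alert from
# the screenshot via New-ActivityAlert, plus an audit-log query for the same events.
# Assumptions: Connect-IPPSSession already established, unified audit logging enabled,
# admin@contoso.com and secops@contoso.com are placeholder UPNs. New-ActivityAlert
# belongs to the deprecated activity-alert feature described above.
$AdminUpn  = 'admin@contoso.com'
$NotifyUpn = 'secops@contoso.com'

# Alert whenever the named admin deletes a file in SharePoint or OneDrive. Deletions
# show up as three operations depending on which stage of the recycle bin is involved.
$DeleteOps = 'FileDeleted', 'FileDeletedFirstStageRecycleBin', 'FileDeletedSecondStageRecycleBin'

New-ActivityAlert -Name 'Admin file deletion' `
    -Description 'Files deleted from SharePoint/OneDrive by an admin account' `
    -Operation $DeleteOps `
    -UserId $AdminUpn `
    -NotifyUser $NotifyUpn

Get-ActivityAlert -Identity 'Admin file deletion' |
    Format-List Name, Operation, UserId, NotifyUser, Disabled

# Verify the source events the alert keys on. ResultSize is capped at 5000 per call,
# which is fine for one user over a week; widen with paging (-SessionCommand) if needed.
function Get-AdminFileDeletions {
    param(
        [string]$UserId,
        [int]$Days = 7
    )
    $events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) `
        -Operations $DeleteOps -UserIds $UserId -ResultSize 5000

    foreach ($e in $events) {
        $d = $e.AuditData | ConvertFrom-Json   # per-event details are a JSON blob
        [pscustomobject]@{
            Time      = $e.CreationDate
            User      = $e.UserIds
            Operation = $e.Operations
            Workload  = $d.Workload            # SharePoint or OneDrive
            Item      = $d.ObjectId            # full URL of the deleted file
            ClientIP  = $d.ClientIP
        }
    }
}

Get-AdminFileDeletions -UserId $AdminUpn -Days 7 |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

If the query returns nothing although you just deleted a test file, remember that audit events themselves are ingested with a delay of up to a few hours; the alert cannot be faster than the log it reads.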

Office 365 Cloud App Security

If you have never used Office 365 Cloud App Security and you go in the “Alerts” section to “Manage advanced alerts”, you will probably see the following screen, where you have to enable it first. If you have a new tenant, you probably don’t have to do this.

Turn on Office 365 Cloud App Security

In the Office 365 Cloud App Security Portal, click Control in the top menu and select Policies.

Control the Cloud App Security Policies

Click “Create Policy” and select “Activity Policy”.

Create Activity Policy

You can then choose between several templates or start your activity policy from scratch. For this demo I chose “Mass download by a single user”. After selecting a template a warning is shown that the existing values will be replaced if you continue. After confirming, your template looks like this:

Policy Template

These templates are super helpful to get started. They also make the settings pretty clear, and you are still able to change them as you wish. This is for sure the better “Activity Alert”, though needless to say the comparison is unfair, since activity policies can aggregate events (a threshold of downloads within a time window) instead of firing on every single operation.

I highly recommend that you at least have a look into this and check whether you have a need for it. I definitely have multiple things in mind where these alerts become handy. After following the above steps you have to wait about one hour before you can check the alerts.

Multi-Factor Authentication

Needless to say, MFA is a good feature for your security in general. I absolutely agree that it is not always easy to “promote” this, but at least for the admin accounts it should not be hard to implement and to sell in front of your management: a phished admin password without MFA is a full tenant compromise.

To activate it go on the left side menu in the Office 365 Admin center to “Settings” (Gear symbol) (1), click “Services and add-ins” (2), then click on “Azure multi-factor authentication” (3) and then click “Manage multi-factor authentication” (4).

Click “Service Settings” at the top. Define whether you want to allow users to create app passwords to sign in to non-browser apps that don’t support modern authentication. Be aware that an app password bypasses MFA for the legacy protocols it is used with, so leave this off unless you really have clients that need it, and never for admin accounts. Then define the verification options that will be selectable by the enrolling users. Define whether MFA should be remembered on trusted devices for a specific number of days, or leave it unchecked to require MFA each time. Then click “Save” at the bottom.

Please note that you will have more settings if you have an Azure AD Premium or an Enterprise Mobility + Security license.

Go back to the “users” section. You can either bulk update users, or select users and activate MFA.

Enable MFA for a user

When a newly enabled user signs in again, he or she gets a notification that MFA is enabled and should be set up now. The next steps about security verification are pretty easy and straightforward.

And then you have instantly a more secure Office 365 tenant. Pretty cool!
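If you want to do the same from the command line, for example to make sure every global admin is covered, the MSOnline module exposes the same per-user MFA switch that the “Enable” button flips. The block below is an added example and not code from the original post; it assumes `Install-Module MSOnline` has been run, the signed-in account is a Global Administrator, and the UPNs are placeholders.

```powershell
# Added example (not from the original post): per-user MFA for admin accounts with the
# MSOnline module, equivalent to the "Enable" button in the MFA user list above.
# Assumptions: MSOnline module installed, signed-in account is a Global Administrator.
Import-Module MSOnline
Connect-MsolService

# Build the requirement object the portal sets when you click Enable.
# 'Enabled' prompts the user to register at next sign-in; 'Enforced' additionally rejects
# sign-ins that cannot perform MFA (legacy clients), unless an app password is in use.
function New-MfaRequirement {
    param([ValidateSet('Enabled', 'Enforced')][string]$State = 'Enabled')
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = '*'
    $req.State = $State
    return @($req)
}

function Enable-UserMfa {
    param([string]$UserPrincipalName, [string]$State = 'Enabled')
    Set-MsolUser -UserPrincipalName $UserPrincipalName `
        -StrongAuthenticationRequirements (New-MfaRequirement -State $State)
}

function Disable-UserMfa {
    param([string]$UserPrincipalName)
    # An empty requirement list is what the portal's "Disable" button writes.
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @()
}

# Admin accounts first: enable MFA for every member of the Global Administrator role
# (called 'Company Administrator' in MSOnline) that does not have it yet.
function Get-GlobalAdminUsers {
    Get-MsolRole -RoleName 'Company Administrator' | Get-MsolRoleMember |
        Where-Object { $_.RoleMemberType -eq 'User' } |
        ForEach-Object { Get-MsolUser -UserPrincipalName $_.EmailAddress }
}

foreach ($user in Get-GlobalAdminUsers) {
    if ($user.StrongAuthenticationRequirements.Count -eq 0) {
        Enable-UserMfa -UserPrincipalName $user.UserPrincipalName
        "Enabled MFA for $($user.UserPrincipalName)"
    }
}

# Report: MFA state per admin, and whether the user has actually registered a method.
# 'Enabled' without a registered method means the user has not completed setup yet.
Get-GlobalAdminUsers |
    Select-Object UserPrincipalName,
        @{ n = 'MfaState';   e = { if ($_.StrongAuthenticationRequirements) { $_.StrongAuthenticationRequirements[0].State } else { 'Disabled' } } },
        @{ n = 'Registered'; e = { $_.StrongAuthenticationMethods.Count -gt 0 } } |
    Format-Table -AutoSize
```

Run the report again a few days after enabling: an admin who is still “Enabled” but not “Registered” has not signed in interactively yet and is still protected by a password only.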

Note that if you install the Microsoft Authenticator app, you can simply approve the sign-in there and don’t need to type in a code. If you want to go even further (and have an Apple Watch), you can send the notifications to your watch and do everything you need to authenticate directly there. Pretty super cool!

Pretty super cool MFA

And that’s already it for Part 3 of the Security and Compliance Center Series. If you are interested in a closer look at certain features or at the recently moved-in “Mail Flow” section, let me know in the comments or on Twitter.

Hope, you will check back soon, until then: Don’t be afraIT and have fun with IT.
