Overview
MFA enablement completely changes an organization’s security posture. Even though MFA does not necessarily provide perfect security, it does make it significantly more challenging to breach accounts and perhaps enough to encourage the attacker to seek out an easier target instead. This statement is not a presumption; during the 2017 Black Hat conference, multi-factor authentication and encryption were the 2 biggest named obstacles surveyed from hackers. Organizations recognize the benefits of MFA but we’ve received feedback about usability challenges in Exchange administration scenarios. This post identifies the popular administration workflows and will reference tools to fulfill them in accounts with MFA enforced.
To help increase the security of administrator accounts, you should enable MFA for your administrative accounts. For instructions on how to turn on MFA for Office 365 accounts, see this article. The workflow for users to set up MFA on their accounts is laid out in this document.
Exchange Online Administration Tools
Depending on the organization, Exchange Online is administrated through several different interfaces. The Office 365 customer base is incredibly diverse with larger tenants relying on automation to service their users while less complex organizations administrate the service from the portals.
Automation
Automation of Exchange administration is exposed primarily through remote PowerShell cmdlets. Many administrators use standard Windows PowerShell to connect to a remote Exchange server but if the account has MFA enabled, you need to install a separate Exchange Online PowerShell module based on the instructions in this document.
Follow the instructions here to connect to Exchange Online PowerShell with MFA. You can run scripts from this client or interact directly with Exchange. Some organizations create custom interactive scripts which provides a more admin friendly and less error prone interface for common administrative tasks on the tenant.
Portals
Office 365 provides portals to administrate Exchange Online, such as the Admin center, Security & Compliance Center and Exchange admin center. When MFA is enabled, you will be prompted for an authentication code.
Other Administration Workflows
Scheduled Automation
One of the main reasons organizations need to periodically run scripts on their tenant is for compliance/reporting requirements to scan the states of various assets. Some organizations have established procedures for employees to run a set of scripts as a part of their weekly/monthly responsibilities.
Some admins set up scheduled PowerShell tasks to delegate the responsibility of running this script to a machine. Of course, since the objective is to run these scripts without human intervention, MFA is not possible and will need to be turned off on these accounts. In order to authenticate into the service, administrators will still need to submit their credentials. Credentials should never be stored in plaintext. Instead, use the commands below to encode your password. You can only decode the password on the same computer with the same user account.
$AdminCred = Get-Credential
$AdminCred.Password | ConvertFrom-SecureString | Out-File C:AdminCred.txt
To submit this password in your scripts use the commands below. Replace “AdminUsername” with your account username.
$password = Get-Content C:AdminCred.txt | ConvertTo-SecureString
$Credentials = New-Object -typename System.Management.Automation.PSCredential -ArgumentList "AdminUsername",$password
Connect-EXOPSSession -Credential $AdminCred
Import-PSSession $ExoSession
Since this does still register a risk if an adversary breaches your computer, you should take the following precautions on the machine with the scheduled task:
- Tightly control access to the machine and disable Remote Desktop Protocol (RDP)
- Limit the use of the account to only administrative activities (disable mail or use an alt account)
- Set strong passwords
- Enable unified audit log and mailbox auditing
- Periodically review the audit logs for this account for signs of compromise
- Confine admin activities to within your network perimeter
- Constrain cmdlets permissions as tightly as possible to the account through role management
Exchange Role Management
You can limit the permissions of administrative accounts using role groups to ensure that even if the account does get breached, the actions that the attacker can take are limited to the administration responsibilities of the account. Details on how to manage role assignments are in this article.
Long-running Scripts
When running long scripts from the standard Windows PowerShell client, administrators have faced session timeouts. Typically, the solution is to wrap the script with a loop that checks for session timeouts and recover by submitting saved credentials to re-establish the session. Now, how would you do this without human intervention for MFA accounts which require a second method of authentication?
Fortunately, the Exchange Online PowerShell Module takes care of session timeouts by re-establishing the session automatically. NOTE: it is important to use the UserPrincipalName parameter to connect so that the client can automatically re-establish the session for you.
Connect-EXOPSSession –UserPrincipalName joe@contoso.com
See below, the original PowerShell session has expired before I ran the Get-mailbox command. The client recognizes that the session has expired and automatically creates a new session without prompting for credentials.
General Secure Administration Recommendations
Beyond using MFA for Exchange administration, Microsoft recommends that you also take a broader look at your security. Below are some great solutions and ideas to help protect administrator accounts:
We hope this post has helped create a more secure and usability friendly administration story for you. Leave us a comment below with feedback!
Overview
MFA enablement completely changes an organization’s security posture. Even though MFA does not necessarily provide perfect security, it does make it significantly more challenging to breach accounts and perhaps enough to encourage the attacker to seek out an easier target instead. This statement is not a presumption; during the 2017 Black Hat conference, multi-factor authentication and encryption were the 2 biggest named obstacles surveyed from hackers. Organizations recognize the benefits of MFA but we’ve received feedback about usability challenges in Exchange administration scenarios. This post identifies the popular administration workflows and will reference tools to fulfill them in accounts with MFA enforced.
To help increase the security of administrator accounts, you should enable MFA for your administrative accounts. For instructions on how to turn on MFA for Office 365 accounts, see this article. The workflow for users to set up MFA on their accounts is laid out in this document.
Exchange Online Administration Tools
Depending on the organization, Exchange Online is administrated through several different interfaces. The Office 365 customer base is incredibly diverse with larger tenants relying on automation to service their users while less complex organizations administrate the service from the portals.
Automation
Automation of Exchange administration is exposed primarily through remote PowerShell cmdlets. Many administrators use standard Windows PowerShell to connect to a remote Exchange server but if the account has MFA enabled, you need to install a separate Exchange Online PowerShell module based on the instructions in this document.
Follow the instructions here to connect to Exchange Online PowerShell with MFA. You can run scripts from this client or interact directly with Exchange. Some organizations create custom interactive scripts which provides a more admin friendly and less error prone interface for common administrative tasks on the tenant.
Portals
Office 365 provides portals to administrate Exchange Online, such as the Admin center, Security & Compliance Center and Exchange admin center. When MFA is enabled, you will be prompted for an authentication code.
Other Administration Workflows
Scheduled Automation
One of the main reasons organizations need to periodically run scripts on their tenant is for compliance/reporting requirements to scan the states of various assets. Some organizations have established procedures for employees to run a set of scripts as a part of their weekly/monthly responsibilities.
Some admins set up scheduled PowerShell tasks to delegate the responsibility of running this script to a machine. Of course, since the objective is to run these scripts without human intervention, MFA is not possible and will need to be turned off on these accounts. In order to authenticate into the service, administrators will still need to submit their credentials. Credentials should never be stored in plaintext. Instead, use the commands below to encode your password. You can only decode the password on the same computer with the same user account.
$AdminCred = Get-Credential
$AdminCred.Password | ConvertFrom-SecureString | Out-File C:AdminCred.txt
To submit this password in your scripts use the commands below. Replace “AdminUsername” with your account username.
$password = Get-Content C:AdminCred.txt | ConvertTo-SecureString
$Credentials = New-Object -typename System.Management.Automation.PSCredential -ArgumentList "AdminUsername",$password
Connect-EXOPSSession -Credential $AdminCred
Import-PSSession $ExoSession
Since this does still register a risk if an adversary breaches your computer, you should take the following precautions on the machine with the scheduled task:
- Tightly control access to the machine and disable Remote Desktop Protocol (RDP)
- Limit the use of the account to only administrative activities (disable mail or use an alt account)
- Set strong passwords
- Enable unified audit log and mailbox auditing
- Periodically review the audit logs for this account for signs of compromise
- Confine admin activities to within your network perimeter
- Constrain cmdlets permissions as tightly as possible to the account through role management
Exchange Role Management
You can limit the permissions of administrative accounts using role groups to ensure that even if the account does get breached, the actions that the attacker can take are limited to the administration responsibilities of the account. Details on how to manage role assignments are in this article.
Long-running Scripts
When running long scripts from the standard Windows PowerShell client, administrators have faced session timeouts. Typically, the solution is to wrap the script with a loop that checks for session timeouts and recover by submitting saved credentials to re-establish the session. Now, how would you do this without human intervention for MFA accounts which require a second method of authentication?
Fortunately, the Exchange Online PowerShell Module takes care of session timeouts by re-establishing the session automatically. NOTE: it is important to use the UserPrincipalName parameter to connect so that the client can automatically re-establish the session for you.
Connect-EXOPSSession –UserPrincipalName joe@contoso.com
See below, the original PowerShell session has expired before I ran the Get-mailbox command. The client recognizes that the session has expired and automatically creates a new session without prompting for credentials.
General Secure Administration Recommendations
Beyond using MFA for Exchange administration, Microsoft recommends that you also take a broader look at your security. Below are some great solutions and ideas to help protect administrator accounts:
We hope this post has helped create a more secure and usability friendly administration story for you. Leave us a comment below with feedback!
Overview
MFA enablement completely changes an organization’s security posture. Even though MFA does not necessarily provide perfect security, it does make it significantly more challenging to breach accounts and perhaps enough to encourage the attacker to seek out an easier target instead. This statement is not a presumption; during the 2017 Black Hat conference, multi-factor authentication and encryption were the 2 biggest named obstacles surveyed from hackers. Organizations recognize the benefits of MFA but we’ve received feedback about usability challenges in Exchange administration scenarios. This post identifies the popular administration workflows and will reference tools to fulfill them in accounts with MFA enforced.
To help increase the security of administrator accounts, you should enable MFA for your administrative accounts. For instructions on how to turn on MFA for Office 365 accounts, see this article. The workflow for users to set up MFA on their accounts is laid out in this document.
Exchange Online Administration Tools
Depending on the organization, Exchange Online is administrated through several different interfaces. The Office 365 customer base is incredibly diverse with larger tenants relying on automation to service their users while less complex organizations administrate the service from the portals.
Automation
Automation of Exchange administration is exposed primarily through remote PowerShell cmdlets. Many administrators use standard Windows PowerShell to connect to a remote Exchange server but if the account has MFA enabled, you need to install a separate Exchange Online PowerShell module based on the instructions in this document.
Follow the instructions here to connect to Exchange Online PowerShell with MFA. You can run scripts from this client or interact directly with Exchange. Some organizations create custom interactive scripts which provides a more admin friendly and less error prone interface for common administrative tasks on the tenant.
Portals
Office 365 provides portals to administrate Exchange Online, such as the Admin center, Security & Compliance Center and Exchange admin center. When MFA is enabled, you will be prompted for an authentication code.
Other Administration Workflows
Scheduled Automation
One of the main reasons organizations need to periodically run scripts on their tenant is for compliance/reporting requirements to scan the states of various assets. Some organizations have established procedures for employees to run a set of scripts as a part of their weekly/monthly responsibilities.
Some admins set up scheduled PowerShell tasks to delegate the responsibility of running this script to a machine. Of course, since the objective is to run these scripts without human intervention, MFA is not possible and will need to be turned off on these accounts. In order to authenticate into the service, administrators will still need to submit their credentials. Credentials should never be stored in plaintext. Instead, use the commands below to encode your password. You can only decode the password on the same computer with the same user account.
$AdminCred = Get-Credential
$AdminCred.Password | ConvertFrom-SecureString | Out-File C:AdminCred.txt
To submit this password in your scripts use the commands below. Replace “AdminUsername” with your account username.
$password = Get-Content C:AdminCred.txt | ConvertTo-SecureString
$Credentials = New-Object -typename System.Management.Automation.PSCredential -ArgumentList "AdminUsername",$password
Connect-EXOPSSession -Credential $AdminCred
Import-PSSession $ExoSession
Since this does still register a risk if an adversary breaches your computer, you should take the following precautions on the machine with the scheduled task:
- Tightly control access to the machine and disable Remote Desktop Protocol (RDP)
- Limit the use of the account to only administrative activities (disable mail or use an alt account)
- Set strong passwords
- Enable unified audit log and mailbox auditing
- Periodically review the audit logs for this account for signs of compromise
- Confine admin activities to within your network perimeter
- Constrain cmdlets permissions as tightly as possible to the account through role management
Exchange Role Management
You can limit the permissions of administrative accounts using role groups to ensure that even if the account does get breached, the actions that the attacker can take are limited to the administration responsibilities of the account. Details on how to manage role assignments are in this article.
Long-running Scripts
When running long scripts from the standard Windows PowerShell client, administrators have faced session timeouts. Typically, the solution is to wrap the script with a loop that checks for session timeouts and recover by submitting saved credentials to re-establish the session. Now, how would you do this without human intervention for MFA accounts which require a second method of authentication?
Fortunately, the Exchange Online PowerShell Module takes care of session timeouts by re-establishing the session automatically. NOTE: it is important to use the UserPrincipalName parameter to connect so that the client can automatically re-establish the session for you.
Connect-EXOPSSession –UserPrincipalName joe@contoso.com
See below, the original PowerShell session has expired before I ran the Get-mailbox command. The client recognizes that the session has expired and automatically creates a new session without prompting for credentials.
General Secure Administration Recommendations
Beyond using MFA for Exchange administration, Microsoft recommends that you also take a broader look at your security. Below are some great solutions and ideas to help protect administrator accounts:
We hope this post has helped create a more secure and usability friendly administration story for you. Leave us a comment below with feedback!
Overview
MFA enablement completely changes an organization’s security posture. Even though MFA does not necessarily provide perfect security, it does make it significantly more challenging to breach accounts and perhaps enough to encourage the attacker to seek out an easier target instead. This statement is not a presumption; during the 2017 Black Hat conference, multi-factor authentication and encryption were the 2 biggest named obstacles surveyed from hackers. Organizations recognize the benefits of MFA but we’ve received feedback about usability challenges in Exchange administration scenarios. This post identifies the popular administration workflows and will reference tools to fulfill them in accounts with MFA enforced.
To help increase the security of administrator accounts, you should enable MFA for your administrative accounts. For instructions on how to turn on MFA for Office 365 accounts, see this article. The workflow for users to set up MFA on their accounts is laid out in this document.
Exchange Online Administration Tools
Depending on the organization, Exchange Online is administrated through several different interfaces. The Office 365 customer base is incredibly diverse with larger tenants relying on automation to service their users while less complex organizations administrate the service from the portals.
Automation
Automation of Exchange administration is exposed primarily through remote PowerShell cmdlets. Many administrators use standard Windows PowerShell to connect to a remote Exchange server but if the account has MFA enabled, you need to install a separate Exchange Online PowerShell module based on the instructions in this document.
Follow the instructions here to connect to Exchange Online PowerShell with MFA. You can run scripts from this client or interact directly with Exchange. Some organizations create custom interactive scripts which provides a more admin friendly and less error prone interface for common administrative tasks on the tenant.
Portals
Office 365 provides portals to administrate Exchange Online, such as the Admin center, Security & Compliance Center and Exchange admin center. When MFA is enabled, you will be prompted for an authentication code.
Other Administration Workflows
Scheduled Automation
One of the main reasons organizations need to periodically run scripts on their tenant is for compliance/reporting requirements to scan the states of various assets. Some organizations have established procedures for employees to run a set of scripts as a part of their weekly/monthly responsibilities.
Some admins set up scheduled PowerShell tasks to delegate the responsibility of running this script to a machine. Of course, since the objective is to run these scripts without human intervention, MFA is not possible and will need to be turned off on these accounts. In order to authenticate into the service, administrators will still need to submit their credentials. Credentials should never be stored in plaintext. Instead, use the commands below to encode your password. You can only decode the password on the same computer with the same user account.
$AdminCred = Get-Credential
$AdminCred.Password | ConvertFrom-SecureString | Out-File C:AdminCred.txt
To submit this password in your scripts use the commands below. Replace “AdminUsername” with your account username.
$password = Get-Content C:AdminCred.txt | ConvertTo-SecureString
$Credentials = New-Object -typename System.Management.Automation.PSCredential -ArgumentList "AdminUsername",$password
Connect-EXOPSSession -Credential $AdminCred
Import-PSSession $ExoSession
Since this does still register a risk if an adversary breaches your computer, you should take the following precautions on the machine with the scheduled task:
- Tightly control access to the machine and disable Remote Desktop Protocol (RDP)
- Limit the use of the account to only administrative activities (disable mail or use an alt account)
- Set strong passwords
- Enable unified audit log and mailbox auditing
- Periodically review the audit logs for this account for signs of compromise
- Confine admin activities to within your network perimeter
- Constrain cmdlets permissions as tightly as possible to the account through role management
Exchange Role Management
You can limit the permissions of administrative accounts using role groups to ensure that even if the account does get breached, the actions that the attacker can take are limited to the administration responsibilities of the account. Details on how to manage role assignments are in this article.
Long-running Scripts
When running long scripts from the standard Windows PowerShell client, administrators have faced session timeouts. Typically, the solution is to wrap the script with a loop that checks for session timeouts and recover by submitting saved credentials to re-establish the session. Now, how would you do this without human intervention for MFA accounts which require a second method of authentication?
Fortunately, the Exchange Online PowerShell Module takes care of session timeouts by re-establishing the session automatically. NOTE: it is important to use the UserPrincipalName parameter to connect so that the client can automatically re-establish the session for you.
Connect-EXOPSSession –UserPrincipalName joe@contoso.com
See below, the original PowerShell session has expired before I ran the Get-mailbox command. The client recognizes that the session has expired and automatically creates a new session without prompting for credentials.
General Secure Administration Recommendations
Beyond using MFA for Exchange administration, Microsoft recommends that you also take a broader look at your security. Below are some great solutions and ideas to help protect administrator accounts:
We hope this post has helped create a more secure and usability friendly administration story for you. Leave us a comment below with feedback!
In February we announced several new capabilities coming soon to help organizations protect their sensitive data – across devices, apps, cloud services and on-premises. Today we’re announcing the general availability of several new sensitive information types and a new template that helps you discover, classify, protect and manage personal information that is relevant to GDPR obligations.
The addition of the new personal information data types adds to the existing built-in sensitive information types that are available in the Office 365 security & compliance center. You can use these sensitive information types in defining your data governance and data protection policies – there are now 87 different data types to choose from. While many of the previous sensitive information types were relevant to GDPR, the new sensitive information types help provide a more complete and consolidated set. The new personal information data types include:
- EU passport number
- EU national identification number
- EU driver’s license number
- EU tax identification number (TIN)
- EU social security number (SSN) or equivalent ID
For each of these information types, the service detects data that matches the specific patterns used by the 28 EU countries. For example, configuring your policy to include “EU driver’s license number” will detect driver’s license numbers used by any of the 28 covered EU countries.
New EU personal information data types in the Office 365 Security & Compliance Center
When configuring data governance or data loss prevention policies, you can now scan Office 365 locations (e.g. Exchange Online, SharePoint Online, OneDrive for Business) for personal information that matches the new EU data types, and then apply the desired data retention or protection actions. You can customize your policies to look for any combination of these new personal data types or use in conjunction with any of the other existing sensitive information types. For example, you can detect EU national identification numbers and EU passport numbers (both of which are new information types), in combination with US passport numbers (a previously available information type). We’ve also made it easy to detect any of the EU personal information data types by providing a GDPR template that consolidates these new information types into a single group that you can use in your policy configuration.
The GDPR template consolidates the new EU personal information data types into a single group – this can be used when configuring your data governance or data loss prevention policies
As with all the other sensitive information types, there is a lot of flexibility to customize and fine-tune the parameters to meet your specific needs. Learn more about the built-in sensitive information types or even create your own custom sensitive information types (such as employee ID numbers that are unique to your company).
We’re excited to release the new EU sensitive information types and GDPR template – this should help make it easier to discover, classify, protect and manage GDPR related personal information. Our support articles have also been updated with details on the specific detection methods and patterns associated with each of the data types. These new sensitive information types are available now in the Office 365 security and compliance center, and we are targeting these to also be available in Azure Information Protection in Q3 CY18. We are also investigating adding more EU personal information data types in the future and will provide more details as plans get formalized.
In February we announced several new capabilities coming soon to help organizations protect their sensitive data – across devices, apps, cloud services and on-premises. Today we’re announcing the general availability of several new sensitive information types and a new template that helps you discover, classify, protect and manage personal information that is relevant to GDPR obligations.
The addition of the new personal information data types adds to the existing built-in sensitive information types that are available in the Office 365 security & compliance center. You can use these sensitive information types in defining your data governance and data protection policies – there are now 87 different data types to choose from. While many of the previous sensitive information types were relevant to GDPR, the new sensitive information types help provide a more complete and consolidated set. The new personal information data types include:
- EU passport number
- EU national identification number
- EU driver’s license number
- EU tax identification number (TIN)
- EU social security number (SSN) or equivalent ID
For each of these information types, the service detects data that matches the specific patterns used by the 28 EU countries. For example, configuring your policy to include “EU driver’s license number” will detect driver’s license numbers used by any of the 28 covered EU countries.
New EU personal information data types in the Office 365 Security & Compliance Center
When configuring data governance or data loss prevention policies, you can now scan Office 365 locations (e.g. Exchange Online, SharePoint Online, OneDrive for Business) for personal information that matches the new EU data types, and then apply the desired data retention or protection actions. You can customize your policies to look for any combination of these new personal data types or use in conjunction with any of the other existing sensitive information types. For example, you can detect EU national identification numbers and EU passport numbers (both of which are new information types), in combination with US passport numbers (a previously available information type). We’ve also made it easy to detect any of the EU personal information data types by providing a GDPR template that consolidates these new information types into a single group that you can use in your policy configuration.
The GDPR template consolidates the new EU personal information data types into a single group – this can be used when configuring your data governance or data loss prevention policies
As with all the other sensitive information types, there is a lot of flexibility to customize and fine-tune the parameters to meet your specific needs. Learn more about the built-in sensitive information types or even create your own custom sensitive information types (such as employee ID numbers that are unique to your company).
We’re excited to release the new EU sensitive information types and GDPR template – this should help make it easier to discover, classify, protect and manage GDPR related personal information. Our support articles have also been updated with details on the specific detection methods and patterns associated with each of the data types. These new sensitive information types are available now in the Office 365 security and compliance center, and we are targeting these to also be available in Azure Information Protection in Q3 CY18. We are also investigating adding more EU personal information data types in the future and will provide more details as plans get formalized.
In February we announced several new capabilities coming soon to help organizations protect their sensitive data – across devices, apps, cloud services and on-premises. Today we’re announcing the general availability of several new sensitive information types and a new template that helps you discover, classify, protect and manage personal information that is relevant to GDPR obligations.
The addition of the new personal information data types adds to the existing built-in sensitive information types that are available in the Office 365 security & compliance center. You can use these sensitive information types in defining your data governance and data protection policies – there are now 87 different data types to choose from. While many of the previous sensitive information types were relevant to GDPR, the new sensitive information types help provide a more complete and consolidated set. The new personal information data types include:
- EU passport number
- EU national identification number
- EU driver’s license number
- EU tax identification number (TIN)
- EU social security number (SSN) or equivalent ID
For each of these information types, the service detects data that matches the specific patterns used by the 28 EU countries. For example, configuring your policy to include “EU driver’s license number” will detect driver’s license numbers used by any of the 28 covered EU countries.
New EU personal information data types in the Office 365 Security & Compliance Center
When configuring data governance or data loss prevention policies, you can now scan Office 365 locations (e.g. Exchange Online, SharePoint Online, OneDrive for Business) for personal information that matches the new EU data types, and then apply the desired data retention or protection actions. You can customize your policies to look for any combination of these new personal data types or use in conjunction with any of the other existing sensitive information types. For example, you can detect EU national identification numbers and EU passport numbers (both of which are new information types), in combination with US passport numbers (a previously available information type). We’ve also made it easy to detect any of the EU personal information data types by providing a GDPR template that consolidates these new information types into a single group that you can use in your policy configuration.
The GDPR template consolidates the new EU personal information data types into a single group – this can be used when configuring your data governance or data loss prevention policies
As with all the other sensitive information types, there is a lot of flexibility to customize and fine-tune the parameters to meet your specific needs. Learn more about the built-in sensitive information types or even create your own custom sensitive information types (such as employee ID numbers that are unique to your company).
We’re excited to release the new EU sensitive information types and GDPR template – this should help make it easier to discover, classify, protect and manage GDPR related personal information. Our support articles have also been updated with details on the specific detection methods and patterns associated with each of the data types. These new sensitive information types are available now in the Office 365 security and compliance center, and we are targeting these to also be available in Azure Information Protection in Q3 CY18. We are also investigating adding more EU personal information data types in the future and will provide more details as plans get formalized.
In February we announced several new capabilities coming soon to help organizations protect their sensitive data – across devices, apps, cloud services and on-premises. Today we’re announcing the general availability of several new sensitive information types and a new template that helps you discover, classify, protect and manage personal information that is relevant to GDPR obligations.
The addition of the new personal information data types adds to the existing built-in sensitive information types that are available in the Office 365 security & compliance center. You can use these sensitive information types in defining your data governance and data protection policies – there are now 87 different data types to choose from. While many of the previous sensitive information types were relevant to GDPR, the new sensitive information types help provide a more complete and consolidated set. The new personal information data types include:
- EU passport number
- EU national identification number
- EU driver’s license number
- EU tax identification number (TIN)
- EU social security number (SSN) or equivalent ID
For each of these information types, the service detects data that matches the specific patterns used by the 28 EU countries. For example, configuring your policy to include “EU driver’s license number” will detect driver’s license numbers used by any of the 28 covered EU countries.
New EU personal information data types in the Office 365 Security & Compliance Center
When configuring data governance or data loss prevention policies, you can now scan Office 365 locations (e.g. Exchange Online, SharePoint Online, OneDrive for Business) for personal information that matches the new EU data types, and then apply the desired data retention or protection actions. You can customize your policies to look for any combination of these new personal data types or use in conjunction with any of the other existing sensitive information types. For example, you can detect EU national identification numbers and EU passport numbers (both of which are new information types), in combination with US passport numbers (a previously available information type). We’ve also made it easy to detect any of the EU personal information data types by providing a GDPR template that consolidates these new information types into a single group that you can use in your policy configuration.
The GDPR template consolidates the new EU personal information data types into a single group – this can be used when configuring your data governance or data loss prevention policies
As with all the other sensitive information types, there is a lot of flexibility to customize and fine-tune the parameters to meet your specific needs. Learn more about the built-in sensitive information types or even create your own custom sensitive information types (such as employee ID numbers that are unique to your company).
We’re excited to release the new EU sensitive information types and GDPR template – this should help make it easier to discover, classify, protect and manage GDPR related personal information. Our support articles have also been updated with details on the specific detection methods and patterns associated with each of the data types. These new sensitive information types are available now in the Office 365 security and compliance center, and we are targeting these to also be available in Azure Information Protection in Q3 CY18. We are also investigating adding more EU personal information data types in the future and will provide more details as plans get formalized.
This week we shared an update on recent enhancements to Office 365 threat protection services and enhancements to the end user experience with Office 365 Advanced Threat Protection (ATP). We conclude our week at InfoSec Europe with an update on the Office 365 admin experience.
Empowering Admins with Insights
The Office 365 Security and Compliance Center already provides access to malware trends, real-time reports, and granular threat details. We are now adding organizational insights such as anomalous behavior or repeat policy offenders. These insights are presented both in the reports and in the threat dashboard, correlating signals from a broad range of data to help identify, prioritize, and provide recommendations on how to address potential problems. The recommendations are generally remediation actions empowering admins to proactively secure their organization. The insights are holistic and cover both information and threat protection.
Threat Protection Insights include:
- Policy or end user configurations (e.g. transport or mail flow rules, custom policy settings, junk mail folder settings) that can be improved to block delivery of malware, phish, or spam.
- Policies and configurations enhancing protection for users targeted by malware and phishing campaigns in an organization.
Figure 1.. Threat protection insights in the Security dashboard in the Security and Compliance Center
Soon we will release an enhanced Threat Protection status trending report, offering a single view with drill downs into malicious emails identified within the organization, including detection details for malware and phish.
Figure 2. Threat protection status report with email malware and phish detections in the Security and Compliance Center
Information Protection Insights include:
- Views into users who violate large volumes of Office 365 Data Loss Prevention (DLP) policies
- Anomaly insights showing unusual trends in your DLP policy violations
We are also introducing a new report of DLP policy matches on a per item level enabling easier identification of documents or emails which violate policies.
Figure 3. DLP incident report with information protection insights embedded in the Security and Compliance Center
Enhanced Admin Quarantine
Admins can now view, release, delete, and report false positive quarantined messages in Office 365. Quarantine for the Office 365 Security and Compliance Center (SCC) is enriched with a more in-depth investigation and analysis experience including:
- Enhanced search and filtering capabilities for messages in quarantine.
- In line actions for message download and release to any recipient, supporting security investigation and analysis workflows in the organization.
- Restricting the ability to view, download, release, delete, and report phishing messages in quarantine to admins (due to rise in phishing campaigns)
Figure 4. Download quarantined messages (left) and release quarantined messages to recipients (right)
We recently announced the extension of Office 365 Advanced Threat Protection (ATP) to protect files in SharePoint Online, OneDrive for Business and Microsoft Teams and we’re excited to now extend quarantine capabilities to files stored in these applications. This includes download, release, report and delete features in quarantine.
- ‘Release’ removes the end user block on the file
- ‘Delete’ removes the file from quarantine; however, the file is still blocked in SharePoint Online, OneDrive for Business and Microsoft Teams and must be deleted from the respective document libraries in these services to preserve content specific audited activities
Figure 5. Malicious files detected by Office 365 ATP with actions to release, report, download and delete the files from quarantine
Now admins can create policies to send filtered messages to quarantine when they were identified as spam, bulk, phish, or when they match a mail flow rule. By default, Office 365 sends phishing messages and messages containing malware directly to quarantine. Other filtered messages are sent to users’ Junk Email folder unless the policy specifies sending them to quarantine.
Send Us Your Feedback
Your valuable feedback enables us to continue improving and adding features that support the goal of making Office 365 more secure. We encourage you to begin a free Office 365 E5 trial today and begin further enhancing your security for Office 365 today.
This week we shared an update on recent enhancements to Office 365 threat protection services and enhancements to the end user experience with Office 365 Advanced Threat Protection (ATP). We conclude our week at InfoSec Europe with an update on the Office 365 admin experience.
Empowering Admins with Insights
The Office 365 Security and Compliance Center already provides access to malware trends, real-time reports, and granular threat details. We are now adding organizational insights such as anomalous behavior or repeat policy offenders. These insights are presented both in the reports and in the threat dashboard, correlating signals from a broad range of data to help identify, prioritize, and provide recommendations on how to address potential problems. The recommendations are generally remediation actions empowering admins to proactively secure their organization. The insights are holistic and cover both information and threat protection.
Threat Protection Insights include:
- Policy or end user configurations (e.g. transport or mail flow rules, custom policy settings, junk mail folder settings) that can be improved to block delivery of malware, phish, or spam.
- Policies and configurations enhancing protection for users targeted by malware and phishing campaigns in an organization.
Figure 1.. Threat protection insights in the Security dashboard in the Security and Compliance Center
Soon we will release an enhanced Threat Protection status trending report, offering a single view with drill downs into malicious emails identified within the organization, including detection details for malware and phish.
Figure 2. Threat protection status report with email malware and phish detections in the Security and Compliance Center
Information Protection Insights include:
- Views into users who violate large volumes of Office 365 Data Loss Prevention (DLP) policies
- Anomaly insights showing unusual trends in your DLP policy violations
We are also introducing a new report of DLP policy matches on a per item level enabling easier identification of documents or emails which violate policies.
Figure 3. DLP incident report with information protection insights embedded in the Security and Compliance Center
Enhanced Admin Quarantine
Admins can now view, release, delete, and report false positive quarantined messages in Office 365. Quarantine for the Office 365 Security and Compliance Center (SCC) is enriched with a more in-depth investigation and analysis experience including:
- Enhanced search and filtering capabilities for messages in quarantine.
- In line actions for message download and release to any recipient, supporting security investigation and analysis workflows in the organization.
- Restricting the ability to view, download, release, delete, and report phishing messages in quarantine to admins (due to rise in phishing campaigns)
Figure 4. Download quarantined messages (left) and release quarantined messages to recipients (right)
We recently announced the extension of Office 365 Advanced Threat Protection (ATP) to protect files in SharePoint Online, OneDrive for Business and Microsoft Teams and we’re excited to now extend quarantine capabilities to files stored in these applications. This includes download, release, report and delete features in quarantine.
- ‘Release’ removes the end user block on the file
- ‘Delete’ removes the file from quarantine; however, the file is still blocked in SharePoint Online, OneDrive for Business and Microsoft Teams and must be deleted from the respective document libraries in these services to preserve content specific audited activities
Figure 5. Malicious files detected by Office 365 ATP with actions to release, report, download and delete the files from quarantine
Now admins can create policies to send filtered messages to quarantine when they were identified as spam, bulk, phish, or when they match a mail flow rule. By default, Office 365 sends phishing messages and messages containing malware directly to quarantine. Other filtered messages are sent to users’ Junk Email folder unless the policy specifies sending them to quarantine.
Send Us Your Feedback
Your valuable feedback enables us to continue improving and adding features that support the goal of making Office 365 more secure. We encourage you to begin a free Office 365 E5 trial today and begin further enhancing your security for Office 365 today.
