New High-Value Audit Records Capture Details of Microsoft Teams Meetings

New audit events are available to capture information about Teams meetings and participants, but only if you have Office 365 E5 or above licenses. That’s because Microsoft deems these events to be high-value audit information prized by forensic investigators when they try to unravel what happened in an incident. You’ll have to make your own mind up how valuable the events are, but we’ve written some PowerShell to make the data more accessible.

Policy Lookup for Microsoft 365 Retention Policies in Preview

The ability to look up a user, site, or group and report the Microsoft 365 retention policies applicable to the location is now available in preview. The new feature helps administrators understand what retention policies might block the deletion of a mailbox, site, or group, something that’s often difficult when multiple retention policies exist in a tenant. Although welcome, it would be nice if Microsoft could extend the feature to add some actions. Maybe that will come in the next version.

Microsoft Extends Problematic Information Barriers Solution to All Education Tenants

Information barriers seem like a good idea. Implement policy-driven controls over who can communicate within a Microsoft 365 tenant. Microsoft is making the solution available to education tenants. In reality, they should spend some of the engineering effort required to improve the current sad state of the information barriers solution. No GUI, horrible management, PowerShell with impenetrable errors, and a lack of visibility into how the solution works.

How to Create a DLP Policy to Stop External Sharing of Teams Meeting Recordings

Teams meeting recordings can contain a lot of confidential information. It’s a quick and easy task to create a Data Loss Prevention (DLP) policy to stop people sharing these files externally. In this post, we show just how simple the required policy is, and just how effective it is at stopping external sharing.

Microsoft Overselling E5 Capabilities Through Data Loss Prevention

Microsoft plans to surface recommendations to use communications compliance policies as part of its DLP workflow. That sounds acceptable, but it’s the second example of how Microsoft pushes high-priced premium features to Office 365 tenants through DLP. Apart from the undesirability of pushing features to customers through software, communications compliance is not something that you implement on a whim, so why does Microsoft think this is a good idea?

How to Use a Microsoft 365 Retention Policy to Manage Inactive Mailbox Content

Most Microsoft 365 tenants will have to manage the mailboxes of ex-employees. Retention policies are an excellent method to achieve this goal, if you remember to add mailboxes to a suitable retention policy before deleting their Azure AD account. In this article, we consider Microsoft’s recommendation to use a specific retention policy for inactive mailboxes and how to go about using such a policy.

How Retention is Changing for SharePoint Online’s Preservation Hold Library

The preservation hold library is an important component of SharePoint Online retention processing. A change coming in November should simplify file handling and reduce the amount of storage taken up by retained files in the library. Basically, instead of storing multiple versions of a file, SharePoint Online will hold a single file containing all the updates. It seems like a good change to make. We’ll know more when it rolls out.

How Exchange Online Uses Archives to Offload Recoverable Items Storage

A change rolling out in mid-October will remove storage pressure on the Recoverable Items structure in Exchange Online mailboxes by offloading some data to archive mailboxes. The idea is a good one because it means that the storage allocated to Recoverable Items won’t fill up and require intervention so often. Users won’t know anything about what’s happening under the covers as it’s all hidden from view.

How to Use the Free Microsoft 365 Compliance Trial

Microsoft is making a free 90-day trial of Microsoft 365 E5 Compliance licenses available to tenants who don’t yet have compliance licenses. The purpose is to allow organizations to test the advanced compliance functionality which requires Office 365 E5 or Microsoft 365 E5 licenses. Microsoft obviously hopes that organizations will be so delighted at the functionality that they sign up for E5 licenses in the long run. If you don’t want to run a test in your production tenant, you can achieve much the same effect by getting an E5 trial tenant and testing there.

How Teams Makes Webinar Information Available for Search and eDiscovery

Teams-based webinars are a popular way of hosting events like product briefings or announcements. Behind the scenes, the Microsoft 365 substrate stores information about webinar speakers, attendance, and event details as lists in the meeting organizer’s OneDrive for Business account. The information stored in OneDrive is indexed and available for eDiscovery. It’s a great example of the Microsoft 365 ecosystem in action.

How Microsoft Search Finds Spoken Text in Teams Meeting Transcripts

Adding the ability to search for spoken text in Teams meeting recordings is just one of the new features added after Microsoft moved storage for meeting recordings to OneDrive for Business. A new video viewer and support for 27 additional languages (some different variants of a base language) are also important developments. In this article, we explore how Exchange Online captures the text spoken in Teams meetings, how OneDrive for Business links the text with the video, and how Search can find spoken text from the transcripts.

How to Monitor Changes to Microsoft 365 Retention Policies

Microsoft 365 retention policies control how the system removes items automatically from Exchange Online, SharePoint Online, Teams, and other locations. Because these policies are so powerful, it’s a good idea to keep an eye on who makes changes to their settings. The audit log is a natural place to go looking for information about policy updates and while we can find information there, some of the data is oddly formatted or obscured for some reason. Persistence and PowerShell deliver answers, but this is a task way harder than it should be.

Microsoft Launches Preview of App Governance for Cloud App Security

The preview of a new app governance add-on for Microsoft Cloud App Security gives Office 365 administrators insight into Graph-based apps. The add-on depends on information gathered from Azure AD and MCAS to generate insights about apps and their usage, including highlighting apps which are overprivileged or highly privileged. Although you can do some of the auditing yourself, the add-on makes it easier. It’s a preview, so some glitches are present.

Adaptive Scopes Coming Soon for Retention Policies

Office 365 tenants will soon be able to create adaptive scopes for retention policies. An adaptive scope is nothing more than a filter to select target mailboxes, sites, and Microsoft 365 groups based on some criteria. They’re adaptive because administrators don’t have to update policies as they add new objects. Like other Microsoft 365 Information Governance features which automate some aspect of operations, adaptive scopes are likely to demand Office 365 E5 or Microsoft 365 E5 Compliance licenses.

Teams Private Channels Gain Support for Retention Processing

It is now possible to apply Microsoft 365 retention policies to Teams private channel messages. The messages are in user mailboxes and discoverable due to their properties. All the retention policy must do is find the messages and apply the policy settings, and if an item is expired, remove it from the mailbox. Easy… or is it?

All About Yammer Compliance Records

Yammer compliance records are generated by the Microsoft 365 substrate and consumed by features such as communications compliance policies and eDiscovery. In this post, we consider where Yammer compliance records are stored and what they contain and how to use PowerShell to figure out the activity levels of Yammer communities.

SharePoint Online Adopts OneDrive’s Deletion Method for Items with Retention Labels

A change being made to SharePoint Online in August will make the deletion process for files with retention labels consistent with OneDrive for Business. The intention is to achieve consistency across the two browser interfaces and to remove a little friction for users who might become confused when SharePoint Online stops them deleting labeled files. Everything will happen in August. We wonder if anyone will notice?

How to Track the Creation of Teams Meeting Recordings in OneDrive for Business and SharePoint Online

After writing about auto-label policies for Teams meeting recordings, we were asked about how to track the creation of the recordings. The key to being able to report the data is events in the Office 365 audit log. Once you know where to look, it’s easy to find the audit records and extract data about the creation of Teams meeting recordings.

How to Track the Progress of an Auto-Label Policy

Auto-label policies are a good way to assign retention labels to important files stored in SharePoint Online and OneDrive for Business. The big problem is tracking the progress of auto-labeling. In this article, we explore how to use events logged in the Office 365 audit log to figure out what files are labeled and how long it takes the auto-label policies to process the files. The example explored here is an auto-label policy for Teams meeting recordings.

How to Apply an Auto-Label Retention Policy for Teams Meeting Recordings

Teams meeting recordings are now accumulating as MP4 files in OneDrive for Business and SharePoint Online. If you have Office 365 E5 licenses, you can use an auto-label policy to remove recordings after a set period. If you don’t have those licenses and need to remove recordings, you’ll have to come up with another plan, maybe after tracking the creation of recordings through the Office 365 audit log.

Understand Licensing for Microsoft 365 Information Protection and Governance

Licensing is everyone’s favorite topic. Combine it with information protection and governance and people’s eyes glaze over. Even so, it’s important to know what information protection and compliance features need which licenses as you don’t want to get into a position where something stops working because Microsoft enables some code to enforce licensing requirements. This post covers the basics of licensing and how Microsoft differentiates between manual processing and automated processing when deciding if a feature needs a standard or premium license.

Microsoft 365 Compliance Center Gets New Content Search UI

The Microsoft 365 compliance center has a new content search UI. The new UI is prettier than before, but it’s also slower and more buggy. After several years of effort to develop content searches, you’d expect Microsoft to do better. A lot better. Unhappily, the beauty of the new interface seems to have distracted the engineers from the problems that become all too apparent when you try to use content searches to do real work. What testing, if any, was done to validate the new UI is unknown.

How to Report Membership of Microsoft 365 Compliance Role Groups

Compliance role groups control access to Microsoft 365 compliance functionality. A new permissions page makes it easier to manage these groups in the Microsoft 365 compliance center, where you can also manage the Azure AD roles used by Microsoft 365 compliance. If you want to generate a report about who holds what role, you’ve got to use PowerShell. The code is easy once you know which roles you want to report.

Microsoft Tightens Control Over eDiscovery Limits

Microsoft 365 eDiscovery features will respect documented limits from May 10. The changes are likely made to conserve resources consumed by searches against the massive amounts of data now found in Office 365 tenants. The changes probably won’t affect eDiscovery investigators except in reminding everyone that the items shown in search preview are only a representative sample of what can be found by a full search.

How to Report Audit Events Generated for Sensitivity Labels

Audit records are a great way to gain an understanding of what happens inside Office 365. We use PowerShell to report actions taken with sensitivity labels such as protecting files and containers. The latest development is the addition of support in the Microsoft 365 apps for enterprise (Office desktop) to log audit events when users interact with sensitivity labels. Unsurprisingly, more events are often logged by the desktop apps than their online equivalents.

Teams App Messages Captured by Microsoft 365 Substrate for Compliance Processing

The Microsoft 365 substrate now captures Teams app card data in compliance records to make the data available for eDiscovery, content searches, holds, and retention. The compliance records are stored in user and group mailboxes. Audit records for card interactions are also logged in the Office 365 audit log. Using compliance records means that some app data context is lost, but at least you can find the information.

Microsoft Releases New Sensitive Information Types

Microsoft has released a set of new sensitive information types, used to locate sensitive data by Microsoft 365 DLP policies. Many are country-specific versions of previous generic types (like passports or identity cards). The recommendation is to consider upgrading DLP policies to use the new types to get better (more accurate) matching.

Teams Tailors Compliance Records for eDiscovery

The format of the Teams compliance records generated for personal and group chats and stored in Exchange Online mailboxes is changing. Microsoft is removing a bunch of unnecessary attributes from the records to reduce the processing load on the service to retrieve the attributes from Azure AD. The change is unlikely to affect most tenants. Compliance records for older chats are not affected.

Understanding Partially Indexed Exchange Online Messages and Attachments

Exchange Online indexes the items stored in mailboxes. Some of the items are partially indexed, meaning that not all of their content is indexable. Microsoft has a PowerShell script to analyze the number of partially indexed items found in mailboxes. The output is kind of esoteric, so we worked it over to create something more understandable.

Exports of Exchange Online Search Results Now Decrypt Attachments

When you use an Office 365 content search to find items, the results from Exchange Online might include some encrypted attachments. A change means that the attachments can now be decrypted to make it easier for investigators to review the information. It’s a small but important change, just like the update to Edge which stops ClickOnce programs running unless an Edge setting is enabled. All good, clean, honest fun.

Microsoft Makes Endpoint Data Loss Prevention Generally Available

Microsoft has made Endpoint DLP generally available. Leveraging Windows 10 workstations and the Edge browser, Endpoint DLP sends signals for evaluation to detect possible violations. The solution requires Microsoft 365 licenses and only supports Windows, so it’s not for every tenant. But those who have Microsoft 365 licenses will find this an attractive solution.

How to Block Email Forwarding from Power Automate

Power Automate (Flow) can forward email from Exchange Online mailboxes to external recipients. This isn’t a great idea if you want email kept within the control of your data governance framework. Power Automate now inserts x-headers in the email it sends, which allows the use of transport (mail flow) rules to detect and reject these messages if required.

Scanning Teams Messages from Hybrid Users for Compliance Issues

Communications compliance policies scan user messages to detect violations of company or regulatory rules. A change introduces support for hybrid users whose mailboxes are on Exchange on-premises servers. The change might not pick up many new violations, but it does increase the coverage and stops some violations sneaking through, which is always a good thing.

How to Use DLP Policies and Sensitivity Labels to Block External Access to Confidential Documents

When you need to block external access to your most sensitive documents, Office 365 Data Loss Prevention policies and sensitivity labels combine to find and protect the documents. A really simple policy is enough to detect and block external access, and is covered by Office 365 E3 licenses. If you have E5 licenses, you can consider auto-label policies to find and protect sensitive documents at scale.

Handling Sensitivity Label Mismatches in SharePoint Online

Support for sensitivity labels is generally available for SharePoint Online. Users can apply labels to classify and protect documents, but a mismatch can happen between labels applied to documents and the sites where the documents are stored. When this happens, SharePoint Online emails site owners to tell them that a mismatch exists.

Using Teams Compliance Data for eDiscovery

For compliance purposes, the Microsoft 365 substrate captures copies of Teams messages in Exchange Online mailboxes. The compliance records are indexed and discoverable, which means that they can be found by content searches. However, Teams compliance records are imperfect copies of the real data, which is a fact that seems to have escaped many people.

How to Report Email SentAs Other Exchange Online Mailboxes

The SendAs audit event is logged when someone uses the send as permission to send a message from an Exchange Online mailbox. The events are stored in the Office 365 audit log and can be found there with an audit log search. However, things aren’t as straightforward as they are on-premises because some other types of delegated messages turn up in searches. Fortunately, we have a script to help.

How to Report MailItemsAccessed Audit Events

Microsoft has released information about high-value Office 365 audit events and audit event retention policies. Both are part of a Microsoft 365 Advanced Audit offering. The MailItemsAccessed event is the first high-value audit event (we can expect more) and the retention policies are used to purge unneeded events from the Office 365 audit log.

Applying Holds to Teams Private Channel Messages

The Office 365 compliance framework can now place holds on Teams compliance records created for conversations in private channels. You simply have to place holds on the mailboxes of members of the private channels and hope that no one removes the members from the tenant. If they do, the hold lapses, which seems like a pity.

Microsoft 365 Compliance and Security Centers Rolling Out to Office 365 Tenants

The Microsoft 365 Compliance and Security centers are rolling out to Office 365 tenants where they’ll replace the old Security and Compliance Center over time. The new centers look fresher than the SCC, but looks can deceive and it’s much more important that the functionality exposed in the new portals works reliably all the time.