Blocking Email Forwarding from Power Automate

Power Automate (Flow) can forward email from Exchange Online mailboxes to external recipients. This isn’t a great idea if you want email kept within the control of your data governance framework. Power Automate now inserts x-headers in the email it sends, which allows the use of transport (mail flow) rules to detect and reject these messages if required.

Teams Messages from Hybrid Users Scanned by Communication Compliance Policies

Communications compliance policies scan user messages to detect violations of company or regulatory rules. A change introduces support for hybrid users whose mailboxes are on Exchange on-premises servers. The change might not pick up many new violations, but it does increase the coverage and stops some violations sneaking through, which is always a good thing.

Handling Sensitivity Label Mismatches in SharePoint Online

Support for sensitivity labels is generally available for SharePoint Online. Users can apply labels to classify and protect documents, but a mismatch can happen between labels applied to documents and the sites where the documents are stored. When this happens, SharePoint Online emails site owners to tell them that a mismatch exists.

Using Teams Compliance Data for eDiscovery

For compliance purposes, the Microsoft 365 substrate captures copies of Teams messages in Exchange Online mailboxes. The compliance records are indexed and discoverable, which means that they can be found by content searches. However, Teams compliance records are imperfect copies of the real data, which is a fact that seems to have escaped many people.

Reporting SendAs Audit Events for Exchange Online Mailboxes

The SendAs audit event is logged when someone uses the send as permission to send a message from an Exchange Online mailbox. The events are stored in the Office 365 audit log and can be found there with an audit log search. However, things aren’t as straightforward as they are on-premises because some other types of delegated messages turn up in searches. Fortunately, we have a script to help.

Capturing Crucial Office 365 Audit Data Requires E5 Licenses

Microsoft has released information about high-value Office 365 audit events and audit event retention policies. Both are part of a Microsoft 365 Advanced Audit offering. The MailItemsAccessed event is the first high-value audit event (we can expect more) and the retention policies are used to purge unneeded events from the Office 365 audit log.

Applying Holds to Teams Private Channel Messages

The Office 365 compliance framework can now to place holds on Teams compliance records created for conversations in private channels. You simply have to place holds on the mailboxes of members of the private channels and hope that no one removes the members from the tenant. If they do, the hold lapses, which seems like a pity.

Microsoft 365 Compliance and Security Centers Rolling Out to Office 365 Tenants

The Microsoft 365 Compliance and Security centers are roling out to Office 365 tenants where they’ll replace the old Security and Compliance Center over time. The new centers look fresher than the SCC, but looks can deceive and it’s much more important that the functionality exposed in the new portals work reliably all the time.

OWA Supports Automatic Labeling for Office 365 Sensitivity Labels

OWA now supports the automatic labeling of outbound messages with Office 365 Sensitivity Labels. The new feature uses Office 365 sensitive data types to detect content in messages that should be protected, and once detected, the message is stamped with a label before it passes through the Exchange Online transport service.

Teams Voice Memos – Interesting Functionality with a Compliance Problem

The Teams mobile clients allow users to record and send voice memos in personal and group chats. It’s nice functionality, but from a compliance standpoint some glaring weaknesses exist in the way that Office 365 captures compliance records for these memos. No voice recognition, no metadata, nothing to search for. It’s a compliance mess that Microsoft needs to clean up.

How to Stop Users Adding Personal Retention Tags to Exchange Online Mailboxes

Exchange Online allows users to add personal retention tags to their maiboxes through OWA settings. Some organizations don’t like this, so they can deploy user role assignment policies to block the feature. It;s something that you could consider doing if you’re preparing to switchover to Office 365 retention policies to impose the same retention regime across multiple workloads.

Teams Compliance Records and Frontline Office 365 Accounts

Teams does a good job of storing compliance records in Exchange Online mailboxes so that the data is available for Office 365 eDiscovery. But the number of records can impact the mailbox quotas of frontline workers, especially if they send graphics in personal and group chats. Here’s some PowerShell to help discover how much mailbox quota is being absorbed by compliance records.

What’s Happening with the MailItemsAccessed Audit Event

Microsoft launched the MailItemsAccessed audit event (to capture when email is opened) in January, reversed the roll-out in April, and now might restart sometime in Q3. It’s an odd situation that isn’t really explained by a statement from Microsoft. Are they going to charge extra for this audit event? Will they be analyzing the events? Or does Office 365 capture too many mail items accessed events daily?

Office 365 Data Governance in Oslo

A busy week included speaking engagements in Germany and Oslo. The Experts Live Norway event saw Tony talk about Office 365 data governance, a topic he thinks he knows well. You can grab a copy of the presentation he used in Oslo from this post.

Excluding Inactive Mailboxes from Org-Wide Retention Holds

Exchange Online supports inactive mailboxes as a way to keep mailbox data online after Office 365 accounts are removed. Inactive mailboxes are available as long as a hold exists on them. You can update mailbox properties to exclude all or some org-wide holds. If you exclude holds from a mailbox, you run the risk that Exchange will permanently remove the mailbox. If that’s what you want, all is well, but if it’s not, then you might not be so happy.

Detecting Offensive Language with Office 365 Supervision Policies

Office 365 supervision policies can now make use of artificial intelligence and machine learning to detect offensive language in email and Teams communications. The data model covers a wide range of problematic language, but only in English. You can go ahead and cheerfully continue to swear in French, German, and other languages with no danger of being detected by policy.

The Sad Case of Truncated Office 365 Audit Events

On May 7, Microsoft eventually fixed a truncation bug that affected group events (creation, add member, etc.) ingested into the Office 365 audit log. The fix took far too long coming and the overall response is certainly not Microsoft’s finest hour. Audit events, after all, are pretty important in compliance scenarios and it’s not good when those events are incomplete.

The Case of SharePoint Online’s Missing Retention Labels

Sometimes Office 365 can be infuriating. My latest tribulation came in the form of missing retention labels, which disappeared from SharePoint Online without any reason for two weeks. Some labels returned due to auto-label policies, but any applied to documents manually had a vacation somewhere in the bowels of the services. It wasn’t a good experience.

Microsoft 365 Security and Compliance Centers Now Generally Available

The Microsoft 365 Security and Microsoft 365 Compliance Centers are now generally available. The new consoles will eventually replace the Office 365 Security and Compliance Center (SCC) but some work is needed to fill out their functionality and make the switchover possible. In the meantime, the Office 365 for IT Pros eBook writing team will stay focused on the SCC. And when the time’s right, we’ll switchover.

Making Sure Everyone’s Covered by an Office 365 Supervision Policy

Although Office 365 supervision policies are intended to monitor a subset of user communications, usually involving specific groups of people, you might want to use a policy to monitor all email. In that case, how do you make sure that your policy has everyone in scope? The problem is that supervision policies don’t support dynamic distribution lists, so you need to do some work to build and maintain a distribution list containing all user mailboxes.

Office 365 Content Search Actions and Hard Deletes of Mailbox Items

Office 365 content searches now support a hard-delete (permanent deletion) option for the purge action, but only for mailbox items. You can purge up to 10 items at a go. If you have more to purge, you just have to keep on purging until everything is gone. Or use the Search-Mailbox cmdlet, which keeps on proving its usefulness to administrators who need to remove lots of mailbox items quickly.

Cloud App Security Alerts Flow into Office 365 Audit Log

Security alerts from Office 365 Cloud App Security now flow into the Office 365 Audit Log, which means that you can run the Search-UnifiedAuditLog to find the alerts. Unhappily, more work than should be needed is necessary to extract the interesting information from the alert records.

Teams Compliance Records Focused on by New Report

A new report commissioned by Microsoft explains how Exchange Online and the Security and Compliance Center meet the electronic records requirements of regulatory bodies like the SEC and FINRA. Within the report, there’s some news about changes to the way that Office 365 handles Teams compliance records stored in Exchange Online. And after all that, we consider how some backup vendors treat Teams compliance records as equivalent to the data stored in the Teams Azure services.

Using Exchange Session Identifiers in Audit Log Records

Exchange Online now captures session identifiers in its mailbox and admin audit records that are ingested in the Office 365 audit log. That’s interesting and useful, but how do you access and interpret this information on a practical level?

Any Authenticated Users Permission Now Generally Available

Azure Information Protection rights management templates now support the Any Authenticated Users permission to allow Office 365 users to share email and documents with anyone who can authenticate with Azure Active Directory or has an MSA account or uses a federated service.

Office 365 E5 Accounts Now Keep Audit Log Data for 365 Days

Microsoft has updated its retention period for Office audit records from 90 to 365 days, but only for accounts with Office 365 E5 licenses. On another front, the problem with truncated audit records for Azure Active Directory events still persists.

Use the Office 365 Audit Log to Find Out Who Deleted Messages

Exchange Online sends its mailbox audit records to the Office 365 audit log. You can search the log to discover who deleted messages from mailboxes, normally only an issue when delegates are involved.

Using Special Characters in Office 365 Labels

A little known fact is that you can use graphic symbols and characters in Office 365 labels. It might bring a splash of color to your compliance and retention efforts, especially in a world where emojis are everywhere. After all, the symbols are just character codes that computers can process and Office 365 is designed to be multilingual and cope with different character sets (like the way Teams deals with Hebrew and Arabic).

Preserving the Teams Data of Ex-Employees

Content Searches Find Teams Compliance Items When someone leaves your company, you might need to preserve their Office 365 data. The steps needed to preserve user information stored in Email, OneDrive, and SharePoint are straightforward, but what about the messages the employee sent using Teams? As it turns out, an Office 365 content search or …