4. Working with Security Compliance Alerts and Content Search
Let’s talk now about the process of running searches and looking at the audit side of things in Microsoft 365. So here we are at admin.microsoft.com (or portal.microsoft.com). You can click “Show all” and then “Security” to get back into the Security and Compliance Center. Once you’re in the Security and Compliance Center, look to the left and you’ll notice a drop-down labelled “Search.” If you click Search, you have the option to do a content search. So I can click “Content search,” and this lets me search for particular content in my environment. This is along the same lines as what we get with eDiscovery. I can create a new search and search based on keywords. So if I wanted to search for a keyword like “budget,” I could click “Save & run.” I could also just save the search, and it could be used in eDiscovery as well, but here I’ll go ahead and save and run.
The other thing to notice is that you have to specify locations. You can choose “Specific locations” or “All locations.” Keep in mind that if you’re working in a large environment, this could take a long time: hours and hours, possibly even days. So keep that in mind if you’re running a broad keyword search here. But this is along the exact same lines as what we have in eDiscovery. It will go through its search, and if it finds the keyword “budget” in any location, and I’m talking about Exchange, SharePoint, and OneDrive (it looks for that keyword in the files in those locations) and even Teams messages, it pulls that information and lets me analyse it. I can export the results as well. Jumping back over here, we also have audit log search. With the different auditing capabilities that Microsoft 365 has, you can also search the audit log. You can choose a specific date and time, a start point and an end point. Maybe you’re trying to search based on date and time, IP address, the user, the activity they performed, or the item that was involved. You can set a start date and an end date, specify the name of the user you want to look at, and then run the search. You can also create a new alert policy from here.
All right, so I could come up here and say “Test custom alert,” and then under “Send this alert when” drop that down. Once the screen appears, you can select which activities the user has performed. Maybe they printed a file, deleted a file, renamed a file, or created a file. All of these different options are here; take a look at some of the options you have. There are a ton of options: checked out a file, copied a file, discarded a file check-out, moved a file, restored a file. Look at all the things you can monitor just involving the files you’ve got. Okay, let’s choose “Deleted file.” So we’ll set that as one of our conditions. You can add multiple conditions if you want, and you can specify a particular user. If I want to do Alex Rogers, I can select that user, and then I can choose who to send the alert to. We’re going to send the alert to the MOD Administrator, the admin, which is [email protected]. Then I click Save, and I’ve now created that alert. So anytime Alex Rogers deletes a file, it will generate an audit log entry that I can search through, and it will also appear under Alerts. I can click “View alerts.”
It shows me any alert activity that I have, and you can create more of these alert policies here as well. So there’s a fair bit of control you can get with auditing. Keep in mind that the very first time you go into the audit log, auditing won’t be turned on. You do have to turn it on. In my case, I’ve already turned it on. When you turn it on, the sad part is that it can take about 24 hours before it actually becomes active. So if you go in now and turn it on, it can take a while. Supposedly Microsoft is going to change that, so hopefully things have already changed for you, but at the time of recording this video, you had to click to enable it, and it would take 24 hours to get enabled. Of course, I do like to keep my material updated, so if something seems out of date here, just message me and I’ll make sure it gets updated. But all in all, as you can see, you can jump around and manage these settings pretty easily through this.
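The same three things walked through in the portal above (enabling auditing, a keyword content search, an audit log search, and a custom alert policy) can be scripted. The following is an added example, not a script from the course, using the Security & Compliance PowerShell cmdlets from the ExchangeOnlineManagement module; the account names, the alert name and the `-Filter` expression on `New-ProtectionAlert` are assumptions, and the account running it needs the Compliance Administrator or eDiscovery Manager role.

```powershell
# Added example (not from the course). Requires the ExchangeOnlineManagement module.
# All user principal names below are placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName admin@contoso.onmicrosoft.com   # placeholder admin account

# 1. Auditing is off in a fresh tenant and has to be switched on once.
#    As the lesson notes, it can take a while after enabling before entries appear.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 2. Content search for the keyword "budget" across Exchange, SharePoint/OneDrive.
#    Teams chat is stored in mailboxes, so ExchangeLocation All covers it too.
$searchName = 'Budget keyword search'
New-ComplianceSearch -Name $searchName `
    -ExchangeLocation All `
    -SharePointLocation All `
    -ContentMatchQuery 'budget'
Start-ComplianceSearch -Identity $searchName

# Poll until the search finishes (this is the part that can take hours in a big tenant),
# then report how many items matched.
do {
    Start-Sleep -Seconds 30
    $search = Get-ComplianceSearch -Identity $searchName
} while ($search.Status -ne 'Completed')
"Matched items: $($search.Items)"

# 3. Audit log search: file deletions by one user in the last 7 days.
$start = (Get-Date).AddDays(-7)
$end   = Get-Date
Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -UserIds 'alex.rogers@contoso.onmicrosoft.com' `
    -Operations FileDeleted `
    -ResultSize 500 |
    Select-Object CreationDate, UserIds, Operations,
        @{ n = 'Item'; e = { ($_.AuditData | ConvertFrom-Json).ObjectId } } |
    Format-Table -AutoSize

# 4. Alert policy mirroring the portal alert above: notify the admin whenever this
#    user deletes a file. The -Filter syntax is an assumption; check it against the
#    New-ProtectionAlert documentation for your tenant.
New-ProtectionAlert -Name 'Test custom alert' `
    -Category Others `
    -ThreatType Activity `
    -Operation FileDeleted `
    -Filter "Activity.User -eq 'alex.rogers@contoso.onmicrosoft.com'" `
    -AggregationType None `
    -NotifyUser 'admin@contoso.onmicrosoft.com' `
    -Severity Low
```

The audit search deliberately narrows by `-UserIds` and `-Operations` before pulling results; `Search-UnifiedAuditLog` caps each call at 5,000 records, so a wide-open query over a busy tenant silently truncates, which is the same “this could take hours or return too much” caveat the lesson gives for content search.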
5. Understanding the Information Barrier Policy
What exactly are information barriers, or IB? First off, information barriers are a policy that can be implemented by an admin and applied to individual users or groups, and it can prevent them from communicating with each other in certain situations. So, for example, if you had a department that wasn’t supposed to be sharing information with another department, or maybe with people outside your organization, this is another way to handle that situation. Obviously, our environments can be very complex. You can have cases where you don’t want certain people in your company communicating with other people, or you don’t want departments communicating with other departments.
And, of course, the way to address this is through information barriers. First, before we get too deep into this, I want to clarify the licences and permissions involved. As you can see on the screen, and this is directly from Microsoft’s latest knowledge base article on the subject, you get information barriers with the E5 subscriptions, the E5 Advanced Compliance plan, and Insider Risk Management. They also point out that you can look up more information on the compliance solutions on that website, so if you go to their knowledge base articles you’ll find even more details, because they’ve put together some other specifics. Also, as far as permissions go, to be able to define and edit these policies you have to be assigned one of these roles.
You have to be a Global Admin (Microsoft 365 Global Admin or Office 365 Global Admin), a Compliance Administrator, or have the IB Compliance Management role, which is new, which is really cool. That was recently added, and just to clarify, the concept of information barriers itself is new. This is a very new feature. And, to be honest with you, I feel like it’s a little bit in its infancy. I feel like it’s got a ways to go, especially in terms of implementation. However, it’s a great feature, and I think it’s going to be a huge gain for the Microsoft 365 and Azure world. Now, a little background on barriers. One of the main reasons Microsoft created this capability was to meet the financial industry’s regulatory authority requirements. However, they discovered that it is beneficial in a variety of situations, including education systems where students are communicating and you want to ensure that students cannot see each other’s information, possibly from another school, and similar cases.
If you’re in the legal industry and need to pass information to a legal team or the government, this is a great way to handle it. And then, of course, the more general case: professional services. There’s a great little graphic here for the professional services industry. You’ll see they’ve got an investment banker segment and a financial advisor segment; the investment banker segment can communicate with HR but not with the financial advisor segment, and vice versa. And that’s another thing I want to point out about barriers: you’re going to break users up into segments, and you’re going to control groups of users based on those segments, which segment can communicate with which other segment.
Okay, so when should you use barriers? They can be used in certain situations as far as Teams is concerned, mainly when you want to prevent one team from communicating with or sharing data with another team. Another reason would be when a team shouldn’t communicate with or share data with anyone outside the team. Of course, we also have guest configuration and external access configuration, so this is sort of another policy on top of those. In the Microsoft 365 services, we have a service called the Information Barrier Policy Evaluation Service. It’s a mouthful, but it’s what actually checks everything. It checks when communications occur between your different teams or different users, verifies whether there’s a barrier policy, and whether the communication violates that policy.
Based on that, it allows the communication to go through or not. So what triggers that? You have information barrier triggers. Here are some examples of things that cause the policy to be checked; in other words, this long-winded service, the Information Barrier Policy Evaluation Service, is triggered when members are added to a team; when a new chat is requested, so maybe a user is trying to chat with another user; when a user is invited to join a meeting, so maybe somebody on one team has invited a person from another team to a meeting; when a screen is shared between two or more users; when a user makes a phone call (voice over IP) in Teams; and for guest users in a team in general. It checks guest access too, to make sure somebody is truly allowed to be a part of that team and communicate in it.
So how do policy changes impact existing chats? Imagine this: you’ve already had Teams going for a while, people are chatting back and forth, everything’s fine, and then all of a sudden the company says we’re going to implement a barrier policy. How is that going to affect things? Whenever an administrator modifies a policy, or any kind of change takes effect, even within an existing policy, the Information Barrier Policy Evaluation Service will search all communications to ensure there are no violations. If there are, it can stop those communications, and you will no longer have communication between those segments. Keep in mind that as an administrator you can still do eDiscovery lookups and see those communications. If you’re doing something involving forensic evidence collection, you can still run queries for that if you’re an admin. But as far as your users are concerned, they’ll be cut off from communicating with each other as soon as the new changes take effect. The concepts of information barrier policies were covered in the last few paragraphs. One thing I mentioned a minute ago is segments.
When you’re building segments, users get grouped together by user attributes. Your user attributes are stored in Azure AD and edited through Azure AD, or, of course, you can also do some of this in Exchange Online. The attributes that can be used for segments are department, job title, location, team name, and other job profile details that can be specified there as well. But those are your main attributes. Your segments are sets of users, and they’re defined through the Security and Compliance Center, though this can only be done through PowerShell. This is actually one of the reasons why I say I feel like this is in its infancy: you’re going to find that everything has to be done through PowerShell. It’s not a graphical thing, at least not at the time this video was created. Remember, this is a new capability and feature, so they’ll most likely add graphical support for it eventually.
But as of yet, they don’t; or, at the time of the video’s production, they had not. Information barrier policies will either restrict or allow users based on the policy. There are basically two simple kinds of policies: block and allow. And I think those are pretty cut-and-dried. Block prevents one segment from communicating with another segment, and allow lets one segment communicate with another. As far as policy application is concerned, you define these policies and then apply them within your organization, where they get applied to the segments you have defined, which again happens in Security and Compliance. But it’s a PowerShell thing. So those are the concepts of what an information barrier policy is and how it works.
6. How to utilize the Information Barrier Policy
So when it comes to defining information barrier policies, let me warn you, this is not for the faint of heart. Again, this is still sort of in its infancy. I feel like it’s got a long way to go before it’s going to be a really intuitive system, as with a lot of the newest capabilities Microsoft has come out with. A lot of the time, what they do is create a way to do it in PowerShell, and then later create a way to do it graphically. This has been in preview for the longest time, and it’s only recently moved into the mainstream where we can really start using it, and it hasn’t changed much since preview. This article is over a year old, for example. It’s well over a year old and hasn’t really changed. So they haven’t done a whole lot to add graphical support for it.
For the most part, it is handled completely through PowerShell. So you have to get down and dirty with PowerShell to use it. But one thing I want to advise you on is that if you’re going to implement this, you need to look at this PowerShell article. All you have to do to find it is go to your Google search engine and search these keywords: “Define information barrier policies.” If you do that, and I’ll demonstrate right now, I just pasted it into Google, here’s the article. So go to that article, and it basically walks you through setting this up. First off, it talks about the prerequisites: you’ve got to have the right licenses, and then it covers how you segment your users.
So if we open up this article’s “Segment your users” section, there are some PowerShell commands. However, the warning is that when it comes to the prerequisites, not only do you have to have the correct licenses, but you also have some PowerShell prerequisites. So I’m going to bring up a little script I was working on for this so you can look at it. Let me clean this up so it’s not so messy on the screen, but here is the example. The first thing you want to do, and this is what these articles go over, is make sure you have the most recent version of the Az commands.
These are the Azure commands. You can do that by running this command right here. So if I highlight this and hit this little run button, it’s going to install those. I’ve already got those, so I don’t have to do that. And by the way, this is all in the article. You can just copy and paste if you want. You’re welcome to use my command as well. The next thing is that we have to confirm that barriers are allowed. Barriers are not allowed by default; you have to enable this, and there’s no graphical way to do it. So the first step is to sign in to your Azure account.
Once you’ve got the Azure command, I’m just going to hit Play on that, and it prompts me to log on as [email protected], and we put the password in. All right, I’ve successfully connected. Now I have to create this little app ID variable. This is the app ID that connects us to the Compliance Center. This is why I say it’s a bit complex, but remember that these knowledge base articles walk you through exactly how to do this, and that’s what I’m doing here in the video. I’m just going to hit Play. I’ve created my variable. Then I create another variable for the service principal that contains that app ID, so we’re populating that variable. And then here is my if statement: it checks whether the service principal variable is null, meaning empty, and if so it runs New-AzADServicePrincipal with that app ID.
So it’s just going to verify that. And if so, it goes ahead and creates the new service principal with that application ID in my subscription. So I’m going to hit Play. Okay, that’s done. And then finally, the end part here: it jumps up and has me confirm that barriers are allowed. So I hit Play on that, and here is where I accept the barrier consent. And that’s it. You get this “Flow complete” message. As I said, it doesn’t give you a lot of information back; it just says “Flow complete.” From there, the next step is to connect to the Security and Compliance Center. You don’t actually have those commands in the Az module, so we have to connect to that separately, and you have to put this big, long line in right here. I’ll expand it so you can see the whole thing.
So we’re going to highlight that and hit Play on it. Here we go. We’re putting the credentials in again, and we’re authenticating. This connects us to the Exchange services, which tie into the Compliance Center, and it’s officially connected. So now that we’ve created this variable, we have stored that session in it, but we still have to import it. So we’re going to import this PS session with -DisableNameChecking, which just stops it from generating warning messages. I hit Play on that, and it’s now importing the commands. The reason I’m getting this message right here is that I had already imported these commands; you won’t get this message if you haven’t imported the commands before. But I’m fine, so the next step is New-OrganizationSegment, which is where you get into creating your segments. At this point, I’m also going to point you back to this article, because this is how information barrier policies are defined.
This is where you’re going to be putting in your PowerShell commands. So, for example, if you were doing HR, let’s show an example: New-OrganizationSegment with the name HR and the user group filter Department equals HR. So you’re creating a segment called HR. You can do that for all of your different departments if you want. You also need to ensure in Azure that your users have the department attribute (or whatever attributes you’re going to be using) set. For example, if I go to portal.azure.com, let’s take a quick look at that, and go to Azure Active Directory, then for Alex Rogers here, I need to go through and make sure that Alex Rogers has a department set, and he does not.
So I’d have to edit this and define a department. If I’m doing HR, for example, I’d put HR, hit Save, and now he’s got a department. You can write a PowerShell script that will do that for certain users pretty easily as well. So at that point, looking back over here at defining information barrier policies, I’m going with my segments. I’d have to create my segments, attach those to the department attribute, and then from there I can go down and specify what I want. In New-OrganizationSegment you can also filter by location.
Then right here is where you’re implementing your barrier policy to block communications between segments. They have an example: New-InformationBarrierPolicy with the name “Sales-Research,” the assigned segment “Sales,” and the segments blocked “Research.” So that’s an example right there.
That’s what you would do. You can copy it from the article and paste it into your PowerShell ISE, and then work from there. That’s going to be how you do this, and how you prevent one department from communicating with another. Again, this is a great feature, and you can muscle through it. You definitely have to get down and dirty with PowerShell, but ultimately you can get it done. I believe it’s only a matter of time before Microsoft implements a simple graphical method for this, and there’s nothing wrong with PowerShell; I’m a huge fan of PowerShell, but I’d definitely like to see it be a little more user-friendly for administrators to implement.
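Pulling the steps from the two lessons above into one script (prerequisites, connecting, setting the department attribute, segments, block policies in both directions, and applying them), the following is an added example and not the instructor’s own script. It uses the documented Security & Compliance cmdlets; the Connect-IPPSSession call replaces the long New-PSSession/Import-PSSession line shown in the video; the application ID, user principal names and department values are placeholders.

```powershell
# Added example (not the course's script). Requires the Az and ExchangeOnlineManagement modules.
# The app ID, UPNs and department names below are placeholders.

# --- Prerequisite: Az module and the one-time consent for the information barrier app ---
Install-Module -Name Az -Scope CurrentUser          # skip if already installed
Connect-AzAccount

$appId = '<INFORMATION-BARRIER-APP-ID>'             # placeholder: copy the ID from the Microsoft article
$sp = Get-AzADServicePrincipal -ServicePrincipalName $appId
if ($null -eq $sp) {
    # Only create the service principal if it is not already in the tenant
    New-AzADServicePrincipal -ApplicationId $appId
}
# Opens the admin consent page in the browser; accepting ends with "Flow complete"
Start-Process "https://login.microsoftonline.com/common/adminconsent?client_id=$appId"

# --- Connect to Exchange Online (for Set-User) and to Security & Compliance (for IB cmdlets) ---
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.onmicrosoft.com   # placeholder
Connect-IPPSSession   -UserPrincipalName admin@contoso.onmicrosoft.com   # placeholder

# --- Make sure users carry the attribute the segments key on (Department here) ---
# This is the scripted equivalent of editing the user in the Azure AD portal.
$departments = @{
    'alex.rogers@contoso.onmicrosoft.com' = 'HR'
    'sales.user@contoso.onmicrosoft.com'  = 'Sales'
    'lab.user@contoso.onmicrosoft.com'    = 'Research'
}
foreach ($upn in $departments.Keys) {
    Set-User -Identity $upn -Department $departments[$upn]
}

# --- Segments: one per department ---
foreach ($dept in 'HR', 'Sales', 'Research') {
    New-OrganizationSegment -Name $dept -UserGroupFilter "Department -eq '$dept'"
}

# --- Block policies: a block is one-directional, so Sales<->Research needs two ---
# Created Inactive so they can be reviewed before anything is enforced.
New-InformationBarrierPolicy -Name 'Sales-Research' -AssignedSegment 'Sales'    -SegmentsBlocked 'Research' -State Inactive
New-InformationBarrierPolicy -Name 'Research-Sales' -AssignedSegment 'Research' -SegmentsBlocked 'Sales'    -State Inactive

# Review, activate, then apply. Application runs in the background and can take a while.
Get-InformationBarrierPolicy | Format-Table Name, AssignedSegment, SegmentsBlocked, State
Set-InformationBarrierPolicy -Identity 'Sales-Research' -State Active
Set-InformationBarrierPolicy -Identity 'Research-Sales' -State Active
Start-InformationBarrierPoliciesApplication

# Check progress, and confirm which segment/policy a given user ended up under
Get-InformationBarrierPoliciesApplicationStatus
Get-InformationBarrierRecipientStatus -Identity 'sales.user@contoso.onmicrosoft.com'
```

Two things worth checking before activating: every user must match exactly one segment (overlapping filters make the application step fail), and the `Get-InformationBarrierRecipientStatus` call at the end is the quickest way to confirm a user actually landed in the segment you expected before relying on the barrier in Teams.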
7. Security Reports
Let’s talk now about some of the security reports that can help us identify things like malware and the different posts that could be malicious in our Teams environment. So here we are at portal.microsoft.com. This is our starting point, and we’re going to go over to the left, click “Show all,” and open up the Security Center.
Keep in mind that this is the Security and Compliance Center. You can also go into the Compliance Center, and a lot of the reports can be found there as well, but I’m going to do it through the Security and Compliance Center because there is more there that we can look at. All right, so it’s loading Security and Compliance. The other thing I want to point out is that I’m focusing on Teams here, but this covers Microsoft 365 services in general, so you’re going to see a lot of reports involving the Microsoft 365 environment as a whole. Okay, so here we are. The first thing I want to do is scroll down to a little drop-down called Reports. We’re going to click on that and then click Dashboard.
Now, if you have a production environment, you’re going to see a lot more going on. If you’ve got a newly set-up tenant, there aren’t many reports here that are going to show anything, because obviously I haven’t had any malware hitting the environment. So there aren’t many malicious activities going on here, but you can definitely get a feel for what’s available to you. There are a lot of little reports on this dashboard that I can look at. As you can see, we’ve got spoof detection, threat protection status, and URL protection.
When people send spam URLs to you, you can see how many good emails you received in comparison to malicious or bad ones. Then there’s the connector report, which looks at mail flow that arrives without a connector, and mail flow status. There are a lot of different things here that you can look at and analyze. I want to look at the threat protection status report, so I’ll just click on it. And, once again, not many threats have been detected, but this is great because it will show you if malware has been detected regardless of whether it came through email, Teams, or SharePoint, and any type of file that has been detected can show up as “content malware” here.
So you can drop down “View data by” and choose “Content malware.” Using content malware, I’ll be able to tell if I’ve received any threats through Teams. Now, if you are taking an exam, that’s what you want to remember: there is a content malware view, and the threat protection status report is what gives you that. Okay, so in your Microsoft 365 / Office 365 environment you have what’s called Advanced Threat Protection (ATP). This is a system that actively looks for threats across your Microsoft 365 environment. Again, whether it’s coming through Teams, Exchange, SharePoint, or whatever, ATP is going to be there to monitor it. Your Advanced Threat Protection is managed right here, and we can see more threats if we drop this down.
We’ve got a thing we can look at here called Explorer, so we’ll click on that. This is called Threat Explorer. You can generate a report for a particular date; if you want a particular date and time, you can set a range, and you can see all the malware that showed up during that period. You can also use Threat Tracker, and this shows you some more little reports. It has noteworthy threats and weekly top threats, and all of that would show up down here at the bottom. So if you have a production environment, I definitely encourage you to jump in and take a look, because you can probably see a lot going on.
However, as you might expect, each of these reports can be expanded. You can get analysis of things like when the threat occurred and what IP addresses are associated with it, and this can help you get an overall look and feel of your security. Now, another thing Microsoft provides that’s kind of cool as a security professional is that we can go to a website called securitycenter.microsoft.com, and there is a little blade here called Secure Score. This is neat because we can get an overall look at security as a whole in our Microsoft 365 environment. This is called analysing your security posture. If you’re familiar with security terminology, security posture is basically the overall state of security in your organization, meaning how well you stay on top of security. If you have a good security posture, you are staying on top of security: staying updated, implementing best practices, and having the latest and greatest tools. A good security posture is something you have to maintain.
It is not a one-and-done thing where you put a few things in place and never have to worry about it again. You have to have the mindset that this is an ongoing life cycle that never really ends. As a security professional, you’re always having to update, upgrade, and stay on top of security; that is, of course, if you’re going to have good security. So, Secure Score analyses all of the objects you’ve implemented in the Microsoft 365 environment, your subscriptions and licenses, and everything else, and looks at what you’ve got. Then it has a ton of best practices that can be implemented to improve things, and it looks at how many of those best practices you’ve actually performed. So as you can see here, here are some of the top improvements I could make and how they would impact my score. It also lets you see your score versus other organisations like yours, which is kind of cool. I can click “View all” here, too, and see even more things I can do, prioritised by what’s going to give me the highest score. Some of the things I could do are require MFA and ensure that all users have completed MFA registration.
According to Microsoft, MFA is one of the most important things a company can do if they want to protect things, mainly their identities. Identity is one of the biggest things we have to worry about: people obtaining other people’s passwords and essentially social engineering their way into their accounts. You can also look at your history. You can look through here and see some of the things that have been implemented, the things I’ve gained points for implementing, and get a nice little table for that. These little reports can be exported too, so you can pull them into a spreadsheet if you need to show your boss. You’ve also got metrics and trends, some more little reports, where you can see if your score is going up or down. And again, the little blue line here shows my score, and then it shows what other organisations have similar scores. Granted, I’m just using a test tenant here to demonstrate this to you; I’m not really allowed to show you any of the companies I contract with, but I can show you this. If you set up a trial tenant, you’ll be along the same lines, but if you do have access to a full-blown tenant, I encourage you to take a look and see what your company’s overall score is.
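The history and “metrics and trends” views above can also be pulled out of the tenant for the spreadsheet hand-off the lesson mentions. The following is an added example, not code from the course, using the Microsoft Graph PowerShell SDK; it assumes the Microsoft.Graph.Security module is installed, that the signed-in account can consent to `SecurityEvents.Read.All`, and that the secure score objects expose the `CurrentScore`, `MaxScore`, `CreatedDateTime` and `ControlScores` properties as they do in the Graph secureScore resource.

```powershell
# Added example (not from the course). Requires the Microsoft.Graph.Security module.
Import-Module Microsoft.Graph.Security
Connect-MgGraph -Scopes 'SecurityEvents.Read.All'

# Graph keeps one secureScore record per day; fetch the last 30 and order oldest-first
$scores = Get-MgSecuritySecureScore -Top 30 | Sort-Object CreatedDateTime

# Build the trend table shown on the Metrics & trends page
$trend = $scores | ForEach-Object {
    [pscustomobject]@{
        Date     = $_.CreatedDateTime.ToString('yyyy-MM-dd')
        Score    = [math]::Round($_.CurrentScore, 1)
        MaxScore = $_.MaxScore
        Percent  = [math]::Round(100 * $_.CurrentScore / $_.MaxScore, 1)
    }
}
$trend | Format-Table -AutoSize
$trend | Export-Csv -Path .\secure-score-trend.csv -NoTypeInformation   # the spreadsheet export

# Is the score moving up or down across the window?
$delta = $trend[-1].Score - $trend[0].Score
"Change over $($trend.Count) days: $delta points"

# The lowest-scoring controls in the latest record, i.e. the "top improvements" list
$latest = $scores[-1]
$latest.ControlScores |
    Sort-Object Score |
    Select-Object -First 10 ControlName, ControlCategory, Score |
    Format-Table -AutoSize
```

Exporting the trend on a schedule gives you the same “is it going up or down” check the portal shows, but as a record you keep, which is what the maintenance mindset described above amounts to in practice.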
Overall, Microsoft provides a lot of great tools for assessing your security posture and generating reports. You’ve already seen auditing and alerts and all that. So there’s a lot you can experiment with to get a good look and feel for security in your company, in regards to Teams as well as the other Microsoft 365 services.