Microsoft Purview and Modern Work (Part 3a) - Exchange Email Messaging
Published Dec 08 2022 11:49 PM
Microsoft


 

 

 

Before we start, please note that if you want to see a table of contents for all the sections of this blog, you can locate them at the following URL:

Microsoft Purview and Modern Work (Part 1) - Overview

 

 

Disclaimer

This document is not meant to replace any official documentation, including those found at docs.microsoft.com.  Those documents are continually updated and maintained by Microsoft Corporation.  If there is a discrepancy between this document and what you find in the Compliance User Interface (UI) or inside of a reference in docs.microsoft.com, you should always defer to that official documentation and contact your Microsoft Account team as needed.  Links to the docs.microsoft.com data will be referenced both in the document steps as well as in the appendix.

 

All of the following steps should be done with test data, and where possible, testing should be performed in a test environment.  Testing should never be performed against production data.

 

Target Audience

The Information Life Cycle Management section of this blog series is aimed at Security and Compliance and Modern Work officers who need to properly label data and encrypt it where needed.

 

Document Scope

This blog and document are meant to help an IT administrator who is looking to secure their data throughout the lifecycle of the data.

It is presumed that you already have a basic understanding of the Purview tools and the Modern Work tools (including Exchange, Teams, SharePoint and OneDrive).

 

Out-of-Scope

This document does not cover configuring any of the items below (i.e., “holding your hand through the process of configuration”), as that is covered via other blogs, official Microsoft documents, or through the aid of Microsoft implementation teams or Microsoft partners:

  • Audit
  • Communications Compliance
  • Compliance Manager
  • Data Classification (Sensitive Information Types)
  • Data Classification (Exact Data Matching)
  • Data Classification (Trainable Classifiers)
  • Data Lifecycle Management (retention and disposal)
  • Data Loss Prevention (DLP) for Exchange, OneDrive, Devices, etc.
  • Information Barriers
  • Information Protection (labeling, encrypting, watermarking, etc of files)
  • Insider Risk Management
  • Microsoft Defender for Cloud Apps (MDCA)
  • Privacy Management (Priva)
  • Records Management (retention and disposal)
  • Standard or Premium eDiscovery

 

Notes

After each section of this blog, I will note which of the 3 parts of the CIA Triad that Microsoft tool will help you meet.  Here are a few examples.

 

Example #1 –

CIA component – Integrity & Availability

 

Example #2 –

CIA component – Confidentiality & Availability

 

Example #3 –

CIA component – Integrity

 

 

Exchange Email

For this part of the blog, I have broken down the Purview workloads, mapped them to the Exchange messaging activity, and then mapped those to the corresponding stage of the Information Lifecycle.

Here is the high-level view of this mapping.

 

 


 

 

Please note I’ve added a new stage to the Information Lifecycle and called it Pre-data creation.  This was done to help show that Microsoft Auditing is always enabled within your Microsoft tenant.

 

After each Purview workload, you will find a CIA triad “indicator” to show which part of the triad that workload supports.  In addition, you will also find links to assorted Microsoft documents or blog postings that can help you enable that functionality in your environment, presuming you are appropriately licensed.

 

Pre-data Creation

  1. Premium Audit (email/file) – It is recommended that this be enabled before all other functionality to watch all data activity in your environment.

Microsoft Purview Audit (Premium) - Microsoft Purview (compliance) | Microsoft Learn

CIA component – Confidentiality & Integrity

 


 

 

 

Create (data)

  1. Premium Audit (email/file) – This watches the creation, use, searching, labeling (sensitivity and retention labels), etc. of all data in your tenant.

Microsoft Purview Audit (Premium) - Microsoft Purview (compliance) | Microsoft Learn

CIA component – Confidentiality & Integrity

 

  1. Information Protection (Sensitivity Label) (email/file/site) – This tool applies encryption, watermarking, access, editing, etc. based on a user’s credentials either in your tenant or associated with your tenant.  There are two ways that this tool can apply labels:
    1. Automatic Sensitivity labeling – The tool reasons over data that exists or is being created and applies a sensitivity label based on what it finds.
    2. Manual Sensitivity labeling – The user applies a sensitivity label based on what they see or have placed in that file/email.

Learn about sensitivity labels - Microsoft Purview (compliance) | Microsoft Learn

 

Microsoft Purview- Paint By Numbers Series (Part 2)- Information Protection - Microsoft Community Hu...

CIA component – Confidentiality & Integrity

 

  1. Data Lifecycle Management / Records Management (Retention Label) (email/file) – This tool applies retention based on what is inside of an email/file.  There are two ways that this tool can apply labels:
    1. Automatic Retention labeling – The tool reasons over data that exists or is being created and applies a retention label based on what it finds.
    2. Manual Retention labeling – The user applies a retention label based on what they see or have placed in that file/email.

Learn about Microsoft Purview Data Lifecycle Management - Microsoft Purview (compliance) | Microsoft...

 

Records management for documents and emails in Microsoft 365 - Microsoft Purview (compliance) | Micr...

 

Microsoft Purview - Paint By Numbers Series (Part 4) - Records Management - Microsoft Community Hub

CIA component – Integrity

 


 

 

 

Use & Retain (data)

  1. Premium Audit (email/file) – This is always logging interactions with files/emails.

Microsoft Purview Audit (Premium) - Microsoft Purview (compliance) | Microsoft Learn

 

CIA component – Confidentiality & Integrity

 

  1. Communications Compliance (email/Teams) – This watches over email and Teams communications for terms and verbiage that should not be used or shared.
    1. Examples include inappropriate words, bullying, PHI, or PII.

Learn about communication compliance - Microsoft Purview (compliance) | Microsoft Learn

CIA component – Confidentiality

 

  1. Information Barriers (email/Teams) – This blocks emails or Teams conversations between users/groups that should not be communicating.
    1. Examples would include researchers and financial analysts, or Subsidiary A in the USA and Subsidiary B in Europe.

Learn about information barriers - Microsoft Purview (compliance) | Microsoft Learn

Microsoft Purview - Paint By Numbers Series (Part 8a) - Information Barriers and Team Chat - Microso...

CIA component – Confidentiality

 

  1. Data Loss Prevention (email/file) – This blocks sending emails/chats/data/files to the wrong individuals or organizations. 
    1. Example - your organization and your organization’s primary competitor.

Learn about data loss prevention - Microsoft Purview (compliance) | Microsoft Learn

Microsoft Purview - Paint By Numbers Series (Part 3) - Data Loss Protection for Exchange - Microsoft...

 

CIA component – Confidentiality & Integrity

 

  1. Information Protection (Sensitivity Labels) – This allows for manual/automatic sensitivity labeling of existing data OR changing the sensitivity label of data that is already labeled.
    1. An example of this would be encrypting files so only your business partners can read the files using a user profile associated with your Azure Active Directory.  All other credentials (personal, competitor, etc.) would be blocked from accessing the data.

Learn about sensitivity labels - Microsoft Purview (compliance) | Microsoft Learn

 

Microsoft Purview- Paint By Numbers Series (Part 2)- Information Protection - Microsoft Community Hu...

CIA component – Confidentiality & Integrity

 

  1. Data Lifecycle Management / Records Management (Retention label) (file/email) – These tools provide for either manual or automatic retention labeling of existing unlabeled data OR changing the retention label of data that is already labeled.
    1. Examples include applying a 7-year retention to PHI for HIPAA regulations, or changing a 7-year retention label to a 3-year retention when data within a file has been changed.

Learn about Microsoft Purview Data Lifecycle Management - Microsoft Purview (compliance) | Microsoft...

 

Records management for documents and emails in Microsoft 365 - Microsoft Purview (compliance) | Micr...

Microsoft Purview - Paint By Numbers Series (Part 4) - Records Management - Microsoft Community Hub

CIA component – Integrity

 

  1. Insider Risk Management (email/file) – This tool tracks data movement, deletion, changes in labels, exfiltration, etc. and maps it to user behavior.  If needed, this tool can hand collected information (emails, files, user names, etc.) to eDiscovery as a case.
    1. An example of this would be a user tendering their resignation, and you see a sudden spike in their downloading corporate data to a USB stick.

Learn about insider risk management - Microsoft Purview (compliance) | Microsoft Learn

 

Microsoft Purview - Paint By Numbers Series (Part 6) – Insider Risk Management - Overview - Microsof...

CIA component – Confidentiality

 

  1. eDiscovery (email/file) – With this tool you can search, collect, sift, hold, review, and export data for legal/compliance/HR/forensics investigations.

Microsoft Purview eDiscovery solutions - Microsoft Purview (compliance) | Microsoft Learn

Microsoft Purview - Paint By Numbers Series (Part 5) - Advanced eDiscovery - Microsoft Community Hub

CIA component – Integrity

 


 

 

Destroy (data)

  1. Premium Audit (email/file) – This watches the deletion of emails/files.

Microsoft Purview Audit (Premium) - Microsoft Purview (compliance) | Microsoft Learn

CIA component – Confidentiality & Integrity

 

  1. Insider Risk Management (email/file) – This tool tracks data movement, deletion, changes in labels, exfiltration, etc. and maps it to user behavior.  If needed, this tool can hand collected information (emails, files, user names, etc.) to eDiscovery as a case.

 

Learn about insider risk management - Microsoft Purview (compliance) | Microsoft Learn

CIA component – Confidentiality

 

  1. Data Lifecycle Management / Records Management (Retention label) (file/email) – These tools provide for either manual or automatic retention labeling of existing unlabeled data OR changing the retention label of data that is already labeled.

Learn about Microsoft Purview Data Lifecycle Management - Microsoft Purview (compliance) | Microsoft...

 

Records management for documents and emails in Microsoft 365 - Microsoft Purview (compliance) | Micr...

 

Microsoft Purview - Paint By Numbers Series (Part 4) - Records Management - Microsoft Community Hub

CIA component – Integrity

 


 

 

Next Steps

We will now move to look at Teams and specific Purview workloads that can be mapped to communication data within that platform.

 

Appendix and Links

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Last update: Dec 05 2022 01:40 PM