Issues with Sensitivity Labels and "Specific email addresses or domains" - Not working
Hello! We have enabled Sensitivity Labels in our tenant. The access control settings for the label states that a specific domain gets the permission "Co-Author". When we enable the Sensitivity label on a document and sent it towards the approved domain, it results in an error message when authenticating to open the document: "Selected user account does not exist in tenant 'Veni AS' and cannot access the application in that tenant. The account needs to be added as an external user in the tenant first. Please use a different account." After doing some research I did some changes to the external domain within the Cross-tenant settings. The external domain now has the following settings: Inbound access: Allow access on external users and groups, within B2B Collaboration Allow access on external users and groups, within B2B direct connect Trust multifactor authentication from Microsoft Entra tenants, within Trust settings. Outbound access: Allow access on users and groups, within B2B Collaboration Allow access on users and groups, within B2B direct connect External Identities: Block access for external users and groups. (Inherited from default) After doing this change, I no longer get the same error message as above when authenticating to open the labeled document. Now I get the following error message: "You are not signed in to office with an account that has permission to open this document. You may sign in a new account into Office that has permission or request permission from the content owner" I have this working from another tenant to the same external domain and I have cross-checked the settings. Any idea on how to proceed, or if it is any obvious change I need to make in order to get this to work? All feedback appreciated! :-)Track Sensitivity Label Downgrades and Removals with Audit Log Data
The Purview Insider Risk Management solution can do all sorts of clever things, like tracking sensitivity label downgrades and removals as an indicator that a user might be preparing to exfiltrate data. The same kind of checking can be done by using the events captured in the audit log when people remove or change sensitivity labels. All in a few lines of PowerShell… https://office365itpros.com/2024/11/20/sensitivity-label-downgrades/
I lost my Admin privileges in Microsoft 365
So, I'm working in a corporate company and we had services purchased like Azure, PowerBI etc. that we were paying for a long time. And until today I was logging in with the Admin email to the 365 admin portal with my admin account. but today when I try that Email has lost it's admin privileges. And so to recover that account I tried directly connecting through the phone call which also had to go through an automated voice assistant. And even after finally connected with the call. the only way they were about to provide a help was to telling them what is the current admin account's email address. which is like the reason why we called them because we have a security breach and don't know who did that. And I had all my previous admin accounts with credentials and all payment details etc. but I had to talk to some guy for like 20 minutes that just repeating the same thing like tell me the current admin email so w can help you further. Like if I know that why would I even call them. And I have all the details of my previous info but how can I know what the email that the attacker has used in just one day.
Connect-Aipservice is not working
Hello everyone, Please is anyone able to connect to the aip service using powershell version 5.5 and above? Even after installing and importing the aip service module, the connect-aipservice failed to work with all its parameters. However, creating and publishing sensitivity label policy is working. Thanks.How to Handle an Unwanted Sensitivity Label
Sometimes sensitivity labels defined for use within a Microsoft 365 tenant turn out to be unnecessary. The question then is what to do with these unwanted sensitivity labels. The answer is to pause for thought, gather information, and then make an informed decision, all of which we discuss here. https://practical365.com/how-to-handle-an-unwanted-sensitivity-label/C# application with MIP SDK fails creating the FileEngine
Hi! I have a C# application which tries to create a FileEngine to unprotect AIP protected files. The application runs in Azure. Network connectivity is available. The MIP SDK logs look like this: Info 2024-06-05 11:49:15.652 common/api_utils.h:195 w3wp (6324) "Start calling success callback for API: protection_profile_load_async" mipns::TryExecuteSuccessCallback::<lambda_aa4c0887fcc47f487d59891ccfa0eff4>::operator () 5396 Info 2024-06-05 11:49:15.652 common/api_utils.h:197 w3wp (6324) "Ended calling success callback for API: protection_profile_load_async" mipns::TryExecuteSuccessCallback::<lambda_aa4c0887fcc47f487d59891ccfa0eff4>::operator () 5396 Info 2024-06-05 11:49:15.652 policy_profile_impl.cpp:522 w3wp (6324) "Starting API call: profile_add_engine_async scenarioId=55a8c9cb-bbe6-40bb-992f-10b54066f182" mipns::ProfileImpl::AddEngineAsync 1048 Info 2024-06-05 11:49:15.652 policy_profile_impl.cpp:522 w3wp (6324) "Ended API call: profile_add_engine_async" mipns::ProfileImpl::AddEngineAsync 1048 Info 2024-06-05 11:49:15.652 policy_profile_impl.cpp:522 w3wp (6324) "Starting API task: profile_add_engine_async" mipns::ProfileImpl::AddEngineAsync 1700 Info 2024-06-05 11:49:15.652 policy_profile_impl.cpp:522 w3wp (6324) "Starting API task: profile_add_engine_async scenarioId=55a8c9cb-bbe6-40bb-992f-10b54066f182" mipns::ProfileImpl::AddEngineAsync 1700 Info 2024-06-05 11:49:15.652 policy_profile_impl.cpp:244 w3wp (6324) "Starting to add policy engine with engine id: 09342290-3990-4ef9-bdeb-611113bcccee" `anonymous-namespace'::CreateEngineAsync 1700 Warning 2024-06-05 11:49:15.652 policy_engine_manager_impl.cpp:275 w3wp (6324) "Inconsistent label & sensitivity policy detected. Removing both from cache if it exists." mipns::PolicyEngineManagerImpl::DeletePolicyFromStorage 1700 Info 2024-06-05 11:49:15.652 policy_engine_manager_impl.cpp:358 w3wp (6324) "Loading new policy engine (requires fetch): 09342290-3990-4ef9-bdeb-611113bcccee" mipns::PolicyEngineManagerImpl::LoadNewEngineAsync 1700 Warning 2024-06-05 11:49:15.652 policy_engine_manager_impl.cpp:361 w3wp (6324) "New PolicyEngine was created without an identity. Dynamic content marking will be partially disabled, and URL redirect caching will be fully disabled." mipns::PolicyEngineManagerImpl::LoadNewEngineAsync 1700 Info 2024-06-05 11:49:15.652 auth_request_transformer.cpp:155 w3wp (6324) "Requesting auth token from app. Resource: 'https://syncservice.o365syncservice.com/', Authority: 'https://login.windows.net/common', Scope: '', Claims: ''" mipns::AuthRequestTransformer::GetAuthToken 1700 Info 2024-06-05 11:49:15.917 auth_request_transformer.cpp:169 w3wp (6324) "Authentication response time (seconds): 0.264937" mipns::AuthRequestTransformer::GetAuthToken 1700 Info 2024-06-05 11:49:15.932 http_director_impl.cpp:141 w3wp (6324) "Sending HTTP request: ID: {C3D930DE-50B3-40A8-8C44-0ED22007A6FB}, Type: GET, Url: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies?supportedMaxVersion=1.0.50.0, Body Size: 0, Headers['ClientInfo'] = 'mip_ver=1.14.128;os_name=win;os_ver=10-0-20348;runtime=msvc-1929;arch=x86', Headers['Capabilities'] = 'BestEffortEntityMatch,BestEffortCCSIMatch,SchematizedDataContentType', Headers['Content-Type'] = 'application/xml;charset=utf-8', Headers['Authorization'] = 'UOID:2d3ea670-a6d7-4a66-85fe-0bcc9b5f563a;Tenant:tenant id;Audience:https://syncservice.o365syncservice.com/;Roles:UnifiedPolicy.Tenant.Read;" mipns::HttpDirectorImpl::DoSendHttp 1700 Info 2024-06-05 11:49:16.104 http_client_base.cpp:44 w3wp (6324) "HTTP response time (seconds): 0.185885 ID: {C3D930DE-50B3-40A8-8C44-0ED22007A6FB}" mipns::HttpClientBase::SendAsync::<lambda_b2b0e837acbc3dca3dadb2856c35cf30>::operator () 5756 Info 2024-06-05 11:49:16.120 oneds_helper.cpp:532 w3wp (6324) "OneDsHelper::WriteTelemetryEvent(policy_sync_acquire_policy)" mipns::OneDSHelper::WriteTelemetryEvent 5756 Info 2024-06-05 11:49:16.120 diagnostic_utils.cpp:80 w3wp (6324) "Send Telemetry. Event Name : [policy_sync_acquire_policy] App.ApplicationId: [application id], Pii: [None] App.ApplicationName: [AR_COSI_TEST_AIP], Pii: [None] App.ApplicationVersion: [1.0.0], Pii: [None] App.SessionId: [], Pii: [None] Engine.SessionId: [], Pii: [None] Event.CorrelationId: [3f4d9f3a-a5a1-40fc-bbdb-049f4d40889f], Pii: [None] Event.CorrelationIdDescription: [HttpDirector], Pii: [None] Event.Duration: [0.187074], Pii: [None] Event.ErrorType: [NetworkError], Pii: [None] Event.Failed.File: [src\core\api_impl\http\http_director_impl.cpp], Pii: [None] Event.Failed.Func: [mipns::HttpTelemetryHelper::NotifyOperationComplete], Pii: [None] Event.Failed.Line: [374], Pii: [None] Event.Failed.Message: [No HTTP response. Failed with: [NetworkError: 'HTTP connection failure Inner exception: [http_exception: 'WinHttpSendRequest: 12029: A connection with the server could not be established'], NetworkError.Category=NoConnection, HttpRequest.SanitizedUrl=https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies, HttpRequest.Id={C3D930DE-50B3-40A8-8C44-0ED22007A6FB}']], Pii: [None] Event.ParentCorrelationId: [948d1c35-91a9-47be-af1f-6d6a241125e5], Pii: [None] Event.ParentCorrelationIdDescription: [PolicyProfile], Pii: [None] Event.UniqueId: [eacab4b6-2048-4cf0-8d5c-cba215bcb6a0], Pii: [None] EventInfo.Level: [10], Pii: [None] EventInfo.PrivTags: [33554432], Pii: [None] MIP.Version: [1.14.128], Pii: [None] Request.CorrelationId: [{C3D930DE-50B3-40A8-8C44-0ED22007A6FB}], Pii: [None] Request.IsAsynchronous: [true], Pii: [None] Request.RequestBodySize: [0], Pii: [None] Request.TokenTenantId: [tenant id], Pii: [None] Request.Url: [https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies], Pii: [None] iKey: [ce9aa5fb5a414ecebb15af10715bd8ff-831d197e-fc97-4df6-b998-c8c13a0fc3ce-6768], Pii: [None] " mipns::WriteTelemetryEventToLog 5756 Info 2024-06-05 11:49:16.120 http_director_impl.cpp:38 w3wp (6324) "Received HTTP response: " `anonymous-namespace'::LogHttpOperationDetails 5756 Error 2024-06-05 11:49:16.120 http_director_impl.cpp:42 w3wp (6324) "HTTP operation {C3D930DE-50B3-40A8-8C44-0ED22007A6FB} failed: Failed with: [NetworkError: 'HTTP connection failure Inner exception: [http_exception: 'WinHttpSendRequest: 12029: A connection with the server could not be established'], NetworkError.Category=NoConnection, HttpRequest.SanitizedUrl=https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies, HttpRequest.Id={C3D930DE-50B3-40A8-8C44-0ED22007A6FB}']" `anonymous-namespace'::LogHttpOperationDetails 5756 This error does not occur on every tenant! Does anyone have a clue why this error occurs?
Unable to create a centralised email address containing ”.admin” when ending in @outlook.com
Seeking some guidance how it would be possible to create a centralised email address containing xxxx”.admin” to an @outlook.com email address? The “.admin” address will be used as the front desk / home base for (non-personal) incoming emails and enquires, as well as a central calendar account.
Enable Sensitivity Labels for Containers - Learn Article Query
We have a QA and Production 365 tenant and are looking to enable sensitivity labels for containers. Checking the both tenants using: $Setting = Get-MgBetaDirectorySetting | where { $_.DisplayName -eq "Group.Unified"} $Setting.Values I can see that these labels have been enabled in QA and that Production shows that the labels are not yet enabled. Unfortunately, QA was enabled some time in the past. Rather than jumping straight into Production, I'd like to disable labels in QA and then reenable them. This will allow me to check the validity of the MSFT learn commands shown on : https://learn.microsoft.com/en-us/entra/identity/users/groups-assign-sensitivity-labels#enable-sensitivity-label-support-in-powershell The following article https://learn.microsoft.com/en-us/purview/sensitivity-labels-teams-groups-sites#how-to-disable-sensitivity-labels-for-containers has a section on how to disable labels for containers. However, it doesn't make sense to me. It states 'to disable the feature, in step 5, specify $setting["EnableMIPLabels"] = "False"'. I can't see how applying this command to step 5 does anything. Step 5 is about checking whether a change has been made, not making the change. Step 4 is where the setting change is made (set EnableMIPLabels to True). To me, the command to run would be: $params = @{ Values = @( @{ Name = "EnableMIPLabels" Value = "False" } ) } Update-MgBetaDirectorySetting -DirectorySettingId $Setting.Id -BodyParameter $params What are people thoughts. I'm calling the process into questions as Step 3 also doesn't work as the article suggests. If I run $grpUnifiedSetting = Get-MgBetaDirectorySetting -Search DisplayName:"Group.Unified" in QA, where I know the setting is enabled, nothing happens. The article says if nothing happens, then labels haven't been enabled, which I know is incorrect. (for me the above command doesn't do anything, only set a variable to contain a value.MS 365 DLP not triggering alert for print audit action.
Hi MS Community I'm facing a weird problem with MS 365 DLP solution (compliance.microsoft.com) I have 2 machines 1) Win 10 Desktop 2) Win 10 Azure AVD. Both machines have latest Defender version. as shown below. Background of DLP policy: I have 7-8 Endpoint policy which has audit enable for print and copy to USB option. Both device showing policy updated and sync with latest. Currently Testing a policy where if someone print a business document it should trigger alert. The policy has 1)SIT with few words sensitive words matching 2) A trainable classifier. 3) Extension: PDF WORD PPT Problem: When i try to print a business document, the alert is triggering for desktop machine but not for my AVD machine. even though both machines are scoped for policy, MDE Onboarded, and defender is latest. also, policy is synched. Somewhere its not detecting the print action initiated on AVD machine. The Print action is not working for any policy for AVD machine. Regards Mohammed
