Azure Information Protection
21 Topics

Track Sensitivity Label Downgrades and Removals with Audit Log Data
The Purview Insider Risk Management solution can do all sorts of clever things, like tracking sensitivity label downgrades and removals as an indicator that a user might be preparing to exfiltrate data. The same kind of checking can be done by using the events captured in the audit log when people remove or change sensitivity labels. All in a few lines of PowerShell… https://office365itpros.com/2024/11/20/sensitivity-label-downgrades/
29 Views, 0 likes, 0 Comments

I lost my Admin privileges in Microsoft 365
So, I'm working in a corporate company and we had services purchased like Azure, PowerBI etc. that we were paying for a long time. And until today I was logging in with the Admin email to the 365 admin portal with my admin account, but today when I try, that email has lost its admin privileges. And so to recover that account I tried directly connecting through the phone call, which also had to go through an automated voice assistant. And even after finally connecting with the call, the only way they were able to provide help was by us telling them what the current admin account's email address is, which is like the reason why we called them, because we have a security breach and don't know who did that. And I had all my previous admin accounts with credentials and all payment details etc., but I had to talk to some guy for like 20 minutes who was just repeating the same thing, like "tell me the current admin email so we can help you further". Like, if I knew that, why would I even call them? And I have all the details of my previous info, but how can I know what email the attacker has used in just one day?
175 Views, 0 likes, 1 Comment

Connect-Aipservice is not working
Hello everyone, please, is anyone able to connect to the AIP service using PowerShell version 5.5 and above? Even after installing and importing the AIP service module, Connect-AipService failed to work with all its parameters. However, creating and publishing a sensitivity label policy is working. Thanks.
729 Views, 0 likes, 6 Comments

How to Handle an Unwanted Sensitivity Label
Sometimes sensitivity labels defined for use within a Microsoft 365 tenant turn out to be unnecessary. The question then is what to do with these unwanted sensitivity labels. The answer is to pause for thought, gather information, and then make an informed decision, all of which we discuss here. https://practical365.com/how-to-handle-an-unwanted-sensitivity-label/
175 Views, 0 likes, 0 Comments

C# application with MIP SDK fails creating the FileEngine
Hi! I have a C# application which tries to create a FileEngine to unprotect AIP protected files. The application runs in Azure. Network connectivity is available. The MIP SDK logs look like this:

Info 2024-06-05 11:49:15.652 common/api_utils.h:195 w3wp (6324) "Start calling success callback for API: protection_profile_load_async" mipns::TryExecuteSuccessCallback::<lambda_aa4c0887fcc47f487d59891ccfa0eff4>::operator () 5396
Info 2024-06-05 11:49:15.652 common/api_utils.h:197 w3wp (6324) "Ended calling success callback for API: protection_profile_load_async" mipns::TryExecuteSuccessCallback::<lambda_aa4c0887fcc47f487d59891ccfa0eff4>::operator () 5396
Info 2024-06-05 11:49:15.652 policy_profile_impl.cpp:522 w3wp (6324) "Starting API call: profile_add_engine_async scenarioId=55a8c9cb-bbe6-40bb-992f-10b54066f182" mipns::ProfileImpl::AddEngineAsync 1048
Info 2024-06-05 11:49:15.652 policy_profile_impl.cpp:522 w3wp (6324) "Ended API call: profile_add_engine_async" mipns::ProfileImpl::AddEngineAsync 1048
Info 2024-06-05 11:49:15.652 policy_profile_impl.cpp:522 w3wp (6324) "Starting API task: profile_add_engine_async" mipns::ProfileImpl::AddEngineAsync 1700
Info 2024-06-05 11:49:15.652 policy_profile_impl.cpp:522 w3wp (6324) "Starting API task: profile_add_engine_async scenarioId=55a8c9cb-bbe6-40bb-992f-10b54066f182" mipns::ProfileImpl::AddEngineAsync 1700
Info 2024-06-05 11:49:15.652 policy_profile_impl.cpp:244 w3wp (6324) "Starting to add policy engine with engine id: 09342290-3990-4ef9-bdeb-611113bcccee" `anonymous-namespace'::CreateEngineAsync 1700
Warning 2024-06-05 11:49:15.652 policy_engine_manager_impl.cpp:275 w3wp (6324) "Inconsistent label & sensitivity policy detected. Removing both from cache if it exists." mipns::PolicyEngineManagerImpl::DeletePolicyFromStorage 1700
Info 2024-06-05 11:49:15.652 policy_engine_manager_impl.cpp:358 w3wp (6324) "Loading new policy engine (requires fetch): 09342290-3990-4ef9-bdeb-611113bcccee" mipns::PolicyEngineManagerImpl::LoadNewEngineAsync 1700
Warning 2024-06-05 11:49:15.652 policy_engine_manager_impl.cpp:361 w3wp (6324) "New PolicyEngine was created without an identity. Dynamic content marking will be partially disabled, and URL redirect caching will be fully disabled." mipns::PolicyEngineManagerImpl::LoadNewEngineAsync 1700
Info 2024-06-05 11:49:15.652 auth_request_transformer.cpp:155 w3wp (6324) "Requesting auth token from app. Resource: 'https://syncservice.o365syncservice.com/', Authority: 'https://login.windows.net/common', Scope: '', Claims: ''" mipns::AuthRequestTransformer::GetAuthToken 1700
Info 2024-06-05 11:49:15.917 auth_request_transformer.cpp:169 w3wp (6324) "Authentication response time (seconds): 0.264937" mipns::AuthRequestTransformer::GetAuthToken 1700
Info 2024-06-05 11:49:15.932 http_director_impl.cpp:141 w3wp (6324) "Sending HTTP request: ID: {C3D930DE-50B3-40A8-8C44-0ED22007A6FB}, Type: GET, Url: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies?supportedMaxVersion=1.0.50.0, Body Size: 0, Headers['ClientInfo'] = 'mip_ver=1.14.128;os_name=win;os_ver=10-0-20348;runtime=msvc-1929;arch=x86', Headers['Capabilities'] = 'BestEffortEntityMatch,BestEffortCCSIMatch,SchematizedDataContentType', Headers['Content-Type'] = 'application/xml;charset=utf-8', Headers['Authorization'] = 'UOID:2d3ea670-a6d7-4a66-85fe-0bcc9b5f563a;Tenant:tenant id;Audience:https://syncservice.o365syncservice.com/;Roles:UnifiedPolicy.Tenant.Read;" mipns::HttpDirectorImpl::DoSendHttp 1700
Info 2024-06-05 11:49:16.104 http_client_base.cpp:44 w3wp (6324) "HTTP response time (seconds): 0.185885 ID: {C3D930DE-50B3-40A8-8C44-0ED22007A6FB}" mipns::HttpClientBase::SendAsync::<lambda_b2b0e837acbc3dca3dadb2856c35cf30>::operator () 5756
Info 2024-06-05 11:49:16.120 oneds_helper.cpp:532 w3wp (6324) "OneDsHelper::WriteTelemetryEvent(policy_sync_acquire_policy)" mipns::OneDSHelper::WriteTelemetryEvent 5756
Info 2024-06-05 11:49:16.120 diagnostic_utils.cpp:80 w3wp (6324) "Send Telemetry. Event Name : [policy_sync_acquire_policy] App.ApplicationId: [application id], Pii: [None] App.ApplicationName: [AR_COSI_TEST_AIP], Pii: [None] App.ApplicationVersion: [1.0.0], Pii: [None] App.SessionId: [], Pii: [None] Engine.SessionId: [], Pii: [None] Event.CorrelationId: [3f4d9f3a-a5a1-40fc-bbdb-049f4d40889f], Pii: [None] Event.CorrelationIdDescription: [HttpDirector], Pii: [None] Event.Duration: [0.187074], Pii: [None] Event.ErrorType: [NetworkError], Pii: [None] Event.Failed.File: [src\core\api_impl\http\http_director_impl.cpp], Pii: [None] Event.Failed.Func: [mipns::HttpTelemetryHelper::NotifyOperationComplete], Pii: [None] Event.Failed.Line: [374], Pii: [None] Event.Failed.Message: [No HTTP response. Failed with: [NetworkError: 'HTTP connection failure Inner exception: [http_exception: 'WinHttpSendRequest: 12029: A connection with the server could not be established'], NetworkError.Category=NoConnection, HttpRequest.SanitizedUrl=https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies, HttpRequest.Id={C3D930DE-50B3-40A8-8C44-0ED22007A6FB}']], Pii: [None] Event.ParentCorrelationId: [948d1c35-91a9-47be-af1f-6d6a241125e5], Pii: [None] Event.ParentCorrelationIdDescription: [PolicyProfile], Pii: [None] Event.UniqueId: [eacab4b6-2048-4cf0-8d5c-cba215bcb6a0], Pii: [None] EventInfo.Level: [10], Pii: [None] EventInfo.PrivTags: [33554432], Pii: [None] MIP.Version: [1.14.128], Pii: [None] Request.CorrelationId: [{C3D930DE-50B3-40A8-8C44-0ED22007A6FB}], Pii: [None] Request.IsAsynchronous: [true], Pii: [None] Request.RequestBodySize: [0], Pii: [None] Request.TokenTenantId: [tenant id], Pii: [None] Request.Url: [https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies], Pii: [None] iKey: [ce9aa5fb5a414ecebb15af10715bd8ff-831d197e-fc97-4df6-b998-c8c13a0fc3ce-6768], Pii: [None] " mipns::WriteTelemetryEventToLog 5756
Info 2024-06-05 11:49:16.120 http_director_impl.cpp:38 w3wp (6324) "Received HTTP response: " `anonymous-namespace'::LogHttpOperationDetails 5756
Error 2024-06-05 11:49:16.120 http_director_impl.cpp:42 w3wp (6324) "HTTP operation {C3D930DE-50B3-40A8-8C44-0ED22007A6FB} failed: Failed with: [NetworkError: 'HTTP connection failure Inner exception: [http_exception: 'WinHttpSendRequest: 12029: A connection with the server could not be established'], NetworkError.Category=NoConnection, HttpRequest.SanitizedUrl=https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies, HttpRequest.Id={C3D930DE-50B3-40A8-8C44-0ED22007A6FB}']" `anonymous-namespace'::LogHttpOperationDetails 5756

This error does not occur on every tenant! Does anyone have a clue why this error occurs?
373 Views, 0 likes, 0 Comments

Unable to create a centralised email address containing ".admin" when ending in @outlook.com
Seeking some guidance on how it would be possible to create a centralised email address containing xxxx".admin" for an @outlook.com email address. The ".admin" address will be used as the front desk / home base for (non-personal) incoming emails and enquiries, as well as a central calendar account.
366 Views, 0 likes, 0 Comments

Enable Sensitivity Labels for Containers - Learn Article Query
We have a QA and Production 365 tenant and are looking to enable sensitivity labels for containers. Checking both tenants using:

    $Setting = Get-MgBetaDirectorySetting | where { $_.DisplayName -eq "Group.Unified" }
    $Setting.Values

I can see that these labels have been enabled in QA and that Production shows that the labels are not yet enabled. Unfortunately, QA was enabled some time in the past. Rather than jumping straight into Production, I'd like to disable labels in QA and then re-enable them. This will allow me to check the validity of the MSFT Learn commands shown on: Assign sensitivity labels to groups - Microsoft Entra ID | Microsoft Learn

The following article, Use sensitivity labels with Microsoft Teams, Microsoft 365 Groups, and SharePoint sites | Microsoft Learn, has a section on how to disable labels for containers. However, it doesn't make sense to me. It states 'to disable the feature, in step 5, specify $setting["EnableMIPLabels"] = "False"'. I can't see how applying this command to step 5 does anything. Step 5 is about checking whether a change has been made, not making the change. Step 4 is where the setting change is made (set EnableMIPLabels to True). To me, the command to run would be:

    $params = @{
        Values = @(
            @{
                Name = "EnableMIPLabels"
                Value = "False"
            }
        )
    }
    Update-MgBetaDirectorySetting -DirectorySettingId $Setting.Id -BodyParameter $params

What are people's thoughts? I'm calling the process into question as Step 3 also doesn't work as the article suggests. If I run

    $grpUnifiedSetting = Get-MgBetaDirectorySetting -Search DisplayName:"Group.Unified"

in QA, where I know the setting is enabled, nothing happens. The article says if nothing happens, then labels haven't been enabled, which I know is incorrect. (For me the above command doesn't do anything, only sets a variable to contain a value.)
365 Views, 0 likes, 0 Comments

MS 365 DLP not triggering alert for print audit action.
Hi MS Community,

I'm facing a weird problem with the MS 365 DLP solution (compliance.microsoft.com). I have 2 machines: 1) Win 10 Desktop 2) Win 10 Azure AVD. Both machines have the latest Defender version, as shown below.

Background of DLP policy: I have 7-8 Endpoint policies which have audit enabled for the print and copy to USB options. Both devices show the policy as updated and synced with the latest. I am currently testing a policy where, if someone prints a business document, it should trigger an alert. The policy has:
1) SIT with a few sensitive words matching
2) A trainable classifier
3) Extension: PDF WORD PPT

Problem: When I try to print a business document, the alert is triggering for the desktop machine but not for my AVD machine, even though both machines are scoped for the policy, MDE onboarded, and Defender is the latest. Also, the policy is synced. Somewhere it's not detecting the print action initiated on the AVD machine. The print action is not working for any policy for the AVD machine.

Regards
Mohammed
2.6K Views, 0 likes, 2 Comments

The Question of Information Protection Sublabels
The use of Information Protection sublabels is one of the questions for teams implementing sensitivity labels in Microsoft 365 tenants. Some like the granular appearance of sublabels and consider them a valuable guide to assist users to pick the most appropriate label. Others prefer a simple list of sensitivity labels. Both approaches work well. It’s up to you to decide. https://office365itpros.com/2024/03/06/information-protection-sublabel/
303 Views, 0 likes, 0 Comments

E-mail encryption OME Support Req OTP Read E-mail internal Org Microsoft365 ?
Hi everyone,

Now I have a problem. If I have encrypted and sent an e-mail to a destination that is hosting mail, Gmail, Hotmail, when the recipient opens and reads the e-mail, they must request an OTP. It can work. But if I send it to employees in the organization, and external org Microsoft 365 users, there is no OTP request required to read the email. I need it to work like when I send it outside, but every time I read that email I need to request an OTP. Can it be done? Request additional methods.

Thank you
855 Views, 0 likes, 2 Comments