Security and Compliance Center
122 Topics

Using the eDiscovery tool for content search in the Microsoft 365 Compliance Center!
Dear Microsoft 365 Friends,

This article is about the eDiscovery (content search) tool in Microsoft 365. Before we start, a quick word about licenses. In order to work with the tool, you need the necessary licenses. Please have a look at the following link: https://docs.microsoft.com/en-us/microsoft-365/compliance/get-started-core-ediscovery?view=o365-worldwide

In my case I had to clarify the question: would emails with certain words be sent or received? To clarify this, I created a content search with eDiscovery. How this is done exactly, I will explain in the next steps.

We start our investigation in the Microsoft 365 Admin Center. On the left side click on "Show All" (if not everything is displayed) and select the Compliance Center.

In order to work with eDiscovery we need the necessary permissions. Click on Permissions. In the "Compliance Center" category, click "Roles". Search for eDiscovery Manager and click on this Role Group. This will give you the details of this Role Group. Navigate down and you will see "eDiscovery Manager" and "eDiscovery Administrator". For this demo, I added my account to the "eDiscovery Administrator". This is not necessarily following the concept of "working with the least privileges" (but absolutely OK for this demo). In a productive environment, you can assign a person the role of "eDiscovery Manager" in an eDiscovery case (we'll get to that in a moment). Thus, this person only gets access to this one eDiscovery case. Click on "edit". Click on "edit" again. Find the user and click on "add" and then on "done".

In the "Compliance Center", navigate to eDiscovery and select "Core". Click on "Create a case". Enter a name and, if you want, a description, and click "save". We have now only created the "container" but not configured anything yet. We will change that in a moment.

Navigate to "Searches" and click on "New search". Specify a name and description. Then click on "next". Now select the locations. This selection depends very much on your search. Then click on "next". For keyword I use as search term "Testversion". The goal is to find emails that contain this word. If you want you can work with conditions to limit this search. I like to start very general to get an overview; narrowing can be done later. Then click on "next". And now "Submit".

Depending on the size of the organization and the number of objects that need to be examined, it can take a very long time until the status "Completed" is reached. Allow yourself time. If the status is "Completed", click on your search and you will get a "Summary". At the bottom click on "Review sample". Bingo! We see a list of emails, and in the first email we already see our keyword.

Sure this wasn't super exciting, but I still wanted to share this information with you. I hope this article was helpful for you. Thank you for taking the time to read this article.

Best regards, Tom Wechsler

Is there a way to force the security portal recommendations to update?
Hi all, I'm currently going through and either uninstalling or updating a large number of EOL software through the "Security recommendations" page on https://security.microsoft.com. Is there any way I can force an update/sync from the computers once I've completed a recommendation so that my colleagues don't try fixing things that are already fixed? For example, I just finished uninstalling an EOL program from 10 computers, but the portal still shows the program as being installed on these 10 computers. Can I force this (either through endpoint or SCCM) to display real-time or up-to-date data?

Analyze Self Service Password Reset Log Events
Having implemented SSPR, how can the SSPR logs be analyzed to get Alerts / Risks in Azure AD Identity Protection or Azure Security Center based on a use case like a large number of SSPRs from the same source or user, e.g. 5 in 1 hour, and when such activity is seen, to create an alert and e-mail notification and automatic locking of the account?

Automatically Enable Azure Security Center Standard Tier for new Subscriptions
This article describes the steps for a scenario where Azure Security Center Standard tier needs to be automatically enabled for all new subscriptions. To enable this scenario the following components will be used:

- Azure Management Groups
- Azure Automation Account
- Azure Security Center PowerShell modules

In this scenario, all new subscriptions that are created under the Enterprise Management Group will automatically have Azure Security Center Standard tier enabled. The Azure Automation account will be running every hour (it could be less according to your business needs) and if it identifies a new subscription that has Security Center Free tier, it will upgrade it to Standard.

Implementation steps

1. In the Azure Portal, click Automation Accounts.
2. Click Add and the Add Automation Account blade appears.
3. Type the name of the Automation Account, select the subscription, the Resource Group and the Location. Make sure the option Yes is selected under Create Azure Run As account and click the Create button.
4. The new automation account will appear in the list; click on it to edit.
5. Under the Shared Resources section, click Modules and click the Update Azure modules button. You may receive a warning like the one below; click Yes to proceed. Wait until you see the description that the modules were updated, as shown below.
6. Open a new tab in your browser and navigate to the following URL: https://www.powershellgallery.com/packages/AzureRM.Security/0.2.0-preview
7. Click the Azure Automation tab and click the Deploy to Azure Automation button.
8. On the new blade that opens, under the Automation Account option, select the Azure Automation Account that you are creating in this article. Click the OK button, and once the OK button becomes grayed out, close the blade.
9. Go back to the previous tab, where you have the automation account properties, click Connections under the Shared Resources section, and select AzureRunAsConnection. Copy the ApplicationID to the clipboard. Note: this ApplicationID will be used later to provide the proper level of permission, which in this case is Security Administrator.
10. Close this blade, and under Process Automation, click Runbooks.
11. Click the Add Runbook button and click the Quick Create option.
12. Under Name, type the name for this runbook; under Runbook type, select PowerShell and click the OK button.
13. Under the Edit PowerShell Runbook blade, type the code below:

    $connectionName = "AzureRunAsConnection"
    try {
        # Get the Run As connection "AzureRunAsConnection" stored in the automation account
        $servicePrincipalConnection = Get-AutomationConnection -Name $connectionName

        "Logging in to Azure..."
        # Authenticate as the Run As service principal with its certificate
        Add-AzureRmAccount `
            -ServicePrincipal `
            -TenantId $servicePrincipalConnection.TenantId `
            -ApplicationId $servicePrincipalConnection.ApplicationId `
            -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
    }
    catch {
        if (!$servicePrincipalConnection) {
            $ErrorMessage = "Connection $connectionName not found."
            throw $ErrorMessage
        }
        else {
            Write-Error -Message $_.Exception
            throw $_.Exception
        }
    }

    # Loop through all subscriptions the service principal can see;
    # Set-AzureRmContext switches the current subscription for each one
    Get-AzureRmContext -ListAvailable -PipelineVariable AzureRMSub | Set-AzureRmContext | foreach {
        $tier = Get-AzureRmSecurityPricing
        # Upgrade any subscription that is still on the Free tier
        if ($tier.PricingTier -like 'Free') {
            Set-AzureRmSecurityPricing -Name "default" -PricingTier "Standard"
        }
    }

    Note: after the Set-AzureRmSecurityPricing command, you can also add other commands to pre-configure some settings in Azure Security Center, such as the email contact. For more examples, read this: https://azure.microsoft.com/en-us/blog/programmatically-onboard-and-manage-your-subscriptions-in-azure-security-center/

14. Click the Save button, and click the Publish button.
15. Under the Resources section click Schedules and click Add a schedule.
16. Click Link a schedule to your runbook, click in the Schedule blade, and click Create a new schedule.
17. In the New Schedule blade, under Name, type the name of the schedule, click the Recurring button, select the frequency that you want, and click the Create button.
18. In the Schedule Runbook blade, click OK, and close this blade.

At this point the Azure Automation account is created, the Runbook with the PowerShell script is configured, and the schedule is set. Now you need to grant Security Administrator permission to this account. Follow the steps below:

1. In the Azure Portal, click All services, and type Management Groups.
2. Click the management group that will have the future subscriptions.
3. Click the details hyperlink beside the management group name.
4. Click the Access Control (IAM) option and click the Add button.
5. In the Add Permission blade, under Role, select Security Admin.
6. Under Select, type the name of the Azure automation account; as you type, the account should appear. Click on it and notice that the account was added to the Selected members field.
7. Click the Save button.
8. Confirm that the account appears with Security Admin rights as shown in the example below.

Authors
Yuri Diogenes, Senior Program Manager (CxE Security)
John Knightly, Senior PFE (Cybersecurity)

Sensitivity label owner
Hi, I'm currently testing with sensitivity labels for some customers and during tests I found some serious issues with this technology. As far as I checked and the MS documentation wants to tell me, the first person applying a label is the label/document owner for all eternity^^ So how can I change this programmatically, and what happens when this person has left the company? Who is then the owner, or can this label never be changed? Thanks and Regards!
Azure Active Directory Premium P1 - Windows 7 - Group Policy

Want to roll out a domain; the customer has Office365 currently but has mostly Windows 7 Pro machines with some Windows 10 Pro. Does Azure Active Directory Premium P1 support Windows 7 and does it work well for Group Policy, Roaming Profiles etc.? Or do I require:

- 2 x Virtual machines (8Gb RAM, 256 SSD, 4x Cores)
- 1x vNet
- 1x VPN
- Bandwidth for vNet
- Bandwidth for VPN
- VPN Tier 1 for more than 10 sites and 650Gb bandwidth?

Then build VPN tunnels from the sites to the Azure VPN, then set up the servers to be domain controllers. Would like Azure Active Directory Premium P1 if possible, with it offering self service password resets, MFA etc., but cannot find anything clear on managing the GPOs, Roaming profiles and Windows 7. Thanks in advance for any advice.

Do I need to republish Label Policies after updating Sensitivity Labels?
Hello folks, first post on the Tech Community. We are testing the use of Sensitivity and Retention labels within our organisation. We have a number of labels created and published. I want to edit and update a couple of the Sensitivity labels: (a) will they auto-update within their published policies? or (b) do I edit/republish the policies affected? or (c) do I create new policies for the updated labels? Also on the subject of label policies, is it best practice to have as few policies as possible (with multiple labels published within these policies) or should we have numerous policies also? My preference is to have numerous labels, minimal policies. Many thanks, Keith

Azure Security Center Guide and Demo
I thought these recent Azure Security Center resources may be of interest.

TechNet UK: Your 2017 guide to Azure Security Center
https://blogs.technet.microsoft.com/uktechnet/2017/02/17/your-2017-guide-to-azure-security-center/
As ransomware attacks become more sophisticated, cloud based applications are at an increased risk. Professionals using Microsoft Azure must now take full advantage of the recently introduced Security Center to defend their cloud infrastructure and applications. With support for Windows Server 2016 recently announced and a host of new updates planned for 2017, organisations will be missing out if they fail to make the most of Azure Security Center.

Microsoft Ignite Australia 2017: Leverage Azure for the most Stringent Security and Compliance Requirements
https://channel9.msdn.com/Events/Ignite/Australia-2017/CLD327
See how Azure meets the security and compliance requirements of some of our most security conscious customers in financial services and public sector. We will cover some of the common concerns of a CSO/CISO and how Azure addresses them. Learn how you can leverage Azure's massive investments in compliance certifications. Learn how to leverage Azure Security Center to manage and monitor your enterprise's Azure deployments or import the logs into other SIEM tools. See demos of the Azure Security Center, Azure's network security capabilities and some partner solutions available off the Azure marketplace.
Slides: https://view.officeapps.live.com/op/view.aspx?src=https%3a%2f%2fignite2017au.blob.core.windows.net%2fignite%2fExports%2fDay2%2fCLD327%2fCLD327.pptx

Introducing the redesigned Security Center Overview dashboard
Azure Security Center's dashboard has been redesigned to provide cross-subscription, organizational level reports of the most important metrics that influence the organizational security posture, as well as providing actionable insights to help organizations improve their overall security posture. The redesigned dashboard also introduces two new concepts in Security Center. Read about it in the Azure blog post: https://azure.microsoft.com/en-us/blog/introducing-the-redesigned-security-center-overview-dashboard/