eDiscovery for Exchange Online Data at Rest

  • It is not possible to search for sensitive information types when selecting Exchange Online mailboxes as the data source; see the Office 365 User Voice REQUEST
  • It is possible to search for the items specified in this Microsoft ARTICLE and by keyword

The screenshot below is from an Office365 E5 Advanced eDiscovery query and shows that these types of searches are not supported.


Office365 & AIP Sensitive Information Types

  • Sensitive Information Types defined in Azure Information Protection are not visible in the Office365 Security Center
  • Sensitive Information Types defined in the Office365 Security and Compliance center are not visible in Azure Information Protection
  • So this means sensitive information types need to be defined in each service.
  • @MSignite2018: Microsoft announced a change in search technology in Exchange Online and Exchange 2019; they will now use Bing technology. The front end of the Office365 Security and Compliance Center seems to be using SharePoint search technology. I would love Microsoft to enable Exchange Online, AIP, & SharePoint Online to use the same search technology used in Azure Log Analytics.
  • Microsoft states that when custom sensitive information types are created via an XML file and then imported into the Security and Compliance Center, it is not possible to have multiple regex values. It is possible to combine multiple regex values by using the PIPE value |. When multiple regex values are combined, they can be tested in Office365 and in RegEx101.com
  • Multiple regex values in AIP can also be combined by using the PIPE value |
  • This is an example of a regex for different pattern types for Irish mobile phone numbers that could be used in the Security and Compliance Center GUI or the AIP GUI when defining regex sensitive information types.
    Notice the | that defines the different types of patterns.
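
The PIPE combination described in the bullets above, as an added example that is not part of the original post (the post's own regex has not survived on this page). The three patterns and the assumed Irish mobile prefixes 083, 085, 086, 087 and 089 are constructed for illustration, and Python's re module stands in for testing in RegEx101 or the portal.

```python
import re

# Constructed patterns (assumptions, not the original post's regex).
# Assumed Irish mobile prefixes: 083, 085, 086, 087, 089 + 7 digits.
SUBSCRIBER = r"8[35679][ -]?\d{3}[ -]?\d{4}"
PATTERNS = [
    r"0" + SUBSCRIBER,               # national:       087 123 4567
    r"\+353[ -]?" + SUBSCRIBER,      # international:  +353 87 123 4567
    r"00353[ -]?" + SUBSCRIBER,      # dial-out form:  00353 87 123 4567
]


def naive_combine(patterns):
    """Plain PIPE join. | has the lowest precedence, so the leading word
    boundary binds only to the first pattern and the trailing one only
    to the last pattern."""
    return r"\b" + "|".join(patterns) + r"\b"


def combine(patterns):
    """PIPE join inside one group, so the guards against a neighbouring
    digit (or a leading +) apply to every alternative."""
    body = "|".join(f"(?:{p})" for p in patterns)
    return rf"(?<![\d+])(?:{body})(?!\d)"


def find_mobiles(text, regex):
    """Return every substring of text matched by regex, in order."""
    return [m.group(0) for m in re.finditer(regex, text)]


# Constructed sample text: three mobile formats, a landline, and a long
# reference number that merely starts like a mobile number.
SAMPLE = ("Call 087 123 4567 or +353 86 1234567, text 00353-85-765-4321. "
          "Landline 01 234 5678. Ref 0891234567890.")

if __name__ == "__main__":
    print("grouped:", find_mobiles(SAMPLE, combine(PATTERNS)))
    print("naive:  ", find_mobiles(SAMPLE, naive_combine(PATTERNS)))
```

The plain join reports the first ten digits of the reference number as a mobile number, while the grouped form does not. Lookaround support depends on the regex engine, so test the combined expression in the target service before relying on it.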

How to Identify Your Enterprise’s High-Level Sensitive Data with Microsoft

By Seán O’Farrell

Too often companies engage with Security professionals when a breach has occurred. They rush to resolve it as quickly as possible without thinking of how to prevent it from happening. Instead, organisations should be considering building a Security Road Map.

Here are some technical aspects that need to be considered if enterprises are to best leverage the Microsoft security suite. Generally speaking, the high-level challenges that we often come across when speaking with EMEA clients are:

  • GDPR
  • Personally Identifiable Information
  • Freedom of Information (for Irish Public Services)
  • Client sensitive information
  • Intellectual Property

The Microsoft Information Protection Suite

Microsoft’s Information Protection solutions such as Data Loss Prevention (DLP) are crucial in the protection of data, especially when the following Microsoft technologies are all implemented:

  • Office365 DLP
  • Azure Information Protection
  • Cloud App Security
  • Conditional Access
  • Intune Application Protection Policies
  • Windows Information Protection
  • Intune managed BitLocker
  • Azure ATP
  • Windows Defender ATP
  • Office365 ATP

All of these technologies will help build a hardened stance against cyber threats. But when companies fail to define what sensitive data, customer or personally identifiable information types they are hosting, they quickly find themselves in the murky waters of becoming non-compliant.

How do you identify all of the high-level sensitive information types?

My recommendation is to start with the Azure Information Protection (AIP) scanner with Azure Log Analytics integration in discovery mode to assess your environment.

When I present the results of the analysis to my customers regarding their data analysis, they often have mixed reactions. Firstly, there’s delight that they can have instant business intelligence reports on their data. Then the delight is followed promptly by the worry that they are non-compliant. The process outlined below will hopefully allay the fear around compliance.

Begin with a small number of possible sensitive information types that have been configured as part of an Azure AIP Scanner policy integrated into Azure Log Analytics.

How to configure the Azure Information Protection policy

Once this data is enabled, it empowers a business to slowly start defining what data is critical to the business and their customers. A good first sensitive information type to start with is a credit card number, to familiarise the organisation’s staff with how to use this service.

TIP: Assigning one person the responsibility of reviewing 30TB of data will not be productive. Azure role-based access control can be implemented so that Department Heads or Compliance Officers only review data that they have the right to review.

Defining sensitive information types and then continuing to update your sensitive information type library will be an ongoing process which should also include the process of upskilling existing employees. The engagement becomes difficult if the customer does not have the required Microsoft Cloud and desktop operating system versions.

Exchange Hybrid Agent


During one of my favorite sessions at Ignite last year, Microsoft announced a new feature: Hybrid Agent, displayed in the image above. The next part of this blog is step-by-step screenshots displaying the configuration of Hybrid Agent on two Exchange 2016 CU10 servers.

First of all, run this PowerShell command on all Hybrid servers.
Set-WebServicesVirtualDirectory -Identity "EWS (Default Web Site)" -MRSProxyEnabled $true

Most organisations route outbound external SMTP traffic via a smarthost, which is normally an appliance like a Cisco IronPort, and do not permit outbound port 25 traffic from Hybrid servers. I would suggest temporarily allowing SMTP traffic outbound from the Hybrid servers until the Hybrid Agent installation completes, then blocking outbound port 25 again on the Hybrid servers.

The next steps run through the Hybrid agent setup.



Now, when attempting to migrate mailboxes, note the change in the migration endpoint highlighted in the image below.


Azure Privileged Identity Management – Office365 Roles

Privileged Identity Management is an amazing new service that Microsoft has made available via the following licensing SKUs:

  • Enterprise Mobility + Security (EMS) E5
  • Microsoft 365 M5
  • Azure Active Directory Premium Plan

This blog post is related to Office365 roles.

I will create a new blog for using PIM with Azure resources; an example could be a workflow that requires financial approval to deploy virtual machines.

When I first set this up I followed the Microsoft guidelines but found it hard to understand how to start protecting privileged roles with PIM.
This blog post will outline the steps required to manage some specific Office365 roles.

FIRST STEPS to enable Azure PIM 

Browse to this Microsoft site, Getting started with Azure PIM, and complete the following two sections:

  • Enable PIM
  • Sign up PIM for Azure AD roles

It is critical for an Azure PIM administrator to be a member of the ‘Privileged Role Administrator’ role so that the admin can assign users for eligibility to relevant roles.

Azure PIM sample use cases with Office365 

  • Global Administrator
  • License Administrator
  • Compliance Administrator (This is probably the best use case for Azure PIM in Office365)
  • Exchange Administrator
  • SharePoint Administrator
  • Service Administrator (Office365 Premier Support tickets now need to be logged through the Office365 admin portal. Support staff only need this role and not global admin)

Add eligible users to privileged roles

The next steps will look at how we can make a user eligible for privileged role access and some of the options available.

  1. To assign a user for eligibility to privileged roles, browse to the Manage section and select Settings and then Roles
  2. Select the roles that you want to assign eligible users to
  3. Select the options displayed in the image below and add approval users. Not all roles may require MFA enforcement. But some will, like the Global Admin or Compliance Admin Role.
  4. Add Approval Users
    Most admin accounts do not have a license and therefore have no mailbox and cannot receive a mail notification for a request to approve access. It is possible to add approval accounts to the ‘Privileged Authentication Administrator’ role; this enables the approval hyperlink within the email notification to redirect the approver to the Azure PIM request approval portal, where the request can be approved. When Azure Seamless sign on is enabled, the approver is directed to the Azure PIM request portal with single sign on and the process can be very quick.

The next steps demonstrate an end user or external guest account requesting access to the Office365 licensing portal.

  1. The user requesting access would click on this URL
  2. The user will then be presented with an Azure page where he/she can request access to their eligible roles.
  3. Then click on the next Activation link
  4. Then fill in the details for the request and select activate
  5. This will then submit an email to a defined approval user, and the approval user will receive an email notification displayed in the image below
  6. The approval user will then be directed to the Azure PIM request portal and can then choose to approve or deny the request.


The final point to note is that Azure PIM auditing is excellent: when Azure PIM is enabled, it will send out notifications when users' privileges have been elevated in the Office365 portal or in an Office365 service like Exchange Online or SharePoint Online. Once PIM is in place, the only place roles should be elevated is in Azure PIM, and never, never use generic admin accounts.


Azure Information Protection Custom Labels & Protection

I recently rolled out AIP at one of my customer sites and they presented me with an interesting challenge. One of their departments wanted the option to choose whether or not to classify and protect data.

This has been made possible with custom configurations to the AIP client. At the time of writing this post there are 18 items that have custom configurations available.
More info HERE

The next part of this blog is a step-by-step guide on how to set up a custom label that will recommend that the user apply the label and protection.

  1. Log in to the Azure Information Protection portal in Azure and create a new label as per the image below.
  2. Select Protect and accept defaults and add the users assigned to the label or Security Group, as per image below
  3. Add a keyword condition, as per image below
  4. Select the protect option, accept the defaults and add the users or security group that the label will apply to, as per image below
  5. Save the configuration changes. Next we will create a policy.
  6. Create a policy. I always match the name of the label that the policy will apply to. Add the users or security group and accept defaults except for one item: change the selection to recommended as per the image below
  7. Add the new label created in the previous section and ensure default label remains set to none
  8. The final piece is to modify the advanced settings of the policy, as per the image below
  9. Use the values specified in the image below
  10. Attempting to save a Word document with the keyword specified prompts the user as follows, giving the user a recommendation and not enforcing protection or classification
  11. When attempting to send an email with the keyword specified, a pop-up is presented from the AIP client as per the image below.


  • The Azure Information Protection custom features are currently in PREVIEW
  • Always use the latest version of AIP client
  • If the label is not appearing in the Windows client, it may be due to too many Modern Authentication tokens in credential manager. This is something that happened on my laptop due to connecting to multiple Office365 tenants.
  • I will post some new blogs on more custom options, custom sensitive information types & AIP scanner.
  • When data is protected in the sample label above, only users that are specified in the label and policy will be able to access the data.
  • Always ensure users that the label and policy applies to have an AIP license.



Microsoft Information Protection

What is Microsoft Information Protection? The infographic displayed below shows all of the different areas covered by Microsoft Information Protection, and it really is the fastest evolving suite of technologies in the Microsoft stack.

Microsoft recently announced two new Security SKUs. It was a real sigh of relief to tell my customers that they no longer need to buy an Office365 E5 license to get all of these features.

Identity & Threat Protection—This new package brings together security value across Office 365, Windows 10, and EMS in a single offering. It includes best of breed for advanced threat protection services including Microsoft Threat Protection (Azure Advanced Threat Protection (ATP), Windows Defender ATP, and Office 365 ATP including Threat Intelligence), as well as Microsoft Cloud App Security and Azure Active Directory. This offer will be available for $12 per user per month.*

Information Protection & Compliance—This new package combines Office 365 Advanced Compliance and Azure Information Protection. It’s designed to help compliance and IT teams perform ongoing risk assessments across Microsoft Cloud services, automatically protect and govern sensitive data throughout its lifecycle, and efficiently respond to regulatory requests leveraging intelligence. This offer will be available for $10 per user per month.*