How to Identify Your Enterprise’s High-Level Sensitive Data with Microsoft

By Seán O’Farrell

Too often companies engage security professionals only after a breach has occurred. They rush to resolve it as quickly as possible without considering how to prevent it from happening again. Instead, organisations should be building a Security Road Map.

Here are some technical aspects that need to be considered if enterprises are to best leverage the Microsoft security suite. Generally speaking, the high-level challenges we most often come across when speaking with EMEA clients are:

  • GDPR
  • Personally Identifiable Information
  • Freedom of Information (for Irish Public Services)
  • Client sensitive information
  • Intellectual Property

The Microsoft Information Protection Suite

Microsoft’s Information Protection solutions such as Data Loss Prevention (DLP) are crucial in the protection of data, especially when the following Microsoft technologies are all implemented:

  • Office365 DLP
  • Azure Information Protection
  • Cloud App Security
  • Conditional Access
  • Intune Application Protection Policies
  • Windows Information Protection
  • Intune managed Bit Locker
  • Azure ATP
  • Windows Defender ATP
  • Office365 ATP

All of these technologies help build a hardened stance against cyber threats. But when companies fail to define what sensitive data, customer or personally identifiable information types they are hosting, they quickly find themselves in the murky waters of non-compliance.

How do you identify all of the high-level sensitive information types?

My recommendation is to start with the Azure Information Protection (AIP) scanner, with Azure Log Analytics integration, in discovery mode to assess your environment.

When I present the results of the data analysis to my customers, they often have mixed reactions. First there is delight that they can have instant business intelligence reports on their data; that delight is promptly followed by worry that they are non-compliant. The process outlined below will hopefully allay the fear around compliance.

Begin with a small number of possible sensitive information types configured as part of an AIP scanner policy integrated with Azure Log Analytics.

How to configure the Azure Information Protection policy

Once this data is available, it empowers a business to gradually start defining what data is critical to the business and its customers. A good first sensitive information type to start with is the credit card number, as it familiarises the organisation's staff with how to use the service.
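The same discovery-mode assessment can be set up from PowerShell on the scanner server. This is an added example, not code from the original post; the cmdlet and parameter names are those of the classic AzureInformationProtection module as I know them, and the repository paths are constructed placeholders, so verify both against the installed version before use.

```powershell
# Added example (not from the original post): run the classic AIP scanner in
# discovery mode so it only reports sensitive information types and never
# labels or encrypts a file. Cmdlet/parameter names are assumed from the
# classic AzureInformationProtection module; check Get-Help on your version.
Import-Module AzureInformationProtection

# Repositories to assess (constructed placeholder paths).
$repositories = @('\\fileserver01\finance', '\\fileserver01\hr')

# Enforce Off          : discovery only, nothing is changed on disk.
# DiscoverInformationTypes All : report every built-in sensitive information
#                        type, not just the ones referenced by label conditions,
#                        so a first small policy (e.g. credit card numbers)
#                        still yields a full picture of what is out there.
# Schedule Manual      : the first scan runs once, under the admin's control.
# ReportLevel Info     : detailed per-file matches for the review step.
Set-AIPScannerConfiguration -Enforce Off `
                            -DiscoverInformationTypes All `
                            -Schedule Manual `
                            -Type Full `
                            -ReportLevel Info

foreach ($path in $repositories) {
    Add-AIPScannerRepository -Path $path
}

# Confirm what will be scanned, then start the one-off discovery scan.
Get-AIPScannerRepository
Start-AIPScan

# Results surface in the local DetailedReport CSV and, once the scanner is
# integrated with Log Analytics, in the InformationProtectionLogs_CL table.
```

Keep Enforce Off until the reviewed results have been used to agree the first labels; switching it to On turns the same configuration into an enforcing scan.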

TIP: Assigning one person the responsibility of reviewing 30TB of data will not be productive. Azure role-based access control can be implemented so that Department Heads or Compliance Officers only review data that they have the right to review.

Defining sensitive information types, and then continuing to update your sensitive information type library, is an ongoing process which should also include upskilling existing employees. The engagement becomes difficult if the customer does not have the required Microsoft Cloud and desktop operating system versions.

Exchange Hybrid Agent


During one of my favourite sessions at Ignite last year, Microsoft announced a new feature: the Hybrid Agent, displayed in the image above. The next part of this blog is a step by step set of screenshots showing the configuration of the Hybrid Agent on two Exchange 2016 CU10 servers.

First of all, run this PowerShell command on all Hybrid servers. It enables the Mailbox Replication Service proxy on the EWS virtual directory, which the remote mailbox moves depend on:
Set-WebServicesVirtualDirectory -Identity "EWS (Default Web Site)" -MRSProxyEnabled $true

Most organisations route outbound external SMTP traffic via a smarthost, normally an appliance such as a Cisco IronPort, and do not permit outbound port 25 traffic from Hybrid servers. I would suggest temporarily allowing SMTP traffic outbound from the Hybrid servers until the Hybrid Agent installation completes, then blocking outbound port 25 again on the Hybrid servers.

The next steps run through the Hybrid Agent setup.



Now, when attempting to migrate mailboxes, note the change in the migration endpoint highlighted in the image below.


Azure Privileged Identity Management – Office365 Roles

Privileged Identity Management is an amazing new service that Microsoft has made available via the following licensing SKUs:

  • Enterprise Mobility + Security (EMS) E5
  • Microsoft 365 M5
  • Azure Active Directory Premium Plan

This blog post is related to Office365 roles.

I will create a new blog post on using PIM with Azure resources; an example could be a workflow that requires financial approval to deploy virtual machines.

When I first set this up I followed the Microsoft guidelines but found it hard to understand how to start protecting privileged roles with PIM.
This blog post will outline the steps required to manage some specific Office365 roles.

FIRST STEPS to enable Azure PIM 

Browse to this Microsoft site – Getting started with Azure PIM – and complete the following two sections:
  1. Enable PIM
  2. Sign up PIM for Azure AD roles

It is critical that the Azure PIM administrator is a member of the 'Privileged Role Administrator' role, so that the admin can assign users eligibility for the relevant roles.

Azure PIM sample use cases with Office365 

  • Global Administrator
  • License Administrator
  • Compliance Administrator (this is probably the best use case for Azure PIM in Office365)
  • Exchange Administrator
  • SharePoint Administrator
  • Service Administrator (Office365 Premier Support tickets now need to be logged through the Office365 admin portal. Support staff only need this role, not Global Admin.)
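Before making users eligible for these roles it helps to know who holds them permanently today, and to confirm that the account doing the PIM setup really is a Privileged Role Administrator. The script below is an added example, not code from the original post; it uses the MSOnline module, in which Global Administrator appears as "Company Administrator" and Service Administrator as "Service Support Administrator" (assumed MSOnline naming, verify with Get-MsolRole on your tenant), and the PIM admin UPN and output path are placeholders.

```powershell
# Added example (not from the original post): inventory permanent members of the
# Office365 roles listed above and check the PIM admin holds Privileged Role
# Administrator. MSOnline role names are assumed; confirm with Get-MsolRole.
Import-Module MSOnline
Connect-MsolService

$roleNames = @(
    'Company Administrator',             # Global Administrator in MSOnline naming
    'Compliance Administrator',
    'Exchange Service Administrator',    # Exchange Administrator
    'SharePoint Service Administrator',  # SharePoint Administrator
    'Service Support Administrator',     # Service Administrator
    'Privileged Role Administrator'
)

function Get-PermanentRoleMembers {
    param([string[]]$Roles)
    foreach ($name in $Roles) {
        $role = Get-MsolRole -RoleName $name
        Get-MsolRoleMember -RoleObjectId $role.ObjectId | ForEach-Object {
            [pscustomobject]@{
                Role       = $name
                Member     = $_.EmailAddress
                MemberType = $_.RoleMemberType   # User, Group or ServicePrincipal
            }
        }
    }
}

$members = Get-PermanentRoleMembers -Roles $roleNames

# Check 1: the account that will configure PIM must be a Privileged Role Administrator.
$pimAdmin = 'pim.admin@contoso.com'   # placeholder UPN
$isPra = $members | Where-Object { $_.Role -eq 'Privileged Role Administrator' -and $_.Member -eq $pimAdmin }
if (-not $isPra) {
    Write-Warning "$pimAdmin is not a Privileged Role Administrator; eligibility cannot be assigned from it."
}

# Check 2: every permanent assignment below is a candidate to become a PIM eligible
# assignment, after which the role should only ever be activated through PIM.
$members | Sort-Object Role, Member | Format-Table -AutoSize
$members | Export-Csv -NoTypeInformation -Path 'C:\Temp\permanent-role-members.csv'   # placeholder path
```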

Add eligible users to privileged roles

The next steps look at how we can make a user eligible for privileged role access and some of the options available.

  1. To assign a user eligibility for privileged roles, browse to the Manage section, select Settings and then Roles.
  2. Select the roles that you want to assign eligible users to.
  3. Select the options displayed in the image below and add approval users. Not all roles may require MFA enforcement, but some will, such as the Global Admin or Compliance Admin role.
  4. Add approval users.
    Most admin accounts do not have a license and therefore have no mailbox, so they cannot receive a mail notification for a request to approve access. It is possible to add the approval accounts to the 'Privileged Authentication Administrator' role; this enables the approval hyperlink within the email notification to be redirected to the Azure PIM request approval portal, where the request can be approved. When Azure AD Seamless Single Sign-On is enabled the approver is directed to the Azure PIM request portal with single sign-on and the process can be very quick.

The next steps demonstrate an end user or external guest account requesting access to the Office365 licensing portal.

  1. The user requesting access clicks on this URL.
  2. The user is then presented with an Azure page from which they can request access to their eligible roles.
  3. Then click on the next Activation link.
  4. Then fill in the details for the request and select Activate.
  5. This submits an email to a defined approval user, who receives the email notification displayed in the image below.
  6. The approval user is then directed to the Azure PIM request portal and can choose to approve or deny the request.


The final thing to note is that Azure PIM auditing is excellent: when Azure PIM is enabled it sends out notifications when users' privileges have been elevated in the Office365 portal or in an Office365 service such as Exchange Online or SharePoint Online. Once PIM is in place, the only place roles should be elevated is in Azure PIM, and generic admin accounts should never be used.


Azure Information Protection Custom Labels & Protection

I recently rolled out AIP at one of my customer sites and they presented me with an interesting challenge. One of their departments wanted the option to choose whether or not to classify and protect data.

This has been made possible with custom configurations of the AIP client. At the time of writing there are 18 items that have custom configurations available.
More info HERE

The next part of this blog is a step by step guide on how to set up a custom label that recommends, rather than enforces, that the user apply the label and protection.

  1. Log in to the Azure Information Protection portal in Azure and create a new label as per the image below.
  2. Select Protect, accept the defaults and add the users or security group assigned to the label, as per the image below.
  3. Add a keyword condition, as per the image below.
  4. Select the Protect option, accept the defaults and add the users or security group that the label will apply to, as per the image below.
  5. Save the configuration changes; next we will create a policy.
  6. Create a policy. I always match the policy name to the label it will apply to. Add the users or security group and accept the defaults except for one item: change the selection to Recommended, as per the image below.
  7. Add the new label created in the previous section and ensure the default label remains set to None.
  8. The final piece is to modify the advanced settings of the policy, as per the image below.
  9. Use the values specified in the image below.
  10. Attempting to save a Word document containing the specified keyword prompts the user as follows, giving the user a recommendation without enforcing protection or classification.
  11. When attempting to send an email containing the specified keyword, a pop-up is presented by the AIP client, as per the image below.


  • The Azure Information Protection custom features are currently in PREVIEW.
  • Always use the latest version of the AIP client.
  • If the label is not appearing in the Windows client, it may be due to too many Modern Authentication tokens in Credential Manager. This happened on my laptop due to connecting to multiple Office365 tenants.
  • I will post new blogs on more custom options, custom sensitive information types and the AIP scanner.
  • When data is protected with the sample label above, only users specified in the label and policy will be able to access the data.
  • Always ensure that the users the label and policy apply to have an AIP license.



Microsoft Information Protection

What is Microsoft Information Protection? The infographic displayed below shows all of the different areas covered by Microsoft Information Protection, and it really is the fastest evolving suite of technologies in the Microsoft stack.

Microsoft recently announced two new security SKUs, which was a real relief: I can tell my customers that they no longer need to buy an Office365 E5 license to get all of these features.

Identity & Threat Protection—This new package brings together security value across Office 365, Windows 10, and EMS in a single offering. It includes best of breed for advanced threat protection services including Microsoft Threat Protection (Azure Advanced Threat Protection (ATP), Windows Defender ATP, and Office 365 ATP including Threat Intelligence), as well as Microsoft Cloud App Security and Azure Active Directory. This offer will be available for $12 per user per month.*

Information Protection & Compliance—This new package combines Office 365 Advanced Compliance and Azure Information Protection. It’s designed to help compliance and IT teams perform ongoing risk assessments across Microsoft Cloud services, automatically protect and govern sensitive data throughout its lifecycle, and efficiently respond to regulatory requests leveraging intelligence. This offer will be available for $10 per user per month.*

Securing Intune Enrolment

I have been working a lot with Intune for Android and iOS MDM. This post is focused on securing enrolment for Android and iOS devices. There are different methods available for Windows 10 devices, which will be covered in a later post.

The Intune enrolment process can be secured via Conditional Access and Azure MFA, and Microsoft have an article available HERE that describes how to secure the Intune Enrollment app via Azure MFA.

But first we need to secure the Azure MFA registration process itself. If an attacker has obtained a user's credentials and that compromised user has not yet registered for MFA, the attacker could use his/her own phone to complete the MFA registration and lock in the access.

There are three methods to secure the MFA registration process:

  1. Multi-factor authentication registration policy
  2. User risk sign-in policy
  3. Populating the phone numbers as described in this ARTICLE
If using method 3 with a text message or call authentication process, the organisation's admins can populate the mobile phone number per user and thereby manage the MFA registration process.
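Whichever of the three methods is chosen, the accounts at risk are the ones that have a password but no registered MFA method. The report below is an added example, not code from the original post; it uses the MSOnline module as the post's own commands do (MSOnline has since been deprecated in favour of Microsoft Graph PowerShell) and the output path is a placeholder.

```powershell
# Added example (not from the original post): list accounts whose MFA registration
# has not completed, i.e. the window an attacker holding the password could use to
# register their own device. Uses the MSOnline module (now deprecated; the
# equivalent data is available through Microsoft Graph PowerShell).
Import-Module MSOnline
Connect-MsolService

function Get-MfaRegistrationReport {
    Get-MsolUser -All |
        Where-Object { -not $_.BlockCredential } |        # skip sign-in blocked accounts
        ForEach-Object {
            $methods     = @($_.StrongAuthenticationMethods)
            $requirement = $_.StrongAuthenticationRequirements | Select-Object -First 1
            [pscustomobject]@{
                UserPrincipalName = $_.UserPrincipalName
                # Per-user MFA state: Enabled/Enforced, or Disabled when no requirement is set
                # (Conditional Access based MFA does not show here).
                PerUserMfaState   = if ($requirement) { $requirement.State } else { 'Disabled' }
                MethodCount       = $methods.Count
                DefaultMethod     = ($methods | Where-Object { $_.IsDefault }).MethodType
                Registered        = ($methods.Count -gt 0)
            }
        }
}

$report = Get-MfaRegistrationReport

# The gap: no method registered yet. These users need one of methods 1-3 above
# (registration policy, user-risk policy, or a pre-populated phone number).
$unregistered = $report | Where-Object { -not $_.Registered }
$unregistered | Select-Object UserPrincipalName, PerUserMfaState | Format-Table -AutoSize
$unregistered | Export-Csv -NoTypeInformation -Path 'C:\Temp\mfa-unregistered.csv'   # placeholder path
```

Re-run the report after the registration campaign; the unregistered list should shrink to zero before the Intune enrolment policy is switched on.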

Some helpful commands

All of these use the MSOnline module and assume Connect-MsolService has already been run.

## Query a user's existing MFA authentication methods
$Upn = "user@contoso.com"   # placeholder: the user principal name to check
Get-MsolUser -UserPrincipalName $Upn | Select-Object -ExpandProperty StrongAuthenticationMethods

## Clear the user's existing MFA authentication methods (the user must register again)
Set-MsolUser -UserPrincipalName $Upn -StrongAuthenticationMethods $null

## Export all users that have registered at least one MFA method to a CSV
Get-MsolUser -All | Where-Object { $_.StrongAuthenticationMethods.Count -gt 0 } | Select-Object -Property UserPrincipalName | Export-Csv -NoTypeInformation -Path "C:\Temp\mfa-registered.csv"   # placeholder path

Once we have followed the guidelines in the Microsoft article to secure the Intune enrolment process with MFA, we can proceed to create our policy for Android and iOS.

In the Conditional Access policy for Android and iOS devices, the final actions are listed below. Devices must be compliant, but the compliance enrolment process itself is secured with MFA.