Using Retention Policies in Office 365

Before we get into this article I need to reinforce the following:

Retention is NOT the same as backup

Thus, what I am going to cover here should NOT be considered a replacement for any existing backup policy you have for Office 365. What I'll cover here is retention of data based on policies you set. Retention can be a way to preserve data as well as to delete data, based on a set of defined rules. You should consider retention policies part of your compliance strategy, not part of your disaster recovery strategy.

The great thing about retention policies in Office 365 is that they are generally available across all plans. So what I detail here should apply to all Office 365 tenants.

image

Office 365 has no retention policies in place by default, so until you create one your data has no protection beyond the normal recycle bin and deleted item periods. Be aware, too, of how a new policy takes effect. It can take up to a day to be distributed to all locations, and until its status shows it has been applied you should NOT assume that anything you delete will be preserved. Once in effect, Microsoft documents the policy as covering the content in the locations you selected, existing items included, by keeping a copy whenever an item in scope is modified or deleted. The walkthrough below edits a file before deleting it so that the retained versions are easy to see, but a deletion on its own is also enough to trigger preservation.

With that in mind the first step in the process is to create a retention policy. You do this by navigating to the Security and Compliance Center in Office 365. From there, select the Data Governance option from the menu on the left and then Retention from the submenu as shown above. You should see that there are no policies in place yet.

To create a new policy select the Create button on the right hand side of the screen.

image

Give your new policy a name and description and press the Next button at the bottom of the screen.

image

Here is where you need to decide what rules your policy will have. In this case I have chosen to retain data for 7 years based on when it was created and to not delete it after this period.

You’ll note that you can create policies that also delete data so be very careful when you select those options.

image

The bottom of the page allows you to use more advanced retention settings. There should be two options to select from, as shown above.

image

The first option allows you to apply the policy via keyword or phrase. You simply enter those terms into the editor that is displayed when you select the option.

image

Once you have entered the keywords you wish, you’ll need to enter the standard retention options as shown above.

image

The second advanced retention option allows you to apply the policy based on ‘sensitive information’. As you can see from the above, you can select from a range of pre-configured sensitive information types that can be scoped to your country. Here, I am selecting Australian Financial Data.

image

If you expand the policy you will see what information it considers 'sensitive'. In this case, the policy will match things like Australian SWIFT banking codes, Tax File Numbers, bank account numbers and credit card numbers.

image

Once you have set the data types for your policy, you’ll need to nominate which locations inside Office 365 this retention policy will apply to. You can apply the policy across all or specific data inside Office 365 as shown above.

image

You’ll see that you can target Exchange mail, SharePoint Online,

image

Groups (as well as Teams), Skype and Exchange public folders.

image

You'll see that you can also include and/or exclude specific locations inside each service if you wish. Simply select the Choose hyperlink and make your selections as shown above.

image

Once you have completed all these options you can then Create this policy and apply it immediately or Save for later application.

In this case I'll create the policy and apply it immediately. Note the message at the top of the dialog that tells you it may take a full day for the policy to be applied. I would suggest that you do wait a full day for the policy to be applied throughout your tenant before you continue.

image

After creating the policy you will see that the Status is On but it is Pending as shown above.

image

If you select the information icon you’ll see that what you want to wait for is the On (Success) option to be displayed here.

image

After waiting a suitable amount of time and checking the policy status you will find that it has succeeded as shown above.

At this point the policy is in place and is protecting the content in the locations you selected.
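For tenants where you would rather script this than click through the wizard, here is the same policy (7 years from creation date, keep only, never delete, all Exchange and SharePoint locations) built with Security & Compliance Center PowerShell, followed by a loop that waits for the distribution status to move from Pending to Success. This is an added example, not the author's own script; it assumes you are already connected to Security & Compliance PowerShell (for example with Connect-IPPSSession from the ExchangeOnlineManagement module), and the policy and rule names are placeholders.

```powershell
# Added example: scripted equivalent of the retention policy created in the wizard above.
# Assumes an existing Security & Compliance PowerShell session (Connect-IPPSSession).
# Policy and rule names are assumptions for the example.

$policyName = 'Retain 7 years - Keep'
$ruleName   = "$policyName rule"

# Scope: all Exchange mailboxes and all SharePoint sites.
# Narrow this in production; every retained copy counts against site storage.
New-RetentionCompliancePolicy -Name $policyName `
    -Comment 'Retain content for 7 years from creation; never delete automatically' `
    -ExchangeLocation All `
    -SharePointLocation All `
    -Enabled $true | Out-Null

# 7 years expressed in days (2555). Action is Keep only; KeepAndDelete or Delete
# would purge content at the end of the period, which is rarely what you want first.
New-RetentionComplianceRule -Name $ruleName -Policy $policyName `
    -RetentionDuration 2555 `
    -ExpirationDateOption CreationAgeInDays `
    -RetentionComplianceAction Keep | Out-Null

# Distribution can take up to a day. Poll every 10 minutes until it leaves Pending.
do {
    Start-Sleep -Seconds 600
    $status = (Get-RetentionCompliancePolicy -Identity $policyName -DistributionDetail).DistributionStatus
    Write-Host "$(Get-Date -Format s) $policyName : $status"
} while ($status -eq 'Pending')

if ($status -ne 'Success') {
    # Surface the per-location errors rather than assuming coverage exists.
    Get-RetentionCompliancePolicy -Identity $policyName -DistributionDetail |
        Select-Object -ExpandProperty DistributionResults
}
```

Only rely on the policy once DistributionStatus reports Success, which matches the advice above to wait a full day before testing it.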

image

With the retention policy in place let’s go to the location of some file data in a SharePoint Team Site, specifically a Document Library as shown above.

image

Before we do anything, let's check out what the Site actually contains.

image

We see that there is nothing special as yet. There will be, just not yet.

image

To see the policy at work, we select a document in the library and edit it.

image

The document is changed and saved back to the library.

image

Now the file is still in its original location and the retention policy applies to it. As the original file still exists in its original location, the retention policy doesn't need to take any visible action.

However, if the original file is now deleted from its original location as shown above what will happen?

image

Any document deleted from a SharePoint Document Library is sent to the Recycle Bin.

image

If we look in the Recycle Bin we see the deleted document, as shown above. The retention policy still does not need to do anything visible as the document is still available to the user; remember, however, that items don't stay in the SharePoint Recycle Bin forever. They are aged out after a total of 93 days across both stages of the recycle bin. Thus, the retention policy doesn't need to do anything until this time period is exceeded.

image

However, it is also possible for the user to delete the file from their recycle bin as shown above.

image

Once the user has deleted the file from their recycle bin the file moves to the second-stage (site collection) recycle bin, which only administrators can access, for the remainder of the 93 days. Again, the retention policy doesn't need to take any visible action until this time period is exceeded.

image

Before the file can be purged from the Office 365 environment the retention policy that was configured kicks in. It keeps a copy in a document library in the Team Site called the Preservation Hold Library, as shown above, which the policy creates on the site.

image

This library is only visible to site collection administrators, and when you look in here you will see every retained version of the deleted file. Remember that every time you change a file in SharePoint a previous version is kept, as long as versioning is enabled on the library (it is by default in modern libraries).

Thus, as an administrator, we can recover a file from this location for the period of the retention policy, which in this case is 7 years from the file's creation date. Once the retention period has passed the file is removed permanently from the tenant; this is done by a scheduled job, so expect it within about 7 days of expiry.

You can find lots more information about Office 365 retention policies here:

Overview of retention policies

In there, you will note for email data:

To include an Exchange Online mailbox in a retention policy, the mailbox must be assigned an Exchange Online Plan 2 license. If a mailbox is assigned an Exchange Online Plan 1 license, you would have to assign it a separate Exchange Online Archiving license to include it in a retention policy.

So, retention policies are a good way to manage the compliance of your data. As I said at the start, they are NOT a replacement for backup; however, they do provide an extra layer of protection for your information and can be implemented quite easily, as you can see above.

The last thing to remember is that retained data has to live somewhere and will consume your tenant's storage across the different services (in SharePoint, the Preservation Hold Library counts against the site's storage quota). The more locations and data you protect, the more copies of previous data you will have. So keep it simple and limit what you retain. This means planning your retention strategy in advance rather than bulk applying it to all data in all locations.

Finally, remember that retention policies are available across the range of Office 365 licenses and I would encourage you to take advantage of them.

Create Office 365 Alerts

Another option that all Office 365 plans support is the ability to create your own custom alerts. Before you do this though, you’ll need to ensure that you have enabled the activity auditing in Office 365. Here’s an article I wrote that shows you how to do this:

https://blog.ciaops.com/2018/02/enable-activity-auditing-in-office-365.html

image

It will take 24 hours or so for the activity logging to be fully enabled, but you can still go in and create alerts. You'll need to navigate to the Security and Compliance Center. From the menu on the left expand the Alerts option and then select Manage alerts.

You will probably see that there are currently no alerts configured as shown above. To configure an alert simply select the New alert policy button at the top of the page.

image

This will open the options window shown above. Give the alert a name and a description.

image

All Office 365 plans will have the choice of making the alert either Custom or Elevation of privilege, as shown above. Other plans may have additional options, but you should select Elevation of privilege and configure that as your first alert.

image

If you repeat the alert creation process but this time select to create a Custom alert you can then choose from a wide variety of activities to trigger the alert as shown above.

image

You can filter the list to the choices you wish using the search field at the top. Here I am filtering for any password activities.

image

I simply select the activities I want included in the alert as shown above. When I select an option, a check appears to the right of the item.

image

You then optionally set the users you wish to monitor for this activity (leaving the field blank applies it to all users) and finally whom you send any alerts to in your tenant (typically an administrator).

image

You then save the new alert and you should now see it in the Manage Alerts area as shown above.

image

Now when an alert triggers you get an email alert as shown telling you about the activity.

image

The alert email has lots of links that allow you to go and view the details in various places, typically in the audit log, which is why you need to turn that ability on first.

image

When we look in the audit log we see the activity and can investigate further.
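The alert email links into the audit log search in the portal; the same investigation can be done from PowerShell, which is useful when you want to pull every password-related event for a period into a table rather than click through results one at a time. This is an added example, not the author's own script. It assumes an Exchange Online PowerShell session and that unified audit logging has been on long enough to have recorded the events; the operation names are those used by the Azure AD record type at the time of writing and should be confirmed against what your own tenant returns.

```powershell
# Added example: pull the password-related activities the custom alert above was built on
# out of the unified audit log and flatten the AuditData JSON into a reviewable table.
# Assumes an Exchange Online PowerShell session. Operation names are assumptions; confirm
# them against your tenant (for example by searching with -Operations omitted first).

$start = (Get-Date).AddDays(-7)
$end   = Get-Date
$ops   = 'Reset user password.', 'Change user password.', 'Set force change user password.'

# ResultSize is capped at 5000 per call; for busy tenants page with -SessionId/-SessionCommand.
$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -RecordType AzureActiveDirectory -Operations $ops -ResultSize 5000

$events | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time     = $d.CreationTime
        Actor    = $d.UserId        # account that performed the change
        Target   = $d.ObjectId      # account whose password was changed
        Action   = $d.Operation
        Result   = $d.ResultStatus
        ClientIP = $d.ClientIP
    }
} | Sort-Object Time | Format-Table -AutoSize
```

An actor resetting passwords for accounts it normally has nothing to do with, or a change coming from an IP range you do not recognise, is the pattern worth following up from here.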

image

As I said, all Office 365 plans allow you to do the basic alerting I have shown; however, with the Enterprise plans you get a whole range of additional abilities and alerts, as shown above.

image

You also get additional categories as you see above. If you are serious about the security of your Office 365 tenant then I would highly recommend you consider Enterprise rather than business plans.

In summary, every Office 365 plan includes the ability to configure custom activity alerts, which is something you should do. There are lots of activities you can alert on, so be judicious about which ones you choose, as it is very easy to get overwhelmed by spurious alerts.

image

My general recommendation would be to set up the above list of alerts as a minimum, but I suggest you start with a handful and increase and refine them over time.

As I said, I would also recommend looking at Enterprise plans to provide additional alerting abilities and functionality; however, no matter which plan you have, go in and add some form of alerting that makes sense for your tenant, as there is typically nothing there by default.

Microsoft Cloud options

Here’s a video of a webinar I did recently on the options you now have with the Microsoft Cloud. I provide an overview of services like Office 365, Enterprise Mobility and Security, Microsoft 365 as well as Windows 10.

The slides can be viewed above or downloaded from:

https://www.slideshare.net/directorcia/microsoft-cloud-options

In short, there are so many options now available to you with the Microsoft Cloud to help you solve just about any business challenge.

Enable mailbox auditing in Exchange Online

Office 365 has the ability to log and audit a lot of actions in your tenant; however, much of this logging is not enabled by default and, in my opinion, should be enabled by an administrator.

Another point to consider is that you have to use Exchange Online PowerShell to enable mailbox audit logging. You can’t use the Office 365 Security & Compliance Center or the Exchange admin center (i.e. the web interface).

image

After you have connected to Exchange Online using PowerShell, run the following command to view what audit settings are currently enabled for your mailboxes:

Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | FL Name,Audit*

image

That should produce a result as shown above. As you can see, the AuditEnabled option is currently set to False for all mailboxes. (Microsoft has since started turning mailbox auditing on by default for many licence types, so your tenant may already show True; the steps below still apply for verifying and extending what is audited.) This matches the documentation:

By default, mailbox auditing in Office 365 isn’t turned on. That means mailbox auditing events won’t appear in the results when you search the Office 365 audit log for mailbox activity. But after you turn on mailbox audit logging for a mailbox, you can search the audit log for mailbox activity. Additionally, when mailbox audit logging is turned on, some actions performed by administrators, delegates, and owners are logged by default.

which is detailed here:

https://support.office.com/en-us/article/enable-mailbox-auditing-in-office-365-aaca8987-5b62-458b-9882-c28476a66918#ID0EABAAA=Step-by-step_instructions

So to turn auditing on for all mailboxes execute the following PowerShell commands.

Get-Mailbox -ResultSize Unlimited | Set-Mailbox -AuditEnabled $true

If you wish to modify what events are actually audited you can use the following. Note that there is a separate parameter for administrators, delegates and owners of the mailboxes, and that each logon type accepts only a documented subset of actions:

Get-Mailbox -ResultSize Unlimited | Set-Mailbox -AuditAdmin @{Add="Copy","Create","FolderBind","HardDelete","MessageBind","Move","MoveToDeletedItems","SendAs","SendOnBehalf","SoftDelete","Update","UpdateFolderPermissions"}

Get-Mailbox -ResultSize Unlimited | Set-Mailbox -AuditDelegate @{Add="Copy","Create","FolderBind","HardDelete","MessageBind","Move","MoveToDeletedItems","SendAs","SendOnBehalf","SoftDelete","Update","UpdateFolderPermissions"}

Get-Mailbox -ResultSize Unlimited | Set-Mailbox -AuditOwner @{Add="Copy","Create","FolderBind","HardDelete","MessageBind","Move","MoveToDeletedItems","SendAs","SendOnBehalf","SoftDelete","Update","UpdateFolderPermissions"}

You'll find all the details about these commands, including the actions that are valid for each logon type, here:

Set-mailbox = https://technet.microsoft.com/en-us/library/bb123981(v=exchg.160).aspx

image

In true PowerShell tradition, when you execute these commands correctly, you’ll just be returned to the command line as shown above.

image

If we re-examine our mailboxes we now see that auditing is enabled and that more actions are audited as expected.

By default, entries in the mailbox audit log are kept for 90 days. When an entry is older than 90 days, it’s deleted. You can use the Set-Mailbox cmdlet to change this setting so items are kept for a longer (or shorter) period of time like so:

Get-Mailbox -ResultSize Unlimited | Set-Mailbox -AuditLogAgeLimit 180

which extends the entry limit retention to 180 days.
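Because the post says the value of all this is being able to re-run it, here is the whole procedure as one idempotent script: report the current state, enable auditing on every user mailbox, set the audited actions, extend the log age limit to 180 days, and then list anything that still does not comply. This is an added example rather than the author's own script. It assumes an Exchange Online PowerShell session. The action lists are split per logon type because Exchange accepts only a documented subset for each (for example Copy and MessageBind are admin-only and MailboxLogin is owner-only); check them against the Set-Mailbox reference linked above before running.

```powershell
# Added example: idempotent version of the mailbox auditing steps above.
# Assumes an Exchange Online PowerShell session. Action lists per logon type follow the
# Set-Mailbox documentation; confirm against the current reference for your tenant.

$ageLimit = [TimeSpan]'180.00:00:00'   # default is 90 days

$adminActions    = 'Copy','Create','FolderBind','HardDelete','MessageBind','Move',
                   'MoveToDeletedItems','SendAs','SendOnBehalf','SoftDelete','Update',
                   'UpdateFolderPermissions'
$delegateActions = 'Create','FolderBind','HardDelete','Move','MoveToDeletedItems',
                   'SendAs','SendOnBehalf','SoftDelete','Update','UpdateFolderPermissions'
$ownerActions    = 'Create','HardDelete','MailboxLogin','Move','MoveToDeletedItems',
                   'SoftDelete','Update','UpdateFolderPermissions'

$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox

# Before: how many mailboxes currently have auditing on or off
$mailboxes | Group-Object AuditEnabled | Select-Object Name, Count | Format-Table -AutoSize

foreach ($mbx in $mailboxes) {
    $params = @{
        Identity         = $mbx.Identity
        AuditEnabled     = $true
        AuditAdmin       = @{Add = $adminActions}     # Add is additive; existing actions are kept
        AuditDelegate    = @{Add = $delegateActions}
        AuditOwner       = @{Add = $ownerActions}
        AuditLogAgeLimit = $ageLimit
    }
    # Continue on error so one bad mailbox does not stop the run; errors are still printed.
    Set-Mailbox @params -ErrorAction Continue
}

# After: anything still off, or with a shorter age limit, needs a second look.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object {
        -not $_.AuditEnabled -or
        [TimeSpan]($_.AuditLogAgeLimit.ToString()) -lt $ageLimit
    } |
    Select-Object Name, AuditEnabled, AuditLogAgeLimit
```

Run it again whenever mailboxes have been added; only mailboxes that changed will actually be modified, and the final query tells you whether the tenant is back to the state you expect.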

So, another way to improve the security of your Office 365 tenant is to enable mailbox auditing and extend the properties that are audited. You can only do this with PowerShell, but once you have the script you can re-run it as many times as you like. The power of PowerShell!

Need to Know Podcast–Episode 175

Brenton and I talk about the importance of data compliance in light of recent legislation updates in both Australia and overseas. This means that it is very important to firstly understand what your obligations are when it comes to personal data, but also to ensure your own systems are compliant. Technology is not the only solution required here; you'll need policy as well as training to help people better understand what their responsibility is. We cover off all the major highlights as well as give you some suggestions of how you should be approaching this with your Office 365 tenants.

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at

https://ciaops.podbean.com/e/episode-175-compliance/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

@contactbrenton

@directorcia

Non Azure AD accounts can now join Microsoft Teams

Azure AD Connect: Version release history

How Office 365 protects your organisation from modern phishing campaigns

Azure migrate is now generally available

Introducing Azure Advanced Protection

Check those Office 365 forwards

Extending Exchange Online Deleted Items retention period

Many people are unaware of the fact that ALL (yes, I said ALL) Exchange Online plans are configured by default, to ONLY retain deleted items for 14 days. Yes, I said ALL Exchange Online plans, and I quote:

“How long deleted items are kept in the Deletions folder depends on the deleted item retention period that is set for the mailbox. An Exchange Online mailbox keeps deleted items for 14 days, by default. Use the Exchange Management Shell, as shown above, to change this setting, to increase the period up to a maximum of 30 days.”

this is from:

https://technet.microsoft.com/en-us/library/dn163584(v=exchg.160).aspx

You will also note that you can extend this to a maximum of 30 days using PowerShell, which I would suggest you do IMMEDIATELY after adding a user account.

To do this you firstly need to connect to Exchange Online using PowerShell. Then to view the current retention periods run the following:

image

that should then display something like:

image

As you can see from the above, all the mailboxes listed are currently only set to a MAXIMUM of 14 days for retention (which is the default).

To extend this to the maximum of 30 days for ALL plans, execute the following command:

image

Now when you re-examine all the deletion period for all mailboxes you should see:

image

they have all been extended to the maximum of 30 days, which should make everyone much happier and give you the ability to recover deleted email data out to the maximum period of 30 days for ALL plans. After 30 days, however, the deleted data will still be purged and unrecoverable.

If you wish to retain deleted email data beyond the 30 day maximum you'll generally need to place the mailbox on Litigation Hold, and actually ENABLE it! Litigation Hold is available on Exchange Online Plan 2 mailboxes, typically the E3 and E5 suites.
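The commands themselves are in the screenshots above. As an added example (not the author's own script), here is the same check-and-fix written so it can be scheduled: it reports which mailboxes are below 30 days, changes only those, and then verifies. It assumes an Exchange Online PowerShell session and includes shared mailboxes, which are just as often the target of a deletion.

```powershell
# Added example: check and extend the deleted item retention period on every mailbox.
# Assumes an Exchange Online PowerShell session. 30 days is the Exchange Online maximum;
# 14 days is the default the post describes.

$target = [TimeSpan]'30.00:00:00'

# RetainDeletedItemsFor may come back as a string over a remote session, so normalise via ToString().
$below = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox |
    Where-Object { [TimeSpan]($_.RetainDeletedItemsFor.ToString()) -lt $target }

# Report before changing anything
$below | Select-Object DisplayName, RecipientTypeDetails, RetainDeletedItemsFor | Format-Table -AutoSize

# Fix: only the mailboxes that need it, so the script is safe to re-run on a schedule
$below | Set-Mailbox -RetainDeletedItemsFor $target

# Verify: anything still short of the target is a mailbox you need to look at individually
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox |
    Where-Object { [TimeSpan]($_.RetainDeletedItemsFor.ToString()) -lt $target } |
    ForEach-Object { Write-Warning "$($_.DisplayName) is still at $($_.RetainDeletedItemsFor)" }
```

Because new mailboxes are created with the 14 day default, the report step is the part to keep running; a mailbox appearing in it means someone was added and the setting was missed.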

To my way of thinking, extending the deleted item retention period of all mailboxes in a tenant is something that should be done immediately and using the above PowerShell commands it is really easy to do. So there should be NO excuse!

Improved security is a shared responsibility

image

The Internet has ensured that everyone who is connected is connected to everyone else. That has some massive advantages, but it also makes us vulnerable to those who wish to exploit it. The reason we all get so much spam is because it is so easy and so cheap to send. However, after all these years, why is the dominant source of email traffic still spam? It's because it morphs and evolves to avoid detection. The same applies to other threats such as phishing.

Technology provides some great tools to deal with spam and phishing, but they can't remove 100% of the threats that are out there. Many also rely on people reporting attacks and suspect items in their inbox to security vendors so they can analyse them and improve their own detection.

Reporting incidents you come across in your own inbox has always been a challenge: who or where do you send your reports to? Now Microsoft has a free add-in for Outlook that allows you to quickly and easily report spam and phishing directly to them.

To do this visit:

https://appsource.microsoft.com/en-us/product/office/WA104381180?src=office

and install the Report Message add-in for Outlook in your environment.

image

Then when a suspect email is detected you can easily report it via a few clicks.

For more information about installing and configuring the Report Message add-in across your Office 365 environment see:

Enable the Report Message add-in

Don't just sit there and ignore spam and phishing attacks. Report them and potentially help save someone else from becoming a victim! When you connect to the Internet you become part of a global community. Help the community fight back against those seeking to take advantage of others. The more we all report attacks, the fewer there will be.

Join me in the fight to take back the Internet!

Check those Office 365 email forwards

One of the most common tasks that attackers perform after they have compromised an account in Office 365 (usually via a poor password or a phishing attack) is to set up email forwarding on the mailbox so that they receive a copy of email sent to that user.

Thus, it is good security practice to ensure that you are aware of all the email forwarding configurations that are enabled in your tenant. To see the mailbox-level forwarding settings, run the following PowerShell command once you have connected to Exchange Online (without -ResultSize Unlimited, Get-Mailbox stops at 1000 mailboxes):

Get-Mailbox -ResultSize Unlimited | select UserPrincipalName,ForwardingSmtpAddress,ForwardingAddress,DeliverToMailboxAndForward

This will produce a result like:

image

which tells you whether forwarding has been enabled and to which address emails are being sent (ForwardingSmtpAddress is used for external SMTP addresses, ForwardingAddress for recipients inside your tenant). Obviously, if you don't recognise any of these you should investigate further. Note that this only shows mailbox-level forwarding; a compromised account can also forward or redirect mail via an inbox rule (see Get-InboxRule), so those need checking too.

There are plenty of ways to run this script on a regular basis but I’m not going to cover that here.
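Since an attacker who has the user's credentials can just as easily create an inbox rule as set a mailbox forward, a check that only looks at ForwardingSmtpAddress misses a common case. The following added example (not the author's own script) covers all three paths: mailbox-level SMTP forwarding, mailbox-level forwarding to a tenant recipient, and inbox rules that forward, forward as attachment or redirect. It then flags targets outside your own domains. It assumes an Exchange Online PowerShell session, and the list of internal domains is a placeholder you must replace.

```powershell
# Added example: find every forwarding path out of each mailbox and flag external targets.
# Assumes an Exchange Online PowerShell session. $internalDomains is an assumption; replace
# it with your tenant's accepted domains.

$internalDomains = @('contoso.com')

$findings  = [System.Collections.Generic.List[object]]::new()
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox

foreach ($mbx in $mailboxes) {
    # 1. Mailbox-level forwarding: external SMTP address or internal recipient
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        $target = if ($mbx.ForwardingSmtpAddress) { $mbx.ForwardingSmtpAddress } else { $mbx.ForwardingAddress }
        $findings.Add([pscustomobject]@{
            Mailbox  = $mbx.UserPrincipalName
            Source   = 'Mailbox'
            Rule     = ''
            Target   = "$target"
            KeepCopy = $mbx.DeliverToMailboxAndForward   # False means the user never sees the mail
        })
    }

    # 2. Inbox rules that forward or redirect (slow on large tenants: one call per mailbox)
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            $findings.Add([pscustomobject]@{
                Mailbox  = $mbx.UserPrincipalName
                Source   = 'InboxRule'
                Rule     = "$($_.Name) (Enabled=$($_.Enabled))"
                Target   = (@($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo)) -join ';'
                KeepCopy = -not [bool]$_.RedirectTo      # redirect removes the message from the mailbox
            })
        }
}

# Flag anything whose target address is not in one of our own domains
foreach ($f in $findings) {
    $t = $f.Target
    $isInternal = $internalDomains | Where-Object { $t -like "*@$_*" }
    $f | Add-Member -NotePropertyName External -NotePropertyValue (($t -match '@') -and -not $isInternal)
}

$findings | Sort-Object External, Mailbox -Descending | Format-Table -AutoSize
```

Rows with External = True and KeepCopy = False are the ones to treat as incidents: mail is leaving the tenant and the owner is not seeing it. Everything else still deserves a glance, because an attacker who wants to stay unnoticed will usually leave a copy in the mailbox.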