There are many benefits of the more advanced Office 365 plans. One of the benefits you receive with E3 licenses and above is Rights Management:

If you visit the E3 product page at:

https://products.office.com/en-us/business/office-365-enterprise-e3-business-software

You will find the above focus on the included Information Protection features. One of the ways this is provided is via Rights Management.

https://technet.microsoft.com/en-us/network/dn858608.aspx

If you visit the above link you’ll find the table that compares the Rights Management features you receive in Office 365 E3 or better and with Azure Rights Management Premium.

 

Although Office 365 Rights Management isn’t as full featured as the premium product it does most things a business needs. It will basically protect documents no matter where they are located. Rights Management basically will encrypt documents and embed permissions inside the document. Thus, the permissions go wherever the document goes, inside or outside the business.

This is unlike most documents today that are only protected by the location in which they are stored. If you have a sensitive document on your file server, it is generally locked down via server permissions. However, that doesn’t prevent someone with the appropriate permissions sending that document, as an email attachment say, another person who doesn’t normally have permissions. That is because once the file is removed from its secure container it effectively is no longer protected. That’s because only the container the file lives in has permissions, not the file itself. With Rights Management, the permissions are embedded into the file, ensuring it is protected where ever it goes.

So, if you have Office 365 E3 or better, what’s the easiest way to start using the included Rights Management abilities you get with Office 365?

The easiest way is to configure information to be directly protected from the file system and desktop applications.

If you look at the above screen shots of PowerPoint and Windows Explorer you see there is no option to apply Rights Management. To provide that we need to firstly install the Rights Management agent software on the desktop.

To download the agent software, navigate to the Microsoft Rights Management download portal at:

https://portal.aadrm.com/Home/Download

Simply select the icon that matches your device. In this case we’ll select the Windows computer icon.

When the software has downloaded, run it.

Select Next to continue.

You’ll see the software configure and install Microsoft RMS for you.

After the installation is complete you’ll now need to Restart your system.

Now when you look at your Office applications you’ll see a new button called Share Protected as shown.

You’ll also find that Rights Management has been embedded into the file manager. Just right mouse click on any file and you’ll see the Protect with RMS option in the menu as shown.

I’ll cover off how you actually use this inbuilt Rights Management functionality to protect your information in an upcoming article, so stay tuned. However, at least now you have the agent installed on your desktop to make protecting your information with Rights Management easy.

Remember, Rights Management with Office 365 is currently only available with E3 or better suites but is also available as a stand alone purchase if you want it.

One of the handy features of Azure AD Premium was the ability to install a small program on each workstation and then have it report on cloud based applications used. All the data was collected by Azure and then reported in a handy dashboard.

That way you could see what cloud based applications were in use, how much data was flowing through them and whether they were being used outside the Azure AD Single Sign On Web Portal.

A good example I have seen is where cloud app discovery uncovered the fact that a number of employees were sharing large amounts of corporate information using Dropbox which had been banned from the workplace. Cloud Discovery allowed these users to be identified along the times sharing was taking place. The business could then take appropriate action.

According to this post from Microsoft:

https://blogs.office.com/2016/02/25/new-security-management-and-transparency-capabilities-coming-to-office-365/

Cloud App discovery is a new feature, amongst others, coming to Office 365. To quote:

Office 365 cloud app discovery gives you the ability to understand which other cloud services your users are connecting to. From the Office 365 admin portal, you can view a dashboard on network activity. For example, you can see where users are storing and collaborating on documents and how much data is being uploaded to apps or services outside of Office 365.

Not quite sure how exactly it works but I expect it will be a slightly cut down version of what is available in Azure AD Premium, like many other enhanced features of Office 365 are.

There are also some other great security enhancements announced in that blog post so check it and be ready for the new features arriving in an Office 365 near you soon!

Microsoft already has a very secure process about when and how support staff may access your Office 365 tenant data. Here’s a great video that explains this:

The recent addition of Customer Lockbox provides additional control for the customer.

Basically, once Customer Lockbox has been enabled the user has the final say over when and for how long Microsoft may access the tenant data to provide support.

To enable Customer Lockbox you’ll need to have the appropriate license (i.e. the new E5 SKU includes Customer Lockbox for example), then you’ll need to login as an administrator to the Office 365 admin center.

If you then locate and expand the Service Settings option on the left hand side of the screen, you should see the list shown above. In the list is the option Customer Lockbox, which you should select.

 

Now on the right you should see the above screen. To eanble Customer Lockbox simply change the switch to ON (i.e. move to right).

You’ll then receive the above warning. Select Yes to enable.

You should now see that Customer Lockbox is enabled as shown above.

To find out more about Customer Lockbox visit:

Office 365 Customer Lockbox Requests

and note once Customer Lockbox has been enabled:

If a content access request is denied or isn’t approved within 12 hours, the request expires. If this happens, you might continue to experience a specific service issue that could be resolved by allowing an engineer to access the content. We’ll (Microsoft) let you know if this happens.

So in summary, Customer Lockbox is a feature you can add on to Office 365 to prevent Microsoft accessing your data with out your specific permission once enabled.

Here is also an overview video from Microsoft: