Microsoft Tech Community - Latest Blogs - Security, Compliance, and Identity Blog

Three steps to master information governance in your organization

This month's episode of Uncovering Hidden Risks will discuss Information Governance and the industry trends we are seeing in this space. Information governance is the overall strategy for managing information at an organization. It is a discipline that spans several markets, including data governance, security, compliance, data privacy, content services, and more. Recently, these markets have begun to converge, highlighting the sometimes conflicting requirements between these disciplines.

 

Joining our host Erica Toelle is our guest, Randolph Kahn. Mr. Kahn is a globally recognized leader in Information Governance, with his consulting team advising major multinational corporations and governments on various information management issues. He has been an expert witness in major court cases and is a trusted advisor to corporations and governmental agencies. Mr. Kahn is also an accomplished author, speaker, and adjunct professor of Law and Policy of Electronic Information and The Politics of Information.

 

Natalie Noonan joins us as our guest host. Natalie is one of Microsoft’s top information governance experts, and helps our customers to define and plan their strategies. She is also a former program manager in financial services.

Together, we'll explore how you can master information governance in your organization. 

 

In this episode, we'll cover the following: 

  • Trends around the convergence of security, data governance, privacy, and compliance.
  • How the increase in laws and regulations around the management of data, especially regarding privacy, has affected these trends.
  • How people can approach a data governance solution.
  • Which requirements are important for data governance.
  • Options for implementing these requirements.
  • Looking ahead, what is coming for data governance.

Listen to this episode on your favorite podcast platform:

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

Introducing Data collaboration in Microsoft Purview data catalog with Ratings feature

Research suggests that ratings and reviews are critical to identifying trustworthy products; customers rely on them across industries and outlets, from Amazon's e-commerce platform to TripAdvisor and Yelp. The same approach works for data: ratings give users who discover data assets in the Microsoft Purview data catalog the trust and confidence to use them in an analytical pipeline, a reporting dashboard, and so on.

 

Imagine you are a data analyst tasked with building customer usage metrics for the last six months. Using the Microsoft Purview data catalog, you can search for and find all the customer-related data assets. You then face a new problem: several data assets contain customer information, and you are not sure which one is the trusted one. One way to find out is to request access to every customer data asset that looks relevant, read the data, and then decide which one to use. That process is cumbersome and time consuming, and ratings help remove some of the inefficiency. As users in your organization work with data assets, they can now give each asset a rating of 1 to 5 and leave comments on it. As an analyst, you can use these ratings and reviews to identify and use the most trusted and most used data.

 

You can also provide your rating and leave comments on the data asset based on your experiences of using that data asset.

 

To learn more about this feature, see here.

 


 

Multi-Geo Exchange Online Admin Audit Logs

We’re excited to announce that Exchange admin audit logs are now available from all geo locations for Multi-Geo tenants in Office 365. This feature applies only to tenants that hold the Multi-Geo Capabilities in Microsoft 365 license. In a Multi-Geo environment, a Microsoft 365 tenant consists of a Primary provisioned location (where the Microsoft 365 subscription was originally provisioned) and one or more satellite locations.

 


 

Prior to the release of this feature, Exchange admin audit events were available only for the Primary provisioned location. With this rollout, Exchange admin audit events are now available from satellite locations as well.

 

Tenant admins can use the audit search in Microsoft Purview or the Search-UnifiedAuditLog cmdlet to search the Exchange admin audit log events generated in satellite locations. All tenants using Multi-Geo Capabilities in Office 365 have this feature enabled by default, provided audit logging is turned on.

 

To verify that auditing is turned on for your organization, run the following command in Exchange Online PowerShell:

Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled

A value of True for the UnifiedAuditLogIngestionEnabled property indicates that auditing is turned on; a value of False indicates that it isn't.

 

Let’s look at an example. When an administrator in the EUR satellite location changes the litigation hold on a mailbox with the Set-Mailbox cmdlet, the event is sent to Office 365 audit storage through the auditing event pipeline:

PS C:\Users\euradmin> Set-Mailbox user@contoso.OnMicrosoft.com -LitigationHoldEnabled $false

 

Tenant administrators can use the following methods to search for this event. Events can be searched within a specified date range, and the results can be filtered on criteria such as the user who performed the action or the target object:

$start = (Get-Date).AddDays(-1); $end = (Get-Date);

Search-UnifiedAuditLog -StartDate $start -EndDate $end -UserIds euradmin@contoso.OnMicrosoft.com

 

The Office 365 Management APIs provide a single extensibility platform for all Office 365 customers' and partners' management tasks, including service communications, security, compliance, reporting, and auditing.

 

Most auditing data is available within 60 to 90 minutes, but it can take up to 24 hours after an event occurs for the corresponding audit log entry to appear in search results. Refer to Before you search the audit log, which lists the time it takes for events from the different services to become available.

 

Note:

Exchange admin audit events from satellite locations are not available through Search-AdminAuditLog; use Search-UnifiedAuditLog (or the Microsoft Purview audit search) instead.
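Putting the steps above together, as an added example that is not part of the original post: the script below connects to Exchange Online, refuses to search if unified audit log ingestion is off, pages through Search-UnifiedAuditLog with a session (a single call returns at most 5,000 records, so a session is needed for large result sets), keeps only the Set-Mailbox operations that touched LitigationHoldEnabled, and decodes the AuditData JSON to report who changed what. The admin UPN and the look-back window are placeholders, and surfacing the OriginatingServer field is this example's choice; the post does not say that field identifies the satellite location, so treat it as a hint rather than a geo tag.

```powershell
# Added example: find litigation-hold changes in the Exchange admin audit
# log of a Multi-Geo tenant and decode them. Requires the
# ExchangeOnlineManagement module. Names below are placeholders.
param(
    [string]$AdminUpn = 'euradmin@contoso.OnMicrosoft.com',   # assumed
    [int]$DaysBack    = 1
)

Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

# Step 1: stop early if unified audit log ingestion is disabled, because
# Search-UnifiedAuditLog would then silently return nothing.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    throw 'UnifiedAuditLogIngestionEnabled is False; enable auditing before searching.'
}

# Step 2: page through the unified audit log with a session ID so that
# result sets above the 5,000-record cap of a single call are returned
# completely. ReturnLargeSet output is unsorted; we sort at the end.
$start     = (Get-Date).AddDays(-$DaysBack)
$end       = Get-Date
$sessionId = [guid]::NewGuid().ToString()
$records   = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -RecordType ExchangeAdmin -Operations 'Set-Mailbox' `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($page) { $records += $page }
} while ($page -and $page.Count -eq 5000)

# Step 3: AuditData is a JSON string; Parameters is an array of
# {Name, Value} pairs holding the cmdlet arguments the admin supplied.
# Keep only events that set LitigationHoldEnabled.
$hits = foreach ($r in $records) {
    $d  = $r.AuditData | ConvertFrom-Json
    $lh = $d.Parameters | Where-Object Name -eq 'LitigationHoldEnabled'
    if ($null -ne $lh) {
        [pscustomobject]@{
            Time              = $d.CreationTime
            Admin             = $d.UserId
            Mailbox           = $d.ObjectId
            LitigationHold    = $lh.Value
            Result            = $d.ResultStatus
            # Present on Exchange admin records; not documented in the post
            # as a geo indicator, so it is shown only as a hint.
            OriginatingServer = $d.OriginatingServer
        }
    }
}

$hits | Sort-Object Time | Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Run it as, for instance, .\Find-LitigationHoldChanges.ps1 -DaysBack 7 (the file name is hypothetical). Because events can take up to 24 hours to land in the audit log, a run immediately after a change may legitimately return nothing; rerun later rather than concluding the satellite location is not being audited.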

 

Resources:

Microsoft Priva: Helping you build a privacy resilient workplace.

Last week, the 2023 IAPP Global Privacy Summit was held in Washington DC. There, privacy professionals and leaders from around the world came together to promote learning and awareness for data privacy. IAPP GPS served as a platform for individuals and organizations to come together to put privacy at the forefront of business practices—showcasing that the right set of tools can help meet fast-paced privacy regulatory changes.  

 

Microsoft Priva

Microsoft Priva was launched in 2021 to help organizations on their privacy journeys. Microsoft Priva brings automated functionality to help organizations meet evolving privacy requirements related to personal data. The Microsoft Priva solutions are:  

Priva Privacy Risk Management: Helps proactively identify and remediate privacy risks arising from data transfers, overexposure, and hoarding, and empowers information workers to make smart data handling decisions. 

 

Priva Subject Rights Requests: Helps manage subject rights requests at scale with automated data discovery and privacy issues detection, built-in review and redact capabilities, and secure collaboration workflows. 

 

What’s new with Priva Privacy Risk Management? 

Improved customization when creating policies. 

We are excited to announce that when configuring a data transfer policy, Priva Privacy Risk Management now lets organizations define and customize boundaries using Azure Active Directory attributes. The ability to configure flexible boundaries is now generally available: boundaries can be set by department and subsidiary, by Microsoft 365 Groups, and by SharePoint sites, and the policy automatically detects and blocks personal data that crosses a set boundary. For example, when Bob from the US subsidiary tries to send personal data to Sam in the Germany subsidiary, the message can be automatically blocked, with an option to override the policy.   

 


Figure 1. Options within Priva to choose boundaries for data transfer policies. 

 

When setting up policies in Priva, configuring alerts helps privacy admins take action to remediate privacy risks. Priva Privacy Risk Management now offers added customizability for alerts, which is especially useful because organizations have different risk appetites and profiles when it comes to managing privacy data. With this update, admins can set up and customize alerts for high-risk violations, such as detecting and flagging incidents that involve large volumes of personal data or high-impact regulated personal data, and receive alerts according to their preferences. This makes alerts more relevant and therefore easier to act upon. 

 


Figure 2. Alert customization options within the policy creation wizard in Priva Privacy Risk Management. 

 

Better together integration. 

Microsoft Purview Compliance Manager offers data protection and privacy assessment templates that correspond to compliance regulations and industry standards around the world. Now in preview is Microsoft Priva working hand in hand with Compliance Manager. With this update, admins can take specific actions within Microsoft Priva and see those actions reflected in their organization’s overall compliance score automatically. Additionally, it can detect whether admins have created data transfer, data minimization or data overexposure policies within Priva Privacy Risk Management, as well as enabling and enforcing data retention limits for data in Priva Subject Rights Requests—allowing for collaboration that yields better together productivity. 


Figure 3. Visual of Compliance Manager recognizing actions taken within the Priva solution in the “improvement actions” section of Compliance Manager. 

 

Additionally, insights from Compliance Manager will populate within Priva itself. This update in preview will bring recommendations on actions that will help admins align to regulations and improve their score in compliance manager. 

 

What’s new with Priva Subject Rights Requests? 

Added capabilities accelerate review. 

Priva Subject Rights Requests provides admins features that automate requests, so they can be fulfilled confidently, efficiently and at-scale. We are excited to share that Priva will now visually highlight data subject identifiers during review and enable admins to quickly navigate between these data subject references within content.  This update enables admins to better understand the context of how the data subject is mentioned and helps them determine relevancy to the request. 

 


Figure 4. Data subject identifiers highlighted within context on the “Plain Text” tab. 

 

Priva Subject Rights Requests has a new capability in preview to spotlight items collected with potential data governance implications within your organization.  This is powered by a new priority item detection type called “Record”.  

 

Your organization may be controlling retention on items that can directly conflict with a data subject’s delete request—we are enhancing our right to be forgotten preview capability to provide just in time awareness to collaborators during review when Priva detects an item with an applied retention label.  This comes with streamlined workflows that let you apply review tags and file notes to better facilitate collaboration with other SMEs in your organization to resolve conflicts.  Note: In addition to surfacing this insight during review, Priva Subject Rights Request will check for conflicts when executing the delete workflow as well.  

 


Figure 5. Tab populating within Priva where tags and notes can be applied. 

 

Newly released to general availability for Priva Subject Rights Requests is the ability for admins to focus their review with additional filters on the data collected, including a powerful keyword filter. Admins can type in one or more words, and the collected content is filtered to the items that match. Previously, admins could search only limited metadata, such as document titles. Now they have better options to focus the review experience, using keyword searches and other filters to target content.  

 


Figure 6. Keyword search in progress within the data collected tab within the Priva solution. 

 

More flexibility to manage requests. 

Now generally available is the ability for admins to import files from non-Microsoft 365 environments such as on-premises storage locations, or cloud-based systems where files exist for the data subject (individual files have a max limit of 500MB). This enables admins to consolidate response efforts and adds flexibility for imported data to leverage the review and collaboration features of Priva Subject Rights Requests. 

 


Figure 7. Icon in the upper right menu area of a request is accessible while in the "Review Data" stage, providing access to import files. 

 

In addition to importing non-M365 files, Priva Subject Rights Requests can now download items not supported by in-line review or annotation.  

 

Finally, the Microsoft Graph APIs for Priva subject rights requests provides functionality for organizations to automate repetitive tasks and integrate with existing line of business apps or business processes. You can use the Priva Subject Rights Requests API to help you automate and scale your organization's ability to perform subject rights requests searches in Microsoft 365 and help meet industry regulations more efficiently.  We have released the preview for right to be forgotten support for the Priva API.  If you’re new to working with the Microsoft Graph API, you can check out this video to get oriented on how to get started with the Priva API. 

 

Learn more 

Organizations today face many challenges in protecting personal data, while also meeting the demands of a changing privacy landscape—Microsoft Priva can help. We welcome you to learn more about Microsoft Priva by visiting our website and trying Microsoft Priva free with our 90-day trial. 

 

Did you know? The Microsoft 365 Roadmap is where you can get the latest updates on productivity apps and intelligent cloud services. Check out what features are in development or coming soon on the Microsoft 365 Roadmap. 

Microsoft Purview Information Protection in Microsoft 365 Apps - April 2023

Welcome back to the quarterly newsletter from Word, Excel, PowerPoint, and Outlook discussing what’s new and coming soon with sensitivity labels, powered by Microsoft Purview Information Protection. We pick up where we left off in January 2023.

 

From Bolt-On to Built-In: Recap

In March 2023,

  • We started rolling out to Current Channel the new configuration for M365 Apps that disables the AIP add-in by default, alongside a slew of new features that replace the capabilities of the add-in.

 

From Bolt-On to Built-In: April 2023

Using the various feedback channels and quality signals we rely on, we’ve been learning how this change is impacting customers who have already experienced the new configuration and features that launched in March.

 

We’re deeply grateful for the customer feedback so far and for all the signals that point to improvements in app performance, reliability, and label-usage metrics. A HUGE thanks to all our customers who have participated in the preview channels and shared their feedback.

 

As of today:

  • The new configuration in M365 Apps that disables the AIP add-in by default is now fully available to all users in Current Channel.
  • For users on Monthly Enterprise Channel, we’re extending the start date by one month to give customers more time to evaluate their organization’s readiness and compatibility with the new changes.
  • The AIP add-in enters the final phase of its support lifecycle with the announcement of its retirement timeline.

Please review the information below if your organization uses the Azure Information Protection (AIP) Add-in. The table summarizes the changes to the minimum version and dates for the new configuration. We're committed to helping organizations manage this transition at their own pace. If the release timeline isn't appropriate for you while the AIP add-in is in support, you can opt-out of the new configuration at any time, even if the Office build hasn't been deployed in your organization yet.
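An added example, not code from the post: a PowerShell check of the opt-out switch on a Windows client. It assumes the built-in labeling toggle documented for Office, the UseOfficeForLabelling DWORD under the Office 16.0 Common\Security\Labels key (1 means the built-in client handles labeling, 0 means the AIP add-in does), read first from the policy hive and then from the user hive. The key and value names are taken from Microsoft's sensitivity-label documentation as I know it, not from this post, so confirm them against the linked playbook before rolling anything out.

```powershell
# Added example: report which labeling client Office will use on this
# machine and, optionally, opt the current user out of built-in labeling
# while the AIP add-in is still supported. Key and value names are
# assumptions taken from public Office labeling documentation, not from
# the original post.
param([switch]$OptOutOfBuiltIn, [switch]$RevertToDefault)

$valueName = 'UseOfficeForLabelling'
$policyKey = 'HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Security\Labels'
$userKey   = 'HKCU:\SOFTWARE\Microsoft\Office\16.0\Common\Security\Labels'

function Get-LabelingClient {
    # A policy-delivered value wins over the per-user value; if neither
    # exists, Office uses its default (built-in labeling, AIP add-in
    # disabled, as of Microsoft 365 Apps 2302).
    foreach ($k in $policyKey, $userKey) {
        $v = Get-ItemProperty -Path $k -Name $valueName -ErrorAction SilentlyContinue
        if ($null -ne $v) {
            $src = if ($k -eq $policyKey) { 'policy' } else { 'user' }
            return [pscustomobject]@{
                Source = $src
                Value  = $v.$valueName
                Client = if ($v.$valueName -eq 0) { 'AIP add-in' } else { 'Office built-in' }
            }
        }
    }
    [pscustomobject]@{ Source = 'default'; Value = $null; Client = 'Office built-in' }
}

if ($OptOutOfBuiltIn) {
    # Write the per-user opt-out. A policy value, if present, still wins.
    New-Item -Path $userKey -Force | Out-Null
    New-ItemProperty -Path $userKey -Name $valueName -PropertyType DWord -Value 0 -Force | Out-Null
} elseif ($RevertToDefault) {
    Remove-ItemProperty -Path $userKey -Name $valueName -ErrorAction SilentlyContinue
}

Get-LabelingClient
```

Run it with no switches to see the effective client, with -OptOutOfBuiltIn on a pilot machine to keep the add-in, and with -RevertToDefault when the pilot is done; Office apps must be restarted for the change to take effect. For fleet-wide deployment, prefer the Group Policy setting over editing the user hive, since the policy hive is what the script checks first.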

 

Unsure where to begin? Head to https://aka.ms/AIP2MIP/HowTo/GetStarted for resources and options to get added assistance.

 

Release Information

Channel | Original (Revised March 2023) | New (As of April 2023)
Beta Channel (Learn more about M365 Insiders) | Target version: 2210+; Preview: Oct 12, 2022; GA: NA | No change
Current Channel (Learn more about CC) | Target version: 2302+; Preview: Oct 2022; GA: March 14, 2023 | No change
Monthly Enterprise Channel (Learn more about MEC) | Target version: 2302+; Preview: NA; GA: Apr 11, 2023 | Target version: 2303+; Preview: NA; GA: May 9, 2023
Semi Annual Enterprise Channel (Learn more about SAEC) | Target version: 2302+; Preview: Mar 14, 2023; GA: Jul 11, 2023 | No change

 

System administrators can review the Microsoft 365 admin message center for information about this update.

 

What’s New and Coming Soon

In case you missed it, check out What’s New with sensitivity labels alongside other new capabilities from Microsoft Purview. These features are exclusively available with the built-in labeling client for Office; none of these features are available with AIP Add-in. Review a complete list of features for built-in labeling and their availability on other platforms or release channels.

 

Check out many of these capabilities in action in this Microsoft Mechanics video!

 

 

To keep an eye out for upcoming capabilities that will help your organization transition from the AIP Add-in, take a look at our comparison guide, which highlights features that are available in preview, in development, or in planning.

 

Get started today

Whether you’re a new customer starting to use sensitivity labels in Office for the first time or are transitioning from the legacy AIP Add-in, we invite you to review the playbook for an in-depth walkthrough of the migration process and relevant resources to help you plan the transition.

 

Need help?

If you have questions or need assistance with migrating to the built-in sensitivity labeling client, leverage your Microsoft account team.

Retirement notification for the Azure Information Protection Unified Labeling add-in for Office

The Azure Information Protection (AIP) Unified Labeling add-in for Office has been in-market for close to eight years. In that time, it has grown in functionality and usage, becoming deeply embedded in the information protection strategy for thousands of organizations and used daily by millions of users. Since October 2019, Microsoft 365 Apps for Enterprise has been building the same functionality into Word, Excel, PowerPoint, and Outlook and has expanded sensitivity labels across Windows, Mac, Web, and Mobile for a comprehensive, consistent, and seamless experience for end-users and admins. Microsoft 365 Apps now have most of the capabilities found in the AIP Unified Labeling add-in for Office, as well as advanced capabilities not possible with the AIP Unified Labeling add-in for Office.

 

We are officially announcing the retirement of the AIP Unified Labeling add-in for Office and starting the 12-month clock, after which it will reach retirement on April 11, 2024. All customers with Azure Information Protection service plans will also receive a Message Center post with this announcement.

In this blog post we will cover some essential information that you should know about the retirement along with resources to help the transition and ways to reach out about additional questions you may have. Read all the way to the end, and do not hesitate to reach out for help.

 

Q.  What is the replacement for the AIP Unified Labeling add-in for Office apps?

Since we are talking about Office apps, we now have sensitivity labeling built directly into Office apps – with no need for an add-in on Windows. Learn more about migrating to Office built-in labeling. You will need to deploy a subscription edition of Office (now called Microsoft 365 Apps) as built-in labeling is not available with standalone editions of Office (sometimes called “Office Perpetual”).

 

Q.  What will happen to the AIP Unified Labeling client? Will the AIP Viewer on Windows go away?

We are focused on retiring only the add-in for Office apps for Windows. As we called out in the last modernization blog post, all the other capabilities you use will continue to be supported. To be explicit, we are not retiring the AIP Viewers on Windows/iOS/Android, the AIP PowerShell extension, the right-click Classify & Protect, or the Scanner.

Once the AIP Unified Labeling add-in for Office has reached retirement following the 12-month period, it will be removed from the Download Center package – leaving the other components of the package as-is. Over time we will rebrand these other capabilities under Microsoft Purview, and we continue to recommend using these to cover your labeling scenarios outside of Office apps.

 

Q.  Why are you doing this? Why now?

Those of you who have been with us since the early days of the add-in have seen this journey play out once already with the AIP Classic add-in as it was replaced with the AIP Unified Labeling add-in. The standard procedure was to have both versions available in-parallel for a while, then put one in maintenance mode while all updates went to the new version, and then eventually retire the older version.

We are now repeating that process with the AIP Unified Labeling add-in and Office built-in labeling: both have been available in-parallel for a while, we then set the AIP Unified Labeling add-in in maintenance mode on January 1, 2022, and put our energies toward Office built-in labeling, and now we are retiring the AIP Unified Labeling add-in. 

We have reached a point where Office built-in labeling can take over from the AIP Unified Labeling add-in, providing better performance, reliability, data classification, and other advanced capabilities not possible with the add-in. In most cases, customers can disable the add-in without losing functionality, resulting in behavior that is consistent across platforms and geared towards the addition of advanced capabilities now and in the future.

 

Q.  How do I start planning for this change?

The best resource is the migration playbook at https://aka.ms/AIP2MIP/HowTo/GetStarted. It has a five-step guide to help you learn, evaluate, and execute the replacement of the add-in.

 

Q.  Is it as simple as turning off the AIP Unified Labeling add-in for Office?

For a lot of customers – yes, it is that simple. We have worked to provide feature parity between the add-in and Office built-in labeling. With Microsoft 365 Apps version 2302 we are also switching to built-in labeling by default, and customers must explicitly opt-out to continue using the add-in. 

However, there are differences that need to be accounted for. For example, the look and feel of the labeling experience in Office is different from the labeling experience in the add-in. Your users might need to be made aware of these differences beforehand and might need additional training. All this can add calendar time to your migration even if the actual switch-over is simple.

If there are capabilities in the add-in being actively used and are not yet available in Office built-in labeling, the migration playbook will help you understand the roadmap and delivery date for these features. If you cannot find what you are looking for, reach out to your Microsoft account team or to Microsoft Support to get help.

Our recommendation is to use the self-evaluation questionnaire and the migration playbook extensively. Try out the features too. You will quickly get an idea of where you should devote your planning energy to get the best ROI.

 

Q. About this 12-month period – does it apply to everyone? What if I need more time?
Yes - this retirement notification applies to every AIP customer. After the standard 12-month timeframe, the add-in is retired, and customers will not be able to use the add-in with sensitivity labels. We expect most of our customers to migrate to Office built-in labeling within this timeframe.
However, there will be exceptions:

  1. Customers using AIP in China do not have a specific retirement date yet and will be informed about their specific retirement date in a future message center post.
  2. Customers with complex AIP deployments can request an extension through Microsoft Support or through their Microsoft account team. NOTE: Granting the extension is not automatic.

 

Q. I need more help, who can I reach out to?
Depending on your size and the complexity of your environment, you have a few options:

  • Reach out to your Microsoft account team.
  • Reach out to Microsoft FastTrack and request help with the migration.
  • Reach out to Microsoft Support with specific questions.
  • Reach out to Microsoft MVPs who specialize in Information Protection.
  • Use the Information Protection Yammer group (NDA customers only) to reach out directly to the product group and leverage the community for answers.
  • Reach out to AIP2MIPGetHelp@microsoft.com distribution list that is being monitored by the product group.

 

Microsoft Information Protection SDK 1.13: Now Available!

We're pleased to announce that the Microsoft Information Protection SDK version 1.13 is now generally available via NuGet and Download Center.

 

In this release of the Microsoft Information Protection SDK, we've focused on adding preview support for offline publishing and have made changes in how MIP SDK consumes Office documents and emails protected with AES in cipher block chaining (CBC) mode.

 

Offline Publishing

Until now, applying protection to a file required an online call to fetch a publishing license from the rights management service. In MIP SDK 1.13, we've added public preview support to enable offline publishing. Now, after making an initial connection to the service, the client no longer needs to have internet connectivity or make a service call to protect content. This feature is in public preview for the 1.13 release.

 

To learn more, check out the MIP SDK documentation: https://aka.ms/mipsdkofflinepublishing 

 

CBC Mode Updates

We've made updates to how MIP SDK consumes and publishes Office files, including Word, Excel, and PowerPoint documents as well as emails protected by Microsoft Purview Information Protection. In the second half of 2023, M365 Apps on Current Channel and Monthly Enterprise Channel, Exchange Online, and SharePoint Online will default to publishing Office documents and emails using 256-bit AES encryption in CBC mode.  Applications using the Microsoft Information Protection File SDK must be updated to version 1.13 to support consumption of these files. 

 

For a full list of changes to the SDK, please review our change log.

 

Links

Public preview: Programmatically interact with Microsoft Purview workflows using APIs and SDKs

To broaden our developer experience and to let customers interact with and extend Microsoft Purview using the software technologies and tools in their organization, we are happy to announce that REST APIs and SDKs for the workflow data plane are in public preview. Software engineers and developers in your organization can now use these APIs and SDKs to programmatically create or update a workflow, submit a workflow, approve or reject an action, update or re-assign an approval or task action, list or cancel workflow runs, and more.

 

To use any Microsoft Purview data plane API, you first need to create a service principal and assign it the right Microsoft Purview role before invoking the API. This establishes trust between the service principal and the Microsoft Purview account. For example, to create a new self-service data access request workflow and bind it to the root collection, you need to grant the service principal the 'Workflow Admin' role at the root collection level. 

 

This tutorial covers how to create a service principal, set up authentication using the service principal, get a token, and use the token to call Microsoft Purview data plane APIs.
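As an added example (not the post's or the Purview SDK's own code), the PowerShell below walks the sequence the paragraph describes for a script rather than a signed-in user: obtain a token for the Purview data plane with a service principal's client credentials, then call the workflow data plane to list workflows. The tenant ID, client ID, secret and account name are placeholders; the Workflow Admin assignment at the root collection is made in the Purview governance portal and is assumed to already exist; and the /workflow/workflows path and api-version=2022-05-01-preview are taken from my reading of the preview REST reference, not from this post, so check them against the linked API documentation.

```powershell
# Added example: call the Microsoft Purview workflow data plane (public
# preview) as a service principal. All identifiers are placeholders.
$TenantId    = '00000000-0000-0000-0000-000000000000'   # assumed
$ClientId    = '11111111-1111-1111-1111-111111111111'   # assumed
$AccountName = 'contoso-purview'                         # assumed Purview account
$secret      = Read-Host -AsSecureString 'Service principal client secret'

# Step 1: client-credentials token. The scope is the Purview data plane
# resource (https://purview.azure.net/.default), not Azure Resource Manager;
# an ARM token is rejected by the data plane even for a valid principal.
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secret)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -ContentType 'application/x-www-form-urlencoded' `
    -Body @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $plain
        scope         = 'https://purview.azure.net/.default'
    }
$plain = $null
$headers = @{ Authorization = "Bearer $($tokenResponse.access_token)" }

# Step 2: list workflows. Path and api-version are assumptions from the
# preview reference; adjust them if the linked documentation differs.
$base = "https://$AccountName.purview.azure.com/workflow"
$api  = 'api-version=2022-05-01-preview'
try {
    $workflows = Invoke-RestMethod -Method Get -Headers $headers -Uri "$base/workflows?$api"
    $workflows | ConvertTo-Json -Depth 6
} catch {
    # 401/403 here almost always means the principal lacks the Workflow
    # Admin role on the collection; the API cannot grant that for itself.
    Write-Error "Workflow API call failed: $($_.Exception.Message)"
}
```

Keep the client secret out of the script and out of source control (a certificate credential or a managed identity is preferable to a secret for anything that runs unattended), and grant the service principal the narrowest Purview role and collection that the workflow operations actually need.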

 

To get started with workflow data plane APIs and SDK's please see the below links:

  • Workflow data plane APIs, see here.
  • Workflow data plane C# SDK, see here.
  • Workflow data plane Java SDK, see here.
  • Workflow data plane Python SDK, see here.
  • Workflow data plane JavaScript SDK, see here.

Microsoft Purview DevOps policies for Azure SQL Database is now generally available

In a prior blog, we announced the General Availability (GA) of the Microsoft Purview DevOps policies integration with SQL Server 2022 (Arc-enabled). Today, we are launching DevOps policies for Azure SQL Database into GA.

 

In a nutshell, you can use DevOps policies to provision access to database system metadata at-scale, securely and inexpensively. Who needs that access? Your internal IT/DevOps personnel or your external contractors that are tasked with monitoring health, tuning performance, and reviewing audit information in SQL systems.

 

With DevOps policies, you can now manage access to SQL Dynamic Management Views and Functions (DMVs and DMFs) from a central place in the cloud, in a simple experience that provides visibility on who has access to what. No need to directly connect to databases or to explicitly create logins or users on a server.

 

In the screenshot below, you see DevOps policies for Azure SQL Database, SQL Server 2022 (Arc-enabled), Azure SQL MI, and also on an entire Azure resource group.

 

Figure 1: Example of DevOps policies

 

The benefits of Microsoft Purview DevOps policies have been discussed in prior blogs. We link to them here, along with a few more resources, to answer some common questions:

 

Thanks for reading!

The Microsoft Secure 2023 Learn Live series is still underway! Join in real-time or watch on demand.

Microsoft Secure 2023 may be over, but the learning continues. We have a range of learning opportunities for you that complement key topics and themes from the event, including a series of four Microsoft Secure Learn Live episodes you can join in real-time or watch on demand.  

 

Each Learn Live episode is a live, guided experience where participants work through a single Microsoft Learn module together. Microsoft experts lead the session, providing helpful commentary and insights and answering participants’ questions. It’s a great opportunity to earn badges, prepare for certifications, and gain new technical skills. If you can’t tune in live, you can watch all the episodes on demand at your own pace.   

 

Go to the Microsoft Secure 2023 Learn Live series to start learning now or keep reading for details.  

 

Catch two more Microsoft Secure Learn Live episodes in April: the final two episodes in our four-part series feature Microsoft Defender for Cloud and Microsoft Entra.

 

Enable and manage Microsoft Defender for Cloud 

April 12, 2023, 10:00 AM—11:30 AM (PDT) 

This episode will take you through the intermediate-level Enable and manage Microsoft Defender for Cloud module, which shows you how to use Microsoft Defender for Cloud and Secure Score to track and improve your security posture. In this episode, you’ll learn how to: 

  • Define the most common types of cyber-attacks. 
  • Configure Microsoft Defender for Cloud based on your security posture. 
  • Review Secure Score and raise it. 
  • Lock down your solutions using Microsoft Defender for Cloud. 
  • Enable just-in-time access and other security features. 

Create, configure, and manage identities 

April 19, 2023, 10:00 AM—11:30 AM (PDT) 

Working through the advanced-level Create, configure, and manage identities module will build your skills with Azure Active Directory, part of Microsoft Entra. In this episode, you’ll learn how to: 

  • Create, configure, and manage users. 
  • Create, configure, and manage groups. 
  • Manage licenses. 
  • Explain custom security attributes and automatic user provisioning. 

Missed the first two episodes in March? Watch anytime on demand.

The first two Learn Live episodes took place on March 28, during Microsoft Secure, but if you didn’t catch them, you haven’t missed out completely. View the recorded episodes on demand whenever you want for an in-depth walk-through of training modules focused on Microsoft Sentinel and Microsoft Purview.

 

Threat hunting with Microsoft Sentinel  

This episode works through the intermediate-level Threat hunting with Microsoft Sentinel module. You’ll learn how to:  

  • Use queries to hunt for threats. 
  • Save key findings with bookmarks. 
  • Observe threats over time with livestream. 

 

Manage insider risk in Microsoft Purview

This episode takes you through the intermediate-level Manage insider risk in Microsoft Purview module. By the end, you’ll be able to: 

  • Explain how Microsoft Purview Insider Risk Management can help prevent, detect, and contain internal risks in an organization. 
  • Describe the types of built-in, pre-defined policy templates. 
  • List the prerequisites that need to be met before creating insider risk policies. 
  • Explain the types of actions you can take on an insider risk management case. 

Participate in the Microsoft Secure Learn Live series today!

Why De-privileging?

This post starts a series explaining why we at Microsoft Security Services for Incident Response recommend some of our favorite protections. Our first post in the series talks about identity hygiene.

 

If you’re new to our services, we’re a team of cyber-security experts at Microsoft who help companies around the world investigate and recover from attacks by applying proven practices before, during and after a security incident. You’ll learn more about us and what to do on our page here: https://aka.ms/MicrosoftIR

 

Our goal with this post is to highlight the importance of granting only the right privileges as a protection mechanism against cyber-attacks. The post covers some definitions and some calls to action so your company can be better protected through identity hygiene.

 

When we mention identity hygiene you might think of shiny, bright and clean identities. And yes, at some point they look like that, because it takes some brushing up and polishing of your current, and maybe new, identities. The identity hygiene process is a series of steps we follow when helping customers recover from attacks. It starts with a discovery of the environment and its configurations; some of those configurations concern identities, and those are the ones subject to clean-up.

 

Why is this technique needed at all? Imagine Magda, the administrator of your company's file server. Just as she's about to enter a meeting, she gets an urgent call from her manager, saying that he is not able to access some important files he needs. She's in a hurry, but can't leave her manager unable to work, so she quickly gives him Full Control permission over the files so that he has no reason to complain.

 

In an ideal world this shouldn’t have happened at all, but if for some strange reason her manager had been given these excessive permissions, she should analyze what just happened and correct it by granting the least permissions the manager needs to access the files. Yeah, but that’s the ideal world… Unfortunately, many times this happens in a less-than-ideal way. When we look at customers’ environments after a compromise, we find all kinds of excessive permissions applied to files, folders, identities, directory structures, resources, organizational units, storage accounts, group policies and all kinds of other assets in a company's environment. This sort of situation happens every day, in most companies, and keeps happening over the years! Imagine cleaning up all this mess after years of hurries!

 

When we talk about de-privileging in cybersecurity, and especially in Microsoft Security Services for Incident Response, we're talking about taking away from an entity those permissions and features that make it relevant for a security investigation, or that make it worth an attacker's effort to take control of it. If an account has many permissions applied (and that’s noticeable!), an attacker will likely try to get hold of that account to perform their activities, as they would expect the account to have some special value and to have been given those extensive permissions because of it.

 

Figure 1: AI-generated image of a person's face with neon-like shines wearing an audio headset circled by a blue coin-like shape in front of a circuit-like background.

 

De-privileging is key in our compromise recoveries, but, unfortunately, you cannot just strip privileges from ALL your identities. There must ALWAYS be at least some privileged identities in the system; otherwise, how would you delegate permissions to others to help you in your job if nobody has at least some privileges?

 

Removing privileges is not only about cleaning up active accounts. We also find accounts that are no longer used (no logon in months!), accounts whose passwords have not changed in a long time (meaning an old credential theft might be replayed), and accounts that were disabled without first removing their permissions, which allows for potential escalation should the account be re-enabled. These situations should also be avoided, and preventing them should be part of the identity hygiene process.

 

What are we doing here?

 

Privileges can be permanent, or they can be temporary. The most common way nowadays to grant temporary privileges is to use a solution such as Azure AD Privileged Identity Management (described here: https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure) or a solution from one of our partners in the industry. Any of these is good if it covers your business's specific needs and preferences; it's always a good idea to evaluate several and choose the one, or ones, that best suit your case. The ability to grant privileges temporarily is valuable because it lets you build a process to audit and revoke access and to integrate it with the identity lifecycle in a way that makes sense for your company.

 

Another important discipline you can (and should) use is performing access reviews. An access review is an activity where you ask the user, or the person responsible for their access, whether the outstanding privileges are still needed. You cannot run access reviews every day for every user (it would make users hate their security department even more!); you need to learn the art of balancing the opportunity, the value of the assets being protected and the effort the review itself takes, which is also key to its success. You can visit this page to see how access reviews work in our Azure AD platform: https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview

 

When temporary privileges are available, revoking them and keeping things clean is easy. However, many systems still only allow you to give users permanent privileges. This is, by the way, the default in most operating systems and applications, which were designed with that concept in mind, so we see it in most of the customers we work with. The problem with permanent privileges is that they are easy to forget, so it is easy to end up with users who have more power than desired. Sadly, attackers are very good at finding these accounts and will go after their credentials to carry out their attack, most of the time through lateral movement (http://en.wikipedia.org/wiki/Network_Lateral_Movement).

 

Unused privileges are another problem: people may have been granted temporary access to assets that they no longer need. With the help of tools such as Microsoft Entra Permissions Management, we can discover, remediate and monitor this permission “creep”, and even fix it across multi-cloud environments. There’s a nice article here that introduces the concepts behind Entra Permissions Management: https://learn.microsoft.com/en-us/azure/active-directory/cloud-infrastructure-entitlement-management/overview

 

One of the techniques we use in Microsoft Security Services for Incident Response during our engagements with customers is to de-privilege the accounts we find with excessive power over the systems that are most critical for managing the environment. We will discuss which kinds of systems those are in a future post. By de-privileging, we aim to leave identities with the minimum access required to perform the tasks they are supposed to do, and we encourage the use of the delegation tools available in the system to manage permissions according to best practices.

 

The value of de-privileging

 

Let's suppose that every account that has excessive permissions was worth $1000 (It can actually give an attacker way more value than that!). Often, when we analyze a customer’s environment, we find hundreds of accounts that have more privileges than required. For the attacker it is just a matter of finding the right account to have success in their attack.

 

In the environments where we have recently worked, we found that more than four fifths of the accounts configured with excessive permissions could be de-privileged to leave them either as standard users or as properly delegated administrators. In some cases, we prefer to remove those accounts and create new ones that have gone through the right delegation process.

 

Another way of looking at the value of de-privileging is to look at the exposure surface you have in your system. Imagine that you have 100 accounts; if 80 of those accounts have more privileges than required, you have an exposure of 80%. This means that roughly four out of every five accounts an attacker manages to compromise, whether by phishing, password spraying or credential theft, will hand them more privilege than that account should ever have had, making it possible for them to cause a lot of harm in your environment or to your data.

 

The process of de-privileging takes time. You need to understand why each user has their current privileges, and you need to assess how harmful removing those privileges would be to the user's ability to perform the tasks they are assigned. If you don’t have an access review process in place, understanding the status of your user accounts is going to take a big effort.
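As an added example (not code from the Microsoft Security Services for Incident Response team), the following Python script runs the discovery checks described above over a constructed account export: privileged accounts with no sign-in in 90 days, privileged accounts whose password has not been set in a year, disabled accounts that still hold privileged roles, and the exposure fraction (accounts holding a privileged role over all accounts). The CSV columns, the privileged role names and the thresholds are assumptions; a real export from Active Directory or Azure AD needs its own column mapping, and whether a privileged account is also excessively privileged still needs the access review the post describes.

```python
"""Identity hygiene audit over an exported account list (added example)."""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Roles/groups treated as privileged. Assumption for this example; extend
# with the roles that matter in your environment.
PRIVILEGED_ROLES = {
    "Domain Admins",
    "Enterprise Admins",
    "Global Administrator",
    "Privileged Role Administrator",
}

# Thresholds for "no logon in months" and "password not changed in a long
# time"; tune them to your policy.
STALE_SIGNIN = timedelta(days=90)
STALE_PASSWORD = timedelta(days=365)

# Fixed reference time so the audit is reproducible.
NOW = datetime(2023, 4, 1, tzinfo=timezone.utc)

# Constructed sample export (not real data). Column names are assumptions.
SAMPLE_EXPORT = """\
upn,enabled,roles,last_signin,password_last_set
magda@contoso.example,true,File Server Admins;Domain Admins,2023-03-30T09:12:00Z,2023-01-15T08:00:00Z
manager@contoso.example,true,Domain Admins,2023-03-29T17:40:00Z,2021-11-02T12:00:00Z
svc-backup@contoso.example,true,Domain Admins,2022-06-01T02:00:00Z,2020-05-20T00:00:00Z
old-contractor@contoso.example,false,Global Administrator,2022-01-10T10:00:00Z,2021-12-01T00:00:00Z
alice@contoso.example,true,,2023-03-31T08:05:00Z,2023-02-01T00:00:00Z
"""


@dataclass
class Account:
    upn: str
    enabled: bool
    roles: set[str]
    last_signin: datetime
    password_last_set: datetime

    @property
    def privileged_roles(self) -> set[str]:
        return self.roles & PRIVILEGED_ROLES


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_export(text: str) -> list[Account]:
    """Parse the CSV export into Account objects."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        accounts.append(Account(
            upn=row["upn"],
            enabled=row["enabled"].strip().lower() == "true",
            roles={r.strip() for r in row["roles"].split(";") if r.strip()},
            last_signin=_ts(row["last_signin"]),
            password_last_set=_ts(row["password_last_set"]),
        ))
    return accounts


def audit(accounts: list[Account], now: datetime = NOW) -> dict:
    """Run the hygiene checks and compute the exposure fraction."""
    privileged = [a for a in accounts if a.privileged_roles]
    findings = {
        "stale_signin": [],         # privileged, enabled, no sign-in for STALE_SIGNIN
        "stale_password": [],       # privileged, enabled, password older than STALE_PASSWORD
        "disabled_privileged": [],  # disabled but still holding privileged roles
    }
    for a in privileged:
        if not a.enabled:
            findings["disabled_privileged"].append(a.upn)
            continue
        if now - a.last_signin > STALE_SIGNIN:
            findings["stale_signin"].append(a.upn)
        if now - a.password_last_set > STALE_PASSWORD:
            findings["stale_password"].append(a.upn)
    # Share of accounts holding a privileged role: the candidates for review.
    # Whether each is *excessively* privileged still needs an access review.
    findings["exposure"] = len(privileged) / len(accounts) if accounts else 0.0
    return findings


if __name__ == "__main__":
    result = audit(parse_export(SAMPLE_EXPORT))
    print(f"exposure: {result['exposure']:.0%}")
    for check in ("stale_signin", "stale_password", "disabled_privileged"):
        for upn in result[check]:
            print(f"{check}: {upn}")
```

On the sample export the script reports an exposure of 80% (four of five accounts hold a privileged role), flags the backup service account for no sign-in in months, flags it and the manager's account for old passwords, and flags the disabled contractor account that still holds Global Administrator. Feed it a real export and the stale and disabled entries are the first de-privileging candidates; the rest go to an access review.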

 

How to avoid having to de-privilege?

 

For a new system, it is easy to build some sort of privilege-granting rule. You need to make sure that everybody who can grant a privilege is conscious of the implications of granting it. Education, in this case, is not for the end user but for the team administering your systems, so that they stay conscious of this fact. Educating your end users to reject and report it when they see they have too many rights would be ideal, but that is very hard to achieve and unlikely to happen.

 

For existing systems, you really want to know what permissions are outstanding. To do that, you will need some sort of tool that collects information about your current permissions. These tools are not easy to find in the market and are sometimes expensive. If you happen to be working with Microsoft Support services or with Microsoft Security Services for Incident Response, several such tools are included in your engagement, and you can keep using them for some time after we leave.

 

Apart from the education and the tools, you need a team. When we’re engaged with you, teamwork is essential in getting to a successful eviction or recovery; we have learned from our engagements that building a team of people creates powerful responses to attacks. Communication, clarity and agility are great skills for a team that helps protect your environment. A well-formed team is, indeed, one of the best ways to avoid having to de-privilege identities in your systems.

 

TL;DR (well, you’ve already read it!)

 

Cleaning up your permissions will help you be more resilient to attacks. Of course there are more techniques, and we will be covering those soon, but for now make sure your important permissions are given ONLY to the identities you expect to use them. Uncontrolled permissions can be the way someone gets control of your environment.

 

We hope you’ve enjoyed this post, let us know what you think, share it on your social networks and comment on your stories, techniques, and points of view.

 

@Mauricio Tamayo Ortega 

Streamline your multi-cloud assessments with Microsoft Purview Compliance Manager

Data has become the lifeblood of every business, but with the shift to hybrid work and unprecedented levels of digital transformation, an organization’s data now lives outside of the traditional borders of business. Over 30% of decision makers do not know where or what their sensitive business-critical data is[1], making it impossible for organizations to protect that data, close exposure gaps, or comply with regulatory requirements.

 

Just as seatbelts and speed limits took time to catch up with the automobile, privacy regulations are only now catching up with the pace of digital transformation, and it is just a matter of time before organizations are held to them. Attorneys general are now tasked with bringing legal action over breaches. Compliance has gone from a should to a must, and in 2023 it has become a board-level topic. When organizations manage risks well, compliance becomes a natural outcome.

 

At Microsoft, we are focused on helping customers simplify their compliance journey, which is why we created Compliance Manager in the first place. Microsoft Purview Compliance Manager helps organizations get compliant, stay compliant, and scale their company’s compliance by helping them aggregate and automate compliance in one tool that works right out of the box.

 

Announcing new capabilities to aggregate and automate your multi-cloud compliance posture

 

Today, we are excited to announce the public preview of the integration between Microsoft Purview Compliance Manager and Microsoft Defender for Cloud to address our customers’ multi-cloud reality. As organizations continue their hybrid environment journeys, it’s more important than ever to have visibility into their entire digital estate from a single pane of glass. This integration enables organizations to automatically manage technical controls coming from Defender for Cloud, including Azure, AWS (Amazon Web Services) and GCP (Google Cloud Platform) services, from one place. If you use Defender for Cloud to monitor your cloud compliance today, you can bring those insights into Compliance Manager with a few simple clicks. For a common regulation like GDPR (General Data Protection Regulation), customers will now be able to track their compliance requirements across infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS).

 

Figure 1: GDPR assessment across multiple services

 

Enhancing the user experience

 

We’ve added more capabilities for searching, sorting and accessing the platform. The new functionality allows for more intuitive page navigation and a better overview of the available assessment templates. Below are three things you shouldn’t miss in Compliance Manager.

  1. Use your included templates – if you are a Microsoft 365 E5 Customer, you’re entitled to free templates!
  2. Create assessments for more than just Microsoft 365 – leverage universal assessments to assess risk for multiple services.
  3. Save time by automating technical controls – set up automatic actions and get alerts when we identify vulnerabilities.

Get started today!

 

We are committed to helping organizations do more with less by delivering capabilities that make the end-to-end compliance management experience more efficient. Get started with Compliance Manager through the Microsoft Purview portal. If you are a Microsoft 365 E5 customer, try out your free templates today!

Additional resources:

[1] 10 Reasons Why Your Organization Still Isn’t Data-Driven (forbes.com)

Learn how Microsoft Purview Information Protection discovers and protects your most sensitive data

Did you know that 88% of organizations lack the confidence to prevent sensitive data loss?1 Data discovery and classification are the important first steps for organizations who want to better protect sensitive PII and corporate intellectual property; you can’t prevent data loss with policies if the right files aren’t correctly labeled and aren’t protected to begin with.

 

With Microsoft Purview, our goal is to provide a built-in, intelligent, unified, and extensible solution to protect sensitive data across your digital estate. This includes Microsoft clouds such as Microsoft 365 and Azure, as well as on-premises, hybrid and third-party clouds, and SaaS applications. With Microsoft Purview Information Protection, we are building a unified set of capabilities for data classification, labeling, and protection for our customers’ multicloud and multiplatform IT landscape.

 

At Microsoft Secure, we are highlighting several new Information Protection product capabilities, including:

  1. Optical character recognition (OCR) support for various workloads and data security solutions including Endpoint DLP, Information Protection,  Insider Risk Management  and Data Lifecycle Management is coming soon to public preview.
  2. Context-based classification with default site labels is generally available today, and coming soon to public preview are contextual summary support and new contextual predicates.
  3. Smart alerts and alert insights that provide system admins with top risks is coming soon to public preview.
  4. Extending sensitivity labels to Outlook meetings and Teams is now generally available.
  5. An enhanced pre-trained source code classifier is now generally available.

Expanded OCR support for more comprehensive sensitive data discovery and data loss prevention

We’ve listened to customers’ requests to expand the workloads and platform support for OCR. OCR is already generally available for Communication Compliance and eDiscovery Premium. We’re pleased to announce that OCR will soon be in public preview for additional data security solutions: Data Loss Prevention, Insider Risk Management, Information Protection and Data Lifecycle Management and the following workloads: Exchange email, SharePoint sites, OneDrive accounts, Teams chat and channel messages and Windows devices.

 

Figure 1. Specifying workloads for OCR scans

 

Figure 2. Selecting sensitive information types to be covered by a DLP policy

 

Once the OCR settings are configured for the different workloads and locations, all your existing DLP, auto-labeling, Insider Risk Management and Data Lifecycle Management policies will also start applying to images that contain sensitive content. For example, if you have configured the DLP condition “content contains sensitive information” with any classifier or sensitive information type (e.g., a built-in SIT like credit card number, a custom SIT, exact data match or a trainable classifier), these classifiers will now scan the text in images and apply the DLP actions if sensitive content is found in the image. There is no need to update existing policies across any of these data security solutions.

 

Figure 3. An attempt to send a credit card image over Teams is automatically blocked

 

Context-based classification for improved classification granularity and coverage

To improve the ease of use for system admins, support for contextual summary in simulation mode for service side auto-labeling is coming soon to public preview. When reviewing matched items in the Contextual Summary tab, system admins will be able to easily review what sensitive information type was found as a match in the document. This enables them to further optimize their policies before production deployment, for improved accuracy and reduced false positives.

 

To improve classification granularity and coverage, the new contextual predicates shown below will let system admins use a document’s context, such as document property, file extension, size, author/owner and document name, in auto-labeling policies. This makes it easier and faster to auto-label specific files that cannot currently be targeted with other advanced classifiers.

  • New contextual predicates include:
    • Document property is
    • File extension is
    • Document size equals or is greater than
    • Document created by (only available in advanced rules in OneDrive and SharePoint locations)
    • Document names contain words or phrases

Proactive smart alerts for system admins on risky user behavior are coming soon in public preview

While system admins can use content explorer and activity explorer to monitor and analyze where sensitive files are stored across their digital estate and how they’re being used, today they must first have manual or auto-labeling and DLP policies in place that label the sensitive data and files. What if system admins could proactively be shown alerts and insights on risky user behavior without having to first implement specific policies, reinforcing our Zero Trust and secure-by-default promise that organizations are aware of and protected from the riskiest events? We’re pleased to announce that smart alerts, which help improve visibility of risky behavior and eliminate blind spots in sensitive data exposure for system admins, are coming soon to public preview.

 

Smart alerts are out-of-the-box alerts/insights for admins that are system generated and surface the top risks admins can triage as a priority. These are intelligent alerts that leverage various signals including user activity, source and target domains, across workloads and then combine them within and across solutions to flag high risk detections to system admins. They are not dependent on policies, and admins can benefit from these detections even if they don’t have policies in place.

 

Figure 4. View Smart Alerts incidents in the M365 Defender portal, part of the incident management queue for DLP.

 

Extending sensitivity labels to Outlook invites and Teams meetings for secure collaboration

For many organizations, highly confidential information may be discussed or shared in meetings, where the meeting content needs to be protected (e.g., mergers and acquisitions). We are pleased to announce the general availability of extending sensitivity labels to Outlook meeting invites, appointments, and Teams meetings. This feature helps organizations ensure that sensitive information is only shared with authorized individuals and that they are aware of the sensitivity level. This can also help address compliance with data protection regulations.

 

System admins can configure meeting settings for various sensitivity labels in the Microsoft Purview compliance portal, such as protecting and encrypting the meeting content (body and attachments) that meeting owners can apply to their meetings based on the sensitivity level. For a more detailed description of capabilities, check out these Outlook and Teams blogs that also describe the Teams Premium and other license requirements.

 

Figure 5. Apply a sensitivity label to classify and protect Teams meetings.

 

Figure 6. Add a watermark to prevent screenshots and taking photos of sensitive content shared onscreen.

 

Figure 7. Prevent copying Teams chat messages to other applications.

 

General availability of an enhanced pre-trained source code classifier  

Unauthorized exfiltration of source code by insiders can expose organizations to great risk of intellectual property loss and potential damages. In February we announced the public preview of this enhanced source code classifier that supports more extensions (70+), 23 programming languages, addresses customer inputs, and can detect embedded and partial source code and can even work on shorter text (approximately 50 words or phrases) in conversations in Teams and mail. We are pleased to announce that this source code classifier is now generally available and can be directly used in auto-labeling and data loss prevention policies.  

 

Figure 8. Screenshot of the new enhanced source code classifier in action with DLP policies.

 

Our recent GA of this and 23 other ready-to-use business category trainable classifiers helps organizations more quickly and comprehensively discover, label and protect massive volumes of sensitive data across their digital estate. These classifiers can detect some of the most critical sensitive content, such as IP and trade secrets, material non-public information, sensitive health and medical files, business-sensitive financial information and PII for GDPR compliance. Our engineering team leveraged Microsoft’s broad and deep machine learning expertise and leading frameworks, platforms and development environments, including proprietary and open-source platforms (e.g., PyTorch, ML.NET, Babel, ONNX), in the model generation, building, peer review, testing (including real-time testing) and feedback steps of the development workflow for these trainable classifiers.

 

To help provide you with an overview of which trainable classifiers to use for specific use cases and a short tutorial on machine learning, please check our new trainable classifiers eBook in the blog attachments below. For those who want a deeper technical dive, understand the process of how our engineering team built and optimized our ML-models, and how they can be used with our (Microsoft Purview) Information Protection, Data Loss Prevention, and Data Lifecycle Management compliance solutions, please check out our new trainable classifiers whitepaper in the attachments below. 

 

How to Get Started 

Get access to Microsoft Purview solutions directly in the Microsoft Purview compliance portal with a trial. By enabling the trial in the Purview compliance portal, you can quickly access these advanced classifiers. Visit your Microsoft Purview compliance portal for more details or check out the Microsoft Purview solutions trial.

 

1 Forrester, Security Concerns Security Priorities Survey 2020.

Simplify the lifecycle of sensitive data

Data security continues to be top of mind for business leaders. The high cost of data breaches concerns everyone, and these costs keep increasing each year. Let’s look at some of the data from 2022[1].

 

  • The worldwide average data breach cost was 4.35 million dollars per breach. This cost increased by almost 13% from 2020.
  • The average cost of destructive attacks is even higher. A destructive attack involves encrypting files, deleting data, or executing malicious code. The average cost of a destructive breach in 2022 was 5.12 million dollars, which is 16% higher than the cost of an average data breach.
  • A data breach is not a one-time event. The study data reports that 83% of organizations have experienced more than one data breach.
  • If we average the cost of a data breach across the number of sensitive files compromised, the cost per file averages $164. That is a lot of money for a single file.

Fortify data security with a defense in depth approach

As organizations think about protecting their sensitive data, they must create a defense-in-depth approach around it. A defense-in-depth approach uses many layers of security that work together to protect and secure your data. One of these layers is to govern the data lifecycle.

 

This layer helps to ensure that people can't accidentally or maliciously delete your sensitive data. It also helps to ensure the timely deletion of sensitive data in alignment with your organization's policies. It ensures that if you do have a data breach, you only have those files which still have business value in your environment, potentially lowering the overall cost of a breach and the cost per file.

 

Now let's get into our new feature announcements, which help to accomplish this vision. You can also watch our Microsoft Secure on-demand session covering these announcements here: https://aka.ms/DLM/SimplifyLifecycle

 

Scope the administration of Data Lifecycle Management

Today's first announcement is a new way to assign administrative privileges in the Microsoft Purview Data Lifecycle Management solution. Zero trust architecture suggests providing users with the least amount of administrative access they need to perform their job duties, called least privileged access. For example, operationalizing this best practice usually requires specifying different administrators for a specific geography, department, or business division.

 

Today, we announce the public preview of scoped administration in Data Lifecycle Management. Scoped administration leverages the Administrative Units feature in Azure Active Directory. Administrative units define which users can perform certain tenant-level functions for that unit. For example, you might have a unit for Germany, create a unit for the finance department, or use any other sub-division of your organization.

Example administrative units and Data Lifecycle Management admins

Scoped administration in Data Lifecycle Management enables you to assign an administrator to configure retention and label policies for one or more specific administrative units only. They can only see their administrative units' policies in the Microsoft Purview compliance portal. Previously, you could only assign a tenant-wide admin for Data Lifecycle Management.

 

The public preview of scoped administration for Data Lifecycle Management is coming in April 2023.

 

Leverage organization events in Data Lifecycle Management

Our second announcement enables organizations to use events from line-of-business applications and systems to manage the lifecycle of files. Today we announce the General Availability of our Microsoft Graph APIs to manage lifecycle events. For example, these new APIs can take a resignation event from an HR system and automatically record it in Microsoft Purview Data Lifecycle Management, triggering the appropriate deletion of data associated with that person.

An example employee resignation event automated with the Microsoft Graph APIs

You can now use our Data Lifecycle Management APIs with application or user permissions.

 

The Microsoft Graph API to manage event-based retention is Generally Available today in all commercial and government tenants.
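The resignation scenario above, as an added example in Python (not Microsoft's own code): the HR integration builds a retention event that carries the departing employee's identifier as the asset ID and keyword query, then posts it to the Graph beta retention events endpoint. The endpoint path, the microsoft.graph.security.retentionEvent body shape and the RecordsManagement.ReadWrite.All permission are my reading of the Graph beta reference and should be checked against current documentation; the event type ID, employee ID and token are placeholders.

```python
"""Record an HR resignation as a Purview Data Lifecycle Management retention event.

Added example, not Microsoft's code. The endpoint and body shape follow the
Microsoft Graph beta reference for microsoft.graph.security.retentionEvent as
I understand it; verify against current docs before relying on them.
"""
import json
import urllib.request
from datetime import datetime, timezone

GRAPH_BETA = "https://graph.microsoft.com/beta"
RETENTION_EVENTS_URL = f"{GRAPH_BETA}/security/triggers/retentionEvents"


def build_retention_event(employee_id, event_type_id, occurred_at, description=""):
    """Build the JSON body for a retention event raised by a resignation.

    employee_id   - identifier shared by the HR system and the retention labels
                    (the Asset ID stamped on the employee's files, and a keyword
                    present in their mailbox items), so the event scopes to their data.
    event_type_id - id of an existing retention event type such as
                    "Employee resignation" (placeholder; create it once in Purview
                    or via POST /security/triggerTypes/retentionEventTypes).
    occurred_at   - timezone-aware datetime of the resignation; retention periods
                    for the matched content start counting from here.
    """
    if occurred_at.tzinfo is None:
        raise ValueError("occurred_at must be timezone-aware")
    trigger_utc = occurred_at.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "@odata.type": "#microsoft.graph.security.retentionEvent",
        "displayName": f"Resignation of employee {employee_id}",
        "description": description or "Raised automatically by the HR system",
        "eventQueries": [
            # Files carrying a retention label whose Asset ID equals the employee id
            {"@odata.type": "#microsoft.graph.security.eventQuery",
             "query": employee_id, "queryType": "files"},
            # Exchange items whose content contains the employee id as a keyword
            {"@odata.type": "#microsoft.graph.security.eventQuery",
             "query": employee_id, "queryType": "messages"},
        ],
        "eventTriggerDateTime": trigger_utc,
        "retentionEventType@odata.bind":
            f"{GRAPH_BETA}/security/triggerTypes/retentionEventTypes/{event_type_id}",
    }


def record_retention_event(access_token, body):
    """POST the event using an app or delegated token that holds
    RecordsManagement.ReadWrite.All; returns the created event (id, eventStatus, ...)."""
    request = urllib.request.Request(
        RETENTION_EVENTS_URL,
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(request) as response:  # raises HTTPError on 4xx/5xx
        return json.load(response)


if __name__ == "__main__":
    # Constructed sample values; in production they come from the HR system and
    # from a token acquired with MSAL using the application's own credentials.
    event = build_retention_event(
        employee_id="EMP-000123",
        event_type_id="<retention-event-type-id>",
        occurred_at=datetime(2023, 3, 31, 17, 0, tzinfo=timezone.utc),
    )
    print(json.dumps(event, indent=2))
    # created = record_retention_event("<access-token>", event)
```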

 

Integrate Data Lifecycle Management into business processes

Our third announcement helps you integrate lifecycle management into your existing business processes using Power Automate. Today we are releasing a new Power Automate action to apply a retention label to files in SharePoint and OneDrive as a step in any workflow.

 

Applying a retention label to a file using an automated workflow ensures your organization follows these policies consistently. You don't have to rely on an end user to remember to act. You can add this action to your existing Power Automate workflows or create a new flow. Power Automate uses a visual no-code interface where you can automate your processes using a trigger and actions.

 

Our new Power Automate action to apply a retention label to files in SharePoint and OneDrive is now available in Public Preview in all commercial tenants and is coming soon to government tenants.

 

Please let us know what you think of these announcements in the comments!

 


A proactive and comprehensive approach to data security with Microsoft Purview Data Loss Prevention

In today’s modern workplace, data security incidents can happen at any time as users collaborate on data across a myriad of networks, devices, and applications. The volume of data, the people who interact with it, and the activities around it are all constantly changing. All of this means that data security risks are increasing rapidly, and many organizations are struggling to keep up with their limited resources. This comes at a time when a recent Microsoft study showed that two in five security leaders feel at extreme risk due to the cybersecurity staff shortage [1]. Organizations are looking for a solution that provides comprehensive coverage across apps and devices to address these risks and is also easy to deploy and manage.

At Microsoft, we are committed to providing a unified and cloud-native solution that can help you prevent the loss of your sensitive data across your applications, services, and devices without the need to deploy and maintain costly infrastructure or agents. Microsoft Purview Data Loss Prevention (DLP) is an integrated and extensible offering that allows organizations to manage their DLP policies from a single location and has a familiar user experience for both administrators and end users. DLP is easy to turn on, doesn't require any agents, and has protection built into Microsoft 365 cloud services, Office apps, Microsoft Edge (on Windows and Mac), and endpoint devices. DLP controls can also be extended to the Chrome and Firefox browsers through the Microsoft Purview extension, and to various non-Microsoft cloud apps such as Dropbox, Box, Google Drive, and others through the integration with Microsoft Defender for Cloud Apps.

 

Today, we are extremely excited to announce several new capabilities in public preview in Microsoft Purview DLP across three categories:

  1. Increasing the depth of protection to help protect all types of sensitive information with comprehensive coverage, including support for optical character recognition (OCR), fingerprinting, proactive protection on endpoint devices, support for password-protected 7zip and .rar files, and enhancements to the policy enforcement engine.
  2. Further extending protection to additional planes and platforms to help support your diverse digital estate, including virtualized environments and remote and mapped network drives, as well as making endpoint DLP on macOS comprehensive.
  3. Empowering admins and users to be efficient by making their everyday tasks easier and educating them to better handle sensitive information, including enhancements to policy tips for Windows, visibility into device deployment and policy sync status, matched conditions in DLP policies, and the document that resulted in a DLP policy match on the endpoint.

These capabilities will be rolling out to tenants in the coming weeks.

 

Increasing the depth of protection

The first capability in this category is support for optical character recognition (OCR). The DLP engine will be able to extract text from images, quickly recognize whether the image contains sensitive information such as credit card or social security numbers, and prevent users from sharing such images. OCR will be available across Exchange Online, SharePoint Online, OneDrive for Business, Teams, and Windows endpoints, and supports over 150 languages. You can enable OCR on the Settings page of the Microsoft Purview compliance portal.

Figure 1: Blocking a user from sending a screen capture of a sensitive document in Microsoft Teams

Further expanding the classification types, we are making several enhancements to the fingerprinting capabilities, including extending support for document fingerprinting to additional workloads such as SharePoint Online, OneDrive, Teams, and Windows endpoints. You will now be able to:

  • Create a fingerprint sensitive information type (SIT) from within the Data classification page in the Microsoft Purview compliance portal. You will also be able to set confidence thresholds (high, medium, low) for the percentage of text that the SIT should detect in the document and configure different restrictions based on the thresholds
  • Edit and test the fingerprint so that you can fine tune it before rolling it out to your organization
  • Use the fingerprint as you would any other SIT in the content contains condition as you configure your DLP policies

If you are already using Fingerprint SITs today, you can migrate them using the new user experience in the Microsoft Purview compliance portal or PowerShell. 

Figure 2: Blocking a fingerprint SIT on a Windows endpoint
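As an added example, not Purview's own implementation (the real fingerprinting algorithm is not published), the following Python sketches how a fingerprint SIT with high/medium/low thresholds can be built from a form template and evaluated against documents: the fraction of the template's hashed word trigrams found in a document is mapped to a confidence level and then to a restriction. The thresholds, the action mapping and all sample texts are constructed for illustration.

```python
"""Document fingerprint SIT matching with confidence thresholds.

Added example, not Microsoft's implementation: Purview's fingerprinting
algorithm is not published, so this uses hashed word trigrams (shingles) to
measure what fraction of a form template's text survives in a document and
maps that fraction to high/medium/low confidence. Thresholds, the mapping to
restrictions and the sample texts are constructed for the example.
"""
import hashlib
import re

SHINGLE_WORDS = 3

# Assumed thresholds: minimum fraction of template shingles found in the document.
CONFIDENCE_THRESHOLDS = {"high": 0.80, "medium": 0.60, "low": 0.40}

# Assumed restriction per confidence level (the post says restrictions can differ per threshold).
ACTION_BY_CONFIDENCE = {"high": "block", "medium": "block_with_override", "low": "audit"}


def shingles(text, k=SHINGLE_WORDS):
    """Hash every run of k consecutive words; case and punctuation are ignored."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {
        hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()[:16]
        for i in range(len(words) - k + 1)
    }


def build_fingerprint(template_text):
    """The fingerprint is only the set of hashed shingles; the template text is not kept."""
    fingerprint = shingles(template_text)
    if not fingerprint:
        raise ValueError("template is too short to fingerprint")
    return fingerprint


def match_fraction(fingerprint, document_text):
    """Fraction of the template's shingles that occur in the document (0.0 to 1.0)."""
    return len(fingerprint & shingles(document_text)) / len(fingerprint)


def confidence_level(fraction, thresholds=CONFIDENCE_THRESHOLDS):
    """Highest confidence level whose threshold the fraction reaches, or None."""
    for level in ("high", "medium", "low"):
        if fraction >= thresholds[level]:
            return level
    return None


def evaluate(fingerprint, document_text):
    """Return (confidence level or None, matched fraction, action or 'allow')."""
    fraction = match_fraction(fingerprint, document_text)
    level = confidence_level(fraction)
    return level, fraction, ACTION_BY_CONFIDENCE.get(level, "allow")


def fill(template, values):
    """Replace the blank fields of a form template with the given values, in order."""
    for value in values:
        template = template.replace("____", value, 1)
    return template


# Constructed form template, as an admin would upload it to create the fingerprint SIT.
TEMPLATE = """Confidential Compensation Review Form
This form is used to record the annual compensation decision for an employee and must be completed by the direct manager.
Employee name: ____
Employee ID: ____
Annual base salary: ____
Bonus target percent: ____
Manager approval signature and date: ____
This document contains confidential personnel information and must not be distributed outside the compensation review process."""

# Constructed test documents: a completed copy, two partial copies and unrelated text.
FILLED_FORM = fill(TEMPLATE, ["Jane Doe", "4471", "95000", "10", "2023-03-30"])
FORM_WITHOUT_FOOTER = TEMPLATE.split("\nThis document")[0]
HEADER_ONLY = "\n".join(TEMPLATE.splitlines()[:2])
UNRELATED = ("Quarterly marketing newsletter: our team shipped three campaigns "
             "this quarter and the results were great. Thanks to everyone who contributed.")

if __name__ == "__main__":
    fingerprint = build_fingerprint(TEMPLATE)
    for name, doc in [("filled form", FILLED_FORM), ("no footer", FORM_WITHOUT_FOOTER),
                      ("header only", HEADER_ONLY), ("unrelated", UNRELATED)]:
        level, fraction, action = evaluate(fingerprint, doc)
        print(f"{name:12} matched {fraction:.0%} -> confidence {level}, action {action}")
```

Filling in the form's fields breaks only the shingles that straddle a field, so the completed copy still matches at high confidence while partial excerpts land in the medium and low bands.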

Additionally, we are announcing just-in-time protection, a capability that enables you to proactively protect files on your Windows endpoint devices. With this capability, every document on your endpoint is scanned at the time of egress to determine its sensitivity, regardless of whether it is already known to contain sensitive information and regardless of when it was created or modified. If the file being egressed has sensitive content that violates any of your DLP policy rules, the appropriate restrictions are applied; if the file doesn’t contain any sensitive content, the action is allowed. This provides proactive protection at the time of egress for files on your endpoint devices that might not have been touched for a long time but could contain sensitive information. Learn more here.

Figure 3: Configure scope and behavior for just-in-time protection

Figure 4a: An old document being proactively blocked from being uploaded to the cloud until its sensitivity is determined

Figure 4b: Upload is successful once the document is assessed to contain non-sensitive content and the action is tried again

The next capability provides organizations the ability to detect the presence of password protected 7zip and .RAR files on the endpoint devices and configure specific restrictions for these files. This can be done by leveraging the condition ‘Document or attachment is password protected’. Learn more here.

 

And finally, we have enhanced policy enforcement for files on Windows endpoint devices so that when a file matches multiple DLP rules, the most restrictive action among those rules applies. Block is the most restrictive, followed by block with override, and then audit; the rule with the most restrictive action is applied when an egress activity is performed on a sensitive file on an endpoint device. Learn more here.
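To make the precedence concrete, here is an added example (not Microsoft's code) that evaluates a constructed endpoint policy of three rules against a file's classification results and returns the action that wins under the ordering block > block with override > audit. Rule scoping to egress activities is included because a rule that does not cover the activity cannot contribute its action; rule names, sensitive information type names and instance counts are constructed.

```python
"""Effective endpoint DLP action when several rules match one file.

Added example, not Microsoft's code. Models the precedence the post describes
for Windows endpoint devices: block beats block with override, which beats
audit. Rules, classification counts and activities below are constructed.
"""
from dataclasses import dataclass

# Higher value = more restrictive. Only the three actions named in the post are modelled.
RESTRICTIVENESS = {"audit": 1, "block_with_override": 2, "block": 3}

ANY_EGRESS = frozenset({"print", "copy_to_usb", "upload_to_cloud", "copy_to_clipboard"})


@dataclass(frozen=True)
class DlpRule:
    name: str
    sit: str               # sensitive information type the rule looks for
    min_instances: int     # instance count needed for the rule to match
    action: str            # audit | block_with_override | block
    activities: frozenset  # egress activities the rule restricts


def matching_rules(rules, detected, activity):
    """Rules whose SIT was found at least min_instances times and that cover this activity.

    detected maps SIT name -> number of instances the classifier found in the file.
    """
    return [rule for rule in rules
            if activity in rule.activities
            and detected.get(rule.sit, 0) >= rule.min_instances]


def effective_action(rules, detected, activity):
    """Return (action to enforce, names of all matched rules); 'allow' when nothing matches."""
    matched = matching_rules(rules, detected, activity)
    if not matched:
        return "allow", []
    winner = max(matched, key=lambda rule: RESTRICTIVENESS[rule.action])
    return winner.action, sorted(rule.name for rule in matched)


# Constructed policy: two overlapping credit card rules and one SSN rule scoped to USB only.
POLICY = [
    DlpRule("Audit any credit card number", "CreditCardNumber", 1, "audit", ANY_EGRESS),
    DlpRule("Warn on bulk credit card numbers", "CreditCardNumber", 5,
            "block_with_override", ANY_EGRESS),
    DlpRule("Block SSNs leaving on removable media", "USSocialSecurityNumber", 1,
            "block", frozenset({"copy_to_usb"})),
]

# Constructed classification results for four files.
INVOICE = {"CreditCardNumber": 2}
CARD_EXPORT = {"CreditCardNumber": 40}
HR_RECORD = {"CreditCardNumber": 1, "USSocialSecurityNumber": 3}
MEETING_NOTES = {}

if __name__ == "__main__":
    cases = [("invoice", INVOICE, "print"),
             ("card export", CARD_EXPORT, "upload_to_cloud"),
             ("HR record", HR_RECORD, "copy_to_usb"),
             ("HR record", HR_RECORD, "print"),
             ("meeting notes", MEETING_NOTES, "copy_to_usb")]
    for label, detected, activity in cases:
        action, names = effective_action(POLICY, detected, activity)
        print(f"{label:14} {activity:16} -> {action:20} matched: {names}")
```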

 

Extending protection to additional planes

We understand that most customers have a multicloud and multiplatform strategy, and we are investing heavily to support that reality. We are excited to share that organizations can now extend the existing protection for sensitive files resting on endpoint devices, covering actions such as print, copy to USB, upload to cloud, copy to clipboard, and more, to virtualized environments including Windows Virtual Desktop, Citrix, AWS WorkSpaces, and Hyper-V platforms. Organizations can now protect sensitive data accessed via single- and multi-session Windows 10 and 11 environments across several virtualized environments. Learn more here.

Figure 5: Sensitive content is blocked from printing on a Citrix virtual machine

Next, we are also extending DLP protection to sensitive files stored on network shares. With this capability, common egress actions such as copy to USB, print, upload to cloud, and more on files containing sensitive information in network locations can be restricted according to your organization’s DLP policies. Learn more here.

Figure 6: Blocking copy to USB of a sensitive document stored in a network share

In addition, we are continuing to make the DLP solution on macOS comprehensive. You will now be able to protect against the exfiltration of sensitive files over Bluetooth on Mac devices. We are also adding the flexibility to create groups of apps and configure how each app may access sensitive data as you define your DLP policy for Mac devices. Additionally, you will be able to customize notifications and policy tips to better educate users on handling sensitive data while using Mac devices.

Figure 7: Preventing exfiltration over Bluetooth on macOS

Lastly, we are also announcing support for advanced classification on Mac devices, which enables you to leverage classification techniques such as fingerprinting, exact data match, trainable classifiers, named entities, and more to detect sensitive content on Mac devices. Learn more about the capabilities supported on Mac devices here.

Empowering admins and users to be efficient

Empowering admins to effectively perform their day-to-day tasks and educate end users to better handle sensitive data is critical to effective protection of data. Admins will now be able to see additional details about the device health as well as configuration status of all onboarded endpoint devices in the Device Onboarding tab in the Microsoft Purview compliance portal. Admins will get rich contextual information about the health of the device and visibility into which policies have synced to and apply on files for that device, allowing them to quickly identify and remediate any device misconfigurations as well as debug and self-heal common issues in their endpoint devices setup. 

Figure 8: Details on device deployment and policy sync status

We have heard from customers that they need granular visibility into the exact cause of a DLP policy violation in order to remediate it quickly. In addition to the matched sensitive content and surrounding metadata, which we already provide, we are excited to share that DLP admins will now get visibility into the matched DLP conditions configured as part of DLP policies, such as ‘Document type/extension is’, ‘Recipient or sender is a member of’, ‘Subject contains words’, ‘Content is received from’ and more, in the events tab on the DLP Alerts page. The same information about the matched condition will also be available in the DLP alerts in the Microsoft Purview Audit logs, the Microsoft 365 Defender portal, and the Office 365 Management Activity API. Learn more here.
Figure 9: DLP alerts showing the matched condition

In addition to the matched condition, we are also providing visibility into the document that resulted in the DLP policy match on the Windows endpoint. This level of visibility will enable organizations to better triage false positives and fine tune their DLP policies to reduce noise. Additionally, in situations where the DLP alerts need further investigation, admins will be able to easily investigate the matched content and use it in case escalations. Customers will be able to provide a custom location as part of endpoint DLP settings where the files violating DLP policies will be stored. A link to the file uploaded on the customer-provided location will be made available as a part of the alert metadata at the time of investigation. Follow the steps below to get started:

  1. Navigate to endpoint DLP settings page in Microsoft Purview compliance center and enable the Store, which is turned off by default.
  2. Provide a valid URL to the Azure blob storage.
  3. Create and scope the policy to file activities for which you need to capture the original copy of the file.
  4. Navigate to the Activity Explorer page on the DLP tab and click on Details tab to view the link to file.

Figure 10a: Adding an Azure blob storage in endpoint DLP settings

 

Figure 10b: Selecting the actions for which collection needs to be enabled as part of the DLP policy authoring

Recent research showed that 52% of respondents said educating their employees on safe data handling practices was a big challenge[2]. Microsoft Purview DLP has long supported policy tips and user notification, which educate users in real time when they are about to take a policy violating action, thus helping minimize the risk of accidental data loss. Administrators can configure policy tips such that users can be warned, blocked from performing the action, or blocked but allowed to perform the action with justification. Today, we are excited to share enhancements to the DLP policy tips for Outlook desktop for Windows. Users will now be able to see policy tips when working with advanced classifiers such as named entities, exact data match, credential scans, as well as trainable classifiers. Additionally, we are adding eight new predicates including ‘Sender is’, ‘Sender is a member of’, ‘Sender domain is’, ‘Recipient is’, ‘Recipient is a member of’, ‘Recipient domain is’, ‘Content contains sensitivity label’, and ‘Subject contains words’. As an example, you can now configure DLP policies such that if a user in your finance team is sending a labeled email on Outlook, the DLP engine will be able to analyze it and show the appropriate policy tip. 
Currently these enhancements are available to E5 users in online mode with connected experiences turned on in Outlook settings. We will be making these capabilities available to Outlook on the web and other Office apps in the coming months. 
Figure 11: Policy tip triggered as the user is trying to share an email with a specific sensitivity label and sensitive financial content with a user in an untrusted domain

 


In addition to these public preview capabilities, we are also announcing the general availability of:

  • Microsoft Purview Extension for Firefox to help organizations prevent sensitive data exfiltration while using the Firefox browser. With this capability users are automatically alerted when performing a risky action such as uploading a sensitive file to an unsanctioned application or printing sensitive content and are provided with actionable policy tips and remediation guidance. Learn more here.
  • Contextual summary, including matched sensitive content and surrounding characters for DLP incidents and alerts for sensitive files on Windows endpoint devices. You can see the contextual evidence for Microsoft Office and PDF file matches on endpoint devices in the following places:
    1. In audit logs within activity explorer for DLP rule matches
    2. In the events details in DLP alerts page in the Microsoft Purview compliance portal
    3. In Microsoft 365 Defender portal as part of the DLP events details 

Learn more here.

And finally, we have made enhancements (in public preview) to the Microsoft Purview DLP migration assistant for Symantec including

  1. checking if a SIT already exists before creating an identical SIT during the migration process,
  2. ability to include multiple keyword pairs in a DLP rule condition, and
  3. support for policy, file, and SIT names in additional languages such as Chinese, Japanese, Filipino, French, Spanish, German and more.

You can learn more about the migration assistant here and download it here.

 

Get started!

Get started today by turning on endpoint DLP, which is built into Windows 10 and 11 and doesn’t require on-premises infrastructure or an agent. Learn more about endpoint DLP here. You can try Microsoft Purview DLP and other Microsoft Purview solutions directly in the Microsoft Purview compliance portal with a free trial.

 

And don’t forget to watch the Microsoft Secure Breakout sessions - BRK31: Building out your data protection strategy and BRK32: Secure data with an intelligent and people-centric approach that showcase the new DLP capabilities.

Additional resources

And, lastly, join the Microsoft Purview DLP Customer Connection Program (CCP) to get information and access to upcoming capabilities in private previews in Microsoft Purview Data Loss Prevention. An active NDA is required. Click here to join.

We look forward to your feedback!

 

Thank you,

The Microsoft Purview Data Loss Prevention Team

 

[1] “Cyber Resilience”. May 2021, Microsoft Security Insider
[2] Survey of 297 DLP professionals at U.S. enterprise organizations, December 2022 by Concentrix, commissioned by Microsoft

Manage the most critical data security risks inside your organization with intelligent automation

Data security incidents are commonly caused by insider actions, which account for nearly 35% of all unauthorized incidents*. Even the strongest cybersecurity programs can be undermined by insiders who either intentionally or unintentionally compromise an enterprise. Insider risks such as data leakage and data theft are particularly common, and addressing them has become crucial for all organizations, especially in today’s hybrid work environment. Gartner® predicts, “By 2025, insider risk will cause 50% of organizations to adopt formal programs to manage it, up from 10% today.”**

 

Combating evolving data security risks requires a concerted effort across the organization to mitigate user error and malfeasance. In fact, Bret Arsenault, Microsoft’s Chief Information Security Officer, recently shared four lessons on managing insider risks within a company in a new Harvard Business Review article, Your Biggest Cybersecurity Risks Could Be Inside Your Organization. He explained how he matured a small internal initiative into a business unit that reports directly to the CEO, emphasizing the importance of proactively managing the risks posed by insiders.

 

In the article, Arsenault highlighted how machine learning tools helped his team do more with less, and how adaptive security capabilities can detect risky activities and mitigate potential impact while maintaining productivity. Research shows that organizations with fully deployed AI/ML and automation security technologies experienced almost 65.2% lower costs when a data breach happened than those with no AI/ML and automation deployed***. By combining human expertise with the power of technology, we can work toward a safer, more secure digital future.

 

With this in mind, we are pleased to announce the public preview of new features to help organizations manage insider risks more effectively by leveraging intelligence through AI/ML and automation:

  • Leverage Optical Character Recognition (OCR) to detect insider risks around sensitive data in image formats
  • Fine-tuning insider risk policies with real-time analytics
  • Reduce noise with automated email signature exclusion

 

Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage, and security violations. Insider Risk Management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.

 

Leverage OCR to detect insider risks around sensitive data in image formats
Sensitive data can take many forms beyond text, including images such as driver's licenses and scanned contracts saved in PDF format. We're pleased to announce that Insider Risk Management now supports the detection of risky activities around images and PDFs containing sensitive data in SharePoint, Teams messages, and endpoints. This is made possible through the AI/ML-powered Optical Character Recognition (OCR) technology, which can extract text from images and PDFs and support over 150 languages. By leveraging OCR, which is also supported in Microsoft Purview Information Protection and Data Loss Prevention, Insider Risk Management can help detect potential data leaks or theft and mitigate the risk of data exfiltration. This announcement underscores our commitment to providing an integrated platform approach to fortifying data security.

 

Figure 1: Insider Risk Management detects a potential personal data leak in image formats

 

Fine-tuning insider risk policies with real-time analytics
As organizations have varying risk appetites and evolving priorities, detecting insider risks that may lead to a data security incident cannot be a one-size-fits-all approach. Customizing policies is essential but fine-tuning them can be a frustrating and time-consuming task. Typically, admins have to wait for several days to see if the policy works as expected.

 

With a new update set to roll out in the next few weeks, admins can leverage real-time analytics in the policy wizard to help predict the number of users that could potentially match a given set of policy conditions. This feature enables admins to quickly adjust the selection of indicators and thresholds of activity occurrence, so they can efficiently translate their insider risk strategies into pragmatic controls. This update is yet another step toward making the process of detecting and mitigating insider risk more efficient for organizations.

 

Figure 2: The policy wizard estimates the number of users who will match the policy condition in real time

 

Reduce noise with automated email signature exclusion
We understand that noisy alerts can make the investigation process frustrating. In our last blog, we announced deduplication for the 13 most common signals, including SharePoint file download, file print, and file upload to cloud. In addition to noise from the system itself, another major source of noise is email signatures, which are often detected as email attachments, leading to false positives for users who appear to be sending potentially confidential files via email.

 

We are excited to announce the public preview of the email signature exclusion feature, which will be rolled out in the next few weeks. With this feature, admins will no longer need to manually dismiss alerts that involve email signatures. Once admins opt-in to email signature exclusion in insider risk settings, policies will automatically exclude email signatures as potentially risky activities, improving the accuracy and efficacy of insider risk alerts.

 

Figure 3: Admins can turn on email signature exclusion in insider risk settings

 

NTT Communications addresses insider risk with Microsoft Purview
Data security is a top priority for many organizations, and NTT Communications Corporation, based in Tokyo, Japan, is no exception. To enhance the protection of its information assets and mitigate evolving threats, NTT Communications adopted a new approach that leverages Microsoft Purview. One of the primary focuses was on improving the transparency of internal risks, which was enabled by Microsoft Purview Insider Risk Management and Microsoft Purview Information Protection.

 

“We completed our Information Protection and Insider Risk Management deployments thanks to the high affinity of features within the comprehensive package of Microsoft 365 E5. We were successful in achieving satisfactory results within six months after deployment.” – Hideharu Inoue, Information Systems Department Supervising Director, Digital Transformation Promotion Division, NTT Communications Corporation

 

You can learn more about their story in this article.

 

Get started with Insider Risk Management today
We are thrilled to share these announcements with you. Here is a summary of next steps and other resources to help you and your organization get started with these capabilities:

  • Watch the Microsoft Secure breakout session: Secure data with an intelligent and people-centric approach, where I introduced and demonstrated Adaptive Protection in Microsoft Purview, the new capability that leverages more than 100 built-in and ready-to-use indicators and machine learning models in Insider Risk Management to help understand how users are interacting with data, assign risk levels and automatically tailor DLP controls.
  • Learn more about Insider Risk Management in our technical documentation.
  • Insider Risk Management is part of the Microsoft Purview suite of solutions designed to help organizations manage, govern and protect their data. If you are an organization using Microsoft 365 E3 and would like to experience Insider Risk and other Purview solutions for yourself, check out our E5 Purview trial.
  • If you own Insider Risk Management and are interested in learning more about it, using it to understand your environment, building policies for your organization, or investigating potentially risky user actions, check out the resources available on our “Become an Insider Risk Management Ninja” resource page.

- Erin Miyake, Principal Product Manager, Microsoft Purview Insider Risk Management

 

*Insider threat peaks to highest level in Q3 2022
**Gartner, Predicts 2023: Cybersecurity industry focuses on the human deal, Jan 25, 2023
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.
***Cost of a Data Breach, IBM, 2022

Tech Accelerator: Microsoft Secure & Microsoft Intune Suite - April 11-13

We're so excited to announce the Microsoft Tech Accelerator, coming to you live April 11-13, 2023. This virtual event is focused on providing organizations and IT professionals with technical depth so they can use our products successfully. We'll also feature a closer look at everything that was presented at Microsoft Secure. Join us for three days of demos, technical deep dives, and, of course, everyone's favorite – Ask Microsoft Anything (AMA).

All sessions will be streamed live on the Microsoft Tech Community, Twitter, and YouTube. Tune in, ask ALL the questions, skill up, and have fun. Registration is not required. RSVP to stay up to date on the events and add individual sessions to your calendar.

Microsoft Intune Suite (April 11-12)

The Microsoft Intune Suite is now generally available, providing a set of advanced endpoint and security management solutions unified in Microsoft Intune. And, as you are always our number one priority, we are committed to equipping you with the information and technical details needed to adopt these new advanced solutions. To get up to speed on all the great features within the Intune Suite, we invite you to visit the Tech Accelerator: Microsoft Intune Suite page to RSVP and start building your schedule.

Microsoft Secure (April 13)

We hope you were able to join us at Microsoft Secure! As a follow-up, we will be hosting a deeper dive into the content that was presented and give you the chance to ask our product teams questions. Our goal is to equip you with the technical information that will help you and your team implement our comprehensive security solutions in your business. We invite you to visit the Microsoft Secure Tech Accelerator page to RSVP and start building your schedule!

Day 1: Tech Accelerator – Microsoft Intune Suite (April 11, 2023)

  Time          Session
  8:00 AM PDT   Behind the tech: Unpacking the Intune Suite
  9:00 AM PDT   Limit your attack surface with Endpoint Privilege Management
  9:30 AM PDT   Prioritize the user's technology experience with advanced Endpoint analytics
  10:00 AM PDT  Keep apps secure and updated with advanced app management and patching
  10:30 AM PDT  Ask Microsoft Anything: Microsoft Intune Suite

Day 2: Tech Accelerator – Microsoft Intune Suite (April 12, 2023)

  Time          Session
  8:00 AM PDT   Remote Help for Windows: Secure and trusted helpdesk support
  8:30 AM PDT   Remote Help for Android: Support dedicated devices from anywhere
  9:00 AM PDT   Embracing BYOD with Microsoft Tunnel for Mobile Application Management
  9:30 AM PDT   Ask Microsoft Anything: Microsoft Intune Suite

Day 3: Tech Accelerator – Microsoft Secure (April 13, 2023)

  Time          Session
  7:00 AM PDT   Ask Microsoft Anything: SIEM and XDR
  7:30 AM PDT   Microsoft Defender threat intelligence and Sentinel integration deep dive
  8:00 AM PDT   Protecting your user identities
  8:30 AM PDT   The value of identity governance
  9:00 AM PDT   Ask Microsoft Anything: Safeguard privacy with Microsoft Priva
  9:30 AM PDT   Ask Microsoft Anything: Secure data with an intelligent and people-centric approach
  10:00 AM PDT  Information protection and DLP
  10:30 AM PDT  Ask Microsoft Anything: Azure network security
  11:00 AM PDT  Implementing Defender for Cloud, Microsoft's CNAPP to embed security from code to cloud

Leverage Azure Recovery Services Vault for rapid recovery

Sometimes success in life depends on little things that seem easy. So easy that they are often overlooked or underestimated for some reason. This also applies to life in IT. For example, just think about this simple question: "Do you have a tested and documented Active Directory disaster recovery plan?”

 

This is a question we, as Microsoft Global Compromise Recovery Security Practice, ask our customers whenever we engage in a Compromise Recovery project. The aim of these projects is to evict the attacker from compromised environments by revoking their access, thereby restoring confidence in these environments for our customers. More information can be found here:  CRSP: The emergency team fighting cyber attacks beside customers - Microsoft Security Blog

Nine out of ten times the customer replies: "Sure, we have a backup of our Active Directory!", but when we dig a little deeper, we often find that while Active Directory is backed up daily, an up-to-date, documented, and regularly tested recovery procedure does not exist. Sometimes people answer: "Well, Microsoft provides instructions on how to restore Active Directory somewhere on docs.microsoft.com, so if anything happens that breaks our entire directory, we can always refer to that article and work our way through. Easy!" To this we say: an Active Directory recovery can be painful and time-consuming, and is often not easy.

 

You might think that the likelihood of needing a full Active Directory recovery is small. Today, however, the risk of a cyberattack against your Active Directory is higher than ever, so the chances that you will need to restore it have increased. We now even see ransomware encrypting Domain Controllers, the servers that Active Directory runs on. All this means that you must ensure readiness for this event.

 

Readiness can be achieved by testing your recovery process in an isolated network on a regular basis, to make sure everything works as expected while allowing your team to practice and verify all the steps required to perform a full Active Directory recovery.

 

Consider the security aspects of the backup itself, as it is crucial to store backups safely, preferably encrypted, restricting access to only trusted administrative accounts and no one else!

You must have a secure, reliable, and fast restoration procedure, ready to use when you most need it.

 

Azure Recovery Services Vault can be an absolute game changer for meeting all these requirements, and we often use it during our Compromise Recovery projects, which is why we are sharing it with you here. Note that the intention here is not to write up a full Business Continuity Plan. Our aim is to help you get started and to show you how you can leverage the power of Azure.

 

The process described here can also be used to produce a lab containing an isolated clone of your Active Directory. In Compromise Recovery projects, we often use these techniques not only to verify the recovery process but also to give ourselves a cloned Active Directory lab for testing the hardening measures that are the aim of a Compromise Recovery.

 

What is needed

This high-level schema shows you all the components that are required:

 

[Image: high-level schema of the required components (Erik_Thie_0-1679668530379.jpeg)]

 

At least one production DC per domain in Azure

We assume that you have at least one Domain Controller per domain running on a VM in Azure, as many of our customers do today. This unlocks the features of Azure Recovery Services Vault that speed up your Active Directory recovery.

 

Note that backing up two Domain Controllers per domain improves redundancy, as you will have multiple backups to choose from when recovering. This is another point in our scenario where Azure Recovery Vault’s power comes through, as it allows you to easily manage multiple backups in one single console, covered by common policies.

 

Azure Recovery Services Vault

We need to create an Azure Recovery Services Vault; to be precise, a dedicated Recovery Services Vault for all "Tier 0" assets, placed in a dedicated Resource Group. (Tier 0 assets are the most sensitive, highest-level administrative assets, including accounts, groups and servers, control of which would lead to control of your entire environment.)

 

This Vault should reside in the same region as your “Tier 0” servers, and we need a full backup of at least one Domain Controller per domain.

 

Once you have this Vault, you can include the Domain Controller virtual machine in your Azure Backup.

 

Recovery Services vaults are based on the Azure Resource Manager model, which provides features such as:

  • Enhanced capabilities to help secure backup data: with Recovery Services Vaults, Azure Backup provides security capabilities to protect cloud backups, including the encryption of backups mentioned above.
  • Central monitoring for your hybrid IT environment: with Recovery Services Vaults, you can monitor not only your Azure IaaS virtual machines but also your on-premises assets from a central portal.
  • Azure role-based access control (Azure RBAC): Azure RBAC provides fine-grained access management in Azure. Azure Backup has three built-in RBAC roles to manage recovery points, which lets you restrict backup and restore access to a defined set of user roles.
  • Soft delete: with soft delete, backup data is retained for 14 additional days after deletion, so even if a backup is removed accidentally, or by a malicious actor, you can recover it. These additional 14 days of retention in the "soft delete" state do not incur any cost.

Find more information on the benefits in the following article: What is Azure Backup? – Azure Backup | Microsoft Docs

 

Isolated Restore Virtual Network

Another thing we need is an isolated network portion (the “isolatedSub” in the drawing) to which we restore the DC. This isolated network portion should be in a separate Resource Group from your production resources, along with the newly created Recovery Services Vault.

 

Isolation means no network connectivity whatsoever to your production networks! A restored Domain Controller is the target of your forest recovery cleanup actions; if you inadvertently allow it to replicate with your running production Active Directory, the impact on your entire IT infrastructure will be serious. Isolation is achieved by not implementing any peering, and of course by avoiding any other connectivity solutions such as VPN Gateways. Involve your networking team to ensure that this point is correctly covered.

 

Bastion Host in Isolated Virtual Network

The last thing we need is a secure remote connection to the restored virtual machine, which becomes the first domain controller of the restored Active Directory. To get around the isolation of the restore VNet, we use an Azure Bastion host to access this machine.

 

Azure Bastion is a fully managed Platform as a Service that provides secure and seamless RDP and SSH access to your virtual machines directly through the Azure Portal, using private IP addresses only, so the virtual machines need no public Internet exposure.

 

[Image: Erik_Thie_1-1679668530385.png]

Azure Bastion | Microsoft Docs
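As an added example that is not part of the original article, the following Az PowerShell script provisions the components described in this section: a dedicated Tier 0 Resource Group and Recovery Services Vault with soft delete confirmed, the isolated restore VNet with its AzureBastionSubnet, and the Bastion host, and then checks that the VNet has no peering or gateway before it is used. Resource names, the region and the address ranges are assumptions.

```powershell
# Added example (not from the original article). Requires the Az module and an
# authenticated session (Connect-AzAccount). All names and ranges are assumptions.
$location  = 'westeurope'
$tier0Rg   = 'rg-tier0-recovery'      # dedicated RG for the vault and the restore VNet
$vaultName = 'rsv-tier0'
$vnetName  = 'vnet-isolated-restore'

New-AzResourceGroup -Name $tier0Rg -Location $location -Force | Out-Null

# 1. Recovery Services Vault; confirm soft delete (14-day grace period) is on.
$vault = New-AzRecoveryServicesVault -Name $vaultName -ResourceGroupName $tier0Rg -Location $location
Set-AzRecoveryServicesBackupProperty -Vault $vault -BackupStorageRedundancy GeoRedundant
$props = Get-AzRecoveryServicesVaultProperty -VaultId $vault.ID
if ($props.SoftDeleteFeatureState -ne 'Enabled') {
    Set-AzRecoveryServicesVaultProperty -VaultId $vault.ID -SoftDeleteFeatureState Enable
}

# 2. Isolated VNet: one subnet for the restored DC ("isolatedSub" in the drawing)
#    plus the mandatory AzureBastionSubnet. No peering, no GatewaySubnet, no VPN.
$isolatedSub = New-AzVirtualNetworkSubnetConfig -Name 'isolatedSub' -AddressPrefix '10.250.0.0/24'
$bastionSub  = New-AzVirtualNetworkSubnetConfig -Name 'AzureBastionSubnet' -AddressPrefix '10.250.1.0/26'
$vnet = New-AzVirtualNetwork -Name $vnetName -ResourceGroupName $tier0Rg -Location $location `
    -AddressPrefix '10.250.0.0/16' -Subnet $isolatedSub, $bastionSub

# 3. Bastion host: RDP/SSH to the restored DC over its private IP, via the portal.
$pip = New-AzPublicIpAddress -Name 'pip-bastion-restore' -ResourceGroupName $tier0Rg `
    -Location $location -AllocationMethod Static -Sku Standard
New-AzBastion -ResourceGroupName $tier0Rg -Name 'bas-isolated-restore' `
    -PublicIpAddress $pip -VirtualNetwork $vnet | Out-Null

# 4. Isolation check: stop if anything could let a restored DC reach production.
$peerings = Get-AzVirtualNetworkPeering -VirtualNetworkName $vnetName -ResourceGroupName $tier0Rg
$gwSubnet = $vnet.Subnets | Where-Object Name -eq 'GatewaySubnet'
$gateways = Get-AzVirtualNetworkGateway -ResourceGroupName $tier0Rg
if ($peerings -or $gwSubnet -or $gateways) {
    throw "Restore VNet '$vnetName' is not isolated: peering, GatewaySubnet or gateway found."
}
Write-Output "Restore VNet '$vnetName' is isolated; Bastion is the only entry point."
```

Re-run step 4 before every recovery exercise, since a peering or gateway added later silently breaks the isolation the rest of the process depends on.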

 

The Process

Before Azure Recovery Services Vault existed, the first steps of an Active Directory recovery were the most painful part of the process: one had to worry about provisioning a correctly sized and configured recovery machine, transporting the WindowsImageBackup folder to a disk on this machine, and booting from the right Operating System ISO to perform a machine recovery. Now we can bypass all these pain points with just a few clicks:

 

Perform the Virtual Machine Backup

Creating a backup of your virtual machine in the Recovery Vault involves including it in a Backup Policy. This is described here:

Azure Instant Restore Capability - Azure Backup | Microsoft Docs

 

Restore the Virtual Machine to your isolated Virtual Network

To restore your virtual machine, you use the Restore option in Backup Center, with the option to create a new virtual machine. This is described here:

Restore VMs by using the Azure portal - Azure Backup | Microsoft Docs
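The two steps above, as an added Az PowerShell example that is not part of the original article: enabling backup for the Domain Controller VM under the vault's policy, then restoring its newest recovery point as a new VM into the isolated subnet rather than over the production machine. Resource names are assumptions, and the vault and isolated VNet are assumed to exist already.

```powershell
# Added example (not from the original article). Names are assumptions; the vault
# and the isolated VNet/subnet are assumed to exist. Requires the Az module.
$tier0Rg   = 'rg-tier0-recovery'
$vaultName = 'rsv-tier0'
$prodRg    = 'rg-prod-identity'      # resource group holding the running DC
$dcVmName  = 'azdc01'                # production Domain Controller VM
$restoreSa = 'stisolatedrestore'     # staging storage account in the Tier 0 RG

$vault = Get-AzRecoveryServicesVault -ResourceGroupName $tier0Rg -Name $vaultName

# 1. Protect the DC under a common Tier 0 policy. This is a one-time onboarding
#    step; the first recovery point appears after the scheduled backup has run.
$policy = Get-AzRecoveryServicesBackupProtectionPolicy -Name 'DefaultPolicy' -VaultId $vault.ID
Enable-AzRecoveryServicesBackupProtection -ResourceGroupName $prodRg -Name $dcVmName `
    -Policy $policy -VaultId $vault.ID | Out-Null

# 2. Locate the backup item and its newest recovery point from the last 30 days.
$container = Get-AzRecoveryServicesBackupContainer -ContainerType AzureVM -Status Registered `
    -FriendlyName $dcVmName -VaultId $vault.ID
$item = Get-AzRecoveryServicesBackupItem -Container $container -WorkloadType AzureVM -VaultId $vault.ID
$rps  = Get-AzRecoveryServicesBackupRecoveryPoint -Item $item -VaultId $vault.ID `
    -StartDate (Get-Date).AddDays(-30).ToUniversalTime() -EndDate (Get-Date).ToUniversalTime()
if (-not $rps) { throw "No recovery point for $dcVmName in the last 30 days; run a backup first." }
$latest = $rps | Sort-Object RecoveryPointTime -Descending | Select-Object -First 1

# 3. Restore as a NEW VM into the isolated subnet. A new name and the Tier 0
#    resource group guarantee the production DC is never overwritten.
$job = Restore-AzRecoveryServicesBackupItem -RecoveryPoint $latest `
    -TargetResourceGroupName $tier0Rg -TargetVMName "$dcVmName-restore" `
    -StorageAccountName $restoreSa -StorageAccountResourceGroupName $tier0Rg `
    -TargetVNetName 'vnet-isolated-restore' -TargetVNetResourceGroup $tier0Rg `
    -TargetSubnetName 'isolatedSub' -VaultId $vault.ID -VaultLocation $vault.Location
$job = Wait-AzRecoveryServicesBackupJob -Job $job -Timeout 43200 -VaultId $vault.ID
if ($job.Status -ne 'Completed') { throw "Restore job ended with status '$($job.Status)'." }
Write-Output "Restored $dcVmName as $dcVmName-restore in isolatedSub; connect via Bastion to start AD recovery."
```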

 

Active Directory Recovery Process

Once you have performed the restoration of your Domain Controller virtual machine to the isolated Virtual Network, you can log on to this machine using the Bastion Host, which allows you to start performing the Active Directory recovery as per our classic guidance.

 

You log in using the built-in Administrator account, then follow the steps outlined in the drawing below under "Start of Recovery in isolated VNet":

 

[Image: recovery steps under "Start of Recovery in isolated VNet" (Erik_Thie_2-1679668530388.png)]

 

All the detailed steps can be found in the Active Directory Forest Recovery Guide | Microsoft Docs; note that the above process may need to be tailored for your organization.

 

Studying the chart above, you will see that there are some dependencies. Just think about seemingly trivial details such as the Administrator password that is needed during recovery, the one that you use to log on through the Bastion.

 

  • Who has access to this password?
  • Did you store the password in a Vault that is dependent on a running AD service?
  • Do you have any other services running on your domain controllers, such as any file services (please note that we do not recommend this)?
  • Is DNS running on Domain controllers or is there a DNS dependency on another product such as Infoblox?

These are things to consider in advance, to ensure you are ready for recovery of your AD.

 

Tips and Tricks

In order to manage a VM in Azure two things come in handy:

  • Serial console: this feature in the Azure portal provides access to a text-based console for Windows virtual machines. This console session provides access to the Virtual Machine independent of the network or operating system state. The serial console can only be accessed through the Azure portal and only by users who have an access role of Contributor or higher on the VM or virtual machine scale set. It comes in handy when you need to troubleshoot Remote Desktop connection failures, for example when you need to disable the host-based firewall or change IP configuration settings. More information can be found here: Azure Serial Console for Windows - Virtual Machines | Microsoft Docs
  • Run Command: this feature uses the virtual machine agent to run PowerShell scripts within an Azure Windows VM. You can use these scripts for general machine or application management. They can help you to quickly diagnose and remediate Virtual Machine access and network issues and get the Virtual Machine back to a good state. More information can be found here: Run scripts in a Windows VM in Azure using action Run Commands - Azure Virtual Machines | Microsoft Docs

Security

We remind you that a Domain Controller is a sensitive, highest-level administrative asset, a "Tier 0" asset (for an overview, see our Enterprise access model: Securing privileged access Enterprise access model | Microsoft Docs), no matter where it is hosted. Whether it runs as a virtual machine on VMware, on Hyper-V or in Azure as an IaaS virtual machine, that fact does not change. This means you must protect these Domain Controllers and their backups using the maximum level of security restrictions you have at your disposal in Azure. Role Based Access Control is one of the features that can help here, by restricting the accounts that have access.

 

Conclusion

A poorly designed disaster recovery plan, lack of documentation, and a team that lacks mastery of the process will delay your recovery, thereby increasing the burden on your administrators when a disaster happens. In turn, this will exacerbate the disastrous impact that cyberattacks can have on your business.

 

In this article, we gave you a global overview of how the power of Azure Recovery Services Vault can simplify and speed up your Active Directory Recovery process: how easy it is to use, how fast you can recover a machine into an isolated VNET in Azure, and how you can connect to it safely using Bastion to start performing your Active Directory Recovery on a restored Domain Controller.

 

Finally, ask yourself this question: "Am I able to recover my entire Active Directory in the event of a disaster?" If you cannot answer this question with a resounding "yes", then it is time to act and make sure that you can.

 

Authors: Erik Thie & Simone Oor, Compromise Recovery Team

 

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

 

Cloud native Data Loss Prevention: the future of data security

Data loss prevention (DLP) is a layer of an organization's data security strategy. It helps protect sensitive data by preventing users from inappropriately sharing it with people who shouldn't have it. Forward-thinking organizations are seeking to future-proof their DLP strategy with a comprehensive solution that scales across all applications, services, endpoints, and platforms.

In this month’s episode of Uncovering Hidden Risks, we discuss some recent DLP research and what's coming up in this space. Microsoft spoke to more than 300 data and compliance professionals to create the whitepaper “Data Loss Prevention: From on-premises to cloud.” 

 

Joining us as a guest is Maithili Dandige, Partner Group Product Manager for several Microsoft Purview products. Maithili’s team is behind products such as Information Protection, Data Loss Prevention, Data Lifecycle Management, Records Management, eDiscovery, and Audit. Also joining us as a guest host is Shilpa Bothra, a senior product marketing manager for Microsoft Purview Data Loss Prevention.

 

Together, we will explore cloud native Data Loss Prevention and why it is the future of data security.

 

In this episode, we will cover the following:

  • Where the market is today in our DLP solution journey
  • What are you hearing from customers regarding the evolution of DLP
  • Key findings, recommendations, and best practices from the whitepaper Data Loss Prevention: From on-premises to cloud
  • The benefits of adopting a cloud native solution
  • How customers can get started with DLP
  • Thoughts on the future of DLP

Listen to this episode on your favorite podcast platform: 

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. 
