We have some great new features in Azure AD Conditional Access, they are really taking it to a next level. Conditional Access has now tight integration with Cloud App Security. It’s now possible to fully control and secure our data and information when you collaborate with a partner (B2B) or within your own tenant.

Index:

1. Azure AD Conditional Access
2. Cloud App Security integration with Windows Defender ATP
3. Microsoft Secure Score
4. Identity Protection
5. Intune Updates

As you might probably now, Cloud App Security has tight integration with SharePoint already but now we can control on file level if a download for example is allowed or not. Check this screenshot below from the Ignite presentation:

Another great update is that we can now enable Conditional Access App Control for Office applications. Before this was only possible with SAML-based apps. Based on the risk level of a user’s session, information can be accessed or blocked. Also risky OAuth applications can now be blocked with Cloud App Security. These updates make Cloud App Security even more powerful. If you aren’t using it right now, you should! It makes your organization a lot more secure.

Well, enough updates around Conditional Access right? It goes even further. We can not only control Exchange, but specific mailboxes within an account. The command runs as follows to enable this feature:

This command does not work yet and to be honest, I am not sure what it will actually do as I cannot test it yet. But I expect we will have some sub-commands in the near future to further control this.

Cloud App Security integration with Windows Defender ATP

Cloud App Security is now integrated with Windows Defender ATP! At first, we needed to install a Cloud App Security client which was too much because we had already so many clients installed. So they came up with the Cloud App Security broker which was an improvement on the client side, but then we needed to proxy all our traffic through it. We now we have the best solution, integration with Windows Defender ATP! I personally love this because configuring a separate gateway is no longer necessary. All traffic can be routed through Defender ATP (and the Defender client is installed by default with Windows 10). This is a great way of securing your information and it makes controlling your devices very easy. Here you can see information is being fed from Windows Defender ATP.

In Windows Defender ATP, you only have to enable this.

After enabling this setting, it will Cloud App Security feed traffic and device information from Windows Defender ATP.

Microsoft Secure Score

We have heard in almost every session that we should enable Microsoft Secure Score. I do agree that we should enable it on all our tenants (so I am telling you again now :)) and it is also enabled now through Azure Active Directory (you can go to https://securescore.microsoft.com/ as well). It looks like this:

It looks good and it will only show the score that you have access too. Like if you don’t have EM+S E5, you won’t see identity protection related security scores.

Identity Protection

Identity Protection does now have integration with Azure ATP. Azure ATP is a security service based on DNS checks. Risky sign-ins from these two products can now be viewed from a single panel. And of course, we can apply conditional access on this. If Azure ATP feeds Identity Protection with a risky sign-on, it can be blocked, based on your Conditional Access settings. Combining these two sources, you have a very powerful solution. You see all high risk devices and users and all items that needs attention are presented through one combined interface.

Intune updates

As you might know by now is that my main focus is within the “Information Protection” field which includes parts of Cloud App Security and Intune as well. So I wanted to post some updates around Intune, Windows Information Protection (which is part of Intune) and device management. That’s why I visited the session “What’s new in Windows 10 mobile device management (MDM)” . But right from the start I thought: Are we really going to do this for 75 minutes? I barely heard anything new and I love to share new stuff to the world. For example the presenter said that we should focus on co-management, 1 of 3 points she gave as a call-to-action. Isn’t this already possible for years now?

Also, we were presented slides like this:

Really? I want to see what’s NEW. Anyway, a little good news however, Kiosk mode control is now generally available and we will get better security baselines for Microsoft Intune. Maybe you have another opinion about this session, I would love to hear from you through comments below.

So this is basically it. We saw a lot of sessions but a lot of sessions presented content already covered in day 1 and 2. I don’t expect much more announcements in day 4 and 5. Maybe I will wrap them together in one blogpost, depending on the content of tomorrow.

But still, Ignite brought me definitely the sessions above expectations!

The post Microsoft Ignite day 3 appeared first on Erjen Rijnders.

So, in case when you have an applicant on a job offer, the person sends you its resumé somehow (by e-mail, sharing through OneDrive etc.) and you download it to the company share (SharePoint Online or locally). In all scenario’s you need to make sure that, whatever way the resumé is received, you catch it and set an expiration date.

Note: Every product to accomplish this have its caveats. You need to make sure that you align the job applications with the way you handle your sensitive data.

Depending on the license you have, you can use these products for achieving above:

1. 1. Azure Information Protection;
   2. Cloud App Security;
   3. AIP Scanner;
   4. Data Loss Prevention;
   5. Exchange Online Retention Policies
   6. Conclusion

Let’s see how these products can achieve this.

1. Azure Information Protection

First you need to configure a label with content expiration. Go to the “Azure Portal > Azure Information Protection > Labels > Protect”. Under “Content expiration”, set the content to expire “By days” or “By date”. When the content expires, you can no longer decrypt the content which makes it unreadable:

Now classify the document You can easily do this by right clicking a PDF or Word document and click “Classify and protect”:

Click the label you configured with “Content expiration”:

If you view the custom properties of the document, you can see it’s now classified as “Confidential”:

In my opinion, the problem with this approach is the chance on forgetting classifying a document. So, if you choose Azure Information Protection for achieving this, make sure no documents get through without classification and give your users clear instructions.

Another way with Azure Information Protection is the automatic labeling function. You can do this, based on document content. With PDF-files however (and any filetype other than docx, pptx, xlsx), you can only achieve this with the AIP scanner (check point 3). To configure automatic labeling, take the same steps as before but also configure a condition and create a regex policy or fill in predefined keywords:

2. Cloud App Security

Using Cloud App Security, you can automatically classify documents when they reside in a specific folder or when the document contains sensitive information. Personally, I would love the last one, but it’s currently not possible to scan PDF files with Cloud App Security so the first option is the only working option at the moment.

We will discuss both options however. First let’s see how it works when sensitive files are stored in a specific folder. Go to https://portal.cloudappsecurity.com/, click “Control > Policies > Create policy > File policy”:

Select as condition “Parent folder” and select the folder:

Apply a classification label beneath “Microsoft OneDrive for Business” and “Microsoft SharePoint Online”:

Create the policy, now all content in that folder will have automatically the content expiration activated. Of course, you need to configure content expiration for the label set. See step 1 for more details.

Let’s see how automatic labeling with Cloud App Security works. Create a File policy again and scroll down till the “Inspection method” part. We skip the conditions for now since we did that just before and it’s straight forward as well.

Select “Data Classification Service > Match if Any of the following occur > Choose inspection type… > Select a sensitive information type”:

Here you can select a sensitive information type, or you can add a custom information type. You need to know regular expressions, but it’s not too hard.

For adding a custom information type, click the + button on the right:

Once added, click “Done” and navigate to the bottom. Now again select the classification label you want to apply for “Microsoft OneDrive for Business” and “Microsoft SharePoint Online”:

All matched files are now automatically classified with “Confidential” (make sure you configure the content expiration again in Azure Information Protection).

Remember, it’s not working yet with PDF-files but will be available in future versions.

3. AIP Scanner

This is more or less the same as step 2, only the tool is different and it’s possible to scan PDF files. You still need to know regular expressions (or you need to choose predefined templates like “Credit Card Number”). the scanner uses the Office 365 data loss prevention (DLP) service. For configuration of the filetypes in DLP, see point 4.

The actual configuration of the AIP scanner is not covered in this post, since there are already many great posts how to do this.

4. Data Loss Prevention

DLP has great potential for achieving this task, especially because you can connect with Exchange Online which means you can scan e-mail attachments and restrict or encrypt the content when a condition matches.

However, one big flaw is that DLP cannot scan PDF files (yet), same goes for Cloud App Security. They both use the same core functionality, but I expect this possibility the coming months. Till then, we cannot use this functionality for scanning PDF files.

To create a custom classification type to use within a DLP policy, go to “https://protection.office.com > Classifications > Custom sensitive information types”:

Now click “Create” and add a Regular expression:

At this point, click “Finish” and add a DLP policy. Click on “Data loss prevention > Policy > Create a policy”. Walk through the steps, at the “Policy settings” tab click “Use advanced settings”:

Click “New rule” and within the “Conditions” tab, click “Content contains > Sensitive info types”:

Now select your just created custom policy. On the “Actions” tab, select “Block people from sharing and restrict access to shared content” and “Everyone. Only the content owner, the last modifier, and the site admin will continue to have access”:

Fill in the other desired settings and save the policy.

5. Exchange Online retention policies

With Exchange Online retention policies, you can achieve best of all worlds. You can just delete content matching a custom information type that you created with regex. So, it’s possible to apply this to Exchange, SharePoint and OneDrive!

Go to “https://protection.office.com > Data governance > Retention > Create”. Create a custom retention policy and add a “Sensitive info types”:

Make sure you delete the content after the period you define, from the data when it was labeled.

One caveat with this option is that you don’t have much conditions. You can only choose to which location you want to apply it (SharePoint Online, OneDrive or Exchange Online).

Conclusion

As you figured out by now, it’s impossible to use one tool for scanning your complete environment (if you both use on-premises file server and cloud-based file servers). Also, scanning PDF-files is apparently hard and even impossible to scan Exchange Online PDF files with a tool like Azure Information Protection, Data Loss Prevention or Cloud App Security. Fortunately, it’s possible with retention policies.

In the scenario where you only use SharePoint, OneDrive and Exchange Online and you also want to scan PDF-files, the best option would be using retention policies. Keep in mind that you do not have much options in conditions. In case you need more freedom in conditions and still need to scan PDF-files, you have to wait for this functionality to become available in AIP, DLP and MCAS.

You might have an on-premises file server as well, where you want to apply labels automatically, you need the AIP-scanner since it can scan PDF files.

If you have any questions, feel free to contact me or place a comment below.

The post GDPR: how to automatically delete sensitive content appeared first on Erjen Rijnders.