Office 365 Event Driven Retention

There was interesting announcement last month for a new feature being released call Event Driven Retention.  Microsoft has been making tons of investments into Data Governance, and there is a specific feature called Office 365 Labels.  It is very exciting to see these mature, enterprise features being incorporated into the Office365.

So if you have content in Office 365 that has been labeled, when a business event occurs, retention will be applied based on that events occurrence.  For instance, lets say there is a business rule that you have to keep all contact information for 5 years when the contract expires.  With this solution, what that contract expires, the retention period will be enforced proactively for you.

If you dig a little deeper, there is really interesting capability within Office 365 Labels that automatically apply labels to content for you.  This drives down the responsibility we have placed on users in the past to manually classify and set retention periods for files.

Overview of event-driven retention - https://support.office.com/en-us/article/Overview-of-event-driven-retention-dd851332-747b-45b9-82de-e3cd7d01c8a7

Overview of labels - https://support.office.com/en-us/article/Overview-of-labels-af398293-c69d-465e-a249-d74561552d30

Office 365 Mult-Geo goes Generally Available

Office 365 multi-geo has now gone GA.  This is a significant feature release that allows a single Office 365 tenant to span across multiple Office 365 datacenter geographies.  This allows companies and organizations to store data-at-rest, on-a-per-user-basis in a chosen geography. 

This allows organizations to support data residency guidelines they have been asked to address in the cloud.  To date, many organizations have had to address these solutions through cloud hybrid solutions and retaining locally hosted services on-premises within those countries.  It worked, but customers were stilled required to invest in on-premises solutions.

This solution has been launched for the Exchange Online and OneDrive for Business services.

Announcement - https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Get-global-data-location-controls-with-Multi-Geo-Capabilities-in/ba-p/182710

Announcement - https://www.microsoft.com/en-us/microsoft-365/blog/2018/04/16/preparing-for-a-new-era-in-privacy-regulation-with-the-microsoft-cloud/

Product Home Page - https://products.office.com/en-us/business/multi-geo-capabilities

OneDrive Multi-geo Page - https://docs.microsoft.com/en-us/office365/enterprise/multi-geo-capabilities-in-onedrive-and-sharepoint-online-in-office-365

Exchange Online Multi-geo Page - https://docs.microsoft.com/en-us/office365/enterprise/multi-geo-capabilities-in-exchange-online

Office 365 Privileged Access Management

There was a Preview announcement for the Privileged Access Management feature.  This feature is super exciting to hear about and really demonstrates how mature Microsoft Office 365 is in its delivery of security services for their customers.

Privileged Access Management is a feature to help customers provide limited privileged rights to administrator functions.  Doing this provides greater control, oversight and audit trail to what customer Office 365 administrators can do.

Since the beginning, Microsoft has had a solution called the Lockbox.  This is a Just-in-time (JIT) access solution that manages all Microsoft administrator access to Office 365 itself.  Microsoft has standing privileges to Office 365 and all our access to the environment is controlled through this.  We even created a solution called Customer Lockbox, which allows customers to approve Microsoft to manage aspects of the Office 365 environment if access to their customer data was needed as part of a support operation.

Apparently, customers liked the Lockbox concept so much, they wanted a similar capability to manage their Office 365 Admin users.  This is the new Privileged Access Management solutions.  Customers have the ability to create policies where Office 365 Administrators can make requests to perform specific actions.  This will initiate workflow approvals to allow them to perform those actions for a specified period of time.  All of this auditable.  Wow.  This is huge.

Customers always have risks of insider threats, and this can help control that access.

Note this solution does required the Advanced Compliance Office 365 E5 SKU.

Reference - https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Announcing-preview-of-privileged-access-management-in-Office-365/ba-p/183743

SharePoint Online Storage Increase!

Major announcement was made in late April that SharePoint Online storage allocation is increasing significantly.

Previously SharePoint Online storage was 1 TB plus .5 GB per user license purchased.

Now SharePoint Online storage is 1 TB plus 10 GB per user license purchased.

So, if you have 100,000 users in your organization, you have 1001 TBs of storage.  Wow!

This is usage and it being driven by the usage and consumption of file storage in SharePoint Online.

Reference - https://techcommunity.microsoft.com/t5/SharePoint-Blog/Increase-in-SharePoint-Online-storage-allocation/ba-p/187617

Office 365 Endpoint Management

Microsoft Office 365 just released a preview new capability that publishes end points using a new set of web services.  This will make it significantly easier for organizations to evaluate, configure and stay up to date with changes to Office 365 endpoints.  Today customers have had to watch a public webpage and sign-up for a RSS feed; which is not always the most efficient.

With this new solution customers will have the ability to automate endpoint changes with their environment.

Reference - https://techcommunity.microsoft.com/t5/Office-365-Blog/Announcing-Office-365-endpoint-categories-and-Office-365-IP/ba-p/177638

Azure Information Protection Scanner

I just learned about a really neat solution called Azure Information Protection Scanner.  This is a solution that has the ability to scan on-premises file shares and SharePoint.  This solution will discover, classify, label and protect files that are out there based on criteria you set.  For instance, it can go out there and put protection policies against confidential data.

Azure Information Protection Scanner is an on-premises solution.  There is a counterpart solution in the Office 365 service under Data Governance (E5) and Information Protection Plan 2 that will do the same for the cloud.

Preview Announcement - here

Tech Guide - here

General Availability Announcement - here

Office 365 Customer Key

There have been many questions over the years many organizations have asked, is it possible for customers to apply their own encryption keys to data at rest stored in Office 365.  Office 365 already utilizes several encryption at rest solutions for all data in Office 365, but sometimes customers have compliance regulations that they must support so that they can have control of an encryption key to their data in Office 365.  Customer Key for Office 365 can be used to satisfy those requirements.

There are several considerations you should think about before using this solution.  Read the FAQs on this solution.  Key management becomes critical and there is a recovery key process.

Finally, this solution will provide encryption at the root and its intended purpose is for customers to use this key as a way to protect data if the customer ever intends to leave the Office 365 service.  Customer keys can be destroyed when leaving the Office 365 service ensuring that no one has access to data will the data is going through it final deletion stages.  This solution is not intended to change the dynamics of Online Service Terms for third-party data requests to Microsoft nor does it change access rules for customer data for Microsoft personnel who are supporting the service.  There are other capabilities like Customer Lockbox which can mitigate a customer’s concern for how Microsoft personnel access customer data.

To get this solution, you must purchase Office 365 Advanced Compliance which is part of the E5 Suite, plus customers must purchase Azure Key Vault licenses.

Please read all these references.
Customer Key General Availability Announcement - https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/GA-of-Customer-Key-in-Office-365-at-Ignite/ba-p/115134

Announcement - https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Bringing-deeper-integration-and-new-capabilities-to-Office-365/ba-p/109409
https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Bringing-deeper-integration-and-new-capabilities-to-Office-365/ba-p/109409

Presentation from Ignite - https://myignite.microsoft.com/sessions/53748?source=sessions

Video of How it works with SPO - https://youtu.be/y-BSmEhdk7c?t=8m18s

Customer Key FAQs (highly recommend reading) - https://support.office.com/en-us/article/Customer-Key-for-Office-365-FAQ-41ae293a-bd5c-4083-acd8-e1a2b4329da6

Overview and Configuration Instructions - https://support.office.com/en-us/article/Controlling-your-data-in-Office-365-using-Customer-Key-f2cd475a-e592-46cf-80a3-1bfb0fa17697

Azure Key Vault Reference - https://docs.microsoft.com/en-us/azure/key-vault/
https://docs.microsoft.com/en-us/azure/key-vault/