Monday, July 1, 2013

Office 365 Compliance Solutions


In this blog I am going to show you some really cool things Office 365 can do from a compliance perspective across Exchange Online, SharePoint Online and Lync Online. The great thing about Office 365 is that there are compliance solutions built in across all the technologies: retention and records management, archiving, journaling, data loss protection, eDiscovery, legal hold and reporting.

In this blog I am going to show several of these features quickly, using a tenant that I created for the purpose.

My objective in this blog is to show you quickly that Office 365 has really strong compliance solutions, which will help an organization have confidence in using Office 365. From this blog I suspect you will want to do deeper reading and analysis on the topics.

For deeper information, I recommend you read the following articles from the Office 365 Service Descriptions:

There are tons of links to more detailed information off these three. Start there and you will find a ton of information.

Exchange Online Retention Policies

In Exchange Online you have the ability to create what are called Retention Tags. Tags can be:

  • Assigned as default retention tags for the entire mailbox (one has not been set in the screenshot, but it is common to require that all email be maintained for X days).
  • Applied to specific folders (for example a default 30-day retention on the Deleted Items folder).
  • Made available to users so they can apply the retention policies themselves (personal retention tags). Users can do this in either Outlook or OWA.
  • Used as archive policies, which move items out of the primary mailbox to the archive mailbox for each user.

Organizations have a lot of flexibility to create policies around how long they want email to be retained.


Once you have created all the retention tags that you want to create, you then have the ability to group those retention tags into a retention policy. Those retention policies are then applied to mailbox users. It is possible to create different policies for different users.


As I mentioned, the policies are available in OWA and Outlook. Below is a screenshot of how a personal policy can be applied in OWA. You can also see that the email itself shows the user which retention policy is currently applied to it.


Side note: if you do not see your retention policies immediately because you created a new tenant or made some changes, run the following PowerShell command: Set-Mailbox "username" -RetentionPolicy "Default MRM Policy". This will kick in the policy immediately.
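The retention design described above (default tag, folder tag, personal tag, archive tag, grouped into a policy and assigned to mailboxes), as an added Exchange Online PowerShell example that is not from the original post. Tag names, age limits, the Department filter and the mailbox address are assumptions; the cmdlets are the standard Exchange ones.

```powershell
# Added example (not from the original post). Assumes an existing remote PowerShell
# session to Exchange Online. All names, limits and addresses below are assumptions.

# 1. Default tag for the entire mailbox: delete anything older than 7 years (2555 days),
#    but leave it recoverable from Recoverable Items for the usual window.
New-RetentionPolicyTag -Name "Corp 7 Year Delete" -Type All `
    -AgeLimitForRetention 2555 -RetentionAction DeleteAndAllowRecovery `
    -Comment "Default policy: all mail removed after 7 years"

# 2. Folder tag: Deleted Items is cleaned out after 30 days.
New-RetentionPolicyTag -Name "Deleted Items 30 Day" -Type DeletedItems `
    -AgeLimitForRetention 30 -RetentionAction DeleteAndAllowRecovery

# 3. Personal tag that users can pick themselves in Outlook or OWA.
New-RetentionPolicyTag -Name "Keep 10 Years" -Type Personal `
    -AgeLimitForRetention 3650 -RetentionAction DeleteAndAllowRecovery

# 4. Archive tag: move mail to the In-Place Archive after 2 years. The mailbox must
#    have an archive enabled for this tag to do anything.
New-RetentionPolicyTag -Name "Archive After 2 Years" -Type All `
    -AgeLimitForRetention 730 -RetentionAction MoveToArchive

# Group the tags into one policy. A policy may carry one default delete tag and one
# default archive tag, plus any number of folder and personal tags.
New-RetentionPolicy -Name "Finance Retention Policy" -RetentionPolicyTagLinks `
    "Corp 7 Year Delete", "Deleted Items 30 Day", "Keep 10 Years", "Archive After 2 Years"

# Assign it to one group of users (assumed filter on the Department attribute);
# other departments can get a different policy the same way.
Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited `
    -Filter "Department -eq 'Finance'" |
    Set-Mailbox -RetentionPolicy "Finance Retention Policy"

# The Managed Folder Assistant applies tags on its own schedule; to process one
# mailbox right now (handy when checking a new tenant), trigger it directly.
Start-ManagedFolderAssistant -Identity "alice@contoso.example"

# Verify what the mailbox actually ended up with.
Get-Mailbox "alice@contoso.example" | Select-Object Name, RetentionPolicy
Get-RetentionPolicy "Finance Retention Policy" |
    Select-Object -ExpandProperty RetentionPolicyTagLinks
```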

In-Place Archiving

With Exchange Online you have the ability to enable what we call the Personal Archive mailbox. With Exchange Online Plan 2, organizations have the ability to store an indefinite amount of data in the Personal Archive.

This is huge for organizations who are really trying to save costs.

  • Microsoft provides the ability to stop having to manage on-premise archiving solutions.
  • It is a solution completely integrated into Exchange Online itself. Users do not have to jump between different tools.
  • End users have direct access to their archived email.
  • Administrators can search, discover, retain and place items on legal hold ALL IN ONE PLACE.
  • It provides a solution to avoid having PSTs floating around.

As you can see here, all you need to do is add the personal archive mailbox to a user in the EAC.


Once this is done, the end user will see a second mailbox in Outlook and OWA. As you can see in the OWA screenshot, the user can see the personal archive. They have the ability to search across both mailboxes with a single query. It is very convenient.

Users can then use personal archive policies or rely on corporate archive policies that will move email from their primary to their archive mailbox. And again, the organization can use retention policies across both the primary and archive mailbox to control how long the email will be retained.



Note that it is still possible to set up journaling rules if you want to continue journaling to an existing archiving solution. This can be quickly set up through the EAC.
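Enabling the personal archive for the mailboxes that still lack one, and journaling external mail to an existing archiving system, as an added PowerShell example that is not from the original post. The journal address, mailbox address and the "external only" scope are assumptions.

```powershell
# Added example (not from the original post). Assumes an Exchange Online session.
# Addresses are assumptions.

# Mailboxes whose ArchiveStatus is still None have no In-Place Archive yet.
$noArchive = Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited |
    Where-Object { $_.ArchiveStatus -eq 'None' }

# Review the change first, then apply it. Archive retention tags (MoveToArchive)
# only take effect once this has run for the mailbox.
$noArchive | Enable-Mailbox -Archive -WhatIf
$noArchive | Enable-Mailbox -Archive

# Confirm the archive exists and how much it holds.
Get-MailboxStatistics -Identity "alice@contoso.example" -Archive |
    Select-Object DisplayName, ItemCount, TotalItemSize

# Journaling is independent of the archive. This rule copies every message that
# crosses the organization boundary (Scope External) to the legacy archiving
# system's journal mailbox; internal-only traffic is left alone.
New-JournalRule -Name "External mail to legacy archive" `
    -JournalEmailAddress "journal@archive.example" `
    -Scope External -Enabled $true

# Check what is actually being journaled before relying on it for compliance.
Get-JournalRule | Format-Table Name, Scope, Recipient, JournalEmailAddress, Enabled
```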


Role-Based Access Permissions

It should be noted that in Exchange Online you have the ability to control who can have access to all these compliance capabilities. This allows organizations to delegate these duties to specific users. This becomes really important when discussing eDiscovery (which I will be talking about later in this blog).
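Delegating search and hold rights to a small, scoped group instead of handing out broad admin roles, as an added Exchange Online RBAC example that is not from the original post. The group name, the management scope, the Department filter and the member address are assumptions; Discovery Management, Mailbox Search and Legal Hold are the built-in names.

```powershell
# Added example (not from the original post). Assumes an Exchange Online session.
# Group, scope, filter and member names are assumptions.

# Who can already run searches and place holds? The built-in Discovery Management
# role group carries the Mailbox Search and Legal Hold roles; review it first.
Get-RoleGroupMember -Identity "Discovery Management"

# A management scope restricts which recipients a role group may act on.
# (Assumed attribute: Department is set to Legal on the mailboxes in question.)
New-ManagementScope -Name "Legal Mailboxes Only" `
    -RecipientRestrictionFilter "Department -eq 'Legal'"

# Custom role group: only the two roles needed for eDiscovery and holds, limited to
# the scope above. No Organization Management or mailbox-permission rights are included.
New-RoleGroup -Name "Legal eDiscovery Managers" `
    -Roles "Mailbox Search", "Legal Hold" `
    -CustomRecipientWriteScope "Legal Mailboxes Only" `
    -Members "paralegal@contoso.example" `
    -Description "Can run In-Place eDiscovery and apply holds on Legal mailboxes only"

# Periodic review: every role group that grants search or hold rights, with members,
# so an unexpected delegation shows up in an audit.
Get-RoleGroup | Where-Object { $_.Roles -match 'Mailbox Search|Legal Hold' } |
    ForEach-Object {
        $members = Get-RoleGroupMember -Identity $_.Identity |
            Select-Object -ExpandProperty Name
        [pscustomobject]@{
            RoleGroup = $_.Name
            Members   = $members -join ', '
        }
    }
```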


SharePoint Records Management

Since we were talking about retention management in Exchange Online, it is a good time to discuss records management in SharePoint Online.

In the new SharePoint Online, the Records Center template is now available. This is the same capability that people are familiar with from SharePoint 2013 on-premise.

You have the ability to create Send To Connections in SharePoint Admin Center (screenshot below). This allows you to send a document from any location to the SharePoint Records center.


I am also commonly asked whether it is possible to send email from Exchange Online to the SharePoint Online Records Center. The answer is yes, but you will need to write some code that will move the email and all its metadata to SharePoint Online. It is possible to use the new Apps Model in Outlook 2013 and OWA to write code that will move the email to the drop-off library in the SharePoint Online Records Center. If you are using older versions of Outlook you can write code that moves the item. Really it is as simple as adding a new button to the ribbon and then calling the SharePoint Online REST services to upload the email. There are also some third-party solution providers that provide these solutions.

An important part of doing records management in SharePoint is creating common definitions of content. In SharePoint Online the Content Type Hub is supported; all you need to do is turn it on.


Once you turn on the content type hub, you have the ability to create centralized content type definitions and then publish them to all the site collections you have in SharePoint Online.


Here is the records center in SharePoint Online. The only consideration around doing records management in SharePoint Online is understanding your content acquisition strategy. I recommend that you review SharePoint Online storage here - The overall size of the data, as well as the thresholds on site collections, will require organizations to plan how many records centers will be utilized.


You have the ability to manage the records center just like SharePoint on-premise. You can see here that you can manage content types, retention policies, create organizer rules and run reports.


The content type hub is important because when you send data from a site collection to the records center, you want to make sure that all the metadata for the document is maintained. Why? Because when the document arrives, you will want to use that metadata as part of a file plan.


Here are the details of a content organizer rule. This one looks for a specific content type, then looks at the metadata and stores the document in the appropriate location.


Then, once in the records center, you can use all the metadata to navigate through the documents being archived. You can also use SharePoint Search.


Finally you can run the report in SharePoint Online to get details about the documents that are being stored.

Note another benefit for the content type hub is that you can centrally define retention rules for content type definitions. So when an item arrives in SharePoint Online, the retention rule that was defined centrally will be applied.


SharePoint Site Policies

Here is another new capability of SharePoint 2013 that is available in SharePoint Online which has to do with retention. It is common for SharePoint to become very popular and for old content to accumulate that still has to be managed. Site Policies help with governance, but they also help from a legal perspective if you need old data to be deleted.


Exchange Multi-Mailbox Search & Legal Hold

Now that we have discussed retention and records management for Exchange and SharePoint Online, let’s discuss Legal Hold.

In Exchange Online there is a built-in capability to do eDiscovery. In the past it was referred to as multi-mailbox search. In the new EAC panel, users with permission can initiate an eDiscovery search and then add a Legal Hold to the items returned by the search.


First you are given a screen to give a name and description to the search.


Next you then scope the eDiscovery search. You can have it go against specific mailboxes or against all of the mailboxes.


Then you can define criteria to find items.


You also have the ability to select which items you want to discover. One thing I like to call out is the Lync items checkbox. This will allow you to discover not only Exchange items but also Lync items such as instant messages.


This is probably the most interesting screen (below). Once you have defined your query you can then decide whether you are going to place the items on a legal hold. There are some options here that are a real game changer with the new Exchange Online.

Let’s say that we are going to put the items on legal hold. Here are some options to think through.

  • Indefinite Legal Hold – Pretty simple to understand. If I had not entered any criteria, a legal hold would be placed on the whole mailbox including Lync items. As new items show up or are deleted by the user they are caught and not deleted until the Legal Hold is released.
  • Query Based Legal Hold – A new capability of Exchange Online is query based legal hold, which will only place items that meet the query on legal hold. As new items arrive that meet that query, those items will also be placed on legal hold. The nice thing about this is that the entire mailbox does not have to be placed on legal hold.
  • Time Based Legal Hold – As you can also see, there is a new option to place a time based legal hold. Think of it as a retention based legal hold. Why is this needed? Many organizations will consider doing this if they have business rules that state that no email can be deleted within X days or Y years. The retention policies we discussed earlier in the blog will place items on retention, but a user can still delete items before a retention period is complete. A Time Based Legal Hold will complement your retention policies.

As you can see this is really powerful and it is integrated right into Exchange Online. No third-party solutions are needed when you have the archive, eDiscovery and legal hold all in one place.
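The three hold styles from the list above, created with the Exchange Online New-MailboxSearch cmdlet instead of the EAC, as an added example that is not from the original post. Case names, mailbox addresses, the KQL query, the start date and the 365-day period are assumptions.

```powershell
# Added example (not from the original post). Assumes an Exchange Online session.
# Names, addresses, query and periods are assumptions.

# 1. Indefinite hold: no query, no end date. The custodian's entire mailbox
#    (Lync conversation items included) is preserved until the hold is removed.
New-MailboxSearch -Name "Case 1042 - Custodian hold" `
    -SourceMailboxes "alice@contoso.example" `
    -InPlaceHoldEnabled $true -ItemHoldPeriod Unlimited

# 2. Query-based hold: only items matching the KQL query are held, including items
#    that arrive later and match; the rest of the mailbox is untouched. Results are
#    copied to the tenant's default discovery mailbox for review and export.
New-MailboxSearch -Name "Case 1042 - Project Falcon" `
    -SourceMailboxes "alice@contoso.example", "bob@contoso.example" `
    -SearchQuery 'subject:"Project Falcon" OR attachment:falcon*' `
    -StartDate (Get-Date '2013-01-01') `
    -TargetMailbox "Discovery Search Mailbox" `
    -InPlaceHoldEnabled $true -ItemHoldPeriod Unlimited

# 3. Time-based hold: every item is kept for 365 days from the date it was received,
#    regardless of what the user deletes. This backs up the retention policy rather
#    than replacing it.
New-MailboxSearch -Name "Finance 1 year preservation" `
    -SourceMailboxes "carol@contoso.example", "dave@contoso.example" `
    -InPlaceHoldEnabled $true -ItemHoldPeriod 365

# Run the query-based search and check its status and result counts.
Start-MailboxSearch -Identity "Case 1042 - Project Falcon"
Get-MailboxSearch -Identity "Case 1042 - Project Falcon" |
    Select-Object Name, Status, ResultNumber, ResultSize, InPlaceHoldEnabled

# Which mailboxes are under any hold right now? LitigationHoldEnabled is the older
# mailbox-wide hold; InPlaceHolds lists the GUIDs of In-Place holds on the mailbox.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.LitigationHoldEnabled -or $_.InPlaceHolds } |
    Select-Object Name, LitigationHoldEnabled, InPlaceHolds
```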


All of the queries and legal holds are manageable from the EAC. There is an export button in the EAC panel that will generate a PST download of all the data (no more having to connect it to an Outlook <g>).


You also have the ability to see a preview of all the items from the EAC. If you select preview, the search is run again and this screen comes up, which allows you to navigate through the data.


SharePoint Online In-Place Hold

Now let’s round out the story with SharePoint Online. First with SharePoint Online Plan 1, there is an In-Place legal hold capability. For SharePoint people, this is actually the eDiscovery and Legal Hold capability that has been around since SharePoint 2010.

When you activate the Hold feature, you will see the Hold features in the Site Collection Administration site. You have the ability to manage all of the legal holds you have run, release them and run reports about those legal holds.


Here is the screen where you can create a search and then optionally place the items on legal hold (or have the items copied to another location).


eDiscovery Center in SharePoint Online

With the new SharePoint Online, if you buy SharePoint Online Plan 2, you have access to the new eDiscovery Center. This is a really powerful capability which allows you to unify eDiscovery and Legal Hold across SharePoint, Exchange and Lync Online in one location.

One little housekeeping item you need to do is add Exchange Online as a source for SharePoint Online to search against.


When you create a new source, you need to select Exchange and AutoDiscover. If you forget to do this, your SharePoint Online eDiscovery Center will not be able to search Exchange and Lync Online.


Next you need to create a site collection to do all your eDiscovery from. Just select an eDiscovery Center.


This is what the eDiscovery landing page looks like. From here you can create a new Case.


Once your new case has been created, the first thing you need to do is identify the data sources to run eDiscovery on and decide whether you want to place items on Legal Hold.


Here is the page where you will create an eDiscovery Set. In the Sources you can see that I have selected several mailboxes as well as some SharePoint sites. I have also put in some simple criteria (yes, you can do complex queries with Boolean logic, etc.). At the bottom you can see that I have the option to place items on legal hold or not.

One other new capability of SharePoint 2013 in the cloud is the Preservation Library. It is part of SharePoint Online Plan 2. What this does is if a SharePoint item is placed on legal hold, end users can continue to work on those items. In the past the items on legal hold were locked and the user could not continue to work. The Preservation Library will ensure that if there are deletes or edits to those items, they will be captured, maintained and discoverable.


Here is a screenshot of the preview results screen. As you can see here, I can see all of the Exchange and Lync Online data returned by the query. If I click on any of the items I can actually see the item right there.


Here is a screenshot of the SharePoint Online items in the preview results. You may notice an item in there with a GUID appended to the file name. That is actually an item that met the criteria and is coming from the preservation library.


Here is something else that is really neat. If you go back to the Site Collections management screen you will see a lock icon next to one of the site collections. This is basically saying that this site collection cannot be deleted because there are legal holds within it.


As well, if you go to the Exchange Online EAC, you will see a legal hold with a GUID as its title. This is the actual legal hold that was initiated from the SharePoint Online eDiscovery Center.


Once the legal hold has been created, you have the ability to create new searches across the items on legal hold. It is very common to place a broader legal hold and then have eDiscovery managers research and refine the data. Again, more searches can be created to filter down the results.


Discovery managers can preview the data right in these screens.


Finally Discovery managers can export the data from Exchange, Lync and SharePoint Online.

This is really powerful as it provides organizations a one-stop shop for all of their retention, archiving, eDiscovery and legal hold needs.


Exchange Online DLP

When it comes to compliance with Office 365, there is still more. We have talked about retention, records, eDiscovery and Legal Hold. Now let’s review some of the Data Loss Protection capabilities.

For Exchange Online there is the new DLP solution. With this capability you have the ability to create rules that will inspect email data. This is a new capability that is built on top of Transport Rules in Exchange. The references I provided at the beginning of this blog provide additional information on it.

As you can see here I created a simple policy that will check for SSNs that are sent outside of the organization.


Here is where the rule is defined. One really cool feature of this is you can enable what are called Policy Tips. Policy Tips are displayed to users in Outlook as they author their email. The user will be notified they are violating policy before they actually hit the send button. There are additional rules you can define that will allow the user to send if they provide an explanation, have a manager review the email, etc.


Here are the actual DLP rules that I set up. It is a really basic rule that looks for SSNs going outside of the organization and sends some notifications if this occurs. There are tons of other options and actions I could apply. For instance I could block the email altogether, require it to go through an approval, create exceptions so certain people can still send the email, etc. Again, this is a really powerful capability.


AD RMS DLP for Office, Exchange and SharePoint Online

Exchange Online continues to support the ability to work with an AD Rights Management Services (AD RMS) server that is hosted on-premise.

With the new Office 365, there is the ability to purchase an add-on that will host AD RMS in the cloud. Here is a good reference -


First all you need to do is activate the AD RMS Service.


Once you have done that, for SharePoint Online you just need to turn it on.


Then in a SharePoint Online document library all you need to do is click on Information Rights Management.


Then you can create an IRM policy. When an Office document is downloaded out of a document library, AD RMS rules will be applied to those documents. This is really powerful if you have content that is being stored in SharePoint that you want to ensure if someone downloads the document, that only people who have rights to the document can view it.


Additionally, inside of Office you have the ability to Restrict Access and apply IRM policies directly to Office documents.


And the same goes for Exchange Online. In either Outlook or OWA, users can apply AD RMS rules to email to ensure the email stays within the organization, cannot be printed, forwarded, etc. You can even create DLP rules that work with AD RMS. For instance, if a DLP rule catches an email, it can proactively assign an AD RMS policy for the user so that if the email does go outside of the organization, no one will be able to read it. Again, a very powerful capability.
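The SSN rule from the Exchange Online DLP section above, and the DLP plus AD RMS combination just described, as one added PowerShell example that is not from the original post. The policy and rule names, the report address and the count thresholds are assumptions; the "U.S. Social Security Number (SSN)" classification and the "Do Not Forward" template are the built-in names. It assumes an Exchange Online session and that RMS has already been activated for the tenant.

```powershell
# Added example (not from the original post). Assumes an Exchange Online session and
# that AD RMS is already enabled for the tenant. Names and addresses are assumptions.

# Start in AuditAndNotify: users get Policy Tips, nothing is blocked, and incident
# reports show how often the rule fires before enforcement is turned on.
New-DlpPolicy -Name "US SSN Outbound" -Mode AuditAndNotify

# Rule 1: at least one US SSN, recipient outside the organization.
# Policy Tip only; an incident report goes to the compliance mailbox.
New-TransportRule -Name "SSN to external - notify and report" `
    -DlpPolicy "US SSN Outbound" `
    -MessageContainsDataClassifications @(@{Name = "U.S. Social Security Number (SSN)"; minCount = "1"}) `
    -SentToScope NotInOrganization `
    -NotifySender NotifyOnly `
    -GenerateIncidentReport "dlp-reports@contoso.example" `
    -IncidentReportContent Sender, Recipients, Subject, Severity, RuleDetections, IdMatch `
    -SetAuditSeverity High

# Rule 2 (bulk leak): ten or more SSNs leave only with Do Not Forward protection
# applied, and the sender must give a business justification first.
New-TransportRule -Name "Bulk SSN to external - protect and justify" `
    -DlpPolicy "US SSN Outbound" `
    -MessageContainsDataClassifications @(@{Name = "U.S. Social Security Number (SSN)"; minCount = "10"}) `
    -SentToScope NotInOrganization `
    -NotifySender RejectUnlessExplicitOverride `
    -ApplyRightsProtectionTemplate "Do Not Forward" `
    -GenerateIncidentReport "dlp-reports@contoso.example" `
    -IncidentReportContent Sender, Recipients, Subject, Severity, RuleDetections, Override

# Once the incident reports look right, move the whole policy to enforcement.
Set-DlpPolicy -Identity "US SSN Outbound" -Mode Enforce

# Review: all rules in the policy and their current state.
Get-TransportRule | Where-Object { $_.DlpPolicy -eq "US SSN Outbound" } |
    Format-Table Name, State, Mode, NotifySender
```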



Finally, the last aspect of compliance I will be covering is reporting. We have covered the important stuff to ensure we can retain, discover and place data on legal hold. But in legal situations it is also important to know who has had access to the data.

For Exchange Online (along with the Lync data in the conversation view) there is some good stuff.

First there are auditing reports. There are administrator auditing reports that record actions performed by an administrator as well as mailbox audit logging reports. You can know who has had access to specific mailboxes and actions they may have taken on them.


Additionally there are delivery reports and message trace reports in Exchange Online that help you track messages.
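Turning on mailbox audit logging and pulling the three kinds of evidence described above (mailbox access, administrator actions, message trace) with PowerShell, as an added example that is not from the original post. The mailbox address, the 7-day window and the list of cmdlets to look for are assumptions.

```powershell
# Added example (not from the original post). Assumes an Exchange Online session.
# Address and time window are assumptions.

# Mailbox audit logging is off per mailbox until enabled. Record the actions that
# answer "who touched this mailbox" for admins and delegates, and keep 180 days.
Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited |
    Set-Mailbox -AuditEnabled $true -AuditLogAgeLimit "180.00:00:00" `
        -AuditAdmin Update, Copy, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf `
        -AuditDelegate Update, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf

$from = (Get-Date).AddDays(-7)
$to   = Get-Date

# 1. Who other than the owner opened or acted on Alice's mailbox this week?
Search-MailboxAuditLog -Identity "alice@contoso.example" -LogonTypes Admin, Delegate `
    -StartDate $from -EndDate $to -ShowDetails |
    Select-Object LastAccessed, LogonUserDisplayName, Operation, FolderPathName, ClientInfoString |
    Sort-Object LastAccessed

# 2. Which administrator changed holds, permissions or audit settings, and when?
Search-AdminAuditLog -StartDate $from -EndDate $to `
    -Cmdlets Set-Mailbox, New-MailboxSearch, Remove-MailboxSearch, Add-MailboxPermission, Add-RoleGroupMember |
    Select-Object RunDate, Caller, CmdletName, ObjectModified,
        @{n = 'Parameters'; e = { ($_.CmdletParameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' ' }}

# 3. Message trace: did mail from Alice to outside addresses actually leave, and
#    was it delivered? (Assumes contoso.example is the organization's own domain.)
Get-MessageTrace -SenderAddress "alice@contoso.example" -StartDate $from -EndDate $to |
    Where-Object { $_.RecipientAddress -notlike "*@contoso.example" } |
    Select-Object Received, RecipientAddress, Subject, Status, MessageTraceId

# For one message, the per-hop detail behind the delivery report:
# Get-MessageTraceDetail -MessageTraceId <id from above> -RecipientAddress <recipient>
```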


For SharePoint Online there are Audit Log reports available. They can be configured at the Site Collection, Site, Library and document levels. You can create rules on how long the logs are maintained and where you would like them stored.


Additionally here are the reports that you can run.



In closing, I hope this was a good read for you. This was a quick hit on a lot of different topics. As you can see, Office 365 does have comprehensive solutions built within the platform that do retention management, records management, eDiscovery, legal hold, data loss prevention and reporting.
