One of the challenges faced by Microsoft 365 compliance administrators is to be aware of their responsibilities concerning any personal data that resides within their environment. The General Data Protection Regulations (GDPR) describes personal data as any information that relates to an identified or identifiable natural person.
In this chapter, we will demonstrate how you can identify and protect personal data within your Microsoft 365 environment by using content searches to find personal data, and then we will look at how to protect that data using retention or sensitivity labels. We will also explain how Data Loss Prevention (DLP) reports, audit logs, alert policies, and Cloud App Security can be used to monitor leaks of personal data.
We will cover these topics in the following order:
Under GDPR, compliance administrators are obliged to respond to any requests by users for access to any personal data relating to them that is stored in the Microsoft 365 tenant. In order to provide the required information, the Content search feature can be used. Content searches use built-in sensitive information types, which can be found in the Security & Compliance Center under Classification | Sensitive info types.
We have discussed these sensitive information types in previous chapters of this book when we talked about DLP and Azure Information Protection (AIP). DLP is particularly useful in protecting your organization against personal data loss as it is capable of detecting personal data in transit in an Exchange Online email and can act accordingly with policy tips, and DLP policies and rules. We will examine this in further detail later on in this chapter.
First, let's take a look at how you can use content searches to find personal data in your Microsoft 365 environment. This requires you to complete the following steps:
a. New search: This is the default option, which we will use in the following steps.
b. Guided search: This option is a wizard-based guide that helps you through the search process.
c. Search by ID List: The final option allows you to search for Exchange Online mailbox items. This process was formerly known as targeted search and requires a CSV file to identify the mailbox items that should be targeted by the search.
Important note
At the time of writing this book, sensitive information types cannot be selected to search for data contained in Exchange Online mailboxes at rest.
In this section, we showed you how to run a content search from the Security & Compliance Center to look for personal data within your Microsoft 365 locations. You learned how content searches can be set up with one or more keywords to search against and how conditions can narrow down your search results and provide you with the content you are searching for. Finally, we showed you how you can choose to search through specific Microsoft 365 locations or search through all locations during your search.
Next, we will show you how labels can be used to help you protect personal data in your Microsoft 365 environment.
In Chapter 11, Azure Information Protection, we showed you how to use sensitivity labels and policies to protect emails and documents in your Microsoft 365 environment. Retention labels can also be used to apply protection to personal data within Microsoft 365. With retention labels, you can automatically apply labels when sensitive information types are detected or allow your users to manually apply retention labels. Your retention labels can be set up to force the retention of the content you are applying the policy to for a specified retention period.
The way that retention labels are set to be published determines which Office 365 locations the labels will be applied to.
When a retention label is published to your end users, or auto-applied based on a query, your retention label policy can apply to the following locations:
When a retention label is auto-applied based on sensitive information types, your retention label policy can apply to the following locations:
Microsoft recommends that you use retention labels for any personal data. In the following example steps, we will show you how to set up retention labels and policies using sensitive information types:
Important note
You can apply retention labels to Outlook, SharePoint, OneDrive, and Office 365 groups in a similar way. Further details on applying retention labels to your Office 365 content can be found in the References section at the end of this chapter.
In this section, we showed you how retention labels can be applied to emails and documents within your Microsoft 365 environment. You learned that labels can be created with file plan descriptors to automatically apply a label to content, as well as by manually setting the retention label settings.
We also showed you how retention labels can then be published to Office 365 locations using label policies or by auto-application. Finally, we showed you how your end users can view and apply retention labels in their applications and how they would appear.
In the final section of this chapter, we will show you how to use logs and reports within your Microsoft 365 environment to search for any potential personal data leaks.
Now that you are aware of some of the tools and methods that can be used to prevent personal data loss, it is equally important to diligently monitor the use of personal data in your organization. There are a number of methods available to assist Microsoft 365 compliance administrators to achieve this. They include the following:
Let's examine each of these methods.
With data loss prevention reports, you can monitor any personal data contained in OneDrive or SharePoint Online, along with any email that is in transit, by viewing policy matches and trends within the Security & Compliance Center.
To view the data loss prevention reports, you need to complete the following steps:
It may take a number of hours for the report to be emailed to you. The information included in these reports will help you to detect and view any personal data leakage occurrences.
Alert policies can also be used in conjunction with the Office 365 audit log to review both user and admin activities across your Office 365 services. With alert policies, you can set up and view alerts, and with the audit log, you can carry out manual searches to look for events based on specific criteria or time frames.
Alert policies can be created and viewed by completing the following steps:
In addition to using these types of alerts, you can view the audit log to manually search for events relating to data loss prevention.
Important note
For more details on alert policies and the Office 365 audit log, please refer to Chapter 14, Security Analytics and Auditing Capabilities, where we covered alert policies and the audit log in greater detail.
It is also possible to use the Microsoft Cloud App Security Investigate feature to view how personal data travels within cloud applications.
From the Cloud App Security portal, which is accessed via https://portal.cloudappsecurity.com, you can view the activity log and files to view sharing activities, which will help you to identify potentially sensitive information that is leaving the organization. The Investigate feature is shown in the following screenshot:
You can also configure Cloud App Security policies to assist you with managing sensitive data. We will create an example policy in the following steps:
The policy we created in the preceding steps will alert us when a file containing Personally Identifiable Information (PII) is detected by the built-in DLP engine within any sanctioned cloud app.
Another potentially useful policy that you could create using Cloud App Security is one to block any downloads of files within your cloud apps to unmanaged devices. Alerts for this activity would show you any cases of these download attempts.
Important note
Microsoft Cloud App Security was covered in greater detail in Chapter 13, Cloud App Discovery and Security. Please refer to that chapter for more information on Cloud App Security.
In this section, you learned how to access and monitor logs and reports within Microsoft 365 to gain visibility on personal data activity in your organization. We demonstrated how DLP reports, including policy matches, incident reports, and false positives and overrides, can be used to detect sensitive information.
In addition, we demonstrated how alert policies within the Security & Compliance Center can be used to generate email alerts to administrators to be triggered when a match to sensitive information types is detected. The Office 365 audit log can also be interrogated to locate these activities.
Finally, we showed you how Cloud App Security can provide visibility on activities related to file and sharing activity, as well as how policies can be created to alert us about these activities.
In this chapter, we introduced you to the principles of protecting personal data within Microsoft 365. You learned how to run content searches from the Security & Compliance Center and how to preview and export the results.
We also showed you how retention labels and policies can be set up to be applied either automatically, based on matches to sensitive information types, or by manually applying your preferred retention settings.
Finally, we demonstrated the various methods of monitoring and reporting in relation to personal data within Microsoft 365. This includes configuring alert policies and viewing the Office 365 audit log activities, along with viewing and interpreting the DLP reporting options within the Security & Compliance Center and setting up policies within Cloud App Security.
In the next chapter, we will examine data governance and retention, which includes how to view data governance logs, how to plan and execute retention tags and policies, and how to use supervision policies and apply in-place and litigation holds.
a. True
b. False
a. Classification | Sensitivity Labels
b. Classification | Retention Policies
c. Classification | Retention Labels
d. Classification | Sensitive info types
a. True
b. False
a. DLP reports
b. Alert policies
c. Cloud App Security policies
d. Threat detection reports
a. Focused Search
b. Guided Search
c. Advanced Search
a. File plan descriptors
b. Label settings
c. Label classification
a. True
b. False
a. eDiscovery | Advanced eDiscovery
b. Search | eDiscovery
c. Search | Content Search
d. Investigation | Content Search
a. Control | Templates
b. Control | Policies
c. Investigate | Files
d. Investigate | Security Configuration
a. True
b. False
Please refer to the following links for more information: