Extend Audit Log Retention From 1 Year to 10

Read Time: 2 minutes

Advanced Audit in Microsoft 365 allows retention of the Unified Audit Log for a period of 10 years.

Audit logs. We need them for investigation and compliance purposes, and we generally need them for a very long time (e.g. 10 years). Until recently, we did not have much flexibility.

Microsoft recently announced Advanced Audit for Microsoft 365 services. There are two key takeaways:

  • Advanced Audit in Microsoft 365 provides a one-year retention period for audit logs of user and admin activities, with the ability to create custom retention policies for other Microsoft 365 services.
  • An additional add-on (at additional cost) provides the ability to enable a retention period of 10 years.

Required Licensing

Accounts with any of the following licenses can be included in Advanced Audit capabilities:

  • Office 365 E5
  • Microsoft 365 E5
  • Microsoft 365 E5 Compliance
  • Microsoft 365 eDiscovery and Audit

As mentioned above, an additional license is required to extend and ensure retention of audit logs for 10 years. The additional license is expected to be available early this year (2021).

High-bandwidth API Access

Large organizations may notice an improvement in performance when using the audit log API. Every organization is allocated bandwidth for accessing its audit log based on the number of seats (licensed users) and the number of E5 licenses.

Key Benefits of the Advanced Audit Log

  • A standard retention term of 1 year for all auditable activities
  • The ability to extend retention of audit logs to 10 years without having to manage an additional service or application (e.g. Sentinel or Splunk) strictly for long-term storage of all activity logs for compliance/policy purposes
  • Improved bandwidth for accessing the Audit Log via API.
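As an added example (not from the original post), here is how the custom retention policy mentioned in the key takeaways could be created and checked from Security & Compliance PowerShell. It assumes the ExchangeOnlineManagement module is installed and that the Advanced Audit 10-year add-on is licensed for the accounts in scope; the policy name, the record types chosen and the priority are illustrative values, not taken from the post.

```powershell
# Added example: create a 10-year retention policy for the Unified Audit Log
# and verify it. Assumes the ExchangeOnlineManagement module and the 10-year
# add-on licence; names, record types and priority are illustrative.

Import-Module ExchangeOnlineManagement

# Security & Compliance PowerShell session (interactive sign-in)
Connect-IPPSSession

# Keep Exchange mailbox, SharePoint file and Azure AD sign-in activity for ten years.
# When several policies cover the same record type, the lower -Priority value wins.
New-UnifiedAuditLogRetentionPolicy -Name "Ten-year investigation retention" `
    -Description "Retain key workloads for 10 years for investigations and compliance" `
    -RecordTypes ExchangeItem, SharePointFileOperation, AzureActiveDirectoryStsLogon `
    -RetentionDuration TenYears `
    -Priority 1

# Review every retention policy in the tenant; overlapping record types with
# conflicting priorities are easiest to spot in this table.
Get-UnifiedAuditLogRetentionPolicy |
    Select-Object Name, RecordTypes, RetentionDuration, Priority

# Spot-check that events older than the default one-year window are still
# retrievable. Only meaningful once the add-on has been active for more than a year.
$start = (Get-Date).AddDays(-400)
$end   = (Get-Date).AddDays(-370)
Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -RecordType SharePointFileOperation -ResultSize 10 |
    Select-Object CreationDate, UserIds, Operations
```

The final search is the check a practitioner wants before relying on the policy for an investigation: if a record type that should be covered returns nothing from a window older than one year, the retention policy is not covering it and the events are already gone.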

Resources

Thank you for Reading

Questions? Comments? Feel free to reach out.

Getting Started with Sensitivity Labels for Files and Emails

Read Time: 3 minutes

All information is not equal.

Some documents or emails contain private financial or health information; others contain plans for lunch.

Sensitivity Labels within Microsoft 365 give end users the ability to classify their documents and emails to ensure a certain level of information protection for both their own and the organization’s content.

Sensitivity Labels for files and emails allow staff to identify specific documents as more or less sensitive than others.

For example, a briefing note to senior leadership could be tagged as ‘confidential’, which would add a “confidential” watermark to the document and restrict it from being shared externally. Compliance officers would also be able to filter reports on documents marked as confidential.

Applying labels is easy.

Once Sensitivity Labels are created and published, individuals can tag content directly within the application, giving them a seamless, low-friction experience.

Emails can be tagged with their “sensitivity” while being drafted, and documents any time they are opened. These features are available in both the installed applications and the browser-based versions.

Sensitivity Labels allow individuals to mark files and emails either with specific controls (e.g. allow internal access only) or with an existing information classification adopted or published by the organization (e.g. Protected A).

Options for controls are:

• restrict/provide access to appropriate roles (and individuals)
• add a watermark, header, and/or footer to the document to communicate the document’s sensitivity.
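To make the watermark/header control concrete, here is an added example (not from the original post) that creates a “Confidential” label with a watermark and header and publishes it to a pilot group, using Security & Compliance PowerShell. The label name, marking text and pilot group address are illustrative, and the parameter names are assumed from the New-Label and New-LabelPolicy cmdlets of the ExchangeOnlineManagement module.

```powershell
# Added example: a sensitivity label that marks documents with a watermark and
# header, published first to a pilot group. Label name, texts and the group
# address are illustrative; cmdlet parameters assumed from New-Label / New-LabelPolicy.

Import-Module ExchangeOnlineManagement
Connect-IPPSSession

# The label itself: visual markings only (no encryption), so existing
# templates and external collaboration are not affected during the pilot.
New-Label -Name "Confidential" -DisplayName "Confidential" `
    -Tooltip "Business-sensitive. Do not share outside the organization." `
    -ApplyWaterMarkingEnabled $true `
    -ApplyWaterMarkingText "CONFIDENTIAL" `
    -ApplyContentMarkingHeaderEnabled $true `
    -ApplyContentMarkingHeaderText "Confidential - Internal Use Only"

# Publish to a small pilot group rather than the whole tenant; widen the
# -ExchangeLocation scope (or use All) once feedback has been collected.
New-LabelPolicy -Name "Pilot sensitivity labels" `
    -Labels "Confidential" `
    -ExchangeLocation "[email protected]"   # placeholder pilot group

# Confirm what was created and which markings each label applies.
Get-Label |
    Select-Object DisplayName, ApplyWaterMarkingEnabled, ApplyContentMarkingHeaderEnabled

Get-LabelPolicy -Identity "Pilot sensitivity labels" |
    Select-Object Name, Labels, ExchangeLocation
```

Keeping the pilot label to markings only, and adding access restrictions later, follows the phased approach: users learn to classify content before any control can block a colleague from opening a file.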

Planning Sensitivity Labels

When planning Sensitivity Labels, it is important to consider certain key factors to ensure successful implementation and adoption.

• Align to existing information security classification schemas where available
• Leverage a cross-functional team to build the label business and technical requirements
• A clear and concise set of labels will ensure they are used correctly; avoid offering too many options, or language that requires a reference guide or training course
• Ensure alignment and approval from all key stakeholders (not just IT or Cybersecurity): Sensitivity Labels can mark documents (potentially impacting existing templates) and, more importantly, can affect the ability to collaborate (restricting documents to internal only or to subsets of internal users).

Implementation

• Pilot the labels with a small group and collect feedback prior to implementation
• If introduced into an active environment, consider a phased approach: avoid restricting access in bulk and focus on training and adoption, to build a cultural practice within the organization without impacting day-to-day activities

Resources

Learn about Sensitivity labels (Microsoft Docs)

Thank you for Reading

Questions? Comments? Feel free to reach out.

Starting BYOD using Microsoft 365

Read Time: 3 minutes

Bring Your Own Device

We want staff to work comfortably and to have flexibility. We also want to ensure it is within a secure and well-managed ecosystem. The more appropriate flexibility we provide, the more our users will happily adhere to both required standards and recommended practices.

Using Microsoft Enterprise Mobility, we can support a Bring Your Own Device (BYOD) program within the organization, which allows us to:

• Let end users work on devices they like and are already comfortable with to access corporate cloud data, safely and securely
• Restrict access to devices that meet a minimum compliance level as defined by the organization (e.g. supported operating system, device encryption, remote wipe, etc.)
• Reduce spend on IT assets and asset support
• Exclude devices not approved by the organization (Hint: this also significantly cuts down on access from malicious agents).

The two major Microsoft 365 (M365) services for implementing a successful BYOD program are Microsoft Intune and Azure AD Conditional Access.

Microsoft Intune

Using Intune, we can create device compliance policies to ensure devices meet specific standards. For example:

• which operating systems and versions are authorized for access
• require device encryption and a PIN at boot and unlock
• block devices that are rooted or jailbroken.

Intune supports iOS/iPadOS, Android, Windows, and macOS. From an operational perspective, a unified solution for managing devices greatly simplifies processes for IT Operations teams. Interoperability with other Microsoft services, such as Defender, helps provide unparalleled capabilities to harden and protect devices, thanks to the integration of tools and a unified system for accounts and access.

Intune also reduces the burden on IT Operations teams for registering devices, as it allows staff to self-enroll compliant devices.

Azure AD Conditional Access

Conditional Access helps enforce specific rules, for example ensuring that only Intune-registered mobile devices can connect to your M365 tenant.

Conditional Access also helps enforce rules using different signals. Signals include:

• User or group membership
• IP location information
• Device
• Application
• Real-time and calculated risk detection.

Based on these signals, Conditional Access applies an action to block or grant access. Granting access can also require one or more of the following:

• Require multi-factor authentication
• Require device to be marked as compliant
• Require Hybrid Azure AD joined device
• Require approved client app
• Require app protection policy

Common behaviours with Conditional Access include:

• Requiring trusted locations for Azure Multi-Factor Authentication registration
• Restricting the use of apps on mobile devices to organization-managed devices
• Blocking risky sign-in behaviours (e.g. authentication requests from different countries).
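The Intune compliance policy and the Conditional Access policy described above, expressed through the Microsoft Graph PowerShell SDK, as an added example that is not part of the original post. It creates an iOS compliance baseline (minimum OS version, passcode, no jailbreak) and a Conditional Access policy that grants Office 365 access from iOS and Android only to compliant devices or approved client apps, starting in report-only mode. The pilot group id, display names and the minimum OS version are placeholders; the Microsoft.Graph modules and the permission scopes are assumed to be available to the signed-in administrator.

```powershell
# Added example: Intune compliance baseline + Conditional Access grant control
# via Microsoft Graph PowerShell. Group id, names and OS version are placeholders.

Import-Module Microsoft.Graph.DeviceManagement
Import-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All",
                        "Policy.ReadWrite.ConditionalAccess",
                        "Policy.Read.All"

$pilotGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder pilot group

# --- Intune: what "compliant" means for a personally owned iPhone/iPad ---
# A non-compliant device is blocked immediately (gracePeriodHours = 0); Android
# uses the analogous androidCompliancePolicy type with the same rule structure.
$iosPolicy = @{
    "@odata.type"                         = "#microsoft.graph.iosCompliancePolicy"
    displayName                           = "BYOD iOS baseline"
    description                           = "Supported OS version, passcode, no jailbreak"
    osMinimumVersion                      = "15.0"        # placeholder minimum version
    passcodeRequired                      = $true         # passcode also turns on data protection
    passcodeMinimumLength                 = 6
    passcodeMinutesOfInactivityBeforeLock = 5
    securityBlockJailbrokenDevices        = $true
    scheduledActionsForRule               = @(
        @{
            ruleName                      = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{
                    actionType                = "block"
                    gracePeriodHours          = 0
                    notificationTemplateId    = ""
                    notificationMessageCCList = @()
                }
            )
        }
    )
}
$compliance = New-MgDeviceManagementDeviceCompliancePolicy -BodyParameter $iosPolicy
$compliance | Select-Object Id, DisplayName

# --- Conditional Access: only compliant devices (or approved apps) reach M365 ---
# Report-only first: the sign-in log shows what would have been blocked without
# locking anyone out while the pilot group enrols their devices.
$caPolicy = @{
    displayName = "BYOD: require compliant device for mobile access"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($pilotGroupId) }
        applications   = @{ includeApplications = @("Office365") }
        platforms      = @{ includePlatforms = @("iOS", "android") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice", "approvedApplication")
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $caPolicy
$created | Select-Object Id, DisplayName, State

# Once report-only results look right, enforce the policy:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
#     -BodyParameter @{ state = "enabled" }
```

Scoping the policy to a pilot group and leaving it in report-only mode mirrors the phased rollout the summary below recommends: the device signal only works once Intune reports compliance, so enforcing before enrolment simply blocks everyone on mobile.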

Summary

In closing, using Microsoft Intune with Azure AD Conditional Access, an organization can:

• Register and manage devices (phone, tablet, computer) for compliance and define standards
• Define requirements for accessing the organization’s M365 tenant
• Improve employee satisfaction by letting them use the devices they want to use (and not carry additional devices)
• Enhance productivity by enabling staff to work from anywhere, anytime, providing more flexibility and better overall engagement on a day-to-day basis
• Reduce resources required for IT asset and device management, allowing IT Operations to focus on more complex and challenging tasks.

Resources – docs.microsoft.com

• Azure AD Conditional Access (link)
• Microsoft Intune (link)

Thanks for reading.

If you have any questions or would like to know more, please feel free to connect with me.