Microsoft SC-900 – Module 4 : Describe the capabilities of Microsoft compliance solutions part 4

27. Customer Lockbox

Sometimes your organization might need Microsoft engineers to help troubleshoot and fix any kind of reported issues. Usually, issues are fixed through extensive telemetry, logging and debugging tools Microsoft already has in place for its services. However, in certain cases, Microsoft Engineer would require access to organizations content to determine the root cause and fix those issues. Customer Lockbox will ensure that Microsoft cannot access the content to perform a service operation without explicit approval. Customer Lockbox will also bring the organization into an approval workflow for requests in order to access their content. Customer Lockbox will support requests in order to access data in Exchange Online, OneDrive for Business and SharePoint Online.

Let’s go ahead and understand how this process looks like. So let’s say someone at an organization experiences issues with their Microsoft 365 Mailbox. After the user troubleshoots the issue, but they cannot fix it, they will go ahead and open a support request with Microsoft. Then the Support Engineer reviews the service request and determines whether the organization’s tenant can be accessed in order to repair the issue. In Exchange Online, the Microsoft Support Engineer logs into the Customer’s Lockbox Request tool and makes a Data Access request that includes the organization’s tenant name, the service request number, and the estimated time the engineer needs to access that data.

After a Microsoft Support Engineer approves that request, Customer LogBox sends the designated approval at the organization on email notification about the pending access request from Microsoft. The approval signs into Microsoft 365 Admin Center and approves that request. Sometimes this step also triggers the creation of an audit record, which is then available by searching in the audit log. Sometimes the customer will reject the request as well. So if the customer rejects the request or does not approve the request within 12 hours, the request expires and no access is granted to the Microsoft Engineer. Now, once the approval is done, let’s say the approver from the organization approves the request.

Then the Microsoft Engineer receives the approval message, logs into the tenant in Exchange Online, and thereby is able to fix the customer’s issue. Microsoft engineers have the access till the requested duration in order to fix the issue, after which the access is automatically revoked. Customer Lockbox is a formal approval process for access Control, and a common question about this is how this capability relates to pam the privileged access management which we just discussed in the previous topic. Customer Lockbox allows a level of access control for organizations when Microsoft accesses data, while the privileged Access Management allows granular access Control within an organization for all Microsoft 365 privileged tasks.

I want to tell you that Customer Log box is giving you Access Control to Microsoft, whereas Privileged Access Management is giving Access control within your organization for all the privileged activities that can be done. Well, that’s all for this module. Hopefully this has been informative to you. Thanks for watching so far and I’ll see you in the next lesson.

28. Lesson Summary

This brings us to an end of this lesson. What we learned about is the various capabilities that are available for Microsoft three, six, Five in order to protect organizations from insider risks. Without these capabilities, organizations would not be protected from insider risks. Now, if that ever happens, there could be serious negative financial and reputation consequences. With all of these features, organizations can prevent this from happening by protecting themselves from insider risk.

Now that you’ve completed this lesson, you would be able to describe how Microsoft 365 can help organizations identify these insider risks and take appropriate actions as well. You also know how how Microsoft 365 is helping organizations identify, investigate and remediate malicious and inadvertent activities. Let’s go ahead and talk about some more capabilities of Microsoft 365 specifically Ediscovery in the next lesson. Thanks for watching so far. I’ll see you in the next lesson.

29. eDiscovery capabilities of Microsoft M365 – Introduction

At times, organizations need to identify and collect information for various reasons. One of the most important reason is the legal capabilities and legal reasons. With today’s volume and variety of data, it’s vital that an organization can do this in an efficient and timely manner. Microsoft three six five Ediscovery capabilities can help organizations to achieve this goal. In this lesson we’re going to talk about various capabilities of Ediscovery, the purpose of that, the capabilities of the content search tool, then the core Ediscovery workflow. Finally, we also talk about the advanced Ediscovery workflow features. I hope this will add further value to your learning. Thanks watching so far and I’ll see you in the next lesson where our focus will be on the purpose of Ediscovery.

30. The Purpose of eDiscovery

Sometimes a company may find themselves involved in a litigation and at that point they need to find the electronic records or the electronic information to be used as an evidence. The electronic discovery or the Ediscovery tools can be used to search the content online in the Exchange Online Mailboxes. Not just that, it can search in Microsoft 365 groups. Microsoft teams SharePoint online and OneDrive for business sites as well. The other applications like Skype for business conversations and Yammer Teams, can also be searched for information. You can search across mailboxes and sites in a single Ediscovery search by using the Content Search tool.

You can also use the Core Ediscovery cases in order to identify, hold and export content which is found in mailboxes and the relevant websites. If your organization has an Office 365 e five subscription or M 365 e five subscription you can further manage, custodians and analyze content by using the Advanced Ediscovery solution in Microsoft 365. Microsoft 365 provides the Ediscovery tools like Content Search, Core Ediscovery and Advanced Ediscovery tools as well. Now, we’re going to talk about each of these tools in subsequent topics. The first one is content Search Tool.

31. The capabilities of the content search

Let’s go ahead and talk about the capabilities of the Content Search tool. This will be a long lesson, so stay tuned. The content search. Ediscovery tool has two sections. One is how do you run a search and what kind of details are available for you. And then finally, once you have the output from that search, what do you do with that right? For example, ample creating reports. Now the first part we want to know where can you run the Content Search on? Now specifically, this is meant for litigation purposes and to find electronic information as an evidence. That’s what we learned in the previous chapter. But this Content Search Ediscovery tool is accessible from the Compliance Center in Office 365 and also from Microsoft 365 consoles. So you can search in emails, documents, instant message conversations in your organizations as well.

Now, in order to be specific, I would say that you can search in exchange online mailboxes, public folders, online sites, OneDrive for business accounts, Skype for business conversations, microsoft Teams, Microsoft 365 Groups and Yammer Groups as well. For you to have access to Content Search page, you need to run certain searches and then you will be able to preview and export the results. Like I said earlier, first step is to run a search. For you to search using Content Search tool, you must choose where do you want to search, what is your content location to search and how do you configure a keyword query and find that specific item. Well, there are several capabilities of running a search. For example, you can build search queries and use conditions.

You can configure search permissions filtering so that the Ediscovery manager can only search for a subset of mailboxes or sites in your organization. You can run an ID search in order to search for a specific mailbox or a specific mailbox email message and other mailbox items. You can search for teams chat data across your on premises users as well. You can view keyword statistics for the results of a search and then refine the query if necessary. You can also search for third party data that your organization has possibly imported to Microsoft 365. Finally, you can also preserve the BCC recipients, not just Two and CC list. But in order to follow the regulatory compliance and ediscovery requirements, you may need your organizations to preserve mailbox content, including the ability to search for and reproduce details about all the recipients of the message.

Not just the ones in Two and CC, but also the BCC recipients. So that’s about running a search. Now, what is the next task that you will do after running a search? Well, you would want to refine it as much as necessary. Well, that’s the next step. So that way you can export and download the results to your local computer. Or if there is an email based attack, you can just delete the results of the search from users mailboxes. You can also use scripts for advanced scenarios. Sometimes you have to do more advanced, complex and repetitive content search tasks. So in order to make things easier, what Microsoft has done is created quite a lot of Power shell scripts in the Compliance Center that will help you do those complex content search related tasks easy way. Now, let me give you some examples of the script. So number one will be you’ll be able to search specific mailboxes and site folders.

So when you’re confident that the item responsive to a case are located in that folder, you can just pinpoint the script to that folder. You can also search the mailbox and OneDrive locations for a list of users you can create a report on as well as delete multiple searches for you to be efficient for you to quickly identify and search that data. And finally, when you have configured a search, you can clone a content search and quickly compare the results of a different keyword search query run on that same content locations or possibly use the script to save time by not having to reenter a large number of content locations every time you search. Well, that’s the benefit of using search within the context of the Edition discovery tool. Well, that’s all about this particular lesson. Now let’s go ahead and talk about the Core Ediscovery workflow in the next lesson.

32. The Core eDiscovery Workflow

What is core ediscovery? Now this is part of the Microsoft 365 suite and it will provide a very basic tool that organizations can use in order to search and export the content in Microsoft 365. Now, for you to access the Core Ediscovery, or to be added as a member of Core Ediscovery case, a user must be assigned the appropriate permissions what we call as Role based Access Controls. Specifically, the user must be a member of Ediscovery Manager Role group in Office 365 Security and Compliance Center. You will then start by creating an Ediscovery case which starts from within Microsoft 365 Compliance Center. When you create a case, you must specify a name for it and optionally define a case number. You can assign members to this case as well, so other members of your team can start working on it.

From that point the case will be displayed in the Ediscovery page and the user can step through the workflow. Now, what is an Ediscovery workflow? Now this workflow will consist of creating holds, searching for content, and exporting and downloading search results so you will be able to create an Ediscovery hold. So what is an Ediscovery hold? Well, you can use an Ediscovery case to create a hold in order to preserve the content that might be relevant to that case. You can place a hold on Exchange mailboxes and OneDrive for business accounts of people you are investigating. In that case, you can also place a hold on mailboxes and sites that are associated with Microsoft teams, possibly Microsoft Office 365 Groups and Yammer Groups as well.

Now, when you place content locations on hold, it’s preserved until you remove the hold from the current location or until you delete the hold. Remember, it may take up to 24 hours after you create the hold for it to take effect. Now at this point you got two options to scope the content that’s preserved, you create an infinite hold where all content in that specified location is placed on hold. Or you can create a query based hold where only the content in the specified locations that matches a search query is placed on hold. Or the second option is to specify a date range in order to preserve only the content that was sent, received or created within that date range. Or you can hold all the content in the specified locations regardless when it was sent, received or created.

Now, what do you have in the Ediscovery workflow? What’s the next phase? The next phase is to search for the content, right? Search for the content in the case. Now by this time you’ve placed a hold and then you create and run searches for content that relates to the case. So at this time you start the search from within the home page for that specific case. Searches are associated with the case and can only be accessed by members who are assigned to it. You can specify keywords of course. So the message properties, for example, sent and received dates or document properties such as file names or the date of the document that was last changed, all of these can be searched with the Boolean operators like and or not or near.

You can also search for sensitive information, for example, Social Security numbers and you can search it in documents or search for documents that have been shared externally. And if you don’t specify any keywords, all content located in that specified content location will be included in the search results. Now, the third part of this workflow is exporting the content from that case. Well, you can export search results, mailbox items that are downloaded in a PST file or as individual messages can be exported. Content from SharePoint OneDrive or Business sites. You can also have copies of native Office documents or other documents can also be exported. So what you will finally have is a Result CSV that contains information about every item that was exported and a Manifest file as well, which is an XML format.

And it contains information about every search result that is exported. You can export the results of both a single search or results from multiple searches that are associated with a case. Finally, you can close, reopen and delete a core Ediscovery case, right? So when the cases are open, they can be closed as well. So when the investigation or the legal close is completed, you close the case and any holes that are associated with it will be turned off. Now, once you turn off, there’s a 30 day grace period on the contents locations that were on hold. Well, let me tell you about the main difference between an active and a closed case. The main difference is that Ediscovery holds are turned off for a closed case.

So when you reopen a case, what happens? Well, when you reopen a closed case, any hold that was in place when it was closed would be reinstated automatically. So after reopening the case, you will need to turn on any previous holds. A reopened case will have its status changed from closed to Active. Well, that’s all for now when it comes to Ediscovery and the workflow and the various components inside the workflow. So just to summarize, we got a hold which is called as Ediscovery hold. Then you search for the content inside the hold and then you can export and download the results. Thanks for watching so far. I hope this has been informative to you. Let’s go ahead and talk about any advanced features available inside the Ediscovery workflow.

33. The advanced eDiscovery workflow

Let’s take a look at the advanced features in Ediscovery workflow. Now, this is built on top of the Core Ediscovery module. This new solution provides an EndToEnd workflow to preserve, collect, review, analyze, and export the content that’s relevant to your organization’s internal and external investigations. So that means that your legal team can now manage the entire legal hold notification workflow to communicate with the custodians involved in that case. The built in workflow of the Advanced Ediscovery, as you see in the picture, aligns with the Electronic Discovery Reference Model, what’s called as EDRM. EDRM is a framework that outlines standards for recovery and discovery of digital data. So first thing that you do is you add custodians to the case, and that is the first step after creating the case.

So, custodians are the people who have administrative control of a document or an electronic file that could be relevant to that case. You can then search for custodial information for data that is relevant to this case. So after custodians have been added to the case, you can use the built in search tool to find the custodian locations for data that might be relevant. You do this by using keyword properties and conditions in order to build your search queries. Now, this will be returning search results that contain data that’s likely to be prevalent in that case. Finally, you preview those search results to quickly verify whether the data is relevant and revise your queries and rerun searches to improve the results. The next step is adding data to review the set.

That means after configuring and verifying that a search result has been provided, you will be checking and preparing your results for review and analysis. You can do this by adding the search results to the review sets. The next step is review and analyze data in the review set. So when your data is in the review set, you are ready to view and analyze the case data through a wide variety of capabilities and tools such as filters, queries, and tags. The next step is export and download case data. And that is a final step. So you will be exporting the data out of advanced Ediscovery for external review. For example, you may call in an external team of investigators.

You export the data out of the review set and then copy it to possibly a central location like Azure Storage location. You can then use Azure Storage Explorer to download that data as an export package to a local device as well. Finally, to summarize this, I would like to tell you that Advanced Ediscovery in Microsoft 365 is helping you preserve, collect, review, analyze, and export the data that’s relevant to your organization’s internal as well as for your external investigations. Now, that marks the end of this module. Let’s go ahead and summarize this in the next video.