Microsoft SC-900 – Module 4: Describe the capabilities of Microsoft compliance solutions part 5
- Lesson Summary
So far, we know that organizations get into situations where they need to collect information for legal reasons, and you want to know how you could enable your organization to meet this goal. We looked at eDiscovery as a one-stop shop that helps organizations identify and collect information in a rapid and effective manner to meet those legal requirements. So what did we understand here? We looked at the purpose of eDiscovery, looked at the capabilities of the Content Search tool, then we looked at the Core eDiscovery workflow and finally the Advanced eDiscovery workflow as well. Thanks for watching so far. Hopefully this lesson was informative to you. Let’s go ahead and jump straight into the next lesson, where we will talk about the audit capabilities of Microsoft 365.
- The audit capabilities of Microsoft 365 - introduction
There will be times when organizations need to investigate the actions of certain employees, perhaps because there is suspicious activity. For example, organizations may need to track who viewed, and possibly who altered or deleted, certain files. The audit logs can do exactly that: monitor these types of activities. In this lesson, let’s go ahead and understand the auditing capabilities in Microsoft 365. After this lesson, you will be able to explain the core audit capabilities of Microsoft 365 and also describe the purpose and value of advanced auditing. Let’s get started.
- The core audit capabilities of M365
The audit functionality in the Microsoft 365 Compliance Center allows organizations to view user and administrator activity through a unified audit log. For example, did an administrator reset a password? Did a user change a setting for a team in Microsoft Teams? The unified audit log supports searching user and administrative activity across Microsoft 365 services, Dynamics 365, Microsoft Power Apps and Microsoft Power Automate as well. It also integrates with Microsoft Power BI and Azure Active Directory to provide a single, holistic audit log solution. When an audited activity is performed by a user or an admin, an audit record is generated and stored in the audit log for that organization.
Now, how long do we keep it? Well, the length of time an audit record is kept depends on the Office 365 or Microsoft 365 Enterprise subscription, specifically the type of license assigned to specific users. For the core audit capabilities, the audit record is kept and searchable for 90 days. Searching the audit log requires the search capability to be turned on, and the user doing the search needs to be assigned the appropriate role. The search criteria can be configured based on the various activities somebody performed, the start date and end date on which the activity was performed, the user’s name, and the files, folders or sites the user was accessing. The results of the audit log search can then be filtered and exported to CSV as well. The exported file will have information like the date, the IP address of the device that was used to perform the activity (the IP address is displayed in IPv4 and IPv6 formats), the username of the user who completed the action that triggered the event, the activity that was performed by the user, and the item or object that was modified or created because of the corresponding activity; as an example, the file that was viewed or modified, or the user account that was updated.
But keep in mind that not all activities have a value in this column. And finally, you can also look at the detail column for any additional information about an activity. Keep in mind as well that audit logs are not updated right away: it takes up to 30 minutes, and sometimes even up to 24 hours, after an event has occurred for the corresponding audit log record to be returned in the results of an audit log search. Now that’s the core audit capabilities of M365; let’s go ahead and talk about the advanced audit capabilities. We’ll talk about long-term retention, how you access the crucial events for investigations, and also high-bandwidth access to the Office 365 Management Activity API in the subsequent videos.
- What are the Advanced Auditing Capabilities
Let’s go ahead and dive into the advanced auditing concepts of Office 365. Advanced Audit helps your organization conduct forensic and compliance investigations by increasing the audit log retention that’s required to conduct an investigation. It provides access to crucial events that help determine the scope of compromise, and faster access to the Office 365 Management Activity API. These capabilities differentiate Advanced Audit from the core audit functionality described in the previous chapter. So what will you need? Well, you will need a Microsoft 365 E5 license, or a Microsoft 365 E3 or Office 365 E3 license with a Microsoft 365 E5 Compliance or Microsoft 365 E5 eDiscovery and Audit add-on license.
That’s a mouthful of licenses, by the way. But if you would like to have the advanced auditing features, then you will need an appropriate license in order to get them. Let’s talk about long-term retention of audit logs. Well, Advanced Audit keeps all Exchange, SharePoint and Azure Active Directory audit records for one year. Keeping audit records for longer periods can help with ongoing forensic or compliance investigations as well. Microsoft now also has the capability to keep audit logs for ten years. Ten-year retention of audit logs helps support running investigations and responding to regulatory, legal and internal obligations. Keep in mind that retaining audit logs for ten years requires an additional add-on license. So how do you access such audit logs for crucial events during investigations?
Well, Advanced Audit helps organizations conduct forensic and compliance investigations by providing access to crucial events. Examples are when mail items were accessed, when mail items were replied to or forwarded, and when and what a user searched for in Exchange Online and SharePoint Online. These crucial events can help admins and users investigate possible breaches and determine the scope of compromise. There are several crucial events that Advanced Audit can provide information about. The first is Mail Items Accessed. The Mail Items Accessed event is a mailbox auditing action that’s triggered when mailbox data is accessed by mail protocols and mail clients. The Mail Items Accessed action can help investigators identify data breaches and determine the scope of messages that may have been compromised.
The Send event. This is also a mailbox auditing action and is triggered when a user does any of these actions: sending an email message, replying to an email message, or forwarding an email message. Investigators can use it to track the actions of a possible malicious attacker or a compromised account. The next one is Search Query Initiated Exchange. This event is triggered when a person uses the search bar in Outlook on the web to search for items in a mailbox, so investigators can use this event to determine if an attacker may have compromised an account. The audit record for this event contains information such as the actual text of the search query. So by looking at the search queries an attacker may have made, an investigator can better understand the intent behind the email data that was searched for.
The next one is Search Query Initiated SharePoint. As the name says, this is related to SharePoint queries, and this event is triggered when a person searches for items on the SharePoint home page for your organization. Investigators can use this event to determine if an attacker tried to find, or possibly accessed, sensitive information in SharePoint. So by looking at search queries that an attacker may have performed, an investigator can better understand the intent and the scope of the file data being searched for. These are the crucial events provided in the advanced auditing capabilities of M365. Next we’ll talk about high-bandwidth access to the Office 365 Management Activity API. Thanks for watching so far, and I’ll see you in the next lesson.
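The CSV export columns described in the core audit lesson and the four crucial events described above, as an added Python example that is not part of the course: it parses a constructed audit log export and summarizes one account’s crucial events. The Activity values are the operation names recorded in the audit log; the column headers, the Detail contents and every user, address and item are constructed assumptions about the export’s layout.

```python
import csv
import io
import ipaddress

# Constructed sample of a unified audit log CSV export. The columns are the
# ones the lesson lists (date, IP address, user, activity, item, detail); the
# Activity values are the operation names Advanced Audit records for the
# crucial events. All users, addresses, items and detail text are made up.
SAMPLE_EXPORT = """\
Date,IP address,User,Activity,Item,Detail
2023-03-01T08:12:03Z,203.0.113.7,alice@contoso.example,MailItemsAccessed,Inbox/Q1-budget.eml,Bind
2023-03-01T08:15:41Z,203.0.113.7,alice@contoso.example,SearchQueryInitiatedExchange,,password reset
2023-03-01T08:16:10Z,2001:db8::1f,alice@contoso.example,Send,Fwd: Q1 budget,Forward
2023-03-01T09:02:55Z,198.51.100.4,bob@contoso.example,FileAccessed,HR/handbook.docx,
2023-03-01T09:30:12Z,203.0.113.7,alice@contoso.example,SearchQueryInitiatedSharePoint,,payroll export
"""

# The four crucial events described in the lesson.
CRUCIAL_EVENTS = {
    "MailItemsAccessed",
    "Send",
    "SearchQueryInitiatedExchange",
    "SearchQueryInitiatedSharePoint",
}


def parse_export(text):
    """Read an exported audit log CSV into a list of row dicts.

    The IP address column may hold IPv4 or IPv6 values; both are accepted and
    the address family is recorded so an investigator can group by it."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["IP address"]:
            row["ip_version"] = ipaddress.ip_address(row["IP address"]).version
        rows.append(row)
    return rows


def scope_of_compromise(rows, user):
    """Summarize the crucial events for one suspected-compromised account:
    mail items that were accessed, messages sent or forwarded, the text of any
    Exchange or SharePoint searches, and the source addresses involved."""
    summary = {"items_accessed": [], "sent": [], "searches": [], "source_ips": set()}
    for row in rows:
        if row["User"] != user or row["Activity"] not in CRUCIAL_EVENTS:
            continue
        summary["source_ips"].add(row["IP address"])
        if row["Activity"] == "MailItemsAccessed":
            summary["items_accessed"].append(row["Item"])
        elif row["Activity"] == "Send":
            # In this constructed export the detail column carries the
            # sub-action (send, reply or forward) and the item is the subject.
            summary["sent"].append((row["Detail"], row["Item"]))
        else:
            # Search events carry the actual query text in the detail column.
            summary["searches"].append((row["Activity"], row["Detail"]))
    return summary


if __name__ == "__main__":
    records = parse_export(SAMPLE_EXPORT)
    for key, value in scope_of_compromise(records, "alice@contoso.example").items():
        print(key, value)
```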
- High Bandwidth for Office 365 API Activities
Now, what we’re trying to retrieve with audit data is a huge volume of information. For example, you’re trying to retrieve the email information: who sent it, who replied to it, who forwarded it. And if you’re trying to search through such voluminous information, it’s like finding a needle in a haystack, and finding the needle in the haystack may take a lot of time. What I mean to say is that you need a lot of bandwidth. Organizations that access audit logs through the Office 365 Management Activity API were previously restricted by throttling limits at the publisher level. This means that for a publisher pulling data on behalf of multiple customers, the limit was shared by all those customers. Now, with the release of Advanced Audit, Microsoft is moving from a publisher-level limit to a tenant-level limit.
What does that mean? Well, it means that each organization gets its own fully allocated bandwidth quota to access its auditing data. So the bandwidth here is not static, not a predefined limit; it is modeled around a combination of factors. And what are those? Well, they include the number of seats in the organization, meaning how many licenses you have procured, and the type of Microsoft 365 license. Organizations with an E5 license will get more bandwidth than non-E5 organizations. Well, that’s all for now, folks. That’s the end of this lesson. We are in module four, talking about the audit capabilities of Microsoft 365. Let’s go ahead and summarize what we learned in the next lesson. Thanks for watching so far. I’ll see you there.
- Lesson Summary
Here we are in the last video of this chapter, the summary. Now, we know that audit logs can help organizations and enterprises meet the regulatory requirements for protecting their records. Microsoft 365 offers both standard and advanced auditing capabilities, and with these, organizations will be able to achieve their goals. By retaining audit logs, organizations can respond to any kind of investigation, whether internal or external, and ensure that they are in line with legal or government requirements. Now that you’ve completed this lesson, you understand the core audit capabilities of Microsoft 365 and the purpose and value of advanced auditing. Thanks for listening so far. Let’s go ahead and get started with the next chapter, which describes the resource governance capabilities in Microsoft Azure. I’ll see you there.
- Describe the resource governance capabilities - introduction
In Microsoft Azure you create quite a lot of resources: virtual machines, storage accounts, databases, or maybe backup and disaster recovery related resources. Organizations succeed when they create resources and use such services in Azure, but administrators need to ensure that these resources are governed properly. This needs to be done to make sure that these resources are secure and in line with the organization’s compliance requirements. What are we going to learn in this module? Well, you will learn about the resource governance capabilities that are available in Azure, and also how the Cloud Adoption Framework works. So without any further delay, let’s get started. The first topic is Azure resource locks.
- Resource Manager – Locks
So what is a resource lock? As the name itself says, it locks your resources. It is used to prevent resources from being accidentally deleted or accidentally changed. Even with role-based access controls in place, there is always a risk that people with the right level of access could delete a critical resource. Azure Resource Manager locks prevent users from accidentally deleting or modifying a critical resource. You can apply the lock at a subscription level, at a resource group level, and even at a resource level. There are several times when an administrator needs to lock a subscription, a resource group or a resource, thereby preventing people from accidentally deleting or writing things into the resource.
A lock would be applied in this situation to prevent users from accidentally deleting or even modifying a critical resource. A lock level can be set to CanNotDelete or ReadOnly; in the Azure portal you will see something like Delete and Read-only. When the lock level is set to CanNotDelete, it means that authorized users can still read and modify a resource, but they cannot delete the resource. ReadOnly, by contrast, means that authorized users can read a resource, but they cannot delete or update it. Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role. Remember that a resource can have more than one lock. For example, you can put both a CanNotDelete and a ReadOnly lock on a resource, which means that users will not be able to write to it because of the ReadOnly lock, and they cannot delete it either because of the CanNotDelete lock.
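The lock levels and the "more than one lock" case above, as an added Python example that is not part of the course. It models how the two lock levels combine and how a lock set on a parent scope (resource group or subscription) is inherited by every resource under it; the resource IDs and lock assignments are constructed and the subscription GUID is a placeholder.

```python
# Lock levels as exposed by Azure Resource Manager.
CAN_NOT_DELETE = "CanNotDelete"
READ_ONLY = "ReadOnly"

# Constructed resource IDs; the subscription GUID is a placeholder.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
PROD_RG = SUB + "/resourceGroups/prod-rg"
DEV_RG = SUB + "/resourceGroups/dev-rg"
WEB_VM = PROD_RG + "/providers/Microsoft.Compute/virtualMachines/web01"
LOG_STORAGE = PROD_RG + "/providers/Microsoft.Storage/storageAccounts/prodlogs"
DEV_VM = DEV_RG + "/providers/Microsoft.Compute/virtualMachines/dev01"

# Constructed lock assignments: (scope the lock was created on, lock level).
# Two locks end up applying to WEB_VM: ReadOnly on the VM itself and
# CanNotDelete inherited from its resource group.
LOCKS = [
    (PROD_RG, CAN_NOT_DELETE),
    (WEB_VM, READ_ONLY),
]


def effective_locks(resource_id, locks):
    """Return the lock levels that apply to a resource: locks set on the
    resource itself plus locks inherited from any parent scope
    (resource group or subscription) that contains it."""
    levels = set()
    for scope, level in locks:
        if resource_id == scope or resource_id.startswith(scope + "/"):
            levels.add(level)
    return levels


def is_allowed(action, resource_id, locks):
    """Decide whether 'read', 'update' or 'delete' is permitted by the locks.

    Returns (allowed, reason). RBAC is assumed to already permit the action;
    locks only ever remove permissions, never grant them."""
    levels = effective_locks(resource_id, locks)
    if action == "read":
        return True, "locks never restrict reads"
    if READ_ONLY in levels:
        return False, "ReadOnly lock: can read but not update or delete"
    if action == "delete" and CAN_NOT_DELETE in levels:
        return False, "CanNotDelete lock: can read and modify but not delete"
    return True, "no lock restricts this action"


if __name__ == "__main__":
    for res in (WEB_VM, LOG_STORAGE, DEV_VM):
        for act in ("read", "update", "delete"):
            print(res.rsplit("/", 1)[-1], act, is_allowed(act, res, LOCKS))
```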
- What is Azure Blueprints
There are situations when you would like to create similar sets of environments. For example, the prod environment must be the same as the stage environment, or the stage environment must be the same as the QA environment. Now, if you need to deploy the infrastructure repeatedly, it becomes really problematic because you have to do things manually. Azure Blueprints provides a way to define a repeatable set of Azure resources. Azure Blueprints enables development teams to rapidly provision and spin up new environments. Teams can also provision Azure resources across several subscriptions simultaneously, meaning that they can deploy infrastructure in a shorter development time with quicker delivery as well. Azure Blueprints is a declarative way to orchestrate the deployment of various resources and other artifacts. These artifacts include role assignments, policy assignments, ARM templates, and resource groups.
What this means is that if you would like to define and grant permissions, control your environment with Azure policies, spin up a couple of ARM templates and create multiple resource groups, all of that can be done with the help of Azure Blueprints. The blueprint objects are also replicated to multiple Azure regions, which means that blueprints have high availability as well. The replication of blueprints provides low latency, high availability and consistent access to your blueprint objects. So whatever region in Azure you choose, the blueprints will be available in that region, because Azure Blueprints are replicated across multiple Azure regions.
Now, with Azure Blueprints, the relationship between the blueprint definition (what should be deployed) and the blueprint assignment (what was deployed) is always preserved, so you always get a view of what should be deployed and what was deployed. This connection helps improve tracking and helps you audit your deployments. Azure Blueprints helps ensure Azure resources are deployed in a way that’s in line with your compliance requirements. However, there’s another service called Azure Policy, which we’ll be talking about in a minute, that is there to continuously monitor your resources and ensure they always adhere to your compliance requirements. Let’s talk about Azure Policy and understand it in the next lesson.
- What is Azure Policy
Let’s talk about Azure Policy. There are situations when you would like to enforce certain standards and also assess compliance across your organization. Azure Policy is designed to do just that. Azure Policy has a compliance dashboard you can access, and with that you get an aggregated view to help evaluate the overall state of your environment. You can also drill down per resource and per policy and identify whether it is compliant or not. You can also use capabilities like bulk remediation for existing resources and automatic remediation for, say, new resources, to resolve issues rapidly and effectively. There are several use cases for Azure Policy: implementing governance for resource consistency, regulatory compliance, security, cost, or even management.
Azure Policy evaluates all the resources in Azure, but remember that Azure Policy, with the help of Azure Arc, can also look at resource types hosted outside Azure. Azure Policy is there to evaluate whether the properties of the resources match the business rules you have defined. These business rules are defined in JSON format and are referred to as policy definitions. For simplified management, you can group together multiple business rules to form a single policy initiative. After the business rules have been formed, you can assign the policy definition or policy initiative to any supported scope of resources. For example, the supported scopes are management groups, subscriptions, resource groups, or even individual resources.
So what will be the final outcome of this? Azure Policy will evaluate all your resources at specific times during the resource life cycle, and if it finds anything out of compliance, it’s going to flag it in red as non-compliant. There are different events or times when an evaluation is triggered. For example, when a resource is created, deleted, or updated in the scope of a policy assignment; at that time, you will see whether the policy lets you create, delete or update that resource. It will also trigger when a policy or an initiative is newly assigned to a scope, when a policy or initiative already assigned to a scope is updated, and during the standard compliance evaluation cycle, which happens every 24 hours.
Organizations will vary in how they respond to non-compliant resources, because you will be able to see the compliant and non-compliant resources on that dashboard. All in all, Azure Policy is there to help you enforce standards and assess compliance across the organization. With Azure Policy, you get a compliance dashboard with an aggregated view of every resource, and thereby you’ll be able to know whether that particular resource or service is compliant or not. But remember that there is a difference between Azure Policy and Azure role-based access control. Let’s go ahead and take a look at that in the next section.
- Difference between Azure Policy and RBAC
Two things that people often confuse are Azure Policy and Azure RBAC. Let’s go ahead and talk about the differences here. It’s important not to confuse Azure Policy with Azure RBAC. Well, you use Azure Policy to ensure that the state of the resources is compliant with your organization’s business rules, no matter who made the change or who has the permissions to make those changes. Azure Policy is there to evaluate the state of the resource and then act on it in order to ensure that the resources always stay compliant. On the other side, role-based access control focuses on managing user actions at different levels.
Azure RBAC manages who has access to Azure resources, what they can do with those resources, and what areas they can access. If actions need to be controlled, you would do that with RBAC. If an individual has access to complete an action but the result would be a non-compliant resource, then Azure Policy still blocks that action. That means that even if you are an admin with permissions to do a lot of things, and you go ahead and, let’s say, create a virtual network in a subscription that has a policy against it, you will not be allowed to create the network even though you have full admin access. The two work together in order to achieve good governance for the organization.
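The two gates described above (RBAC decides whether the identity may act, Azure Policy decides whether the result is compliant), as an added Python example that is not part of the course. The policy definition uses the real JSON shape of an Azure Policy rule (an `if` condition on resource properties and a `then` effect) for the lesson’s virtual network scenario; the condition evaluator is a deliberately simplified illustration, not Azure’s engine, and the role assignments, principals and subscription GUID are constructed placeholders.

```python
# A policy definition in the JSON shape Azure Policy uses: an "if" condition
# over resource properties and a "then" effect. This one denies virtual
# networks, the scenario the lesson describes.
DENY_VNET = {
    "properties": {
        "displayName": "Deny virtual networks",
        "mode": "All",
        "policyRule": {
            "if": {"field": "type", "equals": "Microsoft.Network/virtualNetworks"},
            "then": {"effect": "deny"},
        },
    }
}

# Constructed RBAC role assignments: (principal, role, scope). The subscription
# GUID is a placeholder. Only write-capable roles may create resources.
SUBSCRIPTION = "/subscriptions/00000000-0000-0000-0000-000000000000"
ROLE_ASSIGNMENTS = [
    ("admin@contoso.example", "Owner", SUBSCRIPTION),
    ("auditor@contoso.example", "Reader", SUBSCRIPTION),
]
WRITE_ROLES = {"Owner", "Contributor"}


def rbac_allows_write(principal, resource_id):
    """The RBAC question: does this identity hold a write-capable role on a
    scope that contains the resource?"""
    return any(
        p == principal and role in WRITE_ROLES and resource_id.startswith(scope)
        for p, role, scope in ROLE_ASSIGNMENTS
    )


def condition_matches(cond, resource):
    """Simplified evaluator for the policy condition language: field tests
    with equals/notEquals/in and the allOf/anyOf/not combinators. Fields are
    looked up directly on the resource dict rather than through aliases."""
    if "allOf" in cond:
        return all(condition_matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_matches(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not condition_matches(cond["not"], resource)
    value = resource.get(cond["field"])
    if "equals" in cond:
        return value == cond["equals"]
    if "notEquals" in cond:
        return value != cond["notEquals"]
    if "in" in cond:
        return value in cond["in"]
    raise ValueError("unsupported condition: %r" % cond)


def policy_effect(definition, resource):
    """Return the rule's effect if its condition matches the resource, else None."""
    rule = definition["properties"]["policyRule"]
    return rule["then"]["effect"] if condition_matches(rule["if"], resource) else None


def attempt_create(principal, resource, policies):
    """Both gates must pass: RBAC decides whether the identity may act at all,
    Azure Policy decides whether the resulting resource would be compliant."""
    if not rbac_allows_write(principal, resource["id"]):
        return False, "RBAC: no write permission at this scope"
    for definition in policies:
        if policy_effect(definition, resource) == "deny":
            return False, "Policy: " + definition["properties"]["displayName"]
    return True, "allowed"
```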
- Cloud Adoption Framework
The Microsoft Cloud Adoption Framework for Azure consists of documentation, implementation guidance, best practices and tools designed to help businesses implement the strategies necessary to succeed in the cloud. The Cloud Adoption Framework has been carefully designed based on cloud adoption best practices from Microsoft employees and partners. The various categories that you see here are proven methodologies that have helped many customers, employees and partners. You can use one of these strategies to go ahead and implement the cloud, specifically Azure, in your organization. Let’s go ahead and understand the life cycle of cloud adoption. There are various steps in the cloud adoption lifecycle. The first one is strategy.
This is where you define the business justification and expected outcomes of the adoption. You then go ahead and plan, which means aligning actionable adoption plans to the business outcomes. You are then ready to prepare the cloud environment for the planned changes. Then you adopt the cloud: you can either choose to migrate or innovate, that is, migrate and modernize existing workloads, or develop new cloud-native or hybrid solutions. Then it’s important to govern the environments and workloads that now exist in the cloud. Finally, you manage the cloud environments with the help of operations management tools built for cloud and hybrid solutions. When an enterprise’s digital transformation involves the cloud, understanding these fundamental concepts will help you during each step of the process.