If you have an Azure subscription with a Log Analytics workspace created and at least Azure AD Premium P1, you can send Azure Active Directory activity log data to Azure Monitor easily by following these steps:
Under Monitoring, select Diagnostic settings and then click + Add diagnostic setting:
Figure 2.15 – Configuring Azure AD diagnostic settings
3. Under Logs, select one or more categories of logs to send to the workspace.
4. Under Destination details, check the Send to Log Analytics workspace checkbox and then select an Azure Subscription and Log Analytics workspace. Click Save when you have finished selecting these options:
Figure 2.16 – Selecting diagnostics settings for Azure Monitor
After about 15 minutes, new logging event data should begin showing up in the Log Analytics workspace.
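The same diagnostic setting can be created programmatically, which is useful when you want it under version control or applied consistently across tenants. The following Python script is an added example, not code from the book or from Microsoft; it builds the request body for the Azure Monitor diagnostic-settings REST endpoint for Azure AD and can PUT it with a bearer token you supply. The resource path `/providers/microsoft.aadiam/diagnosticSettings/{name}`, the `api-version` value, the category names in `KNOWN_CATEGORIES`, and the workspace resource id are assumptions from Microsoft's documentation as remembered at the time of writing; confirm them against the current docs and the category list the portal shows for your tenant before relying on them.

```python
"""
Added example (not from the book): programmatic equivalent of the portal
steps for sending Azure AD activity logs to a Log Analytics workspace.
Only the body builder runs offline; apply_diagnostic_setting() performs
the real PUT and must be invoked by you with a valid ARM access token.
"""
import json
import urllib.request

ARM_BASE = "https://management.azure.com"
# Assumed endpoint and version; verify against current Microsoft docs.
API_VERSION = "2017-04-01-preview"

# Assumed category names exposed under "Logs" in the portal.
KNOWN_CATEGORIES = {
    "AuditLogs",
    "SignInLogs",
    "NonInteractiveUserSignInLogs",
    "ServicePrincipalSignInLogs",
    "ManagedIdentitySignInLogs",
    "ProvisioningLogs",
}


def build_diagnostic_setting(workspace_resource_id, categories):
    """Return the JSON body for the PUT request.

    workspace_resource_id: full ARM id of the Log Analytics workspace, e.g.
      /subscriptions/<sub>/resourceGroups/<rg>/providers/
      Microsoft.OperationalInsights/workspaces/<name>
    categories: the log categories to enable (the portal's checkboxes).
    """
    wanted = set(categories)
    unknown = wanted - KNOWN_CATEGORIES
    if unknown:
        raise ValueError(f"unknown log categories: {sorted(unknown)}")
    if not workspace_resource_id.startswith("/subscriptions/"):
        raise ValueError("workspaceId must be a full ARM resource id")
    # Every known category is listed; only the requested ones are enabled.
    logs = [{"category": c, "enabled": c in wanted} for c in sorted(KNOWN_CATEGORIES)]
    return {"properties": {"workspaceId": workspace_resource_id, "logs": logs}}


def enabled_categories(body):
    """List the categories a built body turns on (handy for review/tests)."""
    return sorted(l["category"] for l in body["properties"]["logs"] if l["enabled"])


def setting_url(name):
    """URL of the tenant-wide Azure AD diagnostic setting called `name`."""
    return (f"{ARM_BASE}/providers/microsoft.aadiam/diagnosticSettings/"
            f"{name}?api-version={API_VERSION}")


def apply_diagnostic_setting(name, body, bearer_token):
    """PUT the setting. Requires an ARM token with rights to manage Azure AD
    diagnostic settings and to write to the workspace. Not run offline."""
    req = urllib.request.Request(
        setting_url(name),
        data=json.dumps(body).encode(),
        method="PUT",
        headers={"Authorization": f"Bearer {bearer_token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholder workspace id; replace with your own resource id.
    ws = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
          "rg-logs/providers/Microsoft.OperationalInsights/workspaces/law-aad")
    print(json.dumps(build_diagnostic_setting(ws, ["AuditLogs", "SignInLogs"]), indent=2))
```

Enabling `SignInLogs` and `AuditLogs` is the usual minimum for sign-in and change monitoring; the non-interactive and service-principal sign-in categories are much higher volume, so check their ingestion cost before turning them on.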
Configuring and reviewing reports
With reporting data now flowing into Azure Monitor and Log Analytics, you can review auditing and logging data to gain insights into how your tenant and directory services are being used.
To review this data, you’ll need to have access to the Log Analytics workspace where Azure Monitor is sending data, as well as one of the following roles:
Global Admin
Reports Reader
Security Admin
Security Reader
With that, let’s start looking at logs!
Azure AD logs and reports
Azure AD provides several default reports that can be used to identify issues quickly. The core reports are the Audit, Sign-in, and Provisioning logs.
Audit log data can be held for up to 10 years, depending on the license:
Office 365 E1 or E3; Microsoft 365 F1 or E3: 90 days
If an incident occurs that affects the availability of services or features in your tenant, you need to be able to respond quickly. An incident response plan is a framework that you can prepare to help you address issues quickly.
While the details of each incident may differ, the steps you take to both prepare and work through one are the same:
Validate the incident scope details and confirm that your environment is affected. Not all incidents affect all tenants, so use the information in the Message Center (https://admin.microsoft.com/#/MessageCenter), as well as investigative procedures such as self-assessments and tests or synthetic transactions.
Determine whether the incident is relevant to your organization. If the incident involves a service that your organization hasn’t yet deployed or doesn’t interfere with business operations, it may not be relevant.
Once degradation and relevancy to your environment have been confirmed, review information sources for details on the timeline of Microsoft’s response. Microsoft will post regular status updates in the Message Center. If information such as a timeline has not been established, you can open a service ticket with Microsoft to request this information.
Develop a backup solution in case the service outage or degradation lasts longer than an acceptable time frame for your organization. Depending on the type of outage, this may mean working offline to fulfill business requirements.
Business continuity planning (BCP) is important regardless of the technology platforms or services being used. Work with various business unit owners to establish communication plans and methods to continue business operations should a service interruption occur.
Monitoring service health
Service health information is available from the Microsoft 365 admin center (https://admin.microsoft.com). Microsoft provides health information for a variety of services and features, including SaaS services such as Exchange Online and SharePoint Online, the health of the directory synchronization environment, and Windows operating system feature issues and service health.
You can check the overall service health by navigating to the health dashboard (Health | Dashboard), as shown in Figure 2.5:
Figure 2.5 – Service health dashboard
The health dashboard contains the current health status of all Microsoft 365 services. Normally, services will appear as Healthy, though this status will be updated when a service experiences an issue.
The Service health page (Health | Service health) will display the most detailed and comprehensive information on any ongoing or resolved issues:
Figure 2.6 – Service health page
If a service has an advisory or incident, you can expand the issue item under Active issues to display relevant events, as shown in Figure 2.7:
Figure 2.7 – Service health active issues
Selecting an individual item reveals expanded information about the particular issue. See Figure 2.8 for an example:
Figure 2.8 – Expanded active issue
Each service with an incident will display a status. Possible statuses include the following:
Normal service: This status indicates the service is available and has no current incidents or incidents during the reporting period.
Extended recovery: This status indicates that while steps have been completed to resolve the incident, it may take time for operations to return to normal. During an extended recovery period, some service operations might be delayed or take longer to complete.
Investigating: This status indicates that a potential service incident is being reviewed.
Service restored: This status indicates that an incident was active earlier in the day but the service was restored.
Service interruption: This status indicates the service isn’t functioning and that affected users are unable to access the service.
Additional information: This status indicates the presence of information regarding a recent incident from the previous day.
Service degradation: This status indicates that the service is slow or occasionally seems to be unresponsive for brief periods.
PIR published: This status indicates that a Post-Incident Report (PIR) of the service incident has been published.
Restoring service: This status indicates that the service incident is being resolved.
As an administrator, it’s important to frequently check the Service health dashboard to be apprised of alerts or incidents. If a service issue is affecting the Microsoft 365 admin center, you can also try the Office 365 status page (https://status.office.com) and the Azure status page (https://status.azure.com).
In this chapter, you learned about the fundamental aspects and terminology of configuring a Microsoft 365 tenant, such as selecting a tenant and subscription type, adding domains, and configuring the basic organization settings.
In the next chapter, we will learn how to monitor the Microsoft 365 tenant’s health.
Knowledge check
In this section, we’ll test your knowledge of some key elements from this chapter.
Questions
What is the maximum number of domains that can be added to a Microsoft 365 tenant?
100
500
900
1,000
You are the administrator for an organization with 250 employees. Which Office 365 subscription best fits the size of the organization?
Microsoft 365 Family
Microsoft 365 Business
Microsoft 365 Enterprise
Microsoft 365 Education
You recently took over the administration duties for a Microsoft 365 tenant for a start-up organization. The organization purchased a domain from a third-party registrar. Can this domain be used with Microsoft 365?
Yes
Yes, but it must be transferred to Microsoft first
No
Only domains purchased through the Microsoft 365 admin center can be configured for use with Microsoft 365
Your organization wants to turn off Microsoft Books for all employees until the support staff has had time to read the documentation. From the available options, what should you do?
Disable all Azure AD user accounts
Disable directory synchronization
Disable bookings from Org settings | Services
Disable bookings from Org settings | Security & privacy
The Service Desk manager for Contoso has asked you to update the help desk information for your Microsoft 365 tenant with the internal help desk contact information. Where would you make this update?
The act of creating a tenant is a relatively simple affair, requiring you to fill out a basic contact form and choose a tenant name. Microsoft periodically changes what plans are available for new trial subscriptions. As of this writing, Office 365 E3 is available for a trial subscription. Currently available public trial subscriptions require the addition of payment information, which will cause a trial to roll over to a fully-paid subscription after the trial period ends. See Figure 1.2:
Figure 1.2 – Starting a trial subscription
The signup process may prompt for a phone number to be used during verification (either a text/SMS or call) to help ensure that you’re a valid potential customer and not an automated system.
After verifying your status as a human, you’ll be prompted to select your managed domain, as shown in Figure 1.3:
Figure 1.3 – Choosing a managed domain
In the Domain name field, you’ll be prompted to enter a domain name. If the domain name value you select is already taken, you’ll receive an error and be prompted to select a new name.
After you’ve finished, you can enter payment information for a trial subscription. Note the end date of the trial; if you fail to cancel by that time, you’ll be automatically billed for the number of licenses you have configured during your trial!
Implementing and managing domains
The managed domain is part of the Microsoft 365 tenant for its entire lifecycle. While it is a fully functioning domain namespace (complete with its own managed, publicly available domain name system), most organizations will want to use their own domain names—especially when it comes to sending and receiving email or communicating via Microsoft Teams.
Organizations can use any public domain name with Microsoft 365. Microsoft supports configuring up to 900 domains in a tenant; you can configure both top-level domains (such as contoso.com) and subdomains (businessunit.contoso.com) with your Microsoft 365 tenant.
Acquiring a domain name
Many organizations begin their Microsoft 365 journey with existing domain names. Those existing domain names can be used with Microsoft 365. In addition, you can purchase new domain names to be associated with your tenant.
Third-party registrar
Most large organizations have existing relationships with third-party domain registrars, such as Network Solutions or GoDaddy. You can use any ICANN-accredited registrar for your region to purchase domain names.
The Services tab displays settings available for workloads, services, and features available in the Microsoft 365 tenant. The following table lists the services that have configurable options in the tenant.

| Service | Description |
| --- | --- |
| Adoption Score | Manage privacy levels for Adoption Score as well as setting the scope for users to be included or excluded. |
| Azure Speech Services | Manage whether Azure Speech Services can work using content in your tenant to improve the accuracy of speech services. Disabled by default. |
| Bookings | Choose whether the Bookings service is available for use in the tenant. If Bookings is enabled, you also manage specific options, such as whether social sharing options are available or whether Bookings can be used by users outside the organization, as well as restricting the collection of customer data. |
| Briefing email from Microsoft Viva | Choose whether to allow users to receive the Viva briefing email. By default, the briefing email is enabled. Users can unsubscribe themselves. |
| Calendar | Choose whether to enable users to share the calendar outside the organization. If sharing is enabled, choose what level of detail is supplied. |
| Cortana | Choose whether to allow Cortana on devices to connect to data in your Microsoft 365 tenant. |
| Directory synchronization | Provides a link to download the Azure AD Connect synchronization tool. |
| Dynamics 365 Applications | Choose whether to allow insights for each user, aggregated insights for other users (non-identifiable), and identifiable insights for other users. |
| Dynamics 365 Customer Voice | Configure email parameters for collecting survey data from Dynamics 365. |
| Mail | There are no org-wide settings to manage here; however, there are links to various tools in the Exchange admin center and the Microsoft 365 Defender portal for things such as transport rules and anti-malware policies. |
| Microsoft Azure Information Protection | There are no settings to manage for this feature; it is a link to documentation for configuring Azure Information Protection settings. |
| Microsoft communication to users | Choose whether to enable Microsoft-generated training and education content delivery to users. |
| Microsoft Edge product messaging for users | Provides information on configuring the Edge spotlight experience for end users. |
| Microsoft Edge site lists | Manage lists of sites and specify which browser experience (Edge or Internet Explorer) users should receive when navigating to those sites. |
| Microsoft Forms | Manage external sharing settings for Microsoft Forms as well as capturing the names of internal organization users who fill out forms. |
| Microsoft Graph Data Connect | Choose to enable Microsoft Graph Data Connect for the bulk transfer of data to Azure. |
| Microsoft Planner | Choose whether Planner users can publish to Outlook or iCal. |
| Microsoft Search on the Bing homepage | Customize the Bing.com search page for organization users. |
| Microsoft Teams | Choose whether to enable Teams organization-wide (if Teams is turned off, users who are licensed will be blocked from using it). Also provides coarse control over whether guest access is allowed in Teams. |
| Microsoft To Do | Choose to allow internal users the ability to join and contribute to external task lists and receive push notifications. |
| Microsoft Viva Insights (formerly MyAnalytics) | Manage which Viva Insights settings users have access to. By default, all options are selected (Viva Insights web experience, Digest email, Insights Outlook add-in and inline suggestions, and Schedule send suggestions). |
| Microsoft 365 Groups | Configure guest access and ownership settings for Microsoft 365 Groups. |
| Modern authentication | Provides links to information on configuring modern authentication and viewing basic authentication sign-in reports. |
| Multi-factor authentication | Provides links to information on configuring and learning about multi-factor authentication. |
| News | Choose organization and industry settings used to display relevant news information on the Bing home page, as well as settings for delivering Microsoft-generated industry news to your organization's users. |
| Office installation options | Choose the update channel for Microsoft 365 apps. |
| Office on the web | Choose whether to allow users to connect to third-party cloud storage products using Office on the web products. |
| Office Scripts | Configure Office Scripts settings for Excel on the web. |
| Reports | Choose how to display users' personally identifiable information in internal reports and whether to make data available to Microsoft 365 usage analytics. |
| Search and intelligence usage analytics | Choose whether to allow usage analytics data to be filtered by country, occupation, department, or division. |
| SharePoint | Choose whether to enable external sharing. |
| Sway | Choose whether to allow the sharing of Sways outside the organization as well as what content sources are available (Flickr, Pickit, Wikipedia, and YouTube). |
| User consent to apps | Choose whether users can provide consent to OAuth 2 apps that access organization data. |
| User-owned apps and services | Choose whether to allow users to auto-claim licenses as well as start trials and access the Office Store. |
| Viva Learning | Choose which content provider data sources to use for Viva Learning. By default, LinkedIn Learning, Microsoft Learn, Microsoft 365 Training, and Custom Uploads are enabled. You can also manage the level of diagnostic data sent to Microsoft. |
| What's new in Office | Choose whether to display messages to users about new features that are available. This does not change the availability of the feature—only the display of the notification message. |
| Whiteboard | Choose whether to allow the Whiteboard app to be used. Additionally, manage the amount of diagnostic data collected. |
In this chapter, you learned about some of the important compliance tasks that many organizations face, such as content classification and retention. You learned about the foundational technical concepts around sensitive information types. SITs are used to classify content and can be used in the Microsoft Purview solutions including labeling and retention.
In the next chapter, you’ll apply the SIT knowledge learned here to another compliance concept: data loss prevention.
Exam Readiness Drill – Chapter Review Questions
Benchmark Score: 75%
Apart from a solid understanding of key concepts, being able to think quickly under time pressure is a skill that will help you ace your certification exam. That's why working on these skills early in your learning journey is key.
Chapter review questions are designed to improve your test-taking skills progressively with each chapter you learn and review your understanding of key concepts in the chapter at the same time. You’ll find these at the end of each chapter.
Before You Proceed
You need to unlock these resources before you start using them. Unlocking takes less than 10 minutes, can be done from any device, and needs to be done only once. Head over to the start of Chapter 7, Managing Security Reports and Alerts by Using the Microsoft 365 Defender Portal in this book for instructions on how to unlock them.
To open the Chapter Review Questions for this chapter, click the following link: https://packt.link/MS102E1_CH10. Or, you can scan the following QR code:
Figure 10.57 – QR code that opens Chapter Review Questions for logged-in users
Once you log in, you'll see a page similar to what is shown in Figure 10.58:
Figure 10.58 – Chapter Review Questions for Chapter 10
Once ready, start the following practice drills, re-attempting the quiz multiple times:
Exam Readiness Drill
For the first 3 attempts, don’t worry about the time limit.
ATTEMPT 1 The first time, aim for at least 40%. Look at the answers you got wrong and read the relevant sections in the chapter again to fix your learning gaps.
ATTEMPT 2 The second time, aim for at least 60%. Look at the answers you got wrong and read the relevant sections in the chapter again to fix any remaining learning gaps.
ATTEMPT 3 The third time, aim for at least 75%. Once you score 75% or more, you start working on your timing.
Tip: You may take more than 3 attempts to reach 75%. That's okay. Just review the relevant sections in the chapter till you get there.
Working On Timing
Target: Your aim is to keep the score the same while trying to answer these questions as quickly as possible. Here's an example of how your next attempts should look:
Table 10.2 – Sample timing practice drills on the online platform
Note: The time limits shown in the above table are just examples. Set your own time limits with each attempt based on the time limit of the quiz on the website.
With each new attempt, your score should stay above 75% while the time taken to complete should decrease. Repeat as many attempts as you want till you feel confident dealing with the time pressure.
In Chapter 10, Implementing Microsoft Purview Information Protection and Data Lifecycle Management, and so far in this chapter, you’ve learned how Microsoft’s information protection and DLP features can be used to detect sensitive information in your organization and then both classify and protect it. For example, when sending sensitive information through email, a DLP policy applied to Exchange Online can be used to cause Outlook to display a policy tip, as shown in Figure 11.25:
Figure 11.25 – Policy tip test
What happens, though, when users ignore the policy tip warning and send sensitive data anyway? That’s dependent on your DLP policy alerting settings.
Organizations with any subscription can create DLP alerts that are triggered on every matching activity. Organizations with A5, E5, or G5 subscriptions or an Office 365 Advanced Threat Protection Plan 2, Microsoft 365 E5 Compliance, or Microsoft 365 eDiscovery and Audit add-on license can configure aggregated alerts—meaning that DLP alerts will only show up based on a certain threshold.
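To make the difference between the two alerting behaviours concrete, the following Python script is an added example (not code from the book or from Microsoft Purview): it runs both modes over a handful of constructed DLP rule-match events. Single-event mode turns every match into an alert; aggregated mode raises one alert per user and policy only when the matches inside a sliding time window reach a count or volume threshold. The event fields, the 60-minute window, and the thresholds are illustrative assumptions, not Purview's internal representation or its default values.

```python
"""
Added example (not from the book): single-event versus aggregated DLP
alerting, modelled over constructed rule-match events.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class DlpMatch:
    when: datetime
    user: str
    policy: str
    workload: str  # e.g. "Exchange", "SharePoint"
    items: int     # number of sensitive items detected in this match


# Constructed sample: alice trips the policy four times in ten minutes and
# once more hours later; bob trips it once. Names and policy are made up.
SAMPLE = [
    DlpMatch(datetime(2023, 5, 1, 9, 0), "alice@contoso.com", "US-PII-Email", "Exchange", 1),
    DlpMatch(datetime(2023, 5, 1, 9, 2), "alice@contoso.com", "US-PII-Email", "Exchange", 3),
    DlpMatch(datetime(2023, 5, 1, 9, 5), "bob@contoso.com", "US-PII-Email", "Exchange", 1),
    DlpMatch(datetime(2023, 5, 1, 9, 7), "alice@contoso.com", "US-PII-Email", "Exchange", 2),
    DlpMatch(datetime(2023, 5, 1, 9, 9), "alice@contoso.com", "US-PII-Email", "Exchange", 1),
    DlpMatch(datetime(2023, 5, 1, 13, 0), "alice@contoso.com", "US-PII-Email", "Exchange", 1),
]


def single_event_alerts(matches):
    """Behaviour available with any subscription: every match is an alert."""
    return [f"{m.policy}: {m.user} via {m.workload} ({m.items} item(s)) at {m.when:%H:%M}"
            for m in matches]


def aggregated_alerts(matches, window=timedelta(minutes=60), min_events=3, min_items=5):
    """Premium-licence behaviour: per user and policy, alert only when the
    matches inside a sliding window reach min_events or their item total
    reaches min_items. After an alert fires, further matches are folded into
    it until the window that produced it has elapsed, so a burst yields one
    alert instead of a flood."""
    by_key = defaultdict(list)
    for m in sorted(matches, key=lambda m: m.when):
        by_key[(m.user, m.policy)].append(m)

    alerts = []
    for (user, policy), events in by_key.items():
        start = 0
        suppressed_until = None
        for end, current in enumerate(events):
            # Slide the window start forward until it fits inside `window`.
            while current.when - events[start].when > window:
                start += 1
            bucket = events[start:end + 1]
            items = sum(e.items for e in bucket)
            threshold_hit = len(bucket) >= min_events or items >= min_items
            if threshold_hit and (suppressed_until is None or current.when > suppressed_until):
                alerts.append({
                    "user": user, "policy": policy,
                    "events": len(bucket), "items": items,
                    "first": bucket[0].when, "last": current.when,
                })
                suppressed_until = bucket[0].when + window
    return alerts


if __name__ == "__main__":
    for line in single_event_alerts(SAMPLE):
        print("single :", line)
    for alert in aggregated_alerts(SAMPLE):
        print("aggregated:", alert)
```

On the sample data the single-event mode produces six alerts while the aggregated mode produces one, for alice, covering the three matches that crossed the threshold; bob's lone match and alice's later isolated match never surface in aggregated mode, which is exactly the trade-off you accept when you tune thresholds to cut noise.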
DLP alerts show up in three places:
Microsoft Purview compliance portal | Data loss prevention | Alerts: Only DLP-related events and alerts
Microsoft Purview compliance portal | Alerts: All events and alerts in the compliance portal, including DLP alerts
Microsoft 365 Defender portal | Incidents & alerts | Alerts: All security-related events and alerts, including DLP alerts
In addition to those alert views, the event data is also surfaced in the following ways:
Microsoft Purview compliance portal | Data loss prevention | Activity explorer: All compliance activity, including DLP policy activity
Microsoft Purview compliance portal | Data classification | Activity explorer: All compliance activity, including DLP policy activity
Microsoft 365 Defender portal | Incidents & alerts | Incidents: DLP alerts as exfiltration incidents
Microsoft Purview compliance portal | Audit log: All activity and events in Microsoft 365, including DLP policy activity
In this last section of the book, you’ll look at activities you can perform in these areas to both review and respond to DLP events.
Viva Insights Teamwork habits, part of the premium Viva Insights experience, allows managers to gain additional recommendations for managing people. Teamwork habits helps managers identify regular after-hours work, meeting overload conditions, and a lack of dedicated focus time.
Managers can set up their teams by manually adding users, though they can use the suggested list if the manager property has been configured in Active Directory or Azure Active Directory:
Figure 2.25 – Confirming team members
Three additional core features of Teamwork habits are as follows:
Scheduling recurring 1:1 time with managed employees
Measuring quiet hours impact, to determine how work habits affect employees outside their configured working hours
Shared plans for no-meeting days and shared focus times
Organizations that have the Teamwork habits tools available can improve their employees’ well-being and work-life balance. The Teamwork habits feature requires a separate Microsoft Viva Insights license.
Organization trends
The Organization trends tab shows business leader and manager insights to help understand how to effectively manage your teams, such as identifying work patterns:
Figure 2.26 – Organization trends
Organization trend data is privacy-oriented, requiring a minimum of 10 people (including the manager) to be in the management chain, either directly or indirectly. In addition, access to organization trends requires granting access to manager insights through the Viva setup.
Advanced insights
Microsoft Viva Advanced Insights is a reporting tool that provides research-based behavioral insights into organizational work patterns, such as hybrid work, work-life balance, and employee well-being.
The Advanced Insights reporting tool comes with several built-in templates and analysis tools to help organizations understand everything, from meeting effectiveness to employee performance trends correlated to manager 1:1 meetings:
With large organizational changes such as hybrid and remote work scenarios, it can be important to understand how those work patterns affect performance, including interesting data points such as how much time is spent during meetings multitasking, or how much work is getting done outside normal business hours:
Figure 2.28 – Advanced insights working hours details
The Advanced Insights Power BI report templates provide an analysis of employee engagement and work patterns. Here are the reports:
Business resilience: Overall business report highlighting performance and employee well-being
Hybrid workforce experience: This report highlights how different work modes (onsite, hybrid, and remote) affect workers
Manager effectiveness: This report provides insight into patterns for people managers
Meeting effectiveness: This report captures and displays information on meeting statistics such as how many meetings happen at short notice or how much multitasking occurs during meetings
Ways of working: This data helps answer questions such as, “Are employees receiving enough 1:1 coaching time?” and “Who generates the most work by organizing meetings?”
Wellbeing – balance and flexibility: This reporting data is used to identify whether employees have enough time to focus on core priorities and balance that with breaks and time away from work
Activity explorer is a dashboard-style interface that displays charts for the various compliance activities in Microsoft 365, including file deletions, archive creations, label applications, DLP rule matches, and content classification.
Figure 11.30 depicts the default view of the dashboard with the Activity dropdown selected to show the filter options:
Figure 11.30 – Activity explorer dashboard
You can use the filters to locate and display only the data that matches your criteria. Once you have identified the type of data to display, you can select an individual event to view the details surrounding it, as shown in Figure 11.31:
Figure 11.31 – Viewing details of an event in Activity explorer
Activity explorer, whether it is the Activity explorer node under Data classification or under Data loss prevention, shows exactly the same data and events. Some activity details may direct you to individual devices or other items in the Microsoft 365 Defender portal. DLP activities are not typically linked to other pages, however.
Microsoft 365 Defender Alerts Dashboard
The Microsoft 365 Defender Alerts dashboard displays security-related alerts generated throughout your Microsoft 365 tenant. See Figure 11.32:
Figure 11.32 – Microsoft 365 Defender Alerts dashboard
The Alerts dashboard shows the current status of alerts as well as information about the category of the alert, where the alert originated, its severity, and its impacted assets. In the case of DLP alerts, the detection source is Microsoft Data Loss Prevention.
Selecting the row of an event brings up a details flyout, providing information regarding the alert’s source and classification. See Figure 11.33:
Figure 11.33 – Alert detail flyout
From this flyout, you can select Open alert page to view the overall alert and the alert story, Manage alert to update its status, or the ellipsis (…) for the additional options Link alert to another incident and Ask Defender Experts.
Like the compliance portal’s Alerts and Activity explorer views, there aren’t remediation tasks that can be performed on these pages.
Microsoft 365 Defender Incidents Dashboard
From the perspective of responding to alerts, the Microsoft 365 Defender Incidents dashboard gives you the most capability, as shown in Figure 11.34:
Figure 11.34 – Microsoft 365 Defender Incidents dashboard
While the other dashboards only highlight activity and events, the Incidents dashboard allows you to see the most detail and the context of the alert inside the incident’s attack story. By selecting an incident, you can review the attack story (chain of related events) as well as the corresponding alerts and assets involved.
In this DLP example, the user sent a file with sensitive information. It could have been accidental or intentional, or it could also have represented a malicious actor who has gained control of the user’s account and is attempting to exfiltrate data.
By selecting the Assets tab in an incident, for example, you can locate the impacted user and choose to perform activities against that user such as requiring the user to sign in again, suspending the account, or confirming the identity as compromised. See Figure 11.35:
Figure 11.35 – Viewing the user actions in a DLP incident
By selecting the Evidence tab of the incident and then selecting an item inside it, you may be presented with the Go hunt option. This will create a hunting query targeting this item to help you locate it in the organization. See Figure 11.36:
Figure 11.36 – Microsoft 365 Defender incident evidence
Selecting Run query on the Advanced hunting window will take the pre-loaded query and return corresponding results. See Figure 11.37:
Figure 11.37 – Advanced hunting results
Selecting the hyperlinked value in the NetworkMessageId column (shown in Figure 11.37) will display details of the actual item (Figure 11.38). From there, you can perform remediation tasks.
Figure 11.38 – Advanced hunting item details
By selecting Take action, as shown in Figure 11.38, you can initiate a variety of triage and response tasks to help mitigate or resolve the issue. Depending on the data type and risk, you may want to move the item or delete it altogether. You can use the message details to create additional rules for restricting content as well.
Figure 11.39 – Initiating remediation tasks
Additional remediation options from this page include launching an investigation or contacting the user.
Sublabels function almost exactly like sensitivity labels—you can think of them as higher up the hierarchy to give you more specificity when categorizing data. For example, in Figure 10.43, you can see that Anyone (unrestricted) and All Employees (unrestricted) are configured as sublabels of the General label:
Figure 10.43 – Sublabel example
There may be instances when you have a broad category for labeling content but want to use an additional method or level of classification. This is where sublabels can be helpful.
There are a few important points to consider when using sublabels:
A sublabel inherits its color settings from its parent.
When a label has sublabels configured, the parent label can't be used to classify content—only the sublabel can be used.
Note: If a label has sublabels, it's important that the parent label not be used as a default label.
To create a sublabel, follow these steps:
In the Microsoft Purview compliance portal (https://compliance.microsoft.com), expand Information protection, and select Labels.
Locate the label that will be the parent label and select it.
Click Create sublabel, as shown in Figure 10.44:
Figure 10.44 – Creating a sublabel
On the Name and tooltip page as shown in Figure 10.45, enter values for Name, Display name, and Description for users. Note that the Label color choice is non-selectable. If a label color has already been chosen for the parent, this sublabel will inherit that color.
Figure 10.45 – Reviewing name and tooltip settings
Click Next to continue configuring the label. The remaining steps are the same as configuring a standalone or parent label. Refer to the previous section for details and options.
Now that you’ve successfully configured labels, let’s briefly look at configuring label policies.
Implementing sensitivity label policies
Label policies are the configuration objects that are used to either assign labels to content or make them available for users to apply. Sensitivity labels can be applied in a number of ways:
The automatic label application options can be confusing, since there are two types of label policies that appear at first glance to do the same thing. Let’s dig into each of them now.