Office 365 Security and Compliance: Data Leak Protection (DLP) & Azure Information Protection (AIP) Integration Unable to delete DLP Policy

Well hello! I’m back. Yes, I have been very busy the last 2 months and unable to write any new blog posts.

While I was testing and playing with DLP and AIP in my test environment, I had 2 test integration policies running and found something wrong with one DLP policy. I triggered the delete via the GUI in Security and Compliance, which basically changes the policy’s status to a “Deletion pending” state. I know these deletions can take up to 48 hours. However, it had been more than 48 hours and the DLP policy was still showing the status “Deletion pending”.

So it’s time to use PowerShell to solve this deletion pending problem;

*Take note;

If you run “Remove-DlpCompliancePolicy” in PowerShell without the “-ForceDeletion” switch to delete this policy, it won’t work and you will get an error;

#Sample PowerShell
Remove-DlpCompliancePolicy -Identity 58bed0c6-fbf9-41c4-b798-fdec65beae1c

We cannot remove policy ‘TopSecret_policy’ since it is already in pending deletion state.
+ CategoryInfo : InvalidOperation: (:) [Remove-DlpCompliancePolicy], ErrorCannotRemo…PolicyException
+ FullyQualifiedErrorId : [Server=xxxxxxxxxxxxxxx,RequestId=xxxxxxxx-xxxxx-xxxx-xxxxx-xxxxxxxxxxx5,TimeStamp=4/1/2019
8:26:50 AM] [FailureCategory=Cmdlet-ErrorCannotRemovePendingDeletionPolicyException] xxxxxx,Microsoft.Office.Com
pliancePolicy.Tasks.RemoveDlpCompliancePolicy
+ PSComputerName : apc01b.ps.compliance.protection.outlook.com

What to do?

  1. First of all, you need to use PowerShell and connect to Security and Compliance:
     https://docs.microsoft.com/en-us/powershell/exchange/office-365-scc/connect-to-scc-powershell/connect-to-scc-powershell?view=exchange-ps
  2. Next, run the command below to get your DLP policy information:

     Get-DlpCompliancePolicy | select Name, Guid

  3. Then run this command:

     Remove-DlpCompliancePolicy -Identity "Policyname" -ForceDeletion

     OR

     Remove-DlpCompliancePolicy -Identity "Policy GUID" -ForceDeletion

  4. Select “A” (A is Yes to All).
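The steps above as one script, added here as an example and not part of the original post. It assumes the ExchangeOnlineManagement module is installed (Connect-IPPSSession stands in for the session setup in the linked doc; everything after the connection step is the same either way). The policy names/GUIDs and the backup folder are values you supply. Before the destructive step it writes a CLIXML copy of the policy and its rules, so that what was force-deleted is on record, and it honours -WhatIf/-Confirm through ShouldProcess.

```powershell
# Added example (not from the original post): force-delete DLP compliance policies stuck in
# "Deletion pending", keeping a copy of each policy and its rules first.
# Assumes the ExchangeOnlineManagement module (Connect-IPPSSession) is installed.
[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
param(
    # Policy names or GUIDs, as listed by: Get-DlpCompliancePolicy | select Name, Guid
    [Parameter(Mandatory = $true)]
    [string[]] $PolicyIdentity,

    # Folder that receives a CLIXML backup of each policy and its rules (placeholder default)
    [string] $BackupFolder = (Join-Path $env:TEMP 'dlp-policy-backup')
)

Connect-IPPSSession
New-Item -ItemType Directory -Path $BackupFolder -Force | Out-Null

foreach ($identity in $PolicyIdentity) {
    $policy = Get-DlpCompliancePolicy -Identity $identity -ErrorAction SilentlyContinue
    if (-not $policy) {
        Write-Warning "No DLP policy matches '$identity'; skipping."
        continue
    }

    Write-Host ("Policy '{0}' (Guid {1}, Mode {2})" -f $policy.Name, $policy.Guid, $policy.Mode)

    # Keep a record of what is being removed: the policy object and the rules attached to it.
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $policy | Export-Clixml -Path (Join-Path $BackupFolder "$($policy.Guid)-policy-$stamp.xml")
    Get-DlpComplianceRule -Policy $policy.Name |
        Export-Clixml -Path (Join-Path $BackupFolder "$($policy.Guid)-rules-$stamp.xml")

    # -WhatIf / -Confirm on this script control the destructive step.
    if ($PSCmdlet.ShouldProcess($policy.Name, 'Force-delete DLP compliance policy')) {
        # -ForceDeletion is what clears a policy that is already in "Deletion pending".
        # -Confirm:$false suppresses the cmdlet's own prompt (the "A" answer in step 4),
        # because ShouldProcess has already asked.
        Remove-DlpCompliancePolicy -Identity $policy.Guid -ForceDeletion -Confirm:$false
        Write-Host "Force deletion submitted for '$($policy.Name)'."
    }
}

# Show what is left so the result can be checked.
Get-DlpCompliancePolicy | Select-Object Name, Guid, Mode | Format-Table -AutoSize
```

Run it first with -WhatIf to see which policies would be touched; the backup files are written either way, so a policy can be reconstructed from them if it was removed by mistake.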

Below is a sample;

[Screenshot: Capture]

References:

  1. https://sabrinaksy.com/2020/07/25/powershell-unable-to-delete-stuck-data-leak-policy-using-forcedeletion/

Microsoft RMS: What are the difference of Information Rights Management and Azure Information Protection?

RMS – Rights Management Service

Rights Management, by definition, is a protection mechanism that uses encryption, identity and authentication to protect your emails and documents from unauthorized access. Imagine that your emails and documents are the hamster and Rights Management is the hamster’s protective ball: the hamster is inside the ball, and if you are not the owner of the hamster and you wish to touch it, I doubt it won’t bite you.

[Image: Cute and feisty hamster in a ball (from the movie Bolt)]

IRM – Information Rights Management

IRM stands for Information Rights Management (Azure Rights Management). Let’s talk about the history of IRM.

IRM is the older version of RMS; you could only find it in the Office 365 portal, and now that AIP is available, IRM has become a component within AIP. I think Microsoft plans to slowly decommission/move away from IRM, because I’ve noticed that the usual method of modifying IRM templates has been closed since January 2018. The usual method to modify IRM templates was from the old Microsoft Azure portal. Now the only way to modify the templates is through PowerShell.

Anyway, it also has its own separate activation via GUI;

  1. For Exchange Online IRM, activate it from Office 365 portal > Admin > Settings > Services & add-ins > Rights Management / Azure Information Protection
  2. For SharePoint Online, activate it from Office 365 portal > Admin > Admin centers > SharePoint > Settings > select “Use the IRM service specified in your organization” > Refresh IRM Settings

Or you could just use PowerShell to activate IRM (make sure you have all requirements ready);

  1. Connect to the AADRM service
  2. Type “Enable-Aadrm” in PowerShell
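The PowerShell activation above with a state check in front of it, as an added example that is not from the original post. It uses the AADRM module cmdlets the post names; Microsoft has since replaced that module with AIPService, whose cmdlets keep the same names with “Aadrm” swapped for “AipService” (Connect-AipService, Get-AipService, Enable-AipService). It assumes the module is installed and you sign in as a global admin. The check matters because of the warning later in this post: activate only one of IRM or AIP in production, so know the current state before you flip it.

```powershell
# Added example (not from the original post): check the Azure RMS activation state before
# enabling it, then record the configuration and the protection templates, which (as the
# post notes) can now only be managed through PowerShell.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

Connect-AadrmService            # prompts for global admin credentials

$state = Get-Aadrm              # returns the string "Enabled" or "Disabled"
Write-Host "Azure RMS service state: $state"

if ($state -eq 'Disabled') {
    if ($PSCmdlet.ShouldProcess('Azure RMS', 'Enable the protection service for the tenant')) {
        Enable-Aadrm
        $state = Get-Aadrm
        Write-Host "Azure RMS service state is now: $state"
    }
}
else {
    Write-Host 'Already enabled; nothing to change.'
}

# Worth recording before rolling out to users: the licensing and certification endpoints
# that client applications must be able to reach.
Get-AadrmConfiguration |
    Select-Object LicensingIntranetDistributionPointUrl, CertificationDistributionPointUrl |
    Format-List

# Template inventory (TemplateId is what later PowerShell edits refer to).
Get-AadrmTemplate | Select-Object TemplateId, Status, Names | Format-Table -AutoSize

Disconnect-AadrmService
```

Run with -WhatIf to see the state and the template list without enabling anything.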

Yes, the steps are not brain surgery. What I like about PowerShell is that its code is understandable just by looking at it. If you compare PowerShell with C++, then you know what I mean.

*Note:

  1. IRM can’t protect documents that are not from Office apps
  2. IRM doesn’t provide much tracking detail for your protected documents
  3. Exchange Online IRM and SharePoint Online IRM have different IRM management
  4. SharePoint Online IRM is based on a site, not the whole SharePoint Online
  5. In SharePoint Online IRM, you apply IRM on a list or library
  6. The GUI can no longer be used to configure IRM templates
  7. IRM needs manual activation
  8. The required license is Microsoft Enterprise E3 or E5
  9. Doesn’t support mobile
  10. Longer propagation to end users (may take up to 2 hours; the same goes for DLP labeling)
  11. End users have to select “Connect to Rights Management” in Outlook

AIP – Azure Information Protection

AIP is the new advanced technology/mechanism of RMS; it breaks through the limitations of IRM’s capabilities. You can only see and manage AIP in the Microsoft Azure portal (yes, you can still see it as an “Advanced feature” under Services & add-ins in the Office 365 portal). The capabilities of AIP, I can tell you, are quite mind-blowing for me. It combines IRM and DLP’s sensitive information mechanism to produce an advanced method of protecting data.

To understand how to use AIP (I hope this helps you too), you must understand the 6 major points of deploying and implementing AIP;

  1. Label – Parent Label? or Sub Label?
  2. Permission – View Only? Read Only?
  3. DLP Sensitive Information – Trigger label automatic?
  4. Apply to – Sales Department? External parties?
  5. Policy – Who will hold this label as admin?
  6. Label Admin – Sales Admin hold this label as admin

The minor points would be the notification, policy tips, access expiration date and so on.

Sadly, AIP doesn’t provide the capability to prevent data leaks. Wait! Why not integrate AIP with the DLP block policy function? Yes, you can do that, and that is Microsoft’s recommendation. DLP is Data Leak Protection (licensed under Microsoft Enterprise E3 or E5).

At minimum, you could get the AIP Plan 1 license for your global admins and users to have permission to use AIP. Once you buy the AIP license and assign it, AIP will automatically activate for your organization (Exchange Online, OneDrive, and SharePoint Online). (Chill, this won’t impact your users yet.)

*Note:

  1. AIP can be applied to non-Office app documents too
  2. AIP users need the AIP application installed on their devices (PC or mobile or both) before the labels are visible and usable. You could use Intune to push the application executable via an Intune policy and then force-apply the policy to users’ devices; just make sure the users’ devices are Intune managed.
  3. With AIP, users can track their documents: where a document is, who has it, who opened it, who tried to access it, and when it was opened. The AIP user who applied the label has the permission to revoke a user’s access to the document.
  4. Faster propagation to end users (less than 5 minutes)
  5. Easy to manage for global admins
  6. A lot more automation actions than IRM

*Note for RMS (IRM & AIP)

  1. Office web apps don’t support opening RMS-protected documents
  2. Office web apps don’t support applying RMS

Choose either one to deploy, IRM or AIP. Don’t activate both in a production environment!

References:

  1. https://docs.microsoft.com/en-us/office365/securitycompliance/apply-irm-to-a-list-or-library
  2. https://docs.microsoft.com/en-us/azure/information-protection/activate-service
  3. https://docs.microsoft.com/en-us/azure/information-protection/what-is-information-protection
  4. https://docs.microsoft.com/en-us/azure/information-protection/how-does-it-work
  5. https://docs.microsoft.com/en-us/office365/enterprise/activate-rms-in-office-365?redirectSourcePath=%252fen-us%252farticle%252fActivate-Rights-Management-RMS-in-the-Office-365-admin-center-5b6d3ac7-b1ac-428e-b03e-50e882f85a6e
  6. https://docs.microsoft.com/en-us/office365/securitycompliance/data-loss-prevention-policies
  7. https://sabrinaksy.wordpress.com/2018/01/07/office-365-custom-dlp-how-to-create-custom-data-leak-protection/
  8. https://docs.microsoft.com/en-us/office365/securitycompliance/what-the-dlp-policy-templates-include
  9. https://track.azurerms.com/#/landing?q=Document1&sourceUrl=%2F%3Fq%3DDocument1
  10. https://joannecklein.com/2018/01/22/use-aip-labels-in-dlp-policy-rules/

 

 

Data Leak Prevention (Azure Rights Management): aOS Kuala Lumpur 2018

Good day, everyone, I’m not here to insult but to raise awareness, so please read this with an open mind.

I have met and chatted with a few people from different companies, asking them: do you know about data security, is your company ready for data security, what do you think about security, and so on.

Most replied that data security is expensive and impacts end-user productivity. When they told me that it is expensive, I asked them “why do you think it is expensive?”. Their answers had hesitation in them. To the ones who told me that security only brings impact to users, I replied “Plan, organize, and implement properly; never jump/rush to a conclusion” (a disaster plan is important).

The technology is there; it is how you look at it and use it. (A joke: don’t tell me that you go shopping and just blindly buy stuff without testing or checking whether it really suits your needs/wants.)

Yes, whenever most users or companies hear about security, the first things on their mind are expense and impact. Have you really asked, researched and gathered enough information to prove it? (You know, references.) Have you ever compared the investment in data security with the cost of fines from regulators? (GDPR fines? PDPA fines?)

During my talk about Data Leak Prevention (Rights Management) at the aOS KL event on 23rd October 2018, I was trying to raise awareness about data security among the audience too. However, one audience member told me that the Microsoft enterprise license is expensive.

What I replied to the person asking about the pricing of the Microsoft enterprise license was to ask the licensing companies for more information. I should have added another reply: “Are you ready to lose 2% to 10% of your company’s global revenue (or probably both a fine and jail) to regulators?” But my session had already used up an extra 5 minutes (I felt panicked and guilty for using time that was no longer mine).

So for the people who were asking about/saying that the security license is expensive in a technical session, I kindly advise you to think twice, or many times, about the statement above, which I’ve highlighted in RED.

Quote;
“Better safe than Sorry”
“Never a technology problem, Is human/attitude problem”
“Never try, never know”
“Plan, Don’t make harsh decision/actions”
“Live till old, learn till old” (Take Malaysia’s latest Prime Minister as an Example)
“Ask more doesn’t do harm, Only Stupidity does harm”
“Stop dreaming, Wake up is reality”

[Photo: Speaker for aOS Kuala Lumpur 2018 (IT Pro), Office 365 Security Compliance and Azure Information Protection Demonstration]

[Photo: With Patrick Guimonet]

[Photo: Data Breaches since the 2000s till 2018]

Reference:

https://sway.office.com/eQ1CbkS7mOE5dvSi

Azure AD: How to permanent or force delete user from recycle bin via GUI?

As you may know, the Office 365 admin center doesn’t provide the capability to remove/delete a deleted user from the recycle bin, and you may need to run PowerShell to do it.

Some IT admins may find using PowerShell less efficient than the GUI. Currently you can perform the removal in Azure Active Directory.

Steps:

  1. Sign in to https://portal.azure.com
  2. In the side bar, select “Azure Active Directory”
  3. Then select “Users”
  4. Select “Deleted users”
  5. Next, select the users that you wish to permanently remove

[Screenshots a1 to a4 omitted]

By default, Microsoft permanently removes a deleted user account after 30 days.
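The PowerShell route the post mentions, written out as an added example that is not part of the original post. It assumes the MSOnline module (Connect-MsolService), which Microsoft has since deprecated in favour of Microsoft Graph PowerShell; the UPN filter and the age threshold are parameters you set. The purge is irreversible (Restore-MsolUser no longer works afterwards), so the script records the candidates to a CSV and uses ShouldProcess so that -WhatIf and -Confirm apply.

```powershell
# Added example (not from the original post): permanently delete users from the Azure AD
# recycle bin with the MSOnline module. -RemoveFromRecycleBin is what makes the deletion final.
[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
param(
    # Only purge users deleted at least this many days ago (0 = any age).
    [int] $OlderThanDays = 0,
    # Optional UPN pattern, e.g. '*@contoso.example' (constructed placeholder; default matches all).
    [string] $UpnFilter = '*',
    # Where the list of purged users is written (placeholder default)
    [string] $LogPath = (Join-Path $env:TEMP ("purged-users-{0:yyyyMMdd-HHmmss}.csv" -f (Get-Date)))
)

Connect-MsolService

$cutoff = (Get-Date).AddDays(-$OlderThanDays)
$candidates = @(Get-MsolUser -ReturnDeletedUsers -All |
    Where-Object {
        $_.UserPrincipalName -like $UpnFilter -and
        $_.SoftDeletionTimestamp -le $cutoff
    })

if ($candidates.Count -eq 0) {
    Write-Host 'Nothing to purge.'
    return
}

# Record what is about to be purged; there is no undo once -RemoveFromRecycleBin has run.
$candidates |
    Select-Object DisplayName, UserPrincipalName, ObjectId, SoftDeletionTimestamp |
    Export-Csv -Path $LogPath -NoTypeInformation
Write-Host ("{0} candidate(s) written to {1}" -f $candidates.Count, $LogPath)

foreach ($user in $candidates) {
    if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, 'Permanently delete from recycle bin')) {
        Remove-MsolUser -ObjectId $user.ObjectId -RemoveFromRecycleBin -Force
    }
}
```

Run it with -WhatIf first; that still writes the CSV, so you get the list of who would go without touching anything.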

 

Exchange Hybrid, Exchange Online & Outlook: How to get more email storage space?

Currently, most enterprise users use local storage to save their emails. For those on SSD storage this is a problem, and the same goes for normal HDD storage users.

What is online archive? Online archive is basically like the local/normal archive feature that you usually see in Outlook, except it is online/in the cloud and provides 1TB of space. If the organization enables this, they would probably also enable a retention policy; this is just a policy that automates moving emails from the primary mailbox to the online archive after a set period. Anyway, this is up to the organization’s settings and decision.

*Note: Retention Policy has many functions and is also security related.

To have online archive, your organization must have a license such as Office 365 ProPlus, E3, Office 365 Business or Office 365 Business Premium.

How to enable online archive?

  1. If the organization is in a hybrid environment using Exchange 2016 and Exchange Online, the IT admin can enable the online archive from Exchange 2016.
  2. If the organization is in a hybrid environment using Exchange 2013 (as a bridge for migration to Exchange Online) and also has older versions of Exchange, then as IT admin you can only enable the online archive via Exchange Online. This is possibly caused by the unique ID. (Not much of an issue if you have plans to upgrade Exchange 2013 to Exchange 2016.)
  3. If the organization fully utilizes Exchange Online only, then as IT admin you can enable the online archive from Exchange Online > recipients > select the specific recipient > mailbox features.

*Note:

  1. If you wish to bulk enable, then do it using PowerShell; there are also other places in Office 365 where you can enable the online archive, such as Security and Compliance.
  2. If you wish to disable it and go back to using only the primary mailbox, below is a reference on how to do it.
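The bulk enable (and the disable from note 2) as one script, added here as an example and not part of the original post. It assumes an Exchange Online session is already open (Connect-ExchangeOnline from the ExchangeOnlineManagement module) and a CSV with a UserPrincipalName column whose path you pass in. It checks ArchiveStatus before acting, so mailboxes that already have (or already lack) an archive are reported rather than re-processed, and it uses ShouldProcess so -WhatIf works.

```powershell
# Added example (not from the original post): bulk-enable, or with -Disable remove, the online
# archive for Exchange Online mailboxes listed in a CSV. Assumes Connect-ExchangeOnline was run.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)]
    [string] $CsvPath,      # CSV with a UserPrincipalName column (you supply it)
    [switch] $Disable       # remove the archive instead of enabling it
)

$results = foreach ($row in Import-Csv -Path $CsvPath) {
    $upn = $row.UserPrincipalName
    $mbx = Get-Mailbox -Identity $upn -ErrorAction SilentlyContinue
    if (-not $mbx) {
        [PSCustomObject]@{ UserPrincipalName = $upn; Action = 'skip'; Result = 'mailbox not found' }
        continue
    }

    # ArchiveStatus is "Active" when an archive mailbox exists and "None" otherwise.
    $hasArchive = ($mbx.ArchiveStatus -eq 'Active')

    if ($Disable) {
        if (-not $hasArchive) {
            [PSCustomObject]@{ UserPrincipalName = $upn; Action = 'disable'; Result = 'no archive, nothing to do' }
            continue
        }
        if ($PSCmdlet.ShouldProcess($upn, 'Disable online archive')) {
            # The disconnected archive is kept for a limited time before it is permanently
            # deleted, so the retention policy in the post should be reviewed before doing this.
            Disable-Mailbox -Identity $upn -Archive -Confirm:$false
            [PSCustomObject]@{ UserPrincipalName = $upn; Action = 'disable'; Result = 'archive disabled' }
        }
    }
    else {
        if ($hasArchive) {
            [PSCustomObject]@{ UserPrincipalName = $upn; Action = 'enable'; Result = 'archive already active' }
            continue
        }
        if ($PSCmdlet.ShouldProcess($upn, 'Enable online archive')) {
            Enable-Mailbox -Identity $upn -Archive | Out-Null
            [PSCustomObject]@{ UserPrincipalName = $upn; Action = 'enable'; Result = 'archive enabled' }
        }
    }
}

$results | Format-Table -AutoSize
$results | Export-Csv -Path (Join-Path $env:TEMP 'archive-changes.csv') -NoTypeInformation
```

In a hybrid setup where the mailbox is still managed on-premises, the equivalent cmdlet is Enable-RemoteMailbox -Archive run from the on-premises shell; the CSV loop and the status check stay the same.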

Reference:

  1. https://technet.microsoft.com/en-us/library/archive-features-in-exchange-online-archiving.aspx
  2. https://docs.microsoft.com/en-us/office365/securitycompliance/enable-archive-mailboxes
  3. https://docs.microsoft.com/en-us/office365/securitycompliance/unlimited-archiving

Exchange 2013 Decommission: Unable to uninstall exchange 2013 because still holding older exchange records.

If you have already migrated all Exchange 2013 arbitration mailboxes to Exchange 2016 but find there are still old Exchange arbitration mailboxes in Exchange 2013 that are useless, and these mailboxes show as disabled objects in Active Directory (Windows Server 2016), they can prevent you from disabling or removing the mailboxes from Exchange 2013 via Exchange PowerShell and prevent you from proceeding with the uninstall of Exchange 2013, because their status still shows as “Active”.

Here are the steps on how to resolve it;

  1. Make sure anti-virus is disabled
  2. Remove these old arbitration mailbox/Discovery mailbox/Monitoring mailbox objects (please refer to the reference for the sample list) from Active Directory
  3. Before removing an object, check that the object’s “homeMDB” attribute holds the value of the Exchange 2013 mailbox database name (you can get it by typing “Get-MailboxDatabase” in the Exchange PowerShell). (If you remove the wrong one, it will be troublesome to recover.)
  4. Go to Exchange 2013 > open Control Panel > Programs and Features > select the Microsoft Exchange cumulative update > right-click it and select Uninstall > refresh the Control Panel page to make sure it is uninstalled
  5. After the uninstall completes, restart the server > disjoin the server from the domain > remove the server object from Active Directory

*Note:

If you complete the steps above but are still unable to uninstall via the GUI because an error pops up saying “incomplete installation…”, then run cmd as administrator and use the command-line command to uninstall. (Please refer to the reference.)

Reference

  1. http://techgenix.com/removing-exchange-server-mailbox-your-environment/
  2. https://social.technet.microsoft.com/Forums/exchange/en-US/4726db53-b5ac-488a-a801-a4774ffcdc34/cannot-uninstall-exchange-2013?forum=exchangesvrgeneral
  3. https://www.kerneldatarecovery.com/blog/step-by-step-guide-for-migrating-exchange-server-2013-to-2016-part-6/

PowerShell: How to export values into table format .csv file?

Again, I’m no expert in PowerShell; it took me a few hours to figure it out. I searched many articles, but they were difficult for me to understand.

However, the answer was right under my nose. Please refer to the reference I’ve included below this blog. Sorry about the attribute naming; this is only an example. Hope this helps.

*Note:

  • Always run this (PowerShell) on a test account before moving to production (bulk).
  • This script only supports PowerShell version 3.0 or above

Here is an example of what I’m saying;

#Purpose: This PowerShell script gets the office phone, copies
#the last 4 digits into a temporary variable, then merges
#a string value with those last 4 digits, and
#exports the user's name, office phone and new phone to a CSV table

#Merge value
$merge = "123"

#Read the input file (expects Name and OfficePhone columns)
$users = Import-Csv .\file.csv -Delimiter ","

#Build one row per user, then export all rows in a single call
$rows = foreach ($i in $users)
{
    #Attributes
    $name = $i.Name
    $officephone = $i.OfficePhone

    #If the user's OfficePhone has a value with at least 4 characters
    #(Substring would throw on an empty or shorter value)
    if (-not [string]::IsNullOrWhiteSpace($officephone) -and $officephone.Length -ge 4)
    {
        #Copy the last 4 digits of the OfficePhone
        $lastfourdigit = $officephone.Substring($officephone.Length - 4)
        #Merge the string value with the 4 digits to create a new phone number
        $newvalue = $merge + $lastfourdigit
    }
    else
    {
        #No usable OfficePhone: leave NewPhone empty
        $newvalue = ""
    }

    #Table format for csv
    [PSCustomObject]@{Name = $name; OfficePhone = $officephone; NewPhone = $newvalue}
}

#Export the table to a new csv file (-NoTypeInformation drops the "#TYPE" header line)
$rows | Export-Csv newfile.csv -NoTypeInformation

So the end result is;

[Screenshot: newfile]

I prefer to keep my code simple and understandable.

Reference

  1. https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/export-csv?view=powershell-6

Office 365: How to handle resign user mailbox with litigation hold enabled?

Litigation hold is a feature that allows you to keep a mailbox for a specific or unlimited period. However, this is only the high-level definition of litigation hold. Throughout my deep and extensive research of Microsoft articles, especially TechNet, I only found high-level definitions of litigation hold but nothing about notices.

A few weeks ago, one of my users reported to me that they have a user account that is disabled (in Active Directory), blocked from sign-in and unlicensed, but the mailbox is still active and able to send (e.g. via inbox forwarding rules) and receive mail, and can also be logged in to by someone with full access. After some research, I found a Microsoft support article (https://support.office.com/en-us/article/manage-inactive-mailboxes-in-office-365-296a02bd-ebde-4022-900e-547acf38ddd7) about how to handle inactive mailboxes. However, it still didn’t state why it happens or how this mechanism works.

We call this a deprecated account with an active mailbox. I really hope Microsoft can do something about this, as it seems to me pretty troublesome to go through extra steps to handle it, and I also hope they can elaborate more on litigation hold’s pros and cons or how this mechanism works.

*Note:

Please take note: if you have mailboxes with unlimited litigation hold enabled, and the user account in Active Directory is disabled but in a synced Organizational Unit, please move them to an unsynced Organizational Unit IMMEDIATELY or else it will fill up the mailbox storage.

To check which Organizational Units are unsynced;

  1. Go to your Azure Active Directory (sync) server
  2. Click the Windows Start button
  3. Open MIISCLIENT or Synchronization Service
  4. At the top, select “Connection”
  5. Double-click on your local domain
  6. Select Configure Directory Partitions
  7. Click the button at the bottom right
  8. Select “Containers”
  9. Enter the Active Directory credential
  10. You will see checkboxes; the unchecked ones are the unsynced Organizational Units.
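A report for the “deprecated account but active mailbox” case described in this post, added here as an example and not part of the original post. It assumes an open Exchange Online session (Connect-ExchangeOnline); the report path is a placeholder. It lists mailboxes on litigation hold whose account is disabled, together with the hold duration and any forwarding still configured on them (mailbox-level forwarding and inbox rules that forward or redirect), which is exactly what made the user’s mailbox in the story keep sending.

```powershell
# Added example (not from the original post): find Exchange Online mailboxes on litigation hold
# whose account is disabled, and flag forwarding that keeps them sending mail.
# Assumes Connect-ExchangeOnline has been run.
[CmdletBinding()]
param(
    [string] $ReportPath = (Join-Path $env:TEMP 'held-disabled-mailboxes.csv')   # placeholder path
)

# Server-side filter: only mailboxes with litigation hold switched on.
$held = Get-Mailbox -ResultSize Unlimited -Filter { LitigationHoldEnabled -eq $true }

$report = foreach ($mbx in $held) {
    # AccountDisabled reflects the disabled/blocked state synced from AD.
    $user = Get-User -Identity $mbx.Identity
    if (-not $user.AccountDisabled) { continue }

    # Inbox rules that forward or redirect are the path the post describes:
    # a disabled account whose mailbox still sends mail outward.
    $forwardingRules = @(Get-InboxRule -Mailbox $mbx.Identity | Where-Object {
        $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo
    })

    [PSCustomObject]@{
        UserPrincipalName      = $mbx.UserPrincipalName
        LitigationHoldDuration = $mbx.LitigationHoldDuration      # "Unlimited" or a time span
        MailboxForwarding      = $mbx.ForwardingSmtpAddress
        ForwardingRuleCount    = $forwardingRules.Count
        ForwardingRuleNames    = ($forwardingRules.Name -join '; ')
        WhenMailboxCreated     = $mbx.WhenMailboxCreated
    }
}

$report = @($report)
$report | Sort-Object UserPrincipalName | Export-Csv -Path $ReportPath -NoTypeInformation
$report | Format-Table UserPrincipalName, LitigationHoldDuration, MailboxForwarding, ForwardingRuleCount -AutoSize
Write-Host ("{0} held mailbox(es) with a disabled account; report written to {1}" -f $report.Count, $ReportPath)
```

Mailboxes that appear here with a ForwardingRuleCount above zero or a MailboxForwarding address are the ones to review first; the hold itself is usually intended, the forwarding rarely is.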

 

References:

  1. https://support.office.com/en-us/article/manage-inactive-mailboxes-in-office-365-296a02bd-ebde-4022-900e-547acf38ddd7
  2. https://technet.microsoft.com/en-us/library/ff637980(v=exchg.160).aspx#lithold
  3. https://technet.microsoft.com/library/dn743673(v=exchg.150).aspx
  4. https://technet.microsoft.com/en-us/library/dn790612.aspx

 

Exchange Hybrid & PowerShell: How to customize a permission of a role?

Again, not brain surgery. Just calm your mind and enjoy understanding it.

Yes, I know the default settings or features don’t always meet the customer’s requirements, so they always request customization.

So basically I expect that you know what the default roles in Exchange hybrid are and the permissions inside them. Anyway, you have to be an administrator to be able to view the roles. You can find them at your Exchange hybrid console > Permissions > Admin roles.

*Note:

  • I prefer to use PowerShell to create this customized permission role because it provides more detail about which functions run in each role type.
  • You can dig deeper by removing/adding the functions of a role type that you do or do not wish to be in your customization.
  • Try not to configure the default roles given
  • Always create a new role

Using Interface to create Admin Roles Group

However, the interface doesn’t actually allow you to create customized roles.

To create a new customized permission role, go to Exchange Hybrid console > Permissions > Admin roles > “+”

Example below;

[Screenshot: Capture01]

Select the roles you want for your customized permission;

[Screenshot: Capture02]

Using Power Shell to create customization

What I would do is copy a default role and its permissions into my new role, choosing the default role closest to my client’s request, and then eliminate permissions based on a comparison such as “if the role’s entry is not one of these permissions, remove it”. This definitely saves much more time.

If you aren’t sure which default role to copy, extract the detailed list of each role’s permissions. Simply type the following:

Get-ManagementRole | ForEach-Object { Get-ManagementRoleEntry "$($_.Name)\*" }
  1. Go to your Exchange Hybrid server > open the Exchange PowerShell console (Run as Administrator)
  2. Run the commands below

     #To get a list of role types
     Get-ManagementRole

     #Get function details of each role type
     Get-ManagementRoleEntry "RoleTypeName\*"

     #Create a new customized role by copying a default role type
     New-ManagementRole -Parent "RoleTypeName" -Name "NewCustomizePermissionRoleName"

     *RoleTypeName would be the names circled in red in the picture below

     [Screenshot: Capture01, role type name]

     Get-ManagementRoleEntry basically gets the list of permissions inside the role.

     *Each role has its own list of permissions

  3. If you wish to limit or remove a role type’s functions/permissions, then run these commands

     #Find the customization that you created
     #Query: where the entry name is not "Get-RemoteDomain" or "New-RemoteDomain", remove the other entries
     Get-ManagementRoleEntry "NewCustomizePermissionRoleName\*" | Where { $_.Name -NotLike "Get-RemoteDomain" -and $_.Name -NotLike "New-RemoteDomain" } | Remove-ManagementRoleEntry

     #Query your modified customization, to check whether the modification is correct
     Get-ManagementRoleEntry "NewCustomizePermissionRoleName\*" | select Name, Role | ft

     #If you wish to undo, then run this command
     #It will get the function "Get-Mailbox" from the role type and add it into your customization
     Get-ManagementRoleEntry "RoleTypeName\Get-Mailbox" | Add-ManagementRoleEntry -Role "NewCustomizePermissionRoleName"

 


Exchange 2016: “Database is mandatory on UserMailbox”

When you are setting up a new Exchange server to upgrade the current Exchange server, with all the prerequisites applied, the next step is to run the setup.exe file of the Exchange CU. However, you notice that the setup interface has stopped at Step 7, “Mailbox role setup”, because an error was encountered.

Usually the interface doesn’t provide the detailed reason for the error.

“Mailbox role: Transport service : Error”

Example:

[Screenshot]

To get a better understanding of the error, go to Windows Explorer > open the C:\ drive > select the Exchange Setup Log folder > open the Exchange Setup txt file > scroll to the bottom to get the details.

Example:

[Screenshot: Capture]

*Error: Database is mandatory on UserMailbox;

Below are the sample logs and the error that caused the setup to stop; it seems that a system mailbox “SystemAttendantDependent_xxx” was found corrupted. Usually, corrupted means that this account’s HomeMDB attribute value is empty. The solution is to add the correct value to the HomeMDB attribute of the corrupted account.

[Screenshot: capture1]

Here is how it is done;

  1. To find whether there are any other corrupted mailboxes;
    • Open your current Exchange server’s PowerShell
    • Run this command
      • Get-Mailbox -Arbitration | Select Name, Database
      • It will then show you the corrupted mailboxes, each with a WARNING
  2. Go to ADSI Edit > Connect to Default naming context > Users container > search for a valid user account with a mailbox > open Properties
  3. Find the attribute HomeMDB > copy the value (*Optional: you can paste the value into Notepad temporarily)
  4. Go to ADSI Edit > Connect to Default naming context > Users container > search for a corrupted account > open Properties
  5. Find the attribute HomeMDB > replace the empty box with the copied value
  6. * Do this for each corrupted mailbox you found that is blocking you from completing the setup of your new Exchange.
  7. Rerun the setup.exe
  8. If the setup is successful, continue with the post-installation.

*Note:

There could be other related corrupted accounts (which can’t be found from the Exchange PowerShell) blocking you from completing the setup of your Exchange. Please look into the details of the logs to find the other corrupted accounts and replace their empty attribute values with the correct ones.
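The HomeMDB check from this post and step 3 of the Exchange 2013 decommission post above, as one script added here as an example that is not part of either original post. It runs in the Exchange Management Shell on a server that also has the ActiveDirectory module, and it takes the database name as a parameter rather than assuming one. It reads homeMDB straight from AD for every mailbox-enabled object (msExchMailboxGuid set), so it also catches the corrupted accounts the note above says Get-Mailbox cannot show, and reports two cases: an empty homeMDB (the “Database is mandatory on UserMailbox” cause) and a stale homeMDB pointing at a database that no longer exists (typical leftovers on a decommission). With -Fix it fills only the empty ones, which is the post’s procedure; stale ones are reported for review.

```powershell
# Added example (not from the original posts): find mailbox-enabled AD objects whose homeMDB is
# empty or points at a database that no longer exists, and optionally fill in the empty ones.
# Run in the Exchange Management Shell with the ActiveDirectory module available.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Mailbox database name to write into empty homeMDB values when -Fix is given (you supply it)
    [string] $TargetDatabase,
    [switch] $Fix,
    # Optional AD search base DN to narrow the scan, e.g. the Users container (placeholder if set)
    [string] $SearchBase
)

Import-Module ActiveDirectory

# A valid homeMDB is the distinguished name of an existing mailbox database.
$databases = @(Get-MailboxDatabase)
$validDns  = $databases | ForEach-Object { $_.DistinguishedName }

# Arbitration, discovery, health and user mailboxes all carry msExchMailboxGuid in AD.
$adParams = @{ LDAPFilter = '(msExchMailboxGuid=*)'; Properties = 'homeMDB' }
if ($SearchBase) { $adParams['SearchBase'] = $SearchBase }

$broken = @(foreach ($u in Get-ADUser @adParams) {
    if (-not $u.homeMDB) {
        $status = 'empty'
    }
    elseif ($validDns -notcontains $u.homeMDB) {
        $status = 'stale (database no longer exists)'
    }
    else {
        continue
    }
    [PSCustomObject]@{
        Name              = $u.Name
        SamAccountName    = $u.SamAccountName
        Enabled           = $u.Enabled
        HomeMDB           = $u.homeMDB
        Status            = $status
        DistinguishedName = $u.DistinguishedName
    }
})

if ($broken.Count -eq 0) {
    Write-Host 'No mailbox-enabled objects with an empty or stale homeMDB.'
    return
}
$broken | Format-Table Name, Enabled, Status, HomeMDB -AutoSize

if ($Fix) {
    $target = $databases | Where-Object { $_.Name -eq $TargetDatabase }
    if (-not $target) { throw "Mailbox database '$TargetDatabase' not found; check Get-MailboxDatabase." }

    # Only empty values are filled in (the post's ADSI Edit procedure, automated).
    # Stale ones are left for review: on a 2013 decommission they are usually the
    # leftover objects to delete, not to repair.
    foreach ($obj in ($broken | Where-Object { $_.Status -eq 'empty' })) {
        if ($PSCmdlet.ShouldProcess($obj.Name, "Set homeMDB to $($target.DistinguishedName)")) {
            Set-ADUser -Identity $obj.DistinguishedName -Replace @{ homeMDB = $target.DistinguishedName }
        }
    }
}
```

Run it without -Fix first to get the list; the ADSI Edit steps above and this script write the same attribute, so either can be used to apply the value once the right database is known.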