Module 8: Administering and

troubleshooting compliance and

security in Office 365

Lab: Configuring and troubleshooting

compliance and security
Scenario
The compliance and security groups at A. Datum Corporation are quite concerned
with the implications of moving internal services and content to a cloud-based
solution such as Office 365. To gain project approval for the project, you need to
show how you can use rights management and compliance features to address these
concerns.

Objectives
After completing this lab, you will be able to:

 Configure rights management in Office 365.

 Configure compliance features in Office 365.

 Configure email protection in Office 365.

 Troubleshoot compliance and protection.

Note: The lab steps for this course change frequently due to updates to Office 365.
Microsoft Learning updates the lab steps frequently, so they are not available in this
manual. Your instructor will provide you with the lab documentation.

Lab setup
Estimated time: 75 minutes

Virtual machines: 10997B-LON-DC1, 10997B-LON-DS1, and 10997B-LON-CL1

User name: Adatum\Administrator (for 10997B-LON-DC1 and 10997B-LON-
DS1), Adatum\Holly (for 10997B-LON-CL1)
Password: Pa55w.rd

In all the tasks, where you see references to Adatumyyxxxxx.onmicrosoft.com,

replace yyxxxxx with your unique Office 365 number.

Exercise 1: Configuring and verify Azure Information

Protection in Office 365

Scenario
You need to configure Azure Information Protection in Exchange Online and
SharePoint Online to help ensure that confidential information is not shared with
unauthorized users.

The main tasks for this exercise are as follows:

1. Activate Azure Information Protection in Office 365

2. Configure Azure Information Protection for Exchange Online

3. Configure Azure Information Protection for SharePoint Online

4. Validate Azure Information Protection functionality

Task 1: Activate Azure Information Protection in Office 365

1. On LON-CL1, open Microsoft Edge, and then connect to the Office 365

portal.

2. Sign in as Holly@Adatumyyxxxxx.onmicrosoft.com by using Holly's

password.

3. Access Microsoft Azure Information Protection under Settings/Services &

add-ins menu, and then verify that Rights Management is activated. If it is
not, click activate.

Task 2: Configure and verify Azure Information Protection for Exchange Online

1. Open Windows Azure Active Directory Module for Windows

PowerShell from the desktop of LON-CL1.

2. Use the following commands to connect to Exchange Online with remote

Windows PowerShell. Use Holly's credentials to connect:

$Cred = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri
https://outlook.office365.com/powershell-liveid/ -Credential $Cred -Authentication
Basic -AllowRedirection
Import-PSSession $Session -DisableNameChecking

3. Use the following command to view the IRM configuration:

Get-IRMConfiguration
In the results, verify that values for the first nine variables are set to True (except
for TransportDecryptionSetting which can have value Optional).

4. Use the following command to test the configuration, where yyxxxxx is your unique
Adatum number:

Test-IRMConfiguration -Sender Holly@Adatumyyxxxxx.onmicrosoft.com

5. Verify that test result is PASS.

6. Remove the remote Windows PowerShell session, and then close Windows
PowerShell.

Task 3: Configure Azure Information Protection for SharePoint Online

1. From the Microsoft 365 admin center, connect to the SharePoint admin center.

2. Go to the settings page.

3. Enable IRM, and then refresh the IRM settings.

Task 4: Validate Azure Information Protection functionality

1. On LON-CL1, open Word 2016, and

add Holly@Adatumyyxxxxx.onmicrosoft.com as the Office account.

2. Close Word 2016.

3. Open Outlook 2016. Create a new message for Beth Burke. On

the Options tab, click Permission, and then connect to the rights
management server to get templates.

4. Click Permission again, apply the Do not Forward policy, and then send the

message.

5. In Microsoft Edge, connect

to https://Adatumyyxxxxx.sharepoint.com/sites/marketing.

6. Click Documents, and then access the library settings.

 7. Enable IRM, and then configure a policy with the following settings:

 Restrict permissions on this library on download

 Title: Marketing Policy

 Description: Marketing policy for downloads

 Allow viewers to write on a copy of the downloaded document

8. Close Microsoft Edge.

9. Open Microsoft Edge, and then connect to https://portal.office.com. Sign in

asBeth@Adatumyyxxxxx.onmicrosoft.com by using Beth's password as the
password.

10. Check Beth's email, and then verify that you received an email from Holly that
is IRM protected. Click the message.

11. Verify that you do not have the option to forward or print the message.

12. In Microsoft Edge, connect

to https://Adatumyyxxxxx.sharepoint.com/sites/marketing.

13. Open the document in the Documents library, and then verify that you cannot
edit it.

Result: After completing this exercise, you should have configured rights
management for Exchange Online and SharePoint Online.

Exercise 2: Configuring compliance features

Scenario
As a part of general security and compliance strategy, you need to implement the
following features in Office 365:

 Delegate rights in the Office 365 Security & Compliance Center.

 Enable archive mailboxes.

 Configure retention tags and policies.

 Configure content deletion and preservation policies.

 Configure DLP.
The main tasks for this exercise are as follows:

1. Configure the Office 365 Security & Compliance Center permissions and audit
logging

2. Configure archive mailboxes

3. Configure retention tags and policies

4. Configure content deletion and preservation policies

5. Configure data loss prevention policy

6. Create compliance check content

7. Validate the configuration

Task 1: Configure the Office 365 Security & Compliance Center permissions and
audit logging

1. On LON-CL1, open Microsoft Edge, and then sign in

to https://portal.office.com as Holly@Adatumyyxxxxx.onmicrosoft.com.

2. In the Microsoft 365 admin center, click Security & Compliance, and then
open the Office 365 Security & Compliance Center.

3. In the Office 365 Security & Compliance Center, configure Beth Burke as a
Compliance Administrator and add her to the Compliance Management and
Recipient Management groups in Exchange Online. Add Christie Thomas as an
eDiscovery Manager.

4. Click Search & investigation.

5. Click Audit log search.

6. On the Audit log search page, click Turn on auditing.

7. Leave Microsoft Edge window opened.

Task 2: Configure archive mailboxes

1. In the navigation pane, click Data management, and then click Archive.

2. Configure Christie Thomas and Catherine Richard with archive mailboxes.

Task 3: Configure retention tags and policies

 1. In the Exchange admin center, navigate to compliance management and create the
following retention tags for your organization:

 DPT:
Name: Research User 1 year move to archive
Retention Action: Move to Archive
Retention Period: 365 days

 DPT:
Name: Default 2 years move to Deleted Items
Retention Action: Delete and Allow Recovery
Retention Period: 730 days

 RPT on the Deleted Items folder:

Name: Purge Deleted Items 30 days
Retention Action: Permanently Delete
Retention Period: 30 days

 Personal tag:
Name: 2 Year Delete
Retention Action: Delete and Allow Recovery
Retention Period: 730 days

 Personal tag:
Name: Never archive
Retention Action: Move to Archive
Retention Period: Never

2. Create the following retention policies for your organization:

 Retention policy for Research users:
Name: Research MRM Policy
Retention tags included:

o Research user 1 year move to archive

o Never delete

o 2 year delete

3. Apply the retention policy for Research users to Christie Thomas's mailbox.

Task 4: Configure content deletion and preservation policies

1. Return to the Office 365 Security & Compliance Center.

 2. Access the Retention page, and then select the option to manage document
deletion policies for SharePoint Online.

3. On the Retention page, configure a new policy by using the following

settings: Set the name as Marketing Document Policy.

Create a new rule named Delete Messages at 7 years that will permanently delete

messages seven years after they are created.

Set the new rule as the default rule.

4. Assign the policy to Adatum Corp Team Site.

5. On the Retention page, create a new preservation policy as follows:

Type Retain contract details as the policy name, and then click Next.

Make sure that the search locations include the Francisco Chavez mailbox.

Configure the policy to search for the word Contracts.

Configure the policy to retain the content for seven years.

Task 5: Configure data loss prevention policy

1. In the navigation pane, navigate to Data loss prevention.

2. Create a new DLP policy from a template with the following settings:

 Information to protect: Custom

 DLP policy name: Test DLP policy

 Location: All locations in Office 365

 Types of sensitive information: Use advanced settings

 Sensitive information type: IP address

 Action: Restrict access to the content

 Condition: Content is shared with people outside the organization

 Configure the policy to send notifications and provide policy tips for users, and
to be active immediately.

Task 6: Create compliance check content

 1. Open Microsoft Edge, and then connect
to https://portal.office.com as Beth@Adatumyyxxxxx.onmicrosoft.com.

2. Send a new email to your new Microsoft account that you created for this
course, with a subject of Server IP addressand a message body of My IP is
192.168.1.15. Note: If you didn't create Microsoft account for this course, you
can also use your private email address for this purpose.

3. Ensure that you received a message from Microsoft Outlook, telling you that
your email message conflicts with a policy in your organization. Note: You
might have to click Other in the middle pane to see the message. Also,
sometimes it takes time for the message to arrive. You can proceed with other
tasks.

Task 7: Validate the configuration

1. Sign in to Office 365 as Christie@Adatumyyxxxxx.onmicrosoft.com.

2. Access Christie's mailbox, and then verify that she has an In-Place Archive.

3. Access Holly's mailbox and verify that she received a notification about the
message that Beth tried to send to your Microsoft account.

4. Close all Microsoft Edge browser windows.

Result: After completing this exercise, you should have implemented the following
features in Office 365:

 Delegate rights in the Office 365 Security & Compliance Center.

 Enable archive mailboxes.

 Configure retention tags and policies.

 Configure content deletion and preservation policies.

 Configure DLP.

Exercise 3: Configuring email protection

Scenario
You also need to explore the anti-spam and anti-virus settings that are available in
Exchange Online. You need to:
  Configure a policy to ensure that an administrator account is notified when a
message containing malware is received.

 Ensure that you can block all email from specified IP addresses.

 Ensure that all messages sent to the Sales shared mailbox are received, even
when there is a high likelihood that the message is spam.

 Enable Advanced Threat Protection for users in the Sales department.

The main tasks for this exercise are as follows:

1. Configure the malware filter

2. Configure the connection filter

3. Configure the spam filter

4. Enable Advanced Threat Protection

Task 1: Configure the malware filter

1. On LON-CL1, in the Exchange admin center, browse to malware

filter in protection.

2. Modify the default malware filter to:

 Notify internal senders when a message is blocked

 Notify Holly@Adatumxxyyy.onmicrosoft.com about undelivered messages

from internal or external senders

Task 2: Configure the connection filter

 On LON-CL1, in the Exchange admin center, configure the default connection

filter with the following settings:

o IP Block list: 192.168.0.0/24

o Enable safe list

Task 3: Configure the spam filter

1. On LON-CL1, in the Exchange admin center, modify the default spam filter to
quarantine high-confidence spam.

2. Create a new spam filter with the following settings:

  Name: Projects spam policy

 Spam: Prepend subject line with text

 High confidence spam: Move message to Junk Email folder

 Prepend subject line with text Junk:

 Applied to: members of the Projects group

Task 4: Enable Advanced Threat Protection

 In the Exchange admin center, create a new safe attachments policy in

advanced threats with the following settings:

o Name: Projects policy

o Safe attachments unknown malware response: Replace - Block the

attachments with detected malware, continue to deliver the
message

o Applied to if: The recipient is a member of Projects

Result: After completing this exercise, you should have explored the anti-spam and
anti-virus settings that are available in Exchange Online.

Exercise 4: Troubleshooting security and compliance

Scenario
As one of the troubleshooting measures for access issues on protected documents,
you need to configure the super user feature on your Office 365 tenant and assign
Holly as a super user. You also need to validate that the super user feature works.

The main tasks for this exercise are as follows:

1. Configure the super user feature for Azure Information Protection

2. Verifying access to protected document

3. Validating the super user feature

Task 1: Configure the super user feature for Azure Information Protection

1. Open Microsoft Azure Active Directory Module for Windows PowerShell on LON-CL1.
 2. Use cmdlet Set-PSRepository -Name PSGallery -InstallationPolicy Trusted to add
PSGallery as trusted source
3. Use cmdlet Install-Module -Name AADRM to install PowerShell module for Azure
RMS.
4. Connect to MsolService in PowerShell with Holly's credentials.
5. Use cmdlet Connect-AadrmService to connect to Azure RMS service.
6. Use Enable-AadrmSuperUserFeature to enable the super user feature.
7. Assign Holly as a super user by using Add-AadrmSuperUser.
8. Verify that Holly is the only super user.
9. Sign out from LON-CL1.

Task 2: Verifying access to protected document

1. Sign in as Adatum\Beth to LON-CL2.

2. Open Word, and then sign in as Beth@Adatumyyxxxxx.onmicrosoft.com.

3. Type a text of your choice in the document.

4. Configure rights management protection on the document so that only

Christie can read the document.

5. Save the protected document in the C:\LabFiles folder on LON-CL2. Name the

document as test.docx.

6. Sign out from LON-CL2.

Task 3: Validating the super user feature

1. Sign in as Adatum\Holly to LON-CL2.

2. Open Word, and then, if needed, sign in

as Holly@Adatumyyxxxxx.onmicrosoft.com.

3. Verify that you can open C:\LabFiles\test.docx, because Holly is configured as

a super user.

Result: After completing this exercise, you should have configured the super user
feature on your Office 365 tenant and assigned Holly as a super user.
Question Why did you configure different anti-spam settings for members of the
sales group?

Question What is the best approach to protect organizational financial data?