MS-203 Microsoft 365 Messaging – Managing Compliance Part 3

5. Managing Journal Rules

I’d like to now talk about Journaling Email. Now if you’re not familiar with Journaling Email, this is the concept of being able to track the communications of certain users. Now this could be a scenario where we are needing to get a look at some of the communications that are happening with a specific user or even all of our users in our enterprise. This could be for litigation purposes, we might be doing this for compliance, but ultimately we need a way to track what users are saying in certain circumstances. Okay? Now one thing of note, in order to do Journaling, you’re going to be setting up a Journaling email account. That email account cannot be part of your exchange organization.

This is a compliance rule that Microsoft has put in place. So the email address that actually collects the Journal information, in other words the email address that gets a copy of the communications of a user is actually going to have to be part of a different organization. It could be a different exchange organization. It could be an on premise exchange server even in a hybrid environment. But the user account, the email account I should say cannot be part of our exchange organization.

So just make note of that. You’ll see me demonstrate that here right now. So here we are in the Microsoft 365 Admin Center. You can get there by going admin. Microsoft. com or portal microsoft. com. I’m going to click the show all drop down here and we’re going to go into Exchange. All right? Once we get an exchange, we’re going to go to the compliance management and we’re going to click on Journal rules. Now the first order of business is this area right here.

Send undeliverable Journal reports to Admin@examlabpractice. com. Now when you first come in here, this is not going to be selected. So you have to do that. This account can be part of your organization, okay? But you have to have one of those. If you do not have something to catch undeliverable Journal reports then it will not allow you to create a Journal rule. As you can see, I’ve already done that. I selected the admin examlabpractice. com. Now let’s create a Journal rule. So we’re going to click the little plus sign. I’m going to send this Journal report copy of this information to an old email account I created. It’s a Gmail account. Okay.

And it’s just going to be this email address here. All right? So we’re going to use that because that’s not part of our organization. From there you can give it a name, I’m just going to call it Journal Example and then it says if the message is sent to or see you could do every apply to all messages. I don’t want to capture an ungodly amount of email right now. I’m just going to do one user. So we’re going to pick on one user and it’s going to be, let’s see, how about Bill Williams. So we’ll do Bill Williams. Any emails that Bill Williams is dealing with here, we’re going to have that sent to that Journal email account. So if the message is sent to or received from Bill Williams, so journal the message, the following message. I can say all messages. I could say internal messages only.

Or I could do external messages only. I’m going to say all messages. And then we’re going to go ahead and click save. All right? So it’s in the process of saving that message now. All right, then what we’re going to do is we’re going to fire off an email to Bill Williams and we’re going to see if our Journal email account actually captured it. I’m going to open up Outlook here and I’m going to go to create a new email. I’m emailing from Jc@examlabpractice. com. We’re going to email Bill Williams. All right, as you can see, it’s detected bill Williams subject is going to be payroll and budget. I’m going to say, hey, Bill, can you send me the latest budget and payroll information? Thanks, JC. All right. So now we’re going to go ahead and click send. So that’ll take a moment to process.

And then we should be able to jump over to our Gmail account, which is going to be the Journal email box. And we should see a copy of that information that has been sent. We’re going to jump over there now and check that out. So popping in here to my Gmail account. As you can see, the email from that email account that I sent through Outlook just now is popping up in the inbox here. This being the Journal recipient I’ve set up, I’m going to click on that email and we’re going to read it. Notice the information. It says the sender was JC examlabpractice. com subject payroll and budget. The person that was going to was Bill Williams at Exam Labpractice. com.

Here is a copy of the forwarded email. Hey, Bill, can you send me the latest budget and payroll information? So you’ll, you can see the Journal inbox does work. So this can be a pretty good little feature you can use to get a copy of emails from a certain user. This is going to be for litigation purposes or whatever, and it meets your compliance restrictions. This is a great way to get that done. And as you can see, it’s really not all that difficult to set up.

6. eDiscovery with Litigation, In-Place and Retention Holds

What exactly is ediscovery? Ediscovery gets into being able to identify and capture information inside of your cloud services environment as well as even on premise environment where we perhaps need to use this for evidence in legal cases. This is going to involve situations where maybe litigation has got to happen. This is going going to allow us to perform different actions such as doing in place holds on people’s mail and controlling retention of all of that. So you got to imagine maybe a situation in your environment where somebody’s broken the law, maybe somebody’s leaked a bunch of information out to somebody financial information about your company and we might have to take legal action.

Or if somebody is being let go because of something they did, we may need to have this evidence in case that person was to turn around and maybe sue the company. So it’s important that we have a way to get this information and utilize this information in our environment. So Microsoft provides some tools to assist you with this right there in your Security Compliance center known as the Ediscovery Tools. Okay? They’re going to allow you to search your exchange, online mailboxes, your office, 365 group teams, SharePoint, OneDrive for business, Skype for business.

All of that stuff is part of your Ediscovery and you can perform evidence collection on it with the help of these Ediscovery tools. Now the other thing is with Ediscovery, you’re going to set up something called an Ediscovery case. An Ediscovery case is going to allow you to add members to this case that are allowed to view and look at this evidence and do and perform searches. Another thing again, is that you can place hold on people’s content, holds on people’s content.

So for example, you might have a user who has been maybe talking about payroll with other employees and emailing payroll information. Now you’ve got a bunch of drama going on in your company and the company needs to prove that this person has done it. Well, somebody’s going to try to delete the evidence, right? So if they were emailing out some of the other employees and talking about company payroll or budgeting or whatever it is, we can place a hold on their mailbox so that anything they delete doesn’t actually get deleted. That way we can go back and we can peruse all the things that are going on in their email. And again, that’s the exchange just being an example. This also works with SharePoint and OneDrive and teams and all that stuff as well.

You can save specific searches also. So after you have done the search and found the information, you can save it and you can even export this information out to other forensics tools. So if you’re using some of the maybe on premise forensic tools like OS, Forensics Autopsy, something like that, then this stuff can be actually exported. It supports comma, separated value, all of that good stuff. You can also do advanced C discovery. And where you get into advanced C discovery is essentially where maybe we’re dealing with a very large amount of information. We might even be working with a lawyer, a bunch of lawyers, and the lawyers need to be able to get access to this information.

So if you need to share this Ediscovery stuff with people outside your organization, then Microsoft does provide advanced methods in order to do that. But this is a great solution for if you’re needing to share it with other people outside your organization. But all in all, Ediscovery is definitely an important aspect of our business. It’s not the most pleasant thing we have to deal with in our environments, but it’s definitely something that happens, and it’s something that we need tools to help us in order to put all this together and share it with the people that it needs to be shared with.

7. Configuring eDiscovery and holds

I’d now like to walk you through managing the Ediscovery settings in the Microsoft 365 environment here. Now to start with, we’re in the Microsoft 365 Admin Center, which you can get to by going to admin dot Microsoft. com or portal dot Microsoft. com. And from there I’m going to click the Show All Ellipse symbol here. I’m going to scroll down and we’re going to click the Security Admin Center. OK, this is going to open up the, the Admin Center for your Microsoft 365 services for security and compliance. This is also known as the Security and Compliance Center. Now when we get in here, if we scroll down towards the bottom you’re going to see a dropdown that says Ediscovery, okay? So we can drop that down and we can click here where it says Ediscovery. We’re going to do that and then from there the next step is you have to create what is called a case.

So we’re going to click to create a case. Okay, maybe your case is you are searching for information involving the company’s payroll. So I could call this case Payroll, for example, save it and now I’m ready to open the case and do some searching. So here we are, we’re opening up the case and we can go through now and we can perform searches for certain keywords and all that. And then we can do things like placing holds and all that on people’s mailboxes. So we can go here and do a search. We can click, do a new search and we’ll search the keyword payroll.

We can add additional certain types of conditions like we can specify sender and size and subject all that stuff. Lots of little options here. I could specify email related options here if I want document information, so I can add any of that to the search if I want. Okay, you also can do search all locations, or if you wanted to search specific locations, you can say modify and you can modify specific locations that you want to actually perform the search.

Now in my case, I’m going to search all locations and then at that point I can say Save and run. And it’s now going to perform the search after I give it a name. So I’m going to call this payroll search, hit Save and now it’s ready to do the search. Now keep in mind, in a very large environment, this can take a very long time. You’re talking hours to go through and search a lot of data.

But once it’s done, at that point I can save this search and I’ve got this information as an evidence. Now I can also do hold so I can come over here and I can click to create a hold on somebody’s, maybe their mailbox or something. So I’m going to say I’m going to call this an email hold. I’m going to click next. And then if I wanted to do exchange email or something, I’ll choose users groups. I’m going to say choose the users and groups. And then at this point I can specify the user that I want to perform this on. You can search for a specific user if you want, searching for a user named Joe or actually Jane, and it’ll locate your users. And then from there you can select the user that you want to perform this on. All right. And let’s see, find our user here. There’s Greg Johnson.

So we’ll select Greg Johnson. I just remembered that my Joe and Jane are actually in a separate environment. But here is Greg Johnson. I’m placing a hold on Greg Johnson’s email account. So what this basically means is anything that this user does, if he deletes email and stuff like that, we’ve placed a hold on it. So we will still be able to find the email messages and stuff like that, even if he deletes that email. All right, so we’re going to choose to do this to Greg Johnson. We’re going to click done. We’re going to click next. And then of course, again, the keywords are going to be the word payroll. So it’s going to place the query conditions on that keyword, the word payroll, and then we’re going to click to create this hold. And we’ve now officially placed a hold on Greg Johnson. All right, so that’s how you do a hold.

You can come back over to searches if you want. Unfortunately, I didn’t find any data in my case. But if you did find any searches, any specific company information pertaining to those keywords that would show up here and you could save this if you want. Another thing you can do is you can export this information as well. If you want to export it out to a forensics tool or something like that, you could. So again, this ediscovery set of tools that we’ve got is all about trying to assist us in finding information that is perhaps apps being shared around or even just stored in certain documents or email and then being able to take action such as gather that collection. And then in the case of Exchange, for example, I could do an in place hold on their data.

• Category: Uncategorized