Windows Autopilot – check those logs…

Windows Autopilot is a Windows 10 feature that enables organizations to pre-register devices either through an OEM or manually.  When users receive a Windows 10 device that is registered with Autopilot and turn it on, they’ll walk through a streamlined and customized out of box experience (OOBE).  In summary, Autopilot helps to reduce the costs (and in some cases, infrastructure) of deploying devices to users.

If Autopilot were to run into an error there are several methods to check what and why issues occurred. Michael Niehaus has several posts about troubleshooting Autopilot including a recent blog post outlining new methods of accessing information to investigate Autopilot. Refer to Michael’s posts for detailed information on how to troubleshoot Autopilot.

In this post I’m sharing a simple script I wrote (based on the info Michael Niehaus outlined in his post) to view aggregated information about Autopilot from the registry and event viewer. In addition to registry and event viewer info, deeper investigation steps may be pursued with ETW.

 

Let’s get started

Requirements

  • Windows 10, 1709 or later
  • PowerShell


PowerShell Script

Feel free to modify the script to suite your needs such as remotely pull information from devices, etc.

The script is straight forward, first it looks for the Windows 10 version, i.e. 1709, and if it’s greater than or equal to “1709” it runs through both steps and pull registry and event logs. If the installed OS is greater than “1709” it will only pull event logs for 1709 as registry entries didn’t show up until 1803. Lastly, the script only pulls the latest 10 events, however that is easily modified.

 

#Get Windows Version
$WinVersion = (Get-ItemProperty -Path “HKLM:SOFTWAREMicrosoftWindows NTCurrentVersion” -Name ReleaseId).ReleaseId
Write-Host “”
Write-Host WindowsVersion= $WinVersion

if ($WinVersion -ge ‘1709’)

{
Write-Host “”
Write-Host “AutoPilot Registry Entries”
Get-ItemProperty ‘HKLM:SOFTWAREMicrosoftProvisioningDiagnosticsAutoPilot’
}

if ($WinVersion -gt ‘1709’)

{
#Show AutoPilot events
Write-Host “AutoPilot Event Logs”
Write-Host “”
Get-WinEvent -MaxEvents 10 -LogName ‘Microsoft-Windows-Provisioning-Diagnostics-Provider/AutoPilot’
}

 

Let’s see it in action:

Below are the results of a device not deployed with Autopilot.  As we can see there’s not much to look at or troubleshoot…

clip_image002[6]

Let’s take a look at a device deployed with Autopilot (notice the new setup screen that shows up in 1803)

clip_image003

The results of the script shows more information that may be utilized when troubleshooting Autopilot errors:

clip_image004[6]clip_image005

Add Windows Defender Browser Protection to Chrome with Intune

I recently read a really great post by Martin Bengtsson about utilizing Configuration Manager (SCCM) to force installation of the Windows Defender Browser Protection extension for Chrome. So I decided to take a different approach and deploy the extension utilizing a PowerShell script deployed through Microsoft Intune.

To learn more about the Windows Defender Browser Protection for Google Chrome please visit: https://chrome.google.com/webstore/detail/windows-defender-browser/bkbeeeffjjeopflfhgeknacdieedcoml

Assumptions

Windows 10 device enrolled in Intune


Let’s get started

I created the following PowerShell script to add the Defender Chrome extension as a registry entry:

New-Item -Path HKLM:SoftwarePoliciesGoogleChrome -Name ExtensionInstallForcelist –Force

$RegKey =”HKLM:SoftwarePoliciesGoogleChromeExtensionInstallForcelist”

Set-ItemProperty -path $RegKey -name 1 -value “bkbeeeffjjeopflfhgeknacdieedcoml;https://clients2.google.com/service/update2/crx”

I saved the script as a .ps1 file and added to Intune utilizing the steps below:

clip_image001

Name the script, upload, and save

clip_image002[4]

Assign the script to a group

clip_image003

Sync your Windows 10 device with Intune

clip_image004[4]

Sync the device with Intune 

clip_image005

Registry Before sync

clip_image006[4]

Chrome without Defender browser protection

clip_image007

Registry after sync

clip_image008[4]

Chrome with Defender browser protection

Once Chrome is launched, the extension is automatically downloaded to the extension directory and added to Chrome.

clip_image009

Chrome extension directory

clip_image010[4]

In addition to configuration, Configuration Manager will also perform remediation if this is something you’re more concerned with, SCCM is the best path to go currently. Again read Martin Bengtsson’s detailed post for insight on deploying and remediating for the Windows Defender Browser Protection for Chrome extension through SCCM.

Windows 10 Group Policy vs. Intune MDM Policy who wins?

 

When I speak with organizations about managing Windows 10 devices with Microsoft Intune there is a concern about disruption of current projects to deploy new OSs, patches, etc.  When moving to Intune for managing Windows devices, Intune will leverage the built-in MDM agent vs. having to install another agent to manage Windows 10 devices.

 

With modern management of Windows 10, the process of updating and upgrading Windows 10 devices is seen as continual process.  Updating Windows doesn’t have to be seen a massive project, evaluate your current processes for updating Windows and look at updating Windows 10 as an ongoing predictable process for IT and end users.  In addition your users and company benefit from the latest security features built into Windows 10.

 

Managing Windows policies are also a concern when moving to a newer OS.  Traditionally, configuration policies are managed by Group Policy, however Modern Management of Windows 10 with Microsoft Intune also has a set of policies, even policies that are duplicative of Group Policy (where applicable, not all Group Policies are available via MDM or CSP).  In environments where Group Policies are deployed and managed by Intune there’s the question of which policy wins.  The following describes which policy wins according to Windows 10 version.

 

  • Windows 10 versions 1709 and earlier Group Policy will override MDM policies, even if an identical policy is configured in MDM.

  • Windows 10 version 1803 and beyond there is a new Policy CSP setting called ControlPolicyConflict that includes the policy of MDMWinsOverGP, where the preference of which policy wins can be controlled, i.e. Microsoft Intune MDM policy.

 

For more details about the new ControlPolicyConfict setting please visit: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-controlpolicyconflict#controlpolicyconflict-mdmwinsovergp

 

What happens to the policy if the device is unenrolled from Intune?  If applicable, Group Policy will re-apply the policies in this scenario.

 

 

Setting up a policy

In the link above, the “scope” of the policy is set for “device” so we’ll need to target the policy at the device scope. 

 

To learn more about user and device scopes please visit: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-configuration-service-provider#policy-scope 

Since the ControlPolicyConfict policy applies to the device, we’ll have to utilize the following string: ./Device/Vendor/MSFT/Policy/Config/AreaName/PolicyName to configure the policy. 

 

Next replace AreaName/PolicyName with ControlPolicyConflict/MDMWinsOverGP

After the modification to the string, the policy should look like the following: ./Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP

 

Creating the policy

 

Let’s create a new policy in Intune to control the GP vs. MDM winner

 

  1. Navigate to portal.azure.com and locate Intune
  2. Select “Device configuration à Profiles à Create profile”
  3. Under Platform select Windows 10 and later
  4. Under Profile type select “custom” and “add”
  5. Name the custom setting with something intuitive
  6. For OMA-URI add the policy OMA-URI string: ./Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP
  7. For Data type select Integer and add the number 1

 

Supported values for this policy are as follows:

0 (default)

1 – The MDM policy is used and the GP policy is blocked.

 

 

 

image

 

image

 

 

 

Let’s take a look how the policy is applied

  1. On the Windows 10 device, select the Windows icon > Settings > Accounts > Access work or school à under the account name select Info
  2. Sync with Microsoft Intune by selecting “Sync”
  3. Once the Sync as completed select “Create report”

 

image

 

  • Once the report is completed a folder will open containing an .html file
  • Open the .html report and search for “MDMwins”

 

image

 

GP Setting before the MDM policy takes place :

clip_image007

 

MDM setting after the policy is applied (note: Windows 10 1803 is required to override the GP):

image

 

 

Let’s take a look at a report in Intune regarding the policy and if it was successfully applied.  This useful to make sure the policies are actually applying or not.

 

image

 

 

Logging

Being able to investigate modifications to a device is extremely important, especially when troubleshooting. 

 

In event viewer we can access the event where the policy was applied as shown below.  However digging through events, especially across multiple devices, can be a difficult process.  This is where Microsoft Operations Management Suite (OMS) comes in.

 

 image

 

 

Logging with Microsoft Operations Management Suite (OMS)

Within OMS there is the Log Analytics solution to manage logs from devices with the OMS agent installed.  I won’t go into details about installing the OMS agent, however I will say it’s straight forward.  Once the agent is installed (which I have it installed on all my devices so I can look at label changes with Azure Information Protection (see my previous post) and other aggregated information) we’ll need to grab the proper even log source name and populate that in Log Analytics.

 

 

Find and copy the event log source or name: Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider

 

image

 

image

 

 

Paste the event log path in Log Analytics to “Windows Event Logs under Settings > Data > Windows Event Logs” as shown below:

 

image

 

 

Give the logs a few minutes to sync from the device to OMS, then run the query below in log analytics analyzer and look for the MDMWinsOverGP policy created above:

 

image

 

For more details about Windows 10 MDM logging please visit: https://docs.microsoft.com/en-us/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10

 

 

Evaluating existing Group Policies to determine migration to MDM

Use the MDM Migration Analysis Tool (MMAT) to evaluate which Group Policies have been set for a target user/computer and cross-reference against its built-in list of supported MDM policies.

 

Download the MDM Migration Analysis Tool (MMAT): https://github.com/WindowsDeviceManagement/MMAT

 

For additional details about creating custom ADMX policies please view the following two great videos:

 

Enable ADMX backed policies in Intune: https://www.microsoft.com/en-us/videoplayer/embed/bdc9b54b-11b0-4bdb-a022-c339d16e7121

 

ADMX backed policy import example: https://www.microsoft.com/en-us/videoplayer/embed/a59888b1-429f-4a49-8570-c39a143d9a73

 

Keep up to date with MDM policies and other features via What’s new in MDM enrollment and management

 

https://docs.microsoft.com/en-us/windows/client-management/mdm/new-in-windows-mdm-enrollment-management

 

That’s it, we’ve learned that there is a new policy added to Windows 10 1803 that will control if MDM policies win over Group Policies (where applicable, not all Group Policies are available via MDM or CSP), how to investigate policies via event viewer, and aggregate those logs using Log Analytics (OMS).

 

 

Windows Information Protection – adding the Intune Company Portal for Windows as an exempt app

As of January 2019 this is no longer necessary as the Intune Company Portal app is now included in the default list of protected apps.



2019-01-03_12-52-07

Organizations using Windows Information Protection (WIP) may experience issues accessing the Intune Company Portal app.  Fortunately, exempting Intune Company Portal app and any other application from a WIP policy is straight forward.

 

To learn more about creating Windows Information Protection policies please visit: https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure

 

 

Let’s get started

 

By exempting an application the following pertains:

 

If you’re running into compatibility issues where your app is incompatible with WIP, but still needs to be used with enterprise data, you can exempt the app from the WIP restrictions. This means that your apps won’t include auto-encryption or tagging and won’t honor your network restrictions. It also means that your exempted apps might leak.

Source: https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure#add-apps-to-your-allowed-apps-list

 

Since the Intune Company Portal App doesn’t store any sensitive company data, exempting it shouldn’t be an issue, however always check in with your security team to make sure.

 

The first step to exempting the Intune Company Portal App for Windows is to locate the app in the store.  I’ve done this for you below and even though the app may be accessed from the consumer and business store, all we really care about is the AppID at the end, i.e. “9wzdncrfj3pz”. 

As we can see, the AppID is the same regardless of what portal it was accessed from:

 

Windows Store Intune Company Portal app: https://www.microsoft.com/en-us/store/p/company-portal/9wzdncrfj3pz

Windows Store for Business Intune Company Portal app: https://businessstore.microsoft.com/en-us/store/details/company-portal/9wzdncrfj3pz

 

 

Creating the WIP exemption policy

To create an app policy within Intune to exempt the Intune Company Portal app navigate to portal.azure.com à Intune à Mobile Apps à App protection policies à Add a policy

 

  1. Give the policy a name and select Exempt apps
  2. Select Add apps
  3. From the drop-down menu select Store apps

 

At this point you’ll need to have some information handy about the app.  Fortunately, there is an easy method of extracting this data using the URL below.  I’ve already accessed the URL below; however, you can do this for any store app to find the name, publisher info, and product name.

 

Access following and replace the ID with the ID of the app you’d like to exempt, in this case, the Intune Company Portal app ID: 9wzdncrfj3pz

https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9wzdncrfj3pz/applockerdata

For more details about accessing app package info please visit: https://docs.microsoft.com/en-us/windows/client-management/mdm/get-product-package 

The following is the output you’ll see in the browser in JSON format:

 

{

  “packageFamilyName”: “Microsoft.CompanyPortal_8wekyb3d8bbwe”,

  “packageIdentityName”: “Microsoft.CompanyPortal”,

  “windowsPhoneLegacyId”: “0b4016fc-d7b2-48a2-97a9-7de3b5ea7424”,

  “publisherCertificateName”: “CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US”

}

 

Now that we have the JSON information about the Intune Company Portal store app (using the URL above), we need to add that data to the policy as shown below. 

Once finished adding the information, select OK and assign the policy.  On the Windows device, either wait for your devices to sync with Intune of force a sync from Settings à Accounts à Access work or school.

 

image

 

 

Once the policy updates you’ll be able to access the Intune Company Portal app:

 

image

 

If you’re interested, I go into detail about WIP a previous post: https://blogs.technet.microsoft.com/cbernier/2017/05/19/windows-information-protection-explained-windows-10-creators-update/ 

That’s it, if you’re not utilizing Windows Information Protection today, I highly encourage everyone to look into the benefits of protecting corporate information across personal and corporate owned devices with Intune, including Windows, iOS, and Android.

 

Windows update compliance – Querying Azure Log Analytics data using PowerShell

 

With the abundance of data across services it’s important to have a method (API) to access the data for export.  Most organizations I speak with have some sort of SIEM to aggregate data and analyze it for informational and alerting purposes.  Microsoft also offers a service called Microsoft Operations Management suite and within that suite is a service called Log Analytics.  For more details about Log Analytics please visit: https://azure.microsoft.com/en-us/services/log-analytics/ 

For the purposes of this post we’ll look at how to query Log Analytics using PowerShell.

 

Requirements

Azure Log Analytics workspace (aka OMS)

Add and configure solutions so data is available to query

 

Let’s get started

Sign into Azure Log Analytics

Download the module from the PowerShell reference link above.

 

Here’s a view of the Log Analytics portal, for this post I’ll focus on Windows Analytics

SNAGHTML6bdc4ff

 

PowerShell access

Open PowerShell ISE and import the module

Import-Module .LogAnalyticsQuery.psm1

In the query below I’m looking for Windows devices that are missing security updates:

$Query = @’

WaaSUpdateStatus

| where NeedAttentionStatus==”Missing multiple security updates”

| render table

‘@

$SubID = “subscriptionID

$ResourceGrp = “resource group

$workspace=”workspace name

$(Invoke-LogAnalyticsQuery -WorkspaceName $workspace -SubscriptionId $SubID -ResourceGroup $ResourceGrp -Query $Query).Results|Out-GridView

 

Below is the output from PowerShell query using GridView.  Because the data is in JSON format we can use the data to import into an existing SIEM or dump the data in whatever format needed.

image

 

 

Below is a view of a query from log analytics, as we can see the query’s are identical using both methods.  So utilizing the Log Analytics portal, we can craft queries and then use those queries in our PowerShell scripts to extract data.  I recommend using the Log Analytics portal to prove out queries before utilize PowerShell.

image

 

References

Microsoft Flow and Azure AD – let’s automate!

 

When I speak with organizations we often discuss scenarios such as having an onboarding process that is in need of a front-end utility and automation.  Many organizations have cloud services and on premises applications where the user onboarding process in some cases is still a manual procedure.  To assist with these processes and many others, Microsoft offers as service called Microsoft Flow.  I’m always looking for creative uses of applications and Microsoft Flow offers just what we need to help automate processes such as account management across applications and services.  In addition, Microsoft Flow goes well beyond just automating a user management processes (e.g. onboarding) as discussed below.

 

What is Microsoft Flow?

“Microsoft Flow is a service that helps you create automated workflows between your favorite apps and services to synchronize files, get notifications, collect data, and more.”

Source: https://docs.microsoft.com/en-us/flow/getting-started

Microsoft Flow allows you to create workflows to automate tasks, for example, when files are added to a folder in a cloud storage environment such as OneDrive or Box, notify a user. Or create an approval workflow process to manage tweets before they’re posted to Twitter.

 

Microsoft Flow offers connectors to connect to either cloud applications or on premises environments.

To view a list of Microsoft Flow connectors, please visit: https://us.flow.microsoft.com/en-us/connectors/

 

In addition, there are many pre-defined templates that may be utilized such as starting an approval process when a new item is added to SharePoint or save tweets to an Excel file or sync files between cloud drives or a file server via FTP.  The list goes on and on…

To view a list of Microsoft Flow templates, please visit: https://us.flow.microsoft.com/en-us/templates/

 

Microsoft Flow Licensing

Some features are free and require premium Flow sku.  For more details about Microsoft Flow licensing please visit: https://flow.microsoft.com/en-us/pricing/

Microsoft Flow FAQ: https://docs.microsoft.com/en-us/flow/frequently-asked-questions

 

For this post, I will utilize Microsoft Flow to create users in Azure AD as well as provide custom bonus flows! so let’s get started…

As an administrator, the first thing we need to do is access Microsoft Flow and create a new workflow.

Navigate to https://flow.microsoft.com and sign-in.

Search for Azure AD in the search box provided as shown below:

image

 

From the results page, locate and select “Create Azure AD User From Button”

image

 

From there select “Continue” to add the template:

image

 

For more details about the Microsoft Flow Azure AD connector and templates, please visit: https://us.flow.microsoft.com/en-us/connectors/shared_azuread/azure-ad/

 

From here you can use the template as is and select Create flow, or you change the name and edit the steps in the template provided:

image

 

I chose to edit the “Send an email” step in the flow as I wanted a little more detail, I began the editing process by selecting “Send an email”:

image

 

The default template only offers a one-line sentence of info, however I changed it to add information the manager and the end user would need:

image

 

We can also edit each flow step or add more if necessary by deleting or adding fields (if the field is used downstream in the flow you’ll need to delete the field first downstream):

image

image

 

“Adding an Azure AD User” Flow in action

The great thing about Microsoft Flow is a flow may be run on a schedule, via an event or trigger, or manually from the web or the Mobile app. 

Additionally, Flow templates may be shared out to other users to access as well, so administrators don’t always need to be in the process.  Ultimately a Flow template configuration is up to you and what works best for your processes within your organization

 

Flow Web App

To manually start the newly created Flow template, when in the Flow template select “More” from the top and then select “Run now”

image

 

From there the template with a list of fields will open for a user to manually fill in:

image

 

Once all the fields are filled in properly, select “Run flow” and a new user will be created in Azure AD.  I show more details and results below using the mobile app.

 

Mobile App

I find the Microsoft Flow mobile app very easy to use, especially when on the go.  In fact, flows may be created and edited directly from the Microsoft Flow app.

Download the Microsoft Flow app from your favorite app store, in my case I have the iOS app installed on my device.  The first time Microsoft Flow app is launched you’ll need to sign into your Azure AD tenant (be sure that user has rights to create users, groups, access apps, etc.).

 

Select “Buttons” at the bottom of the app:

SNAGHTML4c3e814e

 

Locate the the button that will create the Azure AD User:

image

 

Fill out the form and submit:

image

 

Here are my inputs from my Flow template process, when finished select “Done” at the top of the app and the Flow will run:

imageimage

 

Once the Flow has completed, we can look at the run history and the details of each flow process (great for troubleshooting as well):

imageimage

 

Expanding the “Send an email” flow we see the following:

image

 

Below is the customized email received by a user or manager after the user is created (including a randomly generated password):

image

 

Lastly, below is the user that was created by the Flow process in the Azure AD admin portal:

image

 

Dynamic groups

Once users are created, dynamic group memberships may be used to automatically assign users to group, for example, any user may be dynamically assigned to Group A. Group A can also be assigned to licenses, SaaS applications or assigned to SharePoint Online/OneDrive, so as soon as a user is assigned to a group they’ll have access to the licenses and apps assigned to it.

Dynamic group membership eases the management process of adding and removing users to applications. Simply assign a group to the application permission and use dynamic group rules to automatically assign and remove users. You can even use attributes such as employeeId, mail, or companyName as attributes to look for, however there are many more attributes to choose from and depending where the users originates from, you may want to get creative.  Finally, for applications that support provisioning, users may be automatically provisioned and provisioned to SaaS applications which provides full user lifecycle management.

For more details about Azure AD Dynamic Groups please visit: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-groups-dynamic-membership-azure-portal

 

BONUS FLOWS 

Need to disable or enable sign-on for a user quickly in Azure AD (i.e. O365, Dynamics365, etc.) from your mobile device?  I created Flows to do that.

 

Current sign-in state of the user shown in Azure AD and O365 Portals (it’s the same setting btw) shown below:

imageSNAGHTML13b5bc02

 

I created a button in Microsoft Flow and filling out the following fields in red:

image

 

When the flow is run, type in the UPN (email address) of the users and flow will disable sign-on for that user.

image

image

 

New sign-in state of the user shown in Azure AD and O365 Portals (it’s the same setting btw) now blocked shown below:

imageimage

 

Enable sign-on for an Azure AD user

Follow the Flow creation process above to create a Flow to enable a user to sign-on, however change the “Account Enabled” setting to “Yes”.  Note: Flows may be copied, to copy a flow select Save As for the flow you’d like to copy in the Flow portal and modify from there.

As a result we’ll end up with two flow as shown below:

image

 

And the flow buttons on my mobile device:

SNAGHTML14328189

 

Delete Azure AD Users

Now a question you may have is “can we delete Azure AD Users using a button?”  You could, however there is nothing built in with Flow or connectors today.  A custom app would need to be developed with the proper permissions to the Microsoft Graph to delete an account then added to flow.  So this would be more of a custom development approach that what I demonstrated in this post.  As a result, using Microsoft Flow we can create a custom connector that will call into the app registered with Azure AD to make calls to delete users using a button flow in Microsoft Flow.  Same holds true for resetting user passwords.

With Microsoft Flow, the possibilities are endless with the predefined templates and built-in connectors to services, you don’t have to be a developer to automate processes and workflows!

Regulations and data management in a hybrid world

 

I speak with a lot of organizations and often they’re interested in locating, tagging, and controlling data for various reasons such as legal, regulatory, or protecting personal and proprietary information.

However, there’s one regulation that keeps popping up and it’s the new EU General Data Protection Regulation or GDPR.  GDPR will be enforced on May 25, 2018, which is just around the corner.  Unfortunately, GDPR is not a one-time process, it’s an ongoing regulation and failure to comply could result in heavy fines.  For most organizations, data may be stored across all types of systems and services including backups so locating and managing data across those environments may be difficult.

For this post, Microsoft provides guidance around GDPR and I’ve utilized some of the terms and guidance provided to simply the overview.

To learn more about how Microsoft is addressing GPDR please visit: https://www.microsoft.com/en-us/TrustCenter/Privacy/gdpr/default.aspx

The categories below align with the Microsoft GDPR guidance provided in documentation above, however I’ve attempted to simplify while targeting Office 365 and Enterprise Mobility + Security.  The last topic I’ll discuss is how to identity and classify information across SharePoint Server and file shares.

 

Let’s take a look at the four pillars of addressing data management requirements:

image

clip_image001[4]

 

Tying everything together, we have a process to identify, manage, protect, and report on data:

clip_image002[4]

 

Now that we have a definable process, let’s align the Microsoft services around all four categories, again the area of focus here is EMS and O365:

clip_image003[4]

image

 

 

Let’s take close look at some of the details across the Microsoft offerings:

Azure Active Directory

  • Lay the foundation for your organization by protecting access to sensitive information, which starts with modernizing your identities with Azure Active Directory. Whether a cloud or on premises application, Azure Active Directory will act as a controlled gateway to your data.

Azure Information Protection

  • Automated Classification, Labeling, and Protection + File scanner for file servers and SharePoint.

Office 365 Data Loss Prevention

  • Identify and retain data by applying retention policies to data across O365 services. Discover data through eDiscovery and actions on data via O365 audit logs.

Exchange Online

  • Prevent data from leaking by creating message rules to stop sensitive information from being sent through email. Ties into Data Loss Prevention as described above.

Microsoft Cloud App Security

  • Discover, monitor access, and apply governance to sensitive data across cloud services.

Microsoft Intune Application Protection

  • Protect information from leaking to non-protected applications and accounts across devices such as iOS, Android, and Windows.

Microsoft Power BI

  • Create insightful and visual reports by importing audit data into Power BI.

 

SharePoint Server and File Shares

I understand the previously mentioned services are great for managing data across cloud services, however what about on premises environments?

Azure Information Protection includes a scanning tool called the Azure Information Protection scanner or AIP scanner.  The AIP scanner is used to comb through file shares and SharePoint and identity and/or classify + protect data.

Once the AIP scanner is installed, use it to report on information you’re looking for and when discovery is complete, run the AIP scanner and apply classification and protection across those files.

Below is the output of an AIP scanner scan I ran against a few sample files.  The AIP scanner will look for specific information based on the AIP policies that are configured (e.g. credit card info).

image

For more information about the Azure Information Protection scanner please visit: https://docs.microsoft.com/en-us/information-protection/deploy-use/deploy-aip-scanner

 

All the services described above dovetail nicely with GDPR and other regulations requiring control of data.  If you don’t believe your organization is affected by a regulation such as GDPR I highly encourage further research as you may find out that your organization actually is.  Unfortunately, there are steep penalties with non-compliance so doing some research before May will save organizations time and money.

 

Again, to learn more about how Microsoft is addressing GPDR as well as managing data across other services such as Microsoft Azure, Dynamics 365, SQL Server, etc. please visit: https://www.microsoft.com/en-us/TrustCenter/Privacy/gdpr/default.aspx