SC-400 Microsoft Information Protection Administrator – Implementing and Monitoring Microsoft Endpoint Data Loss Prevention

  1. Setting up proper licensing for Microsoft Endpoint Data Loss Prevention

Before you start implementing policies such as data loss prevention with sensitivity labels and enforcement, there are a couple of prerequisites you need to understand about dealing with this on the endpoint side. If I want this deployed down to control the clients in my on-premises environment, there are a few things I want you to understand. First off, you have to have the correct licensing for this. If you look at Microsoft's website, you'll notice it tells you that the licenses that are needed are these right here. Now unfortunately, if you set up a trial tenant, you probably did the Office 365 E5 trial because that was what was available to you. Unfortunately, that's not a Microsoft 365 E5 license; it's an Office 365 E5 license. However, what you can do is add this license right here, and it will give you what you need, and you should be able to do a free trial of it if you want.

So let me show you a little bit of that right now. I'm going to jump back over to portal.microsoft.com, click Show all, drop down to Billing, and look at Your products. This shows the licenses you currently have. The only two that really matter right now for me are EMS and Office 365 E5, but I don't have Microsoft 365. So I'm going to go to Purchase services, click Microsoft 365, scroll down to See all products, and go with this one right here, $7 a month if you purchase it. If we click Details, you'll also notice that we can do a free trial. In my case I'm just going to click Start free trial and then Try now for one month.

So I'm going to go ahead and activate that license. Now let me warn you that you need to give this about an hour to propagate into your tenant properly, so I would give it some time before you jump in and try to create data loss prevention policies for your on-premises clients. I'm going to pause the video and we'll come back. After giving this some time, I'm now ready to actually start issuing licenses. So here I am on portal.microsoft.com. I'm going to go to Users, Active users, and I'm going to issue the license to myself, John Christopher.

From there I go to Licenses and apps, and I'm going to give this license right here, which is the one we care about right now. Don't worry about all these other licenses. The only ones we're even working with here are Office 365 E5, Microsoft 365 E5 Information Protection and Governance, which is the one we care about in this video, and EMS E5. Don't worry about the other ones. So we're just going to click Save changes.

And we've now licensed that out. Another thing: you may need to give this a few minutes before it takes effect on your account. Sometimes signing out and signing back in can speed things up a little. So now we're ready to go into the Compliance Center and verify that we have what we need to create DLP policies for our endpoints. We look over to the left, click the Show all symbol, and click Compliance, which brings us into the Compliance Center at compliance.microsoft.com. From there we scroll down to Data loss prevention, click Policies, and click to create a policy, just to verify that we have what we need. I'm going to pick a template here, and let me show you what we want to verify. What we want to see is this right here: Devices. If you don't see Devices show up, then a couple of things. Number one, you don't have the right license; you have to make sure you have one of those licenses. Number two, you've activated the license and you haven't waited long enough for it to get activated.

And that can take an hour or maybe a little longer. Number three, you've assigned the license to the user and you need to give that some time, too. So if you've assigned it to yourself, you need to give it a little time also. It might be one of those things where you do all this, walk away from it for a little while, and then come back to it. But ultimately, how you know you've got what you need to start working with this is that you'll see Devices right here. If it does not show up, you don't have what you need yet and you need to give it some time. Other than that, that's it. Now you've officially got what you need to start working with DLP policies for your endpoints.

  2. Configuring Policies for Endpoints

I'm now ready to look into configuring a data loss prevention policy for endpoints. I want to preface this video with this: you definitely should have already watched the previous content on data loss prevention policies, where I explain what the different settings are, because really all we're doing here is selecting one thing that points the policy down to our endpoints.

There's not a whole lot more you're going to do here other than flag that you want this to go down to your Windows devices. So you should have watched the previous videos on data loss prevention before attempting this, and also made sure you've got the license. So here I am on portal.microsoft.com. I click Show all and click the Compliance blade, which brings me into the Compliance Center. From there we go to Data loss prevention, click Policies, and we're ready to create a policy. We click Create and select a template. Let's do something like PCI DSS.

This would be for credit cards: we want to look for credit card numbers being shared in a document on-premises. So we click Next and give it a name; I'm just going to use the default. Now, locations: this is the key right here, the big thing. If I only want this to apply to my devices, then Devices is the one I want to go with, so I'm going to turn off all the other locations and just stick with Devices. I can also choose users or groups; right now I'm just going to select All. Then we click Next. From there I could review and customize the settings that are already there; if I want, I can click Next again. It's got the info I want to protect; I can edit that if I want, along with the confidence level. Again, I've talked about what these settings are in previous videos, so you should already be familiar with them. Click Next. I've discussed these settings as well.

So you should already have an idea of sending incident reports and alerts; it's all the same as in previous lessons. From there we've got the access and override settings. It tells you that by default users are blocked from sending email and Teams chats and channel messages. This is stuff we've seen: restrict access or encrypt the contents in Microsoft 365 locations; if I want to encrypt, I can. I can also enable auditing for all of these device activities right here, and it's going to record them if I want it to. And if I want to block certain activities, I can. So if I want to block Upload to cloud services, I could block that, or Copy to clipboard maybe. I don't want to allow printing.

So we're going to say Block on that. Copy to a network share, copy or move: I'm going to have it audit all those things. I'm just going to have it block printing, just for the fun of it. Then we click Next, and at that point I can say Test it out; you'll be able to review alerts, so test it before you start using it. I'm going to say Turn it on right away. We click Next and then Submit. And it's that easy.

So ultimately creating your data loss prevention policy for endpoints is essentially the same as the previous policies you've seen. You just have to make sure you've met the prerequisites: you've got the proper license, you've got it applied, and you have that Devices feature set. And then the computer of course needs to be joined to your environment as well, so that at that point you'll have control over that machine. There's definitely a video on that as well: connecting the computers to your Microsoft 365 / Azure AD environment and then having control over them.
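The same devices-only credit card policy built with Security & Compliance PowerShell instead of the wizard, as an added example that is not part of the course. It assumes the ExchangeOnlineManagement module is installed, the signed-in account holds a compliance admin role, and the UPN and policy names are placeholders.

```powershell
# Added example (not from the course): devices-only PCI DSS style policy via PowerShell.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'admin@contoso.onmicrosoft.com'   # placeholder UPN

$policyName = 'Endpoint PCI DSS (devices only)'   # placeholder name

# -EndpointDlpLocation is the "Devices" toggle from the wizard. Leaving every other
# location parameter unset is the same as switching those locations off.
# Mode 'TestWithNotifications' is "Test it out"; use 'Enable' for "Turn it on right away".
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Credit card numbers on Windows endpoints' `
    -EndpointDlpLocation 'All' `
    -Mode 'TestWithNotifications'

# Endpoint restrictions chosen in the wizard: audit most activities, block printing.
# Value 'Warn' would be "block, but users can override".
$restrictions = @(
    @{ Setting = 'Print';          Value = 'Block' }
    @{ Setting = 'CopyPaste';      Value = 'Audit' }
    @{ Setting = 'CloudEgress';    Value = 'Audit' }
    @{ Setting = 'NetworkShare';   Value = 'Audit' }
    @{ Setting = 'RemovableMedia'; Value = 'Audit' }
)

# Rule: match the built-in Credit Card Number sensitive information type.
New-DlpComplianceRule -Name "$policyName - credit card rule" `
    -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '1' } `
    -EndpointDlpRestrictions $restrictions `
    -ReportSeverityLevel 'High'

# Verify: the policy should show the Devices scope and the expected mode,
# and the rule should carry the restriction list above.
Get-DlpCompliancePolicy -Identity $policyName | Format-List Name, Mode, EndpointDlpLocation
Get-DlpComplianceRule -Policy $policyName | Format-List Name, EndpointDlpRestrictions
```

Switch the policy to `-Mode Enable` only after you have reviewed the alerts that the test mode produces.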

  3. Configuring Endpoint Data Loss Prevention Settings

I now want to take a look at some of the Endpoint data loss prevention settings that are available to us in the Compliance Center. We're starting out on portal.microsoft.com; we click the Show all symbol and go to the Compliance Center by clicking the Compliance blade. Once we get into the Compliance Center, we click the Data loss prevention blade and you'll see this right here: Endpoint DLP settings. We click on that. These are nice little settings that apply once your client devices are joined to your Azure AD / Microsoft 365 environment.

These settings can be deployed down to those devices. Now, a forewarning for those of you with on-premises domain experience: if you deploy these settings down and you have group policies inside your domain that conflict with any of these things, the group policies will override these settings. So if you're wondering who gets priority between domain group policies and the settings you see here, group policies will. My advice is to verify whether you've got any on-premises policies that might conflict with this. But all in all, these are pretty straightforward, neat little settings that propagate down to your machines. You have file path exclusions.

So if you want to exclude certain file paths from being monitored, you can do that: you say Add a file path, put the file path in here, click the little plus sign, and that propagates down to your machines that are joined to Azure AD / Microsoft 365. The next thing we have is unallowed apps. So you can have certain apps that are not allowed based on the data loss prevention policies you've put in place. As it says here, you can prevent specific apps from accessing files protected by a DLP policy. That's helpful if you want people using Office and they've got some kind of Office alternative you want to prevent. You click Add; you'll see I've already got a couple of things here, but if I want to add an app, I give the app name, specify the executable, and click Add. The next thing is unallowed Bluetooth apps. This is the same thing but geared towards Bluetooth-based apps, so I can specify information there. They tell you that when a policy's "copy or move using unallowed Bluetooth app" setting is selected and users attempt to use Bluetooth apps to copy or move protected files from Windows devices to another location, the activity will be allowed, blocked, or blocked but users can override the restriction. So you can set that here if you want, and you can add or edit the unallowed Bluetooth apps on that little screen.

The next thing we've got is browser and domain restrictions. Right here I can click and specify the different browsers I've got available; as you can see, these are unallowed browsers. Microsoft is being very particular about which ones are here; you'll notice the ones that aren't here as well, like Microsoft's own browser.

So you can do that if you want. You can also do what's called service domains. As it says here, this controls whether sensitive files protected by your policies can be uploaded to specific service cloud domains from Edge or Google Chrome; they do warn you that you have to have the Microsoft Compliance extension installed on Chrome if you're going to do that. You can choose Block to prevent certain domains from accessing these files, or Allow to specify safe domains.

So for example, I could prevent uploads to Amazon cloud services by entering the Amazon cloud service domain names. The next thing we've got is additional settings for Endpoint DLP. This is where you get into the business justification. In dealing with data loss prevention policies, we have the ability, if something is detected, say a credit card number, to flat out block the user, or the user can get a message that says, hey, you can override the block policy, but you have to give a justification. Right now you've just got the defaults enabled. You can have it show default options and a custom text box, so a custom text box pops up. If you don't want the custom text box, you can say Only show default options.

You can also customize all the options. If I click there, I can customize the options in the drop-down menu, so when users get this little pop-up they get the drop-down, and you can customize each one of the messages that shows up. The default messages are: This is part of an established business workflow; My manager has approved the action; Urgent access required, I'll notify my manager separately; The information in these files is not sensitive; and Other. So you can customize all those messages if you want. That's what the business justification drop-down is.

And then lastly, I've got Always audit file activity for devices. By default, devices that are connected to Azure AD / Microsoft 365, which are called onboarded devices, are automatically monitored for Office files, PDF files, CSV files, all of that, and these policies are in place. Now you can disable this and set up specific policies just for specific devices. Of course, we don't really get thoroughly into Microsoft Intune in here, but Microsoft Intune is Microsoft's MDM product, as is Endpoint Configuration Manager, formerly known as SCCM.

Yes, if you didn't know, SCCM's name changed to Endpoint Configuration Manager in 2019. But anyway, you can disable this and set up policies that are specific to a group of computers if you want. From there, you can configure the DLP settings through that, which we don't get into in this class. We have everything turned on for auditing in our entire tenant right now, but as you can see here, I can turn that off if I want and create specific policies. So those are your Endpoint data loss prevention settings. I'm really looking forward to Microsoft adding a bunch more to this. These are just a few things they've added here, but over time you're going to see more and more added, and you'll have even more control on the endpoint side of things.

  4. Recommending Configurations that enable devices for Endpoint DLP

If you're going to connect devices into Microsoft 365 and Azure AD, it's important to understand that there are different ways to do that. In order for data loss prevention policies, sensitivity labels and so on to be available for your on-premises devices, they've got to be connected, and there are various ways we can do this.

I've mentioned earlier, and I'd like to add, that this course covers the basics of this, but they do kind of require you to have some prerequisite knowledge. Maybe you've taken some of the earlier certifications on connecting Windows devices; there are lots of courses out there that get into that sort of thing. But I'm going to give you what you need to know here, and of course, if you're taking the exam, I'll let you know what you need to know there too. Just so you know, they do expect you to have some knowledge of on-premises environments, and hopefully you watched the foundation videos at the beginning. The thing I want to show you is that if you go to Google, there's a helpful document you can pull up: just search for "get started with Endpoint data loss prevention".

So Microsoft has this document right here you can go to. If we go into this document and scroll down a little bit, it talks about onboarding. Your devices can be onboarded into Azure AD so that they tie to Microsoft 365, and from there those devices can be managed. But what are the different ways we can do that? That's what I want to show you here. You can onboard in a few different ways. One way is group policies, GPOs; again, this is where you're expected to understand a little bit of the on-premises world of group policies. You could deploy those policies out and force a computer to get joined to your Azure AD environment. You can also do this using Endpoint Configuration Manager, again formerly known as SCCM, System Center Configuration Manager; the name changed in 2019. You can use Intune, Microsoft's MDM (mobile device management) product, which a lot of people now call Endpoint Manager Intune because the two things, Configuration Manager and mobile device management (Intune), are tied together.

You could write a script; there are PowerShell scripts and things out there that can do it. They also tell you that you can onboard non-persistent VDI machines, which gets into virtual desktop infrastructure where you're using thin clients and so on. And of course you can also manually onboard a device. So I want to show you a little bit of that right now. I'm going to jump over to a Windows 10 machine and we'll look at manually onboarding the device into the cloud. I'm sitting right here in front of a Windows machine. If you have a Windows machine you can try this out with, you can onboard it yourself and test it out.

On this Windows machine, I'm going to go to Start, then Settings. Once we get into Settings, we go to Accounts and then Access work or school. From there you click Connect and put in your login credentials for your environment, so mine would be JC. Click Next, put your password in, and it's going to connect you. Now you're going to see I got an error. Why did I get an error? Because I've actually already connected mine. So you'll just go through that process, it will join, and then I'd say give it about five minutes before you go and verify that it's connected.

So let me show you how we can verify that it's connected. Here I am on portal.azure.com. I click the little menu button and go to Azure Active Directory, and from there I click Devices, the Devices blade. If the device is connected, you should see it right here. This is my little device; I called it NYC Co one. So that device is officially registered and we now know that it's connected. The next thing you can do, if you've got Office 365 installed and tied to your licensed user account, is pull that up and see whether policies, sensitivity labels and all of that are available.

So let me show you that over here on the Windows machine. I'm going to search for Word; I've got Word installed, and I'm going to open it up. If this is the first time you've opened an Office product after connecting the machine, you may have to authenticate; if not, you can always click Account and verify up here that you've authenticated.

So there it is, JC, and you'll notice I've got the license for this. From there, I'm going to create a new document, and I can type stuff in here. I can also go over here, if I've created sensitivity labels and all that fun stuff, and verify that it's all available. So I have Confidential, Business Secure and so on. That's just verifying that things are connected: I even have the sensitivity labels such as Confidential that I set up previously. So as you can see, it did propagate down from my cloud service and it's properly connected.
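A client-side check of the device prerequisites just described (joined to Azure AD, onboarded, sensor running), as an added example that is not part of the course. It assumes an elevated PowerShell on the Windows 10 client; the registry path and the "Sense" service name are those used by Defender for Endpoint device onboarding, which Endpoint DLP shares.

```powershell
# Added example (not from the course): report whether this Windows client is ready for Endpoint DLP.
function Get-EndpointDlpReadiness {
    $result = [ordered]@{}

    # 1. Join state, parsed from "dsregcmd /status" output (lines look like "AzureAdJoined : YES").
    $dsreg = dsregcmd /status
    foreach ($key in 'AzureAdJoined', 'DomainJoined', 'WorkplaceJoined', 'TenantName') {
        $line = $dsreg | Where-Object { $_ -match "^\s*$key\s*:\s*(.+)$" } | Select-Object -First 1
        $result[$key] = if ($line) { ($line -replace "^\s*$key\s*:\s*", '').Trim() } else { 'unknown' }
    }

    # 2. Onboarding state recorded by the endpoint sensor (1 = onboarded). Assumed path, see lead-in.
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $state = (Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue).OnboardingState
    $result['SensorOnboarded'] = ($state -eq 1)

    # 3. The sensor service must be running for device policies to be enforced.
    $svc = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue
    $result['SenseService'] = if ($svc) { $svc.Status.ToString() } else { 'not installed' }

    # 4. OS build, handy when a support article lists a minimum build.
    $result['OSBuild'] = [System.Environment]::OSVersion.Version.ToString()

    # Ready = joined (Azure AD or hybrid/workplace) AND onboarded AND sensor running.
    $joined = ($result['AzureAdJoined'] -eq 'YES') -or ($result['WorkplaceJoined'] -eq 'YES')
    $result['Ready'] = $joined -and $result['SensorOnboarded'] -and ($result['SenseService'] -eq 'Running')
    [pscustomobject]$result
}

Get-EndpointDlpReadiness | Format-List
```

If Ready is false, the first three fields tell you which step (join, onboarding, sensor) to go back to before waiting on policy propagation.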

  5. Monitoring Endpoint Activities and Reports for Policy Violations

If you want to monitor the endpoint activities that are happening with things like data loss prevention and sensitivity labels, Microsoft provides a couple of ways you can do that inside the Compliance Center. So let's take a look at that. We're here on portal.microsoft.com; we click the Show all symbol and go to the Compliance Center by clicking the Compliance blade. Once we get into the Compliance Center, one thing we can do is click Reports, and if we scroll down, we can see different reports involving things like sensitivity labels and data loss prevention policy matches, incidents, false positives and overrides. And of course you can click on these too.

You can click on these reports and see more information, and you can export the information out. Now, if you've got a new trial tenant, you probably don't have a lot of activity generated. You also need to understand that when you utilize this, it can take 24 hours, if you have a new tenant and you've configured this recently, for it to actually start showing up. But this is where everything is going to show up; you have these nice little reports. So I definitely encourage you, if you've got a production environment, to come in here and look at it. And once you've played around with this stuff and started utilizing DLP policies, you can come in here and take a look at some of the things that get generated.

The other thing you can do is come down here to Data loss prevention and click Activity explorer. In Activity explorer, you can see the various activities that have occurred, and you get a nice little report. It will show you whether users have applied sensitivity labels and whether data loss prevention policies have blocked anything, and this includes your endpoints as well, your on-premises devices. So this is a great way to jump in and see the different activities that have occurred involving data loss prevention for your endpoint devices.
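The same endpoint DLP events that feed Activity explorer can be pulled from the unified audit log and summarised per user and activity, which helps while the portal reports are still catching up. This is an added example, not part of the course; it assumes the ExchangeOnlineManagement module, an account permitted to search the audit log, and the UPN and output path are placeholders. The DeviceName and PolicyDetails fields of the endpoint records are assumed from the audit schema; the other fields are common to all audit records.

```powershell
# Added example (not from the course): summarise endpoint DLP events from the unified audit log.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'admin@contoso.onmicrosoft.com'   # placeholder UPN

$end   = Get-Date
$start = $end.AddDays(-7)

# DLPEndpoint is the record type for device activity (file copied, printed, uploaded...).
$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -RecordType DLPEndpoint -ResultSize 5000

# Each record carries its details as JSON in AuditData; flatten the fields we care about.
$events = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $r.CreationDate
        User      = $d.UserId
        Operation = $d.Operation            # e.g. FilePrinted, FileCopiedToRemovableMedia
        Device    = $d.DeviceName           # assumed field name
        File      = $d.ObjectId
        # Matched policies/rules are absent on plain audit-only events, so join defensively.
        Policy    = (@($d.PolicyDetails) | ForEach-Object { $_.PolicyName }) -join ';'
        Actions   = (@($d.PolicyDetails.Rules.Actions) -join ';')
    }
}

# Who is triggering which endpoint activity, highest volume first.
$events | Group-Object User, Operation |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Events with an enforcing action (Block, Warn) deserve a closer look than audit-only ones.
$events | Where-Object { $_.Actions -match 'Block|Warn' } | Format-Table Time, User, Operation, File -AutoSize

# Keep the flattened events for a ticket or further triage.
$events | Export-Csv -Path 'C:\Temp\endpoint-dlp-events.csv' -NoTypeInformation   # placeholder path
```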