Good evening to those of you that are joining us today. My name is Kevin Mulhall. I'm the Senior Technical Customer Success Manager here at TechSoup. This month's virtual office hour, I'm very excited. We're going to be discussing data loss prevention and compliance in Microsoft 365, safeguarding your tenant account. We're definitely in for a special treat today. We are bringing in the big guns, if you will. Mike Miller is joining us from CloudlySec. Mike's background, and we'll get to it in a second, is specifically around DLP and compliance. We're going to get a live demo too. You get to see this happen in real time. This session is being recorded. If you are not comfortable being a part of the session while it's being recorded, you're certainly welcome to leave. We will be following up next week with an email that will contain information that provides a link to the recording, as well as the decks that are going to be presented here. A couple of housekeeping items: to use the chat function, please use the chat function to place any questions and or comments that you may have during the presentation into there. Microphones have been enabled, but we ask that you have them off during the presentation for the sake of the recording and for our panelists. For closed captions, please click on the ellipsis. If you are using the browser-based version, the tile will appear when you take your cursor over towards the center, bottom center of the screen. Click on the three dots, turn on live captioning. In the desktop application, it's in the more area in the upper right near react and camera. Our guest panelist today is Mike Miller. I actually am going to go ahead and we're going to hand this off to him to let him give his background. I feel like I don't want to do him any injustice. I'll go ahead, Mike.

Thanks, Kevin, and I appreciate that. Welcome everyone. Happy to be here. As Kevin mentioned, I'm Mike Miller.
I've been doing IT-related things since 2014 and started with a little over four years in the Marine Corps where I was a database administrator. After getting out in 2018, I jumped straight into consulting with a local consulting company here in Indianapolis, which is where I am still based out of. I was lucky to be exposed to Microsoft environments right off the bat. It really piqued my interest in terms of some of the capabilities that I was seeing there, as well as, for whatever reason, my ability to pick it up quickly and to help our clients. After a short stint at a consulting company, I did move on to an internal position with the Indiana Pacers in Indianapolis, where I was their Microsoft service engineer for a little over two and a half years. It was a full Microsoft 365 E5 engagement, if you will. They had just upgraded to the E5 license and they needed someone to come in and make use of all the technology that was available to them at that point in time. For the better part of two and a half years, I was implementing these tools as an internal employee, getting used to them, working out all of the issues, and getting experience working with the key stakeholders across the business units and stuff like that. After that, I've been doing consulting since then, started going back into consulting back in 2021. I've worked with SMBs, I've worked with enterprise clients, I've worked with manufacturing and legal companies, I've worked with finances, banks. I'm currently the Microsoft Purview Administrator for Navy Federal Credit Union, actually. I'm also, to Kevin's point, starting my own consulting company called Cloudy Security. Just looking to help the SMB market improve their overall security and compliance with Microsoft and the tools that are likely available to you, but you just have to have a dedicated person to do the implementing. To Kevin's point, my contact information is here, you'll have this presentation after the fact.
You'll also be able to see my bookings link in the meeting chat. If you want to get on there and take a look at my calendar, which is always up to date, and you want to schedule some time, those are always free. I'm more than happy to do it just to continue this conversation, or for you to have more specific conversations or whatever it is you want to talk about, feel free to use that bookings link and throw some time on there. I'm looking forward to having a conversation with any one of you. With that, I'll go ahead and get into the part that you guys really care about, which is the presentation. I will say I am going to do my best to avoid the old-fashioned death by PowerPoint. There's a lot of words and a lot of slides in this presentation, but I want to make sure that I go through quickly and get to the live demo, which is usually what people want to see, but at any point, if there are any questions, please put them in the chat. Kevin, I trust that you'll let me know if I happen to miss those, and if I'm looking over here, it's because I'm trying to catch the chat. With that, we're going to go ahead and start taking a look at trying to understand what the Microsoft Purview Information Protection suite is. It is a suite of tools, but the biggest thing that I want to focus on is right here in the middle, it's circled, is sensitive information types and sensitivity labels. These two things, sensitive information types, are the true data identifier that Microsoft leverages. There's over 300, I think it's like 306, out-of-the-box sensitive information types configured from Microsoft, and these are looking for the PCI, the PII, but they're also looking for passwords and credentials and security keys from Azure Key Vault, or different types of credentials, different types of medical information.
Those sensitive information types are looking for all of that data, and it's so many countries, I can't even list all of the countries that are already pre-built, but you can also build your own. If you want to use RegEx or keyword lists, dictionaries, document fingerprints: we've all gone to the dentist office and they say, hey, fill out this paperwork for me. It's the same paperwork for everyone, but you enter your specific information. Well, we could take that blank form that has all the same fields and upload that into Microsoft Purview and say, this is a sensitive file. This is a fingerprint of a file we want to protect anytime it is identified in the environment. No matter what you put on it, the form will be the same in terms of what fields need to be filled out, and we can identify and protect that file once it's uploaded to the Cloud or on-premise. As you can see, these sensitive info types and sensitivity labels then extend out into the different tools available within Purview. Microsoft Defender for Cloud Apps can protect your SaaS applications, your SaaS platforms like Salesforce, ServiceNow, Dropbox. You have on-premise capabilities if you're still running on-premise SharePoint or on-premise file shares. Of course, you have your Office 365 capabilities as well as your Endpoint DLP. With that, there are some advanced compliance solutions like eDiscovery, Insider Risk Management, Communication Compliance, which is something like, inside of Teams, you don't want people sending vulgar, abusive words or anything like that, you can prevent that communication through Teams. But to focus on today's talk, we're going to be looking at sensitivity labels and data loss prevention.
The reason we're having that conversation specifically is the overall data protection and governance approach that Microsoft tries to take, that they recommend companies try to take is four phases starting with knowing your data, and the point there is you can't possibly know what to protect if you don't know what data you have, you can't possibly know what policies to put in play, if you don't know how your organization needs to be able to move these files, this information. You have to know your data before you start any of this. There are many different ways to do that. There's the old-fashioned talking with the key stakeholders, there's tools within Microsoft like Content Explorer that can tell you exactly how many files or what files contain a social security number or what types of data you have out there in the environment. But then you have Protect and Prevent Data Loss. You have Protecting Your Data, which is, it's your sensitivity labels. Sensitivity labels, and I'll get into what those are, can help classify and encrypt your files and your emails when they contain sensitive information or if a user decides to put one on themselves. And then you prevent the loss of that data through data loss prevention. And then you wrap it up with governing your data and getting rid of what you no longer need, using the retention and deletion processes built into Microsoft to get rid of the seven-year-old HR data that is no longer needed, for example, or if you wanna have a three-year delete as per your company regulations, you can have that as well for some things. So that's kind of the four-phase approach that Microsoft takes, but right there in the middle is that protecting and preventing the loss of your data. So that's what we're gonna take a look at today. 
All right, so taking a look at sensitivity labels and kind of what they are, again, not trying to do, not gonna read this word for word, but the important part is the sensitivity label is a tag that you apply to your files and that you apply to your emails, whether that's manual or systematically through content detection. And then that tag stays with that file through its entire life cycle, whether it leaves a company, whether it's shared, stored internally, put on a USB drive. That tag goes until you remove it. So that is critical in terms of being able to follow that file. If you think of an event of a compromise and you wanna know if your data was exported, you're gonna be able to follow all of your files that have labels on them through a tool called Activity Explorer, for example, and you'd be able to take actions on getting that data back, revoking access, things of that nature. It's critical to getting these tags on there and getting your data classification on your files, which is what you can use for sensitivity labels, such as public or general data, confidential, highly confidential, whatever the names that make sense for your organization. You can make those your label names and then deploy them through there. On top of that, you can also apply them to containers. So Microsoft 365 groups or SharePoint sites, team sites, and those are more for controlling the sharing from those sites, the conditional access settings, and we'll get into those here in a minute. Like I said, you do have your three ways of applying. You have your manual in terms of how you apply labels to files and emails. You have your manual method, which is just selecting it inside of the application. You have your recommended, which is content detection-based. This is something you configure within the label itself. You say, if it has one to 10 social security numbers, recommend the confidential label gets applied to the document.
The user has the option to approve or deny that recommendation. And if you're tired of them denying your recommendations, you can turn on automatic labeling. If there's one to 10 social security numbers, apply the confidential label. Don't recommend it, just put it on there. Now of course the user could remove that label or downgrade it, but that's logged and we're gonna see why they decided to do that. I do wanna call out licensing requirements. Manual and then automatic and recommended do have different licensing requirements. Manual is really that E3 Business Premium feature set, whereas automatic and recommended, you're gonna need to get into kind of the E5 compliance add-ons or the Microsoft 365 E5 license itself. So that is the more expensive option, but there's a lot of great capabilities there with recommended and automatic. All right, so there are different areas where labels can be applied and there are different things that labels can do. One of the most common things that people consider is the encryption, but again, there's access control and file marking built into that as well. You can determine what users and groups have which level of access. So you can get very, very granular with the controls on this data. If it is an HR file that only HR needs access to and you wanna build a label specifically for that, you can do that. You can say, here's my HR sensitivity label. With that sensitivity label, you can put in the HR distribution group and then only HR is gonna get access. And you can even say, HR is gonna get read only and then this one specific person in HR gets added access. It can get extremely granular. That's a little harder to manage, but you can get very granular with the permissions. You can let users specify the permissions themselves and I'll show you that here a little bit. That's known as user defined, but like I said, you can pick from a different list of different permissions.
There's pre-built ones like co-owner, reviewer, viewer, but then there's custom and you can make any combination of those pre-built ones yourself. And then you can also force access to expire, block offline access and you can do file markings with headers, footers or watermarks. The watermarks is a files-only feature. One thing I wanted to go over as well is the Microsoft Teams meetings. So this is a new feature, but it's also a Teams Premium feature. So it is a license upgrade for Microsoft Teams if you wanna have this capability, but you can now apply classifications and restrictions to your Teams meetings. Some of the more commonly asked ones are in terms of like controlling who can record the meeting, enable auto recording or if you wanna use something like end-to-end encryption for the video and the audio of that meeting. You can also apply watermarking to the file or to the video content as well or you can just turn off like meeting chats, right? Those are some of the options you get with this, but again, you're gonna have this, so I'm not gonna sit here and read you every single one of these words here, nobody's here for that next day. The other option with sensitivity labels, again, I talked about the containers, right? The M365 groups or SharePoint sites. So the groups gives you the capability of saying, with this sensitivity label applied to an M365 group, it's a public group or it's a private meeting, only team members and members can access it and only owners can add people. But if it's public, anyone can access the group and anyone can add members to the group, but you can disable the ability for owners to add external members. So yeah, sure, anyone can access it, but no one is adding external people to the group, which is important. And maybe there's a use case where you need external people in the group, but if you're labeling it, then you probably don't want external people there.
From a site perspective, that's where you get in terms of controlling external sharing. So if anyone has used SharePoint before, you know that you can share a file out of there and you get a list of options, right? It can be anyone, it can be new and existing guests, specific people, only internal people that already have access to the file. Well, you can set that for the entire site itself by applying a sensitivity label and then you set the setting of what the sharing permission is, whenever you configure the label itself. So if you apply that label to the SharePoint site, it's gonna overrule anything that the admin of that SharePoint site had set. The label will overrule that. You can also configure conditional access controls on the site. So if you wanted to disable the ability on a sensitive site, say finance who controls all of the company's credit card numbers and any client payment processes, their site, you wanna block unmanaged devices from accessing the files unless they go through the browser. You can do that with the conditional access controls available to you through a sensitivity label or you can require something called authentication context where you can say, hey, look, if you're accessing this site, I need you to agree to an acceptable terms of use policy and I need you to re-MFA to prove you are who you say you are and we don't have a malicious user among us. The next two slides are gonna kind of cover your sensitivity label options from like a diagram perspective, not gonna spend a lot of time on these. I want you all to have these after the fact. So you all can refer to these, use them however you want. Again, you're gonna have full access to this presentation. So please use this if you so want to, if you wanna review this content, these diagrams are for you all to reference after the fact, not gonna go through each one of these bubbles here.
So before we get into the rest of the diagrams, though, I do wanna cover the client side versus service side label. This is important to understand. So we've talked about selecting labels within your office applications. That's considered client side labeling. That is in the moment from the end user's perspective, applying the label. And again, that's where you get the three ways. You get the manual, the recommended or the automatic applications. Those are deployed through what are called label policies within the Purview portal. And those policies are nice because you can say things like which users get which sensitivity label. So again, go back to that HR example where you're getting very granular. If you want a label just deployed to HR that only HR gets access to if it's applied, you can do that by setting in the policy setting saying this is only for the HR business unit. Nobody else is gonna see this label. So that's a good way of keeping different labels for different scenarios separate. Of course, there's typically an overarching default policy where you want everyone to have your four standard tiers of classification or however many standard tiers you have. You have your default policy but you can get granular from there and give people specific labels after the fact. You can require something like a justification for removing or downgrading the classification of a label. And I'll show you that here in just a few minutes. And then you can require a label on all files and emails. The caveat with that is it can be a little disruptive. If you don't set a default label, for example, but you do require a label at the beginning of your label journey, you're gonna realize your users are not used to setting a label on a file. It's not a standard process that they have done for the last 20 years. Their entire professional career they haven't been selecting sensitivity labels. So they're not gonna be used to doing it on a routine basis, right?
So if you set, require a label and I go to hit send on an email and I didn't select that, it's gonna stop me in my tracks and make me pick a specific label of my choosing to then send the email. It can be disruptive. Same thing with saving a file, right? Especially if you have autosave on, until they apply that label they're not gonna be able to save the document. You can do something like a custom help page. This is really, I've done a couple of these for organizations where we build in a site that just contains quick reference cards, quick fixes, maybe an overview of what each label is for, why you would use it, the different scenarios and the impact of applying that label, if a user needs to refresh their memory outside of the initial training that they probably received. But like I said, you can also do a default label. Emails do have the ability to automatically inherit the label from an attached file. If that file has, say, a higher sensitivity label applied to it, it can then apply that same label to the email itself. So that's client side. And then you have service side labeling which is all about data at rest, right? So you have your two million files that are stored between your SharePoint and your OneDrive locations because you've been around for 30 years or however long. Well now you wanna start encrypting that data at rest because nobody's accessing every single one of those files, right? So this will actually go out and scan your files for specific content, right? We talked about those sensitive information types. This could be looking for credit card numbers or social security numbers or a combination of multiple different data types and applying a label of your choosing based on things like the number of instances found within a file or the combination of instances, right?
Any or all or some of the factors that you can put into play say, I'm looking for credit cards and social security numbers or I'm looking for credit cards or social security numbers within the statement and then it'll apply the label when it's matched. You can run these in simulation mode which is a great feature. It can help you identify what the impact would be on the company from there. That way you can have time to not only properly identify false classifications, right? To retrain the system and say, that's not actually a credit card number, it's a serial number. Or you can retrain it that way but you can also take that information to train your end users, right? And help them maybe get a better understanding of why they have that sensitive data or help you understand why they have it and then how they leverage it. Now you can control what settings get put on the file from there. And then you can scan for pre-built templates, something like the US Patriot Act, for example, is built in and it contains all of the sensitive data types that are covered by the US Patriot Act. Or you can use custom templates such as PCI and I have a really bad typo there, sorry about that. I'll fix that. But you can use something like PCI or PII data and select those yourself. And I've been talking for a long time. So if there's Q&As, please ask your questions throughout the presentation and I'll make sure we get them answered. There's a lot to cover, so I don't want anybody to forget by the end of the call, so. All right, so here's some more of the diagram. So this shows you the three options and kind of the decision tree that each one's gonna go through. This one has a lot to it. So at a high level, right? You have the manual labeling on the left. Yes, thank you, Kevin. I'm sorry, I speak in acronyms a lot. I am trying to get better about that. PII is personally identifiable information. So sorry if I lost anyone on that. 
You have the manual labeling on the left where it's gonna ask, the system is gonna ask itself, the first thing is, is a label required? And one thing you'll see on here is there's a couple of bubbles here for E3 and E5. So label required and manual labeling is an E3 feature, right? But recommended or automatic labeling, now you're getting into E5. So it is important to know that difference, especially for whatever has been enabled in your environment from a licensed perspective. But it's always gonna ask itself, is the label required or is there a policy being triggered by the contents of this data? And then from there, it's a decision tree. If there's not a label required and the user doesn't apply the label themselves, well, now we'll take a look at the next slide and say now there's some more decisions to be made from the manual perspective. But if there is a label required or the user does apply the label, now you've got the label applied, you can follow that document wherever it goes. The same concept comes into play from a recommended policy, except there's an added step of, well, did the user accept my recommendation or did it reject it? If they rejected it, now you've got an unlabeled document. So if it did accept it, well, you've got a label document. And then same thing with automatic, except there's no recommendation, you just get that label if there is a policy. And then this is the manual labeling with a little bit more detail, a couple of steps added into it. So again, they don't label it. Now you have to rely on other areas of protections, other conditions, such as the sensitive information types within it, the process of sharing it, the file types in play, and you can use other tools based on those conditions like data loss prevention, which again, we'll talk about here soon. And again, something like Endpoint DLP is an E5 only feature. You don't get Endpoint DLP with E3 licensing. 
So again, I wanna make sure that those are called out for everyone's convenience. And this is something I've given to a lot of clients over consulting. And I think they appreciate the licensing information more than they appreciate the content itself. So licensing with Microsoft is always a cloudy area for everyone. So, and then there's the recommended. Just run you through a little further again, not a lot of time to spend here. You got your automatic here at the end. It's a little bit more simple than the recommended process. There's one less step added in there. You either get the label or you don't. All right, from a recommendations perspective, there's a couple of things I wanna point out here again, not gonna read every single word on this page, but avoid scoping. So we talked about how there's the ability to assign labels to files and emails and meetings. And then there's also the ability to assign labels to containers. It's really important and it's highly recommended that you should keep labels separate between groups and sites and files and emails. One way to do that is to do something like sub labels, where you create a parent label and then underneath that is a sub label. One sub label is for files and emails and that's what the user will see within their file. And then the other sub label can be assigned to the group or site and that's it. So try to keep those separate. They're gonna have different meanings. They're gonna have different names and the impact is gonna be very different and you want the users to fundamentally understand the difference. You also wanna keep the number of labels deployed to your users small. I do prefer no more than five in a production environment, but you can use sub labels to kind of go along with that. Maybe you wanna say all employees versus trusted people. Trusted people would have external access capabilities where all employees is internal only. And those are some examples of sub labels.
You could also do sub labels based on departments. Again, so we talked HR, marketing doesn't need to see HR, but at the same time, HR probably doesn't really need or care to see marketing. So you can have different sub labels based on your departments as well. The transition to automatic labeling should be as needed for highly sensitive content. The reason I say as needed, you're going through a crawl walk run approach to your labeling. You're gonna start with manual. And I say that because really you should from a user adoption perspective, but also the user understanding. When users don't understand something, the fact of the matter is they're gonna try to find ways to avoid it. They're gonna try to find ways to avoid using a sensitivity label. If they find a way to avoid it, they're going to. So you wanna start as simplistic as possible, as hand holding as possible in that first phase of manual labeling. And then you go back and modify your labels to look for recommended labeling. Don't just jump straight into automatic because what you're doing on the back end of that is running service side automatic labeling policies and simulation mode. And you're already identifying what would have gotten labeled. And then you're working with the people that that actually impacts. You don't wanna turn on automatic labeling for everyone right away. It's gonna create problems. It's gonna create false positives. You haven't had time to retrain the system. So follow that crawl walk run approach as much as possible. You also wanna leverage something like content explorer to identify data within your organization. See where that lives. See if there's a heavy site that contains 75% of your credit card numbers. I've seen that happen. I've actually seen a SharePoint site that was 90% of the credit card numbers within the organization. And they had over a million credit card numbers in there. It was one site dedicated to that. 
And that tackled 90% of our needs for protecting credit cards, right? So keep things like those tools that can help you identify data in mind before you start rolling out your labels, especially before you start implementing them automatically on your end users. There is one important note on the service side labeling. It does have a limitation of applying 25,000 labels a day. So it'll continue scanning, but in a rolling 24 hours, only 25,000 labels would be applied. This is complemented by the fact that not every single file gets labeled and you are cleaning up data as you go, as well as users are also opening data and client side doesn't have that limitation. So with that, I am gonna go ahead and get into a quick demo here. So I'm gonna take down the screen sharing and get the right window pulled up. Just gonna show you some use cases of using the sensitivity labels within your office applications. So before I do that, if you have any questions, now would be a great time for that and we'll go ahead and go from there. All right, so to start off with, it's important to understand how to see your sensitivity labels and know where they are, how to select them, things like that within your office applications. So it's under your task bar up here at the top, the ribbon, there is a sensitivity icon. From there, you can select the dropdown and this is where you're gonna see all of the labels that have been deployed to you. What I want everyone to focus on for right now is to ignore the edit rights and authenticated users. I've got a couple of test scenarios going on that I'm helping people with, so don't mind those. We're gonna look at public, general, confidential and highly confidential. The first thing I wanna point out is public shows the shield, there's no sub labels. Public is its own label, there's no sub labels available to it. But then you can hover over general and see my two sub labels there.
So you have anyone unrestricted and then you have all employees unrestricted. I put unrestricted to say it's not encrypting the content, it's just applying a classification. When you do hover over it, it's gonna give you the policy tip, the description for the users that you configure within the portal. So it's gonna say, business data, if my mouse would hold still, let me get back over it. Maybe, okay, it's not gonna show up now, great. But it shows you the user description that you enter whenever you configure the sensitivity label. So you can go through here and select the labels within the file manually. Again, there can be recommendations, there can be automation built into applying a label, but the user, if they have the edit rights permission on the file, which if I'm the original owner of the file I do, I can always come in here and change the label at the beginning. So an example of that is right now, I have general all employees selected. That's actually my default label that I have set from the policy. So as soon as I open a document for the first time or create a new document or a new email, that is the label that is going to get applied originally. So it's gonna start with the all employees. The reason I do that and the reason I recommend that for clients is typically a new document is considered working content. That working content is made for internal access. You don't want it to be leaving the company when it's half finished, right? You don't send out marketing announcements that you haven't finished your thought on or you haven't finished the branding or the design. You leave it internal until it's ready for that public use, until it's in its mostly finalized state, right? So general all employees is my default. This is an internal document only and I'm gonna show you how it stays internal with DLP here shortly. So that's how you select your sensitivity labels if you wanna do it from a manual process.
There's also the option under the drop-down menu here. You can see the sensitivity icon there. And this actually gives you the really big user description that I was just talking about. The only other place and I don't even know if anyone can even see it, I barely can, is down here on the very bottom of the word application. It shows the classification that's applied. I wish there was a better way to highlight that for you but if you look down here close to new comment right under there is a place to see the classification. So with that, that's how you see the labels. You can see the one that's been applied but if you wanna downgrade the label, right? We talked about requiring a justification. Right now it's defaulted to the all employees general label but if I wanna say, well, this is public data, it doesn't need that protection on or that classification. If I select public, it's now gonna ask me to provide a reason for doing so because I am downgrading the classification of this content. So there's a couple of pre-built options. There's the previous label no longer applies, previous label was incorrect or you can select other and obviously we wanna train people to say, well, XXX-XX-XXXX was not a social security number, it was a serial number. We don't want them entering that into the explanation here because it's actually sent unencrypted into the compliance portal where users can be able to see that information, not general users, administrators, sorry. So you can enter a custom explanation here and if you do select other, you have to type a reason into the box. You can't just say other and press enter. You have to provide a reason. So public data and that's all I have to put and I can hit change. And now I can see that the public label has been applied and it's automatically resaving the file because I've changed the metadata of the content. 
However, if I go and start entering, say a credit card number and I'm gonna rely on this to work in a timely manner, this is not my actual credit card. So please, you can try to use this if you want but it's not a real credit card number, right? I've entered one credit card number and its CVV, all right, perfect. So I entered that credit card number and the system scanned the file as I'm working in real time. And as you can see, I've been given a policy tip here saying, hey, looks like you might have some sensitive data in here. We recommend that you apply the sensitivity label of confidential, anyone unrestricted. That's what my policy has been set to say. When I configured the confidential label, I said, look for any file containing a credit card number. It's actually one through nine credit card numbers. If it has one through nine credit card numbers apply, recommend that the user applies this content. So if I had entered 10 or more, it actually would have automatically applied the confidential all employees sensitivity label for you or for me. So I can hit apply sensitivity label or I can hit show sensitive content and it's gonna give me some context as to why it thinks I need that sensitivity label. As you can see, it's calling out the credit card number here. This is really apparent because that's all that this, there's in this file, but if this was a massive 10 page file and they had just now entered the credit card number, well, that'd been a little bit more handy in terms of being able to find that in a faster manner. But I can hit apply sensitivity and now it has applied the confidential anyone label, right? And I can go back and confirm that by clicking here confidential and I can see that it's selected. But again, if I'm like, well, no, you're wrong, I'm gonna downgrade this to general anyone unrestricted. Well, it's not gonna ask me because it didn't say, but it should have asked me why I was downgrading it again. Don't hold that against me. 
I'm moving too fast for the file and that is possible. Users can move too fast, but me downgrading that label just got logged in my Activity Explorer system. So that's a demo, that's an example of leveraging the sensitivity labels within your office applications. Word is the easiest one to showcase this. You're also gonna see it in the email here in a little bit whenever we look at DLP and I am trying to move fast, Kevin, I know we wanna get to Q&A. So with that, I'm gonna go ahead and head back to the presentation really quick. I'm just gonna share my main screen from here because switching back and forth is tedious. All right, from current slide. All right, so looking at Microsoft's DLP, DLP is a security solution that is designed to prevent the unauthorized sharing, the unauthorized movement, unauthorized access of your sensitive information within your company. It is preventing that data from being lost or exfilled outside of your organization. There are many different locations. You've got, of course, your Exchange, your SharePoint, your OneDrive. Those are all your E3 capabilities, but if you look at your E5 capabilities, you've got Teams chat and channel messages, you've got devices, your third-party apps, such as through Microsoft Defender for Cloud Apps. Again, I talked about it being the SaaS platform. You've got on-premise file repositories and you can apply DLP to Power BI content as well. Each location does have its own set of conditions and actions available to it. So when you configure your DLP policy, you want to select as few locations as possible because if I select, say, Exchange, SharePoint, Teams and Devices, I'm only gonna get the conditions and actions that are available in every single one of those, which means I'm really kind of restricting myself in terms of what I can do with Exchange DLP. There's a lot to Exchange DLP, a lot more than there is with SharePoint. 
I need those specific capabilities for Exchange, so I want to create a DLP policy scoped specifically to Exchange, specifically to Devices. The only caveat that I put there is most commonly, you're okay to combine SharePoint and OneDrive. There is a couple of differences between the two. They're very small and you'll see those in some diagrams in a little bit. Looking at your DLP policies, there's a flow of what you're really configuring within these policies. You have the policy itself where you're setting the name, you're telling it what content you're looking for, whether it's a pre-built template again, like HIPAA or like the US Patriot Act, or if you want to use custom, you're also setting the scope of users and groups within the DLP policy and defining what locations the policy is looking at. So again, that's the Exchange, the Devices, the SharePoint, and then those contain your rules. And your rules are where you're setting your conditions and actions. It is again crucial to have your rules in the right priority. The highest priority, most restrictive policy will always be applied when multiple rules are matched. So you wanna be careful in terms of how you organize your policies to make sure that you're not being over restrictive or allowing things to go through that shouldn't be, right? So just be careful with that. But then you get into your conditions and actions and that's really where you're configuring what you care about from a policy perspective. That's where you're saying, I'm looking for any file containing a social security number and a credit card number, or I'm looking for specific file types like a .exe, a .docx, which is a Word document, any PowerPoints, any Notepad files, things like that, or a file containing one of those sensitivity labels. So again, we talked about how the system integrates with the sensitive info types and sensitivity labels expanding out within Purview. You can use sensitivity labels as a condition on your DLP policies. 
So I'll actually show you that here in a little bit on DLP, I can block an email from being sent out if it has an internal only sensitivity label applied to it or stop a file from being put on a USB based on its sensitivity label and nothing else. The conditions do leverage any/all. So again, you can say I'm looking for a credit card or a social security number or this amount of those two. You don't have to say I'm looking for credit cards and social security numbers, but you can. And that would probably be more of a more restrictive rule because it has multiple types of sensitive data within it. And then you also have and/or statements to build in specific exclusions or exceptions to your conditions as well when you're writing them. And then you have your actions. So actions can be enforced based on the conditions of the file. So again, each location has its own potential actions that you can configure. I can't block moving to a USB through SharePoint, but I can through device-based DLP, endpoint DLP, right? Those are some common examples there. Blocking USBs, blocking printing, blocking sending emails to external recipients based on content, right? Those are some common examples of your actions that are available to you. And anybody wants to read more on these. There's some diagrams here that shows you every condition and action available within each location. And I'm also doing a blog series on all the different DLP locations right now on my website that you'll be able to access as well. There's user notifications that you can configure for each rule so it could be something like a policy tip. So similar to that yellow bar that you saw in my Word document with the label, you can apply as a policy tip that's just gonna say, hey, look, this looks like it contains a credit card number. 
You're not gonna be able to send this externally or you need to override this block and then you can send it externally, which gets into the user overrides where you can give the users the capability of overriding the block with a valid business reason if you want to do so. So when you talk about the different rules, maybe rule one is one to 10 credit card numbers, but rule two is 11 or more. And in rule one, you can do the override, but in rule two, because there's so many, you can't override that block. And then you have your incident reports where you can notify multiple different people about what was shared, who did the sharing, and of course the administrative alerts that get triggered on every policy violation. That's a duplicate slide, all right? These are the diagrams I talked about. So you have your cloud DLP. I did combine the SharePoint and OneDrive here, but you can see under document is shared, that is OneDrive for Business capability exclusively, not for SharePoint. And that's just saying it's shared through anyone with the link or it's shared for anyone outside of the owner of the OneDrive site, which obviously that's a little different than SharePoint. So here's some diagrams for all of these. Again, you're gonna have this, I want you all to be able to reference these. It is a little difficult to find all of these in a single location. So hopefully these diagrams can help you reference this quickly moving forward. Endpoints, Teams chat and channel messages, and then Exchange DLP as well. Don't have any for some of the more complex ones, like on-premise file repositories. Those take a little more time to demo and put together. So not something that I can easily do in this one hour call. So with that, I think at this point, go ahead and get into the live demo. I kind of covered all my recommendations when we were talking previously. So go ahead and demo some DLP policies here for you and show you that and we'll go from there. 
Again, any questions, please don't hesitate to ask. All right, so the first thing I wanna start with from a DLP perspective is actually going to be an Exchange message. So I have got an email here configured to go to an external DLP testing Gmail account that I configured. So as you can see, it's cloudedlptesting at gmail.com, which is obviously outside of my organization. And I have the general all-employees sensitivity label applied. So within my policy, I've said that general all-employees is internal only and can't be sent to external recipients. There's no overriding that. If you have that label applied, that is meant for internal use only. So you can't override that and all you can see up here at the top is a policy tip saying large amounts of sensitive info, please handle it properly. I'm not creative with my policy tips. I usually let the more creative people from my clients configure those because they already have them figured out. It'll actually tell you that the following recipients are the reason you can't send this message and you can have them removed by clicking the X or you can go through the To line and remove them yourself, which would be a lot harder to do if you had a lot of recipients built into this. But if I hit send, it just tells me I can't. It tells me the reason for not being able to send it and I have to hit okay. There's nothing I can do until I remove that recipient, which is an external user. So once I do that, it's no longer gonna block me from hitting send, although there's no one in the To line so I can't hit send, right? But if I were to change that to say public, sorry, let's not do public, let's do confidential, anyone unrestricted. This is approved for external access. So if I go and take a look at that, it should be scanning it. Once I enter the external recipient again, it's gonna scan the content, start looking for the conditions that I've configured within the policy. There it goes. Now it's giving me the policy tip. 
But the difference this time is I can hit override. Because this label is approved for external use, I can override this block and say this recipient is entitled to receive this content. I did configure an option that says I must specifically acknowledge this override within Exchange. I hit that, I press override. Now I can send this message. I've overridden that block and I can send that message. So that is Exchange DLP. But if we go and look at endpoint DLP, and I'll go ahead and throw this over, I've got a couple of files here within my OneDrive account, and I've also got a USB drive, right? And that USB drive is here, and this goes here, right? So now I've got a couple of files that are on my device. If I wanted to, for whatever reason, try and move those to a USB drive, I wouldn't be able to see your screen. I'm sorry about that. Should have been sharing, but I'll take that down and redo it. They'll be seeing it now, yes? Perfect. All right, and yes, Michael, sorry about that. Thought it was sharing, I don't know why it stopped. All right, so I've got a few different files here, and they are matching different rules from my endpoint DLP perspective. High count means that there's a lot of sensitive data within that file, right? So if I go ahead and try to throw that over here, I am showing you the wrong screen. I got a block actually, and let me, I'm sorry everyone, let me share the right screen here. Sorry, you didn't get to see the notification that popped up whenever I did that, and that's like the most important part. So again, I've got my high count file. I try to throw that on a USB drive, which my DLP policy says that's a no-no. I now get my blocked activity notification that shows up in the bottom right-hand side of my screen. Whereas if I do that with a lower count file, and these have credit card numbers inside of them, this one has like three, the other one has 13 in it. So again, it violates my high policy. 
All right, just do the unrestricted label. Problem with live demos is they are prone to user error, which you are currently seeing. Unrestricted label, I can now enter a business justification for why I wanna do that, why I need that unrestricted label document to go onto that USB drive. So there's a couple of different options here. This is part of an established business workflow, manager approved this action, urgent access required. What I wanna say is that these are all pre-built and can be modified within the Purview portal. And the reason I say that is I really dislike the urgent access required, I'll notify my manager separately option here. I just don't believe that they're actually gonna notify the manager and we've got files out there that shouldn't be out there after the fact. If you do other, you have to enter a valid reason for doing so similar to the sensitivity labels, but I'll say part of the established business workflow. What's important to see here whenever I say that is it doesn't actually move the file. I have to repeat the action again. So if I do the unrestricted label here, now it puts it on the USB drive because I've given it the reason to override it. Similar to that, we can also control things like cloud uploads within endpoint DLP. So that was one of the options on the capabilities there. So if I take that, let's say high count document again, and I wanna put that in my personal email, I've realized that Exchange is gonna stop me from sending it outside of the company. I've realized that I can't put it on the USB drive. I can't share it through SharePoint OneDrive, which I'll show that in a minute too. Now I wanted to go ahead and just try to put it into my personal email so I can send it. Well, I've got Gmail being blocked. And now if I do that, it actually tells me that this is a blocked activity that cannot be completed. I can't give an override, but if I did try the unrestricted label, then I can provide the override. 
Similar to putting it on a USB drive, there's something like printing, there's a lot of options for endpoint DLP. This is a huge ask for a lot of clients is getting endpoint DLP deployed, because if it's in the cloud, it's really easy to control, but if a user puts it on their device it gets a little harder. Well, now you have endpoint DLP to stop that capability. So with that, that is kind of the demo there of endpoint DLP. What I do wanna show is if I try to share this through OneDrive, right? If I go through here and I hit share, if I then enter, make sure this is set to people you choose and apply and I enter cloudy DLP testing at gmail.com. Now I get the block saying that I can't do that. So if I wanna hit the view policy tip, it's gonna give me the reason as to why I can't hit that. But if this was then the unrestricted label, which I'll do that now, it would actually give me the option to override that capability. So again, this is blocking pure block. You cannot override this capability, this rule here. But if you go back and do that with the unrestricted label and I share that again, I'll have the option to override that block and still send that through OneDrive sharing to my cloudy DLP testing account, which is outside of the organization. So now I still get told that I have to view the policy tip before I can hit send. But if I go into that policy tip, I can hit override here, enter my business reason, valid vendor, submit, and I have to go back. It would press the button, there's it. Well, it didn't allow me to do that. I hit the override. Sorry, I tested this before the call and I know it works. So submit, policy overriding, go back. Okay. Well, I apologize, but that should be letting me override the block there, which it did let me override it, but it's not ungraying the send box. So I apologize for that. But that is the demo, and I am very sorry that that was having an issue there. I'll take the user error on that again. 
But with that, that is the presentation and the live demo. The last slide was the integration within the Microsoft ecosystem. Whole lot of words and information here. This is something again, I want you all to have after the fact, where you can kind of go over some examples of how DLP sensitivity labels, the entire Purview suite can integrate together to give you a holistic data security program. So with that, we'll go ahead and open up to questions Q&A and see if anybody has anything. There was a couple of questions that did come in. Michael had asked, and specifically around the DLP, automation of a notification to a user's manager and or say global admin. So when you tried to pull that file over, for example, if I'm correct, Michael or I'm incorrect, please feel free to come off mute. Will a notification be sent when someone attempts to move a file that's a violation of policy? Yeah, so whenever you configure your rules within your DLP policies, you can configure the notifications that are triggered, right? So if they move a file that is matching your DLP policy, you can configure not only by default, that's gonna go to global administrators, but you can set maybe a shared group called cybersecurity at companydomain.com. And that entire shared mailbox is gonna receive the alert and you'll be able to go into the portal and investigate it. One of the things that is important to note is when you do the investigation, you're gonna be able to see the full context of the file and what had triggered the policy there. So be very careful with who you give investigative rights to because they could be viewing a valid social security number or credit card number, things like that. Paul had asked the subscription level for endpoint DLP. I actually think I know this one. That's Microsoft 365 E3. It's E5, right? E5, okay. Defender for Endpoint, does that also include that as well? Because that's technically, okay, good, I'm glad that you were able to ask. 
So a good thing to know about this is what Mike and I are talking about and the difference between core licensing and add-on licensing. And the charts that he did, I cannot explain how amazing those are because that's hours and hours of technical documentation to go through because it does not get presented that way ever. So yeah, so it's Microsoft E5 licensing for full endpoint DLP. Lowell, just more of a comment. This is really helpful, thank you. I'm willing to do a session on configuring data retention policies sometime. They'd definitely be interested. So I don't know if Mike, if you wanted to toss back into chat your information, his booking link is also pinned as well into the chat. One question that I actually had somebody write into me in advance of this was about false positives. More so just if you could speak just very briefly, maybe where you've seen these occur more often and or just some bootstrapping strategies for how you typically unpack those kind of things because apparently they have been dealing with this problem for going on a month just with constant false flags coming up. So the first thing that it starts with is making sure that whenever they receive the alert and it is a false positive is actually classifying the alert properly. That's gonna help retrain the system. It's gonna go back and tell everything, hey, you were wrong, this wasn't that situation. Another option there is something like the automated simulation mode for labels. You go out and look for content. You can actually go and mark that as true or false positives and that helps retrain the system on what is or is not a social security number, a credit card number, a custom sensitive info type. The truth is, it's all machine learning and training itself on your data and saying what confidence level it has that this is a credit card number that this is a social security number. 
So another thing to do within their policies is make sure that they're not looking for low confidence on everything. So if you say low confidence on a social security number, it could flag anything that's nine digits as being a social security number, but that's not. There is a specific set of criteria that should be matched to be a social security number. But if you do low confidence, it's dropping down the overall percentage to being down in the 60s on the system. So I mean, if we go back to school rules, that's a D and my dad was never happy if I brought home a D on the report card, right? So raise the confidence level that you're looking for there but also use the tools available to you like Content Explorer, rule classification, simulation mode for labels to go out and look for that data within your organization and take the time to actually train it and say it is a false positive, it is a true positive. Don't just mark false positives, mark true positives as well because that's gonna reinforce the confidence of the system. One thing I want to go back to Michael, I'm sorry, I didn't see the part about automating a notification to the user's manager. There are capabilities within Exchange as conditions and actions where you can trigger that. Unfortunately, it's a little limited and saying I'm pretty sure you can only do that with Exchange DLP. The notification in terms of notifying the manager, again, you can't say based on this user send it to this person. You can say based on this rule, send it to these people but it wouldn't be for an approval. The only place it goes to a manager for approval is through Exchange, through Exchange DLP. So little limited there. I'm hoping more comes out, especially from the Power Automate and the Power Apps perspective. But right now you wouldn't be able to do that. To my knowledge, if I'm wrong on that, I'd be happy to be told so. Lowell, in terms of doing retention, I'd be happy to have a conversation with you. 
Again, the bookings link is linked there. You can put it on my calendar, send me an email or if it's something where I come back here with TechSoup and do another conversation all about data retention, I'm happy to do that as well. I'm actually at my current role with Navy Federal. I'm actually doing a massive data retention project and there's a lot of undertaking there. So happy to have that conversation as well. Awesome. Yeah. Yeah, I'm full transparency. I am not a power user. I wanna get better in that space but if it is possible through Power Automate, I cannot begin to tell you how to do it. Yeah, we actually have somebody on staff that's Power Automate certified. Shoot me an email, Michael, I just pinged my personal alias into the chat. And I can certainly, I work with this gentleman on a couple of other Power Apps that we're building actually right now. So with that, we're getting, we've actually hit past time. Thank you so very much, Mike. This is high level stuff, but these are the conversations that I love to have because this is really getting into the nitty gritty of what Microsoft 365 really, the capabilities that it has. So just some resources about getting started, digital skills, training courses, digital transformation forum. Next month, we're gonna switch the, hit the switch a little bit. We're moving off of Microsoft and over to grant writing. So if you were able to join us, if you've got somebody on your development team or grant writing team that's interested, this is gonna be an awesome session. We're actually gonna be focusing on, as the title implies, grant writing with a purpose, strategy specifically around gaining access to grant funding for things such as technical assistance, maybe something like that Mike does. We understand that organizations are still struggling to try and make their digital acquisitions happen. And my hope is, is that this session next month will shed some light on how to access that funding. 
Some additional resources, again, this is all gonna be in the slide deck that's passed out to those who have attended next week. Could the digital assessment tool a great way to spend some time learning a little bit more about what your organization is doing, where areas where it maybe could benefit from adding new technologies, et cetera. Along with our blogs, they're just, these are all just great resources to have. So with that, gonna close it out. Mike, I love live demos, awesome job. These are seeing this in real time. I don't know how anybody else really felt about that, but to me to actually see what this looks like, I think is the difference because when you go from, again, from technical documentation and some screenshots to what this really looks like, I really feel like that's a game changer. So with that, we are gonna have the content to you all next week. It includes the slide decks, along with a link to today's recording. So with that, we wish everybody an adieu and have a great day. All right, thanks everyone. Sorry for the blunders on the live demo, but thank you all for having me and then always feel free to reach out. Thanks guys.