Friday, 22 April 2016

Protect your documents in Office365 using RMS (Rights Management)

In the last article we discussed how to encrypt emails in Office365. In this article I am going to share how to send protected documents. If your organization has a compliance requirement to send protected documents, Rights Management is the best option to achieve it.
To configure Azure RMS (Rights Management) all you need is an Enterprise E3 (or higher) subscription or an Azure Premium subscription. For more details refer to Requirements for Azure Rights Management.
Azure Rights Management services (RMS) can be purchased with Office 365, with the Enterprise Mobility Suite (EMS), or as a standalone subscription. There are differences in Azure RMS capabilities when purchased through these offerings. The following table shows these differences and might be subject to updates. Source : Microsoft Technet

Feature | RMS for Office 365 | EMS or Azure RMS Premium
Users can create and consume protected content by using Windows clients and Office applications | yes | yes
Users can create and consume protected content by using mobile devices | yes | yes
Integrates with Exchange Online, SharePoint Online, and OneDrive for Business | yes | yes
Integrates with Exchange Server 2013/Exchange Server 2010 and SharePoint Server 2013/SharePoint Server 2010 on-premises via the RMS connector | yes | yes
Administrators can create departmental templates | yes | yes
Organizations can create and manage their own RMS tenant key in a hardware security module (the Bring Your Own Key solution) | yes | yes
Supports non-Office file formats: Text and image files are natively protected; other files are generically protected | yes | yes
RMS SDK for all platforms: Windows, Windows Phone, iOS, Mac OSX, and Android | yes | yes
Integrates with Windows file servers for automatic protection with FCI via the RMS connector | | yes
Users can track usage of their documents | | yes
Users can revoke access to their documents | |


Sunday, 10 April 2016

Office365 Email Encryption - Explained

Email encryption is an added layer of security that protects messages from being read by unintended recipients. Even though Office 365 already secures transmission using TLS (Transport Layer Security), TLS only protects the hop between mail servers, whereas OME (Office 365 Message Encryption) protects the message content itself, so it is there to make mail transactions more secure. The earlier Office 365 version (FOPE/Wave 14) needed a separate Microsoft-hosted encryption licence, and tokens were issued by a reputed service provider called “Voltage”, but after multiple enhancements the current version has encryption technology built into Office 365.
To enable encryption in Office365 all we need is an active Azure Rights Management licence. By default it is included in E3 & E4 subscriptions; for all other subscriptions you can purchase it as an add-on for just 2$/user/month.
How to?
Enabling encryption is not that difficult. We just have to:
§  Activate Azure Rights Management License. (If already activated, proceed to next step)
§  Configure Azure Rights Management
§  Configure Transport Rule based on requirement

Activate Azure Rights Management License
1.    Login to the Office365 Portal
2.    Service Settings on the left pane -> Rights Management -> Manage
3.    Click on “Activate”
Below is the screen you will see post activation.

Configure Azure Rights Management:
2.    Run Get-IRMConfiguration & make sure IRM is not enabled yet (if it is already enabled you have saved a lot of time; just the transport rule is pending).
Refer to the table & choose the URL of your region.
RMS key sharing location
North America
European Union
South America
Office 365 for Government (Government Community Cloud)
Example: for Asia, below is the IRM configuration
§  Set-IRMConfiguration -RMSOnlineKeySharingLocation ""
§  Import-RMSTrustedPublishingDomain -RMSOnline -Name "RMS Online"
§  Run the following commands to disable IRM templates from being available in OWA and Outlook, and then enable IRM for your cloud-based email organization to use IRM for Office 365 Message Encryption:
To disable IRM templates in OWA and Outlook:
Set-IRMConfiguration -ClientAccessServerEnabled $false
To enable IRM for Office 365 Message Encryption:
Set-IRMConfiguration -InternalLicensingEnabled $true
Post configuration you will see it as below:
To make sure everything is configured properly, you can run a test by running Test-IRMConfiguration -Sender

Configure Transport Rule
Microsoft Technet has detailed information, with screenshots, on how to create transport rules to apply encryption to messages. Based on your requirement you can customize the conditions under which a message gets encrypted.
For example, I want the encryption process to be simple, so all my “High Importance” email should be encrypted. In this case I can simply click the “High Importance” button in Outlook/OWA and the mail will be encrypted.
Below is the simple rule that achieves this requirement.
After doing this, all I need to do is simply click on “High Importance” and send the mail.
The recipient can simply sign in using a Microsoft account, or use a one-time passcode to view the mail.
We can also create a rule for confidential mails by using a condition on the header Sensitivity: company-confidential.
Doing this, we can change the sensitivity in Outlook and send mails.
There is a lot more you can do with transport rules to make mail processing more effective.
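The two rules described above, as an added example that is not part of the original post: it creates them with Exchange Online PowerShell instead of the EAC, after checking the IRM prerequisite. It assumes an existing Exchange Online PowerShell session; the rule names and the sender address are placeholders.

```powershell
# Added example (not from the original post): create the two OME transport
# rules described above with Exchange Online PowerShell instead of the EAC.
# Assumes an Exchange Online PowerShell session; rule names and the sender
# address are placeholders.

# OME requires IRM licensing to be enabled for the tenant, so verify that first.
$irm = Get-IRMConfiguration
if (-not $irm.InternalLicensingEnabled) {
    throw "InternalLicensingEnabled is False; run Set-IRMConfiguration -InternalLicensingEnabled `$true first."
}

# Rule 1: user-initiated encryption via the High Importance flag in Outlook/OWA.
New-TransportRule -Name "OME - Encrypt High Importance mail" `
    -WithImportance High `
    -ApplyOME $true

# Rule 2: messages marked Confidential in Outlook carry the header
# "Sensitivity: company-confidential"; encrypt those as well.
New-TransportRule -Name "OME - Encrypt company-confidential mail" `
    -HeaderContainsMessageHeader "Sensitivity" `
    -HeaderContainsWords "company-confidential" `
    -ApplyOME $true

# Confirm both rules are enabled, then test IRM end-to-end for one sender.
Get-TransportRule | Where-Object { $_.Name -like "OME - *" } | Format-Table Name, State, Priority
Test-IRMConfiguration -Sender "user@contoso.example"   # placeholder sender address
```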


Feel free to comment below for any suggestions or questions :-)

Tuesday, 5 April 2016

Office365 Backup & Recovery

In the current trend Microsoft Office365 is really doing a good job in providing messaging & collaboration services. On-premises servers are expensive to manage, yet they arguably still hold a big share of the market, as there are a lot of good reasons behind companies using Exchange on-premises servers. But I guess Office365 is going to be the future, because it is:
  1. Cost effective
  2. Flexibility & Reliability, Stability.
  3. Great benefits & Features
  4. No more stress about updates & maintenance
  5. Compliance
  6. Accessibility
  7. Combo application & services
  8. Collaboration (Exchange, Lync, Sharepoint)
  9. Trust Worthy, Yes, You can trust Microsoft & Me :-)
Well, everyone in this world dealing with messaging systems knows how much benefit Office365 can bring into a business. I can talk about a lot of good things in Office 365, as I have been working with it since BPOS and am aware of how it grew up in the market. It was just amazing, with great transitions from BPOS – Wave 14 – Wave 15. But from the beginning, one thing which concerns the customer is “Backup” “Backup” “Backup”.
Let's discuss backup solutions in this article:
  • There are a lot of things that can disrupt the service, like hardware failure, human error & the most powerful of all, natural disaster. But in all these scenarios your data is safe, because Exchange Online mailboxes are continuously replicated to multiple database copies in geographically dispersed Microsoft data centers, to provide data restoration capability in the event of a local messaging infrastructure failure, & for large-scale failures, service continuity management procedures are initiated. But there is no point-in-time restore, so you need to review all the documentation and ensure the service meets your requirements. It's all detailed in the service description document High Availability Exchange Online, which means your data is not just in a single location: it has multiple copies. This is called the Native Backup solution, as every database copy acts as a backup for the others. But it doesn't end here: even though it has backup, as an admin I don't set myself free. There should be something else I should be doing to ensure it is met at the next level, so let's go further….
  • Office365 mailboxes get additional space in an archive mailbox, which is 50 GB. Refer to Archiving: define proper MRM (Retention Policies). This is a kind of backup which again makes copies to multiple databases.
User Level Backup
  • Users can also take a PST backup from their Outlook, which is an effective way of backing up mailbox items. However, there are cases where this is not possible due to compliance, client restrictions, Outlook usage etc. Please follow this article to learn how to take a backup.
Note: OWA doesn't have an export-to-PST option; it requires Outlook. But the good news is that admins can import PSTs using the Exchange admin center. Follow this
Recover Deleted Items
For all of us, the statements below are nothing new:
  1. Our users have never deleted this item
  2. Items are missing, disappearing
  3. We didn’t delete this email
These could be genuine: either the user deleted the mail manually, or MRM could have processed the mailbox, or our dear malware friend sometimes plays games with mail items :-)
At this point the question may arise concerning the deleted data: “what will happen if a user deletes an email?” “Can that be recovered?”
No worries. If you accidentally delete data in any service, Office365 provides a number of features that can help you restore the data. E.g. we can use the Recycle Bin to restore a deleted item within 30 days in SharePoint Online, & users/administrators can always recover deleted emails within a certain time period; this time period is called the “Retention Period”.
About the data on SharePoint Online: data protection services are provided to prevent the loss of SharePoint Online data. Backups are performed every 12 hours and retained for 14 days.
There are two types of deletions:
  1. Soft delete (Just deleting)
  2. Hard Delete (deleting emails from the Deleted Items folder, or Shift+Delete)
So, any item soft deleted from the mailbox has a default 30 days retention & stays in the “Deleted Items” folder, where it can be recovered whenever the user wants.
The good news is that these 30 days can be extended to unlimited, meaning soft deleted items can be recovered by users at any given point of time, at the cost of occupying a lot of space in the mailbox.
So any items which are:
  • Shift + Delete
  • Emptied Deleted Items folder
  • Deleting from Deleted Items Folder…
will reach the next level, with a new retention period of 14 days by default, which we used to call the “Dumpster” in earlier versions & is now the Recoverable Deleted Items folder.
As mentioned, this is 14 days by default & can be extended to 30 days by running the commands below:
  1. Connect to Exchange Online Powershell 
  2. Set-Mailbox -Identity "Single User" -RetainDeletedItemsFor 30
  3. For all users: Get-Mailbox -ResultSize Unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox')} | Set-Mailbox -RetainDeletedItemsFor 30
The Recoverable Deleted Items folder has the following features:
  • Deleted item retention
  • Single item recovery
  • In-Place Hold
  • Litigation Hold
  • Mailbox audit logging
  • Calendar logging
The table below shows how items are handled post deletion.

For more details about this, please refer here
In-Place Hold & Litigation Hold:
If the requirement is above these retention limits (30 days for Recoverable Deleted Items), we can utilize the “In-Place Hold” / “Litigation Hold” features. Since these are premium features, the minimum license requirement is Enterprise E3 or above.
Place a mailbox on Litigation Hold to preserve all mailbox content, including deleted items and original versions of modified items. When you place a mailbox on Litigation Hold, the user’s archive mailbox (if it’s enabled) is also placed on hold. Deleted and modified items are preserved for a specified period or until you remove the mailbox from Litigation Hold. All such mailbox items are returned in an In-Place eDiscovery in Exchange 2016 search.
Reference : Technet 
Note: this could result in large volumes of email cluttering the user mailbox, and thus impacting user productivity.
The complete content of any mailbox which is on hold can be searched using the In-Place Hold feature and can also be exported as a PST.
In short, the levels of backup based on requirement will be:
  • Native Backup
  • Archive using MRM
  • User Level Backup, PST.
  • Increase Retention Policies for Deleted Items
  • Increase Retention Policies for Recover Deleted Items
  • In-Place hold or Litigation Hold
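The retention and hold levels listed above, as an added example that is not part of the original post: it audits all user mailboxes for the deleted item retention and single item recovery settings, raises them to the 30-day maximum, and places selected mailboxes on Litigation Hold. It assumes an Exchange Online PowerShell session; the hold user list and the 365-day duration are illustrative placeholders.

```powershell
# Added example (not from the original post): audit and raise the deleted item
# recovery settings discussed above for all user mailboxes. Assumes an Exchange
# Online PowerShell session; the hold user list and the 365-day duration are
# illustrative placeholders.

$mailboxes = Get-Mailbox -ResultSize Unlimited -Filter { RecipientTypeDetails -eq 'UserMailbox' }

# Mailboxes still below 30 days of Recoverable Items retention (the 14-day
# default), or without single item recovery, where purged items can be lost early.
$weak = $mailboxes | Where-Object {
    [TimeSpan]::Parse($_.RetainDeletedItemsFor.ToString()) -lt [TimeSpan]::FromDays(30) -or
    -not $_.SingleItemRecoveryEnabled
}
$weak | Select-Object Name, RetainDeletedItemsFor, SingleItemRecoveryEnabled, LitigationHoldEnabled |
    Format-Table -AutoSize

# Remediate: the 30-day maximum for Recoverable Items plus single item recovery,
# so items purged by the user are still recoverable by an admin for the full period.
$weak | Set-Mailbox -RetainDeletedItemsFor 30 -SingleItemRecoveryEnabled $true

# Where a requirement exceeds 30 days, Litigation Hold preserves deleted and
# modified items for the stated duration (Enterprise E3 or above required).
$holdUsers = @("legal.user1@contoso.example", "finance.user2@contoso.example")   # placeholders
foreach ($user in $holdUsers) {
    Set-Mailbox -Identity $user -LitigationHoldEnabled $true -LitigationHoldDuration 365
}

# Confirm the new values on the mailboxes that were changed.
$weak | Get-Mailbox | Select-Object Name, RetainDeletedItemsFor, SingleItemRecoveryEnabled, LitigationHoldEnabled
```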
Other References:

My own blogs :-)

Monday, 21 March 2016

Cloud Computing - Part1

Cloud Computing

Cloud Computing: the most familiar term in current technologies, & there are many questions we have related to the Cloud. But the real fact is “Yes”, we are all on the Cloud now :-) & there are miles to go. So what is it?

Data Cloud

A few years back someone who had no idea about the Cloud asked me for a simple definition of it. I answered: you can store or access your data over the internet from anywhere. This may sound very simple, but in the background the Cloud has a gigantic, structured infrastructure through which you can customize all your needs on demand & pay as you go. It is secure and most reliable. Beyond the technology's security level, mutual trust also plays a vital role in choosing the Cloud from major cloud service providers. Private, Public and Hybrid deployment modes are available. When I talk about the Cloud to those who have no preference for it, the first thing that comes to my mind is: people don't like change, do not work in technology :-)

Cloud services typically have the following characteristics:

  • Fast and efficient deployment
  • Less or no capital investment
  • Reliability, Scalability, Sustainability & Resource pooling
  • Pay as you go, with no monthly commitment
  • Customization is limited
  • Highly automated with Utility based system
  • On-Demand-Service

There are a few Cloud services I have explained below. All the technologies below put together can also be called EaaS, Everything as a Service (*aaS). It has not only garnered excitement from technologists but has captured the attention of business leaders around the world.

IaaS: Infrastructure as a Service

Cloud infrastructure services, referred to as Infrastructure as a Service (IaaS), are a form of Cloud Computing that provides secure virtualized resources over the internet, with self-service models for accessing, monitoring, and managing remote data center infrastructure; this includes servers, storage, networking & firewalls.

IaaS users manage their applications, data, runtime and middleware. IaaS platforms offer highly scalable resources that can be adjusted on demand. Many of the major Cloud service providers offer IaaS, and they have a wide variety of hardware and software combinations to choose from.

PaaS : Platform as a Service

Cloud Platform Services, also known as Platform as a Service, is similar to IaaS, with the major difference that users have no control over the network, resources, servers etc.; with that said, PaaS typically provides no such control. This indirectly means there are no costs involved for users to manage administration: the service provider takes responsibility for management, administration & also maintenance.

SaaS: Software as a Service

Cloud application services, referred to as Software as a Service (SaaS), are a software licensing and delivery model. This can also be referred to as “Software-on-Demand”: SaaS uses the web to deliver applications that are managed by the service provider and whose interface is accessed over the internet using a web interface.

Being a web delivery model, there is no need for any installation or complicated setup. Popular SaaS is widely used for Email Messaging & Collaboration systems like Exchange, SharePoint and Lync.

Be in Cloud , Stay in Cloud & Enjoy Cloud :-)

Saturday, 12 March 2016

Do you know, attachment can be inspected

Attachments can be inspected by creating Exchange transport rules. We had this option earlier, but it did not really work as expected; now it is working as expected. This article applies to Exchange & Office365.
Source for the material below: Technet

Conditions that can be applied to transport rules:

Condition name in EAC | Condition name in the Shell | Description
Any attachment file name matches these text patterns | AttachmentNameMatchesPatterns | This condition matches messages with supported file type attachments when those attachments have a name that contains the characters you specify.
Any attachment file extension includes these words | AttachmentExtensionMatchesWords | This condition matches messages with supported file type attachments when the file name extension matches what you specify.
Any attachment size is greater than or equal to | AttachmentSizeOver | This condition matches messages with supported file type attachments when those attachments are larger than the size you specify.
Any attachment didn't complete scanning | AttachmentProcessingLimitExceeded | This condition matches messages when an attachment is not inspected by the transport rules agent.
Any attachment has executable content | AttachmentHasExecutableContent | This condition matches messages that contain executable files as attachments. The supported file types are listed here.
Any attachment is password protected | AttachmentIsPasswordProtected | This condition matches messages with supported file type attachments when those attachments are protected by a password.

The Exchange Management Shell names for the conditions listed here are parameters of the New-TransportRule and Set-TransportRule cmdlets.
Learn more about the cmdlet at New-TransportRule.
Learn more about property types for these conditions at Conditions and Condition Properties for a Mailbox Server.
The transport agent uses true type detection by inspecting file properties rather than merely the file extension. This helps to prevent malicious hackers from bypassing your rule by renaming a file extension. The following table lists the executable file types supported by these conditions. If a file is found that is not listed here, the AttachmentIsUnsupported condition is triggered.

Type of file | Native extension
Self-extracting archive file created with the WinRAR archiver. | .rar
32-bit Windows executable file with a dynamic link library extension. | .dll
Self-extracting executable program file. | .exe
Java archive file. | .jar
Uninstallation executable file. | .exe
Program shortcut file. | .exe
Compiled source code file or 3-D object file or sequence file. | .obj
32-bit Windows executable file. | .exe
Microsoft Visio XML drawing file. | .vxd
OS/2 operating system file. | .os2
16-bit Windows executable file. | .w16
Disk-operating system file. | .dos
European Institute for Computer Antivirus Research standard antivirus test |
Windows program information file. | .pif
Windows executable program file. | .exe
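The attachment conditions above put to work, as an added example that is not part of the original post: transport rules that reject executable content (matched by true file type, so a renamed extension does not evade it), route attachments the agent could not inspect to a review mailbox, and flag script-type extensions. It assumes an Exchange Online or Exchange Management Shell session; the rule names and the review mailbox address are placeholders. Each rule carries one condition because conditions within a single rule are combined with AND.

```powershell
# Added example (not from the original post): transport rules built on the
# attachment conditions listed above. Assumes an Exchange Online or Exchange
# Management Shell session; rule names and the review mailbox are placeholders.

$reviewMailbox = "attachment-review@contoso.example"   # placeholder address

# Rule 1: reject executable content outright. The agent detects the true file
# type from file properties, so payload.exe renamed to payload.txt still matches.
New-TransportRule -Name "Block executable attachments" `
    -AttachmentHasExecutableContent $true `
    -RejectMessageReasonText "Executable attachments are not accepted by this organization." `
    -RejectMessageEnhancedStatusCode "5.7.1"

# Rule 2: a password-protected attachment cannot be inspected, so it cannot be
# proven safe; redirect it for review instead of delivering it to the user.
New-TransportRule -Name "Review password-protected attachments" `
    -AttachmentIsPasswordProtected $true `
    -RedirectMessageTo $reviewMailbox `
    -PrependSubject "[ATTACHMENT REVIEW] "

# Rule 3: same treatment when the agent gave up before finishing the scan.
New-TransportRule -Name "Review attachments that did not complete scanning" `
    -AttachmentProcessingLimitExceeded $true `
    -RedirectMessageTo $reviewMailbox `
    -PrependSubject "[SCAN INCOMPLETE] "

# Rule 4: script-type extensions are not in the executable type table, so an
# extension match complements (does not replace) true type detection. Tag the
# message and send an incident report rather than blocking.
New-TransportRule -Name "Flag script attachments" `
    -AttachmentExtensionMatchesWords "js", "vbs", "ps1", "hta" `
    -SetHeaderName "X-Attachment-Policy" -SetHeaderValue "flagged" `
    -GenerateIncidentReport $reviewMailbox

# Rule 5: attachments that are unsupported for inspection are only recorded.
New-TransportRule -Name "Log unsupported attachment types" `
    -AttachmentIsUnsupported $true `
    -GenerateIncidentReport $reviewMailbox

# Verify the rules exist, are enabled and are evaluated in the intended order.
Get-TransportRule | Sort-Object Priority | Format-Table Priority, Name, State -AutoSize
```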
