
Module 7

Exchange Online Compliance Management
Presenter name
Presenter role

Conditions and Terms of Use


Microsoft Confidential

This training package is proprietary and confidential, and is intended only for uses described in the training materials. Content and software is provided
to you under a Non-Disclosure Agreement and cannot be distributed. Copying or disclosing all or any portion of the content and/or software included in
such packages is strictly prohibited.
The contents of this package are for informational and training purposes only and are provided "as is" without warranty of any kind, whether express or
implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non-infringement.
Training package content, including URLs and other Internet Web site references, is subject to change without notice. Because Microsoft must respond
to changing market conditions, the content should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the
accuracy of any information presented after the date of publication. Unless otherwise noted, the companies, organizations, products, domain names, email addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product,
domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

Copyright and Trademarks


2014 Microsoft Corporation. All rights reserved.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject
matter in this document. Except as expressly provided in written license agreement from Microsoft, the furnishing of this
document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of
this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means
(electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
For more information, see Use of Microsoft Copyrighted Content at
http://www.microsoft.com/about/legal/permissions/
Microsoft, Internet Explorer, Outlook, SkyDrive, Windows Vista, Zune, Xbox 360, DirectX, Windows Server and
Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
Other Microsoft products mentioned herein may be either registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries. All other trademarks are property of their respective owners.

Overview

This module covers the compliance capabilities provided by Exchange Online, which include:

In-Place eDiscovery and Hold

Auditing

Data Loss Prevention

Retention Policies and Retention Tags

Journal Rules

Objective

After completing this module, you will be able to:


Understand how to use the compliance management features
of Exchange Online
Search mailboxes via eDiscovery
Prevent the leakage of sensitive information from your
Exchange Online environment through data leak protection
policies

In-Place eDiscovery and Hold

In-Place eDiscovery

Helps to perform discovery searches across mailboxes
Uses real time content indexes created by Exchange Search
Discovery Management role group is used to delegate discovery tasks
Authorized users can:
o Estimate search results
o Preview search results
o Copy search results to a Discovery mailbox
o Hold content
o Search SharePoint and archived Lync content

Exchange Search

In Exchange 2013, Exchange Search uses Microsoft Search Foundation
- Provides a rich search platform
- Has improved indexing and querying capabilities
- Is used by other Office products

In-Place eDiscovery uses Keyword Query Language (KQL)
- Similar to Advanced Query Syntax (AQS) used by Outlook and Outlook Web Access (OWA)

Discovery Management Role Group and Management Roles

In-Place eDiscovery searches can only be performed by members of the Discovery Management role group
The Discovery Management role group consists of two roles
o Mailbox Search role
o Legal Hold role
No eDiscovery tasks are assigned to any user or Exchange administrator by default

Discovery Mailboxes

A secure target mailbox
When you use EAC to copy search results, only Discovery Mailboxes are displayed
Large mailbox storage quota
o 50 GB by default
Enhanced security measures employed by default
o Only users with explicit permissions can access
Email delivery disabled
o Users cannot send email to discovery mailbox.

Interoperation with SharePoint Server 2013

Allows a discovery manager to use eDiscovery Center in SharePoint to:
Search and preserve content from a single location
Case management eDiscovery
Export search results

Using In-Place eDiscovery

Discovery Management role group membership is required
o This role group membership must be carefully managed.

Search can be performed via the Graphical User Interface (GUI) or Shell
o EAC is easier for non-technical users such as Human Resources (HR) or compliance officers.

In Hybrid deployments
o Use on-premises EAC
o Use on-premises discovery mailbox to copy results

When you create an In-Place eDiscovery search:
o A search object is created in the system mailbox
o The object can be manipulated to start, stop, modify and remove the search
o After it is created, you can estimate, preview or copy search results

Creating an In-Place eDiscovery search

Creating In-Place eDiscovery Searches Via PowerShell

This example creates the In-Place eDiscovery search Discovery-CaseId012 for items containing the keywords Contoso and ProjectA that also meet the following criteria:
Start date: 1/1/2009
End date: 12/31/2011
Source mailbox: DG-Finance
Target mailbox: Discovery Search Mailbox
Message types: Email
Log level: Full

New-MailboxSearch "Discovery-CaseId012" -StartDate "1/1/2009" `
    -EndDate "12/31/2011" -SourceMailboxes "DG-Finance" `
    -TargetMailbox "Discovery Search Mailbox" -SearchQuery '"Contoso" AND "Project A"' `
    -MessageTypes Email -IncludeUnsearchableItems -LogLevel Full

Considerations When Using In-Place eDiscovery

Attachments
o Searches attachments supported by Exchange Search
Unsearchable items
o Items that cannot be indexed due to a filter, a filter error or encryption
o Can still be copied to Discovery Mailbox
Safe list
o Files with content that cannot be indexed
Information Rights Management (IRM)-protected items
o IRM protected messages are indexed
De-duplication
o Copies only one instance of a unique message to the Discovery Mailbox, which reduces the size of the Discovery Mailbox, the workload for discovery managers and the cost of eDiscovery

Estimate, Preview and Copy Search Results

Logging

Basic Logging
Enabled by default for all In-Place eDiscovery searches
Includes information about the search and who performed it
Information appears in the body of the email message sent to
the mailbox where the search results are stored, under the
folder created to store search results
Full logging
Includes information about all messages returned by the
search
Information provided in a CSV file attached to the email
message that contains basic logging
Enabled via checkbox when copying search results or via
LogLevel parameter in PowerShell


Search and Destroy

Requires PowerShell session to Exchange Online (no UI) to use the DeleteContent switch
Can also move data out of source mailbox into a target mailbox
Admin needs to have Import-Export admin role assigned

This example deletes all messages containing text abc123 out of JohnSmith's mailbox, using DumpYardMailbox as a target
Search-Mailbox -Identity JohnSmith -SearchQuery abc123 -TargetFolder DeletedFromJohnSmith -TargetMailbox DumpYardMailbox -DeleteContent
Note that the admin should log into the target mailbox and explicitly delete the items out of the target folder to complete the Destroy action
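Added example (not part of the original training deck): one way to stage the Search-Mailbox run above so that the match count is checked and a full log is written before anything is deleted. The function name Remove-MailboxContentStaged and the $MaxItems threshold are hypothetical; the code assumes an Exchange Online remote PowerShell session and the role assignment noted above.

```powershell
# Added example. Remove-MailboxContentStaged and $MaxItems are hypothetical
# names; an Exchange Online remote PowerShell session is assumed.
function Remove-MailboxContentStaged {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [Parameter(Mandatory)] [string] $SearchQuery,
        [Parameter(Mandatory)] [string] $TargetMailbox,
        [Parameter(Mandatory)] [string] $TargetFolder,
        [int] $MaxItems = 500   # refuse to delete when the query is broader than expected
    )

    # Stage 1: count the matches only. Nothing is copied or deleted.
    $estimate = Search-Mailbox -Identity $Identity -SearchQuery $SearchQuery -EstimateResultOnly
    Write-Verbose "Estimate for ${Identity}: $($estimate.ResultItemsCount) item(s)"

    if ($estimate.ResultItemsCount -eq 0) {
        return $estimate
    }
    if ($estimate.ResultItemsCount -gt $MaxItems) {
        throw "Query matches $($estimate.ResultItemsCount) items (limit $MaxItems). Narrow the query before deleting."
    }

    # Stage 2: write a full log of the matching items to the target mailbox.
    # -LogOnly copies no messages and deletes nothing, so the log can be reviewed.
    Search-Mailbox -Identity $Identity -SearchQuery $SearchQuery `
        -TargetMailbox $TargetMailbox -TargetFolder $TargetFolder `
        -LogOnly -LogLevel Full | Out-Null

    # Stage 3: copy the items to the target mailbox and delete them from the source.
    # -Force is deliberately omitted so that Search-Mailbox asks for confirmation.
    Search-Mailbox -Identity $Identity -SearchQuery $SearchQuery `
        -TargetMailbox $TargetMailbox -TargetFolder $TargetFolder `
        -DeleteContent
}

# Usage with the values from the slide:
# Remove-MailboxContentStaged -Identity JohnSmith -SearchQuery abc123 `
#     -TargetMailbox DumpYardMailbox -TargetFolder DeletedFromJohnSmith -Verbose
```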

In-Place eDiscovery and Hold

As part of eDiscovery you may be required to preserve mailbox content
In-Place Hold cannot be used when searching all mailboxes; you must select the mailboxes individually or use distribution groups to break up the searches
You cannot remove the In-Place eDiscovery search until the In-Place Hold is removed

In-Place Hold

In-Place Hold

Place user mailboxes on hold and preserve mailbox items immutably
Preserve mailbox items deleted by users or automatic deletion processes such as Messaging Records Management (MRM)
Use query-based In-Place Hold to search for and retain items matching specified criteria
Preserve items indefinitely or for a specific duration
Place a user on multiple holds for different cases or investigations
Transparent to the end user
Enable In-Place eDiscovery searches of items placed on hold

In-Place Hold Limitations

Only 10,000 mailboxes per in-place hold (However, multiple holds may be created)
Specifying an in-place hold upon a Distribution group expands the group immediately.
Adding new members to the group will not automatically place new members under in-place hold

In-Place Hold Scenarios

What to hold
o You can specify which items to hold by using query parameters
How long to hold
o You can specify a duration for items to hold

Scenarios:
Indefinite hold: items are never deleted
Query-based hold: items matching query are preserved
Time-based hold: items are preserved for the duration of the hold

Placing a Mailbox on In-Place Hold

In-Place Hold and Mailbox Quotas

Recoverable Items folder
Items are not calculated against the user's mailbox quota
Recoverable Items folder has its own quota
RecoverableItemsQuota (default 100 GB)

In-Place Hold and Litigation Hold

Litigation hold was introduced in Exchange 2010 and uses the LitigationHoldEnabled property of a mailbox
In-Place Hold provides granular hold capability based on query parameters whereas Litigation Hold is all or nothing
Litigation hold is still available for use in Exchange Online
Recommended to use In-Place Hold

Placing a Mailbox on In-Place Hold Via PowerShell

This example creates an In-Place Hold named Hold-Case and adds the mailbox joe@contoso.com to the hold
New-MailboxSearch "Hold-Case" -SourceMailboxes "joe@contoso.com" -InPlaceHoldEnabled $true

To remove an In-Place Hold
Set-MailboxSearch "Hold-Case" -InPlaceHoldEnabled $false
Remove-MailboxSearch "Hold-Case"

Auditing

Auditing Reports

Use audit reports to track changes made by administrators:

Administrator audit logging

Mailbox audit logging

Reports:

Non-owner mailbox access report

Administrator role group report

In-place discovery and hold report

Per-mailbox litigation hold report

Run and Export Auditing Reports

Configure Audit Logging

Enable mailbox audit logging
Set-Mailbox <Identity> -AuditEnabled $true

Give users access to Auditing reports
Administrators can access and run any report in EAC
Users can be added to Records Management role group (easier)
Users can be assigned Audit Logs management role via PowerShell
Users can be assigned View-Only Audit Logs management role in PowerShell to be able to run audit reports, but not export audit logs

Configure OWA to allow XML attachments in order to see the audit logs

Viewing Audited Data

Three ways to view audit events:
Exchange Admin Center - Auditing: non-owner mailbox access report
Search-MailboxAuditLog - results shown in shell window
New-MailboxAuditLogSearch - asynchronous search, results sent in email
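Added example (not part of the original deck): triaging mailbox audit events for non-owner access once they have been retrieved. The records are constructed sample data; their property names are modelled on Search-MailboxAuditLog -ShowDetails output and are an assumption of this example, as are the function name Get-NonOwnerAccessSummary and the default list of high-risk operations.

```powershell
# Constructed sample records (not real audit data). Property names are modelled
# on Search-MailboxAuditLog -ShowDetails output; treat them as an assumption.
$sampleEvents = @(
    [pscustomobject]@{ MailboxResolvedOwnerName = 'Joe'; LogonUserDisplayName = 'Joe';           LogonType = 'Owner';    Operation = 'SoftDelete';   LastAccessed = [datetime]'2014-03-01T09:10:00' }
    [pscustomobject]@{ MailboxResolvedOwnerName = 'Joe'; LogonUserDisplayName = 'Helpdesk One';  LogonType = 'Admin';    Operation = 'FolderBind';   LastAccessed = [datetime]'2014-03-02T02:14:00' }
    [pscustomobject]@{ MailboxResolvedOwnerName = 'Joe'; LogonUserDisplayName = 'Helpdesk One';  LogonType = 'Admin';    Operation = 'HardDelete';   LastAccessed = [datetime]'2014-03-02T02:16:00' }
    [pscustomobject]@{ MailboxResolvedOwnerName = 'Ann'; LogonUserDisplayName = 'Sam Assistant'; LogonType = 'Delegate'; Operation = 'SendOnBehalf'; LastAccessed = [datetime]'2014-03-03T11:00:00' }
    [pscustomobject]@{ MailboxResolvedOwnerName = 'Ann'; LogonUserDisplayName = 'Pat Reviewer';  LogonType = 'Delegate'; Operation = 'FolderBind';   LastAccessed = [datetime]'2014-03-03T15:30:00' }
)

function Get-NonOwnerAccessSummary {
    param(
        [Parameter(Mandatory)] [object[]] $AuditEvents,
        # Operations that remove, move or send content; tune to local policy.
        [string[]] $HighRiskOperations = @('HardDelete', 'SoftDelete', 'MoveToDeletedItems', 'Move', 'SendAs', 'SendOnBehalf')
    )

    # Drop owner activity, then summarise per (mailbox, accessing user) pair.
    # High-risk pairs sort first, then the busiest pairs.
    $AuditEvents |
        Where-Object { $_.LogonType -ne 'Owner' } |
        Group-Object -Property MailboxResolvedOwnerName, LogonUserDisplayName |
        ForEach-Object {
            $ops   = @($_.Group | ForEach-Object { $_.Operation } | Sort-Object -Unique)
            $times = @($_.Group | ForEach-Object { $_.LastAccessed } | Sort-Object)
            [pscustomobject]@{
                Mailbox    = $_.Group[0].MailboxResolvedOwnerName
                AccessedBy = $_.Group[0].LogonUserDisplayName
                LogonType  = $_.Group[0].LogonType
                Events     = $_.Count
                Operations = $ops -join ', '
                HighRisk   = [bool]($ops | Where-Object { $HighRiskOperations -contains $_ })
                FirstSeen  = $times[0]
                LastSeen   = $times[-1]
            }
        } |
        Sort-Object -Property HighRisk, Events -Descending
}

# Run the summary over the constructed records.
Get-NonOwnerAccessSummary -AuditEvents $sampleEvents | Format-Table -AutoSize
```

Against a live tenant, the same function can be fed the objects returned by Search-MailboxAuditLog with -ShowDetails, provided the property names match.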

Data Loss Prevention

Data Loss Prevention Policies

Helps organizations meet specific regulations or security objectives by finding, protecting, and preventing the leaking of sensitive data

DLP policies:
o Transport rules, actions and exceptions
o Policies can be created, but not activated to allow testing
o Deep content analysis through keyword and expression evaluation
o Built-in policy templates
o Policy Tips for Outlook and OWA users

Establish Policies to Protect Sensitive Data

Apply built-in template
o Quickest way to start using data loss prevention (DLP) policies

Import policy file
o Policies created by Independent software vendors (ISVs) from outside your organization

Create a custom policy
o Customized policies to meet specific organization criteria

Sensitive Information Types in DLP Policies

Sensitive information types
Inventory of sensitive information type definitions available on TechNet.
For example: ABA routing number, Canada Social Insurance Number, US Social Security Number, Credit Card Number, etc.
Microsoft has supplied policy templates that include those information types

Policy Tips

Similar to MailTips
Informs email senders about possible compliance issues when composing email messages that violate a DLP policy

Document Fingerprinting

Advanced DLP content analysis method for comparing documents to determine if one document is based on another.
Our fingerprints have unique patterns
Documents have unique word patterns
Unique word pattern in the document represents a document fingerprint
Document fingerprint represented as a new Sensitive Information Type

DLP Fingerprint Workflow

Fingerprint generation
Template document(s) are fingerprinted for reference
Fingerprints are added to data classification

DLP (transport) rule creation
DLP (Transport rule) created referencing data classification containing the document(s) fingerprint.

Fingerprint comparison
Documents are streamed for classification by the text extraction engine
Engine fingerprints the incoming document and compares it with the fingerprint in the classification rule.
Based on classification rule match, the document is said to be a match for the rule.

Fingerprint Workflow

Creating a document fingerprint

Using the Exchange Admin Center (EAC)

Exchange Admin Center
Compliance Management / DLP
Manage Document Fingerprints
New Document Fingerprint

Using PowerShell

Open PowerShell
Enter the following commands:

$FP = New-Fingerprint -Description <desc> -FileData (Get-Content <path> -Encoding Byte)
New-DataClassification -Description <desc> -Name <name> -Locale en-us -Fingerprints $FP

Supported File Types

File Types
Same as Transport rules (DOCX, PPTX, XLSX, others)
See: Supported file types for transport rule scanning

Unsupported File Types
Office Template files (DOTX, POTX, XLTX)
Password Protected
RMS/IRM protected

Office Templates Files
Create/save blank doc based on Office template
Use blank doc for fingerprinting
Any new docs created with Office template will be detected based on fingerprinted doc

Retention Tags and Retention Policies

Messaging Records Management Strategy

Messaging records management (MRM), the records management technology in Exchange Online, provides:
Control of how long to keep items in users' mailboxes
Define what action to take on items that have reached a certain age
Remove e-mail that is not required to be retained
Used for business, legal, or regulatory reasons
Users can also leverage the technology if not mandated

Retention Tags

Used to apply retention settings to folders and individual items
Specifies how long a message remains in a mailbox and the action to be taken once retention age is reached
Allow users to tag their own folders and individual items for retention
User does not need to file items in managed folders provisioned by the administrator

Types of Retention Tags

Default policy tags (DPT)
o Apply to untagged mailbox items in the entire mailbox
Retention policy tags (RPT)
o Apply retention settings to default folders in the mailbox.
o Items in a default folder that have an RPT applied inherit the folder's tag
o Users cannot apply or change RPT applied to a default folder.
Personal tags
o Available to Outlook and OWA users
o Users can apply personal tags to folders they create or to individual items, even if those items already have a different tag applied

Retention Tags in Outlook and OWA

Retention Age Limit and Retention Actions

When you enable a retention tag, you must specify a retention age

Retention actions for RPTs:
- Move to Archive
- Delete and Allow Recovery
- Permanently Delete
- Mark as Past Retention Limit

How Retention Age is Calculated

Managed Folder Assistant processes items in a mailbox
Retention age is calculated from the date of delivery
Managed Folder Assistant stamps a start and an expiration date for all items with retention tags with Delete or Permanently Delete actions
Items with archive tag are stamped with move date
Retention age for items in Deleted Items folder is calculated based on date of delivery unless the item was moved or deleted from a folder that does not have a tag

Retention Policies

To apply retention tags, they need to be added to a retention policy.
A retention policy can have:

One RPT for each supported default folder.

One DPT with the Move to Archive action.

One DPT with the Delete and Allow Recovery or Permanently Delete actions.

One DPT for voice mail messages with the Delete and Allow Recovery or Permanently Delete actions.

Any number of personal tags.

Journaling

Journaling in Exchange Online

Journaling is the copying of emails to an external mailbox via SMTP
Helps with legal, regulatory or compliance requirements
Records inbound and outbound communications
Per user or per distribution list basis
Internal messages, external messages or both
Journaling destination cannot be an Exchange Online mailbox

Journal Rules

Journal rule scope
o Defines which messages are journaled by the journaling agent (internal, external, or all)
Journal recipient
o Specifies the SMTP address of the recipient you want to journal
Journaling mailbox
o Specifies one or more mailboxes used for collecting journal reports

Creating Journal Rules in EAC

Creating Journal Rule in PowerShell

This example creates the journal rule Discovery Journal Recipients to journal all messages sent from and received by the recipient joe@contoso.com.
New-JournalRule -Name "Discovery Journal Recipients" -Recipient joe@contoso.com `
    -JournalEmailAddress "Journal Mailbox" -Scope Global -Enabled $True

Lab: Compliance Management

Module Review

What group do you need to be a member of before you can perform eDiscovery searches in Exchange Online?
eDiscovery search results can be exported to which mailbox?
What is the quota for the recoverable items folder for mailboxes on in-place hold?

Module Review (Answers)

What group do you need to be a member of before you can perform eDiscovery searches in Exchange Online?
Answer: Discovery Management Group
eDiscovery search results can be exported to which mailbox?
Answer: Discovery mailbox
What is the default quota for the recoverable items folder for mailboxes on in-place hold?
Answer: 100 GB

Module Summary

In this module we discussed:
How to use the compliance management features of Exchange Online
Search mailboxes via eDiscovery
Prevent the leakage of sensitive information from your Exchange Online environment through data leak protection policies

Contact
John Doe
Job title goes here
(800) 123-4567
www.microsoft.com/microsoftservices

2013
2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks
in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of
this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and
Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR
STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION
