Microsoft 365 Admin Updates for Compliance and Migration.
Keep your users and data safe wherever they’re working from, take a tour of all the recent upcoming updates for Microsoft 365 admins.
As people work remotely or in hybrid work environments, potentially on unmanaged devices or less trusted networks, information protection is more important than ever. We’ve created a simple environment for everybody — from end-users to administrators, in a way where the data is secure and able to be accessed from any device, in any location. Jeff Teper, Microsoft 365 CVP, joins Jeremy Chapman to discuss how his team is helping make the lives of our admins easier.
Discover the locations in Microsoft Teams and SharePoint where your most sensitive information is generated and stored, so you can holistically apply these labels at that site or team level.
Configure rules to detect and take actions at the file system level and manage Windows devices, so you can protect your files if they’re moved from the cloud to a local device.
To get best optimal performance, connect the user to the nearest Azure Front Door with a new service called Network Connection Insights found in the M365 Admin Center.
On-Prem File Servers require VPN connectivity for remote work. Moving these files to the cloud can help the VPN saturation, get you to the cloud even faster, and ultimately allow you to take advantage of everything in Microsoft 365.
00:36 — What’s easier for admins now?
01:49 — Apply labels at site or team level
06:06 — DLP to enforce responsible sharing policies
07:26 — Endpoint DLP
09:38 — Split Tunneling
11:17 — Migration Tools
Find out more about security controls at https://aka.ms/securityinM365.
To learn more about migration, go to https://aka.ms/MigrateToM365.
Unfamiliar with Microsoft Mechanics?
We are Microsoft’s official video series for IT. You can watch and share valuable content and demos of current and upcoming tech from the people who build it at Microsoft.
- Subscribe to our YouTube: https://www.youtube.com/c/MicrosoftMechanicsSeries?sub_confirmation=1
- Follow us on Twitter: https://twitter.com/MSFTMechanics
- Follow us on LinkedIn: https://www.linkedin.com/company/microsoft-mechanics/
- Follow us on Facebook: https://facebook.com/microsoftmechanics/
- Hello and welcome to a special edition of Microsoft Mechanics. Coming up on the show, we’re joined once again by Microsoft 365 CVP, Jeff Teper, for a tour of all the recent upcoming updates for Microsoft 365 admins to keep your users and data safe wherever they’re working from. So thanks for joining us today, Jeff.
- Thanks, it’s that time of year and it is great to be back.
- So what we’re gonna cover today is very topical, especially as people work remotely or in hybrid work environments, potentially on unmanaged devices and on less trusted networks. You know, information protection is more important than ever. What’s your team then doing to help make the lives of our admins easier?
- Yeah, we really wanna create a simple environment from everybody, from end users to administrators, and do this in a way where the data is secure and it’s able to be accessed from any device in any location.
- Right, and much of this has really pivoted on knowing your data and really which content to classify and it’s not always a one size fits all approach. You know, some files are more sensitive than others, just like some devices accessing the data might be more trusted than others.
- Yeah, that’s right. And so we wanna make this easier for everybody. Labeling and the classification of your files is what makes this possible. We’ve been on a journey, as you know Jeremy, to empower users to easily classify these sensitive files. Last year, we introduced auto classification as another way to automatically identify, label, and apply protections to your sensitive content. And as I’ll show you today, we’re taking a next step by helping you discover the locations in Microsoft Teams and SharePoint where your most sensitive information is generated and stored. So that you can holistically apply these labels at that site or team level.
- Okay, so how do we flag these locations to our admins?
- Yeah, so let me show you. You know, SharePoint is what powers the files experiences across Microsoft 365, including Teams, and I’m in the SharePoint Admin Center. And here I can see my top teams and sites with the highest number of sensitive files. And these can be manually or automatically classified. I can see the corresponding team, and site labels, and security policies for unmanaged devices and sharing as well. So at the top of this list, there’s an investment banking team in Microsoft Teams that has over 600 files marked as sensitive, but only a general label, which in our case means that the unmanaged devices and external sharing are allowed on that content. So that gives me some concern. Jeremy, you’re part of that team. Let’s take a look at what’s going on there.
- Okay, let’s do it. So in this case, I’m here in Microsoft Teams in my browser on my personal device. And I can see this site by the way only as a general classification. Now, if I go to the Files tab, there are a lot of files that already have labels, but there’s one here that’s called the Five Year Vision that doesn’t have a label. So I probably shouldn’t be sharing that externally, but I’ll try it anyway. So I’m gonna go ahead and select it. I’ll click Copy Link, and then since I’m responsible, at least, I will just share to specific people, not everyone. Now I’m gonna enter Alan’s name email@example.com. But this could be any email address. Now I’ll share it and it succeeds.
- Yeah, and that’s a classic example where the file might not yet contain terms that get flagged via automatic classification, but it’s pretty likely we should be treating this one as confidential. So let me show you how to protect all the files in this team by default. I’m back in the SharePoint Admin Center, and there’s the investment banking team. I’m gonna go ahead and select it, click into Policies, then under Sensitivity, I’ll choose Edit. And here’s where I can see all of my label options, and I’m gonna make this team Confidential. And I’ll hit Save and there we are.
- And okay, but these settings then behind the Confidential label, there’s stuff going on there. Can you explain what policies then are getting applied in our example with Confidential?
- Yeah, right, there are specific policies that prevent things from happening associated with this label that will now get applied to any confidential team or SharePoint site. So let me show you what’s behind this label that I just applied. I’ll do that in Information Protection in the Compliance Center, I’ll select Confidential, and you can see the site in Group Settings. And you can see that a team is set to Private so only members can access it. Allow limited web only access means that unmanaged devices can’t sync, print, or download content from the team. And now you can also control external sharing, so if I click Edit and you see the external sharing options therefore that span anyone, which is the most permissive, to just internal users. In my case for the confidential sites, I’m just gonna disable external sharing. And this is important, especially these days of remote working when you need to manage the external access of Microsoft 365 resources while users are not on your corporate network. So Jeremy, why don’t you try sharing that file again to see if our policies worked.
- Okay, so now I’m back in my team, I can see my labels now switched on the team to confidential, so I’m gonna click into the Files tab and try to share the same document, in my case, a specific person, my friend, again, firstname.lastname@example.org, and you’ll see a message here that external sharing isn’t allowed for this file. And by the way, now that the label’s changed, even though I previously shared the same file with Alan, the beauty of this approach is that behind the scenes, we retroactively enforced this policy so it’s not gonna be accessible. And if I open the same file in Teams, you’re gonna see this yellow bar here stating that I can’t download, print, or sync files to this device because of the label and the policy that’s put in place.
- So now that every file in the team is protected, but you can still securely work on that file, you get the benefits of security and collaboration, and this serves as an extra measure in addition to auto classification, where you want the teams site or site wide protection over that content. But sometimes you might not wanna go to that extreme. You might wanna be more nuanced in the level of protection. So let’s take a look at that. So let me jump back to our site list, and if you look around at the bottom of the list, you’ll see our operations team here it’s just a few sensitive documents. And for this team, you’re probably okay keeping the team’s label as is, and just use tools like Data Loss Prevention to enforce responsible sharing policies.
- Okay, so how would you configure that?
- Yeah, it’s pretty easy. And the thing I love about DLP policies is that they’re configured in one place in the M365 Compliance Center. So here you can see I have configured three policies, I’ll select the one for US PII Data, I’ll click Edit, and In advanced DLP rules, I’ll edit the low volume content rule. Now we do wanna promote sharing in organizations, but only authenticated sharing with people that you can verify. So to do that, I’ll block people using the anyone link to share information and permit the authenticated sharing of content for specific people, our third option. I’ll save the policy and now only specified parties will get access to the content shared.
- Right, and this is huge protection against oversharing.
- Yeah, it really is. And so we’ve introduced more DLP controls to help control over sharing or leaking data. As you know, Jeremy, until recently, our DLP controls ran at the app or service level, so things like SharePoint, and OneDrive, Teams. But now that we’re extending this to endpoints as well, I’d love to show you that. Endpoint DLP lets you configure rules to detect and take actions at the file system level and manage Windows devices. So now you can protect your files if they’re moved from the cloud to a local device, especially, which is gonna be more common as people are working from home and trying to get access remotely from their remote unmanaged devices. So let me show you the options here and how this works. I’m back in the DLP Policy Editor. And in Advanced Rules, I’ll edit the first rule. I’m gonna expand the Windows Devices Option and check out the list things I can do here, including auditing and blocking, and blocking with overrides for the clipboard and USB, and a bunch of other options. And if then I switch back to the Activity Explorer, I can see all the monitoring that’s going on for the various types of activities. And as you can see here, if somebody tries to do one of the block actions, they’ll get a notification in Windows that explains the DLP policy behind it.
- All right and one thing to point out here is that if you use other DLP clients on endpoints and you’ve heard maybe user complaints about agents slowing down their PCs, well this one’s designed to not negatively impact performance so it’s not gonna slow your system down.
- Yeah, that’s right, Jeremy. That’s really important that you don’t need the extra agents it’s just built into our endpoint management. And it gets even better for unmanaged devices. So say a user can’t find their PC, their Mac, their phone, we can just sign the user out of everything. Let me show you that. Here, I’ve got Sesha selected, and you’ll see the sign out control right here on the right. I’m gonna sign him out. And that is gonna sign them out of all authenticated sessions, anything that attaches to Microsoft 365. Of course this works in the browser, but we can even enforce signing out on locally installed apps. So here you can see works in a Word rich client, works in Teams, this even extends to mobile devices and Office running on Mac OS.
- A lot of security controls, they really only work if devices are on an internal network, or remote devices are connected via a VPN, but these times are particularly challenging to keep enough VPN capacity up and running.
- Totally, this is a real problem. And the first thing I’d say is you should use split tunneling. Especially if you’re enforcing VPN access for all user traffic. This is a way that everybody gets better performance. And to get this best optimal performance, you have to connect the user to the nearest Azure Front Door. That ensures that we get the user as fast as possible on the connection to our networks, which are the fastest in the world. So what you’re seeing here is a new service called Network Connection Insights, and here you can find in the M365 Admin Center, and this helps you tune the last mile connectivity. The map here shows that you’ve got different locations your users are working from that we’ve automatically discovered. The locations are color coded for network connectivity performance. So as you can see here, users in Melbourne, Australia aren’t having a great experience. I’m gonna click in and drill around and get insights on the specific issues and recommendations for this location. So for example, here we see a recommendation to connect to an Azure Front Door closer to Melbourne, instead of the one in North America to reduce latency. This is a great tool you can use to give your users the best performance even when working from home.
- Yeah, it looks super helpful, and I couldn’t agree with you more about the split tunneling, especially for the more expensive connection workloads, things like video calling, software update management, just to name a couple. But that said, there are some things like on-prem file servers that pretty much require VPN connectivity for remote work, but how can we help in those cases?
- Yeah, at a macro level, that’s where moving these files to the cloud can both help the VPN saturation and ultimately allow you to take advantage of everything in Microsoft 365. We know many of you have investments in on-premises file servers and SharePoint, so this is gonna help you get to the cloud even faster. We’ve made a number of investments in migration tools over the last year, let me show you what’s new. So here we are in the Migration Manager and you’ll find everything you need to get migrated from those file servers, SharePoint, and other cloud services. We know that a lot of organizations are still coming from file servers, and now we can migrate directly from those file servers into Microsoft Teams, you just need to download the SharePoint Migration Tool from here, and pap! You know, I’m not gonna do this one, Jeremy, why don’t you show us how this works.
- All right, it’d be my pleasure. So here, I’m actually already downloaded, I’ve already got the Migration Tool installed on my Windows machine, and I’m gonna go ahead and start my first migration. So here, I can choose my source location, and I’ll go ahead and choose a File Share in this case. And here as you can see, not only can I migrate files into OneDrive or SharePoint, but now I even have the option to migrate this location directly into an existing Microsoft team. So it’s gonna list all the teams I can migrate to, and I’m gonna go ahead and choose Contoso Sales, and I can even target the specific Teams channel if I want to, but I’m gonna go ahead and keep general in my case, and I’m gonna stop there, just to save little bit of time because the rest of the process is the same for the SharePoint Migration Tool you’ve seen before.
- And that’s a great example of how you can bring these files from on-premises file servers to the cloud with Microsoft Teams, and not only avoid the VPN access for them, but also you get better performance but you get richer collaboration with Teams, and version history, and real-time coauthoring, and a ton more. And we’re making, in addition to that, strives to bring content from other cloud services as well. We recently acquired Mover, which brings an industry-leading technology for migrating from other cloud services into Microsoft 365. This year, we’re building those Mover experiences right into the Migration Manager, and I’m gonna show that starting with Box. So let me go ahead into that, and I’m gonna click Getting Started. In this case, I’ve already connected to Box and have scanned my files. And the nice thing here is that covers all the content, so we can even convert Box notes into Word documents. Here you can see I’ve got eight users or seven people in a shared account for marketing, everything looks good. So I’m gonna go ahead and click Migrate. And you can see, it’s mapped those seven end users to their matching Microsoft 365 accounts. And I can edit these mappings, and in my case, I’ve edited the marketing account to go into the corresponding team in Microsoft Teams. I’m gonna select the first three accounts that I mentioned and have that shared marketing account be one of them. I’m gonna click Migrate, and we can watch the progress. I’ll go into Teams, click on the File tab, hit refresh, and you’ll see our folder is migrated in right there in Microsoft Teams. And what’s really powerful is we’re pulling in all the metadata, such as the timestamps and the modified dates, with the users who embedded the file and so forth. It’s really a great seamless experience. So that was the Box experience, we’re bringing more and more of those capabilities from Mover, again, natively into Migration Manager, and in the future we’ll add other cloud sources like Dropbox and Google Drive, that you can manage migration straight from Microsoft 365.
- So amazing stuff. So we’ve seen now everything from the latest controls for secure remote work, and how to take advantage of all this by migrating your files to Microsoft 365. But where can people go to learn more?
- Yeah, Jeremy, it’s really easy. You can find out more about the security controls I showed and so much more at aka.ms/SecurityinM365. And to learn more about a migration, go to aka.ms/MigrateToM365.
- It’s really great to see all this in action, all the flexibility that we have for migration, thanks so much for joining us today, Jeff. And giving us that end-to-end tour of all the admin updates, new compliance controls, and new options for automated migration as well. Now many of these capabilities are ready for you to use right now, and others are gonna be rolling out soon. We also hope that we’ve answered all your questions on this very popular set of topics as you work remotely or in hybrid environments. And of course, check out the latest updates on Microsoft Mechanics. Keep streaming our videos and subscribe if you haven’t already. Thanks for watching, we’ll see you soon.