
1
00:00:00,000 –> 00:00:01,680
The night was thick with static,
2
00:00:01,680 –> 00:00:03,760
Teams channels hummed like open vents,
3
00:00:03,760 –> 00:00:06,440
not secure by default, not even close.
4
00:00:06,440 –> 00:00:09,360
Guests slip in.
5
00:00:09,360 –> 00:00:10,680
Linger.
6
00:00:10,680 –> 00:00:14,080
Files sink to places you don’t watch.
7
00:00:14,080 –> 00:00:17,040
One careless click away from a bleed you can’t stop.
8
00:00:17,040 –> 00:00:18,400
Here’s the upfront truth,
9
00:00:18,400 –> 00:00:20,480
Enforce MFA for everyone.
10
00:00:20,480 –> 00:00:21,840
Kill legacy auth,
11
00:00:21,840 –> 00:00:24,080
lock access to compliant devices,
12
00:00:24,080 –> 00:00:26,480
put DLP on chat and channels,
13
00:00:26,480 –> 00:00:29,000
govern guests with reviews and expirations,
14
00:00:29,000 –> 00:00:30,240
then prove it in logs.
15
00:00:30,240 –> 00:00:32,000
I’ll show you the exact conditional access
16
00:00:32,000 –> 00:00:34,760
Purview DLP and Entra ID governance settings.
17
00:00:34,760 –> 00:00:37,640
Copy, test, measure. Two real incidents first.
18
00:00:37,640 –> 00:00:39,600
They’ll make the risk obvious.
19
00:00:39,600 –> 00:00:43,400
Incident proof: how defaults burned two tenants.
20
00:00:43,400 –> 00:00:45,760
Case one walked in quiet,
21
00:00:45,760 –> 00:00:47,480
a completed project,
22
00:00:47,480 –> 00:00:48,800
champagne gone.
23
00:00:48,800 –> 00:00:51,240
The guests remained.
24
00:00:51,240 –> 00:00:54,400
Their accounts sat dormant.
25
00:00:54,400 –> 00:00:57,720
But their sync client kept breathing.
26
00:00:57,720 –> 00:01:00,360
A private channel held the good stuff.
27
00:01:00,360 –> 00:01:03,480
Sensitive files lived in its SharePoint stack,
28
00:01:03,480 –> 00:01:06,160
detached, hidden under the floorboards.
29
00:01:06,160 –> 00:01:09,480
The guest's OneDrive sync still pointed to that library.
30
00:01:09,480 –> 00:01:11,480
Weeks later, they opened their laptop,
31
00:01:11,480 –> 00:01:12,600
the library woke.
32
00:01:12,600 –> 00:01:15,640
It pulled fresh copies down like rain through a cracked roof.
33
00:01:15,640 –> 00:01:16,600
What failed?
34
00:01:16,600 –> 00:01:18,200
No guest expiration.
35
00:01:18,200 –> 00:01:21,120
No access reviews tied to that team.
36
00:01:21,120 –> 00:01:23,000
External sharing sat loose,
37
00:01:23,000 –> 00:01:25,400
letting synced libraries persist.
38
00:01:25,400 –> 00:01:28,600
Group owners assumed project over meant access over.
39
00:01:28,600 –> 00:01:31,280
It didn’t. Private channels’ separate SharePoint sites
40
00:01:31,280 –> 00:01:32,200
aren’t a rumor.
41
00:01:32,200 –> 00:01:33,400
They’re a second door.
42
00:01:33,400 –> 00:01:35,080
It stayed unlocked.
43
00:01:35,080 –> 00:01:36,360
Blast radius.
44
00:01:36,360 –> 00:01:38,480
Documents in the private channel site.
45
00:01:38,480 –> 00:01:41,080
Meeting recordings referenced in threads.
46
00:01:41,080 –> 00:01:43,520
Loop components injected into posts.
47
00:01:43,520 –> 00:01:45,400
Fragmented across SharePoint stacks,
48
00:01:45,400 –> 00:01:46,680
but linked by the channel.
49
00:01:46,680 –> 00:01:48,360
The guests didn’t need to browse teams.
50
00:01:48,360 –> 00:01:49,880
The files came to them.
51
00:01:49,880 –> 00:01:51,760
Quiet, automatic.
52
00:01:51,760 –> 00:01:53,320
You can tell a lot about a tenant
53
00:01:53,320 –> 00:01:55,320
from what it remembers to forget.
54
00:01:55,320 –> 00:01:57,880
This one remembered everything for the wrong person.
55
00:01:57,880 –> 00:02:02,280
Now the second case, inside job, not malicious, just tired fingers,
56
00:02:02,280 –> 00:02:04,920
an internal user pasted PII into a channel.
57
00:02:04,920 –> 00:02:08,600
SSNs, bank numbers, the kind of data that crawls.
58
00:02:08,600 –> 00:02:10,680
A coworker needed to email a vendor
59
00:02:10,680 –> 00:02:13,080
so they copied the message, and out it went.
60
00:02:13,080 –> 00:02:16,280
Then someone exported the thread for documentation.
61
00:02:16,280 –> 00:02:21,320
The data forked, email, local drives, third party systems,
62
00:02:21,320 –> 00:02:23,720
a cleanup turned into a scavenger hunt.
63
00:02:23,720 –> 00:02:24,760
What failed?
64
00:02:24,760 –> 00:02:28,040
No Purview DLP on Teams chat and channels.
65
00:02:28,040 –> 00:02:29,880
No policy tips to stop the paste.
66
00:02:29,880 –> 00:02:32,200
No block with override friction.
67
00:02:32,200 –> 00:02:33,960
No escalation to compliance.
68
00:02:33,960 –> 00:02:35,240
The system watched.
69
00:02:35,240 –> 00:02:36,600
It didn’t act.
70
00:02:36,600 –> 00:02:38,920
And because Teams is just the front end,
71
00:02:38,920 –> 00:02:41,720
the core controls weren’t where the words were spoken.
72
00:02:41,720 –> 00:02:43,400
They’re in Purview.
73
00:02:43,400 –> 00:02:45,320
Entra, SharePoint.
74
00:02:45,320 –> 00:02:47,000
If those aren’t tuned,
75
00:02:47,000 –> 00:02:49,800
the front end smiles while the back door swings.
76
00:02:49,800 –> 00:02:52,520
Most people think a private channel means private.
77
00:02:52,520 –> 00:02:55,080
We know better. Private just means different plumbing.
78
00:02:55,080 –> 00:02:57,720
New site collection, new permission surface.
79
00:02:57,720 –> 00:02:59,640
If you don’t govern guest lifecycle
80
00:02:59,640 –> 00:03:02,680
and external sharing there, it will rot slowly.
81
00:03:02,680 –> 00:03:04,040
Then fast.
82
00:03:04,040 –> 00:03:06,840
Most people think don’t share PII is enough.
83
00:03:06,840 –> 00:03:09,400
It isn’t. You need the tripwire, the siren,
84
00:03:09,400 –> 00:03:11,400
the record that proves you tried to stop it
85
00:03:11,400 –> 00:03:12,680
and what happened next.
86
00:03:12,680 –> 00:03:14,120
Courts care about the ledger.
87
00:03:14,120 –> 00:03:15,400
Regulators too.
88
00:03:15,400 –> 00:03:18,120
Without DLP and audit, you’re guessing.
89
00:03:18,120 –> 00:03:19,480
Guesses don’t hold.
90
00:03:19,480 –> 00:03:21,320
So here’s the takeaway that stings.
91
00:03:21,320 –> 00:03:22,520
Teams isn’t the vault.
92
00:03:22,520 –> 00:03:23,400
It’s the lobby.
93
00:03:23,400 –> 00:03:25,640
The vault lives in conditional access,
94
00:03:25,640 –> 00:03:26,920
Purview DLP,
95
00:03:26,920 –> 00:03:28,280
Entra ID governance,
96
00:03:28,280 –> 00:03:30,040
and SharePoint sharing limits.
97
00:03:30,040 –> 00:03:31,320
If those aren’t set,
98
00:03:31,320 –> 00:03:34,360
the lobby looks safe while data slips into the alley.
99
00:03:34,360 –> 00:03:35,640
But down here in the internet,
100
00:03:35,640 –> 00:03:36,440
we like proof.
101
00:03:36,440 –> 00:03:37,640
We set barricades.
102
00:03:37,640 –> 00:03:38,440
We test them.
103
00:03:38,440 –> 00:03:39,880
We watch the logs.
104
00:03:39,880 –> 00:03:42,680
We break our own doors and see who notices.
105
00:03:42,680 –> 00:03:44,520
Now we build the first wall.
106
00:03:44,520 –> 00:03:46,840
Conditional access, MFA for everyone,
107
00:03:46,840 –> 00:03:47,960
including guests.
108
00:03:47,960 –> 00:03:49,320
Legacy auth buried.
109
00:03:49,320 –> 00:03:51,560
Access only from devices you trust.
110
00:03:51,560 –> 00:03:53,480
Session controls that don’t blink.
111
00:03:53,480 –> 00:03:55,720
Because in this city identity is the lock,
112
00:03:55,720 –> 00:03:56,760
and it better bite.
113
00:03:56,760 –> 00:03:59,000
Layer one.
114
00:03:59,000 –> 00:04:02,600
Conditional access, baseline that actually bites.
115
00:04:02,600 –> 00:04:04,200
We start at the gate.
116
00:04:04,200 –> 00:04:05,800
Identity first.
117
00:04:05,800 –> 00:04:08,520
Because every breach starts with a door that didn’t hold.
118
00:04:08,520 –> 00:04:10,360
Goal is simple.
119
00:04:10,360 –> 00:04:11,800
MFA for everyone.
120
00:04:11,800 –> 00:04:12,920
Guests too.
121
00:04:12,920 –> 00:04:14,600
Legacy auth buried deep.
122
00:04:14,600 –> 00:04:17,320
Only compliant devices touch the stash.
123
00:04:17,320 –> 00:04:19,080
Sessions checked often.
124
00:04:19,080 –> 00:04:20,200
Without warning.
125
00:04:20,200 –> 00:04:21,240
Policy one.
126
00:04:21,240 –> 00:04:23,560
Require MFA for all cloud apps.
127
00:04:23,560 –> 00:04:26,600
Yes, all users and guests in scope.
128
00:04:26,600 –> 00:04:28,760
Create a single policy in Entra.
129
00:04:28,760 –> 00:04:31,000
Assignments include all users.
130
00:04:31,000 –> 00:04:33,480
Select guests and external users too.
131
00:04:33,480 –> 00:04:35,000
Exclude your break-glass accounts.
132
00:04:35,000 –> 00:04:35,960
Two of them.
133
00:04:35,960 –> 00:04:37,720
Strong random passwords.
134
00:04:37,720 –> 00:04:39,000
No MFA.
135
00:04:39,000 –> 00:04:40,360
Store them offline.
136
00:04:40,360 –> 00:04:41,480
Cloud apps.
137
00:04:41,480 –> 00:04:42,680
All cloud apps.
138
00:04:42,680 –> 00:04:43,880
Grant controls.
139
00:04:43,880 –> 00:04:46,120
Require multi-factor authentication.
140
00:04:46,120 –> 00:04:46,760
Enable.
141
00:04:46,760 –> 00:04:48,760
Report only first if you’re scared.
142
00:04:48,760 –> 00:04:49,720
But we know better.
143
00:04:49,720 –> 00:04:50,760
Now make it bite.
144
00:04:50,760 –> 00:04:52,280
Turn off report only.
145
00:04:52,280 –> 00:04:53,080
Watch sign-ins.
146
00:04:53,080 –> 00:04:54,840
You’ll see who never had a second factor.
147
00:04:54,840 –> 00:04:55,560
They’ll complain.
148
00:04:55,560 –> 00:04:58,440
That’s the sound of a lock catching.
149
00:04:58,440 –> 00:04:59,400
Policy two.
150
00:04:59,400 –> 00:05:01,400
Kill legacy authentication.
151
00:05:01,400 –> 00:05:04,120
The old protocols don’t understand MFA.
152
00:05:04,120 –> 00:05:05,640
They don’t care who walks in.
153
00:05:05,640 –> 00:05:07,320
Create another policy.
154
00:05:07,320 –> 00:05:08,520
Users.
155
00:05:08,520 –> 00:05:10,520
All including guests.
156
00:05:10,520 –> 00:05:11,800
Cloud apps.
157
00:05:11,800 –> 00:05:13,400
All cloud apps.
158
00:05:13,400 –> 00:05:14,360
Client apps.
159
00:05:14,360 –> 00:05:15,160
Condition.
160
00:05:15,160 –> 00:05:16,280
Select Exchange
161
00:05:16,280 –> 00:05:18,360
ActiveSync and other clients.
162
00:05:18,360 –> 00:05:19,080
Grant.
163
00:05:19,080 –> 00:05:20,120
Block access.
164
00:05:20,120 –> 00:05:21,000
Turn it on.
165
00:05:21,000 –> 00:05:22,520
This starves the phish.
166
00:05:22,520 –> 00:05:24,600
It also breaks dusty clients.
167
00:05:24,600 –> 00:05:25,320
Good.
168
00:05:25,320 –> 00:05:27,560
Extinction comes for weak things.
169
00:05:27,560 –> 00:05:28,600
Policy three.
170
00:05:28,600 –> 00:05:31,480
Require device compliance for the crown apps.
171
00:05:31,480 –> 00:05:32,280
Teams.
172
00:05:32,280 –> 00:05:33,000
SharePoint.
173
00:05:33,000 –> 00:05:33,880
Exchange.
174
00:05:33,880 –> 00:05:35,400
Because files live there.
175
00:05:35,400 –> 00:05:36,360
Chats point there.
176
00:05:36,360 –> 00:05:37,400
Mail spreads there.
177
00:05:37,400 –> 00:05:38,280
Create a policy.
178
00:05:38,280 –> 00:05:39,240
Users.
179
00:05:39,240 –> 00:05:40,920
All internal users.
180
00:05:40,920 –> 00:05:43,640
Guests too if you allow device trust for them.
181
00:05:43,640 –> 00:05:45,800
If not, we’ll use app protection instead.
182
00:05:45,800 –> 00:05:46,680
Cloud apps.
183
00:05:46,680 –> 00:05:47,960
Microsoft Teams.
184
00:05:47,960 –> 00:05:49,320
SharePoint online.
185
00:05:49,320 –> 00:05:50,680
Exchange online.
186
00:05:50,680 –> 00:05:51,640
Conditions.
187
00:05:51,640 –> 00:05:53,640
Locations can stay any.
188
00:05:53,640 –> 00:05:54,680
Grant controls.
189
00:05:54,680 –> 00:05:56,840
Require device to be marked as compliant.
190
00:05:56,840 –> 00:05:57,720
Enable.
191
00:05:57,720 –> 00:06:01,560
Now only devices in Intune meeting your rules get through.
192
00:06:01,560 –> 00:06:03,720
BYOD screaming? Fine.
193
00:06:03,720 –> 00:06:05,080
Clone this policy.
194
00:06:05,080 –> 00:06:09,240
Swap require compliant device for require approved client app.
195
00:06:09,240 –> 00:06:11,560
And require app protection policy.
196
00:06:11,560 –> 00:06:13,400
And scope it to mobile platforms.
197
00:06:13,400 –> 00:06:15,480
Keep desktops strict.
198
00:06:15,480 –> 00:06:18,200
Because laptops leak in alleys you can’t light.
199
00:06:18,200 –> 00:06:19,160
Policy four.
200
00:06:19,160 –> 00:06:21,560
Session controls. We don’t trust long sessions.
201
00:06:21,560 –> 00:06:23,960
Set sign in frequency.
202
00:06:23,960 –> 00:06:25,960
Eight hours is a good shift.
203
00:06:25,960 –> 00:06:29,080
Require re-auth every week for sensitive apps.
204
00:06:29,080 –> 00:06:31,560
Turn on continuous access evaluation.
205
00:06:31,560 –> 00:06:34,920
So token validity reacts to risk in near real time.
206
00:06:34,920 –> 00:06:36,120
Account disabled.
207
00:06:36,120 –> 00:06:37,320
Password changed.
208
00:06:37,320 –> 00:06:39,240
Session dies mid-sentence.
209
00:06:39,240 –> 00:06:40,760
That’s the point.
210
00:06:40,760 –> 00:06:41,960
Risk signals.
211
00:06:41,960 –> 00:06:45,000
If you can, push phishing resistant MFA.
212
00:06:45,000 –> 00:06:46,120
FIDO2 keys.
213
00:06:46,120 –> 00:06:47,320
Windows Hello for Business.
214
00:06:47,320 –> 00:06:48,760
Number matching everywhere.
215
00:06:48,760 –> 00:06:51,720
Smarts will try to social your push approvals.
216
00:06:51,720 –> 00:06:53,240
Number matching cuts the chatter.
217
00:06:53,240 –> 00:06:57,560
Resistant factors break the script entirely.
218
00:06:57,560 –> 00:06:58,840
Per app hardening.
219
00:06:58,840 –> 00:07:01,480
Add a policy for high-risk sign-ins.
220
00:07:01,480 –> 00:07:03,720
Source from identity protection.
221
00:07:03,720 –> 00:07:06,760
Grant require password change or block.
222
00:07:06,760 –> 00:07:10,040
High-risk users block until investigated.
223
00:07:10,040 –> 00:07:13,160
Because in this city, risk isn’t a mood.
224
00:07:13,160 –> 00:07:14,760
It’s telemetry.
225
00:07:14,760 –> 00:07:16,440
Guest edge cases.
226
00:07:16,440 –> 00:07:19,800
Disable unmanaged device redemption for guests
227
00:07:19,800 –> 00:07:21,560
if your program can stand it.
228
00:07:21,560 –> 00:07:25,000
Force guests to redeem into an Entra account with MFA.
229
00:07:25,000 –> 00:07:26,360
No email only shadows.
230
00:07:26,360 –> 00:07:27,720
You want identity with weight.
231
00:07:27,720 –> 00:07:29,080
With trace.
232
00:07:29,080 –> 00:07:30,040
Now the test.
233
00:07:30,040 –> 00:07:31,400
Open a clean browser.
234
00:07:31,400 –> 00:07:32,520
In private.
235
00:07:32,520 –> 00:07:33,560
Fresh guest.
236
00:07:33,560 –> 00:07:36,200
Invite a test guest from a personal account.
237
00:07:36,200 –> 00:07:39,480
Have them accept. They should hit MFA at first sign-in.
238
00:07:39,480 –> 00:07:41,480
No MFA? You missed the guest assignment.
239
00:07:41,480 –> 00:07:43,400
Fix it. Next, test from a machine
240
00:07:43,400 –> 00:07:45,160
that Intune doesn’t bless.
241
00:07:45,160 –> 00:07:46,600
Try to open Teams on the web.
242
00:07:46,600 –> 00:07:48,680
Try SharePoint. You should hit a wall.
243
00:07:48,680 –> 00:07:51,000
If mobile, you should be forced into the approved app
244
00:07:51,000 –> 00:07:52,920
with app protection policies.
245
00:07:52,920 –> 00:07:54,200
Anything else is a leak.
246
00:07:54,200 –> 00:07:55,640
Legacy auth probe.
247
00:07:55,640 –> 00:07:59,480
Connect with basic auth SMTP or an older Outlook profile.
248
00:07:59,480 –> 00:08:00,600
It should fail hard.
249
00:08:00,600 –> 00:08:03,080
If it works, you missed a protocol exception.
250
00:08:03,080 –> 00:08:03,800
Hunt it down.
251
00:08:03,800 –> 00:08:05,160
No mercy for legacy.
252
00:08:05,160 –> 00:08:06,120
Session check.
253
00:08:06,120 –> 00:08:06,920
Sign in.
254
00:08:06,920 –> 00:08:07,560
Wait.
255
00:08:07,560 –> 00:08:10,040
Change the user’s password from the admin side.
256
00:08:10,040 –> 00:08:11,880
Watch the session die with CAE.
257
00:08:11,880 –> 00:08:15,000
If it lingers, your tenant setting is asleep.
258
00:08:15,000 –> 00:08:15,880
Wake it.
259
00:08:15,880 –> 00:08:17,480
Break glass drill.
260
00:08:17,480 –> 00:08:19,480
Simulate an outage in your head.
261
00:08:19,480 –> 00:08:22,360
Azure AD down, you sign in with a break-glass account.
262
00:08:22,360 –> 00:08:23,560
No conditional access.
263
00:08:23,560 –> 00:08:26,200
No MFA. Confirm they work quarterly.
264
00:08:26,200 –> 00:08:27,720
Monitor their use with alerts.
265
00:08:27,720 –> 00:08:29,640
If they light up, you have a real fire.
266
00:08:29,640 –> 00:08:30,520
Last piece.
267
00:08:30,520 –> 00:08:33,320
Exclude service accounts from interactive sign in.
268
00:08:33,320 –> 00:08:35,320
Force them into workload identities.
269
00:08:35,320 –> 00:08:37,000
Or manage identities.
270
00:08:37,000 –> 00:08:38,200
Humans do MFA.
271
00:08:38,200 –> 00:08:40,120
Bots don’t log in like humans.
272
00:08:40,120 –> 00:08:46,520
Now step back. Perimeter stands: MFA enforced, legacy auth cold, only trusted devices at the window.
273
00:08:46,520 –> 00:08:49,000
Sessions short, nervous, alert.
274
00:08:49,000 –> 00:08:51,640
But down here, walls don’t stop whispers.
275
00:08:51,640 –> 00:08:53,480
Data still slips inside the lines.
276
00:08:53,480 –> 00:08:55,240
So we cut the channels next.
277
00:08:55,240 –> 00:08:57,240
Purview DLP on chat and channels.
278
00:08:57,240 –> 00:08:58,600
Trip wires in the carpet.
279
00:08:58,600 –> 00:08:59,800
Sirens in the ceiling.
280
00:08:59,800 –> 00:09:02,600
Because once words leave the mouth, they travel.
281
00:09:02,600 –> 00:09:04,040
Layer 2.
282
00:09:04,040 –> 00:09:06,760
Purview DLP for Teams chat and channels.
283
00:09:06,760 –> 00:09:09,240
We wire the trip wires right under their feet.
284
00:09:09,240 –> 00:09:11,640
So the next bad paste never clears the threshold.
285
00:09:11,640 –> 00:09:12,600
Goal is simple.
286
00:09:12,600 –> 00:09:14,360
PII doesn’t leave the keyboard.
287
00:09:14,360 –> 00:09:16,120
If it tries, users see the tip.
288
00:09:16,120 –> 00:09:17,560
Compliance gets the ping.
289
00:09:17,560 –> 00:09:19,320
The ledger records the move.
290
00:09:19,320 –> 00:09:21,560
Open Microsoft Purview.
291
00:09:21,560 –> 00:09:23,000
Data loss prevention.
292
00:09:23,000 –> 00:09:24,520
Create policy.
293
00:09:24,520 –> 00:09:26,680
Give it a name that carries weight.
294
00:09:26,680 –> 00:09:28,520
Teams priority PII block.
295
00:09:28,520 –> 00:09:30,040
Scope it tight first.
296
00:09:30,040 –> 00:09:31,000
Pilot users.
297
00:09:31,000 –> 00:09:31,880
Pilot teams.
298
00:09:31,880 –> 00:09:33,960
We scale once it bites clean.
299
00:09:33,960 –> 00:09:34,920
Locations.
300
00:09:34,920 –> 00:09:37,720
Select Teams chat and channel messages.
301
00:09:37,720 –> 00:09:40,040
Turn it on for both chat and channel.
302
00:09:40,040 –> 00:09:42,440
Because leaks don’t care about room names.
303
00:09:42,440 –> 00:09:44,040
Sensitive info types.
304
00:09:44,040 –> 00:09:45,880
Start with the usual suspects.
305
00:09:45,880 –> 00:09:47,480
US Social Security number.
306
00:09:47,480 –> 00:09:48,920
Credit card numbers.
307
00:09:48,920 –> 00:09:49,960
ABA routing.
308
00:09:49,960 –> 00:09:51,640
Bank account numbers.
309
00:09:51,640 –> 00:09:54,040
Medical terms if you live in HIPAA land.
310
00:09:54,040 –> 00:09:57,080
Add your own custom entity for internal IDs.
311
00:09:57,080 –> 00:09:58,440
HR employee number.
312
00:09:58,440 –> 00:09:59,720
Customer account code.
313
00:09:59,720 –> 00:10:01,080
Train it with a pattern.
314
00:10:01,080 –> 00:10:01,960
Check digit.
315
00:10:01,960 –> 00:10:03,480
Keyword proximity.
316
00:10:03,480 –> 00:10:05,560
Give the engine something real to grab.
317
00:10:05,560 –> 00:10:07,160
Now the rules. One for hard block,
318
00:10:07,160 –> 00:10:08,760
one for softer hands.
319
00:10:08,760 –> 00:10:10,360
First rule.
320
00:10:10,360 –> 00:10:11,720
High confidence.
321
00:10:11,720 –> 00:10:13,480
Block with override.
322
00:10:13,480 –> 00:10:14,440
Condition.
323
00:10:14,440 –> 00:10:15,160
Match count.
324
00:10:15,160 –> 00:10:17,880
At least 1 for SSN and PAN.
325
00:10:17,880 –> 00:10:19,000
Confidence high.
326
00:10:19,000 –> 00:10:20,760
No low signal noise.
327
00:10:20,760 –> 00:10:21,320
Action.
328
00:10:21,320 –> 00:10:22,520
Block the message.
329
00:10:22,520 –> 00:10:25,080
Allow override with business justification.
330
00:10:25,080 –> 00:10:27,320
Require users to type why.
331
00:10:27,320 –> 00:10:28,520
Not a checkbox.
332
00:10:28,520 –> 00:10:30,920
A written reason leaves fingerprints.
333
00:10:30,920 –> 00:10:32,920
Notify the user in real time.
334
00:10:32,920 –> 00:10:35,880
Policy tip says what hit and why it stopped.
335
00:10:35,880 –> 00:10:37,720
Add incident report to compliance.
336
00:10:37,720 –> 00:10:38,840
Severity high.
337
00:10:38,840 –> 00:10:41,320
Send to the mailbox that doesn’t sleep.
338
00:10:41,320 –> 00:10:42,600
Second rule.
339
00:10:42,600 –> 00:10:43,960
Medium confidence.
340
00:10:43,960 –> 00:10:45,720
Educate and alert.
341
00:10:45,720 –> 00:10:46,920
Lower the match count.
342
00:10:46,920 –> 00:10:48,040
Confidence medium.
343
00:10:48,040 –> 00:10:48,760
Action.
344
00:10:48,760 –> 00:10:49,400
Allow.
345
00:10:49,400 –> 00:10:50,440
But warn.
346
00:10:50,440 –> 00:10:52,200
Policy tip with guidance.
347
00:10:52,200 –> 00:10:55,560
Incident goes to compliance as medium.
348
00:10:55,560 –> 00:10:58,360
This builds muscle without breaking work.
349
00:10:58,360 –> 00:10:59,960
User experience matters.
350
00:10:59,960 –> 00:11:01,240
You want friction.
351
00:11:01,240 –> 00:11:02,280
Not revolt.
352
00:11:02,280 –> 00:11:05,400
So write the tip text in clear words.
353
00:11:05,400 –> 00:11:07,320
Looks like a social security number.
354
00:11:07,320 –> 00:11:09,640
This is blocked to prevent exposure.
355
00:11:09,640 –> 00:11:12,360
If this is a test or a proof transfer,
356
00:11:12,360 –> 00:11:14,920
choose override and explain.
357
00:11:14,920 –> 00:11:18,160
No legal sludge. Plain, sharp. Tuning time:
358
00:11:18,160 –> 00:11:22,760
confidence thresholds. Set SSN to high with pattern and checksum.
359
00:11:22,760 –> 00:11:26,280
Set PAN to high with Luhn validation and issuer detection.
360
00:11:26,280 –> 00:11:28,840
Kill the noise from random numbers in logs.
361
00:11:28,840 –> 00:11:31,160
Require context keywords for custom IDs.
362
00:11:31,160 –> 00:11:33,960
Customer ID, ACCT, MRN.
363
00:11:33,960 –> 00:11:36,440
Raise match count for noisy types to two.
364
00:11:36,440 –> 00:11:40,600
Lower for crown jewels to one. Tune or drown. Exemptions.
365
00:11:40,600 –> 00:11:42,040
You need sandboxes.
366
00:11:42,040 –> 00:11:44,600
Add test channels to an exception group.
367
00:11:44,600 –> 00:11:45,720
Security lab.
368
00:11:45,720 –> 00:11:47,000
Training space.
369
00:11:47,000 –> 00:11:48,440
Keep production hot.
370
00:11:48,440 –> 00:11:50,680
Lab safe. Notifications.
371
00:11:50,680 –> 00:11:52,360
Turn on admin alerts.
372
00:11:52,360 –> 00:11:56,040
Include matched content samples for compliance when lawful.
373
00:11:56,040 –> 00:12:00,200
Mask digits in emails to reduce spill in the alert itself.
374
00:12:00,200 –> 00:12:03,880
Balance evidence with exposure, because even alerts can leak.
375
00:12:03,880 –> 00:12:06,520
Now the evidence trail. In Purview, open alerts.
376
00:12:06,520 –> 00:12:07,560
Filter by policy name.
377
00:12:07,560 –> 00:12:08,680
You’ll see the hits.
378
00:12:08,680 –> 00:12:14,280
Time, user, location, match type. Export to CSV, feed the SIEM,
379
00:12:14,280 –> 00:12:18,200
set thresholds for spikes, because sudden bursts mean a surge
380
00:12:18,200 –> 00:12:20,520
or a test gone rogue. Test plan.
381
00:12:20,520 –> 00:12:23,160
In a pilot team, paste a known test PAN.
382
00:12:23,160 –> 00:12:25,720
Use 4111 1111 1111 1111.
383
00:12:25,720 –> 00:12:29,880
The Luhn passes. The rule should bark. Policy tip appears.
384
00:12:29,880 –> 00:12:34,520
Send blocked. Try override, type justification.
385
00:12:34,520 –> 00:12:38,520
Test transfer to approved processor, allowed with log.
386
00:12:38,520 –> 00:12:41,320
Now paste the fake SSN pattern without checksum.
387
00:12:41,320 –> 00:12:44,600
Rule shouldn’t fire, at least not the high confidence one.
388
00:12:44,600 –> 00:12:47,400
If it does, your thresholds are sloppy.
389
00:12:47,400 –> 00:12:48,840
Try exfil by file.
390
00:12:48,840 –> 00:12:51,240
Upload a text file with three SSNs.
391
00:12:51,240 –> 00:12:53,240
DLP for teams covers messages.
392
00:12:53,240 –> 00:12:56,200
Files are guarded by SharePoint and OneDrive DLP,
393
00:12:56,200 –> 00:12:59,400
so add the same policy to those locations.
394
00:12:59,400 –> 00:13:00,600
Mirror the rules.
395
00:13:00,600 –> 00:13:03,080
Now post the file link in the channel.
396
00:13:03,080 –> 00:13:04,600
Watch two engines hum.
397
00:13:04,600 –> 00:13:06,040
Teams tip for message.
398
00:13:06,040 –> 00:13:08,040
SharePoint DLP for file.
399
00:13:08,040 –> 00:13:10,280
Defense in depth, not in name.
400
00:13:10,280 –> 00:13:12,840
In action, coach the users.
401
00:13:12,840 –> 00:13:15,880
Add a link in the policy tip to a short page.
402
00:13:15,880 –> 00:13:17,720
Send sensitive data the right way.
403
00:13:17,720 –> 00:13:22,200
Approved channels, secure forms, encrypted mail if you must.
404
00:13:22,200 –> 00:13:24,680
DLP without guidance breeds workarounds.
405
00:13:24,680 –> 00:13:26,200
You want behavior change.
406
00:13:26,200 –> 00:13:28,920
Not shadow IT. Edge cases: third-party apps in Teams.
407
00:13:28,920 –> 00:13:31,400
DLP doesn’t always see inside those pipes,
408
00:13:31,400 –> 00:13:33,240
disable apps you can’t inspect.
409
00:13:33,240 –> 00:13:35,000
Or fence them with permissions,
410
00:13:35,000 –> 00:13:37,240
because blind spots invite ghosts.
411
00:13:37,240 –> 00:13:41,880
Roll out pilot first, tune noise out, then expand by department.
412
00:13:41,880 –> 00:13:44,200
Finance, HR, legal.
413
00:13:44,200 –> 00:13:45,800
Finally, flip to org wide.
414
00:13:45,800 –> 00:13:46,920
Announce the why.
415
00:13:46,920 –> 00:13:48,040
Show the gains.
416
00:13:48,040 –> 00:13:50,200
Share the reduced incident count.
417
00:13:50,200 –> 00:13:52,520
Close the loop, metrics, number of blocks,
418
00:13:52,520 –> 00:13:54,120
overrides with reason codes.
419
00:13:54,120 –> 00:13:55,640
Repeat offenders.
420
00:13:55,640 –> 00:13:56,920
Time to alert.
421
00:13:56,920 –> 00:13:58,120
Time to triage.
422
00:13:58,120 –> 00:14:00,120
You don’t guess, you measure.
423
00:14:00,120 –> 00:14:02,520
Now the carpet’s wired, trip wires hum.
424
00:14:02,520 –> 00:14:04,600
Messages can’t bleed without a siren.
425
00:14:04,600 –> 00:14:06,360
Good, but guests are still inside,
426
00:14:06,360 –> 00:14:07,880
and they don’t leave on their own.
427
00:14:07,880 –> 00:14:10,120
Layer three.
428
00:14:10,120 –> 00:14:13,240
Guest access guardrails in Entra ID governance.
429
00:14:13,240 –> 00:14:14,680
Guests are wild cards,
430
00:14:14,680 –> 00:14:17,320
cheap identities, light footprints.
431
00:14:17,320 –> 00:14:19,720
They drift in, they rarely drift out.
432
00:14:19,720 –> 00:14:20,760
Goal is clear.
433
00:14:20,760 –> 00:14:23,720
Guests face MFA.
434
00:14:23,720 –> 00:14:24,840
Guests expire.
435
00:14:24,840 –> 00:14:27,560
Reviews run on a clock.
436
00:14:27,560 –> 00:14:30,040
External sharing tightens to a pinhole.
437
00:14:30,040 –> 00:14:32,360
And when the timer hits zero, door slam.
438
00:14:32,360 –> 00:14:34,840
Start with B2B inbound settings.
439
00:14:34,840 –> 00:14:35,880
Entra ID.
440
00:14:35,880 –> 00:14:37,400
External identities.
441
00:14:37,400 –> 00:14:39,320
Cross tenant access settings.
442
00:14:39,320 –> 00:14:41,400
Don’t let just anyone invite.
443
00:14:41,400 –> 00:14:44,520
Turn off self-service sign-up unless you actually govern it.
444
00:14:44,520 –> 00:14:47,160
Limit who can invite to specific roles.
445
00:14:47,160 –> 00:14:49,400
Identity governance admins.
446
00:14:49,400 –> 00:14:50,520
Group owners you trust.
447
00:14:50,520 –> 00:14:51,560
Not the whole city.
448
00:14:51,560 –> 00:14:53,000
Redemption rules next.
449
00:14:53,000 –> 00:14:55,400
Force guest redemption with a real account.
450
00:14:55,400 –> 00:14:59,240
Entra backed or at least a federated identity you can challenge.
451
00:14:59,240 –> 00:15:02,680
No unmanaged personal shadows. Require MFA at redemption.
452
00:15:02,680 –> 00:15:04,360
Make them bind to a factor on day one.
453
00:15:04,360 –> 00:15:06,200
You want weight on the identity.
454
00:15:06,200 –> 00:15:07,560
Friction that leaves marks.
455
00:15:07,560 –> 00:15:09,240
Now lock devices for guests.
456
00:15:09,240 –> 00:15:11,000
If your model allows it,
457
00:15:11,000 –> 00:15:14,520
require compliant or hybrid joined devices
458
00:15:14,520 –> 00:15:17,240
for guest access to sensitive apps.
459
00:15:17,240 –> 00:15:19,320
If not, use app-based controls.
460
00:15:19,320 –> 00:15:21,160
Conditional access for guests.
461
00:15:21,160 –> 00:15:21,880
Users.
462
00:15:21,880 –> 00:15:23,560
Guests and external users.
463
00:15:23,560 –> 00:15:24,600
Cloud apps.
464
00:15:24,600 –> 00:15:26,120
SharePoint online.
465
00:15:26,120 –> 00:15:26,920
Teams.
466
00:15:26,920 –> 00:15:29,080
Exchange online if you expose mail.
467
00:15:29,080 –> 00:15:30,840
Grant.
468
00:15:30,840 –> 00:15:32,760
Require MFA.
469
00:15:32,760 –> 00:15:36,680
And either require device to be marked compliant
470
00:15:36,680 –> 00:15:41,080
or require approved client apps with app protection.
471
00:15:41,080 –> 00:15:42,040
Pick one.
472
00:15:42,040 –> 00:15:43,320
Be explicit.
473
00:15:43,320 –> 00:15:45,080
Because vague rules leak.
474
00:15:45,080 –> 00:15:47,720
External sharing defaults.
475
00:15:47,720 –> 00:15:50,200
SharePoint admin center.
476
00:15:50,200 –> 00:15:51,640
Policies.
477
00:15:51,640 –> 00:15:52,840
Sharing.
478
00:15:52,840 –> 00:15:54,840
Dial it down to.
479
00:15:54,840 –> 00:15:57,320
Existing guests only.
480
00:15:57,320 –> 00:15:58,680
No anyone links.
481
00:15:58,680 –> 00:16:01,480
No new external users from random shares.
482
00:16:01,480 –> 00:16:03,560
Block new invites at the file edge.
483
00:16:03,560 –> 00:16:06,040
Bring new guests through the front desk.
484
00:16:06,040 –> 00:16:07,240
Always.
485
00:16:07,240 –> 00:16:08,840
Site level controls.
486
00:16:08,840 –> 00:16:11,240
Private channels have their own sites.
487
00:16:11,240 –> 00:16:12,200
Tighten those too.
488
00:16:12,200 –> 00:16:14,120
Disable anyone links at the site.
489
00:16:14,120 –> 00:16:16,840
Set default link type to specific people.
490
00:16:16,840 –> 00:16:20,600
Expire shared links after seven days.
491
00:16:20,600 –> 00:16:21,880
Short, sharp windows.
492
00:16:21,880 –> 00:16:23,320
Doors that close without asking.
493
00:16:23,320 –> 00:16:24,760
Now the lifecycle engine.
494
00:16:24,760 –> 00:16:26,360
Access reviews.
495
00:16:26,360 –> 00:16:28,280
Microsoft Entra ID Governance.
496
00:16:28,280 –> 00:16:30,840
Create a review for groups and teams.
497
00:16:30,840 –> 00:16:34,040
Scope to enabled Microsoft 365 groups with guests.
498
00:16:34,040 –> 00:16:35,960
Reviewers.
499
00:16:35,960 –> 00:16:37,400
Group owners.
500
00:16:37,400 –> 00:16:39,000
They know who still belongs.
501
00:16:39,000 –> 00:16:39,800
Frequency.
502
00:16:39,800 –> 00:16:41,080
Monthly for hot teams.
503
00:16:41,080 –> 00:16:42,520
Quarterly for the rest.
504
00:16:42,520 –> 00:16:43,560
Settings.
505
00:16:43,560 –> 00:16:46,120
If reviewer doesn’t respond, remove access.
506
00:16:46,120 –> 00:16:47,480
Auto-apply results.
507
00:16:47,480 –> 00:16:48,840
No manual mercy.
508
00:16:48,840 –> 00:16:50,680
Guests who don’t get renewed are gone.
509
00:16:50,680 –> 00:16:51,400
No drama.
510
00:16:51,400 –> 00:16:52,520
Just a clean cut.
511
00:16:52,520 –> 00:16:53,960
Notifications matter.
512
00:16:53,960 –> 00:16:56,280
Remind reviewers a week before due.
513
00:16:56,280 –> 00:16:57,720
Three days before.
514
00:16:57,720 –> 00:16:58,680
Last day too.
515
00:16:58,680 –> 00:16:59,720
People forget.
516
00:16:59,720 –> 00:17:01,080
You automate the memory.
517
00:17:01,080 –> 00:17:02,280
Add a second review.
518
00:17:02,280 –> 00:17:05,240
Guests themselves confirm they still need access.
519
00:17:05,240 –> 00:17:06,600
Self-attestation.
520
00:17:06,600 –> 00:17:08,040
Owners approve.
521
00:17:08,040 –> 00:17:09,640
Two lights must turn green.
522
00:17:09,640 –> 00:17:10,840
Otherwise, darkness.
523
00:17:10,840 –> 00:17:13,400
Exploration policies.
524
00:17:13,400 –> 00:17:15,160
Group expiration.
525
00:17:15,160 –> 00:17:18,040
Set 180 days for project groups.
526
00:17:18,040 –> 00:17:19,400
Owners get renewal prompts.
527
00:17:19,400 –> 00:17:21,640
If nobody renews the group retires.
528
00:17:21,640 –> 00:17:23,640
Backed up by retention if you needed.
529
00:17:23,640 –> 00:17:25,240
Guests account expiration.
530
00:17:25,240 –> 00:17:27,000
Use entitlement management.
531
00:17:27,000 –> 00:17:29,880
Access packages with time-bound assignments.
532
00:17:29,880 –> 00:17:31,400
60 or 90 days.
533
00:17:31,400 –> 00:17:33,400
Extensions require approval.
534
00:17:33,400 –> 00:17:35,240
No perpetual passes.
535
00:17:35,240 –> 00:17:38,120
Entitlement management is your concierge.
536
00:17:38,120 –> 00:17:41,000
Create a catalog for external collaboration.
537
00:17:41,000 –> 00:17:43,960
Build access packages per project or partner.
538
00:17:43,960 –> 00:17:44,840
Include the team.
539
00:17:44,840 –> 00:17:46,120
Include the SharePoint sites
540
00:17:46,120 –> 00:17:47,400
behind private channels.
541
00:17:47,400 –> 00:17:49,320
Include required apps.
542
00:17:49,320 –> 00:17:52,120
Define who can request their domain.
543
00:17:52,120 –> 00:17:53,800
Or just invited users.
544
00:17:53,800 –> 00:17:55,080
Approval workflow.
545
00:17:55,080 –> 00:17:56,680
Business owner signs off.
546
00:17:56,680 –> 00:17:58,040
Assignment duration.
547
00:17:58,040 –> 00:17:58,680
Fixed.
548
00:17:58,680 –> 00:17:59,480
Auto-remove.
549
00:17:59,480 –> 00:18:00,360
On expiry.
550
00:18:00,360 –> 00:18:01,560
That’s the cut.
551
00:18:01,560 –> 00:18:02,760
Onboarding gets cleaner.
552
00:18:02,760 –> 00:18:04,360
Offboarding gets automatic.
553
00:18:04,360 –> 00:18:06,200
Audit trail writes itself.
554
00:18:06,200 –> 00:18:07,080
Every approval.
555
00:18:07,080 –> 00:18:08,120
Every extension.
556
00:18:08,120 –> 00:18:09,080
Every removal.
557
00:18:09,080 –> 00:18:10,040
You don’t guess.
558
00:18:10,040 –> 00:18:11,320
You show receipts.
559
00:18:11,320 –> 00:18:13,480
Conditional access cleanup for guests.
560
00:18:13,480 –> 00:18:15,000
High-risk sign-in.
561
00:18:15,000 –> 00:18:16,040
Block.
562
00:18:16,040 –> 00:18:17,240
Medium-risk.
563
00:18:17,240 –> 00:18:19,240
Require password change.
564
00:18:19,240 –> 00:18:21,480
Risk comes from identity protection.
565
00:18:21,480 –> 00:18:23,080
Let it bite guests too.
566
00:18:23,080 –> 00:18:25,720
Because someone will try to borrow a guest’s skin.
567
00:18:25,720 –> 00:18:26,520
Testing time.
568
00:18:26,520 –> 00:18:27,560
Invite a test guest.
569
00:18:27,560 –> 00:18:29,000
Make them redeem with MFA.
570
00:18:29,000 –> 00:18:32,200
If they slide past it, your guest policy missed the assignment.
571
00:18:32,200 –> 00:18:33,080
Fix the scope.
572
00:18:33,080 –> 00:18:34,680
Put them in the access package.
573
00:18:34,680 –> 00:18:36,520
Watch approval flow trigger.
574
00:18:36,520 –> 00:18:37,400
Owner approves.
575
00:18:37,400 –> 00:18:38,440
Assignment grants.
576
00:18:38,440 –> 00:18:39,560
They enter the team.
577
00:18:39,560 –> 00:18:41,000
Now check device gate.
578
00:18:41,000 –> 00:18:43,640
From an unmanaged desktop browser,
579
00:18:43,640 –> 00:18:46,360
try to open the private channel files.
580
00:18:46,360 –> 00:18:49,000
Should fail with compliant device required.
581
00:18:49,560 –> 00:18:51,320
On mobile unmanaged,
582
00:18:51,320 –> 00:18:55,080
teams opens only with the approved app and app protection.
583
00:18:55,080 –> 00:18:58,920
Cut, paste, share, data lives in a sandbox.
584
00:18:58,920 –> 00:18:59,640
Good.
585
00:18:59,640 –> 00:19:00,840
Now age the guest.
586
00:19:00,840 –> 00:19:03,160
Shorten the clock to seven days in test.
587
00:19:03,160 –> 00:19:04,280
Let the review fire.
588
00:19:04,280 –> 00:19:05,720
Owner doesn’t respond.
589
00:19:05,720 –> 00:19:08,040
Auto-remove drops the guest from the group.
590
00:19:08,040 –> 00:19:09,960
SharePoint site access revoked.
591
00:19:09,960 –> 00:19:10,840
Try sync again.
592
00:19:10,840 –> 00:19:11,880
Client breaks.
593
00:19:11,880 –> 00:19:12,920
Access denied.
594
00:19:12,920 –> 00:19:14,040
That’s the sound you want.
595
00:19:14,040 –> 00:19:14,840
One more drill.
596
00:19:14,840 –> 00:19:16,040
Owner renews the group.
597
00:19:16,040 –> 00:19:17,640
But forgets the guest review.
598
00:19:17,640 –> 00:19:18,760
Guest falls out.
599
00:19:18,760 –> 00:19:19,960
Files still safe.
600
00:19:19,960 –> 00:19:21,320
Threads still visible.
601
00:19:21,320 –> 00:19:22,920
Only until cash clears.
602
00:19:22,920 –> 00:19:24,520
Then the neon goes dark.
603
00:19:24,520 –> 00:19:26,280
Matrix always.
604
00:19:26,280 –> 00:19:27,880
Number of active guests.
605
00:19:27,880 –> 00:19:29,480
Average guest age.
606
00:19:29,480 –> 00:19:31,240
Reviews completed on time.
607
00:19:31,240 –> 00:19:33,560
Auto-removeals versus approved renewals.
608
00:19:33,560 –> 00:19:35,240
External sharing link counts.
609
00:19:35,240 –> 00:19:36,280
Private channel site.
610
00:19:36,280 –> 00:19:37,640
External access incidents.
611
00:19:37,640 –> 00:19:38,520
You want to slope.
612
00:19:38,520 –> 00:19:39,560
Downward.
613
00:19:39,560 –> 00:19:42,520
Because in this city, guests don’t leave on their own.
614
00:19:42,520 –> 00:19:43,720
You escort them to the door.
615
00:19:43,720 –> 00:19:45,000
You take back the key.
616
00:19:45,000 –> 00:19:46,600
And you lock the good bye.
617
00:19:46,600 –> 00:19:47,560
Layer 4.
618
00:19:47,560 –> 00:19:49,880
Audit forensics and automated reporting.
619
00:19:49,880 –> 00:19:51,560
Per view plus UAL.
620
00:19:51,560 –> 00:19:53,160
Now we need truth.
621
00:19:53,160 –> 00:19:54,440
Cold timestamp.
622
00:19:54,440 –> 00:19:55,480
Signed by the system.
623
00:19:55,480 –> 00:19:57,160
Enable the unified audit log.
624
00:19:57,160 –> 00:19:58,760
If it’s off, nothing exists.
625
00:19:58,760 –> 00:20:00,040
No retroactive memory.
626
00:20:00,040 –> 00:20:01,000
Turn it on in Per view.
627
00:20:01,000 –> 00:20:01,880
Confirm your role.
628
00:20:01,880 –> 00:20:02,600
Conceit.
629
00:20:02,600 –> 00:20:04,200
Audit logs or view only.
630
00:20:04,200 –> 00:20:06,040
Otherwise, you’re staring through glass.
631
00:20:06,040 –> 00:20:07,800
Set retention to what you paid for.
632
00:20:07,800 –> 00:20:09,400
E3 gives you short memory.
633
00:20:09,400 –> 00:20:10,520
E5 stretches it.
634
00:20:10,520 –> 00:20:13,000
If you’ve got advanced audit, extend key events.
635
00:20:13,000 –> 00:20:15,000
High value crumbs last longer.
636
00:20:15,000 –> 00:20:17,080
Because investigations don’t run on hope.
637
00:20:17,080 –> 00:20:18,520
They run on timestamps.
638
00:20:18,520 –> 00:20:20,200
Scope your watch list.
639
00:20:20,200 –> 00:20:21,960
Teams activity worth tracking.
640
00:20:21,960 –> 00:20:23,000
Member added.
641
00:20:23,000 –> 00:20:24,120
Member removed.
642
00:20:24,120 –> 00:20:25,160
Team created.
643
00:20:25,160 –> 00:20:26,280
Channel created.
644
00:20:26,280 –> 00:20:27,880
Private channel created.
645
00:20:27,880 –> 00:20:29,560
External user added.
646
00:20:29,560 –> 00:20:31,640
SharePoint file shared externally.
647
00:20:31,640 –> 00:20:34,280
Sharing link created or changed.
648
00:20:34,280 –> 00:20:35,880
Meeting recording uploaded.
649
00:20:35,880 –> 00:20:37,640
Sensitivity label changed.
650
00:20:37,640 –> 00:20:39,240
Those are doors opening.
651
00:20:39,240 –> 00:20:42,120
And sometimes closing too late.
652
00:20:42,120 –> 00:20:43,400
Queries first.
653
00:20:43,400 –> 00:20:46,600
Per view, audit, activity filter.
654
00:20:46,600 –> 00:20:49,400
Start with added member to team.
655
00:20:49,400 –> 00:20:50,840
Find new blood.
656
00:20:50,840 –> 00:20:54,840
Add added member to SharePoint group for private channel sites.
657
00:20:54,840 –> 00:20:57,800
Because private channels punch a hole in a new wall.
658
00:20:57,800 –> 00:21:00,280
Crosscheck external user invited.
659
00:21:00,280 –> 00:21:03,800
Follow the guest from invite to entry to file touch.
660
00:21:03,800 –> 00:21:05,960
Chain the events.
661
00:21:05,960 –> 00:21:08,360
Build the story.
662
00:21:08,360 –> 00:21:10,280
Now file moves.
663
00:21:10,280 –> 00:21:13,640
Share file folder or site.
664
00:21:13,640 –> 00:21:15,720
External file accessed.
665
00:21:15,720 –> 00:21:17,640
Anonymous link created.
666
00:21:17,640 –> 00:21:19,400
Anonymous link used.
667
00:21:19,400 –> 00:21:22,600
If you see anyone links, that’s a streetlight flicker.
668
00:21:22,600 –> 00:21:24,920
You tighten sharing or you bleed.
669
00:21:24,920 –> 00:21:26,280
Meeting traces.
670
00:21:26,280 –> 00:21:28,120
Meeting created.
671
00:21:28,120 –> 00:21:29,560
Recording started.
672
00:21:29,560 –> 00:21:32,440
Recording uploaded to one drive or SharePoint.
673
00:21:32,440 –> 00:21:34,040
Transcript created.
674
00:21:34,040 –> 00:21:36,520
Those artifacts carry secrets.
675
00:21:36,520 –> 00:21:38,200
Treat them like vault contents.
676
00:21:38,200 –> 00:21:41,560
Label them, hold them or expect a subpoena to find you first.
677
00:21:41,560 –> 00:21:43,080
Export the trail.
678
00:21:43,080 –> 00:21:45,000
CSV out to your sim.
679
00:21:45,000 –> 00:21:47,640
KQL if you’re living in the cloud with Sentinel.
680
00:21:47,640 –> 00:21:49,000
Normalize fields.
681
00:21:49,000 –> 00:21:49,720
Actor.
682
00:21:49,720 –> 00:21:50,360
Target.
683
00:21:50,360 –> 00:21:51,240
Location.
684
00:21:51,240 –> 00:21:52,040
IP.
685
00:21:52,040 –> 00:21:52,680
App.
686
00:21:52,680 –> 00:21:55,080
Build detections that don’t sleep.
687
00:21:55,080 –> 00:21:56,360
Patterns to flag.
688
00:21:56,360 –> 00:21:58,280
Guest added to private channel site.
689
00:21:58,280 –> 00:22:00,920
Within 24 hours, external links surged.
690
00:22:00,920 –> 00:22:02,800
That’s a correlation you don’t ignore.
691
00:22:02,800 –> 00:22:04,920
Owner flips default link type to anyone.
692
00:22:04,920 –> 00:22:07,240
Then a midnight spike in anonymous downloads.
693
00:22:07,240 –> 00:22:09,080
That’s not maintenance.
694
00:22:09,080 –> 00:22:10,520
That’s a siphon.
695
00:22:10,520 –> 00:22:12,040
Automate the bark.
696
00:22:12,040 –> 00:22:13,080
Seem rule.
697
00:22:13,080 –> 00:22:17,000
If external sharing enabled on a private channel site.
698
00:22:17,000 –> 00:22:19,400
Send high priority alert.
699
00:22:19,400 –> 00:22:23,640
If external user added and require MFA for guests.
700
00:22:23,640 –> 00:22:25,400
Not satisfied at sign-in.
701
00:22:25,400 –> 00:22:26,840
Page on call.
702
00:22:26,840 –> 00:22:30,760
If anonymous link created count X in an hour.
703
00:22:30,760 –> 00:22:34,920
Disable anyone links tenant wide-wire response playbook.
704
00:22:34,920 –> 00:22:35,960
Temporary.
705
00:22:35,960 –> 00:22:36,920
Surgical.
706
00:22:36,920 –> 00:22:38,440
Then investigate.
707
00:22:38,440 –> 00:22:40,280
Work flow matters.
708
00:22:40,280 –> 00:22:41,160
Prepare.
709
00:22:41,160 –> 00:22:42,520
You’ve written the runbook.
710
00:22:42,520 –> 00:22:43,800
Who triages.
711
00:22:43,800 –> 00:22:45,000
Who contains.
712
00:22:45,000 –> 00:22:46,280
Who calls legal.
713
00:22:46,280 –> 00:22:47,640
It’s all inked.
714
00:22:47,640 –> 00:22:48,680
Triage.
715
00:22:48,680 –> 00:22:50,360
Confirm the signal.
716
00:22:50,360 –> 00:22:53,320
Is it a policy drift or a human pulling a fast one?
717
00:22:53,320 –> 00:22:54,920
Don’t waste minutes on ghosts.
718
00:22:54,920 –> 00:22:55,720
Contain.
719
00:22:55,720 –> 00:22:57,160
Remove guest from group.
720
00:22:57,160 –> 00:22:59,560
Kill shared links at the site.
721
00:22:59,560 –> 00:23:03,480
Flip site sharing down to existing guests.
722
00:23:03,480 –> 00:23:05,560
Lock the room while you count heads.
723
00:23:05,560 –> 00:23:06,760
Irradiate find the route.
724
00:23:06,760 –> 00:23:09,240
Was this an owner shortcut or a policy gap?
725
00:23:09,240 –> 00:23:10,120
Close it.
726
00:23:10,120 –> 00:23:11,320
Document the patch.
727
00:23:11,320 –> 00:23:13,240
No silent fixes.
728
00:23:13,240 –> 00:23:14,280
Recover.
729
00:23:14,280 –> 00:23:16,360
Restore access the right way.
730
00:23:16,360 –> 00:23:17,880
Access packages.
731
00:23:17,880 –> 00:23:19,720
Specific links only.
732
00:23:19,720 –> 00:23:21,000
Expire them.
733
00:23:21,000 –> 00:23:23,240
Make the owner feel the difference.
734
00:23:23,240 –> 00:23:24,520
Post-incident.
735
00:23:24,520 –> 00:23:25,720
Write the ledger.
736
00:23:25,720 –> 00:23:26,520
Timeline.
737
00:23:26,520 –> 00:23:27,560
Actors.
738
00:23:27,560 –> 00:23:29,000
Controls that fired.
739
00:23:29,000 –> 00:23:30,440
Controls that failed.
740
00:23:30,440 –> 00:23:31,560
Decisions made.
741
00:23:31,560 –> 00:23:32,760
Evidence preserved.
742
00:23:32,760 –> 00:23:34,840
Share it with the few who must know.
743
00:23:34,840 –> 00:23:36,760
Lessons fold back into policy.
744
00:23:36,760 –> 00:23:38,360
Dashboards help you breathe.
745
00:23:38,360 –> 00:23:39,800
Build one for leadership.
746
00:23:39,800 –> 00:23:40,600
No fluff.
747
00:23:40,600 –> 00:23:41,960
DLP hits this week.
748
00:23:41,960 –> 00:23:42,840
Guest count.
749
00:23:42,840 –> 00:23:43,800
Trend line.
750
00:23:43,800 –> 00:23:47,000
External link inventory by sensitivity label.
751
00:23:47,000 –> 00:23:48,840
Top teams by guest density.
752
00:23:48,840 –> 00:23:51,240
Private channel sites with external access.
753
00:23:51,240 –> 00:23:52,520
Mean time to triage.
754
00:23:52,520 –> 00:23:53,560
Mean time to contain.
755
00:23:53,560 –> 00:23:54,840
Green turns to yellow.
756
00:23:54,840 –> 00:23:56,360
Yellow to red.
757
00:23:56,360 –> 00:23:57,560
People look.
758
00:23:57,560 –> 00:23:58,840
People act.
759
00:23:58,840 –> 00:24:00,600
Schedule compliance reports.
760
00:24:00,600 –> 00:24:02,040
Weekly to security.
761
00:24:02,040 –> 00:24:03,320
Monthly to legal.
762
00:24:03,320 –> 00:24:04,680
Quarterly to audit.
763
00:24:04,680 –> 00:24:05,880
Automate the pool.
764
00:24:05,880 –> 00:24:07,960
Don’t rely on a calendar in a coffee.
765
00:24:07,960 –> 00:24:10,840
Tabletop the two scars we opened earlier.
766
00:24:10,840 –> 00:24:12,040
Guest linker case.
767
00:24:12,040 –> 00:24:13,240
Replay the audit trail.
768
00:24:13,240 –> 00:24:14,840
Where did the log first whisper?
769
00:24:14,840 –> 00:24:16,040
Who should have seen it?
770
00:24:16,040 –> 00:24:18,040
Run it again with your new detections.
771
00:24:18,040 –> 00:24:19,400
Make sure the bark is loud.
772
00:24:19,400 –> 00:24:20,760
PII paste case.
773
00:24:20,760 –> 00:24:21,880
Trace DLP alert.
774
00:24:21,880 –> 00:24:23,080
Trace user override.
775
00:24:23,080 –> 00:24:24,200
Trace email export.
776
00:24:24,200 –> 00:24:26,040
Confirm the chain of custody holds.
777
00:24:26,040 –> 00:24:27,000
Then try to break it.
778
00:24:27,000 –> 00:24:27,880
Delete a message.
779
00:24:27,880 –> 00:24:29,720
Does retention keep the shadow?
780
00:24:29,720 –> 00:24:31,320
If yes, you’re ready for court.
781
00:24:31,320 –> 00:24:32,920
If not, fix the hold.
782
00:24:32,920 –> 00:24:35,080
Because in this city stories win.
783
00:24:35,080 –> 00:24:37,800
But only when the ledger backs them.
784
00:24:37,800 –> 00:24:38,840
Layer five.
785
00:24:38,840 –> 00:24:42,520
Retention and legal hold that survives scrutiny.
786
00:24:42,520 –> 00:24:44,680
Now we freeze the echoes.
787
00:24:44,680 –> 00:24:45,960
So evidence doesn’t vanish.
788
00:24:45,960 –> 00:24:48,040
So cleanup doesn’t become spoliation.
789
00:24:48,040 –> 00:24:49,240
Map the data.
790
00:24:49,240 –> 00:24:50,280
Teams chat.
791
00:24:50,280 –> 00:24:51,720
Channel posts.
792
00:24:51,720 –> 00:24:54,120
Files in SharePoint and OneDrive.
793
00:24:54,120 –> 00:24:55,880
Meeting recordings and transcripts.
794
00:24:55,880 –> 00:24:57,080
All different pipes.
795
00:24:57,080 –> 00:24:57,880
One story.
796
00:24:57,880 –> 00:24:59,000
Open purview.
797
00:24:59,000 –> 00:25:00,040
Retention.
798
00:25:00,040 –> 00:25:02,360
Create policies for teams messages.
799
00:25:02,360 –> 00:25:03,480
Set minimum keep.
800
00:25:03,480 –> 00:25:06,120
Two to seven years fits most regs.
801
00:25:06,120 –> 00:25:08,280
No delete before no user purge.
802
00:25:08,280 –> 00:25:10,280
For files aligned to your rule book,
803
00:25:10,280 –> 00:25:13,720
finance longer, general shorter label where you can.
804
00:25:13,720 –> 00:25:15,640
Let the label drive the clock.
805
00:25:15,640 –> 00:25:17,400
Legal hold next.
806
00:25:17,400 –> 00:25:18,760
E-discovery premium.
807
00:25:18,760 –> 00:25:19,960
If you have it.
808
00:25:19,960 –> 00:25:21,160
Create a case.
809
00:25:21,160 –> 00:25:22,680
Add custodians.
810
00:25:22,680 –> 00:25:25,880
Add sites for hot teams and private channels.
811
00:25:25,880 –> 00:25:28,360
Place hold holds override deletion.
812
00:25:28,360 –> 00:25:30,680
That’s the steel bar on the archive door.
813
00:25:30,680 –> 00:25:32,360
Less is more after that.
814
00:25:32,360 –> 00:25:35,000
Outside the hold, delete what you don’t need.
815
00:25:35,000 –> 00:25:37,240
Short retention trims blast radius.
816
00:25:37,240 –> 00:25:39,320
You can’t leak what you don’t hold.
817
00:25:39,320 –> 00:25:40,680
Audit the process.
818
00:25:40,680 –> 00:25:42,440
Export hold actions.
819
00:25:42,440 –> 00:25:43,880
Log who placed it?
820
00:25:43,880 –> 00:25:44,440
Why?
821
00:25:44,440 –> 00:25:45,000
When?
822
00:25:45,000 –> 00:25:46,120
Scope.
823
00:25:46,120 –> 00:25:48,040
Maintain chain of custody notes.
824
00:25:48,040 –> 00:25:49,160
Prove it.
825
00:25:49,160 –> 00:25:51,320
Delete a message in a held channel.
826
00:25:51,320 –> 00:25:52,120
Search the case.
827
00:25:52,120 –> 00:25:53,160
It’s still there.
828
00:25:53,160 –> 00:25:54,840
Delete a file on a held site.
829
00:25:54,840 –> 00:25:57,000
The preservation copy answers.
830
00:25:57,000 –> 00:25:58,440
Discovery runs.
831
00:25:58,440 –> 00:25:59,640
Ledger sings.
832
00:25:59,640 –> 00:26:00,520
Walls.
833
00:26:00,520 –> 00:26:01,560
Drains.
834
00:26:01,560 –> 00:26:02,280
Ledger.
835
00:26:02,280 –> 00:26:04,280
Hold system breathes.
836
00:26:04,280 –> 00:26:05,640
Key truth?
837
00:26:05,640 –> 00:26:06,520
Defaults.
838
00:26:06,520 –> 00:26:07,560
Trust too much.
839
00:26:07,560 –> 00:26:09,320
And your tenant bleeds for it.
840
00:26:09,320 –> 00:26:10,760
Lock this down now.
841
00:26:10,760 –> 00:26:12,280
Run the five layers.
842
00:26:12,280 –> 00:26:13,240
Test them.
843
00:26:13,240 –> 00:26:14,040
Watch alerts.
844
00:26:14,040 –> 00:26:15,800
Bark and logs line up.
845
00:26:15,800 –> 00:26:17,240
Subscribe if this helped.
846
00:26:17,240 –> 00:26:20,040
Then open the next walkthrough on zero trust teams
847
00:26:20,040 –> 00:26:21,240
with app control.