MCAS session control for sensitive information

I’ll start by apologizing that there hasn’t been a blog post in a long time. Me and my family have been sick with COVID-19 but fortunately we have recovered, which we are grateful for.

This article will be the first of a series of articles around Microsoft Cloud App Security (MCAS).

MCAS is an extremely powerful tool that can, among other things, support maintaining business requirements over how we can control our information in/to different cloud services.

Three common business cases
Click on the video to see it with the correct resolution.

Block certain information to be uploaded to the cloud
This video shows how we allow/block upload to the cloud based on the sensitivity of the fileMCASBlockUpload2

Blocking certain information for cloud storage is a prerequisite for most of the organizations in the public sector to even start using cloud services.

The organization needs to have an information classification in place, which is always the first step to get control of their information.

We can then block certain sensitive information in different ways to be stored in the cloud. EndPoint DLP is most commonly used for managed devices, while MCAS is the perfect solution for setting the same regulatory framework for other non corporate devices.

Block download of sensitive information

This video shows how we allow/block download from the cloud to an unmanaged device based on the sensitivity of the fileMCASBlockDownload

We can use Sensitivity Labels to block downloads from sensitive Team and SharePoint sites, but if we want to control downloading based on sensitivity MCAS can achieve this. A good example is when there is public information that is allowed to be downloaded regardless of device and we want to make sure that sensitive information from the same Team/Site are blocked from being downloaded to, for example, a home computer.

Block sensitive information in chat

This video shows how we can block users from sharing passwords

Another example concerns sensitive information written in posts/Chat where we may detect certain expressions indicating that a user is about to expose their password.

How does this work?

Let’s start by looking at how we can use Conditional Access and Session Control with a custom rule in MCAS.

To proxy the traffic, we start by creating a Conditional Access rule for the users and devices to which this should apply. In my case this affect all unmanaged devices accessing Office 365 SharePoint Online. We then Configure this as a Session rule with a custom policy.

This CA rule will redirect the session to MCAS. In MCAS we have created a couple of Session policies for the above scenarios.
If we take a look at the policy blocking uploading of sensitive data, we have defined the affected sensitivity labels that we want to block. We filter out the managed devices where we have EndPoint DLP to control the same thing. We have also created a customized block message for the end-users. It is very important that we clearly describe why something is blocked with guidelines on how to do instead or where they can find more information.

We can also create an alarm when this occurs for follow-up of this type of actions. In several cases, this can be a good start before we start blocking anything to get a good overview of the scope of this rule. As you can see in the above picture we got an overview of number of alerts that these policies triggers.


In the last video we see the end result of the above configuration when a user tries to access the URL –
This URL gets redirected to and the user get information about that this access is monitored.


I hope this article has supported you in your efforts to maintain all business requirements

In the next article, we’ll take a closer look at how MCAS can detect threats and automatically mitigate them to protect our identities and our environment.

Stay tuned!

Publicerat i MCAS, Microsoft Information Protection | Märkt , , | 1 kommentar

Revoke access to protected documents

Back in the days with the old Azure Rights Management Services solution Microsoft introduced the functionality to both track usage and the possibility revoke access to RMS encrypted information.

This function was not initially added to the new Unified Labeling client because of the low usage frequency, which led to a low prioritization of the function.

There were also some privacy concerns for some organizations regarding tracking of encrypted documents since the end user easily could track who had opened a document and from where. As a result, these organizations disabled the track and revoke -feature.

In the public preview version of the current AIP Client Microsoft have now reintroduced a track and revoke feature. This enables users to revoke their protected documents. The tracking function is also in public preview for documents protected with this preview client. Tracking is only available for administrators and administrators can also revoke protected documents.

There are currently some limitations with the revocation functionality. To be able to explain this in the best way I prefer (as always) to do a deep dive and illustrate what happens in the background during both tracking and revocation. I will also give some workarounds for the current limitations. Let’s kick off and test the new Track and Revoke -feature.

To be able to test this you need to have the AIP client version 2.9 or later

To be able to revoke a file you need to be the one who applied the protection (or a global admin).

If you want to test this with a new document:

  1. Create a new document and apply any label with encryption/protection.
  2. Then you need to close the file and reopen it again.
    After this you will have a new option Revoke Access under the Sensitivity Button

If you get annoyed that you needed to close and reopen the document, I will now try to explain the reason for this.

First of all, we are able to encrypt files when we are offline. This is done with help of the public organization key and the users certificate keys. These keys are cached on the device when the end-user connect to the AIP service the first time (this is called the bootstrap process).
This means that Microsoft are not aware of the files that we have encrypted.
Second of all, files that just have been protected and haven’t been shared jet doesn’t have a reason to be revoked. 

But when we decrypt a document there will be an authentication and authorization by the MIP service and during this process the unique ContentId will be created and registered. The ContentID is the unique value that Microsoft need for both the track and revoke-functionality.

By running the PS-command for tracking, Get-AipServiceDocumentLog we can see that this ContentID is registered (after the document have been decrypted/opened for the first time)imageSince the contentID doesn’t change if someone make copies of the original document all copies of a sensitive document (even outside the organization) will be revoked. The exception is the one who applied the protection that still have access to all copies of the document.

Let’s test this scenario as well!

We take the original encrypted document and make a couple copies of this document and then open this with other accounts that have permissions to the document.

All access, both successful and denied access will be logged and visible with the
Get-AipServiceTrackingLog command:image

Let’s go back to the original document with the user account who applied the protection and revoke access:image

When this is done the end-user can easily see that the document has been revokedimage

Also an administrator can revoke access to the specific document with the PS command: Set-AipServiceDocumentRevoked

When I try to open the document with one of the other users, I do get a denied access which is showed with this message (after Word had tried to access the document with the logged in account):image

Notice that if offline access is allowed for specific label, users will continue to be able to access the documents that have been revoked until the offline policy period expires.

If we run the same PS commands once again, we will now see that this document has been revokedimageAnd the central tracking log shows that we got an attempt to open this document after its revocation


Limitations and workarounds

One limitation in the current preview is that documents that have been uploaded to SharePoint Online cannot be revoked by the owner. This applies to SharePoints tenants where AIP integrations have been enabled. The reason is simply that SharePoint then decrypts the RMS protection for the document during upload/storage and contentID is then removed from the document. If a user downloads the file from SharePoint and accesses it from their local machine, a new ContentID is applied with the RMS protection to the document. In that case an administrator needs to identify the new contentID and assist the user to revoke access.

There is a couple of other workarounds to prevent the above (current) limitation:

  1. If end user revocation is a business requirement for all protected documents don’t enable AIP integration with SharePoint Online
  2. To be sure that you can revoke a certain information class/label. You can prevent uploading to SharePoint with this label by using EndPoint DLP or MCAS
  3. If there is a business requirement to be able to revoke files stored at a certain SharePoint site/library there is a work around to enable IRM for this library. In that case protected files that are uploaded to this library won’t be decrypted.

For the organizations that haven’t migrated from the classic AIP client to the unified labeling client because of the lack of Track and Revoke feature, can now start to plan the migration. Read more about the feature release notes here

For more details around the new Track and Revoke feature go to Microsoft docs

Publicerat i Microsoft Information Protection | Märkt | Lämna en kommentar

Endpoint DLP helps you meet the business requirements

The most common reason to information leakage is basically human mistakes!

Different kind of data Loss Prevention (DLP)-solutions can be helpful to assist our users to follow the company guidelines around information handling. Microsoft have just announced their new Endpoint DLP as General Available!

Endpoint DLP can be useful in several scenarios. It can be used to alert on different actions, both for end-users as well as the admins. It can also be used to prevent or warn the end-user , this can be really helpful in educational purposes. Increasing the knowledge of information management among our users can often be the best protection for our information.

A common business requirement that I have heard of (mostly from organizations in the public sector) is that some information is not allowed to be stored in a cloud service. A combination of Conditional Access (that limit the access only for managed devices) and Endpoint DLP for these cloud services can be used to meet these needs.


But let us have a look how to configure this in the compliance portal.

When we create a DLP policy we define what kind of location this is for.

Endpoint DLP is for our devices and works (today) for Windows 10. We can easily test this for a small amount of users by defining this policy per user or group.


We can then create rules with conditions for certain information based on:

  • Included information types (everything from predefined types like credit cards, personal ID´s to custom information types)
  • Sensitivity of the information based on its Sensitivity label


We can also exclude content based on the same two options (information type/label) if there is a need for that.

When these conditions are met, we can then decide what we want to do around these types of actions. We can choose to

  • only audit the specific action
  • block the action with the possibility for the end-user to override
  • Block the action


The above activities:

  • Upload to cloud services or access by unallowed browsers
  • Access by unallowed apps

are based on central configured EndPoint DLP settings.

Here we can for instance add our unallowed apps. In this business case we had a specific label that was not allowed to be stored in Office 365, therefor we had to add Microsoft Teams as an unallowed app. Other unallowed apps could be different sync agents for instance the DropBox, Itunes and OneDrive that could prevent syncing the relevant classified information.


The end-user experience for a blocked app will be like this:DLPTeams 

To be able to restrict uploading of content to different web services we must exclude browsers that does not support Endpoint DLP. Notice that we do not stop these browsers (or specified unallowed apps) to run, we just block them to be used with certain information, defined by our DLP rules.


Endpoint DLP with Microsoft Edge.

For our restrictions to either “block” or “block with override” for uploading to defined cloud services, this is based on central DLP Settings. This function requires the Microsoft Edge browser

We can run this in a black- or whitelist scenario where we can either allow defined domains and block all the rest or we can choose to block defined domains.

In my business case where a specific label was not allowed to be stored in Office 365 (or Google) we defined the domains for these services.


The end-user experience for a block with override policy for a defined domain will be like this:

Regardless if the action is to block our just Audit specified action, we can define different notification options (per policy). If we want to notify the user or somebody else in the organization, we can do this by email.


We can also trigger an incident report and define what kind of sensitivity the specific incident should have.


An important take around DLP is that as soon as you block the user from something, you need to have an answer to how they should solve the business need instead. If you block too much there is always a risk that your users will use another (unsanctioned) service to do their work. In that case you will lose control completely and will have what is called a Shadow IT.

Publicerat i Microsoft Information Protection | Märkt | 5 kommentarer

Let’s defend ourselves!

Maybe not yourself, but your organization! Smile

Ignite have recently ended with a lot of news from Microsoft. One of biggest news around threat detection and protection is the latest integration of all security solutions for our M365 environment. Based on my own as well as my company’s experiences this is a success factor for identifying and prevent intrusions before they do harm.

Lets do an example to explain this a little bit more.

Think of your environment like this:


Most of us still have an on-premises environment including local Active Directory, servers and clients. We got a cloud environment with Office 365 and Azure Active Directory and we maybe got other cloud services as well.

Then we have our security solutions that protects our clients/servers, our cloud solutions, and our identities. All these solutions can identify different kind of threats and give us alerts that could be really critical, or just be the daily noise of non-critical alerts.

Lets do some examples

  • What if we have a user where we see authentication alerts like unfamiliar sign-ins, impossible travels etc.? Of course, this could be a false positive because he is using his own new VPN service.
  • What if the same user is trying to access local resources that he doesn’t use to, for instance in a unusual time in the middle of the night. This could be a false positive alerts because he have a new role and working late.
  • What if the same user running advanced PowerShell commands on his company device? He might be taking a PowerShell course.
  • What if he downloading a lot of files from a SharePoint/Team site? He may be planning to work offline.
  • What if he sending highly confidential files to a private email address? I don’t add any suggestion here, but you may be interested in the newly released Insider Risk Management as well ?

I do think that you got the idea. If any of these alerts have been raised there could be a non-critical alert. But if we are seeing a combination of alerts from different services there is a really high risk that we got something critical going on. When it comes to preventing an attack, it is extremely time critical and going through different kind of alerts often takes too much time.

Microsoft have now released the Microsoft 365 Defender that is not only getting alerts from all these different security solutions, it is doing much more…


The Microsoft 365 Security -portal generate automated incidents based on all these security solutions. Gives us one single portal that helps us prioritize and getting insights in the most ongoing critical alerts and risks for the moment. In several cases the generated incidents can mitigate the attack automatically or make it easier to take the correct action manually to prevent the attack. What is also time consuming is to identify what a bad guy have been doing during a period, all these integrations are helpful in these scenarios!

For the more experienced security administrators, there is also Advanced Hunting with virtually unlimited possibilities. My colleagues who work for Onevinn’s MDR service have been working on this for a long time and are building impressive threat-hunting queries towards all these services and also more services. This is often a critical proactive step during an ongoing attack

Microsoft have also chosen to rename a lot of these services to complete the Defender story:

  • Microsoft Defender for Office 365 – Office 365 Advanced Threat Protection (Office ATP)
    Protect our collaboration services from Exchange Online to Teams
  • Microsoft Defender for Identity – Azure Advanced Threat Protection (Azure ATP)
    Identifies threats in our local environments based on signals from our domain controllers
  • Microsoft Defender for EndPoint – Microsoft Defender Advanced Threat Protection (Defender ATP)
    Detect and response on threats on your endpoints, from computers, tablets, cellphones to servers
  • MCAS, Microsoft Cloud App Security still have the same name. MCAS protect our cloud apps, Office 365 and other 3-party cloud apps. MCAS also integrates with Azure Active Directory Identity Protection that protect our identities in Azure AD. All of these important signals from our cloud identity and our connected cloud apps are shared with Microsoft 365 Defender.

How to get started?

Just go to
If any of the above services are in use, you ready to onboard your tenant.
Find more information on Microsoft docs

Publicerat i Microsoft Defender, Threat Protection | Märkt | 2 kommentarer

Revoke access to sensitive emails

Microsoft has started to roll out a lot of new features related to Information Protection. A  requested feature that was rolled out last week is the possibility to revoke protected emails that are sent externally.

As in the cases with new functionality, this feature has started to be rolled out in the cloud service, Outlook online!

Let me show how you how this works:

The senders experience

If I have protected an email to external recipients and I realize that this was a misstake or some other reason that the email needs to be revoked (prevented to be accessed).

I can go to my Sent-folder (In Outlook -online). There I will see an option (for protected emails that are sent to external users) to Remove external access for the specific email.

image image

When I click on “Remove external access” I get a prompt to confirm this action.


When the email is revoked, I can see in the specific email that this email is not accessible for external recipients anymore.


Recipient experience

The external recipient who got the email and try to read it will have the following experience.

When the recipient tries to access the protected email (hosted by the senders Exchange Online)

image image

He will get a message after signing in, that this email has been revoked by the sender.


Requirements and explanation of how it works

As you may understand by the above screen shoots, this works for emails protected by Office 365 Advanced Message Encryption. I have explained this concept earlier in this swedish article.
But let’s do a recap about what’s happening when you protect an email. In the same way as for almost 20 years ago when AD RMS was introduced, the protected email will end up in a protected format. A rights protected message with the file format .rpmsg. To be able to read (decrypt) this message there are two requirements:

1. The recipient needs to have an email application who understand the RPMSG-format to render this message

2. The recipient needs to be able to authenticate himself to Azure Active Directory

If these two requirements are fulfilled, this gives a really nice experience where the protected email is rendered in Outlook among the other emails, and the recipient does not need any additional step to access this protected email. But to be able to create a solution that make it possible to access a protected email without any requirements on the sender’s side, there is a plan B.

The protected email (the specific rpmsg-file) will be cached (by default in 90 days) in the senders Exchange Online environment. If either of the two requirements above is not met, the result for the recipient will end up with a customizable message. This email contains a link where the recipient can log on to the sender’s Exchange Online to read the email (and any attached document or pdf).

One great benefit with this is that the email remains in the sender’s tenant and the recipient can reply and have a secure email communication that is only stored in the recipient’s environment. And now, we also got another great benefit… These kinds of emails can now be revoked by the sender and an administrator(s)!

If there is a business need to require revocation possibilities, this behavior can be enforced for all external emails. As always when it comes to Information Protection the decisions need to come from the business itself!

When you have gathered all your business needs you can read more about license agreements and administrative routines for email revocations on Microsoft docs

Publicerat i Microsoft Information Protection | Märkt | Lämna en kommentar

Double Key Encryption (DKE) for Microsoft Information Protection

This week Microsoft Ignite starts. One of the biggest news around Microsoft Information Protection is the new encryption technology. This is meant to be the new Hold Your Own Key (HYOK) option that will replace the alternative to use AD RMS. The new technology is called Double Key Encryption (DKE), simply because it uses two keys to protect your data—one key in your control, and the other one is your Azure RMS key. Viewing data protected with Double Key Encryption requires access to both keys. Compared to AD RMS (that is built on the local Active Directory) DKE are using Azure AD. In the same way as Azure RMS information can be protected to both internal as well as external users.

The content that is being encrypted with DKE is protected with your own key (where ever the content is stored). You have a lot of options for your own key, that is running on a web service that can be stored where ever you want. Access to this key is definied by you, which give you a lot of possibilities to meet different business requirements.
The concept is still that Microsoft doesn’t have access to this key and therefor none of the online services from Microsoft will work. No support of Office Online apps/Microsoft Teams or actions like co-authoring or eDiscovery/content search is available.

This technology is built into the Modern Office, also called Office ProPlus that will have support to encrypt and decrypt with DKE. In the first release this will only work on Office for Windows, but the plan is to release this to all kind of platforms (iOS, Mac, Android etc.) The goal is to support email encryption as well (with the requirement to use the modern Outlook app) but for now, DKE only supports Office Documents, Excel files and PowerPoints.

In the same way as HYOK with AD RMS this is only meant to be use for certain highly confidential information. Information that have this specific business encryption/access requirements.


I will not keep trying to explain this technology more in text Have a lock at this video where I explain the concept and everything you need to know about the encryption and decryption with DKE.

Publicerat i Microsoft Information Protection | Märkt | Lämna en kommentar

Auto-labeling for Office Online services

Last week Microsoft released a new function to be able to act on data-at-rest information in Teams (SharePoint and OneDrive). In my previous article about how to prevent information leakage when inviting external guests into Teams, we had a scenario for “Project Delta”. The business case was to be able to share the project information in a secure way to all internal and external project members. There was also a requirement to restrict internal sensitive information to invited guests.

This article is about how to automatically identify and protect information. In many cases we already have existing sensitive information without correct classification and protection at rest. For local files we have had the AIP Scanner for a while that is able to both identify certain information as well as label this information with the correct information classification and protection (when needed). For data stored in the cloud (Office 365) we have had the possibility to identify the same information with the build in solutions in Compliance Center. What we now have is possibility to also apply classification and protection automatically, to identified files in the cloud.

Let’s go back to the previous business case for “Project Delta”.

When it comes to identify information all the different solutions use “Sensitive info types” from the Compliance portal. Here we have the built-in information types that includes everything from financial, privacy to medical and health information. imageWe also have possibilities to create our own information types.
In this example we have a project with a defined project number (that is used for example in document templates). We have created a sensitivity info type that looks for this number.

The result from this will show us (under Data classification in the Compliance portal) how many files we have in Office 365 that includes information related to Project Delta.

image image


The new auto-labeling feature gives us the possibility to take action on this information.
Auto-labeling is found under Information Protection in the Compliance portal


A new policy gives us the possibility to act on predefined information types or create a custom policy.


We then specify the location for the information we want to automatically apply labels to.


For each of these locations we can create specific rules with conditions. In our case we want to identify everything that include Project Delta information and apply protection to it.


Another scenario would be more advanced rules for instance to only label Project Delta information that is being shared externally.

We then choose what Label we want to apply for identified information. Where we choose the Label for Project Delta.

When we turn on this policy it will start in simulation mode. This help us ensure that we apply the label to correct information.

We can then go back and review which files have been identified and ensure that the policy is properly configured.


When we are ready, we can turn on the policy.


The result will be that identified Project Delta information in all these locations will be automatically classified and protected to only the members of the project.


Other solutions to identify Project Delta information based on this sensitivity info type

  • Auto-Labeling in Office that can auto apply a label or recommend the end-user to apply the correct labelimage

  • Scan local file shares and SharePoint servers with the AIP Scanner.
    The scanner uses the same sensitivity info types and gives a view of all local files including Project Delta information.

The AIP scanner have a couple of news as well. Let’s keep that for a coming article

Publicerat i Microsoft Information Protection | Märkt | Lämna en kommentar

Information Protection reduces the risk with guest invites into Teams

I have met a lot of customers who have hesitated to enable the possibility to invite external guests into Teams (and SharePoint/OneDrive). In all cases the concern is about information leakage. “What if our users invite others that are getting access to sensitive information”?


The solution in all these scenarios are classification and protection.

If the information is classified correctly with protection for sensitive information, we can mitigate the risks of information leakage.

Let’s take an example with this scenario.

The business requirements

This organization wants to be able to invite external guests.

They have a couple of projects that needs to include external users that also need to be able access sensitive project information.

They also have internal information that needs to be blocked for the external users. There are also internal SharePoint and Team sites that can’t allow external guests at all.

The Solution

Let’s start with the last business requirement where we need to define which sites that should allow external invites.
Based on Classification of the site itself we are able to define if external invites are allowed or not. In this scenario, Confidential sites allow external invites while Secret sites do not.
More about what’s behind the scene can be read in my previous post

image image

Let’s focus on an example for a sensitive project that should only be accessible for the project members (both internal and external users).

This is Project Delta

Project leader, Peter can invite members (because this is classified Confidential site) and in this case he invites an external account via Azure AD B2B.

The external users get an invite and are able to access this Team site.



When we look at all stored information on this Teams site the user can easily see how each of these files are classified.

Based on the classification we also have protection and access control of these files.


The external user is able open information classified and protected to Project Delta


If he downloads these documents the local copy will be protected and only accessible for Project Delta members


The external user will also have access to default classified Business documents but will be restricted from accessing classified Confidential or secret information that is protected for internal use only



The Setup

In the background we have the following setup


There is an Office 365 group that was created in the back end by default when the Project Delta Team was created.
This group also gives access to the same SharePoint site that is used for this Project Delta Team.


This group is then used to give access to information protected by the Project Delta label


With this setup we support the project leader to follow the business requirements.

Based on the site classification he can create a Teams site that allows invites of external guests. Hi can also make sure that information for the Delta project is limited only for the project members that also include his invited guest. By classifying information as Confidential Peter can choose if information should be available for Project Delta.



Peter can also classify information as Confidential and define if the information should be restricted to “Internal” users. This prevent all external guests to access any of this content.


In the next article we going to go through how we can support Project Delta, to automatically identify and protect their information as soon as it being stored in Microsoft/Office 365. This with the recently released “Auto Classification” that helps us act on data-at rest in the cloud. Stay tuned!

Publicerat i Microsoft Information Protection | Märkt | 1 kommentar

Classify SharePoint sites, Teams and Groups

The demands to have a mobile way to work grows all the time. In the time of writing this article the biggest motivation is the current spread of the Covid 19 virus. More companies start using Teams, SharePoint Online and Office 365 groups as tools to access information, coworking and sharing information in or outside the organization. Information Classification and Protection is as always a mayor player when it comes to the mobile work to prevent information leakage.

The possibility to classify information grows. One of the latest update to the MIP story is the possibility to classify Teams, SharePoint sites and Office 365 groups. All these services got different settings that control if the service:

– Is Private/Public (Allows external invites)

– Only allow the owner to add members

– Allow full, limited or block access for unmanaged devices

Based on the above control settings the business (information owner) can decide what settings that meets their information classification.
A classified Team or SharePoint site will show the end users what kind of classification / sensitivity the specific site have, as well as enforcing the defined access control setting.

Classify site and teams


Let’s have a look how to get started and how this will affect the end user in the following video:


The attentive reader may have seen in the above picture that the word document is classified with a different classification/label than the SharePoint site. A classified Teams, SharePoint site will not affect document that are stored or created from this site. The purpose of the classification is to show the sensitivity for the end user of the site itself, as well as preventing information leakage by restricting permissions to different actions.

To be able to restrict different action for an unmanaged/unsanctioned device a Conditional Access policy need to be defined for the affected users, to the cloud app Office 365, with app enforced restriction for the session

image image

If there is a need to enforce a specific classification for the documents as well this can be done today by using Microsoft Cloud App Security or Auto-Labeling, but that is another (coming) article

Publicerat i Microsoft Information Protection | Märkt | 1 kommentar

Trainable classifier

I usually blog only in Swedish but will from now on mix articles based on the content in Swedish or English. In this case it’s quite easy to choose since this article is about a new fantastic technic that can help your organization to find patterns in your information which can be basis for information classification. For now, this only works for information in English.

Why and when should we have use of trainable classifiers?

Today we can choose to either let the author of the information decide the correct information classification/label or we can automatically detect content like word, phrases or expression types that decide the correct information classification.

For example, if the document includes everything from predefined information types like credit card numbers, social security numbers to organization specific types, like project names or unique identifiers of drawings or recipes, it can be automatically classified. The classification can result in encryption or other data loss prevention technics.

But what if the organization can´t identify what´s unique for certain information? For example, if there have been projects that are working with sensitive information around a new invention but doesn’t have anything that is unique for all these documents?
The trainable classifier is meant just for these kinds of cases. Based on machine learning it can identify patterns by looking at existing documents. Basically, you point out a location that includes this information. Once it processes files in the location, you test the result by giving it a mix of both matching and non-matching documents and manually help the classifier to reduce the false positive predictions.

Let’s have a look in the compliance portal to find out more.

Trainable classified can be found under Data classification in Microsoft 365 compliance portal


Before you can start using this function in needs to scan your content and this can take up to 2 weeks to finish. I tried this in two different tenants and for our production tenant where we had a lot of data it took 8 days and in our test tenant with less data it took 12 days.

When the analytics is done you will find 6 predefined classifiers.


For instance, I can see high value of looking for “Threat” that detects a specific category of offensive language text containing threats to commit violence or do physical harm or damage to a person or property. One example of action here would be to identify and block email and chat with this kind of information.

Create a trainable classifier

Let’s create our own trainable classifier. The requirement is that the content needs to be stored in SharePoint Online. The file types that are supported are listed here. It needs to be 50 files at least, where the latest 500 files are the once that will be scanned (if the location includes more files).

I had no more imagination than sending up 50+ RMS logs which I changed the file format to .txt to be able to crawl these files. This is just for testing and demonstration but a business need here could be that sensitive log data needs to identified and retained for a specific time.


The syntax in those two fields is very strict and needs to be as follows:


As you can see in the following picture it can take up to 24 hours to analyze the content. You need to be patience testing this.


…after 3 hours I was able to start testing my classifier



I started out with creating two word documents, one with RMS log data and another one with only some characters from a log and other data that shouldn’t be identified as a RMS log. I uploaded these to another folder in SharePoint and added this location



The work wasn’t done after reviewing 2 files.. The portal now showed the following


As you can read under Classified accuracy above, It’s recommended (and also required) to test 200 items at least.

I uploaded 200+ files with a mix of correct logs and other type of log files and continued with the review.
When this was done it was possible to publish my classifier



I now have a new classifier ready to use that is showed together with the pre defined classifiers created by Microsoft.


Start using trainable classifier

Lets have a look in different types of action that can be taken based on the trainable classifier.

It can be used to auto-label a sensitivity label for Office apps:

image image

The end user experience will be that, as soon as RMS log data is added to an Office document it will recommend (or automatically) change label and protect the file.


The classifier can be used as condition for a Retention Label (that can retain or delete content).
For now I had to use the classic Security & Compliance portal to be able to choose a trainable classifier as a condition for a Retention Label.


I can then create a Data Loss Prevention policy based on this retention label for SharePoint, OneDrive, Teams etc. To be able on act on data at rest in Office 365.


You can find more information and examples here

Trainable Classifier is another good example of technics that can help de business to identify and act on sensitive information. As always, it´s important to include the organizations information owners and appointed CISO or equivalent role in this work.

Publicerat i Microsoft Information Protection | Märkt | 1 kommentar