Teams Channels Are Not Secure By Default: The Admin Lie
Your “private” Microsoft Teams channels are quietly bleeding data – and default settings are to blame.
In this episode, we walk through real-world incidents where dormant guest accounts, synced libraries, and careless PII pastes turned Teams into a silent leak. You’ll see how to harden Microsoft Teams security with Entra ID conditional access, tenant-wide MFA for guests and users, and strict device compliance. Then we wire Purview DLP for Teams chat and channels, lock down SharePoint external sharing, and use Entra ID governance to expire guests and automate access reviews. Finally, we cover audit logs, retention, and legal hold so you can prove what happened, not guess. If you run Teams for your org, this is your step-by-step playbook to stop data walking out the side door.
Teams is not secure by default—especially in hybrid environments full of guests, private channels, and synced libraries. In this episode, we walk through two real-world style incidents where “set and forget” Teams defaults quietly exposed data, then build a five-layer hardening plan: Conditional Access that actually bites, Purview DLP on chat and channels, Entra ID guest governance, audit & forensics you can prove in court, and retention that survives scrutiny. You’ll leave with exact policy patterns you can copy, test, and measure in your own tenant.
Opening – The Hook & Value Promise

The night’s loud with static. Teams channels hum like open vents. Guests linger. Files sync to places no one watches. One careless paste away from a bleed you can’t stop. This episode gives you a concrete Teams security blueprint:
- Enforce MFA for everyone, including guests
- Kill legacy authentication
- Require compliant or protected devices for Teams / SharePoint / Exchange
- Wire Purview DLP into chat and channels
- Govern guests with expirations, reviews, and access packages
- Prove it all in logs, holds, and audits
You’ll see two incidents that show how defaults burn tenants—and then we’ll build the five layers that would have stopped them.

Segment 1 – Incident Proof: How Defaults Burned Two Tenants

We open with two Teams failure stories:

Incident 1 – The Guest That Never Left
- A project ends. Champagne’s gone. One guest remains in the team.
- Private channel = separate SharePoint site; the guest’s sync client still points to that library.
- Weeks later, guest opens their laptop → the private channel library syncs fresh sensitive files down automatically.
What failed:
- No guest expiration
- No Entra ID access reviews for the team
- External sharing too loose for private-channel SharePoint sites
- Owners assumed “project over” = “access over.” It wasn’t.
Blast radius:
- Sensitive docs in the private channel site
- Meeting recordings, Loop components, and thread-linked files
- All delivered via SharePoint sync—no need to open Teams at all
Incident 2 – PII Paste and the Data Fork
- A tired internal user pastes SSNs and bank details into a Teams channel.
- Someone copies it to email for a vendor. Another exports the thread.
- PII now lives in Teams, Exchange, local drives, and third-party systems. Cleanup becomes a scavenger hunt.
What failed:
- No Purview DLP for Teams chat & channels
- No policy tips, no block-with-override, no compliance alert
- Teams treated like a front-end; core controls (Purview, Entra, SharePoint) were never tuned
Key takeaway: Teams isn’t the vault. It’s the lobby.
The vault lives in Conditional Access, Purview DLP, Entra ID Governance, and SharePoint sharing policies. From here, we build the five layers that would have shut both incidents down.

Layer 1 – Conditional Access Baseline That Actually Bites

Goal: Identity is the lock. Make it hurt to be misconfigured. You’ll hear a complete Conditional Access baseline:
- MFA for Everyone (Including Guests)
  - Entra policy: All users (including Guests and external) → All cloud apps.
  - Grant: Require MFA.
  - Exclude only two break-glass accounts with long random passwords, monitored and stored offline.
- Kill Legacy Authentication
  - New policy targeting Exchange ActiveSync and Other clients.
  - Grant: Block access.
  - Starves phish and breaks old clients that can’t do MFA.
- Require Device Compliance for Crown Apps
  - Scope: internal users (and guests where feasible).
  - Apps: Teams, SharePoint Online, Exchange Online.
  - Grant: Require compliant device (Intune).
  - For BYOD/mobile: cloned policy using “approved client app” + app protection instead.
- Session Controls & Risk-Based Policies
  - Short sign-in frequency (e.g., 8 hours) and weekly reauth for sensitive apps.
  - Enable Continuous Access Evaluation (CAE) so password changes and account disables kill live sessions.
  - Extra policies for high-risk sign-ins/users → block or force password change and investigation.
- Guest & Service Account Edge Cases
  - Ensure guests hit MFA at first sign-in.
  - Disable interactive sign-in for service accounts; move to workload or managed identities.
  - Regularly test break-glass accounts and CAE behavior.
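The baseline just listed, written as the Microsoft Graph request bodies you would POST to create each policy, with a lint pass for the mistakes the episode warns about (break-glass not excluded, report-only left on, legacy auth still open). This is an added example, not code from the podcast: the break-glass object ids are placeholders, the three app ids are assumed well-known first-party ids you should verify in your tenant, and CAE is left out because it is a tenant-level setting rather than a policy property.

```python
"""Layer 1's Conditional Access baseline as Microsoft Graph conditionalAccessPolicy
request bodies (POST /identity/conditionalAccess/policies).

Added example, not code from the podcast. Assumed: BREAK_GLASS are placeholder
object ids; CROWN_APPS are the well-known first-party app ids for Teams, SharePoint
Online and Exchange Online (verify in your tenant); CAE is a tenant-wide setting
and is not part of these bodies.
"""
import json

# Placeholders: replace with the object ids of your two break-glass accounts.
BREAK_GLASS = ["<break-glass-1-object-id>", "<break-glass-2-object-id>"]

# Well-known first-party app ids (assumed; confirm under Enterprise applications).
CROWN_APPS = {
    "Microsoft Teams": "cc15fd57-2c6c-4117-a88c-83b1d56b4bbe",
    "SharePoint Online": "00000003-0000-0ff1-ce00-000000000000",
    "Exchange Online": "00000002-0000-0ff1-ce00-000000000000",
}


def policy(name, *, users=("All",), exclude_users=(), apps=("All",),
           client_apps=("all",), platforms=None, grant=None, operator="OR",
           session=None, sign_in_risk=None, user_risk=None, state="enabled"):
    """One policy body. "All" already includes guests; break-glass is excluded everywhere."""
    conditions = {
        "users": {"includeUsers": list(users),
                  "excludeUsers": list(BREAK_GLASS) + list(exclude_users)},
        "applications": {"includeApplications": list(apps)},
        "clientAppTypes": list(client_apps),
    }
    if platforms:
        conditions["platforms"] = platforms
    if sign_in_risk:
        conditions["signInRiskLevels"] = list(sign_in_risk)
    if user_risk:
        conditions["userRiskLevels"] = list(user_risk)
    body = {"displayName": name, "state": state, "conditions": conditions}
    if grant:
        body["grantControls"] = {"operator": operator, "builtInControls": list(grant)}
    if session:
        body["sessionControls"] = session
    return body


def baseline(state="enabled"):
    """Policies 1-4 plus the risk gates; use "enabledForReportingButNotEnforced" to dry-run."""
    crown = list(CROWN_APPS.values())
    return [
        policy("CA01 Require MFA for all users including guests", grant=["mfa"], state=state),
        policy("CA02 Block legacy authentication", client_apps=["exchangeActiveSync", "other"],
               grant=["block"], state=state),
        policy("CA03 Require compliant device for Teams/SPO/EXO on desktop", apps=crown,
               exclude_users=["GuestsOrExternalUsers"],  # guests fall under CA03b instead
               platforms={"includePlatforms": ["all"], "excludePlatforms": ["android", "iOS"]},
               grant=["compliantDevice"], state=state),
        policy("CA03b Mobile: approved client app or app protection policy", apps=crown,
               platforms={"includePlatforms": ["android", "iOS"]},
               grant=["approvedApplication", "compliantApplication"], state=state),
        policy("CA04 Sign-in frequency 8 hours", state=state,
               session={"signInFrequency": {"value": 8, "type": "hours",
                                            "frequencyInterval": "timeBased", "isEnabled": True}}),
        policy("CA05 Block high-risk sign-ins", sign_in_risk=["high"], grant=["block"], state=state),
        policy("CA06 Block high-risk users until investigated", user_risk=["high"],
               grant=["block"], state=state),
    ]


def lint(policies):
    """Gaps to fix before enabling: break-glass excluded everywhere, nothing left in
    report-only, an MFA policy on All users, legacy auth blocked."""
    def controls(p):
        return set(p.get("grantControls", {}).get("builtInControls", []))
    findings = []
    for p in policies:
        if not all(bg in p["conditions"]["users"]["excludeUsers"] for bg in BREAK_GLASS):
            findings.append(f"{p['displayName']}: break-glass accounts not excluded")
        if p["state"] != "enabled":
            findings.append(f"{p['displayName']}: not enforced (state={p['state']})")
    if not any("mfa" in controls(p) and p["conditions"]["users"]["includeUsers"] == ["All"]
               for p in policies):
        findings.append("no MFA policy scoped to All users (guests included)")
    if not any("block" in controls(p) and
               {"exchangeActiveSync", "other"} <= set(p["conditions"]["clientAppTypes"])
               for p in policies):
        findings.append("legacy authentication is not blocked")
    return findings


def as_graph_json(p):
    """Body ready to POST to /identity/conditionalAccess/policies."""
    return json.dumps(p, indent=2)
```

Run `lint(baseline("enabledForReportingButNotEnforced"))` after a report-only pilot to see exactly which policies are still not biting.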
The point: MFA enforced, legacy auth dead, only trusted devices, short sessions, and real risk-based gates.

Layer 2 – Purview DLP for Teams Chat & Channels

Goal: Sensitive data should trip a wire the second it hits chat. Configuration you’ll walk through:
- Purview DLP Policy targeted specifically to:
  - Teams chat and Teams channel messages
- Sensitive Info Types:
  - SSNs, credit cards, bank accounts, health data, and custom IDs (employee/customer IDs, etc.).
- Rules:
  - High-confidence block with override
    - Match = 1 for crown jewels (SSN, PAN with Luhn, etc.).
    - Block message; allow override with typed justification.
    - Real-time policy tip to user + high-severity alert to compliance.
  - Medium-confidence educate & alert
    - Allow message but warn user and notify compliance for tuning and behavior change.
Extras:
- Mirror policies to SharePoint/OneDrive so files + links are both covered.
- Tune confidence and match counts to kill noise.
- Use policy tips that explain in plain language, not legalese.
- Pilot, tune, then roll out by department → finally org-wide.
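A model of the two-rule pattern above, as an added example (not the podcast's configuration and not Purview): it emulates the sensitive info types with a Luhn check for PANs, SSN structure plus keyword proximity, and a constructed employee-number type, then applies match count 1 for crown jewels and 2 for noisier types, block with a typed override, and masked incident samples. All sample messages are constructed.

```python
"""Layer 2's two-rule Teams DLP pattern in plain Python, so the confidence and
match-count tuning and the test plan can be exercised offline.

Added example, not the podcast's code and not Purview: its sensitive info types
are approximated by a Luhn check (PAN), structural checks plus keyword proximity
(SSN) and a constructed employee-number type. Sample messages are constructed.
"""
import re
from dataclasses import dataclass

PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, spaces or dashes
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
EMP_RE = re.compile(r"\bEMP\d{6}\b")                 # constructed custom SIT
SSN_KEYWORDS = ("ssn", "social security")
EMP_KEYWORDS = ("employee", "staff id")
LABELS = {"PAN": "a credit card number", "SSN": "a Social Security number",
          "EmployeeID": "an employee number"}
CROWN_JEWELS = {"SSN", "PAN"}   # fire on a single match; other types need two
NOISY_MIN_COUNT = 2


@dataclass
class Hit:
    sit: str          # sensitive info type
    confidence: str   # "high" or "medium"
    text: str         # matched text, used only for the masked incident sample


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real PANs from random digit runs in logs."""
    total, double = 0, False
    for ch in reversed(digits):
        d = int(ch)
        if double:
            d = d * 2 - 9 if d > 4 else d * 2
        total, double = total + d, not double
    return total % 10 == 0


def ssn_structurally_valid(area: str, group: str, serial: str) -> bool:
    """SSA never issues 000/666/9xx areas, 00 groups or 0000 serials."""
    return not (area in ("000", "666") or area.startswith("9")
                or group == "00" or serial == "0000")


def _near_keyword(text: str, pos: int, keywords, window: int = 300) -> bool:
    ctx = text[max(0, pos - window): pos + window].lower()
    return any(k in ctx for k in keywords)


def classify(message: str) -> list:
    """Emulate SIT detection, assigning a confidence level to every hit."""
    hits = []
    for m in PAN_RE.finditer(message):
        digits = re.sub(r"\D", "", m.group())
        hits.append(Hit("PAN", "high" if luhn_ok(digits) else "medium", m.group()))
    for m in SSN_RE.finditer(message):
        if ssn_structurally_valid(*m.groups()):
            near = _near_keyword(message, m.start(), SSN_KEYWORDS)
            hits.append(Hit("SSN", "high" if near else "medium", m.group()))
    for m in EMP_RE.finditer(message):
        near = _near_keyword(message, m.start(), EMP_KEYWORDS)
        hits.append(Hit("EmployeeID", "high" if near else "medium", m.group()))
    return hits


def mask(value: str) -> str:
    # Keep only the last four digits so the alert itself cannot leak the value.
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def _firing(hits: list, confidence: str) -> list:
    # Hits at one confidence level whose per-type count reaches its threshold.
    counts = {}
    for h in hits:
        if h.confidence == confidence:
            counts[h.sit] = counts.get(h.sit, 0) + 1
    armed = {s for s, n in counts.items()
             if n >= (1 if s in CROWN_JEWELS else NOISY_MIN_COUNT)}
    return [h for h in hits if h.confidence == confidence and h.sit in armed]


def evaluate(message: str, justification: str = "") -> dict:
    """Rule 1 (high): block unless a typed justification overrides.
    Rule 2 (medium): allow, but show a tip and raise a medium incident."""
    hits = classify(message)
    for conf in ("high", "medium"):
        firing = _firing(hits, conf)
        if not firing:
            continue
        sits = sorted({h.sit for h in firing})
        incident = {"severity": conf, "sits": sits, "samples": [mask(h.text) for h in firing]}
        tip = "Looks like " + " and ".join(LABELS[s] for s in sits) + ". "
        if conf == "medium":
            return {"action": "allow_and_warn", "incident": incident,
                    "tip": tip + "Use an approved channel for sensitive data."}
        if justification.strip():   # a written reason, not a checkbox
            incident["override_justification"] = justification.strip()
            return {"action": "allow_with_override", "incident": incident, "tip": tip}
        return {"action": "block", "incident": incident, "tip": tip + "This is blocked to "
                "prevent exposure. If this is an approved transfer, choose override and explain."}
    return {"action": "allow", "incident": None, "tip": ""}
```

The test plan from the episode maps directly onto `evaluate`: a Luhn-valid test PAN blocks and overrides with a reason, a PAN that fails Luhn only warns, and an SSN-shaped string with an impossible area number does not fire at all.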
1
00:00:00,000 --> 00:00:01,680
The night was thick with static,
2
00:00:01,680 --> 00:00:03,760
Teams channels hummed like open vents,
3
00:00:03,760 --> 00:00:06,440
not secure by default, not even close.
4
00:00:06,440 --> 00:00:09,360
Guests slip in.
5
00:00:09,360 --> 00:00:10,680
Linger.
6
00:00:10,680 --> 00:00:14,080
Files sync to places you don't watch.
7
00:00:14,080 --> 00:00:17,040
One careless click away from a bleed you can't stop.
8
00:00:17,040 --> 00:00:18,400
Here's the upfront truth,
9
00:00:18,400 --> 00:00:20,480
Enforce MFA for everyone.
10
00:00:20,480 --> 00:00:21,840
Kill legacy auth,
11
00:00:21,840 --> 00:00:24,080
lock access to compliant devices,
12
00:00:24,080 --> 00:00:26,480
put DLP on chat and channels,
13
00:00:26,480 --> 00:00:29,000
govern guests with reviews and expirations,
14
00:00:29,000 --> 00:00:30,240
then prove it in logs.
15
00:00:30,240 --> 00:00:32,000
I'll show you the exact conditional access
16
00:00:32,000 --> 00:00:34,760
Purview DLP and Entra ID governance settings.
17
00:00:34,760 --> 00:00:37,640
Copy, test, measure. Two real incidents first.
18
00:00:37,640 --> 00:00:39,600
They'll make the risk obvious.
19
00:00:39,600 --> 00:00:43,400
Incident proof: how defaults burned two tenants.
20
00:00:43,400 --> 00:00:45,760
Case one walked in quiet,
21
00:00:45,760 --> 00:00:47,480
a completed project,
22
00:00:47,480 --> 00:00:48,800
champagne gone.
23
00:00:48,800 --> 00:00:51,240
The guests remained.
24
00:00:51,240 --> 00:00:54,400
Their accounts sat dormant.
25
00:00:54,400 --> 00:00:57,720
But their sync client kept breathing.
26
00:00:57,720 --> 00:01:00,360
A private channel held the good stuff.
27
00:01:00,360 --> 00:01:03,480
Sensitive files lived in its SharePoint stack,
28
00:01:03,480 --> 00:01:06,160
detached, hidden under the floorboards.
29
00:01:06,160 --> 00:01:09,480
The guest's OneDrive sync still pointed to that library.
30
00:01:09,480 --> 00:01:11,480
Weeks later, they opened their laptop,
31
00:01:11,480 --> 00:01:12,600
the library woke.
32
00:01:12,600 --> 00:01:15,640
It pulled fresh copies down like rain through a cracked roof.
33
00:01:15,640 --> 00:01:16,600
What failed?
34
00:01:16,600 --> 00:01:18,200
No guest expiration.
35
00:01:18,200 --> 00:01:21,120
No access reviews tied to that team.
36
00:01:21,120 --> 00:01:23,000
External sharing sat loose,
37
00:01:23,000 --> 00:01:25,400
letting synced libraries persist.
38
00:01:25,400 --> 00:01:28,600
Group owners assumed project over meant access over.
39
00:01:28,600 --> 00:01:31,280
It didn't. Private channels' separate SharePoint sites
40
00:01:31,280 --> 00:01:32,200
aren't a rumor.
41
00:01:32,200 --> 00:01:33,400
They're a second door.
42
00:01:33,400 --> 00:01:35,080
It stayed unlocked.
43
00:01:35,080 --> 00:01:36,360
Blast radius.
44
00:01:36,360 --> 00:01:38,480
Documents in the private channel site.
45
00:01:38,480 --> 00:01:41,080
Meeting recordings referenced in threads.
46
00:01:41,080 --> 00:01:43,520
Loop components injected into posts.
47
00:01:43,520 --> 00:01:45,400
Fragmented across SharePoint stacks,
48
00:01:45,400 --> 00:01:46,680
but linked by the channel.
49
00:01:46,680 --> 00:01:48,360
The guests didn't need to browse Teams.
50
00:01:48,360 --> 00:01:49,880
The files came to them.
51
00:01:49,880 --> 00:01:51,760
Quiet, automatic.
52
00:01:51,760 --> 00:01:53,320
You can tell a lot about a tenant
53
00:01:53,320 --> 00:01:55,320
from what it remembers to forget.
54
00:01:55,320 --> 00:01:57,880
This one remembered everything for the wrong person.
55
00:01:57,880 --> 00:02:02,280
Now the second case, inside job, not malicious, just tired fingers,
56
00:02:02,280 --> 00:02:04,920
an internal user pasted PII into a channel.
57
00:02:04,920 --> 00:02:08,600
SSNs, bank numbers, the kind of data that crawls.
58
00:02:08,600 --> 00:02:10,680
A coworker needed to email a vendor
59
00:02:10,680 --> 00:02:13,080
so they copied the message. Out it went.
60
00:02:13,080 --> 00:02:16,280
Then someone exported the thread for documentation.
61
00:02:16,280 --> 00:02:21,320
The data forked, email, local drives, third party systems,
62
00:02:21,320 --> 00:02:23,720
a cleanup turned into a scavenger hunt.
63
00:02:23,720 --> 00:02:24,760
What failed?
64
00:02:24,760 --> 00:02:28,040
No Purview DLP on Teams chat and channels.
65
00:02:28,040 --> 00:02:29,880
No policy tips to stop the paste.
66
00:02:29,880 --> 00:02:32,200
No block with override friction.
67
00:02:32,200 --> 00:02:33,960
No escalation to compliance.
68
00:02:33,960 --> 00:02:35,240
The system watched.
69
00:02:35,240 --> 00:02:36,600
It didn't act.
70
00:02:36,600 --> 00:02:38,920
And because Teams is just the front end,
71
00:02:38,920 --> 00:02:41,720
the core controls weren't where the words were spoken.
72
00:02:41,720 --> 00:02:43,400
They're in Purview.
73
00:02:43,400 --> 00:02:45,320
Entra, SharePoint.
74
00:02:45,320 --> 00:02:47,000
If those aren't tuned,
75
00:02:47,000 --> 00:02:49,800
the front end smiles while the back door swings.
76
00:02:49,800 --> 00:02:52,520
Most people think a private channel means private.
77
00:02:52,520 --> 00:02:55,080
We know better. Private just means different plumbing.
78
00:02:55,080 --> 00:02:57,720
New site collection, new permission surface.
79
00:02:57,720 --> 00:02:59,640
If you don't govern guest lifecycle
80
00:02:59,640 --> 00:03:02,680
and external sharing there, it will rot slowly.
81
00:03:02,680 --> 00:03:04,040
Then fast.
82
00:03:04,040 --> 00:03:06,840
Most people think don't share PII is enough.
83
00:03:06,840 --> 00:03:09,400
It isn't. You need the tripwire, the siren,
84
00:03:09,400 --> 00:03:11,400
the record that proves you tried to stop it
85
00:03:11,400 --> 00:03:12,680
and what happened next.
86
00:03:12,680 --> 00:03:14,120
Courts care about the ledger.
87
00:03:14,120 --> 00:03:15,400
Regulators too.
88
00:03:15,400 --> 00:03:18,120
Without DLP and audit, you're guessing.
89
00:03:18,120 --> 00:03:19,480
Guesses don't hold.
90
00:03:19,480 --> 00:03:21,320
So here's the takeaway that stings.
91
00:03:21,320 --> 00:03:22,520
Teams isn't the vault.
92
00:03:22,520 --> 00:03:23,400
It's the lobby.
93
00:03:23,400 --> 00:03:25,640
The vault lives in Conditional Access,
94
00:03:25,640 --> 00:03:26,920
Purview DLP,
95
00:03:26,920 --> 00:03:28,280
Entra ID governance,
96
00:03:28,280 --> 00:03:30,040
and SharePoint sharing limits.
97
00:03:30,040 --> 00:03:31,320
If those aren't set,
98
00:03:31,320 --> 00:03:34,360
the lobby looks safe while data slips into the alley.
99
00:03:34,360 --> 00:03:35,640
But down here in the internet,
100
00:03:35,640 --> 00:03:36,440
we like proof.
101
00:03:36,440 --> 00:03:37,640
We set barricades.
102
00:03:37,640 --> 00:03:38,440
We test them.
103
00:03:38,440 --> 00:03:39,880
We watch the logs.
104
00:03:39,880 --> 00:03:42,680
We break our own doors and see who notices.
105
00:03:42,680 --> 00:03:44,520
Now we build the first wall.
106
00:03:44,520 --> 00:03:46,840
Conditional access, MFA for everyone,
107
00:03:46,840 --> 00:03:47,960
including guests.
108
00:03:47,960 --> 00:03:49,320
Legacy auth buried.
109
00:03:49,320 --> 00:03:51,560
Access only from devices you trust.
110
00:03:51,560 --> 00:03:53,480
Session controls that don't blink.
111
00:03:53,480 --> 00:03:55,720
Because in this city identity is the lock,
112
00:03:55,720 --> 00:03:56,760
and it better bite.
113
00:03:56,760 --> 00:03:59,000
Layer one.
114
00:03:59,000 --> 00:04:02,600
Conditional access, baseline that actually bites.
115
00:04:02,600 --> 00:04:04,200
We start at the gate.
116
00:04:04,200 --> 00:04:05,800
Identity first.
117
00:04:05,800 --> 00:04:08,520
Because every breach starts with a door that didn't hold.
118
00:04:08,520 --> 00:04:10,360
Goal is simple.
119
00:04:10,360 --> 00:04:11,800
MFA for everyone.
120
00:04:11,800 --> 00:04:12,920
Guests too.
121
00:04:12,920 --> 00:04:14,600
Legacy auth buried deep.
122
00:04:14,600 --> 00:04:17,320
Only compliant devices touch the stash.
123
00:04:17,320 --> 00:04:19,080
Sessions checked often.
124
00:04:19,080 --> 00:04:20,200
Without warning.
125
00:04:20,200 --> 00:04:21,240
Policy one.
126
00:04:21,240 --> 00:04:23,560
Require MFA for all cloud apps.
127
00:04:23,560 --> 00:04:26,600
Yes, all users and guests in scope.
128
00:04:26,600 --> 00:04:28,760
Create a single policy in Entra.
129
00:04:28,760 --> 00:04:31,000
Assignments include all users.
130
00:04:31,000 --> 00:04:33,480
Select guests and external users too.
131
00:04:33,480 --> 00:04:35,000
Exclude your break-glass accounts.
132
00:04:35,000 --> 00:04:35,960
Two of them.
133
00:04:35,960 --> 00:04:37,720
Strong random passwords.
134
00:04:37,720 --> 00:04:39,000
No MFA.
135
00:04:39,000 --> 00:04:40,360
Store them offline.
136
00:04:40,360 --> 00:04:41,480
Cloud apps.
137
00:04:41,480 --> 00:04:42,680
All cloud apps.
138
00:04:42,680 --> 00:04:43,880
Grant controls.
139
00:04:43,880 --> 00:04:46,120
Require multi-factor authentication.
140
00:04:46,120 --> 00:04:46,760
Enable.
141
00:04:46,760 --> 00:04:48,760
Report only first if you're scared.
142
00:04:48,760 --> 00:04:49,720
But we know better.
143
00:04:49,720 --> 00:04:50,760
Now make it bite.
144
00:04:50,760 --> 00:04:52,280
Turn off report only.
145
00:04:52,280 --> 00:04:53,080
Watch sign-ins.
146
00:04:53,080 --> 00:04:54,840
You'll see who never had a second factor.
147
00:04:54,840 --> 00:04:55,560
They'll complain.
148
00:04:55,560 --> 00:04:58,440
That's the sound of a lock catching.
149
00:04:58,440 --> 00:04:59,400
Policy two.
150
00:04:59,400 --> 00:05:01,400
Kill legacy authentication.
151
00:05:01,400 --> 00:05:04,120
The old protocols don't understand MFA.
152
00:05:04,120 --> 00:05:05,640
They don't care who walks in.
153
00:05:05,640 --> 00:05:07,320
Create another policy.
154
00:05:07,320 --> 00:05:08,520
Users.
155
00:05:08,520 --> 00:05:10,520
All including guests.
156
00:05:10,520 --> 00:05:11,800
Cloud apps.
157
00:05:11,800 --> 00:05:13,400
All cloud apps.
158
00:05:13,400 --> 00:05:14,360
Client apps.
159
00:05:14,360 --> 00:05:15,160
Condition.
160
00:05:15,160 --> 00:05:16,280
Select Exchange
161
00:05:16,280 --> 00:05:18,360
ActiveSync and other clients.
162
00:05:18,360 --> 00:05:19,080
Grant.
163
00:05:19,080 --> 00:05:20,120
Block access.
164
00:05:20,120 --> 00:05:21,000
Turn it on.
165
00:05:21,000 --> 00:05:22,520
This starves the phish.
166
00:05:22,520 --> 00:05:24,600
It also breaks dusty clients.
167
00:05:24,600 --> 00:05:25,320
Good.
168
00:05:25,320 --> 00:05:27,560
Extinction comes for weak things.
169
00:05:27,560 --> 00:05:28,600
Policy three.
170
00:05:28,600 --> 00:05:31,480
Require device compliance for the Crown apps.
171
00:05:31,480 --> 00:05:32,280
Teams.
172
00:05:32,280 --> 00:05:33,000
SharePoint.
173
00:05:33,000 --> 00:05:33,880
Exchange.
174
00:05:33,880 --> 00:05:35,400
Because files live there.
175
00:05:35,400 --> 00:05:36,360
Chats point there.
176
00:05:36,360 --> 00:05:37,400
Mail spreads there.
177
00:05:37,400 --> 00:05:38,280
Create a policy.
178
00:05:38,280 --> 00:05:39,240
Users.
179
00:05:39,240 --> 00:05:40,920
All internal users.
180
00:05:40,920 --> 00:05:43,640
Guests too if you allow device trust for them.
181
00:05:43,640 --> 00:05:45,800
If not, we'll use app protection instead.
182
00:05:45,800 --> 00:05:46,680
Cloud apps.
183
00:05:46,680 --> 00:05:47,960
Microsoft Teams.
184
00:05:47,960 --> 00:05:49,320
SharePoint Online.
185
00:05:49,320 --> 00:05:50,680
Exchange Online.
186
00:05:50,680 --> 00:05:51,640
Conditions.
187
00:05:51,640 --> 00:05:53,640
Locations can stay any.
188
00:05:53,640 --> 00:05:54,680
Grant controls.
189
00:05:54,680 --> 00:05:56,840
Require device to be marked as compliant.
190
00:05:56,840 --> 00:05:57,720
Enable.
191
00:05:57,720 --> 00:06:01,560
Now only devices in Intune meeting your rules get through.
192
00:06:01,560 --> 00:06:03,720
BYOD screaming? Fine.
193
00:06:03,720 --> 00:06:05,080
Clone this policy.
194
00:06:05,080 --> 00:06:09,240
Swap require compliant device for require approved client app.
195
00:06:09,240 --> 00:06:11,560
And require app protection policy.
196
00:06:11,560 --> 00:06:13,400
And scope it to mobile platforms.
197
00:06:13,400 --> 00:06:15,480
Keep desktops strict.
198
00:06:15,480 --> 00:06:18,200
Because laptops leak in alleys you can't light.
199
00:06:18,200 --> 00:06:19,160
Policy four.
200
00:06:19,160 --> 00:06:21,560
Session controls. We don't trust long sessions.
201
00:06:21,560 --> 00:06:23,960
Set sign-in frequency.
202
00:06:23,960 --> 00:06:25,960
Eight hours is a good shift.
203
00:06:25,960 --> 00:06:29,080
Require re-auth every week for sensitive apps.
204
00:06:29,080 --> 00:06:31,560
Turn on continuous access evaluation.
205
00:06:31,560 --> 00:06:34,920
So token validity reacts to risk in near real time.
206
00:06:34,920 --> 00:06:36,120
Account disabled.
207
00:06:36,120 --> 00:06:37,320
Password changed.
208
00:06:37,320 --> 00:06:39,240
Session dies mid-sentence.
209
00:06:39,240 --> 00:06:40,760
That's the point.
210
00:06:40,760 --> 00:06:41,960
Risk signals.
211
00:06:41,960 --> 00:06:45,000
If you can, push phishing resistant MFA.
212
00:06:45,000 --> 00:06:46,120
FIDO2 keys.
213
00:06:46,120 --> 00:06:47,320
Windows Hello for Business.
214
00:06:47,320 --> 00:06:48,760
Number matching everywhere.
215
00:06:48,760 --> 00:06:51,720
Smarts will try to social your push approvals.
216
00:06:51,720 --> 00:06:53,240
Number matching cuts the chatter.
217
00:06:53,240 --> 00:06:57,560
Resistant factors break the script entirely.
218
00:06:57,560 --> 00:06:58,840
Per-app hardening.
219
00:06:58,840 --> 00:07:01,480
Add a policy for high-risk sign-ins.
220
00:07:01,480 --> 00:07:03,720
Source from identity protection.
221
00:07:03,720 --> 00:07:06,760
Grant require password change or block.
222
00:07:06,760 --> 00:07:10,040
High-risk users block until investigated.
223
00:07:10,040 --> 00:07:13,160
Because in this city, risk isn't a mood.
224
00:07:13,160 --> 00:07:14,760
It's telemetry.
225
00:07:14,760 --> 00:07:16,440
Guest edge cases.
226
00:07:16,440 --> 00:07:19,800
Disable unmanaged-device redemption for guests
227
00:07:19,800 --> 00:07:21,560
if your program can stand it.
228
00:07:21,560 --> 00:07:25,000
Force guests to redeem into an Entra account with MFA.
229
00:07:25,000 --> 00:07:26,360
No email only shadows.
230
00:07:26,360 --> 00:07:27,720
You want identity with weight.
231
00:07:27,720 --> 00:07:29,080
With trace.
232
00:07:29,080 --> 00:07:30,040
Now the test.
233
00:07:30,040 --> 00:07:31,400
Open a clean browser.
234
00:07:31,400 --> 00:07:32,520
In private.
235
00:07:32,520 --> 00:07:33,560
Fresh guest.
236
00:07:33,560 --> 00:07:36,200
Invite a test guest from a personal account.
237
00:07:36,200 --> 00:07:39,480
Have them accept. They should hit MFA at first sign-in.
238
00:07:39,480 --> 00:07:41,480
No MFA? You missed the guest assignment.
239
00:07:41,480 --> 00:07:43,400
Fix it. Next, test from a machine
240
00:07:43,400 --> 00:07:45,160
that Intune doesn't bless.
241
00:07:45,160 --> 00:07:46,600
Try to open Teams on the web.
242
00:07:46,600 --> 00:07:48,680
Try SharePoint. You should hit a wall.
243
00:07:48,680 --> 00:07:51,000
If mobile, you should be forced into the approved app
244
00:07:51,000 --> 00:07:52,920
with app protection policies.
245
00:07:52,920 --> 00:07:54,200
Anything else is a leak.
246
00:07:54,200 --> 00:07:55,640
Legacy Auth Probe.
247
00:07:55,640 --> 00:07:59,480
Connect with basic-auth SMTP or an older Outlook profile.
248
00:07:59,480 --> 00:08:00,600
It should fail hard.
249
00:08:00,600 --> 00:08:03,080
If it works, you missed a protocol exception.
250
00:08:03,080 --> 00:08:03,800
Hunt it down.
251
00:08:03,800 --> 00:08:05,160
No mercy for legacy.
252
00:08:05,160 --> 00:08:06,120
Session check.
253
00:08:06,120 --> 00:08:06,920
Sign in.
254
00:08:06,920 --> 00:08:07,560
Wait.
255
00:08:07,560 --> 00:08:10,040
Change the user's password from the admin side.
256
00:08:10,040 --> 00:08:11,880
Watch the session die with CAE.
257
00:08:11,880 --> 00:08:15,000
If it lingers, your tenant setting is asleep.
258
00:08:15,000 --> 00:08:15,880
Wake it.
259
00:08:15,880 --> 00:08:17,480
Break glass drill.
260
00:08:17,480 --> 00:08:19,480
Simulate an outage in your head.
261
00:08:19,480 --> 00:08:22,360
Azure AD down, you sign in with a break-glass account.
262
00:08:22,360 --> 00:08:23,560
No conditional access.
263
00:08:23,560 --> 00:08:26,200
No MFA. Confirm they work quarterly.
264
00:08:26,200 --> 00:08:27,720
Monitor their use with alerts.
265
00:08:27,720 --> 00:08:29,640
If they light up, you have a real fire.
266
00:08:29,640 --> 00:08:30,520
Last piece.
267
00:08:30,520 --> 00:08:33,320
Exclude service accounts from interactive sign-in.
268
00:08:33,320 --> 00:08:35,320
Force them into workload identities.
269
00:08:35,320 --> 00:08:37,000
Or managed identities.
270
00:08:37,000 --> 00:08:38,200
Humans do MFA.
271
00:08:38,200 --> 00:08:40,120
Bots don't log in like humans.
272
00:08:40,120 --> 00:08:46,520
Now step back. Perimeter stands: MFA enforced, legacy auth cold, only trusted devices at the window.
273
00:08:46,520 --> 00:08:49,000
Sessions short, nervous, alert.
274
00:08:49,000 --> 00:08:51,640
But down here, walls don't stop whispers.
275
00:08:51,640 --> 00:08:53,480
Data still slips inside the lines.
276
00:08:53,480 --> 00:08:55,240
So we cut the channels next.
277
00:08:55,240 --> 00:08:57,240
Purview DLP on chat and channels.
278
00:08:57,240 --> 00:08:58,600
Trip wires in the carpet.
279
00:08:58,600 --> 00:08:59,800
Sirens in the ceiling.
280
00:08:59,800 --> 00:09:02,600
Because once words leave the mouth, they travel.
281
00:09:02,600 --> 00:09:04,040
Layer 2.
282
00:09:04,040 --> 00:09:06,760
Purview DLP for Teams chat and channels.
283
00:09:06,760 --> 00:09:09,240
We wire the trip wires right under their feet.
284
00:09:09,240 --> 00:09:11,640
So the next bad paste never clears the threshold.
285
00:09:11,640 --> 00:09:12,600
Goal is simple.
286
00:09:12,600 --> 00:09:14,360
PII doesn't leave the keyboard.
287
00:09:14,360 --> 00:09:16,120
If it tries, users see the tip.
288
00:09:16,120 --> 00:09:17,560
Compliance gets the ping.
289
00:09:17,560 --> 00:09:19,320
The ledger records the move.
290
00:09:19,320 --> 00:09:21,560
Open Microsoft Purview.
291
00:09:21,560 --> 00:09:23,000
Data loss prevention.
292
00:09:23,000 --> 00:09:24,520
Create policy.
293
00:09:24,520 --> 00:09:26,680
Give it a name that carries weight.
294
00:09:26,680 --> 00:09:28,520
Teams priority PII block.
295
00:09:28,520 --> 00:09:30,040
Scope it tight first.
296
00:09:30,040 --> 00:09:31,000
Pilot users.
297
00:09:31,000 --> 00:09:31,880
Pilot teams.
298
00:09:31,880 --> 00:09:33,960
We scale once it bites clean.
299
00:09:33,960 --> 00:09:34,920
Locations.
300
00:09:34,920 --> 00:09:37,720
Select Teams chat and channel messages.
301
00:09:37,720 --> 00:09:40,040
Turn it on for both chat and channel.
302
00:09:40,040 --> 00:09:42,440
Because leaks don't care about room names.
303
00:09:42,440 --> 00:09:44,040
Sensitive info types.
304
00:09:44,040 --> 00:09:45,880
Start with the usual suspects.
305
00:09:45,880 --> 00:09:47,480
US Social Security number.
306
00:09:47,480 --> 00:09:48,920
Credit card numbers.
307
00:09:48,920 --> 00:09:49,960
ABA routing.
308
00:09:49,960 --> 00:09:51,640
Bank account numbers.
309
00:09:51,640 --> 00:09:54,040
Medical terms if you live in HIPAA land.
310
00:09:54,040 --> 00:09:57,080
Add your own custom entity for internal IDs.
311
00:09:57,080 --> 00:09:58,440
HR employee number.
312
00:09:58,440 --> 00:09:59,720
Customer account code.
313
00:09:59,720 --> 00:10:01,080
Train it with a pattern.
314
00:10:01,080 --> 00:10:01,960
Check digit.
315
00:10:01,960 --> 00:10:03,480
Keyword proximity.
316
00:10:03,480 --> 00:10:05,560
Give the engine something real to grab.
317
00:10:05,560 --> 00:10:07,160
Now the rules: one for hard block,
318
00:10:07,160 --> 00:10:08,760
one for softer hands.
319
00:10:08,760 --> 00:10:10,360
First rule.
320
00:10:10,360 --> 00:10:11,720
High confidence.
321
00:10:11,720 --> 00:10:13,480
Block with override.
322
00:10:13,480 --> 00:10:14,440
Condition.
323
00:10:14,440 --> 00:10:15,160
Match count.
324
00:10:15,160 --> 00:10:17,880
Equals 1 for SSN and PAN.
325
00:10:17,880 --> 00:10:19,000
Confidence high.
326
00:10:19,000 --> 00:10:20,760
No low signal noise.
327
00:10:20,760 --> 00:10:21,320
Action.
328
00:10:21,320 --> 00:10:22,520
Block the message.
329
00:10:22,520 --> 00:10:25,080
Allow override with business justification.
330
00:10:25,080 --> 00:10:27,320
Require users to type why.
331
00:10:27,320 --> 00:10:28,520
Not a checkbox.
332
00:10:28,520 --> 00:10:30,920
A written reason leaves fingerprints.
333
00:10:30,920 --> 00:10:32,920
Notify the user in real time.
334
00:10:32,920 --> 00:10:35,880
Policy tip says what hit and why it stopped.
335
00:10:35,880 --> 00:10:37,720
Add incident report to compliance.
336
00:10:37,720 --> 00:10:38,840
Severity high.
337
00:10:38,840 --> 00:10:41,320
Send to the mailbox that doesn't sleep.
338
00:10:41,320 --> 00:10:42,600
Second rule.
339
00:10:42,600 --> 00:10:43,960
Medium confidence.
340
00:10:43,960 --> 00:10:45,720
Educate and alert.
341
00:10:45,720 --> 00:10:46,920
Lower the match count.
342
00:10:46,920 --> 00:10:48,040
Confidence medium.
343
00:10:48,040 --> 00:10:48,760
Action.
344
00:10:48,760 --> 00:10:49,400
Allow.
345
00:10:49,400 --> 00:10:50,440
But warn.
346
00:10:50,440 --> 00:10:52,200
Policy tip with guidance.
347
00:10:52,200 --> 00:10:55,560
Incident goes to compliance as medium.
348
00:10:55,560 --> 00:10:58,360
This builds muscle without breaking work.
349
00:10:58,360 --> 00:10:59,960
User experience matters.
350
00:10:59,960 --> 00:11:01,240
You want friction.
351
00:11:01,240 --> 00:11:02,280
Not revolt.
352
00:11:02,280 --> 00:11:05,400
So write the tip text in clear words.
353
00:11:05,400 --> 00:11:07,320
Looks like a Social Security number.
354
00:11:07,320 --> 00:11:09,640
This is blocked to prevent exposure.
355
00:11:09,640 --> 00:11:12,360
If this is a test or a proof transfer,
356
00:11:12,360 --> 00:11:14,920
choose override and explain.
357
00:11:14,920 --> 00:11:18,160
No legal sludge. Plain, sharp. Tuning time:
358
00:11:18,160 --> 00:11:22,760
Confidence thresholds: set SSN to high with pattern and checksum.
359
00:11:22,760 --> 00:11:26,280
Set PAN to high with Luhn validation and issuer detection.
360
00:11:26,280 --> 00:11:28,840
Kill the noise from random numbers in logs.
361
00:11:28,840 --> 00:11:31,160
Require context keywords for custom IDs.
362
00:11:31,160 --> 00:11:33,960
Customer ID, ACCT, MRN.
363
00:11:33,960 --> 00:11:36,440
Raise match count for noisy types to two.
364
00:11:36,440 --> 00:11:40,600
Lower for crown jewels to one. Tune or drown. Exemptions:
365
00:11:40,600 --> 00:11:42,040
You need sandboxes.
366
00:11:42,040 --> 00:11:44,600
Add test channels to an exception group.
367
00:11:44,600 --> 00:11:45,720
Security lab.
368
00:11:45,720 --> 00:11:47,000
Training space.
369
00:11:47,000 --> 00:11:48,440
Keep production hot.
370
00:11:48,440 --> 00:11:50,680
Lab safe. Notifications.
371
00:11:50,680 --> 00:11:52,360
Turn on admin alerts.
372
00:11:52,360 --> 00:11:56,040
Include matched content samples for compliance when lawful.
373
00:11:56,040 --> 00:12:00,200
Mask digits in emails to reduce spill in the alert itself.
374
00:12:00,200 --> 00:12:03,880
Balance evidence with exposure, because even alerts can leak.
375
00:12:03,880 --> 00:12:06,520
Now the evidence trail. In Purview, open alerts.
376
00:12:06,520 --> 00:12:07,560
Filter by policy name.
377
00:12:07,560 --> 00:12:08,680
You'll see the hits.
378
00:12:08,680 --> 00:12:14,280
Time, user, location, match type. Export to CSV, feed the SIEM,
379
00:12:14,280 --> 00:12:18,200
Set thresholds for spikes, because sudden bursts mean a surge
380
00:12:18,200 --> 00:12:20,520
or a test gone rogue. Test plan:
381
00:12:20,520 --> 00:12:23,160
In a pilot team, paste a known test PAN.
382
00:12:23,160 --> 00:12:25,720
Use 40101, 1111, 1111, 1111, 1111.
383
00:12:25,720 --> 00:12:29,880
The Luhn passes. The rule should bark. Policy tip appears.
384
00:12:29,880 --> 00:12:34,520
Send blocked, try override, type justification.
385
00:12:34,520 --> 00:12:38,520
Test transfer to approved processor, allowed with log.
386
00:12:38,520 --> 00:12:41,320
Now paste the fake SSN pattern without checksum.
387
00:12:41,320 --> 00:12:44,600
Rule shouldn't fire, at least not the high confidence one.
388
00:12:44,600 --> 00:12:47,400
If it does, your thresholds are sloppy.
389
00:12:47,400 --> 00:12:48,840
Try exfil by file.
390
00:12:48,840 --> 00:12:51,240
Upload a text file with three SSNs.
391
00:12:51,240 --> 00:12:53,240
DLP for Teams covers messages.
392
00:12:53,240 --> 00:12:56,200
Files are guarded by SharePoint and OneDrive DLP,
393
00:12:56,200 --> 00:12:59,400
so add the same policy to those locations.
394
00:12:59,400 --> 00:13:00,600
Mirror the rules.
395
00:13:00,600 --> 00:13:03,080
Now post the file link in the channel.
396
00:13:03,080 --> 00:13:04,600
Watch two engines hum.
397
00:13:04,600 --> 00:13:06,040
Teams tip for message.
398
00:13:06,040 --> 00:13:08,040
SharePoint DLP for file.
399
00:13:08,040 --> 00:13:10,280
Defense in depth, not in name.
400
00:13:10,280 --> 00:13:12,840
In action, coach the users.
401
00:13:12,840 --> 00:13:15,880
Add a link in the policy tip to a short page.
402
00:13:15,880 --> 00:13:17,720
Send sensitive data the right way.
403
00:13:17,720 --> 00:13:22,200
Approved channels, secure forms, encrypted mail if you must.
404
00:13:22,200 --> 00:13:24,680
DLP without guidance breeds workarounds.
405
00:13:24,680 --> 00:13:26,200
You want behavior change.
406
00:13:26,200 --> 00:13:28,920
Not shadow IT. Edge cases: third-party apps in Teams.
407
00:13:28,920 --> 00:13:31,400
DLP doesn't always see inside those pipes,
408
00:13:31,400 --> 00:13:33,240
disable apps you can't inspect.
409
00:13:33,240 --> 00:13:35,000
Or fence them with permissions,
410
00:13:35,000 --> 00:13:37,240
because blind spots invite ghosts.
411
00:13:37,240 --> 00:13:41,880
Roll out pilot first, tune noise out, then expand by department.
412
00:13:41,880 --> 00:13:44,200
Finance, HR, legal.
413
00:13:44,200 --> 00:13:45,800
Finally, flip to org wide.
414
00:13:45,800 --> 00:13:46,920
Announce the why.
415
00:13:46,920 --> 00:13:48,040
Show the gains.
416
00:13:48,040 --> 00:13:50,200
Share the reduced incident count.
417
00:13:50,200 --> 00:13:52,520
Close the loop, metrics, number of blocks,
418
00:13:52,520 --> 00:13:54,120
overrides with reason codes.
419
00:13:54,120 --> 00:13:55,640
Repeat offenders.
420
00:13:55,640 --> 00:13:56,920
Time to alert.
421
00:13:56,920 --> 00:13:58,120
Time to triage.
422
00:13:58,120 --> 00:14:00,120
You don't guess, you measure.
423
00:14:00,120 --> 00:14:02,520
Now the carpet's wired, trip wires hum.
424
00:14:02,520 --> 00:14:04,600
Messages can't bleed without a siren.
425
00:14:04,600 --> 00:14:06,360
Good, but guests are still inside,
426
00:14:06,360 --> 00:14:07,880
and they don't leave on their own.
427
00:14:07,880 --> 00:14:10,120
Layer three.
428
00:14:10,120 --> 00:14:13,240
Guest access guardrails in Entra ID governance.
429
00:14:13,240 --> 00:14:14,680
Guests are wild cards,
430
00:14:14,680 --> 00:14:17,320
cheap identities, light footprints.
431
00:14:17,320 --> 00:14:19,720
They drift in, they rarely drift out.
432
00:14:19,720 --> 00:14:20,760
Goal is clear.
433
00:14:20,760 --> 00:14:23,720
Guests face MFA.
434
00:14:23,720 --> 00:14:24,840
Guests expire.
435
00:14:24,840 --> 00:14:27,560
Reviews run on a clock.
436
00:14:27,560 --> 00:14:30,040
External sharing tightens to a pinhole.
437
00:14:30,040 --> 00:14:32,360
And when the timer hits zero, the door slams.
438
00:14:32,360 --> 00:14:34,840
Start with B2B inbound settings.
439
00:14:34,840 --> 00:14:35,880
Entra ID.
440
00:14:35,880 --> 00:14:37,400
External identities.
441
00:14:37,400 --> 00:14:39,320
Cross tenant access settings.
442
00:14:39,320 --> 00:14:41,400
Don't let just anyone invite.
443
00:14:41,400 --> 00:14:44,520
Turn off self-service sign-up unless you actually govern it.
444
00:14:44,520 --> 00:14:47,160
Limit who can invite to specific roles.
445
00:14:47,160 --> 00:14:49,400
Identity governance admins.
446
00:14:49,400 --> 00:14:50,520
Group owners you trust.
447
00:14:50,520 --> 00:14:51,560
Not the whole city.
448
00:14:51,560 --> 00:14:53,000
Redemption rules next.
449
00:14:53,000 --> 00:14:55,400
Force guest redemption with a real account.
450
00:14:55,400 --> 00:14:59,240
Entra backed or at least a federated identity you can challenge.
451
00:14:59,240 --> 00:15:02,680
No unmanaged personal shadows. Require MFA at redemption.
452
00:15:02,680 --> 00:15:04,360
Make them bind to a factor on day one.
453
00:15:04,360 --> 00:15:06,200
You want weight on the identity.
454
00:15:06,200 --> 00:15:07,560
Friction that leaves marks.
455
00:15:07,560 --> 00:15:09,240
Now lock devices for guests.
456
00:15:09,240 --> 00:15:11,000
If your model allows it,
457
00:15:11,000 --> 00:15:14,520
require compliant or hybrid joined devices
458
00:15:14,520 --> 00:15:17,240
for guest access to sensitive apps.
459
00:15:17,240 --> 00:15:19,320
If not, use app-based controls.
460
00:15:19,320 --> 00:15:21,160
Conditional access for guests.
461
00:15:21,160 --> 00:15:21,880
Users.
462
00:15:21,880 --> 00:15:23,560
Guests and external users.
463
00:15:23,560 --> 00:15:24,600
Cloud apps.
464
00:15:24,600 --> 00:15:26,120
SharePoint online.
465
00:15:26,120 --> 00:15:26,920
Teams.
466
00:15:26,920 --> 00:15:29,080
Exchange online if you expose mail.
467
00:15:29,080 --> 00:15:30,840
Grant.
468
00:15:30,840 --> 00:15:32,760
Require MFA.
469
00:15:32,760 --> 00:15:36,680
And either require device to be marked compliant
470
00:15:36,680 --> 00:15:41,080
or require approved client apps with app protection.
471
00:15:41,080 --> 00:15:42,040
Pick one.
472
00:15:42,040 --> 00:15:43,320
Be explicit.
473
00:15:43,320 --> 00:15:45,080
Because vague rules leak.
474
00:15:45,080 --> 00:15:47,720
External sharing defaults.
475
00:15:47,720 --> 00:15:50,200
SharePoint admin center.
476
00:15:50,200 --> 00:15:51,640
Policies.
477
00:15:51,640 --> 00:15:52,840
Sharing.
478
00:15:52,840 --> 00:15:54,840
Dial it down to:
479
00:15:54,840 --> 00:15:57,320
Existing guests only.
480
00:15:57,320 --> 00:15:58,680
No anyone links.
481
00:15:58,680 --> 00:16:01,480
No new external users from random shares.
482
00:16:01,480 --> 00:16:03,560
Block new invites at the file edge.
483
00:16:03,560 --> 00:16:06,040
Bring new guests through the front desk.
484
00:16:06,040 --> 00:16:07,240
Always.
485
00:16:07,240 --> 00:16:08,840
Site level controls.
486
00:16:08,840 --> 00:16:11,240
Private channels have their own sites.
487
00:16:11,240 --> 00:16:12,200
Tighten those too.
488
00:16:12,200 --> 00:16:14,120
Disable anyone links at the site.
489
00:16:14,120 --> 00:16:16,840
Set default link type to specific people.
490
00:16:16,840 --> 00:16:20,600
Expire shared links after seven days.
491
00:16:20,600 --> 00:16:21,880
Short, sharp windows.
492
00:16:21,880 --> 00:16:23,320
Doors that close without asking.
493
00:16:23,320 --> 00:16:24,760
Now the lifecycle engine.
494
00:16:24,760 --> 00:16:26,360
Access reviews.
495
00:16:26,360 --> 00:16:28,280
Microsoft Entra ID Governance.
496
00:16:28,280 --> 00:16:30,840
Create a review for groups and teams.
497
00:16:30,840 --> 00:16:34,040
Scope to enabled Microsoft 365 groups with guests.
498
00:16:34,040 --> 00:16:35,960
Reviewers.
499
00:16:35,960 --> 00:16:37,400
Group owners.
500
00:16:37,400 --> 00:16:39,000
They know who still belongs.
501
00:16:39,000 --> 00:16:39,800
Frequency.
502
00:16:39,800 --> 00:16:41,080
Monthly for hot teams.
503
00:16:41,080 --> 00:16:42,520
Quarterly for the rest.
504
00:16:42,520 --> 00:16:43,560
Settings.
505
00:16:43,560 --> 00:16:46,120
If reviewer doesn't respond, remove access.
506
00:16:46,120 --> 00:16:47,480
Auto-apply results.
507
00:16:47,480 --> 00:16:48,840
No manual mercy.
508
00:16:48,840 --> 00:16:50,680
Guests who don't get renewed are gone.
509
00:16:50,680 --> 00:16:51,400
No drama.
510
00:16:51,400 --> 00:16:52,520
Just a clean cut.
511
00:16:52,520 --> 00:16:53,960
Notifications matter.
512
00:16:53,960 --> 00:16:56,280
Remind reviewers a week before.
513
00:16:56,280 --> 00:16:57,720
Three days before.
514
00:16:57,720 --> 00:16:58,680
Last day too.
515
00:16:58,680 --> 00:16:59,720
People forget.
516
00:16:59,720 --> 00:17:01,080
You automate the memory.
517
00:17:01,080 --> 00:17:02,280
Add a second review.
518
00:17:02,280 --> 00:17:05,240
Guests themselves confirm they still need access.
519
00:17:05,240 --> 00:17:06,600
Self-attestation.
520
00:17:06,600 --> 00:17:08,040
Owners approve.
521
00:17:08,040 --> 00:17:09,640
Two lights must turn green.
522
00:17:09,640 --> 00:17:10,840
Otherwise, darkness.
523
00:17:10,840 --> 00:17:13,400
Expiration policies.
524
00:17:13,400 --> 00:17:15,160
Group expiration.
525
00:17:15,160 --> 00:17:18,040
Set 180 days for project groups.
526
00:17:18,040 --> 00:17:19,400
Owners get renewal prompts.
527
00:17:19,400 --> 00:17:21,640
If nobody renews, the group retires.
528
00:17:21,640 --> 00:17:23,640
Backed up by retention if you need it.
529
00:17:23,640 --> 00:17:25,240
Guest account expiration.
530
00:17:25,240 --> 00:17:27,000
Use entitlement management.
531
00:17:27,000 --> 00:17:29,880
Access packages with time-bound assignments.
532
00:17:29,880 --> 00:17:31,400
60 or 90 days.
533
00:17:31,400 --> 00:17:33,400
Extensions require approval.
534
00:17:33,400 --> 00:17:35,240
No perpetual passes.
535
00:17:35,240 --> 00:17:38,120
Entitlement management is your concierge.
536
00:17:38,120 --> 00:17:41,000
Create a catalog for external collaboration.
537
00:17:41,000 --> 00:17:43,960
Build access packages per project or partner.
538
00:17:43,960 --> 00:17:44,840
Include the team.
539
00:17:44,840 --> 00:17:46,120
Include the SharePoint sites
540
00:17:46,120 --> 00:17:47,400
behind private channels.
541
00:17:47,400 --> 00:17:49,320
Include required apps.
542
00:17:49,320 --> 00:17:52,120
Define who can request: their domain,
543
00:17:52,120 --> 00:17:53,800
or just invited users.
544
00:17:53,800 --> 00:17:55,080
Approval workflow.
545
00:17:55,080 --> 00:17:56,680
Business owner signs off.
546
00:17:56,680 --> 00:17:58,040
Assignment duration.
547
00:17:58,040 --> 00:17:58,680
Fixed.
548
00:17:58,680 --> 00:17:59,480
Auto-remove.
549
00:17:59,480 --> 00:18:00,360
On expiry.
550
00:18:00,360 --> 00:18:01,560
That's the cut.
551
00:18:01,560 --> 00:18:02,760
Onboarding gets cleaner.
552
00:18:02,760 --> 00:18:04,360
Offboarding gets automatic.
553
00:18:04,360 --> 00:18:06,200
Audit trail writes itself.
554
00:18:06,200 --> 00:18:07,080
Every approval.
555
00:18:07,080 --> 00:18:08,120
Every extension.
556
00:18:08,120 --> 00:18:09,080
Every removal.
557
00:18:09,080 --> 00:18:10,040
You don't guess.
558
00:18:10,040 --> 00:18:11,320
You show receipts.
559
00:18:11,320 --> 00:18:13,480
Conditional access cleanup for guests.
560
00:18:13,480 --> 00:18:15,000
High-risk sign-in.
561
00:18:15,000 --> 00:18:16,040
Block.
562
00:18:16,040 --> 00:18:17,240
Medium-risk.
563
00:18:17,240 --> 00:18:19,240
Require password change.
564
00:18:19,240 --> 00:18:21,480
Risk comes from identity protection.
565
00:18:21,480 --> 00:18:23,080
Let it bite guests too.
566
00:18:23,080 --> 00:18:25,720
Because someone will try to borrow a guest's skin.
567
00:18:25,720 --> 00:18:26,520
Testing time.
568
00:18:26,520 --> 00:18:27,560
Invite a test guest.
569
00:18:27,560 --> 00:18:29,000
Make them redeem with MFA.
570
00:18:29,000 --> 00:18:32,200
If they slide past it, your guest policy missed the assignment.
571
00:18:32,200 --> 00:18:33,080
Fix the scope.
572
00:18:33,080 --> 00:18:34,680
Put them in the access package.
573
00:18:34,680 --> 00:18:36,520
Watch approval flow trigger.
574
00:18:36,520 --> 00:18:37,400
Owner approves.
575
00:18:37,400 --> 00:18:38,440
Assignment grants.
576
00:18:38,440 --> 00:18:39,560
They enter the team.
577
00:18:39,560 --> 00:18:41,000
Now check device gate.
578
00:18:41,000 --> 00:18:43,640
From an unmanaged desktop browser,
579
00:18:43,640 --> 00:18:46,360
try to open the private channel files.
580
00:18:46,360 --> 00:18:49,000
Should fail with compliant device required.
581
00:18:49,560 --> 00:18:51,320
On mobile unmanaged,
582
00:18:51,320 --> 00:18:55,080
Teams opens only with the approved app and app protection.
583
00:18:55,080 --> 00:18:58,920
Cut, paste, share: data lives in a sandbox.
584
00:18:58,920 --> 00:18:59,640
Good.
585
00:18:59,640 --> 00:19:00,840
Now age the guest.
586
00:19:00,840 --> 00:19:03,160
Shorten the clock to seven days in test.
587
00:19:03,160 --> 00:19:04,280
Let the review fire.
588
00:19:04,280 --> 00:19:05,720
Owner doesn't respond.
589
00:19:05,720 --> 00:19:08,040
Auto-remove drops the guest from the group.
590
00:19:08,040 --> 00:19:09,960
SharePoint site access revoked.
591
00:19:09,960 --> 00:19:10,840
Try sync again.
592
00:19:10,840 --> 00:19:11,880
Client breaks.
593
00:19:11,880 --> 00:19:12,920
Access denied.
594
00:19:12,920 --> 00:19:14,040
That's the sound you want.
595
00:19:14,040 --> 00:19:14,840
One more drill.
596
00:19:14,840 --> 00:19:16,040
Owner renews the group.
597
00:19:16,040 --> 00:19:17,640
But forgets the guest review.
598
00:19:17,640 --> 00:19:18,760
Guest falls out.
599
00:19:18,760 --> 00:19:19,960
Files still safe.
600
00:19:19,960 --> 00:19:21,320
Threads still visible.
601
00:19:21,320 --> 00:19:22,920
Only until the cache clears.
602
00:19:22,920 --> 00:19:24,520
Then the neon goes dark.
603
00:19:24,520 --> 00:19:26,280
Metrics, always.
604
00:19:26,280 --> 00:19:27,880
Number of active guests.
605
00:19:27,880 --> 00:19:29,480
Average guest age.
606
00:19:29,480 --> 00:19:31,240
Reviews completed on time.
607
00:19:31,240 --> 00:19:33,560
Auto-removals versus approved renewals.
608
00:19:33,560 --> 00:19:35,240
External sharing link counts.
609
00:19:35,240 --> 00:19:36,280
Private channel site.
610
00:19:36,280 --> 00:19:37,640
External access incidents.
611
00:19:37,640 --> 00:19:38,520
You want a slope.
612
00:19:38,520 --> 00:19:39,560
Downward.
613
00:19:39,560 --> 00:19:42,520
Because in this city, guests don't leave on their own.
614
00:19:42,520 --> 00:19:43,720
You escort them to the door.
615
00:19:43,720 --> 00:19:45,000
You take back the key.
616
00:19:45,000 --> 00:19:46,600
And you lock the door. Goodbye.
617
00:19:46,600 --> 00:19:47,560
Layer 4.
618
00:19:47,560 --> 00:19:49,880
Audit forensics and automated reporting.
619
00:19:49,880 --> 00:19:51,560
Purview plus UAL.
620
00:19:51,560 --> 00:19:53,160
Now we need truth.
621
00:19:53,160 --> 00:19:54,440
Cold timestamp.
622
00:19:54,440 --> 00:19:55,480
Signed by the system.
623
00:19:55,480 --> 00:19:57,160
Enable the unified audit log.
624
00:19:57,160 --> 00:19:58,760
If it's off, nothing exists.
625
00:19:58,760 --> 00:20:00,040
No retroactive memory.
626
00:20:00,040 --> 00:20:01,000
Turn it on in Purview.
627
00:20:01,000 --> 00:20:01,880
Confirm your role.
628
00:20:01,880 --> 00:20:02,600
Compliance.
629
00:20:02,600 --> 00:20:04,200
Audit Logs, or View-Only.
630
00:20:04,200 --> 00:20:06,040
Otherwise, you're staring through glass.
631
00:20:06,040 --> 00:20:07,800
Set retention to what you paid for.
632
00:20:07,800 --> 00:20:09,400
E3 gives you short memory.
633
00:20:09,400 --> 00:20:10,520
E5 stretches it.
634
00:20:10,520 --> 00:20:13,000
If you've got advanced audit, extend key events.
635
00:20:13,000 --> 00:20:15,000
High value crumbs last longer.
636
00:20:15,000 --> 00:20:17,080
Because investigations don't run on hope.
637
00:20:17,080 --> 00:20:18,520
They run on timestamps.
638
00:20:18,520 --> 00:20:20,200
Scope your watch list.
639
00:20:20,200 --> 00:20:21,960
Teams activity worth tracking.
640
00:20:21,960 --> 00:20:23,000
Member added.
641
00:20:23,000 --> 00:20:24,120
Member removed.
642
00:20:24,120 --> 00:20:25,160
Team created.
643
00:20:25,160 --> 00:20:26,280
Channel created.
644
00:20:26,280 --> 00:20:27,880
Private channel created.
645
00:20:27,880 --> 00:20:29,560
External user added.
646
00:20:29,560 --> 00:20:31,640
SharePoint file shared externally.
647
00:20:31,640 --> 00:20:34,280
Sharing link created or changed.
648
00:20:34,280 --> 00:20:35,880
Meeting recording uploaded.
649
00:20:35,880 --> 00:20:37,640
Sensitivity label changed.
650
00:20:37,640 --> 00:20:39,240
Those are doors opening.
651
00:20:39,240 --> 00:20:42,120
And sometimes closing too late.
652
00:20:42,120 --> 00:20:43,400
Queries first.
653
00:20:43,400 --> 00:20:46,600
Purview, Audit, activity filter.
654
00:20:46,600 --> 00:20:49,400
Start with added member to team.
655
00:20:49,400 --> 00:20:50,840
Find new blood.
656
00:20:50,840 --> 00:20:54,840
Add added member to SharePoint group for private channel sites.
657
00:20:54,840 --> 00:20:57,800
Because private channels punch a hole in a new wall.
658
00:20:57,800 --> 00:21:00,280
Crosscheck external user invited.
659
00:21:00,280 --> 00:21:03,800
Follow the guest from invite to entry to file touch.
660
00:21:03,800 --> 00:21:05,960
Chain the events.
661
00:21:05,960 --> 00:21:08,360
Build the story.
662
00:21:08,360 --> 00:21:10,280
Now file moves.
663
00:21:10,280 --> 00:21:13,640
Share file folder or site.
664
00:21:13,640 --> 00:21:15,720
External file accessed.
665
00:21:15,720 --> 00:21:17,640
Anonymous link created.
666
00:21:17,640 --> 00:21:19,400
Anonymous link used.
667
00:21:19,400 --> 00:21:22,600
If you see anyone links, that's a streetlight flicker.
668
00:21:22,600 --> 00:21:24,920
You tighten sharing or you bleed.
669
00:21:24,920 --> 00:21:26,280
Meeting traces.
670
00:21:26,280 --> 00:21:28,120
Meeting created.
671
00:21:28,120 --> 00:21:29,560
Recording started.
672
00:21:29,560 --> 00:21:32,440
Recording uploaded to OneDrive or SharePoint.
673
00:21:32,440 --> 00:21:34,040
Transcript created.
674
00:21:34,040 --> 00:21:36,520
Those artifacts carry secrets.
675
00:21:36,520 --> 00:21:38,200
Treat them like vault contents.
676
00:21:38,200 --> 00:21:41,560
Label them, hold them or expect a subpoena to find you first.
677
00:21:41,560 --> 00:21:43,080
Export the trail.
678
00:21:43,080 --> 00:21:45,000
CSV out to your SIEM.
679
00:21:45,000 --> 00:21:47,640
KQL if you're living in the cloud with Sentinel.
680
00:21:47,640 --> 00:21:49,000
Normalize fields.
681
00:21:49,000 --> 00:21:49,720
Actor.
682
00:21:49,720 --> 00:21:50,360
Target.
683
00:21:50,360 --> 00:21:51,240
Location.
684
00:21:51,240 --> 00:21:52,040
IP.
685
00:21:52,040 --> 00:21:52,680
App.
686
00:21:52,680 --> 00:21:55,080
Build detections that don't sleep.
687
00:21:55,080 --> 00:21:56,360
Patterns to flag.
688
00:21:56,360 --> 00:21:58,280
Guest added to private channel site.
689
00:21:58,280 --> 00:22:00,920
Within 24 hours, external links surged.
690
00:22:00,920 --> 00:22:02,800
That's a correlation you don't ignore.
691
00:22:02,800 --> 00:22:04,920
Owner flips default link type to anyone.
692
00:22:04,920 --> 00:22:07,240
Then a midnight spike in anonymous downloads.
693
00:22:07,240 --> 00:22:09,080
That's not maintenance.
694
00:22:09,080 --> 00:22:10,520
That's a siphon.
695
00:22:10,520 --> 00:22:12,040
Automate the bark.
696
00:22:12,040 --> 00:22:13,080
SIEM rule.
697
00:22:13,080 --> 00:22:17,000
If external sharing enabled on a private channel site.
698
00:22:17,000 --> 00:22:19,400
Send high priority alert.
699
00:22:19,400 --> 00:22:23,640
If external user added and "require MFA for guests"
700
00:22:23,640 --> 00:22:25,400
not satisfied at sign-in,
701
00:22:25,400 --> 00:22:26,840
Page on call.
702
00:22:26,840 --> 00:22:30,760
If anonymous link created count exceeds X in an hour,
703
00:22:30,760 --> 00:22:34,920
disable anyone links tenant-wide. Wire a response playbook.
704
00:22:34,920 --> 00:22:35,960
Temporary.
705
00:22:35,960 --> 00:22:36,920
Surgical.
706
00:22:36,920 --> 00:22:38,440
Then investigate.
707
00:22:38,440 --> 00:22:40,280
Work flow matters.
708
00:22:40,280 --> 00:22:41,160
Prepare.
709
00:22:41,160 --> 00:22:42,520
You've written the runbook.
710
00:22:42,520 --> 00:22:43,800
Who triages.
711
00:22:43,800 --> 00:22:45,000
Who contains.
712
00:22:45,000 --> 00:22:46,280
Who calls legal.
713
00:22:46,280 --> 00:22:47,640
It's all inked.
714
00:22:47,640 --> 00:22:48,680
Triage.
715
00:22:48,680 --> 00:22:50,360
Confirm the signal.
716
00:22:50,360 --> 00:22:53,320
Is it a policy drift or a human pulling a fast one?
717
00:22:53,320 --> 00:22:54,920
Don't waste minutes on ghosts.
718
00:22:54,920 --> 00:22:55,720
Contain.
719
00:22:55,720 --> 00:22:57,160
Remove guest from group.
720
00:22:57,160 --> 00:22:59,560
Kill shared links at the site.
721
00:22:59,560 --> 00:23:03,480
Flip site sharing down to existing guests.
722
00:23:03,480 --> 00:23:05,560
Lock the room while you count heads.
723
00:23:05,560 --> 00:23:06,760
Eradicate. Find the root.
724
00:23:06,760 --> 00:23:09,240
Was this an owner shortcut or a policy gap?
725
00:23:09,240 --> 00:23:10,120
Close it.
726
00:23:10,120 --> 00:23:11,320
Document the patch.
727
00:23:11,320 --> 00:23:13,240
No silent fixes.
728
00:23:13,240 --> 00:23:14,280
Recover.
729
00:23:14,280 --> 00:23:16,360
Restore access the right way.
730
00:23:16,360 --> 00:23:17,880
Access packages.
731
00:23:17,880 --> 00:23:19,720
Specific links only.
732
00:23:19,720 --> 00:23:21,000
Expire them.
733
00:23:21,000 --> 00:23:23,240
Make the owner feel the difference.
734
00:23:23,240 --> 00:23:24,520
Post-incident.
735
00:23:24,520 --> 00:23:25,720
Write the ledger.
736
00:23:25,720 --> 00:23:26,520
Timeline.
737
00:23:26,520 --> 00:23:27,560
Actors.
738
00:23:27,560 --> 00:23:29,000
Controls that fired.
739
00:23:29,000 --> 00:23:30,440
Controls that failed.
740
00:23:30,440 --> 00:23:31,560
Decisions made.
741
00:23:31,560 --> 00:23:32,760
Evidence preserved.
742
00:23:32,760 --> 00:23:34,840
Share it with the few who must know.
743
00:23:34,840 --> 00:23:36,760
Lessons fold back into policy.
744
00:23:36,760 --> 00:23:38,360
Dashboards help you breathe.
745
00:23:38,360 --> 00:23:39,800
Build one for leadership.
746
00:23:39,800 --> 00:23:40,600
No fluff.
747
00:23:40,600 --> 00:23:41,960
DLP hits this week.
748
00:23:41,960 --> 00:23:42,840
Guest count.
749
00:23:42,840 --> 00:23:43,800
Trend line.
750
00:23:43,800 --> 00:23:47,000
External link inventory by sensitivity label.
751
00:23:47,000 --> 00:23:48,840
Top teams by guest density.
752
00:23:48,840 --> 00:23:51,240
Private channel sites with external access.
753
00:23:51,240 --> 00:23:52,520
Mean time to triage.
754
00:23:52,520 --> 00:23:53,560
Mean time to contain.
755
00:23:53,560 --> 00:23:54,840
Green turns to yellow.
756
00:23:54,840 --> 00:23:56,360
Yellow to red.
757
00:23:56,360 --> 00:23:57,560
People look.
758
00:23:57,560 --> 00:23:58,840
People act.
759
00:23:58,840 --> 00:24:00,600
Schedule compliance reports.
760
00:24:00,600 --> 00:24:02,040
Weekly to security.
761
00:24:02,040 --> 00:24:03,320
Monthly to legal.
762
00:24:03,320 --> 00:24:04,680
Quarterly to audit.
763
00:24:04,680 --> 00:24:05,880
Automate the pull.
764
00:24:05,880 --> 00:24:07,960
Don't rely on a calendar and a coffee.
765
00:24:07,960 --> 00:24:10,840
Tabletop the two scars we opened earlier.
766
00:24:10,840 --> 00:24:12,040
Guest lingerer case.
767
00:24:12,040 --> 00:24:13,240
Replay the audit trail.
768
00:24:13,240 --> 00:24:14,840
Where did the log first whisper?
769
00:24:14,840 --> 00:24:16,040
Who should have seen it?
770
00:24:16,040 --> 00:24:18,040
Run it again with your new detections.
771
00:24:18,040 --> 00:24:19,400
Make sure the bark is loud.
772
00:24:19,400 --> 00:24:20,760
PII paste case.
773
00:24:20,760 --> 00:24:21,880
Trace DLP alert.
774
00:24:21,880 --> 00:24:23,080
Trace user override.
775
00:24:23,080 --> 00:24:24,200
Trace email export.
776
00:24:24,200 --> 00:24:26,040
Confirm the chain of custody holds.
777
00:24:26,040 --> 00:24:27,000
Then try to break it.
778
00:24:27,000 --> 00:24:27,880
Delete a message.
779
00:24:27,880 --> 00:24:29,720
Does retention keep the shadow?
780
00:24:29,720 --> 00:24:31,320
If yes, you're ready for court.
781
00:24:31,320 --> 00:24:32,920
If not, fix the hold.
782
00:24:32,920 --> 00:24:35,080
Because in this city stories win.
783
00:24:35,080 --> 00:24:37,800
But only when the ledger backs them.
784
00:24:37,800 --> 00:24:38,840
Layer five.
785
00:24:38,840 --> 00:24:42,520
Retention and legal hold that survives scrutiny.
786
00:24:42,520 --> 00:24:44,680
Now we freeze the echoes.
787
00:24:44,680 --> 00:24:45,960
So evidence doesn't vanish.
788
00:24:45,960 --> 00:24:48,040
So cleanup doesn't become spoliation.
789
00:24:48,040 --> 00:24:49,240
Map the data.
790
00:24:49,240 --> 00:24:50,280
Teams chat.
791
00:24:50,280 --> 00:24:51,720
Channel posts.
792
00:24:51,720 --> 00:24:54,120
Files in SharePoint and OneDrive.
793
00:24:54,120 --> 00:24:55,880
Meeting recordings and transcripts.
794
00:24:55,880 --> 00:24:57,080
All different pipes.
795
00:24:57,080 --> 00:24:57,880
One story.
796
00:24:57,880 --> 00:24:59,000
Open Purview.
797
00:24:59,000 --> 00:25:00,040
Retention.
798
00:25:00,040 --> 00:25:02,360
Create policies for Teams messages.
799
00:25:02,360 --> 00:25:03,480
Set minimum keep.
800
00:25:03,480 --> 00:25:06,120
Two to seven years fits most regs.
801
00:25:06,120 --> 00:25:08,280
No delete before; no user purge.
802
00:25:08,280 --> 00:25:10,280
For files, align to your rule book:
803
00:25:10,280 --> 00:25:13,720
finance longer, general shorter. Label where you can.
804
00:25:13,720 --> 00:25:15,640
Let the label drive the clock.
805
00:25:15,640 --> 00:25:17,400
Legal hold next.
806
00:25:17,400 --> 00:25:18,760
eDiscovery Premium.
807
00:25:18,760 --> 00:25:19,960
If you have it.
808
00:25:19,960 --> 00:25:21,160
Create a case.
809
00:25:21,160 --> 00:25:22,680
Add custodians.
810
00:25:22,680 --> 00:25:25,880
Add sites for hot teams and private channels.
811
00:25:25,880 --> 00:25:28,360
Place hold. Holds override deletion.
812
00:25:28,360 --> 00:25:30,680
That's the steel bar on the archive door.
813
00:25:30,680 --> 00:25:32,360
Less is more after that.
814
00:25:32,360 --> 00:25:35,000
Outside the hold, delete what you don't need.
815
00:25:35,000 --> 00:25:37,240
Short retention trims blast radius.
816
00:25:37,240 --> 00:25:39,320
You can't leak what you don't hold.
817
00:25:39,320 --> 00:25:40,680
Audit the process.
818
00:25:40,680 --> 00:25:42,440
Export hold actions.
819
00:25:42,440 --> 00:25:43,880
Log who placed it.
820
00:25:43,880 --> 00:25:44,440
Why?
821
00:25:44,440 --> 00:25:45,000
When?
822
00:25:45,000 --> 00:25:46,120
Scope.
823
00:25:46,120 --> 00:25:48,040
Maintain chain of custody notes.
824
00:25:48,040 --> 00:25:49,160
Prove it.
825
00:25:49,160 --> 00:25:51,320
Delete a message in a held channel.
826
00:25:51,320 --> 00:25:52,120
Search the case.
827
00:25:52,120 --> 00:25:53,160
It's still there.
828
00:25:53,160 --> 00:25:54,840
Delete a file on a held site.
829
00:25:54,840 --> 00:25:57,000
The preservation copy answers.
830
00:25:57,000 --> 00:25:58,440
Discovery runs.
831
00:25:58,440 --> 00:25:59,640
Ledger sings.
832
00:25:59,640 --> 00:26:00,520
Walls.
833
00:26:00,520 --> 00:26:01,560
Drains.
834
00:26:01,560 --> 00:26:02,280
Ledger.
835
00:26:02,280 --> 00:26:04,280
Hold. System breathes.
836
00:26:04,280 --> 00:26:05,640
Key truth?
837
00:26:05,640 --> 00:26:06,520
Defaults.
838
00:26:06,520 --> 00:26:07,560
Trust too much.
839
00:26:07,560 --> 00:26:09,320
And your tenant bleeds for it.
840
00:26:09,320 --> 00:26:10,760
Lock this down now.
841
00:26:10,760 --> 00:26:12,280
Run the five layers.
842
00:26:12,280 --> 00:26:13,240
Test them.
843
00:26:13,240 --> 00:26:14,040
Watch alerts
844
00:26:14,040 --> 00:26:15,800
bark and logs line up.
845
00:26:15,800 --> 00:26:17,240
Subscribe if this helped.
846
00:26:17,240 --> 00:26:20,040
Then open the next walkthrough on Zero Trust Teams
847
00:26:20,040 --> 00:26:21,240
with app control.