Get All AIP encrypted files - SharePoint Online

Ravikaran Patel -
One of the recent project merger and acquisition.  Technology - M365 tenant to Tenant migration Areas of consolidation 1. Mailboxes  2. SharePoint online data 3. OneDrive for Business data 4. Teams data migration 5. Security and Compliance Migration  Area of concern from security and compliance side was the encrypted files within EXO, SPO, Teams, ODB. Issue with encrypted data migration - end users will not be able to access the documents once the Source tenant is decommissioned.   Solution available -  Ask end users to unencrypt the data before migration  Alternet Solution - 1. Decrypt the files, mails using eDiscovery - This will give us output in PST format will is available for offline access, but the data in source will still be encrypted.  Decryption in eDiscovery - Microsoft Purview (compliance) | Microsoft Docs   2. Use Get-AIPfileLabel and Get-AIPFileLabel but in order to use this you must be aware of all the files paths.  Challenges -  1. We do not want end user intervention
5 comments

How to block employee access to Office 365 data

Ravikaran Patel -

"What do I do to protect data when an employee leaves the organization?" and "How do I block a former employees access to Office 365 after they leave?"
IMPORTANT: The steps in this article are for Office 365 Business Essentials, Office 365 Business Premium and Office 365 Enterprise.
A quick overview of the of the process looks like this:
  • Block employee access to Office 365 data.
  • (Optional) Get access to the data of the former employee.
  • (Optional) Send the former employee's email to another employee.
  • Delete the former employee's user account.
IMPORTANT: You need to be a member of the Office 365 global admin role to perform the steps in this topic. Make sure the user that performs these steps has the right permissions to complete these steps.
Block employee access to Office 365 data
The first thing you'll want to do is block the former employee from logging in and accessing Office 365 data. There are a few steps you'll want to take to make this happen.
  1. Sign in to Office 365 with your work or school account.
  2. Go to the Office 365 admin center.
  3. Go to Users > Active Users. Select the employee that you want to block, and then click EditEdit.
  4. Click the Settings tab, and under Set sign-in status, select Blocked, and then Save.
NOTE: If you block a user from having sign-in access to Office 365, it might take as long as 24 hours to take effect on all that user’s devices and clients. Also, make sure that you remove or disable the user from your on-premises Blackberry Enterprise Service. You should also disable any Blackberry devices for the user. Refer to the Blackberry Business Cloud Services Administration Guide if you need specific steps on how to disable the user.
Stop access to Exchange Online
If you have Exchange Online as part of your Office 365 subscription, you need to log in to the Exchange admin center to follow these steps to block your former employee from accessing their email.
  1. Sign in to Office 365 with your work or school account.
  2. Go to the Office 365 admin center.
  3. In the lower-left navigation pane, expand Admin and select Exchange.

  1. In the Exchange admin center, navigate to Recipients > Mailboxes.
  2. Select the user, and on the user properties page, under Mobile Devices, select or click Disable Exchange ActiveSync and Disable OWA for Devices, and Disable email connectivity.
  3. Under Email Connectivity, select Disable.
Wipe and block the former employee's mobile device
If your former employee had a company phone, you can use the Exchange Admin Center to wipe and block that device so that all company data is removed from the device and so that device can no longer connect to Office 365
  1. Sign in to Office 365 with your work or school account.
  2. Go to the Office 365 admin center.
  3. In the lower-left navigation pane, expand Admin and select Exchange.

  1. In the Exchange admin center, navigate to Recipients > Mailboxes.
  2. Select the user, and under Mobile Devices, choose View details.
  3. On the Mobile Device Details page, under Mobile devices, select the mobile device, select Wipe Data, and then select Block.
  4. Select Save.
Get access to the data of the former employee
The next thing you'll want to do is preserve the email and business documents or files created by the former employee, and make them available to your new employee or others in your organization. Learn more about individual document storage in What is OneDrive for Business.
To gain access to a former employee’s OneDrive for Business documents, you can sign in to Office 365 as that user (which can require first changing that user’s password), then move those files to an easily accessible location. Or, you can take over the former employee’s OneDrive for Business, and move the files yourself. The following steps explain this approach.
To gain access to a former employee's email, you'll want to export the user's Outlook email information to a .pst file and then import it into another employee's Outlook inbox.
Part 1 – Get access to the former employee’s OneDrive for Business documents
  1. Sign in to Office 365 with your work or school account.
  2. Go to the Office 365 admin center.
  3. In the lower-left navigation, expand Admin, and select SharePoint.

  1. Choose user profiles.
  2. Choose Manage User Profiles.
  3. Search for the former employee’s name (use their alias or full name).
  4. Select the drop-down menu beside their name, and choose Manage site collection owners.

  1. In the Site Collection Administrators field, add your name, the administrator’s name (see the example below), or the future employee’s name (if known).

  1. Scroll down, and select OK.
Part 2 – Copy the former employee’s OneDrive for Business documents to a shared location
  1. With the former employee’s name selected under Manage User Profiles, select the drop-down menu again, and select Manage Personal Site.

NOTE: This is a shortcut to the OneDrive for Business site. Alternatively, you can enter: https://<company_name>-my.sharepoint.com/personal/<employee>_<company name>_onmicrosoft_com.
  1. Select Documents in the left navigation.

  1. You should see your former employee’s OneDrive for Business documents.

  1. From here, copy them to your own OneDrive for Business or a common location, like your team site.
There are a few ways to copy files in Office 365. See Video: Set up document storage and sharing in Office 365 orSync OneDrive for Business files locally, and then upload those files to your OneDrive for Business or your team site.
Part 3 - Get access to the Outlook information of the former employee
To save the email messages, calendar, tasks, and contacts of the former employee, export the information to an Outlook Data File (.pst).
  1. Click File > Open & Export > Import/Export.

  1. Click Export to a file, and then click Next.

  1. Click Outlook Data File (.pst), and then click Next.
  2. Select the account you want to export by clicking the name or email address, such as Mailbox – Anne Weileror anne@contoso.com. If you want to export everything in your account, including mail, calendar, contacts, tasks, and notes, make sure the Include subfolders check box is selected.
NOTE:  You can export one account at a time. If you want to export multiple accounts, after one account is exported, repeat these steps.

  1. Click Next.
  2. Click Browse to select where to save the Outlook Data File (.pst). Type a file name, and then click OK to continue.
NOTE:  If you’ve used export before, the previous folder location and file name appear. Type a different file name before clicking OK.
  1. If you are exporting to an existing Outlook Data File (.pst), under Options, specify what to do when exporting items that already exist in the file.
  2. Click Finish.
Outlook begins the export immediately unless a new Outlook Data File (.pst) is created or a password-protected file is used.
  1. If you’re creating an Outlook Data File (.pst), an optional password can help protect the file. When the Create Outlook Data File dialog box appears, type the password in the Password and Verify Password boxes, and then click OK. In the Outlook Data File Password dialog box, type the password, and then click OK.
  2. If you’re exporting to an existing Outlook Data File (.pst) that is password protected, in the Outlook Data File Password dialog box, type the password, and then click OK.
Check out Export or backup email, contacts, and calendar to an Outlook .pst file for the steps for Outlook 2010.
Part 4 - Give access of former employee's email to another user
To give access of the email messages, calendar, tasks, and contacts of the former employee to another employee, import the information to another employee's Outlook inbox.
  1. Click File > Open & Export > Import/Export.
This starts the Import and Export Wizard.
  1. Choose Import from another program or file, and then click Next.

  1. Choose Outlook Data File (.pst), and click Next.
  2. Browse to the .pst file you want to import.
  3. Under Options, choose how you want to deal with duplicates
  4. Click Next.
  5. If a password was assigned to the Outlook Data File (.pst), enter the password, and then click OK.
  6. Set the options for importing items. The default settings usually don’t need to be changed.
  7. Click Finish.
 
Send the former employee's new email to another employee
These steps are optional, but you can send any new email to the former employee's email address to another person by adding the former employee's email address to a secondary employee. By doing this, any new emails sent to the former employee's email address will be sent to the employee you specify.
  1. Sign in to Office 365 with your work or school account.
  2. Go to the Office 365 admin center.
  3. Go to Admin > Users > Active users.
  4. On the Active users page, select the check box next to the user, click Edit Edit, and then click the email addresses tab.
  5. On the Manage email addresses tab, in the text box under Add more email address, type the first part of the new email alias. If you added your own domain to Office 365, you can choose the domain for the new email alias by using the drop-down list.
  6. Next to the email alias you want to add, click Add.
  7. When you're done, click Save.
Remove license from employee
The next step, you'll want to take is to remove the Office 365 license from your former employee. When you remove the license, all that user's data is held for 30 days. After 30 days, all the user's data (except for documents stored on SharePoint Online) is deleted from Office 365 and can't be recovered. If you reassign a license to the user within 30 days, the user's mailbox and data will be saved. Once you remove the license from this user, their license becomes available for another user.
NOTE: All additional email addresses that go with this user are also deleted. If you need someone to receive emails, assign the email address to another user.
NOTE: The user's Lync Online Contacts list may also be deleted. If you restore the Exchange Online license within 30 days, the Contacts list will be restored as well. For more information, see Removing a user’s license for Exchange Online may also remove their Lync Online Contacts list.
  1. Sign in to Office 365 with your work or school account.
  2. Go to the Office 365 admin center.
  3. Select Users > Active Users.
  4. Check the box for your former employee.
  5. Click Edit Edit

  1. Select Licenses.

  1. Under Assign licenses, clear the box for the former employee to remove the license.
  2. Click Save.
Delete the former employee's user account
After you've saved and accessed all the former employee's user data, you can delete the former employee's account.
  1. Sign in to Office 365 with your work or school account.
  2. Go to the Office 365 admin center.
  3. Go to Users > Active Users.
  4. Choose the names of the users that you want to delete, and then select DELETE Delete.
  5. In the confirmation box, select Yes.
When you delete a user, the user becomes inactive. However, for approximately 30 days after you have deleted the user, you can restore the user.
 
Reference –
https://support.office.com/en-us/article/Remove-a-former-employee-from-Office-365-44d96212-4d90-4027-9aa9-a95eddb367d1?ui=en-US&rs=en-US&ad=US
https://www.cloudsupport.help/hc/en-us/articles/218958227-How-to-block-employee-access-to-Office-365-data
 

Comments

Post a Comment

Popular posts from this blog

Error - AttributeValueMustBeUnique in Azure AD connect sync

Ravikaran Patel -
My customer had already created accounts in office 365 and managing them in Azure, however due to some changes in business they wanted to sync AD with Azure to sync Password and Manage Identity form AD. Solution - Deploy Azure AD connect on ADDC, and post that it will do a Soft Match. However there were error with some users, their identities did not sync and their status still reflected as Azure AD. Error -  Unable to update this object because the following attributes associated with this object have values that may already be associated with another object in your local directory services: [ProxyAddresses SMTP:user@domain.com;].  Correct or remove the duplicate values in your local directory.  Please refer to http://support.microsoft.com/kb/2647098 for more information on identifying objects with duplicate attribute values. Tracking Id: b8367c95-ae67-46e1-xxxx-xxxxxxxxxx ExtraErrorDetails: [{"Key":"ObjectId","Value":["cd088468-bb6a-4
Read more

Error - QuarantinedAttributeValueMustBeUnique

Ravikaran Patel -
Case History. 1. Client already had users created in office 365 2. Client wanted to setup SSO for office 365 users Approach for requirement fullfilment   1. Deployed and configured Azure AD connect      95% users were synced and soft match was successfully done  5% users were getting error - QuarantinedAttributeValueMustBeUnique  (to view the sync issues -  https://aad.portal.azure.com/#blade/Microsoft_Azure_ADHybridHealth/AadHealthMenuBlade/SyncErros )  When we checked 2 users were found under Active users  1. one in Cloud (this was created earlier/ already existed ) with active licenses and Mailbox 2. one unlicensed synced with AD Solution - 1. Delete the unwanted user in Azure or AD as per this document.  https://blogs.msdn.microsoft.com/hkong/2017/03/23/how-to-fix-attributevaluemustbeunique-error-message-when-trying-to-sync-an-object-from-on-premises-active-directory-to-office-365/   but  If we delete the user in Azure we will loose
Read more

Add members to office 365 Security Group Using PowerShell and CSV

Ravikaran Patel -
Step 1. Create a CSV file with a column “UserPrincipalName” and add all users under it who are to be added as a member of the group. Note – Sign In address need to be added under the userPrincipleName. Step 2.  Run The below command. $sub = Import-Csv C:\RAhul\sspruser.com.csv   csv   {enter the Path of same/Step1 CSV that was created by you with users details} $sub | Foreach {Get-Msoluser -UserPrincipalName $_.Userprincipalname | select Objectid } | Export-csv C:\RAhul\sspruser.com.csv This will convert the user’s identity to their unique guid details, and export it to the same CSV file. Step 3. Collect the guid ID of the security group. The below command will help with the object ID of the Group. Get-MsolGroup -all | where-object { $_.DisplayName -eq "SSPRSecurityGroupUsers"} | FL I have my object ID as below. ObjectId                  : XXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX Step 4. Run the below command to Add members in the CS
Read more

Enforce MFA using CSV

Ravikaran Patel -
Step 1. Connect-MsolService Step 2. Run the following commands. $auth = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement $auth.RelyingParty = "*" Step 3. Choose the MFA State. You can choose between "Enabled" and "Enforced" $auth.State = "Enabled" Step 4: Choose the date . Any devices issued for a user before this date would require MFA setup. Normally, we would select the date of running the command. $auth.RememberDevicesNotIssuedBefore = (Get-Date) Step 5. Activate MFA. For one user Set-MsolUser -UserPrincipalName <UserPrincipalName> -StrongAuthenticationRequirements $auth Using CSV- Create a CSV with column UserPrincipalName and place users under this column. Import-Csv C:\RAhul\userMFA.csv | Get-MsolUser | Foreach{ Set-MsolUser -UserPrincipalName $_.UserPrincipalName -StrongAuthenticationRequirements $auth}
Read more

Analyze Office 365 Message headers

Ravikaran Patel -
Image
How to get the message headers? From outlook. i. Double click on the mail “This will open the mail in new window” ii. Go to File option in the tool bar. iii. File > Info > Properties In the new pop up window copy all the contents available under “Internet Header” option. From OWA a. Open the mail b. Click on dropdown option available under “reply all” option c. Under the dropdown options select “Message Properties”. Once you have the message headers, open search “EXRCA” on Internet or open https://testconnectivity.microsoft.com/ Once you are the Microsoft remote connectivity site is opened select the option “Message Analyzer” Paste the copied/saved header under “Insert the message header you would like to analyze” and click on analyze. You will see the results in the below order. ·          Summary will give the overview of the mail like o    Subject o    From , To , …etc ·         
Read more