Recover Deleted items in Exchange online (Microsoft office 365)

Image
  In Exchange online we provide 3 layers of Recovery so that messages can be recovered Deleted Items Folder Recover Deleted Items Folder Purges Folder     Deleted Items Folder When a mail is deleted(normal Delete not shift Delete) its moved to Deleted Items folder and its present there until, either we manually delete the messages from there or its deleted automatically as per the Retention Policy of the Organization(default value is 30 days)   Recover Deleted Items Folder   When a mail is Shift deleted(hard deleted), or deleted from Deleted items or removed from deleted items by the Retention policy, its moved to the Recover Deleted Items Folder and it remains there for next 14 days (can be extended to 30 days).   There are 2 folders under Recovery Deleted Items Deleted Folder(its not the normal Deleted folder in the mailbox) Purges Folder    When the mail is present in Recovery Deleted Items(Deleted folder) i

Restrict Access (View only) to org data on Windows 10 Personal device (BYOD)

One of the recent need from the client was as follows :-

He has 3 types of Employees working in his organization. 

1. Company Employees (on-Payroll) - Company owned device

2. Outsourced Consultants - Accessing org data on Payroll org device (non client owned devices)

3. Guest users 

Need

Company employees should have full access to org data on Company owned devices, however if they access org data from their personal device it should be View only.

Consultant - They can access the Data on the device but cannot save anything on device.

Guest - They should have view only access and not able to save anything on device. 

This above should be applicable to Email, One Drive,  SharePoint & Teams Data. 


Solution - 

Step 1 -  Enable limited Access.

Step 2 - Create a conditional access policy for EXO with device and browser based condition to apply app restriction policy.

Step 3 - modify the Sharepoint limited access policy and add the device exception.

Step 4 - Create a policy for guest users to allow access on browser only and apply app condition to block download.

Non-Microsoft Browser is not supported and users will get limited access only. 

After creating  the above policies we were getting issues :- 

Even on the corporate owned devices we were getting limited access and the download/Sync of One Drive for business was not stopped.

We tried Edge and it was the same experience. While looking for the cause for the error we discovered this

Browser is not sending "Device State" Status to Azure AD, resulting this error.

To Fix this we signed in to Edge browser using end users Microsoft 365 account credentials, this fixed the issue.

In order to ensure all the users are signed into Edge we created a policy. 

Create - 

  • Windows 10 configuration policy 
  • Administrative Templates 
  • Select the Edge policies and select the Settings as per the image. 


This helped us to fix the issue across the org.

Comments

Popular posts from this blog

Error - AttributeValueMustBeUnique in Azure AD connect sync

Add members to office 365 Security Group Using PowerShell and CSV

Error - QuarantinedAttributeValueMustBeUnique

Analyze Office 365 Message headers

Enforce MFA using CSV