Organizations can utilize available M365 tools to ensure information segregation for compliance with regulatory requirements. One such tool is Information Barriers, which are covered in this blog post.
Another objective not addressed by Information Barriers is ensuring that eDiscovery Managers cannot breach these barriers when conducting Content Searches within the Compliance Center.
This document also outlines Compliance Boundaries as another method for segregating information.
Compliance Boundaries Overview
In the M365 Compliance Center, the eDiscovery Manager Role grants Compliance officers unrestricted access to search all locations within a tenant. Additionally, eDiscovery Managers can view all discovered files, including those in sensitive mailboxes or document libraries intended for specific audiences. This behavior is intentional and necessary for eDiscovery Content Searches, as the ability to access all information within a tenant is crucial.
That unrestricted reach, however, conflicts with information segregation requirements. To address this, Microsoft introduced the Compliance Boundaries concept and a set of specific features to enforce these boundaries. These features complement other organizational segmentation tools such as Information Barriers but do not replace them; they work in conjunction with Information Barriers and other segmentation features.
Compliance Security Filters
Compliance Security Filters offer a mechanism for segmenting data by country, region, business/organizational unit, or department, thereby setting boundaries for eDiscovery Content Searches.
In addition to ensuring organizational compliance, judicious implementation of Compliance Security Filters can help prevent the overwhelming influx of data returned by Content Searches. This, in turn, assists eDiscovery officers by reducing the volume of data they need to review.
An easy way to conceptualize Compliance Security Filters is by likening them to the views applied to a SharePoint List. Just as a View Filter in a SharePoint List fetches only items that match specific criteria, Compliance Security Filters provide access only to a restricted view of data.
While List Views offer logical data segregation and allow for criteria modification, Compliance Security Filters enforce security criteria to control access to data.
Workloads & Locations
Compliance Security Filters can be applied to the following workloads & features:
Exchange mailboxes, including Inactive mailboxes (special configurations apply, see below)
SharePoint Sites
OneDrive Sites
Compliance Security Filters are implemented within a single Tenant and cannot be applied across different tenants.
M365 Compliance Boundaries, on the other hand, can be implemented for geographical locations, with the barriers imposed at the datacenter boundaries.
Security Filters are created for a specific location within a specific workload. This means you need to explicitly create filters for SharePoint Sites and for the mailboxes.
Planning Compliance Boundaries
To plan Compliance Boundaries effectively, start by creating a comprehensive list of the users, departments, mailboxes, Sites, and role groups that require segregation.
Next, define the specific actions that will be restricted across these boundaries when conducting eDiscovery Searches. These actions typically include Export, Preview, Purge, Search, and All. By clearly defining these restrictions, you can ensure that sensitive data remains protected and compliant with regulatory requirements.
Scalability of Compliance Security Filters
M365 does not set an upper limit on the number of Compliance Security Filters for a tenant.
However, it's important to note that performance may degrade after configuring approximately 100 Security Filters.
The degradation depends solely on the number of Security Filter objects created within a tenant.
Creating many compound rules within each Security Filter does not affect performance.
Under the Hood
When executing an eDiscovery Content Search, M365 combines the search query with the configured Security Filter query using the "AND" operator. This ensures that the search results adhere to both the criteria specified by the eDiscovery Manager and the restrictions imposed by the Security Filters.
Multiple Filters
M365 combines multiple Security Filters using "OR" operators.
"In a Content Search query, multiple permissions filters are combined by OR Boolean operators. So results will be returned if any of the filters are true. In a Content Search, all filters (combined by OR operators) are then combined with the search query by the AND operator."
You can create multiple filters of the same type. For example:
"Mailbox_CustomAttribute10 -eq 'FTE' -and Mailbox_MemberOfGroup -eq '$($DG.DistinguishedName)'"
Using a filters list to combine filter types:
A filters list includes a mailbox filter and a site filter separated by a comma. This is the only supported method for combining different types of filters. In the following example, notice that a comma separates the Mailbox and Site filters:
-Filters "Mailbox_CustomAttribute10 -eq 'OttawaUsers'", "Site_Path -like 'https://contoso.sharepoint.com/sites/doctors*'"
When a filter containing a filters list is processed during a content search, two search permissions filters are created: one for each filter separated by a comma. For example, in the previous example, one mailbox search permissions filter and one site search permissions filter would be created.
Each component of a filters list can contain a complex filter syntax.
For example, the mailbox and site filters can contain multiple filters separated by an -or operator:
-Filters "Mailbox_Department -eq 'CohoWinery' -or Mailbox_CustomAttribute10 -eq 'CohoUsers'", "Site_ComplianceAttribute -eq 'CohoWinery' -or Site_Path -like 'https://contoso.sharepoint.com/sites/CohoWinery*'"
Plan Security Filters to combine multiple workloads and compound criteria to enhance scalability.
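The composition rule described in this section, modelled as an added example (not code from the original post or from Microsoft): the function selects the filters that apply to a searcher and action, ORs their clauses, and ANDs the result with the search query. The sample filters, the query and the function name Get-EffectiveSearchQuery are constructed for illustration; property names are assumed to match Get-ComplianceSecurityFilter output, and role group membership is not resolved.

```powershell
# Added example: a model of the composition rule, not Microsoft's implementation.
# Constructed sample data; property names (FilterName, Users, Filters, Action)
# are assumed to match Get-ComplianceSecurityFilter output.
$sampleFilters = @(
    [pscustomobject]@{ FilterName = 'CohoMail'; Action = 'All'
        Users   = @('Coho Winery eDiscovery Managers')
        Filters = @("Mailbox_Department -eq 'CohoWinery'") }
    [pscustomobject]@{ FilterName = 'CohoSites'; Action = 'Search'
        Users   = @('Coho Winery eDiscovery Managers')
        Filters = @("Site_Path -like 'https://contoso.sharepoint.com/sites/CohoWinery*'") }
    [pscustomobject]@{ FilterName = 'DoctorsPreview'; Action = 'Preview'
        Users   = @('All')
        Filters = @("Site_Path -like 'https://contoso.sharepoint.com/sites/doctors*'") }
)

function Get-EffectiveSearchQuery {
    param(
        [Parameter(Mandatory)] [object[]] $SecurityFilter,
        [Parameter(Mandatory)] [string]   $Principal,      # user or role group name
        [Parameter(Mandatory)] [string]   $SearchQuery,
        [ValidateSet('Export', 'Preview', 'Purge', 'Search')]
        [string] $SearchAction = 'Search'
    )
    # A filter applies when it names the principal (or 'All') and covers the action (or 'All').
    $applicable = @($SecurityFilter | Where-Object {
        ($_.Users -contains $Principal -or $_.Users -contains 'All') -and
        ($_.Action -in @($SearchAction, 'All'))
    })
    if ($applicable.Count -eq 0) {
        return "($SearchQuery)"    # no filter applies: the search is not restricted
    }
    # Every clause of every applicable filter is OR'ed, then AND'ed with the query.
    $clauses = $applicable | ForEach-Object { $_.Filters } | ForEach-Object { "($_)" }
    return "($SearchQuery) AND (" + ($clauses -join ' OR ') + ")"
}

# Search action: CohoMail (Action All) and CohoSites (Action Search) are OR'ed.
Get-EffectiveSearchQuery -SecurityFilter $sampleFilters -SearchQuery 'subject:"merger"' `
    -Principal 'Coho Winery eDiscovery Managers'
# Preview action: the tenant-wide DoctorsPreview filter is OR'ed in and widens the scope.
Get-EffectiveSearchQuery -SecurityFilter $sampleFilters -SearchQuery 'subject:"merger"' `
    -Principal 'Coho Winery eDiscovery Managers' -SearchAction Preview
```

Because filters are OR'ed, a filter assigned to All extends what every narrowly scoped searcher can reach for that action.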
Implementation
Microsoft doesn't offer UI elements for Compliance Boundaries implementation. All tasks related to Compliance Boundaries must be performed using PowerShell scripts.
Compliance Security Filters are configured using the Security & Compliance Center PowerShell module.
To connect to the Security & Compliance Center, follow these steps:
Set the execution policy to RemoteSigned.
Enter your credentials.
Create a new PowerShell session using the New-PSSession cmdlet.
Import the session using the Import-PSSession cmdlet, disabling name checking.
Here's an example of the PowerShell commands:
Set-ExecutionPolicy RemoteSigned
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session -DisableNameChecking
Remember to terminate your session after completing your tasks:
Remove-PSSession $Session
Security Permissions
To execute the compliance security filter cmdlets, your administrator must grant you permissions in the Organization Management role group in the Security & Compliance Center.
You need to connect Windows PowerShell to both the Security & Compliance Center and your Exchange Online organization to use the compliance security filter cmdlets. This is because these cmdlets require access to mailbox properties, necessitating a connection to Exchange Online. Follow the steps outlined in the next section.
Create Compliance Security Filter cmdlet
Use the New-ComplianceSecurityFilter cmdlet to create a new Compliance Security Filter.
Syntax:
New-ComplianceSecurityFilter -Action <ComplianceSecurityFilterActionType> -FilterName <String> -Users <MultiValuedProperty> -Confirm -Description <String> -Filters <MultiValuedProperty> -Region <String> -WhatIf [<CommonParameters>]
Parameters:
Action: The type of search action that the filter is applied to. Valid values:
Export: The filter is applied when exporting search results or preparing them for analysis in Office 365 Advanced eDiscovery.
Preview: The filter is applied when previewing search results.
Purge: The filter is applied when purging search results. How the items are deleted is controlled by the PurgeType parameter value on the New-ComplianceSearchAction cmdlet. The default value is SoftDelete, meaning the purged items are recoverable by users until the deleted items retention period expires.
Search: The filter is applied when running a search.
All: The filter is applied to all search actions.
Confirm: The Confirm switch specifies whether to show or hide the confirmation prompt. How this switch affects the cmdlet depends on if the cmdlet requires confirmation before proceeding.
Description: The Description parameter specifies a description for the compliance security filter. The maximum length is 256 characters. If the value contains spaces, enclose the value in quotation marks (").
FilterName: The FilterName parameter specifies the name for the compliance security filter. If the value contains spaces, enclose the value in quotation marks (").
Filters: The Filters parameter specifies the search criteria for the compliance security filter. The filters are applied to the users specified by the Users parameter. You can create three different types of filters:
Mailbox filter: Specifies the mailboxes that can be searched by the assigned users.
Mailbox content filter: Specifies the mailbox content the assigned users can search for.
Site and site content filter: Specifies site-related properties and content-related properties.
Region: The Region parameter specifies the satellite location for multi-geo tenants to conduct eDiscovery searches in.
Users: The Users parameter specifies the user who gets this filter applied to their searches. Valid values include one or more users, the value "All" to assign the filter to all users, and one or more role groups. You can specify multiple values separated by commas.
Note: You can't specify distribution groups with this parameter.
Examples
Add user to Security Filter:
$filterusers = Get-ComplianceSecurityFilter -FilterName PBCFilter
$filterusers.users.add("Tatiana@cloud-confidential.com")
Set-ComplianceSecurityFilter -FilterName PBCFilter -Users $filterusers.users
Remove user from Security Filter:
$filterusers = Get-ComplianceSecurityFilter -FilterName PBCFilter
$filterusers.users.remove("Oskar@cloud-confidential.com")
Set-ComplianceSecurityFilter -FilterName PBCFilter -Users $filterusers.users
Security Filter for Custom Attribute
In this example, users TAT and OSKAR are granted access to search only the mailboxes with the value CSC for the CustomAttribute1 property.
New-ComplianceSecurityFilter -FilterName CSC -Users OSKAR,TAT -Filters "Mailbox_CustomAttribute1 -eq 'CSC'" -Action Search
Security Filter for Document Library
This filter restricts access to a President Office Site document library for all users in the eDiscovery manager Role Group:
New-ComplianceSecurityFilter -FilterName NoPODocLibView -Users "All" -Filters "Site_Site -ne 'URL GOES HERE'" -Action Preview
Security Filter for SharePoint Site
This filter restricts access to a CSC Site document library for the specific user (tatiana@cloud-conf.com):
New-ComplianceSecurityFilter -FilterName CountryFilter -Users tatiana@cloud-conf.com -Filters "Site_Site -eq 'URL GOES HERE'" -Action All
Exchange Mailbox with Custom Attribute
This filter restricts the user "Oskar DG" to mailboxes whose CustomAttribute9 property has the value CSC:
New-ComplianceSecurityFilter -FilterName POMailBox -Users "Oskar DG" -Filters "Mailbox_CustomAttribute9 -eq 'CSC'" -Action All
To add a mailbox to the set that the filter's users can search, set its CustomAttribute9 property as follows:
Set-Mailbox -Identity Tatiana.Z -CustomAttribute9 'CSC'
Test the filter settings to make sure they work:
Get-Recipient -RecipientType UserMailbox -RecipientPreviewFilter {CustomAttribute9 -eq 'CSC'}
Using Security Filters with Inactive Mailboxes
You can utilize Security Filters to restrict searching inactive mailboxes. Similar to a regular mailbox, an inactive mailbox requires configuration with the recipient property used to create a filter.
To display properties of inactive mailboxes, use the following script:
Get-Mailbox -InactiveMailboxOnly
Modify Compliance Security Filter
To modify existing Compliance Security Filters, use the Set-ComplianceSecurityFilter cmdlet with the following syntax:
Set-ComplianceSecurityFilter -FilterName <String> -Action <ComplianceSecurityFilterActionType> -Confirm -Description <String> -Filters <MultiValuedProperty> -Region <String> -Users <MultiValuedProperty> -WhatIf [<CommonParameters>]
Remove Compliance Security Filter
To remove a previously configured Compliance Security Filter, utilize the Remove-ComplianceSecurityFilter cmdlet with the following syntax:
Remove-ComplianceSecurityFilter -FilterName <String> -Confirm -WhatIf [<CommonParameters>]
View Compliance Security Filters
To view configured Compliance Security Filters, use the following cmdlet: Get-ComplianceSecurityFilter
Syntax:
Get-ComplianceSecurityFilter -Action <ComplianceSecurityFilterActionType> -Confirm -FilterName <String> -User <String> -WhatIf [<CommonParameters>]
Examples
To view all configured Compliance Security Filters, run the following command:
Get-ComplianceSecurityFilter | Format-Table -Auto FilterName,Action
To view a "PBC Filter" Compliance Security Filter (previously configured), run the following command:
Get-ComplianceSecurityFilter -FilterName "PBC Filter"
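An added example (not from the original post) that checks a filter inventory for the issues this article raises: the approximate 100-object performance point, filter objects with identical Users and Action that could be one compound filter, filters assigned to All, and unterminated quotes in filter strings. Test-SecurityFilterInventory and the sample objects are constructed; property names are assumed to match Get-ComplianceSecurityFilter output.

```powershell
# Added example. Sample objects are constructed; property names (FilterName, Users,
# Filters, Action) are assumed to match Get-ComplianceSecurityFilter output.
function Test-SecurityFilterInventory {
    param(
        [Parameter(Mandatory)] [object[]] $SecurityFilter,
        [int] $CountThreshold = 100      # approximate degradation point cited in this article
    )
    $findings = New-Object 'System.Collections.Generic.List[object]'
    if ($SecurityFilter.Count -ge $CountThreshold) {
        $findings.Add([pscustomobject]@{ Check = 'FilterCount'
            Detail = "$($SecurityFilter.Count) filter objects, threshold $CountThreshold" })
    }
    # Filter objects with identical Users and Action are candidates for one compound filter.
    $SecurityFilter |
        Group-Object -Property { (@($_.Users) | Sort-Object) -join ';' }, Action |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            $findings.Add([pscustomobject]@{ Check = 'MergeCandidate'
                Detail = ($_.Group.FilterName -join ', ') })
        }
    foreach ($f in $SecurityFilter) {
        # 'All' applies the filter to every searcher in the tenant.
        if (@($f.Users) -contains 'All') {
            $findings.Add([pscustomobject]@{ Check = 'AppliesToAll'; Detail = $f.FilterName })
        }
        # An odd number of single quotes means an unterminated string literal.
        foreach ($clause in @($f.Filters)) {
            if ([regex]::Matches($clause, "'").Count % 2) {
                $findings.Add([pscustomobject]@{ Check = 'UnbalancedQuote'
                    Detail = "$($f.FilterName): $clause" })
            }
        }
    }
    $findings
}

# Constructed inventory: two mergeable filters and one tenant-wide filter with a missing quote.
$sample = @(
    [pscustomobject]@{ FilterName = 'CohoMail'; Action = 'All'
        Users = @('Coho Winery eDiscovery Managers'); Filters = @("Mailbox_Department -eq 'CohoWinery'") }
    [pscustomobject]@{ FilterName = 'CohoSites'; Action = 'All'
        Users = @('Coho Winery eDiscovery Managers'); Filters = @("Site_ComplianceAttribute -eq 'CohoWinery'") }
    [pscustomobject]@{ FilterName = 'DoctorsPreview'; Action = 'Preview'
        Users = @('All'); Filters = @("Site_Path -like 'https://contoso.sharepoint.com/sites/doctors*") }
)
Test-SecurityFilterInventory -SecurityFilter $sample | Format-Table -AutoSize
```

Against a live tenant, pass the output of Get-ComplianceSecurityFilter as -SecurityFilter.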
Additional Usage Examples
Here are some useful examples published on the Microsoft site:
This example allows members of the OneDrive eDiscovery Managers custom role group to only search for content in OneDrive for Business locations in the organization.
New-ComplianceSecurityFilter -FilterName OneDriveOnly -Users "OneDrive eDiscovery Managers" -Filters "Site_Path -like 'https://contoso-my.sharepoint.com/personal*'" -Action Search
This example prevents members of the "OneDrive Discovery Managers" role group from performing content search actions on any mailbox in the organization.
New-ComplianceSecurityFilter -FilterName NoEXO -Users "OneDrive Discovery Managers" -Filters "Mailbox_Alias -notlike '*'" -Action All
This example prevents anyone in the organization from searching for email messages that were sent or received by janets or sarad.
New-ComplianceSecurityFilter -FilterName NoSaraJanet -Users All -Filters "MailboxContent_Participants -notlike 'janets@contoso.onmicrosoft.com' -and MailboxContent_Participants -notlike 'sarad@contoso.onmicrosoft.com'" -Action Search
This example uses a filters list to combine mailbox and site filters.
New-ComplianceSecurityFilter -FilterName "Coho Winery Security Filter" -Users "Coho Winery eDiscovery Managers", "Coho Winery Investigators" -Filters "Mailbox_Department -eq 'CohoWinery'", "Site_ComplianceAttribute -eq 'CohoWinery' -or Site_Path -like 'https://contoso.sharepoint.com/sites/CohoWinery*'" -Action ALL