Hero Banner

Ask Me Anything

Join and stay up to date with the latest Ask Me Anything Sessions!

Not applicable

Ask Me Anything Topic: Security & Compliance

AnkurBio.jpgIntroducing Ankur Arora, this week's Microsoft Expert. Ankur is the WW Partner Strategy Lead: Security & Compliance, OCP. He has been at Microsoft for almost 10 years and has a wealth of experience in the S&C field. 

Please ask Ankur any questions on this thread from October 18-25 and he will respond on the 25th; the top kudoed questions will be answered first.

This AMA is live Wednesday, October 25th, 7am-11am PST.

To ensure you do not forget, please download the calendar invite below!


Dear Ankur, 

Where do you see the best opportunities for new services in this space?


Regards, Per


Not applicable



It depends on what you want to focus on and for which segment....let me give a few examples:


1. Consulting and Assessments

2. Technology Sales and/or Deployment

3. Data Breach notification (Managed Service)

4. Evidence of Risk Mitigation Services

5. Virtual DPO for Customers (typically SMB).

Product/Functionality Specific examples:

1. Managed Services around WD-ATP

2. Managed and Professional Services around AIP, DLP, Compliance Manager, Intelligent Security Graph...



Thanks Ankur! I like this list! Always great to get insights from an esteemed expert!

I'm actively looking for teams and companies in this field to invest in - and even better if AI is involved as a component in a managed service of some kind (I love recurring reveneue streams).

Regards Per

Not applicable

1. What would be CON's for using Security&Compliance Retention as a backup solution for O365 services. PRO's are - protect data with functionality included in license, everything at one place.
2. How to deal with GDPR "right to be forgoten" if we keep data in O365 services based on retention policies

Not applicable

GDPR Right To be Forgotten:

This is complicated...the framework that we current use is Discover, Manage, Protect, Report.   The Discover part is where one if discovering personal information in the organization across the mail and collaboration platform, data bases, CRM, ERP Applications, Web Data and unstructured information.   www.microsoft.com/GDPR is a great starting place....


A quick overview of the Discovery Phase is as follows:

In-scope: Any data that helps you identify a person

  • Name
  • Email address
  • Social media posts
  • Physical, physiological, or genetic information
  • Medical information
  • Location
  • Bank details
  • IP address
  • Cookies
  • Cultural identity

Inventory: Identifying where personal data is collected and stored

  • Emails
  • Documents
  • Databases
  • Removable media
  • Metadata
  • Log files
  • Backups

Technologies Leveraged:

Microsoft Azure: Microsoft Azure Data Catalog

Enterprise Mobility + Security (EMS): Microsoft Cloud App Security

Dynamics 365: Audit Data & User Activity AND Reporting & Analytics:

Office & Office 365: Data Loss Prevention, Advanced Data Governance, Office 365 eDiscovery

SQL Server and Azure SQL Database: SQL Query Language 

Windows & Windows Server: Windows Search

Not applicable

Backup: Version: Lots of things can disrupt service availability, such as hardware failure, natural disasters, or human error. To ensure that your data is always available and that services continue, even when unexpected events occur, Exchange Online uses a feature known as Database Availability Groups to replicate Exchange Online mailboxes to multiple databases in separate Microsoft datacenters. As a result, you can readily access up-to-date mailbox data in the event of a failure that affects one of the database copies. In addition to having multiple copies of each mailbox database, the different datacenters back up data for one another. If one fails, the affected data are transferred to another datacenter with limited service interruption and users experience seamless connectivity.

Retention:  Exchange Online service provides several options for Deleted item recovery, which include manual recovery from Deleted Items, recovery from Recoverable Items, Single Items recovery, and retention policies and tags. Archiving and litigation hold are also available within the appropriate licensing to complement the needs of preserving data.

  • Deleted item retention: Users can restore email items that have been deleted from any email folder. When a user deletes an item, it is kept in the Deletions subfolder of the Recoverable Items folder. Items remain in this folder until the user manually removes them, or until they are automatically removed by retention policies. For more information about recoverable items, see Recoverable Items folder

  • Single item recovery:  Email recovery has improved in Exchange Online to allow users to recover single items without having to restore mailbox databases. When the Managed Folder Assistant processes the Recoverable Items folder for a mailbox that has single item recovery enabled, any item in the Purges subfolder isn't purged if the deleted item retention period hasn't elapsed for that item.

  • Retention tags and retention policies: These settings specify how long a message remains in a mailbox and the action to be taken when the message reaches the specified retention age. When a message reaches its retention age, it's moved to the user’s In-Place Archive or deleted. For more information about Retention tags and policies, see Retention tags and retention policies.


These questions about retention in Security & Compliance center were sent to me:

1. If I configure organization wide retention policy, will policy retain content in shared mailboxes?

2. What is difference between mailbox on litigation hold (active user - all content preserved, inactive mailbox preserved) and Retention policy in Security & Compliance center (if any)

Not applicable

Litigation Hold (with or without a time preiod):

When a reasonable expectation of litigation exists, organizations are required to preserve electronically stored information (ESI), including email that's relevant to the case. This expectation can occur before the specifics of the case are known, and preservation is often broad. Organizations may preserve all email related to a specific topic, or all email for certain individuals.

In Exchange Online, you can use In-Place Hold or Litigation Hold to accomplish the following goals:

  • Enable users to be placed on hold and preserve mailbox items immutably

  • Preserve mailbox items deleted by users or automatic deletion processes such as MRM

  • Protect mailbox items from tampering, changes by a user, or automatic processes by saving a copy of the original item

  • Preserve items indefinitely or for a specific duration

  • Keep holds transparent from the user by not having to suspend MRM

  • Use In-Place eDiscovery to search mailbox items, including items placed on hold

Additionally, you can use In-Place Hold to:

  • Search and hold items matching specified criteria

  • Place a user on multiple In-Place Holds for different cases or investigations

Retention Tags and Policies:

Exchange Online offers retention policies to help organizations reduce the liabilities associated with email and other communications. With these policies, administrators can apply retention settings to specific folders in users’ inboxes. Administrators can also give users a menu of retention policies and let them apply the policies to specific items, conversations, or folders using Outlook 2010 or later or Outlook Web App.

In Exchange Online, administrators manage retention policies by using the Exchange admin center (EAC) or remote Windows PowerShell.

Exchange Online offers two types of policies: archive policies and delete policies. Both types can be combined on the same item or folder. For example, a user can tag an email message to be automatically moved to the In-Place Archive in a specified number of days and deleted after another span of days.

With Outlook 2010 or later and Outlook Web App, users can apply retention policies to folders, conversations, or individual messages. They can also view the applied retention policies and expected deletion dates on messages. Users of other email clients can only have email messages deleted or archived based on server-side retention policies set by the administrator.

The retention policy capabilities offered in Exchange Online are the same as those offered in Exchange Server 2010 Service Pack 2 RU4. Administrators can use remote Windows PowerShell to migrate retention policies from on-premises Exchange Server 2010 or later environments to Exchange Online.


Not applicable

How do customers integrate Office ATP, ATA with their existing SIEM (Splunk for many of mine)? I know you can download logs and integrate that way, but is there an option to set up pub/sub topology to provide that information as the events occur?

Not applicable

SIEM connector now available for Office 365 Advanced Security Management

A year ago, we announced a way for you to get greater visibility and control over Office 365 with Advanced Security Management (ASM). Since then, we have added new features to help you better determine shadow IT activity. We also enhanced control over third-party apps connected to Office 365. After these updates, we started hearing that some of you were looking for a way to export alerts to other systems that are integrated into your existing workflows. Today, we are releasing a solution that supports centralized monitoring of ASM alerts with your security information and event management (SIEM) software. Integrating with an SIEM allows you to better protect Office 365 while maintaining your organizations security workflow, automate your security procedures and correlate between your cloud-based and on-premises events.

There is no additional cost for an SIEM connector for ASM; you just need to have Office 365 E5 or the ASM add-on. To learn how to setup the ASM SIEM connector, please read SIEM integration with Office 365 Advanced Security Management.