1. In-Place Archive in Exchange
Depending on the plan that you have for Microsoft 365, it may include an option for in-place archiving. If your plan does not already include place archiving, it is now available as an add-on. When you have archiving in place, you can actually turn it on for your users. No, it’s not on by default.
You must enable it for the users. The ability for them to actually go out there and have an archive mailbox once it’s turned on in Outlook or Outlook on the Web means that the user, when connected to the Internet, will actually see another archive box that they can move mail into. In that environment, they can view that box. They have the ability to move things from their primary mailbox into the archive. They can actually go the other way too, moving things from the archive back into their primary boxes if they want to. Right? But it’s an environment for them to be able to store things in, and when they move things into the archive, it no longer counts against their mailbox quota. So if they’re hitting hard up against their 50- or 100-gig mailbox quota, the archive will help them drop below that quota environment so they can send and receive more mail. Right now, it’s not cash.
That’s one of the things you have to be aware of. The archived mailbox is not part of the offline cache. So oftentimes, users are used to having Outlook on their computers, and they’ll maybe open it up when they’re not connected to the network or the internet. Perhaps they are flying somewhere without internet access, but they have the ability to go through and look at their emails, even create some replies and such. The archived mailbox will not show up there. They have to be connected, and you have to be online in order for the archived mailbox to be available. But the big advantage of this archived mailbox is that we can control the messages. What I mean by that is, in a lot of organizations, when users start getting close to their mailbox quotas, they’re told, “Oh, create a PST file, a personal storage for your mail, and take it offline.” And when they do that, it puts a lot of those messages into a file on their local computer that you don’t have control over.
When you do a legal hold search because you have to apply some kind of policy to messages, those things in the PST file will not be impacted. Instead, by having all of these things in the in-place archive now, the users will have the ability to still have access to that information and reduce the size of their mailboxes so they’re below the quotas. But now we can also go through the process of searching those items, placing those items on legal hold, and having a lot more control in terms of our corporate requirements with their email systems.
2. Enabling In-Place Archiving
If your subscription includes Inlays Archive, or if you purchased it as an add-on and assigned the licenses to your users, you actually still have to activate it. It’s not enabled by default in the Security and Compliance Center. If you go into your Data Governance section, you’ll notice an Archive option. You can click on “Archive.” In an archive, you’ll get a list of all of your users, and you can see the status of their archived mailbox. You’ll see if it’s enabled or disabled, and then simply select a user. Here I’ve got Carlos as an example. He is disabled.
Click on Enable, and just like that, I’ve enabled his mailbox for the Archive. Now, do understand this. I also have the ability to disable it, so if I were to disable the archive, as long as I enable it again within 30 days, that user’s archive will come back to them and anything that was in it will be part of it. But if I disable it, wait 31 days, and then enable the archive for the user, they’re getting a brand new archive box that has no information in it whatsoever. So just be aware of that. Now, besides doing it in the Security and Compliance Center, you can also change this setting in the Exchange Admin Center. It’s the same setting. We’re not changing any different features.
It’s the exact same setting. You just happen to have two different places where you can do it. In the Exchange Admin Center, if you go into your recipients and go into your mailboxes, you can select a user, edit that user, go through their features, and do it just like you would with anything else, and turn on their archive mailbox. Scroll down a little bit here. When that comes up correctly, we can go in there and enable the archiving there if we want to. But the other thing I can do is that I have the ability to multiselect. So I can go out there and select a couple of users. I get the bulk editing tool. Now I’m going to have to scroll to the bottom. I’m going to have to click on more options to get the ability to do the archive under the Bulk Edit tool.
But then you’ll see it pop up right there, and I can enable the archive for both of those users just by clicking on the Enable button, right? Are you certain you want us to enable these two objects? Yes, I do. and we’ll turn that on. So now I’m able to turn the archive on for two users or multiple users at once. Now, I could also have done that in the Security and Compliance Center as well. Notice they’re saying, “Hey, the changes won’t become effective until a directory replication occurs.” As a result, we must wait for some of the settings to replicate. But eventually the user will have that archive if we refresh it there. You can now see that they all have the archive activated for them.
3. In-Place Records Management in SharePoint
One of the things you have with exchanges is the ability to turn on the in-place archive. In SharePoint. We call this “in place.” Records management. Records Management in SharePoint is where we’re going to actually go out there and archive some items, some documents, so that we have the ability to keep them in that state for an extended period of time, right? You really go through and analyses the process of declaring something a record versus a document.
Okay, at what point in time does something need to be a historical marker of an activity, right? When something is referred to as a document, it is usually something living and breathing that can be modified, updated, or changed. But when we call something a record, it usually represents some historical marker that we need to keep in that condition at that point in time. And that’s really what Place Records Management and SharePoint are all about: taking a document and converting it into a record so that we can maintain that record for a period of time. Right now, we can either go out there and classify these records right where they are. So I’ve got a document library, maybe for human resources. We entered into a new contract. It was in the document library. Now we want to be able to maintain that contract as a record, so I can just mark it or declare it as a record right there. And it will always be there, and people outside of human resources will understand where to find it.
Or I have the ability to take those records and move them to a record center, where we’re going to go out there and we’re just going to keep all of our records in a centralized location. Now, oftentimes when you move into those other locations, people may forget where they are and not be able to find them, and they have to search for them and things like that. So keeping them in their original location often makes it a little bit easier. One of the things that some companies will actually do is they’ll create records in the spot where the record existed initially, where the document existed initially, and then, after some period of time, move them over to a record centre in the environment out there. And these records can be created in an automated way. You can go out there and, for example, say that once a document hasn’t been modified for the last year, let’s make it a record. That or we can do it in a manual way, where a user with the permissions actually goes in and declares a given document a record at some point in time.
4. Activating In-Place Records Management
In order to work with in-place document management and SharePoint, you actually start at the site collection level. At the site collection level, you need to turn on the feature for in-place records management. Management. So if I go in here in my site collection, go into the Settings icon, then the Settings icon, I go in here and click into my site settings. You can see it right there. Just make it a little bigger so you can see it. So I’ve got my site settings there.
We’ll click into that in the site settings section under site collection administration. This is where we’re going to go in and look for our site collection features, right? So we’re going to go in here and look for our site collection features. We’ve got our site collection features right here. We’ll make that available and improve our site collection features. If we scroll down, you’ll see “In place Records Management” as an option. In place. Records management.
Now we’ll note that it is actually not active right now. So I have to turn it on just by clicking on the activate button. It’s just that simple. Now you can see that my in-place record management is active. I could turn it off if I wanted to. So I’ve activated it for the entire site collection. Now, any lists or libraries that exist in this site collection have the ability to take advantage of in-place record management. But one of the other things I want to look at real quick is, let’s go back into our site settings. Now that we’ve activated it, we actually get the ability to go out there and have record declaration settings. How can documents be declared as records?
These settings are going to be at the site collection level, and this will be the default setting. But at a given list or library, I can also go in and change some of those settings. So let’s go take a look at that momentarily and see what kinds of things we can choose. You’ll notice here we have no additional restrictions. So even though I made a record, you can edit it, modify it, or delete it. Making something a record was probably not the goal. You can allow someone to change it but not delete it if you want. Or where you can see the defaults, which are block and edit. So it’s going to block people from modifying it as well as stop them from being able to go out there and actually delete the environment. So we can block the edit and delete the manual record declarations in the list and libraries. Are we going to do this across the board by default? What do we want people to do?
Or do we only want to do it in an automated way so we can make it available in all locations? Or we could say it is not available in all locations by default. Even if we set that, we could still go to a list or library and allow. So we’ll just go ahead and leave the defaults here for now. All list contributors and administrators have access to the declaration records. So we’re deciding now who has permission to go out there and actually do this. List admins are only bound by policy actions, and we can reverse that process of taking something that was a record and making it back into just a document. So declaring it right in this case is something only list administrators can do it.
We could do contributors as well, or only as a matter of policy. So you’ve got some settings that you can actually set in that environment. Let’s go ahead and get out of there. We’re not going to save any of those settings once you’ve activated it; once you’ve configured it the way you want to, the next step is to actually go to your document list or library and change the settings for that. So if we go into our documents here, into my document library, in my document library, I’m going to go up here and click on Settings, and I’m going to go into my library settings now.
So I’m going to click on Library Settings, and in Library Settings, you see down here at the bottom, I have record declaration settings since I turned on the feature for the site collection. That option wasn’t there. But now that we’ve got it on, we have the ability to go in here and set our record declaration settings. And in this library, for example, we’re going to say to use the site collection default settings. We can say that manual declaration is acceptable in this case. Maybe we weren’t doing it for site collection, but we’ll allow it here in our environment if we want to. So we can do it just in this library or never allow manuals. So we go out there and configure that automatic declaration if we want to. But for now, we’ll just allow manual record declaration.
So I’ve got a document in my library. Let’s go take a look at my document library. And I can see I have a payroll contract. So this is a contract that we entered into with the payroll company for the services they’re going to provide for us here in the human resources environment. and I’ve decided I want to make that a record. I want to declare that a record.
I actually have the ability to go in, and if I click on the More button here and scroll down here to More, you’ll see I have the ability to open up something called compliance details, right? That’s what I’m going to actually click into for its compliance details. That’s going to open up all of the compliance details for this environment. And you’ll note here that this is where I can declare it an in-place record. Once I declare this as an in-place record, it’ll lock the item down for editing. not going to be able to go out there and modify it anymore. I’ve declared it a record. If I wanted to reverse the process, I could also come here to undeclared it because we allow manual declaration.
So once I’ve got that for a record, Now, if someone comes in and tries to open that up and start working with the document therein the environment, you’ll notice that we’re only viewing it right now. Let’s go ahead and edit the document. We’ll edit it right in the browser, and sorry, you can’t do it right now; it’s letting us know that someone else has checked it out. But the real reason is because it’s a declared record out there in the environment. So we can again go out there and view it, but we can’t edit, modify, or change the item because it has been declared a record in that record center. So it’s an in-place record, and now we have the ability to make sure that nobody else can go out there and modify it.
5. Messaging Records Management
One of the features of Exchange Online is the ability to go out there and use message record management, or messaging records management, in Exchange. Message record management is now all about giving us the ability to sort and organize a user’s mailbox in an automated manner. We’re talking about the fact that they may have messages sitting in their junk mail folder. They may have messages in their deleted environment. They may have messages in their inbox that have been sitting there for an extremely long time. And wouldn’t it be nice to give them a way to have that sort of thing cleaned up in an automated way? And that’s what MRM is all about here, right? We can move messages from their primary mailbox into the archive for them.
We have the ability to go out there and delete messages after a certain period of time for them in an automated way, so they don’t have to go through and clean things out on their own, right? We have the ability to go out there and do this as well, but we don’t. Or we implement this through something called a “retention policy” as part of the message record management solution in Exchange Online. What we need to understand is that our retention policy allows me to decide what we want to delete and what we want to keep in our archive for a user based on a time frame that takes into account when something was received, its age, and how long it’s been sitting around. Now, we can delete our archived messages based on their location, right? So, for example, if it’s in the junk mail folder, let’s delete it after 30 days.
Things like that. If it’s in my inbox, I’ll move it to the archive after two years. We can also allow the end user to go out there and modify that behavior. They can tag boxes. They can tag messages and have the ability to go out there and decide when they want certain things to be moved or deleted on their own, right? And they have the ability to also go out there and use different policies or different tags. Now, there are different tags that are involved. There are three types of tags: default tags, retention policy tags, and personal tags. A default tag will apply to the entire mailbox. So if you have an MRM policy applied to you and it has a default tag that says something like “move to archive after two years,” regardless of where that mail item is in your mailbox, after two years, it’s going to get moved into the archive. Now, that assumes you have an archive. If you don’t, it’s not going to do anything for the message.
It won’t delete it because you don’t have an archive, for example. You don’t have to be concerned about that. Retention policy tags are applied at the box level. So I might have a retention policy tag I applied to the junk mailbox, for example, that says delete everything out of the junk mail after 30 days, and then you have what are called personal policy tags. Personal policy tags are available to the end user. The end user has the ability to use them to actually tag specific boxes. So maybe they wanted to treat a box differently, or they could tag individual items. For example, we could give them a tag that says “keep forever.” And they could tag a specific message in their inbox so that they keep it in their inbox forever rather than having it move to the archive. Now, it’s important that you understand that we’re talking about and using the word “retention” here. Retention policies, as they relate to message record management, are all about organizing or cleaning up their mailboxes.
It is not a retention policy where we want to make sure we keep or retain information for an extended period of time. That is something that you would set up in the security and compliance center. Go out there and set a retention policy for that. So don’t confuse this phrase, “retention policy,” because it’s being used in two slightly different ways. If I had an email in my inbox and I had a retention policy set on the mailbox for my message record management policy to move to archive after two years, that’s not going to stop me from going into that inbox and deleting the item early, right? Whereas if I had a security and compliance centre retention policy, something we talked about in another video, I’d have the ability, even if you deleted it, to maintain that item for whatever period of time we delineated. So don’t get those two things confused, because sometimes people do.
6. Creating MRM Policy and Tags
If you want to set up some retention policies, you actually do it in the Exchange Admin Center. And in the Exchange Admin Center, I’m going to come in here and go into compliance management. Compliance management. You’ll notice I have retention policies and retention tags. We’re going to start by creating some retention tags. Now, when you go to click on the plus sign to create a retention tag, you notice that you have three different choices. The tag can be applied to the entire mailbox as a default tag. We can create a policy tag that applies to a specific folder or a personal tag that the end user will have access to to apply to an item or to a folder. In exchange, let’s start by creating a default tag here. So I’ll click on the default tag. We’ll give this one a name. Assume we want to move some items to the archives.
So we’ll say after a year, move to archive. All right, so now we make the choice. What do we want this tag to do when it’s applied to something? Notice again, delete, and allow recovery. Delete permanently. So it’s not going to allow recovery. Or just move it to the archives. And then, if you choose one of these, we’ll decide what the retention period is going to be. In this case, we’ll move it to the archive after 365 days. All right, so I’ve got a default tag that I’ve created. You can also create a policy tag that will apply to a folder. Now, when you’re doing that, let’s say this one was clean junk mail, right? So we’ll make this a clean junk mail environment. We’ll apply that and notice the boxes that I have the ability to choose from, and we’ll choose the junk email folder to delete and allow recovery. But we’ll do this at a faster pace, right? Instead, we want to clean out their junk mail out instead of doing it. There’s one already for, say, 30 days. Let’s do this in 15 days, and we’ll clean the junk mail out a little bit faster for them. Then we can make some personal tags as well.
A personal tag is something that an end user would have the ability to assign to an item or a box in their environment. And for this one, let’s say after 45 days, move to archive. So we’ll create a 45-day rule here, and we’ll say we’ll move it to the archive after 45 days. So if it’s something the user doesn’t need, they want to clean it out a little bit sooner. Instead of waiting the full year, they can go out there and apply that tag. Now, we’ve created a bunch of tags, but we haven’t applied this anywhere yet, so it’s not impacting anyone. The next step is for us to go out there and create the retention policy. So I’m going to switch over to retention policy, and you can see there’s a default message about record management policy. And if you look at that, you’ll see all of the various tags that are actually available right in that.
So anybody who has this applied to their mailbox will have all of these tags. Let’s go create a new one. So we’ll create a new one here. We’ll just call this one our sample policy. Now, every single tag that I want a user to have needs to be part of this policy. And what I mean by that is that, at any point in time, a user can only have one message record management policy applied to them. So I can’t say, “Oh, I want you to have the default one and this one.” So any tag I want them to have, I need to include here in this retention policy. So we’ll go through and just click on the plus sign here to add some retention tags. Now it will bring up the list. One of the things I like to do when the list of available tags comes up is actually sort it by type, because that way I can make sure, for example, that I’ve got some default tags out in here. And we’ll do the “Move to Archive” tag after a Year tag.We’ll add that in.
We’ll go ahead and use the 15-day junk mail folder, and we’ll clean it up a little sooner. But I can also offer them some personal tags here. the five-year delete tag, for example. Go through and give them the “Never delete” tag. If we move to Archive after 45 days, never deleting any tags that I want them to have, we’ll go out there and click okay and save that. So now I have a new retention policy, but the next step is actually applying it to the users. So in order to do that, I’m going to go into my recipients, and in my recipients, I can choose an individual user or I could multiselect and do a bulk select on my users. Either way, whichever direction you want to go with the environment, you can make your choice as to whether you want to edit one or multiples. For now, let’s go ahead and edit just one. So we’ll open up Carlos Perez here, and in Carlos Perez’s detail pane, I’m going to actually go into what we call Mailbox Features, right? So I’m going to go into mailbox features. When I click on “Mailbox Features,” you’ll see that there is a retention policy for Carlos. And right now, Carlos doesn’t have a retention policy assigned to them.
So I can click the drop-down menu and choose my sample policy. And now those tags will be applied to Carlos. Now, if I wanted to do a bulk edit, I could multi-select. I could pick a couple of people or even everyone. And when I do that, the bulk edit tool appears over here on the right side. When you scan through there now that the bulk edit tool is available, you don’t see anything about the retention policy or the message record management policy right away. But at the very bottom, you see a more options button, so let’s go ahead and click on that. And when I do that, that’s when it opens up the ability for me to see the retention policy, where I can now update the retention policy. So I’ll click on “update” there and have the ability to go in there and say, “You know what, let’s apply the sample policy to everybody,” click “Save,” and apply it to a lot of users at once. Rather than having to individually go in there and actually set the retention policy on each user.
7. Troubleshooting MRM Policies that Don’t Run
Having applied message record management policies to your users’ mailboxes, sometimes things may not behave or turn out the way that you expected. For some of those issues, it may just be a waiting game. What I mean by that is that there’s something called “Managed Folder Assistance” that runs on every user’s mailbox, but it only runs once every seven days.
So if, let’s say, it ran yesterday and then today there was an item that reached its age limit where it needed to be moved to the archive, that item would actually still sit in that user’s mailbox for another seven days until the Manage Folder Assistant ran. So don’t be surprised if something is there, maybe for a week longer than you anticipated, because it’s just a question of when does the ManageFolder Assistant run on that mailbox to process all of the message record management policies?
That is exactly what it will do once every seven days. Right now, if somebody is trying to work with an older version of Outlook, like Outlook 7 or older, they don’t have the ability to actually set retention tags on items. So for some reason you’re working with a much older product; they’re not going to be able to use that, and that’s why they can’t actually see it or have the ability to do it. The other thing is to confirm that the tags have been added to the policy and that the policy has been assigned to the mailbox. I could assign a policy to you, but if we accidentally left a specific tag, say, to delete the junk mail folder after 30 days and the user complains about the fact that their junk mail folder has gotten very full, let’s go confirm that.
The policy that is applied to them includes a tag that actually cleans out the junk mail folder for them. It’s possible that in the configuration, you may have forgotten to do that, right? In addition to that, if there is a legal hold placed on that mailbox, items will not be allowed to be removed or deleted based on the legal hold. And so it may just be that it’s not processing it because of that legal hold applied to that mailbox. And the other thing could just be the size of a mailbox. I’ve worked with a lot of people who do things like keep their mailboxes pristine. They empty it all the time. They basically get a message, read it, act on it, and then get rid of the message. If that is the case, the Manage Folder Assistant will not run on that mailbox if it is less than ten megabytes in size.
It simply won’t react to it. Now, if that’s the case, one of the things you could do is actually force the Manage Folder Assistant to run. You have the ability to go out there and use PowerShell. You can connect to your Exchange online or via PowerShell, and then start the Managed Folder Assistant PowerShell command. You just tell it the identity of the mailbox that you want it to run on, and it will run. This is also a great command to use if you’ve got a new Manage Folder Assistant Policy and you want to test it, right? So we’ll set a policy, but we’ll change it from 30 days to one day. I’ll apply the policy to the mailboxes and wait the 24-hour period, and then I’ll go in and manually run the Manage Folder Assistant. Start the Manage Folder Assistant against that box just to test the policy before I roll it out into production.
8. Information Rights Management in Exchange
Information Rights Management in Exchange gives us the ability to control what happens to a message after we send it to the user. For example, I can restrict them from being able to forward it, give them the ability to modify it, or even let them print it out. In exchange, we have the ability to use this right away. Now, it used to be that if you wanted to use information rights management in Exchange and your tenant was created prior to January of 2018, you would have to go through a process of activating it and setting it up. But starting in January 2018, it is now enabled by default in our environment now.
So we have the ability now to control the permissions that they have in their email. We can go out there and apply this in Outlook and Outlook on the web, right? We actually have the ability, depending on the policy we have, to have it applied in an automated way, so if a message contains a certain kind of content, we can go out there and restrict how it’s actually being processed in the environment. But here’s the limitation: And it’s one of those things that you always have to think about because it’s there to keep honest people honest. It’s kind of like the lock on the front door of your house. If someone wants to break into your house, they will break into your house, but they will not stop. But if somebody were to come by your house and just want to pop in for a second, the lock would stop them from getting in. They’re not intending to break into your house.
So it keeps an honest person honest. Information rights management is done the same way. If I sent you an email and applied information rights management to it so that the only thing you could do was look at it, you’re not allowed to forget it. You’re not allowed to print it. In the world that we live in today, I’m not going to be able to stop you. If you have some third-party screen capture program, it’s not going to block that screen capture programme from being able to capture that image that’s on your monitor and then give you the ability to use it. Heck, I’m not going to be able to stop you from using your cell phone. Take a picture of it. You take a picture of it, and off it goes, and you send it on its way to somebody else. And depending on your skills, some people could even go out there and just transcribe the whole thing, right? Simple enough. Open another email right next to the one they’re not supposed to forward, type everything in, and send it, right? So it’s really about keeping an honest person honest and trying to apply policy to your messages, but it’s not going to stop things.
Carp launch. Right now, we have the ability to go out there and apply this, and you can actually apply this manually in Outlook. You can go into Outlook with Exchange and have the ability to pick a policy and apply it to a message, right? Alec on the web says the exact same thing. You can click on the button that says “Protect,” and it will automatically go out there and label it confidential. But you could also then go in and modify some of those choices if you wanted to, right? We can even go out there if we have our mobile phones and we’re using Outlook on our mobile phones. We have the ability to go out there and apply policies so that when we’re using active sync and sending messages, we can have policies applied in that way. We can also apply it automatically; I don’t have to go out there and do this manually. I can go out there and create rules, and based on activity in that message, that rule might automatically apply information rights management and restrict what can be done with that message, right? And similarly, we can actually go out there and do this with our mailbox servers; we have the ability to go out there and have IRM messages have policy applied to them at the server level via a transport rule, for example.
9. Information Rights Management in SharePoint
In order to work with in-place document management and SharePoint, you actually start at the site collection level. At the site collection level, you need to turn on the feature for in-place records management. Management. So if I go in here in my site collection, go into the Settings icon, then the Settings icon, I go in here and click into my site settings. You can see it right there. Just make it a little bigger so you can see it. So I’ve got my site settings there. We’ll click into that in the site settings section under site collection administration. This is where we’re going to go in and look for our site collection features, right? So we’re going to go in here and look for our site collection features. We’ve got our site collection features right here. We’ll make that available and improve our site collection features. If we scroll down, you’ll see “In place Records Management” as an option. In place.
Records management. Now we’ll note that it is actually not active right now. So I have to turn it on just by clicking on the activate button. It’s just that simple. Now you can see that my in-place record management is active. I could turn it off if I wanted to. So I’ve activated it for the entire site collection. Now, any lists or libraries that exist in this site collection have the ability to take advantage of in-place record management. But one of the other things I want to look at real quick is, let’s go back into our site settings.
Now that we’ve activated it, we actually get the ability to go out there and have record declaration settings. How can documents be declared as records? These settings are going to be at the site collection level, and this will be the default setting. But at a given list or library, I can also go in and change some of those settings. So let’s go take a look at that momentarily and see what kinds of things we can choose. You’ll notice here we have no additional restrictions. So even though I made a record, you can edit it, modify it, or delete it. Making something a record was probably not the goal. You can allow someone to change it but not delete it if you want. Or where you can see the defaults, which are block and edit.
So it’s going to block people from modifying it as well as stop them from being able to go out there and actually delete the environment. So we can block the edit and delete the manual record declarations in the list and libraries. Are we going to do this across the board by default? What do we want people to do? Or do we only want to do it in an automated way so we can make it available in all locations? Or we could say it is not available in all locations by default. Even if we set that, we could still go to a list or library and allow. So we’ll just go ahead and leave the defaults here for now. All list contributors and administrators have access to the declaration records. So we’re deciding now who has permission to go out there and actually do this. List admins are only bound by policy actions, and we can reverse that process of taking something that was a record and making it back into just a document. So declaring it right in this case is something only list administrators can do it.
We could do contributors as well, or only as a matter of policy. So you’ve got some settings that you can actually set in that environment. Let’s go ahead and get out of there. We’re not going to save any of those settings once you’ve activated it; once you’ve configured it the way you want to, the next step is to actually go to your document list or library and change the settings for that. So if we go into our documents here, into my document library, in my document library, I’m going to go up here and click on Settings, and I’m going to go into my library settings now. So I’m going to click on Library Settings, and in Library Settings, you see down here at the bottom, I have record declaration settings since I turned on the feature for the site collection. That option wasn’t there. But now that we’ve got it on, we have the ability to go in here and set our record declaration settings. And in this library, for example, we’re going to say to use the site collection default settings. We can say that manual declaration is acceptable in this case.
Maybe we weren’t doing it for site collection, but we’ll allow it here in our environment if we want to. So we can do it just in this library or never allow manuals. So we go out there and configure that automatic declaration if we want to. But for now, we’ll just allow manual record declaration. So I’ve got a document in my library. Let’s go take a look at my document library. And I can see I have a payroll contract. So this is a contract that we entered into with the payroll company for the services they’re going to provide for us here in the human resources environment. and I’ve decided I want to make that a record. I want to declare that a record. I actually have the ability to go in, and if I click on the More button here and scroll down here to More, you’ll see I have the ability to open up something called compliance details, right? That’s what I’m going to actually click into for its compliance details.
That’s going to open up all of the compliance details for this environment. And you’ll note here that this is where I can declare it an in-place record. Once I declare this as an in-place record, it’ll lock the item down for editing. not going to be able to go out there and modify it anymore. I’ve declared it a record. If I wanted to reverse the process, I could also come here to undeclare it because we allow manual undeclaration. So once I’ve got that for a record, Now, if someone comes in and tries to open that up and start working with the document therein the environment, you’ll notice that we’re only viewing it right now. Let’s go ahead and edit the document. We’ll edit it right in the browser, and sorry, you can’t do it right now; it’s letting us know that someone else has checked it out. But the real reason is because it’s a declared record out there in the environment. So we can again go out there and view it, but we can’t edit, modify, or change the item because it has been declared a record in that record center. So it’s an in-place record, and now we have the ability to make sure that nobody else can go out there and modify it.
10. Office 365 Message Encryption
One of the nice features built into Exchange Online is the ability for you to send encrypted messages not only to people inside your organization, but also to people outside. In fact, you can even send messages to people who don’t even have an Office 365 or an Azure Active Directory account, and they still have the ability to receive and view the encrypted message with Office Message encryption.
That RMS is combined. It uses the rights management services capability. Those were turned on by default starting in January of 2018 for Ome to be able to be used. Right. It uses a built-in certificate, which means we’re not going to have to supply certificates for this, and it’s going to be able to keep it up to date and roll it over when we need to, to have new certificates available. And again, the idea is to make sure that whoever I’m sending this to is the only person who can read it. So if somebody tries to intercept the packets in transit, it’s going to be completely encrypted, and they’re not going to be able to read it. And it doesn’t matter if I’m sending this to somebody who’s a 365 customer or not; it’s going to go out there, and they’ll be able to consume the content.
Now the message is actually sent out with an HTML attachment, and that’s going to give that user the ability to go through and actually start getting access to that message. If that user doesn’t have a 365 account, if I’m not sending it to a 365 user, they’ll actually have a message as to how to actually open the attachment and be able to read through that message and decrypt it. Right? And the idea there is that even if they don’t have a Microsoft account, Microsoft will walk them through a method of either getting a Microsoft account or generating a one-time passcode for them to be able to view the message. So let’s take a look at how that might actually work with a message that we send from Outlook. So if I go over here and create a new message, let’s say we’re going to send this message out to get rid of that there and that there. Let’s send this message to our friend Carlosmith at Gmail. So just a Gmail account, right? So we’ll send this to [email protected]. Top secret, what time do you want to go to lunch? Okay.
I have an extremely sensitive, top-secret message that I do not want anyone else to see. All I have to do now is choose to encrypt the message. You can see here in my environment that the “encrypt” option is right there. I can click on it. If, on the other hand, yours says “Protect there,” that’s fine. You can click on “Protect,” and then you’ll actually have the ability to change the permissions. When you click on Change Permissions here, you can see that you have choices—we can make it confidential. Do not forward or encrypt. And if you click on Protect and it makes employee information confidential by default, for example, you could then click on Permissions and change that to encrypt to send an encrypted message, and off the message goes. And I’m going to send this over to my good friend Carlos to figure out what time we’re getting together for lunch. Now Carlos has a Gmail account. doesn’t actually have the ability to open that up with Azure Active Directory. Let’s go take a look and see what kind of message Carlos received. So here we have Carlos, who came in. Hey. Well, that’s actually our welcome message, so we’ll go ahead and get rid of that. Carlos should be receiving a message momentarily so that he has the ability to then go in and actually read the message. And because this isn’t a Microsoft 365 account, Carlos will be presented with the opportunity to either register for a Microsoft account or use a one-time passcode. With the one-time passcode, a one-time passcode would be sent to Carl Carlos, and he would enter the code, which would give him the ability to actually open it up.