
The super user feature of the Azure Rights Management service from Azure Information Protection ensures that authorized people and services can always read and inspect the data that Azure Rights Management protects for your organization. If necessary, the protection can then be removed or changed.

A super user always has the Rights Management Full Control usage right for documents and emails that have been protected by your organization's Azure Information Protection tenant. This ability is sometimes referred to as "reasoning over data" and is a crucial element in maintaining control of your organization's data. For example, you would use this feature in any of the following scenarios:

- An employee leaves the organization and you need to read the files that they protected.
- An IT administrator needs to remove the current protection policy that was configured for files and apply a new protection policy.
- Exchange Server needs to index mailboxes for search operations.
- You have existing IT services for data loss prevention (DLP) solutions, content encryption gateways (CEG), and anti-malware products that need to inspect files that are already protected.
- You need to bulk decrypt files for auditing, legal, or other compliance reasons.

By default, the super user feature is not enabled, and no users are assigned this role. It is enabled for you automatically if you configure the Rights Management connector for Exchange, and it is not required for standard services that run Exchange Online, Microsoft SharePoint Server, or SharePoint in Microsoft 365.

If you need to manually enable the super user feature, use the PowerShell cmdlet Enable-AipServiceSuperUserFeature, and then assign users (or service accounts) as needed by using the Add-AipServiceSuperUser cmdlet, or use the Set-AipServiceSuperUserGroup cmdlet and add users (or other groups) as needed to this group.

Note: If you have not yet installed the Windows PowerShell module for Azure Rights Management, see Installing the AIPService PowerShell module.

Although using a group for your super users is easier to manage, be aware that for performance reasons, Azure Rights Management caches the group membership. So if you need to assign a new user as a super user so that they can decrypt content immediately, add that user by using Add-AipServiceSuperUser rather than adding the user to an existing group that you have configured by using Set-AipServiceSuperUserGroup. When you add a user with the Add-AipServiceSuperUser cmdlet, you must specify that user's primary mail address or user principal name.

It doesn't matter when you enable the super user feature or when you add users as super users. For example, if you enable the feature on Thursday and then add a user on Friday, that user can immediately open content that was protected at the very beginning of the week.

Security best practices for the super user feature

- Restrict and monitor the administrators who are assigned as a global administrator for your Microsoft 365 or Azure Information Protection tenant, or who are assigned the GlobalAdministrator role by using the Add-AipServiceRoleBasedAdministrator cmdlet. These users can enable the super user feature and assign users (including themselves) as super users, and so can potentially decrypt all files that your organization protects.
- To see which users and service accounts are individually assigned as super users, use the Get-AipServiceSuperUser cmdlet. To see whether a super user group is configured, use the Get-AipServiceSuperUserGroup cmdlet, and then use your standard user management tools to check which users are members of that group. Like all administration actions, enabling or disabling the super user feature, and adding or removing super users, are logged and can be audited by using the Get-AipServiceAdminLog cmdlet. For example, see Example auditing for the super user feature.
- When super users decrypt files, this action is logged and can be audited with usage logging. While the usage logs include details about the decryption, including the user who decrypted the file, they do not record whether that user is a super user. Use the logs together with the cmdlets listed above: first collect the list of super users, then look for those accounts in the logs.
- If you do not need the super user feature for everyday services, enable the feature only when you need it, and disable it again by using the Disable-AipServiceSuperUserFeature cmdlet.

Example auditing for the super user feature

The following log extract shows some example entries from using the Get-AipServiceAdminLog cmdlet.
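The following script is an added example and is not code from the Azure Information Protection documentation or from the AIPService module. It ties together the two practices described above: enabling the super user feature only for the duration of a task (adding the account individually so the cached group membership does not delay it, and revoking in a finally block so a failed job cannot leave a standing super user), and then auditing afterwards by correlating the usage log with a snapshot of the super user list, because the usage log never flags a decryption as a super user action. The cmdlet names are the documented ones; everything else is an assumption: the service account address, the log folder, the switch for tenants where the Exchange connector already requires the feature, the tab-separated usage-log layout with a '#Fields:' header, and the assumption that admin-log entries name the cmdlet that was run.

```powershell
# Added example (not the documentation's or the AIPService module's own code).
# Assumes the AIPService module is installed and the caller holds the GlobalAdministrator role.
#Requires -Modules AIPService
param(
    [Parameter(Mandatory)] [string] $ServiceAccount,   # placeholder, e.g. discovery-svc@contoso.com
    [string[]] $KnownGroupMembers = @(),               # super user group members, resolved with your directory tools
    [string]   $LogFolder = (Join-Path $env:TEMP 'aip-superuser-audit'),
    [switch]   $LeaveEnabled                           # set when the Exchange connector already needs the feature
)

# Returns decryption (AcquireLicense) rows from downloaded usage logs that were made by any
# address in $SuperUsers. The usage log itself does not mark super users, so the caller's
# list is what distinguishes a super user decryption from an ordinary one.
function Get-SuperUserDecryption {
    param([string] $LogPath, [string[]] $SuperUsers)
    $lookup = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($u in $SuperUsers) { [void] $lookup.Add($u) }
    # Assumed column order, used only when a file carries no '#Fields:' header line.
    $fields = 'date','time','row-id','request-type','user-id','result','correlation-id',
              'content-id','owner-email','issuer','template-id','file-name'
    foreach ($file in Get-ChildItem -Path $LogPath -Filter '*.log' -File) {
        foreach ($line in Get-Content -Path $file.FullName) {
            if ($line -like '#Fields:*') { $fields = $line.Substring(8).Trim() -split '\s+'; continue }
            if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
            $cols = $line -split "`t"
            $row  = @{}
            for ($i = 0; $i -lt [Math]::Min($fields.Count, $cols.Count); $i++) { $row[$fields[$i]] = $cols[$i] }
            if ($row['request-type'] -ne 'AcquireLicense') { continue }     # only decryptions
            if (-not $lookup.Contains([string] $row['user-id'])) { continue } # only super users
            [pscustomobject]@{
                When      = "$($row['date']) $($row['time'])"
                SuperUser = $row['user-id']
                Owner     = $row['owner-email']
                File      = $row['file-name']
                Result    = $row['result']
                LogFile   = $file.Name
            }
        }
    }
}

New-Item -ItemType Directory -Path $LogFolder -Force | Out-Null
Connect-AipService                                   # prompts for the admin credentials
$started = (Get-Date).ToUniversalTime()

try {
    # Enable just in time. Assign the account individually: an individual assignment works
    # immediately, whereas group membership is cached by the service.
    Enable-AipServiceSuperUserFeature
    Add-AipServiceSuperUser -EmailAddress $ServiceAccount

    # Snapshot who can decrypt everything right now and keep it with the task record;
    # this list is what the usage-log correlation below relies on.
    $superUsers = @(Get-AipServiceSuperUser) + $KnownGroupMembers
    $group      = Get-AipServiceSuperUserGroup
    [pscustomobject]@{ StartedUtc = $started; SuperUsers = $superUsers; SuperUserGroup = $group } |
        ConvertTo-Json -Depth 3 | Set-Content -Path (Join-Path $LogFolder 'superuser-snapshot.json')

    # ... run the discovery or bulk-decryption job as $ServiceAccount here ...
}
finally {
    # Always revoke, even when the job throws: otherwise the account keeps Full Control
    # over every protected file in the tenant.
    Remove-AipServiceSuperUser -EmailAddress $ServiceAccount
    if (-not $LeaveEnabled) { Disable-AipServiceSuperUserFeature }
}

# Admin log: enable/disable and assignment changes are always recorded. Filtering on
# 'SuperUser' assumes each entry names the cmdlet that was run.
$adminLog = Join-Path $LogFolder 'admin-log.txt'
Get-AipServiceAdminLog -Path $adminLog -FromTime $started
Select-String -Path $adminLog -Pattern 'SuperUser' | ForEach-Object Line

# Usage log: download the task window and tag the decryptions made by super users.
Get-AipServiceUserLog -Path $LogFolder -FromDate $started.Date -ToDate (Get-Date) -NumberOfThreads 3
Get-SuperUserDecryption -LogPath $LogFolder -SuperUsers $superUsers | Format-Table -AutoSize
```

Run it as `.\Invoke-SuperUserTask.ps1 -ServiceAccount discovery-svc@contoso.com` (file name and address are placeholders). Usage logs are published with a delay, so the last two lines are typically re-run later against the saved snapshot; keep the snapshot, because a super user removed after the task would otherwise be invisible to the correlation. The `-LeaveEnabled` switch exists only because the finally block would otherwise switch off a feature that the Rights Management connector for Exchange relies on.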
