Exchange Sensitive Data Scanning | Batch auto-scoping

ScopeMBs.zip (20.9 KB)

Summary: SDD for Exchange currently cannot resume where a previous scan left off, and a full scan often takes too long to complete in a single run.

Original solution created and authored by: Michael Nanos

Modified by: Devon Anderson

Issue: Currently the Exchange sensitive data scan can take an extremely long time to complete. Since the scan does not keep track of history, any interruption causes subsequent runs to start from the beginning again. For some environments the scan could take months to complete. This may far exceed the patching cycle for many organizations and never allow the scan to finish. While breaking the scan up into multiple jobs/batches could potentially work, situations like a high rate of employee turnover could result in too much time spent managing scoping options, as well as a complicated job tree and scheduling scheme.

Instructions: The solution is a group of jobs meant to discover the current list of mailboxes containing messages, compare it to a register of mailboxes previously scanned by the SDD scan job, and then edit the scoping of a single EX SDD scan to reflect the appropriate next batch of mailboxes to be scanned. The scoping is designed to always prioritize any mailboxes with no previous scan date (initially to get through all mailboxes, eventually to pick up new employees). Once all unscanned mailboxes have been queued, it will then add previously scanned mailboxes based on their last scan date, beginning with the oldest first.
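The batch-selection rule described above, written out as an added PowerShell example. This is not the script shipped in ScopeMBs.zip: the register layout (a CSV with Mailbox and LastScanned columns, LastScanned blank when a mailbox has never been scanned), the function names and the sample rows are all assumptions made for illustration. The step that writes the chosen batch into the Job.change file is deliberately left out, since the post does not document that file's format; the example stops at producing the ordered batch.

```powershell
# Added example (hypothetical helper names, not the ScopeMBs jobs' own code).
# Rule demonstrated: never-scanned mailboxes first, then previously scanned
# mailboxes ordered by oldest LastScanned date, cut to the configured batch size.

function Select-NextMailboxBatch {
    param(
        [Parameter(Mandatory)] [object[]] $Register,   # rows with Mailbox, LastScanned
        [Parameter(Mandatory)] [int]      $BatchSize   # e.g. 25/day or 175/week
    )
    # Priority 1: mailboxes with no scan date (initial pass and new employees)
    $unscanned = $Register |
        Where-Object { [string]::IsNullOrWhiteSpace($_.LastScanned) } |
        Sort-Object Mailbox
    # Priority 2: previously scanned mailboxes, oldest scan date first
    $scanned = $Register |
        Where-Object { -not [string]::IsNullOrWhiteSpace($_.LastScanned) } |
        Sort-Object { [datetime]$_.LastScanned }
    $ordered = @($unscanned) + @($scanned)
    return $ordered | Select-Object -First $BatchSize
}

function Update-ScanRegister {
    # Records a completed batch so the next selection rotates correctly.
    param(
        [Parameter(Mandatory)] [object[]] $Register,
        [Parameter(Mandatory)] [string[]] $ScannedMailboxes,
        [Parameter(Mandatory)] [datetime] $ScanDate
    )
    foreach ($entry in $Register) {
        if ($ScannedMailboxes -contains $entry.Mailbox) {
            $entry.LastScanned = $ScanDate.ToString('yyyy-MM-dd')
        }
    }
    return $Register
}

# Constructed sample register (assumed data, not from a real environment)
$sampleCsv = @'
Mailbox,LastScanned
alice@contoso.example,2024-01-10
bob@contoso.example,
carol@contoso.example,2023-11-02
dave@contoso.example,
erin@contoso.example,2024-02-20
'@
$register = $sampleCsv | ConvertFrom-Csv

# Batch 1: bob and dave (never scanned) come first, then carol (oldest scan)
$batch1 = Select-NextMailboxBatch -Register $register -BatchSize 3
"Batch 1:"; $batch1 | Select-Object Mailbox, LastScanned | Format-Table -AutoSize

# Simulate the EX_Mailbox_SDD job finishing batch 1, then select batch 2.
# With no unscanned mailboxes left, alice and erin are picked up in scan-date order.
$register = Update-ScanRegister -Register $register `
    -ScannedMailboxes ($batch1 | ForEach-Object { $_.Mailbox }) `
    -ScanDate (Get-Date '2024-03-01')
$batch2 = Select-NextMailboxBatch -Register $register -BatchSize 3
"Batch 2:"; $batch2 | Select-Object Mailbox, LastScanned | Format-Table -AutoSize
```

Run it in a PowerShell console; no Exchange connectivity is needed because the register is embedded. Feeding the real register CSV produced by the reporting job into `ConvertFrom-Csv` (with the column names adjusted to match) gives the same rotation behaviour the post describes: every mailbox is scanned once before any mailbox is scanned twice, and new mailboxes jump to the front of the queue as soon as they appear in the register.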

The Job group is intended to be placed in the Exchange > 7. Sensitive Data > 0.Collection group.

The host list for the ‘EX_AutoScope_Collection’ job should contain the target Exchange server (for on-prem Exchange) or Entra ID tenant (for Exchange Online). Connection profile should be the same used in other EX collections.

Host list: (screenshot)

Connection profile: (screenshot)
The ‘EX_AutoScope_Report’ job should be configured to specify the batch of mailboxes to scan during the next ‘EX_Mailbox_SDD’ run. This ultimately goes hand in hand with the scanning cadence you wish to adopt (25 mailboxes/day vs. 175/week). It will also depend on the speed at which you can scan (25/day vs. 50/day).

(screenshot)

The host list for the ‘EX_SetScope’ job should be set to localhost. The whole job group is recommended to be run via schedule, so ensure the account configured to run scheduled jobs has local admin rights on localhost to prevent any issues with running the PowerShell script in the job.

Host List: (screenshot)

Scheduled Account: (screenshot)

Important: The ‘EX_SetScope’ job assumes that the ‘EX_Mailbox_SDD’ job has already been configured to be scoped by mailbox. If it has not already been set, you can use the UI to set it as such (a single mailbox is fine, any mailbox).

Doing so adds a required entry to the Job.change file for the ‘EX_Mailbox_SDD’ job, which later allows the ‘EX_SetScope’ job to modify that entry as desired.

Schedule the ‘EX_AutoScope_Collection’ job to run first, before any of the other jobs. This could take a while depending on the size of the environment. It gathers the current list of mailboxes in the environment that contain messages.

After the first run completes, the ‘EX_AutoScope_Collection’ job can be disabled temporarily to focus on working through the full list of mailboxes identified in the first run; re-enable the job later on to check for any new mailboxes.

Once the ‘EX_AutoScope_Collection’ job has completed, proceed by running the ‘EX_AutoScope_Report’ job interactively.

Once the ‘EX_AutoScope_Report’ job completes (it should be quite fast), navigate to %sainstalldir% in File Explorer, which will bring you to the NAA install directory.


Navigate to Reportsv3APPSERVERNAME (my NAA app server is ‘APP1’ in the following screenshot, but yours will most likely be different) → PagesData.

Find the most current csv file in the Data folder and copy its name.

Configure the Query on the ‘EX_SetScope’ job, and update the csv name at the top of the PowerShell script as well as the NAA app server name in the path.

Once configured, the Exchange > 7. Sensitive Data group can be scheduled and run in its entirety at the previously planned cadence. It may be desirable to first run the ‘ScopeMBs’ group alone and verify that the ‘EX_Mailbox_SDD’ job’s scoping has been changed appropriately. This can be validated by viewing the Job.change file for the ‘EX_Mailbox_SDD’ job to see whether the expected scope of mailboxes was successfully added as entries within it.

It is recommended to start with smaller batch sizes and monitor the ‘SDD Scan Summary’ report on the ‘EX_AutoScope_Report’ job to track how long each batch takes, in order to judge the desired batch size going forward.

In the screenshot above, the ‘DurationTime’ is in seconds; however, in the released version (attached to this post) the report shows ‘DurationTime’ rounded down to whole hours. If the ‘EX_Mailbox_SDD’ job takes 45 minutes to run, the report would show the job having run 0 hours. If the ‘EX_Mailbox_SDD’ job instead runs for 1 hour and 15 minutes, the report would show the job having run 1 hour. Most batches in an actual environment will take a significant amount of time to run, so rounding should not obscure how drastic batch increases affect the job run time. Use the line chart to help determine the appropriate batch size.

The other two widgets on the ‘SDD Scan Summary’ report can be used to track how many of the identified mailboxes have been scanned at least once.

Have fun and hope this helps with scanning and tracking the progress of what is scanned in your Exchange environment for sensitive data!!


This is extremely clever Devon! We could leverage the same concept for SharePoint scan jobs as well!

Under File System, both the FSAA and SEEK jobs have the dynamic Scoping Queries - which simplifies this solution (since it is all SQL). It would be handy to have a similar feature for both Exchange and SharePoint jobs!