Cloud App Security: Masking with File Policy

To be honest, I felt a bit fooled by the “masking” method. Well at first just by looking at the feature at file policy, I thought it has the capability to mask sensitive information on the files but I was wrong until I test it out myself.

Another honesty from me is that I had read 7 times on one of the paragraphs from Microsoft Docs, about masking, then only I notice this feature is just plain masking to prevent from viewing at administration side. #sadme #dummy


  • There are administration permission/role settings that you could manage. Will talk about this more on another blog
  • This doesn’t limit to only Office 365 Products.

It was this paragraph;

In addition, you can specify a regular expression to exclude a file from the results. This option is highly useful if you have an inner classification keyword standard that you want to exclude from the policy.
You can decide set the minimum number of content violations that you want to match before the file is considered a violation. For example, you can choose 10 if you want to be alerted on files with at least 10 credit card numbers found within its content.
When content is matched against the selected expression, the violation text is replaced with “X” characters. By default, violations are masked and shown in their context displaying 100 characters before and after the violation. Numbers in the context of the expression are replaced with “#” characters and are never stored within Cloud App Security. You can select the option to Unmask the last four characters of a violation to unmask the last four characters of the violation itself. It’s necessary to set which data types the regular expression searches: content, metadata and/or file name. By default, it searches the content and the metadata. 

So the policy is all the same stage;

  1. Define Condition
  2. Define Actions
  3. Define Exception
  4. Define Notification

Anyway, this blog will elaborate on how the masking works;

So I have created a file policy named “ID Card Masking”, so the purpose of this policy is to identify documents that contain “Malaysian Identification Card” and enable masking to prevent administrator to have the privilege to view full details and prevent having it to store in Cloud App Security.

  1. Go to Control > Policies



2. Expand ID Card Masking policy settings

  • I selected no template
  • Give a policy name
  • Give a level of severity
  • Give a Category type
  • Give some Filtering that this policy will act on (The clearer the better the match)
  • I selected a specific folder in my OneDrive for Business for this policy to act on
  • Next, I selected the Inspection method > Data Classification Service > Malaysian Identification Card
    • This part you can only choose 1 Data Classification for each file policy you created
  •  I checked Unmask last 4 sensitive information



3. Next, you will have to define notification and actions

  • So for notification, I leave it as default
  • For action, you have the option to apply AIP  on this document that matches to this policy


*The AIP label contain DLP labelling and AIP labelling for you to choose from

4. So after 3 minutes of this policy creation, you will be able to view matching result from Investigation tab or Policy.

  • Click on the Policy name (highligted)



  • Then it will show you the statement where the sensitive information found in the documents
  • And these sensitive informatino are masked and last 4 value are unmask


So yeah…that is how the masking works and looks like. If you would like more about what and how, do drop me an email or comment below 😀




How to perform Citrix XenServer update via CLI?

I prefer running via CLI so this blog will teach you how to perform Citrix XenServer update via CLI. This also requires a basic knowledge of using Citrix XenCenter. You can refer the GUI method at the reference.


  1. If you have the XenCenter version lower then 7.1 then please upgrade it else you will not see what are the Needed updates required for the XenServer.
  2. Never ever put your pool master host in maintenance mode (You will be having other pool that has higher level)
  3. Always perform updates at the pool master level first


Pool =  Host


  1. Identify what are the updates needed for each pool
  2. Download the updates from Citrix portal, make sure you have Citrix account to verify yourself
  3. Extract the updates zip file
  4. Download WinSCP (SFTP/FTP tool) and install
  5. Identify your Pool master (You can find it at the XenCenter Interface > Pool Master >  General)
    • Usually, the pool master is the top host
  6. Identify your pool master’s local storage, whether is enough for updates to be store
  7. Migrate VMs in the pool master to another host (this may have downtime)
    • If you don’t have other hosts, then no choice, and may need to bear with the downtime
  8.  Restart your pool master
    • Perform this restart is to make sure that the pool master is alright (If got problem, please raise a case to Citrix Support)
  9. Reconnect to your pool
  10. Open your WinSCP
  11. Connect your WinSCP with the pool master management IP address (You can find it at XenCenter > Pool Master > General > Network) and key in the credential
  12.  Copy and paste the updates to the pool master storage
    • You only need to perform this ONCE at pool master only
  13.  Go to XenCenter > Pool Master > Console
  14.  You will see a CLI Console
  15. Type in the password
  16.  Then Type the following commands

#below this command Is provide a list of the updates filename

> ll

#below this command is to upload the update to the main database using the update filename and it will generate the uuid of the update. Make sure to copy & paste & save the uuid somewhere in a notepad or OneNote, if you will be performing updates more than one host. You can repeat this command for different updates then only moving forward to the apply command. No need to repeat this command for other host, only repeat if necessary.

> xe patch-upload file-name=xxxx.xsupdate

#below this command is to apply the update using the host’s uuid and the filename uuid

> xe patch-apply host-uuid=xxxx uuid=xxxx
UUID > is the unique Identity of the update
Host-UUID > is the host unique id which you can find it from the XenCenter > Host > General

16. After that, then restart your host/pool master

17. Migrate the VM back to the host

18. Monitor it for 24 hours

19. The End

*Try not to get it wrong with the unique identity

*If you are performing for other host updates too, sometime you will receive an error about the applying action rejected (because some update patches have clear command inside), no need to panic, just re-upload the update using the upload command (patch-upload).

*You can patch the updates for other hosts by running on the same console. Example,  Run updates for Pool_02 via Pool_01(Pool Master) console. Easier for you, from changing different host console.






Get-AIPFileStatus Script for users

Just having thought about how to extract the AIP File status from storage via PowerShell Scripting. Hope this helps. Do leave comments if you find some faulty or beside faulty.


  1. This script doesn’t limit to what you want, you could modify it.



  1. Has AADRM module installed
  2. Has the Execution Policy modified
  3. Has PowerShell 3.0  above or Azure Module PowerShell console

Below is the script;

#Purpose: To export data of AIP labelled files from users devices
#You can do this into a GPO but beware of vulnerabilities and 50-50 percent chance that this could actually work
#If you want to run this in a GPO, you have to modify this script

#Connect to the aadrm service
$AADRM = Connect-AADRMService

#Please enter the path
 $ReadPath = Read-Host -Prompt "Enter Path that you wish to check"
 $ReadPath = $ReadPath.ToString()
 $AIPFileStatus = Get-AIPFileStatus -Path "$ReadPath" | where-object {$_.IsLabeled -eq $true}

#Count number of AIP files inside the path
 $CountFile = $AIPFileStatus.Count
 Write-Host "There are total $CountFile AIP File(s)."

#Prompt for export
 $a = Read-Host -Prompt "Do you want to export this data? (Yes/No)"

 $CurrentDate = Get-Date
 $CurrentDate = $CurrentDate.ToString('MM-dd-yyyy_hh-mm-ss')

 If ($a -eq "Yes" -Or $a -eq "yes"){ 
 $Export = $AIPFileStatus | Export-Csv "AIPFileStatus_$CurrentDate.csv"
 Write-Host "Successfully Exported!"

 Write-Host "End..."

 Write-Host "Fail to connect"

Troubleshoot ADFS Token Signing and Decrypting Cutover

I read through many articles and done much research, and I really thought that the AutomaticRolloverCertificate function would take up its work seamlessly but guess what it didn’t. Well, it did generate the new token correct and changing the new token to the Primary and append the changes to Office 365 federation but it wasn’t able to update the changes in Office 365 federation.

I am not sure whether is this got to do with a single domain environment.


Commands/PowerShell you can only run from Primary ADFS unless you had run some PowerShell to allow session establish from another computer. (Which is also fine to proceed, as long as you could establish the connection)


  1. Federated Users unable to login



Actions are taken:

  1. I have checked the event logs
    • Noticed there is an error about Event ID 111 WS-Trust or Value is null unable to perform the update
    • token01
  2. I have query the output via PowerShell from ADFS server
    • Connect-MsolServices
    • Key in Your Office 365 Global Admin credential (the
    • Get-MsolFederationProperty -DomainName

Based on the above 2 actions, I have noticed that it didn’t update the federation in Office 365. It was able to append the changes of the new tokens to the Office 365 but it didn’t update.

Next was;

  1. Run the PowerShell command from primary ADFS to force the update of the new token for Office 365


#enter your global admin credential

Update-MsolFederatedDomain -DomainName -SupportMultipleDomain

#Check whether the token in office 365 is updated

Get-MsolFederationProperty -DomainName

2. Then Restart ADFS services, restart from primary ADFS then to the secondary ADFS

3. Retry to access, then you should be able to access


I am trying to simplify this situation with PowerShell Scripting…so stay tuned!



Troubleshoot MFA for Outlook with Modern Authentication turned on

First of all, understand that I also went through trouble with this modern authentication that is turn on and causing you to see “Always prompt for logon credentials” option is grey out under Outlook application. You would like to have app password for your outlook application but got stop to proceed so because of modern authentication. Is also troublesome to have to keep on keying the code whenever you are re-login your Outlook application without the app password setup on your Outlook account.

*Modern authentication only supports 2013 or the earlier release, please refer to reference for further information

Example for Outlook 2016;

Where to see the grey out “Always prompt for logon credentials”?

File > Info > Account settings > Account Name and Sync Settings > Select More Settings > go to Security tab



However, to sign in with app password, there are 2 options;

  1. If you have an existing account in your Outlook application and have “Always prompt for a password to log in” is enabled then you will just have to key in the app password in the prompt panel.
  2. If you are re-adding or add new account then you will have to key in the app password during your setup of the account for your Outlook application.

*These options doesn’t just limit to Outlook application only

So to disable the modern authentication you may need to add-on a registry;

  1. Go to registry
  2. Locate this directory HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Identity\EnableADAL
  3. If “EnableADAL” registry is not created yet then create it as DWORD and set the value to “0”
  4. If you have already has this registry then just change the value to “0”
  5. Close the registry and restart your Outlook application (by closing and re-open)
  6. You will see the prompt for the credential to log in is shown while you launch your Outlook application
  7. Key in your app password and select remember password

*Is much simple to add registry 

*But I recommend that you remove the profile and then re-add



How to know what Azure AD Connect version I’m running?

Control Panel

Just open up the Control Panel > Uninstall Programs and features > Programs and features > Find Microsoft Azure AD Connect. From there you could identify the version.

Control Panel

Locate Azure AD Connect file

You could locate the Azure AD Connect Synchronize file and right click properties to locate the version. (Please refer to reference for further explanation)

Example below;


File Location


Help Panel

You could even open up your Azure AD Connect Synchronize services Manager console and click on the help button on the taskbar.


Help Panel





In-Place Upgrade: Azure AD Connect stuck at upgrading


*If you have an environment where Java is a common problem then make sure they are enable

*If you have an environment where IE Security Configuration is always on then make sure they are off

*If you are stuck at “Connect to AD” section and where your sign in got block by IE Security then this blog is for you.

If you’re doing an in-place upgrade then there are few requirements that you may need to take precaution before rolling out.

These are the few precautions;

  1. Make sure your IE > Internet option > Security tab > Custom level > Scroll down >  Java applet is turn on and restart your IE
  2. Make sure that your IE Security Configuration from Server Manager is turn off.


If you have run the Azure AD Connect installer and you face the stuck issue then you have to cancel the upgrade progress. Go and check the precaution requirements are met first then try to repair your Azure AD Connect upgrade using the installer.

Error may pop-up when you cancel your half way of your upgrade progress. Rerun the Azure AD Connect installer and select repair will finish up where you last left.



  1. Synchronization is stopped while you are upgrading or repairing
  2. New User creation will not get sync immediately while you are upgrading or repairing
  3. If you have larger amount of users and devices (example 2000 and above) then you will have longer upgrading time. Estimated 10 to 15 minutes






Office 365 Secure Score


Security is a Journey

Secure Score is here to help.

Secure Score analyzes your organization’s security based on your regular activities and security settings in Office 365 and then assign a score.

Secure Score also provides you few guidelines on how to meet the score but not all of the score is needed by your organization to meet.

If you like to know how this Secure Score works and calculates, then you could refer to the link below at the “References”.

If you would like to know what are the requirement license to have this Secure Score, then you could refer to the link below at the “References”.

If you have any questions or concerns, then you could drop comments in this blog and I’ll get back to you.


*For Your Information

Please try not to modify any default security policies ,else you have no fallback plan.



Microsoft Ignite Singapore 2019 : My first experience

This may not be a technical blog but is a blog about my first experience at Microsoft Ignite, Singapore 2019 as an attendee. Sorry if I have grammar mistakes and this blog is boring to you because I am not a perfect writer.

This is a 2 days Microsoft Ignite Singapore and I was in Singapore a day earlier before the event. This blog will elaborate my each day experience on this 2 days at Microsoft Ignite, Singapore.

Day 1 (Wed, 16th January 2019)

The event started at 0800 am till 1730 pm and the venue is Marina Bay Sands, Singapore. I was there at 0730 am but I didn’t know that the guards were so strict about timing and doesn’t allow anyone to enter for registration, and I have to wait when the time is 0800 am sharp. So yes indeed there were quite an amount of people were waiting outside of the entrance. While waiting for the time to passed, I had a conversation with a person that is also waiting for the entrance door to open.

Once the time hit 0800 am, the long wait for the entrance door to open has open! Well the next thing you will see is a bunch of humans rush in to get registered.

After I got my registration done, then I head in to the Hub there you can see a board banner (written sponsors and Microsoft Ignite | The Tour) was placed at the side, for people to take photo with.

Just me with my awkward smile

Moving on, you’ll see different companies booths where they are here to talk/present about their technology (example, Logitech, HPE, Microsoft Learn, Modern Desktop and etc.. ) and there’s small single Microsoft booths, where there’s a Professional at each small booth that will help you to answers questions regarding a specific Microsoft products. Those companies booths aren’t just plain Q&A, they also provide useful goodies too! Next, is you’ll see a buffet of breakfast (well only like 3 to 5 kinds of food), the food was still alright (My purpose of being here wasn’t about the food). In Ignite they do provide breakfast, lunch and tea times.

After I had my light breakfast, is time to walk around the hub, there’s a ping pong table and 4 different arcade games for attendees to play with it and have fun with it, which is pretty cool! If you get bored/tired with talking/mingle then you can have a silent moment to yourself while playing with the arcade game (Recharging).

4 Awesome Arcade Games
Diversity Superpower

Going through the sessions schedule it seems that this Ignite is focusing much more on Azure technology, such as Cloud App Security, Artificial Intelligent, Bot and etc. The speakers in Ignite are either Microsoft MVPs or volunteered Professionals. The sessions given are either informative/theory or practical which are pretty useful. These sessions are not all technical so don’t get it all wrong, they even have session on teaching you on how to persuade your organization to use this technology, keeping your organization up-to-date with today’s technology. These sessions are not all boring (well depending on how the speaker’s presentation).

SCCM Session
2 fascinating IoT young sisters (age of 9 and age of 12)

Hmm…which sessions did I chose to go? Basically, I chose Security, AI, Bot, Microsoft Teams and IoT, I find them interesting categories and much related to what I do (technical or non-technical sessions). Sorry I can’t elaborate further on each sessions information, which I would find it unfair to exploit it. If you do wish to know what is it like in those sessions, then I recommend you to go to the next Microsoft Ignite 2019 to have your own experience, is open to public so get yourself register fast!

Besides, I even met a very old friend and it was great to reconnect with them, Day 1 of this Ignite was fun and exciting to meet new people, and get to know what are the Microsoft products updates. I didn’t spend much time on going through booths on Day 1, so that will have to be my Day 2 plan. Well that’s a wrap up for Day 1.

Day 2 (Thurs, 17th January 2019)

I was pack full of excitement looking forward for this Day 2! Day 2 wasn’t as crowded as Day 1 in the hub but it does feel crowded during sessions. Day 2’s sessions end as early as 1630 pm. So as for Day 2, is more practical sessions and deep learning sessions. As you can see there will be people writing down notes during practical sessions (Wow…so serious and focus!). I went for 3 different levels of Artificial Intelligent session, it is highly technical, informative, entertaining and creative on how the speaker present and their slides. Entertaining? Well you will have to find out yourself by going these kind of events. As I had said not all speakers are boring and not all speakers wish their audience to feel bored too. I even went to a session that speak about how to help us getting organization to use Microsoft Teams. There is also a session about Microsoft Kaizala, that I also went too.

As I was saying, I had a plan for Day 2 is to go to few booths and get more information and goodies. I went to Microsoft Learn booth and got myself registered for Microsoft Certification, I also went for Microsoft FastTrack wanting to know more what is it about and etc.. I think I visited 40% of the booths.

Microsoft Learn (MCP)

Since that Day 2 ends early, so time is important. Well I do had a another great time on Day 2. That’s another wrap up for Day 2!

I do look forward in going to these kind of events.

What’s my favorite part of Ignite? I would say the people, because I am pretty conservative person but I do love conversation (small talks/technical) and I choose to step out from my comfort zone by speaking with attendees. Asking them why they come to Ignite and etc..

Hope you enjoy this blog, if you don’t then I hope you have a nice day ahead!

Do follow me on twitter if you want to know more about such events, @oh_is_sabrina