Hi guys and ladies, today I’m going to write about the hidden guru in your Exchange Online Protection, a.k.a. Office 365 Mail Security or Microsoft Defender for Office 365.
Why is improving your mail security configuration important? Well, malicious attacks improve from time to time, and so does security. In the past, scammers used to send fake letters to houses claiming to be from the bank or a police officer, to lure you into handing over money. Now, in 2022, scammers send blast mail to any IP address or available legitimate domain in the world, claiming to be an authorized organization, to find their victims.
There are times when you would like to compare your vendor’s recommendation with the global recommendation for mail security configuration; now you have it in your Microsoft Exchange Online portal. Basically, Configuration Analyzer scans your existing policies and provides either Standard or Strict recommendations to improve your mail policies.
Do not make changes to the default policies provided by Microsoft. It is recommended to create new ones instead.
In the left navigation bar, you can see the “Email and collaboration” category
Select the “Policies & rules”
Select “Threat policy”
Select “Configuration Analyzer”
As you can see, it does scan your default policies, but you can ignore those. The most important thing in this table is the structured, convenient information that helps you understand how you can improve your existing policies.
You may refer to the references below to check whether your license includes this feature.
Hey guys and girls, hope you guys are having a great weekend! Remember to stay healthy and stay safe as your priority.
Today’s blog is about Microsoft Information Protection labels and how to plan before deploying them. Each organization has its own preferences and requirements. Planning is a crucial part of every deployment, especially when the deployment has to be rolled out to users for their daily work. Plain language is the key to users’ understanding.
Some organizations have a compliance team and some do not. Having a compliance team makes this deployment much clearer in terms of what the organization needs. If the organization does not have a compliance team, then we would help to identify together what they require. Labels are structured in the form of priorities, so it is best to keep them simple and easier for administrators to manage too.
Phase 1: Give them the feel and look
Microsoft does provide default labels to organizations; you can roll out these default labels to a smaller team or the compliance team, allowing them to play around with them for a period of time. This gives them an idea of how sensitivity labels work, and coming up with a template will be easier for them. Having a template is the quickest and easiest way to roll out the labels.
Phase 2: Feedback and Drafting Template
The feedback and drafting template phase is closer to rolling out labels that suit the organization’s needs. In this phase, there are a few items that you would need to get involved in, and they take a bit of time:
Categorize the labels based on location (Exchange Online, SPO, OneDrive, etc.)
There are differences in the protection features available for each location
What the labels can or can’t do
User-facing description of the labels (keep it as plain as you can)
Priority of the labels
Design structure of the labels/sub-labels (simple is better)
Permissions (Flexible or Set)
Action for the priority labels (Flexible, Warning or Strict-Justification)
Customized notifications (the majority decide to keep the default, so you don’t need to spend too much time on this part)
Here are some design types that you can reference:
Design type 1
This design is for organizations that would like to keep some default labels and add new labels for other departments and their purposes. No sub-labels to manage.
Design type 2
This design is for organizations that wish to keep some default labels but do not want other new labels to manage. Has sub-labels to manage.
Design type 3
This design is for organizations that would like to manage their labels by department, with each department having its own labels. I wouldn’t recommend this though, because it is complicated. As I mentioned earlier, labels are arranged in order of priority.
Phase 3: Final Template
This is the phase where you roll out the final template of the labels back to the small team or compliance team for one last confirmation.
Hey guys and girls, happy new year and hope you are all healthy and safe! I’ve come across an issue where users kept logging in with their own corporate user accounts on a meeting room device through Microsoft Teams. This also registers the meeting room device under the user’s account.
Manually deleting the device objects from the user account every time is not practical for administrators. Clean-up is really not something administrators should have to do every time a user uses that meeting room device. Our meeting room devices are not hybrid joined, so this solution does not impact the Windows license, but that does not mean it would not cause issues in your environment. It is recommended that you test it in your lab environment. Our meeting room devices are custom made/designed.
I came across an article that really helped my situation. This solution requires modifying the device’s registry.
Please run a lab test.
Launch the registry editor on the affected machine
Navigate to this location: HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin
Create a new DWORD value named BlockAADWorkplaceJoin with the value 1
Reboot the machine
You may run the command “dsregcmd /status” to check the MDM status
SSO state: No
If you have multiple devices to which you need to apply this setting, you could export and save this registry setting, or use the PowerShell method. You may refer to the PowerShell method via the references below.
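As an added example (not from the original post or the article it references), here is a PowerShell equivalent of the registry steps above; it assumes you run it elevated on the meeting room device, test it in a lab first, and reboot afterwards:

```powershell
# Added example: block Azure AD workplace join on a shared meeting-room device.
# Equivalent to the manual registry steps in the post. Run elevated; lab-test first.
$path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
$name = 'BlockAADWorkplaceJoin'

# The policy key does not exist by default; create it only if it is missing
if (-not (Test-Path -Path $path)) {
    New-Item -Path $path -Force | Out-Null
}

# Create or overwrite the DWORD value so the script is safe to re-run
New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value 1 -Force | Out-Null

# Read back what was written and fail loudly if it is not what we expect
$current = (Get-ItemProperty -Path $path -Name $name).$name
if ($current -ne 1) {
    throw "Expected $name = 1 under $path, found: $current"
}
Write-Output "$name = $current set under $path; a reboot is required for it to take effect."

# To roll the same setting out to several devices, export this key once and
# import it on the others (or push this script through your management tool):
#   reg export "HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin" C:\Temp\BlockWPJ.reg
#
# After the reboot, verify with the built-in tool the post mentions; the
# "WorkplaceJoined" line under "User State" should read NO for the signed-in user:
#   dsregcmd /status | Select-String -Pattern 'WorkplaceJoined'
```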
Good day everyone, hope you all are taking care of your health and safety during this pandemic. Hope you guys are also getting your booster shots.
Today’s issue is related to Microsoft Endpoint Manager, on hybrid-joined devices. I noticed that when a device’s Azure AD Registered icon is removed from the Endpoint Manager portal, and the machine does not reboot immediately but is left there for more than an hour after I made the changes in the portal, the device will have issues joining/registering as hybrid joined.
There is a cache that the device stores; I’m not too sure what the refresh interval is at which the device retrieves the new update from the portal.
Symptoms that your hybrid join was not successful:
The device’s Register status keeps showing/stuck at Pending in Endpoint Manager
The device’s MDM status keeps showing/stuck at System Center Configuration Manager instead of Microsoft Intune in Endpoint Manager
The command prompt keeps showing the MDM warning when I run “gpupdate /force”, even though the machine’s object is no longer found in Endpoint Manager
dsregcmd /status shows DeviceAuth: Failed. Device is either disconnected or deleted.
Steps to resolve:
First, clear the machine object from Endpoint Manager
Run an Azure AD Connect synchronization from on-premises
Once the Azure AD Connect synchronization has completed, proceed to the next step…
Reboot the machine
Launch the command prompt as administrator on the affected machine and run the following command: “dsregcmd /leave”
Then run “dsregcmd /status” and check to make sure the device is unjoined
Go to the registry editor, “HKLM\SOFTWARE\MICROSOFT\Enrollments”, and delete all the GUID-looking keys
Reboot the machine
Try the hybrid join procedure again
If you can’t delete some of the keys because the system does not allow it, that is fine; you can proceed with deleting the ones that can be deleted.
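As an added example (not the original post’s script), here is the on-device part of the steps above in PowerShell, from “dsregcmd /leave” to clearing the GUID-named keys under HKLM\SOFTWARE\Microsoft\Enrollments. It assumes you run it elevated after the object has been removed from the portal and the Azure AD Connect sync has completed, and that you reboot afterwards:

```powershell
# Added example: scripted version of the on-device steps of the fix above.
# Run elevated AFTER the Endpoint Manager object is gone and AAD Connect has synced.
$enrollPath  = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
$guidPattern = '^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'

# Step: leave the Azure AD join with the built-in tool
dsregcmd /leave | Out-Null

# Step: confirm the device now reports as unjoined before touching the registry
$joined = 'UNKNOWN'
foreach ($line in (dsregcmd /status)) {
    if ($line -match '^\s*AzureAdJoined\s*:\s*(\S+)') { $joined = $Matches[1]; break }
}
if ($joined -ne 'NO') {
    throw "Device still reports AzureAdJoined = $joined; stopping before the registry cleanup"
}

# Step: delete only the GUID-named enrollment keys. Other keys under Enrollments
# (Status, Ownership, ...) are left alone. Keys the system refuses to delete are
# skipped and reported, which the post says is fine.
$removed = @()
$skipped = @()
$guidKeys = Get-ChildItem -Path $enrollPath -ErrorAction Stop |
    Where-Object { $_.PSChildName -match $guidPattern }
foreach ($key in $guidKeys) {
    try {
        Remove-Item -Path $key.PSPath -Recurse -Force -ErrorAction Stop
        $removed += $key.PSChildName
    }
    catch {
        $skipped += $key.PSChildName
    }
}

Write-Output "Removed enrollment keys : $($removed -join ', ')"
Write-Output "Skipped (not deletable): $($skipped -join ', ')"
Write-Output 'Reboot the machine, then retry the hybrid join.'
```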
Good day everyone. The Covid-19 situation is rising drastically in Malaysia, which kind of brings my hopes down. Anyway, I still have to keep going with life.
Today’s topic is about Azure’s conditional access policy. We found a bug in conditional access for the iOS device platform. Basically, our situation is that if we need conditional app control to function in Cloud App Security, we need to set up a conditional access policy. Our setup was meant to achieve monitoring mode only. However, after enabling the policy we received reports that all iOS devices were having trouble accessing Exchange Online. Users were receiving an email notification stating that their Exchange Online access was being blocked. We had to disable the policy temporarily to troubleshoot it.
This was the email notification:
This was our configuration for the conditional access policy:
Assignment: Include a test group, Exclude the VIP accounts
Cloud apps: All cloud apps
Session: Use conditional app control (Monitor Only)
This is the Microsoft article that shows how the configuration/enablement is set up in conditional access in order for app control to work; as you can see, there weren’t any conditions set up. Hence, it should not be doing any requirement checking or blocking.
To be honest, I had raised tickets with the MCAS, Exchange Online and Azure teams, and none of them was able to get back to me with an answer. The MCAS team stated that “no conditions are setup it SHOULD NOT be performing blocking”.
I had to stop relying on Microsoft Support for this case, as I had to find a way to identify it myself. Based on the image above, we can see that the article is not mature enough, because there weren’t any solid references or notes stating the limitations/restrictions of monitor-only conditional app control.
Upon further checking, I analyzed the Azure sign-in activity logs and the Cloud App Security activity log of the user who experienced the issue. We noticed that the sign-in was shown as “Interrupted” and there was no failed sign-in status. For your information, the iOS version is 14.
Error code 1: This is not an error – this is an interrupt that triggers device authentication when required due to a Conditional Access policy or because the application or resource requested the device ID in a token. This code alone does not indicate a failure on your user’s part to sign in. The sign-in logs may indicate that the device authentication challenge was passed successfully or failed.
Another finding was that there weren’t any Exchange mobile device access policies/rules configured to perform the blocking.
I do know that once conditional app control is enabled there is a prompt page before entering Exchange Online; this is my iPad Air by the way, running the latest version. The prompt page can be turned off though. Anyway, that is not the case here. I ran a test to mimic the situation, but I didn’t receive any email notification stating that my Exchange Online access was being blocked. There is no MFA or biometric setup on my iPad.
The question still remains: is there a prerequisite for iOS devices in a conditional access policy, even though no conditions are set?
Hey guys and girls, hope you all are having a good day. Today’s topic relates to 3 platforms:
Intune/Microsoft Endpoint Manager
Outlook App (Windows)
This topic is more related to migration situations: basically, the environment is running IMAP and is at the stage of migrating to Office 365. Hence, to allow users to proceed to make use of the new mailbox and receive the latest emails without disruption or downtime, you would need to create the Office 365 email account in their Outlook profile.
If you notice that you have an email account, firstname.lastname@example.org, with the type “IMAP” in your default Outlook profile, but you would also like to add email@example.com with the type “Microsoft Exchange” to the default Outlook profile, this is where the issue happens. The majority would just proceed to add the account from the Outlook app, but it will never let you successfully add the new account in and returns the message “This account has been added.” It seems to me that the Outlook app is unable to differentiate TYPES. If you dig into Google Search you will only get articles guiding you to create a new profile just for the Office 365 account.
Wait… there is a solution to this. Please don’t bother raising a case to Microsoft Support from Intune; if you’re lucky you will meet a support engineer willing to go the extra mile for you. Usually the support would recommend you turn on this feature from Intune, “Automating the creation of outlook profile for Exchange Accounts”; this only applies to new profiles, not existing profiles.
So basically the solution is simple, but I’m still unable to find an automated way to perform this. Hence, it is manual, but luckily it was just a small business organization, else I would be lost for words. Just the type of organization that is not willing to spend on other migration products such as BitTitan, etc.
Anyway, to create an email account in the default Outlook profile we would need to:
Click the Start/Windows button
Search for “Control Panel”
Search for “Mail” in Control Panel
Select Mail > select “Email Accounts”
Then select “New”
Enter the following details and click Next
Wait for the establishing process…
You will now have 2 firstname.lastname@example.org accounts in the default Outlook profile with different types, IMAP and Microsoft Exchange.
If you still want to go with having 2 profiles in Outlook to serve each type, here is a simple PowerShell script that you can upload to Intune:
# Create the new Outlook profile key (replace <Profile Name> with the name users should see); in Intune, deploy with “Run this script using the logged on credentials” set to Yes so that HKCU is the signed-in user’s hive rather than SYSTEM’s
New-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Outlook\Profiles\<Profile Name>" -Value ""
# Make Outlook prompt the user at start-up to choose which profile to open, instead of loading the default one silently
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Exchange\Client\Options" -Name "PickLogonProfile" -Value "1"
Hey guys, good morning! It’s a rainy day today, which just brings on the relaxed mood.
Here is another topic on Microsoft Defender for Identity: troubleshooting sensors.
You may notice that your sensor keeps disconnecting, while it was fine during the first 2 weeks of the deployment.
There are many possible causes of this issue, so I’m glad there is this sizing tool that you can use to identify the traffic on the domain controllers; it will provide you with recommendations on the hardware requirements that need increasing or looking into.
Sometimes this is not due to the domain controllers or the sensor; it could mean that the environment is growing and a number of applications require LDAP authentication with the closest domain controller or the FSMO-holder domain controller.
This is how the alert looks on the ATP portal:
To prove whether the domain controller needs an increase in hardware resources
Hey everyone, good evening, and hope you guys are having a nice day today. Just another topic about Azure ATP here, a.k.a. Microsoft Defender for Identity.
If you have come across this before, then you already know what it is for. If you are new here, let’s just have a brief explanation of what it is about. Azure ATP is basically a cloud service that leverages your on-premises environment to perform identification, detection and monitoring of your domain controllers’ user object activities and behaviors.
A newly deployed Azure ATP in your environment would take 48 to 72 hours to study the behaviors of each account, but this also depends on how large the number of objects in your environment is.
Anyway, a bit of a side track just now. The objective of this blog post is to help if you ever encounter the 5 types of attack alerts from Azure ATP: reconnaissance, compromised credentials, lateral movement, domain dominance and exfiltration.
You may refer to this link here to learn how to remediate and understand how to manage the alerts.
Hey everyone, hope you guys are having a nice evening. Today’s blog post is about Azure ATP and Office 365 audit.
So the situation is like this:
The majority of Office 365 tenants have more than 1 global administrator. Whenever a global administrator would like to capture other administrators’ actions, they would query those events from the Office 365 audit log. For Azure ATP, I notice it is not available in the Office 365 audit log, but for Defender for Endpoint it does exist in the audit log. In summary, you can’t audit actions taken in the Azure ATP portal.
Scenario: if a global administrator deletes an alert from Azure ATP, it remains deleted and there is no recycle bin to restore the alert, unless you regenerate the same situation to trigger the detection again. This delete action is not recorded in the Office 365 audit log.
I do not see this as a show stopper; I am still testing other ways to get this working. Stay tuned…