Azure: Troubleshooting Conditional Access App Control for iOS

Good day everyone. Covid-19 is rising drastically in Malaysia, which brings my hopes down a little. Anyway, life has to keep going.

Today’s topic is the Azure conditional access policy. We found a bug in conditional access for the iOS device platform. Our situation is this: for Conditional Access App Control to function in Cloud App Security, a conditional access policy has to be set up. Our setup was intended for monitoring mode only. However, after enabling the policy we received reports that all iOS devices were having trouble accessing Exchange Online. Users received an email notification stating that their Exchange Online access was being blocked. We had to disable the policy temporarily to troubleshoot it.

This was the email notification:

No Exchange Server, just Exchange Online
This was our configuration for the conditional access policy:
  • Assignment: Include a test group, Exclude the VIP accounts
  • Cloud apps: All cloud apps
  • Conditions: None
  • Session: Use conditional app control (Monitor Only)

This is the Microsoft article that shows how the conditional access policy is configured and enabled for app control to work. As you can see, no conditions were set up, so the policy should not be doing any requirement checking or blocking.

There is not enough explanation
As you can see, the condition count shows zero

To be honest, I raised tickets with the MCAS, Exchange Online and Azure teams, and none of them were able to get back to me with an answer. The MCAS team stated that “no conditions are setup it SHOULD NOT be performing blocking”.

I had to stop relying on Microsoft Support for this case and find a way to identify the cause myself. Based on the image above, the article is not mature enough: there are no solid references or notes stating the limitations/restrictions of the monitor-only mode of conditional app control.

Upon further checking, I analysed the Azure sign-in activity log and the Cloud App Security activity log for the user who experienced the issue. We noticed that the sign-in was shown as “Interrupted” and there was no failed sign-in status. For your information, the iOS version is 14.

Error code 1: This is not an error – this is an interrupt that triggers device authentication when required due to a Conditional Access policy or because the application or resource requested the device ID in a token. This code alone does not indicate a failure on your user's part to sign in. The sign-in logs may indicate that the device authentication challenge was passed successfully or failed.

Error code 2: This is an expected part of the login flow, where a user is asked if they want to remain signed into this browser to make further logins easier. For more details, see https://techcommunity.microsoft.com/t5/Azure-Active-Directory/The-new-Azure-AD-sign-in-and-Keep-me-signed-in-experiences/td-p/128267

Error code 3: 50097
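The same log review can be done in bulk rather than one sign-in at a time. The script below is an added example and is not part of the original post: it pulls the last seven days of Entra ID (Azure AD) sign-ins with the Microsoft.Graph PowerShell module, keeps the iOS ones, summarises their error codes, and lists which Conditional Access policies were applied and what grant or session controls they enforced. It assumes the Microsoft.Graph.Reports module is installed, the signed-in account has the AuditLog.Read.All and Directory.Read.All permissions, and that the operating system string for iOS devices starts with "Ios" as it does in the portal export.

```powershell
# Added example, not from the original post: bulk review of the sign-in log for the
# "Interrupted" iOS sign-ins the post describes.
# Assumptions: Microsoft.Graph.Reports installed; AuditLog.Read.All + Directory.Read.All;
# iOS devices report an OS string beginning with "Ios".
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All' -NoWelcome

$since   = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All
$ios     = $signIns | Where-Object { $_.DeviceDetail.OperatingSystem -like 'Ios*' }

# 1. Error code summary. 0 is success; 50097 (device authentication required) and the
#    "keep me signed in" prompt are interrupts, so the portal shows them as "Interrupted"
#    rather than as failures, which is why the post saw no failed sign-ins.
$ios | Group-Object { $_.Status.ErrorCode } | Sort-Object Count -Descending |
    Select-Object @{ n = 'ErrorCode'; e = { $_.Name } }, Count,
                  @{ n = 'Reason';    e = { ($_.Group | Select-Object -First 1).Status.FailureReason } } |
    Format-Table -AutoSize

# 2. Per sign-in: which CA policies matched, what they enforced, and the CA outcome.
#    A "Monitor only" app-control policy should appear with a session control and no
#    grant control; any grant control on these rows is where to start asking questions.
$ios | ForEach-Object {
    $s = $_
    foreach ($p in $s.AppliedConditionalAccessPolicies) {
        if ($p.Result -eq 'notApplied') { continue }
        [pscustomobject]@{
            Time      = $s.CreatedDateTime
            User      = $s.UserPrincipalName
            App       = $s.AppDisplayName
            Resource  = $s.ResourceDisplayName
            OS        = $s.DeviceDetail.OperatingSystem
            CAStatus  = $s.ConditionalAccessStatus
            ErrorCode = $s.Status.ErrorCode
            Policy    = $p.DisplayName
            Result    = $p.Result
            Grant     = ($p.EnforcedGrantControls   -join ',')
            Session   = ($p.EnforcedSessionControls -join ',')
        }
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize
```

Run it once with the policy disabled and once with it enabled and compare the two tables: the second table makes it obvious whether the interrupt came from the app-control policy itself or from another policy that the iOS sign-ins also matched.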

Another finding was that there were no Exchange mobile device access policies/rules configured to perform the blocking.

I do know that once conditional app control is enabled there is a prompt page before entering Exchange Online; this is my iPad Air by the way, running the latest version. The prompt page can be turned off, but that is not the case here. I ran a test to mimic the situation, but I did not receive any email notification stating that my Exchange Online access was being blocked. There is no MFA or biometric setup on my iPad.

The question still stands: is there a prerequisite for iOS devices in a conditional access policy, even when no conditions are set?

Below is an image from the web browser:

Below is an image from my iOS Outlook app:

Intune & PowerShell: Creation of Email accounts automation on Outlook

Hey guys and girls, hope you are all having a good day. Today’s topic involves three platforms:

  • Intune/Microsoft Endpoint Manager
  • PowerShell
  • Outlook App (Windows)

This topic relates to migration situations: the environment is running IMAP and is at the stage of migrating to Office 365. To allow users to start using the new mailbox and receive the latest emails without disruption or downtime, we need to create the Office 365 email account in their existing Outlook profile.

Say you have an email account, user@abc.com of type “IMAP”, in your default Outlook profile and you would like to also add user@abc.com of type “Microsoft Exchange” to the same default profile. This is where the issue happens: most people would try to add the account from the Outlook app, but it never lets you add the new account successfully and returns the message “This account has been added.” It seems to me that the Outlook app is unable to differentiate account TYPES. If you search Google you will only find articles guiding you to create a new profile just for the Office 365 account.

Wait… there is a solution to this. Please don’t bother raising a case with Microsoft Support from Intune; if you’re lucky you will meet a support engineer willing to go the extra mile for you. Usually support would recommend turning on the Intune feature “Automating the creation of outlook profile for Exchange Accounts”, but this only applies to new profiles, not existing ones.

So the solution is simple, but I am still unable to find a way to automate it. Hence it is manual; luckily this was a small business organization, otherwise I would have been lost for words. It is the type of organization that is not willing to spend on migration products such as BitTitan and so on.

Anyway, to create an email account in the default Outlook profile we need to:

  1. Launch your Start/Windows button
  2. Search for “Control Panel”
  3. Search for “Mail” in Control Panel
  4. Select Mail > select “Email Accounts”
  5. Then select “New”
  6. Enter the following details and click Next
  7. Wait for the account setup to complete…
  8. You will now have two user@abc.com accounts in the default Outlook profile with different types, IMAP and Microsoft Exchange.

If you still want to have two profiles in Outlook, one for each type, here is a simple PowerShell script that you can upload to Intune:

# Create the new Outlook profile key (16.0 = Outlook 2016/2019/365). -Force creates it if missing.
# Note: Intune runs scripts as SYSTEM unless "Run this script using the logged on credentials"
# is set to Yes; HKCU only points at the user's hive when that setting is Yes.
$ProfileName = "<Profile Name>"
New-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Outlook\Profiles\$ProfileName" -Force | Out-Null

# Make Outlook prompt the user to choose which profile to open. The Options key may not
# exist yet, and Set-ItemProperty fails on a missing key, so create it first.
$Options = "HKCU:\Software\Microsoft\Exchange\Client\Options"
if (-not (Test-Path $Options)) { New-Item -Path $Options -Force | Out-Null }
Set-ItemProperty -Path $Options -Name "PickLogonProfile" -Value "1" -Type String
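The two-profile approach can be taken one step further so that the new profile is populated with the Exchange Online account without the user typing anything. The script below is an added example, not the post’s own script: besides creating the profile and the profile prompt, it sets Outlook’s documented ZeroConfigExchange value, which makes Outlook run Autodiscover for the signed-in user and add the Exchange account automatically. My assumptions (not the post’s): Office 16.0; the Intune script assignment has “Run this script using the logged on credentials” set to Yes so that HKCU is the user’s hive; the device is Azure AD joined or hybrid joined so Autodiscover can resolve the signed-in user’s mailbox; ZeroConfigExchange also fills the empty profile created here (test this on a pilot device first); and “<Profile Name>” is a placeholder.

```powershell
# Added example, not from the original post: Intune-ready two-profile script that also
# lets Outlook create the Exchange account in the new profile automatically.
# Assumptions: Office 16.0; runs in the logged-on user's context; device is Azure AD /
# hybrid joined; ZeroConfigExchange populates the empty profile (verify on a pilot device);
# '<Profile Name>' is a placeholder.
$ProfileName = '<Profile Name>'
$OutlookRoot = 'HKCU:\Software\Microsoft\Office\16.0\Outlook'

# Bail out if Outlook 2016+ has never run for this user. A non-zero exit code is what
# Intune reports as a failed script run, which is what we want to see in the portal.
if (-not (Test-Path $OutlookRoot)) {
    Write-Error "Outlook 16.0 hive not found for $env:USERNAME"
    exit 1
}

# 1. New, empty profile. Idempotent: re-running the script does not recreate it.
$ProfileKey = "$OutlookRoot\Profiles\$ProfileName"
if (-not (Test-Path $ProfileKey)) { New-Item -Path $ProfileKey -Force | Out-Null }

# 2. ZeroConfigExchange (DWORD 1): when Outlook opens a profile with no account it runs
#    Autodiscover for the signed-in user and adds the Exchange account without prompting.
#    This is the registry value behind the "automatic profile creation" behaviour the post
#    mentions; it only affects new/empty profiles, never the existing IMAP profile.
$AutoDiscoverKey = "$OutlookRoot\AutoDiscover"
if (-not (Test-Path $AutoDiscoverKey)) { New-Item -Path $AutoDiscoverKey -Force | Out-Null }
Set-ItemProperty -Path $AutoDiscoverKey -Name 'ZeroConfigExchange' -Value 1 -Type DWord

# 3. Ask the user which profile to open at every Outlook start, so the old IMAP profile
#    and the new Exchange profile both stay reachable for the duration of the migration.
$OptionsKey = 'HKCU:\Software\Microsoft\Exchange\Client\Options'
if (-not (Test-Path $OptionsKey)) { New-Item -Path $OptionsKey -Force | Out-Null }
Set-ItemProperty -Path $OptionsKey -Name 'PickLogonProfile' -Value '1' -Type String

exit 0
```

Once the migration is complete, a second script can set PickLogonProfile back to "0" and make the Exchange profile the default, so users stop seeing the prompt.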

Azure ATP: Troubleshoot sensor keeps disconnecting

Hey guys, good morning! It is a rainy day today, which brings on a relaxed mood.

Here is another topic on Microsoft Defender for Identity: troubleshooting sensors.

This post is for when you notice that your sensor keeps disconnecting, although it was fine during the first two weeks of the deployment.

There are many possible causes of this issue, so I’m glad that there is a sizing tool you can use to measure the traffic on the domain controllers; it will recommend which hardware requirements need increasing or looking into.

Sometimes this is not due to the domain controllers or the sensor itself; it could mean that the environment is growing and more applications require LDAP authentication with the closest domain controller or the FSMO role holder.

This is how the alert looks on the ATP portal:

To prove whether the domain controller needs more hardware resources:

  1. Download the sizing tool
  2. Install the sizing tool on the domain controller whose sensor has the issue
    • It does not require a restart of the domain controller
  3. Run the application for 24 hours
  4. It will export an Excel file to the application’s directory
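While the sizing tool collects its 24 hours of data, a quick spot check on the same domain controller tells you whether the sensor is actually crashing and restarting, and whether packet load is anywhere near the sizing limit. The script below is an added example and is neither the sizing tool nor code from the original post. It assumes it runs elevated on the domain controller, that AATPSensor and AATPSensorUpdater are the sensor service names, and that the 30,000 packets/sec figure (taken from the sizing report in this post), the five-minute sample window and the log file name are my choices.

```powershell
# Added example, not from the original post and not the sizing tool: spot check on a
# domain controller whose Defender for Identity sensor keeps disconnecting.
# Assumptions: elevated on the DC; service names AATPSensor / AATPSensorUpdater;
# threshold from the post's sizing report; 5-minute sample window and log name are mine.
$Threshold = 30000

# 1. Sensor services. A sensor that "keeps disconnecting" often shows here as Running
#    but with a process started only minutes ago, i.e. it is crashing and restarting.
foreach ($svc in 'AATPSensor', 'AATPSensorUpdater') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if (-not $s) { Write-Warning "$svc is not installed on this host"; continue }
    $procId  = (Get-CimInstance Win32_Service -Filter "Name='$svc'").ProcessId
    $started = if ($procId) { (Get-Process -Id $procId -ErrorAction SilentlyContinue).StartTime } else { $null }
    [pscustomobject]@{ Service = $svc; Status = $s.Status; StartType = $s.StartType; ProcessStarted = $started }
}

# 2. Memory headroom (the sizing report in the post recommended more RAM).
#    Win32_OperatingSystem reports these values in KB, so KB / 1MB gives GB.
$os = Get-CimInstance Win32_OperatingSystem
[pscustomobject]@{
    TotalGB = [math]::Round($os.TotalVisibleMemorySize / 1MB, 1)
    FreeGB  = [math]::Round($os.FreePhysicalMemory / 1MB, 1)
}

# 3. Packets/sec per NIC over 5 minutes (60 samples, 5 s apart). The sizing tool does
#    this for 24 h; this only shows whether the load is even close to the limit right now.
$samples = Get-Counter -Counter '\Network Interface(*)\Packets/sec' -SampleInterval 5 -MaxSamples 60
$samples.CounterSamples |
    Where-Object { $_.InstanceName -notmatch 'isatap|loopback|teredo' } |
    Group-Object InstanceName | ForEach-Object {
        $m = $_.Group | Measure-Object -Property CookedValue -Average -Maximum
        [pscustomobject]@{
            NIC             = $_.Name
            AvgPps          = [math]::Round($m.Average)
            MaxPps          = [math]::Round($m.Maximum)
            OverSizingLimit = ($m.Maximum -gt $Threshold)
        }
    } | Format-Table -AutoSize

# 4. Last errors from the sensor's own log file. The install folder contains a
#    version-numbered subfolder with a Logs directory, so search recursively.
$logDir = Join-Path $env:ProgramFiles 'Azure Advanced Threat Protection Sensor'
Get-ChildItem -Path $logDir -Recurse -Filter 'Microsoft.Tri.Sensor.log' -ErrorAction SilentlyContinue |
    ForEach-Object {
        Get-Content -Path $_.FullName -Tail 2000 |
            Select-String -Pattern 'Error|Exception' |
            Select-Object -Last 10
    }
```

If the services show a fresh process start time every few minutes while packets/sec stays well under the limit, the cause is more likely the sensor itself (or something killing it) than DC capacity, and the sensor log errors in step 4 are what to attach to the support case.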

This is how the report looks; the filename is TriSizingToolResults_<date>:

ATA Summary
Azure ATP Summary

As you can see above, I have 3 domain controllers that exceed 30k packets per second, and the tool recommended increasing the RAM size.

Below is a diagram of the requirements that need to be met:

The highlighted ones are the requirements that need to be met for my 3 domain controllers.

References:

  1. Planning your Microsoft Defender for Identity deployment | Microsoft Docs

Azure ATP: How to Remediate Enumeration activities or other attacks?

Hey everyone, good evening, and I hope you are having a nice day. Just another topic about Azure ATP, a.k.a. Microsoft Defender for Identity.

If you have come across this before, you already know what it is for. If you are new here, let’s have a brief explanation of what it is about. Azure ATP is basically a cloud service that uses on-premises sensors to identify, detect and monitor the activities and behaviours of the user objects on your domain controllers.

A newly deployed Azure ATP takes 48 to 72 hours to learn the behaviour of each account, depending on how many objects there are in your environment.

Anyway, I got a bit sidetracked there. The objective of this blog post is for when you encounter the 5 types of attack alerts from Azure ATP: reconnaissance, compromised credentials, lateral movement, domain dominance and exfiltration.

You may refer to this link to learn how to remediate the alerts and understand how to manage them.

Azure ATP: Are Admins’ Actions Recorded by Office 365 Audit?

Hey everyone, hope you guys are having a nice evening. Today’s blog post is about Azure ATP and Office 365 audit.

So the situation is like this:

Most Office 365 tenants have more than one global administrator. Whenever a global administrator wants to capture other administrators’ actions, they query those events from the Office 365 audit log. For Azure ATP, I notice it is not available in the Office 365 audit log, whereas Defender for Endpoint does exist in the audit log. In summary, you can’t audit actions taken in the Azure ATP portal.

Scenario: if a global administrator deletes an alert from Azure ATP, it remains deleted, and there is no recycle bin to restore the alert unless you recreate the same situation to trigger the detection again. This delete action is not recorded in the Office 365 audit log.

Office 365 audit
Azure ATP on deleted alerts

I do not see this as a show stopper; I am still testing other ways to get this working. Stay tuned…
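The finding above can be measured rather than assumed. The script below is an added example and not from the original post: it pulls a week of unified audit log records for one administrator and groups them by the workload that produced them, so the absence of a Defender for Identity workload, and the presence of any alert-related operations from other portals, is visible in one table. It assumes the ExchangeOnlineManagement module, an account holding the Audit Logs role, and uses admin@contoso.com as a placeholder for the administrator being checked.

```powershell
# Added example, not from the original post: which workloads does an admin's activity
# land in, in the Office 365 unified audit log?
# Assumptions: ExchangeOnlineManagement module; Audit Logs role; placeholder admin UPN.
Connect-IPPSSession

$Admin  = 'admin@contoso.com'
$Events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
                                 -UserIds $Admin -ResultSize 5000

# AuditData is a JSON string; its Workload field names the service that wrote the record.
$Parsed = $Events | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time       = $_.CreationDate
        RecordType = $_.RecordType
        Workload   = $d.Workload
        Operation  = $_.Operations
    }
}

# 1. One row per workload. If the Defender for Identity portal is not represented here,
#    actions taken there (such as deleting an alert) cannot be reconstructed from this log.
$Parsed | Group-Object Workload | Sort-Object Count -Descending |
    Select-Object @{ n = 'Workload'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

# 2. Alert-related operations that did get recorded, to compare with what was done in
#    each portal during the same week.
$Parsed | Where-Object { $_.Operation -match 'alert' } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

Search-UnifiedAuditLog returns at most 5000 records per call; for a busy administrator narrow the date range or page with -SessionId and -SessionCommand ReturnLargeSet.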

References:

  1. https://docs.microsoft.com/en-us/defender-for-identity/working-with-suspicious-activities
  2. Search the audit log in the Security & Compliance Center – Microsoft 365 Compliance | Microsoft Docs
  3. DefenderATP Audit logs – Microsoft Tech Community

Azure ATP: What is the Retention Period of Reports?

Hey hey everyone, good morning; it is Saturday here in Malaysia. Hope you guys are doing well. This week’s blog post is about Microsoft Defender for Identity again, a.k.a. Azure ATP. Use whichever term suits your understanding.

I think it is very reasonable to want to know the retention period of Azure ATP’s reports. Why? Because of auditors.

Upon researching articles on Microsoft’s site, there was no article about how long the reports are stored in Azure ATP. I do know that the retention of reports in other Microsoft security products is at most 30, 60 or 90 days.

Thus, I raised a case with Microsoft Support, and they answered that the retention period is 180 days. I asked whether they could locate any Microsoft article that states it, but there was none.

To locate Reports in Azure ATP, simply go to https://portal.atp.azure.com and select the 2nd icon on the left taskbar.

Microsoft Endpoint Manager ATP: Onboarding Methods For Windows 10

Hey fellow humans, how are you doing? With Covid-19 happening around us, I hope you are cautious about your health and the safety of yourself and others. I still cannot believe there are people who think this virus is a myth. It really hurts to see the cases in Malaysia increasing; yesterday it reached 4 thousand Covid-19 cases in a single day.

Anyway, let’s start this blog post with another ATP. If you are new to this technology, ATP stands for Advanced Threat Protection. My last post about ATP was on Azure ATP / Microsoft Endpoint Identity Defender ATP; do feel free to read it.

This blog post is about the methods for onboarding endpoints to Microsoft Endpoint Defender ATP. If you haven’t noticed, Microsoft has launched a new onboarding method that you can use for your lab environment or for customers.

If you are new to ATP, here are the steps to get to these methods:

  1. Sign up for an Office E3 trial license
  2. Set up the account
  3. Sign in to the Office 365 Admin center > Billing > select Purchase Services
  4. Under Purchase Services select the M365 E5 trial license
  5. Assign the M365 E5 license to your Office 365 account
  6. It takes anywhere from a few minutes to an hour for the ATP admin portal to be ready to use
  7. Head to the Microsoft Endpoint Manager Admin Center
  8. In the side bar you can see “Endpoint security” > Setup > Microsoft Defender ATP
  9. There you start the setup of Microsoft Defender ATP; it only takes 5 minutes. Yes, from this setup page you can also view the onboarding methods, but it is a one-time setup page, so the actual location of the onboarding options is the Microsoft Defender ATP admin portal.
  10. Enter the Microsoft Defender ATP admin portal; it will direct you to another portal where all the endpoint onboarding, offboarding, analytics, etc. are located
  11. In the side bar > select the Settings icon > Device Management > Onboarding

Onboarding methods

As you can see in the image above, these are the onboarding methods that you can use to onboard your endpoint devices:

  1. Local Script
    • Has a limitation: each script is good for 10 devices only. Meaning that once Script 1 has been used for 10 devices, to enroll the 11th device you need to re-download a new script package from the onboarding page.
    • If you are doing a quick lab, this is the best method for testing onboarding
  2. Group Policy
  3. Microsoft Endpoint Configuration Manager current branch and later
  4. System Center Configuration Manager 2021/2012 R2/1511/1602
  5. MDM/Microsoft Intune
  6. VDI onboarding scripts for non-persistent devices

Onboarding runs in the background on your endpoint, and which method you use depends on the licenses you purchase and on the environment type. Meaning if your environment has SCCM, you would use the SCCM onboarding method to enroll the devices in Microsoft Defender ATP.
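Whichever method you pick, the result should be verified on the endpoint itself, not only in the portal. The function below is an added example, not part of the original post or of Microsoft’s onboarding package: it reads the onboarding state the sensor writes to the registry, checks the Sense service, and pulls the most recent onboarding events from the sensor’s operational event log. It assumes it runs elevated on a Windows 10 endpoint and that the registry key, service name and event log name are the ones Microsoft documents for Defender for Endpoint; event ID 11 is logged when onboarding completes, 5 when the sensor cannot reach the service and 6 when no onboarding parameters were found.

```powershell
# Added example, not from the original post: confirm on a Windows 10 endpoint that
# Defender for Endpoint onboarding actually completed, whatever method was used.
# Assumptions: elevated; documented key/service/log names; event IDs 5, 6 and 11 as above.
function Test-MdeOnboarding {
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $status    = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue
    $sense     = Get-Service -Name Sense -ErrorAction SilentlyContinue

    # OnboardingState is 1 once the sensor has accepted the onboarding parameters.
    $state = if ($status) { [int]$status.OnboardingState } else { $null }

    $senseText = if ($sense) { "$($sense.Status) ($($sense.StartType))" } else { 'not installed' }

    # Most recent onboarding-related entries from the sensor's operational log:
    # 11 = onboarding completed, 5 = failed to connect, 6 = not onboarded / no parameters.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SENSE/Operational'; Id = 5, 6, 11 } `
                           -MaxEvents 5 -ErrorAction SilentlyContinue
    $eventText = ($events | ForEach-Object { "$($_.TimeCreated.ToString('s')) id=$($_.Id)" }) -join '; '

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        OnboardingState = $state
        SenseService    = $senseText
        Onboarded       = ($state -eq 1 -and $sense -and $sense.Status -eq 'Running')
        RecentEvents    = $eventText
    }
}

Test-MdeOnboarding | Format-List
```

For the local-script method this is the check to run on the 11th device: an OnboardingState of 0 or missing together with event ID 6 means the script package that was reused had already been consumed and a fresh one must be downloaded.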

Microsoft has made administrators’ work much easier for enrolling their devices in ATP services and integrating ATP with the other security features. I will write more about it in the next blog post. Have a nice weekend!

References:

  1. https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/onboard-configure
  2. Microsoft Defender for Endpoint – Windows security | Microsoft Docs
  3. https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints

Azure ATP: Azure ATP capabilities and mechanism

Hey everyone, hope you had a wonderful day. It is the start of a new year, 2021. I hope everyone stays healthy and keeps a safe distance from one another or avoids crowded places.

I know that this pandemic has tested us in many ways, physically and mentally. If you managed to get through the challenges of 2020, give yourself a pat on the back; you did well.

In this blog post I’m going to write about what Azure ATP is. Before I jump into the topic, I want to say that security is a journey. If you have read the recent news about attacks doubling or tripling in 2020, and the news about the SolarWinds attack, these are proof enough that hackers are given more chances to attack in this situation, because they know most businesses and corporates are still vulnerable or not up to par in securing their environment and providing security training to users. User mistakes that let attackers in are also a risk to the corporate, which is why user training is still important. Losing money/profit to attackers is twice as painful for a corporate as purchasing and implementing security technologies/products in the environment. Let’s take ransomware as an example. Due to this pandemic, I notice quite a number of corporates are now implementing the concept of “Zero-trust”. If you would like to know what “Zero-trust” is, do feel free to Google it.

Anyway, let’s start our topic. The term ATP has been around in the security industry for quite a while; if you are still not sure what it is, ATP stands for Advanced Threat Protection. It combines advanced intelligent technology with a set of algorithms to identify and investigate types of malicious behaviour, selects the appropriate action to quarantine or block the malicious actions before they do any harm to the environment, and provides detailed deep-dive reports to administrators.

Azure ATP has been known in Microsoft 365 for quite a while, and Microsoft has given it a different name, Microsoft Identity Defender. Its capabilities are to:

  1. Identify compromised accounts
  2. Investigate malicious activities of accounts
  3. Provide best-practice security actions to administrators on how to handle accounts that Azure ATP reports as suspicious or compromised
  4. Provide detailed visibility of authentication attacks
  5. Provide details of an attack’s source
  6. Report in real time, with signals sent back to the Microsoft Identity Defender portal

This is just a summary of what the entire structure looks like when implementing Azure ATP in an environment with domain controllers only.

The Azure ATP agent is only for on-premises servers such as domain controllers and ADFS, and the agent sends a signal back to Microsoft Identity Defender if it detects malicious activities or compromised accounts. I do recommend that you read more about the requirements for deploying Azure ATP before deploying it into your customer’s environment, as it has a medium-impact requirement.

References

  1. What is Microsoft Defender for Identity? | Microsoft Docs
  2. Microsoft Defender for Identity architecture | Microsoft Docs

aOSKL 2020: How secure is your endpoint protection?

Hey guys and girls, hope you are having a good day. I know it is Monday blues; I was in a blue mood this morning, not a good way to start the day. Anyway, Covid-19 is still on high alert in our area; it went from 600 to 800 people affected per day. Please don’t travel in a large group, and stay considerate of the people around you.

It is almost the end of 2020, and here is another event that I am going to speak at, virtually of course. This is my 3rd year speaking at the aOS community event. Every year is a new experience and a chance to meet new people.

At this year’s event I’m going to talk about Endpoint Protection. Do register if you are interested in this event.

Peace Out!

PowerShell: Unable to delete Stuck Data Leak Policy using “-ForceDeletion”

Hi guys and girls, hope you are all doing well, and remember to stay safe. I just checked the PowerShell command “Remove-DlpCompliancePolicy”; it seems that Microsoft has made some changes to it and removed the “-ForceDeletion” parameter from the “Remove-DlpCompliancePolicy” command.

Thanks and appreciation to the commenter who pinged me about this on one of my older blog posts: https://sabrinaksy.com/2019/01/04/office-365-security-and-compliance-data-leak-protection-dlp-azure-information-protection-aip-integration-unable-to-delete-dlp-policy/ .

Just to announce that if you would like to remove or delete a stuck DLP policy in Security and Compliance, you will have to raise a ticket with Microsoft and ask them to perform the force deletion on their backend. Other users have experienced this, and it was resolved through Microsoft Support.
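Before raising that ticket, it is worth confirming the parameter situation against the module version you actually have and capturing the policy’s distribution state, since that is what support will ask for. The script below is an added example and not from the original post. It assumes the ExchangeOnlineManagement module and uses “<Policy Name>” as a placeholder for the stuck policy.

```powershell
# Added example, not from the original post: confirm whether -ForceDeletion exists in
# your module version and record the stuck policy's distribution state for the ticket.
# Assumptions: ExchangeOnlineManagement module; '<Policy Name>' is a placeholder.
Connect-IPPSSession

function Test-ForceDeletionParameter {
    $cmd    = Get-Command -Name Remove-DlpCompliancePolicy
    $common = [System.Management.Automation.Cmdlet]::CommonParameters +
              [System.Management.Automation.Cmdlet]::OptionalCommonParameters
    [pscustomobject]@{
        Source           = $cmd.Source
        HasForceDeletion = $cmd.Parameters.ContainsKey('ForceDeletion')
        Parameters       = ($cmd.Parameters.Keys | Where-Object { $_ -notin $common }) -join ', '
    }
}
Test-ForceDeletionParameter | Format-List

# Distribution state of the stuck policy. -DistributionDetail populates DistributionResults
# with the per-workload status, which is the evidence to include in the support case.
$Policy = Get-DlpCompliancePolicy -Identity '<Policy Name>' -DistributionDetail
$Policy | Select-Object Name, Mode, DistributionStatus, WhenChanged,
                        @{ n = 'DistributionResults'; e = { $_.DistributionResults -join '; ' } } |
    Format-List

# Ordinary removal still works for healthy policies. A stuck policy errors out here,
# and that error text is what to paste into the ticket alongside the output above.
try   { Remove-DlpCompliancePolicy -Identity $Policy.Name -Confirm:$false -ErrorAction Stop }
catch { Write-Warning "Removal failed: $($_.Exception.Message)" }
```

Keep the output of the first two steps with the case; it shows the support engineer which module build you ran and that the deletion was attempted without the removed parameter.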


References

  1. https://docs.microsoft.com/en-us/powershell/module/exchange/remove-dlpcompliancepolicy?view=exchange-ps
  2. https://answers.microsoft.com/en-us/msoffice/forum/all/dlp-policy-stuck-on-deleting/6b7bc384-e330-4ca8-bfdd-f84101f814c8