What do you need to know about protecting documents in M365

Most of the time, when we talk about security in M365, we talk about how to encrypt files and how to grant permissions on them. But… did you know you can protect a document in SharePoint and OneDrive from being accidentally altered or overwritten? I can tell you it is a very useful feature when autosave is enabled in Excel or Word files.

But… What key points do you need to know?

  1. You can only protect individual documents, not a complete document library.
  2. You cannot protect OneNote documents, neither in the desktop app, nor online, nor in that half-baked OneNote for Windows 10.
  3. In the desktop apps you can protect Word, Excel and PowerPoint documents against overwriting.
    (You can also use other ways of protection, but that is out of scope for now)
  4. In the online apps you can only protect Word and Excel, but not PowerPoint.
  5. You can protect Word and Excel files in SharePoint and OneDrive.
  6. You can only send with “review-only” in Word, not in Excel, PowerPoint or OneNote (I hope that in the future this will change).
  7. You can only send with “review-only” when you share with “people you specify” or “people in your tenant with the link”.
  8. You can use “review-only” in Word in SharePoint and OneDrive.
  9. When you share the document from SharePoint with an external person who has no access to the site, they receive a code via mail as soon as they try to open the document.
  10. How does a Word document open, and which options do you have, when you share the document with or without protection, with or without “review-only”, and with people with various roles in your SharePoint site? See the table below. The first word is the option that the document opens with.

Disabling RDP access by PowerShell

When we have to do that, most of the time we change a registry key that enables or disables RDP connectivity on a Windows Server or desktop. But modifying the registry is not always convenient. For those out there who think there should be a much easier way, this post is for them.

You can enable RDP on a remote host by simply running the below two lines.

$tsobj = Get-WmiObject -Class Win32_TerminalServiceSetting -Namespace Root\CimV2\TerminalServices -ComputerName SERVER01
$tsobj.SetAllowTSConnections(1,1)

Or, if you want to disable it…

$tsobj = Get-WmiObject -Class Win32_TerminalServiceSetting -Namespace Root\CimV2\TerminalServices -ComputerName SERVER01
$tsobj.SetAllowTSConnections(0,0)

And what if you want to check whether it is currently enabled or disabled?

$tsobj = Get-WmiObject -Class Win32_TerminalServiceSetting -Namespace Root\CimV2\TerminalServices -ComputerName SERVER01
$tsobj.AllowTSConnections

If you are wondering what the two arguments of the SetAllowTSConnections method are, here is the answer:

  • The first one is AllowTSConnections (0 – disable, 1 – enable)
  • The second one is ModifyFirewallException (0 – don’t modify firewall rules, 1 – modify firewall rules)
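As an added example (not code from the original post), here is the same class driven through the CIM cmdlets, which replace Get-WmiObject in PowerShell 7: one function audits a list of hosts and reports whether RDP connections are allowed, the other disables RDP with the method and arguments described above and re-reads the setting to confirm the change. The hostnames are placeholders.

```powershell
# Audit RDP state on a list of hosts (CIM goes over WinRM rather than DCOM)
function Get-RdpStatus {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($computer in $ComputerName) {
        try {
            $ts = Get-CimInstance -ClassName Win32_TerminalServiceSetting `
                -Namespace 'root\CimV2\TerminalServices' `
                -ComputerName $computer -ErrorAction Stop
            [pscustomobject]@{
                ComputerName = $computer
                RdpEnabled   = [bool]$ts.AllowTSConnections   # 1 = allowed
                Error        = $null
            }
        }
        catch {
            # Unreachable host or no WinRM: report it instead of silently skipping
            [pscustomobject]@{
                ComputerName = $computer
                RdpEnabled   = $null
                Error        = $_.Exception.Message
            }
        }
    }
}

# Disable RDP on one host, check the method's return code (0 = success)
# and return the re-read AllowTSConnections value so the change is verified
function Disable-Rdp {
    param([Parameter(Mandatory)][string]$ComputerName)
    $ts = Get-CimInstance -ClassName Win32_TerminalServiceSetting `
        -Namespace 'root\CimV2\TerminalServices' -ComputerName $ComputerName
    # Same method and arguments as in the post: AllowTSConnections=0,
    # ModifyFirewallException=0 (leave the firewall rules untouched)
    $result = Invoke-CimMethod -InputObject $ts -MethodName SetAllowTSConnections `
        -Arguments @{ AllowTSConnections = [uint32]0; ModifyFirewallException = [uint32]0 }
    if ($result.ReturnValue -ne 0) {
        throw "SetAllowTSConnections failed with code $($result.ReturnValue)"
    }
    (Get-RdpStatus -ComputerName $ComputerName).RdpEnabled
}

# Placeholder hostnames: list the hosts that currently allow RDP
Get-RdpStatus -ComputerName 'SERVER01', 'SERVER02' |
    Where-Object { $_.RdpEnabled -eq $true } | Format-Table
```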

Till next time!

Enabling Microsoft Whiteboard

Have you ever used Whiteboard? If not, it is a useful application where users can create a canvas to share ideas and content; Whiteboard can also be used to collaborate with your team whether you are in the same place or in multiple locations.

But the main problem is that, to be able to store and retrieve canvases or share them with other people, you’ll need to sign in with Office 365 credentials.

In my case, I was receiving the following message: “Your admin has disabled sign in for Whiteboard”

But the fix is pretty simple… Simply go to the Office 365 admin portal, navigate to Settings and then to “Services & add-ins”, where you will see the new Whiteboard option. You will see that it is set to Off, so slide it over to On and press Save:

The effect is immediate, and you’ll then be able to log in straight away and start working on whiteboards together!

This is an all-or-nothing approach, and at this point there are no administrative controls to enable or disable it per user, so you will need to be wary of content being stored in yet another location.

What is the app@sharepoint account?

If you’re digging into Cloud App logs, Sentinel or even Log Analytics logs, you’ll probably notice some activities performed by an account named “app@sharepoint”.

Coming from the world of SharePoint on-prem, my first reaction was… what is this? But then I got curious about that account and started to dig in for some more detail. You can follow the same steps as I did:

First, in your log analytics query, type the following:

So… what can we extract from this information? That app@sharepoint is an account used as a service principal for SharePoint operations (and yes, for Teams and OneDrive as well).

Now we have solved a little mystery, and you can go on and whitelist the account if you think it’s necessary to reduce the noise in your logs.

Till next time!

Start and Stop Azure VM’s in Parallel

During a project I had to start and stop about 100 VMs. With the runbook in serial mode, it took about 2 hours to execute, so… the only way to do it fast was to program the runbook to run in parallel. How can it be done? Easy!
# List the VMs tagged "OpeningHours" = "7 to 19" and start them in parallel
$vms = Get-AzVM | Where-Object { $_.Tags["OpeningHours"] -eq "7 to 19" }
$jobs = @()
foreach ($vm in $vms) {
    # -AsJob runs each start as a background job that inherits the Az context,
    # so the VM name and resource group do not need to be passed into a scriptblock
    $jobs += Start-AzVM -Name $vm.Name -ResourceGroupName $vm.ResourceGroupName -AsJob
}
# Wait for it all to complete
Wait-Job -Job $jobs

That’s all; you can replace Start-AzVM with Stop-AzVM -Force and you will be done.
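As an added example (not the original runbook), this generalises the idea to a runbook body that starts or stops every VM carrying a given tag in parallel, then collects each job's result so a VM that failed to start or stop is not silently lost. The -Action, -TagName and -TagValue parameters are this example's own choices.

```powershell
param(
    [ValidateSet('Start', 'Stop')]
    [string]$Action   = 'Start',
    [string]$TagName  = 'OpeningHours',
    [string]$TagValue = '7 to 19'
)

# Select the VMs by tag; tag values are plain strings, so compare with -eq
$vms = Get-AzVM | Where-Object { $_.Tags[$TagName] -eq $TagValue }
if (-not $vms) {
    Write-Output "No VMs tagged $TagName=$TagValue"
    return
}

# -AsJob hands each operation to a background job that already carries the
# Az context, so nothing has to re-authenticate inside the job
$jobs = foreach ($vm in $vms) {
    if ($Action -eq 'Start') {
        Start-AzVM -Name $vm.Name -ResourceGroupName $vm.ResourceGroupName -AsJob
    } else {
        Stop-AzVM -Name $vm.Name -ResourceGroupName $vm.ResourceGroupName -Force -AsJob
    }
}

$null = Wait-Job -Job $jobs

# Receive each job's output and error stream and report per VM
$failed = 0
foreach ($job in $jobs) {
    $out = Receive-Job -Job $job -ErrorAction SilentlyContinue -ErrorVariable jobErr
    if ($job.State -ne 'Completed' -or $jobErr) {
        $failed++
        Write-Warning "$($job.Name): state $($job.State) $($jobErr | Out-String)"
    } else {
        Write-Output "$($job.Name): $($out.Status)"
    }
}
Remove-Job -Job $jobs

# Fail the runbook run if any VM operation did not succeed
if ($failed -gt 0) { throw "$failed VM operation(s) failed" }
```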

Enabling zero trust security in your environment

Zero Trust is a principle that is coming to every business. Why? Because it helps secure corporate resources by eliminating unknown and unmanaged devices and limiting lateral movement.

So… when we try to implement a Zero Trust model, we will be touching all components (user identity, device, network, and applications) so that each one is validated and, more importantly, trustworthy.

But what are the main components to be aware of? Let’s go into a bit more detail on that list:

  1. Identity – Identity is the best starting point for Zero Trust. I’m a big fan of AAD identity, and Conditional Access and PIM are a great way to start.
  2. Implement conditional access controls – we can stop compromised identity credentials from accessing corporate resources and, more importantly, prevent lateral movement in the network.
  3. Strengthen credentials – weak passwords undermine the security of your identity system, so be aware of that and use MFA.
  4. Integrate intelligence and behavior analytics – having tools to automate tasks and detect suspicious behaviours is great! Keep an eye on ATP, WDATP, MCAS…
  5. Reduce your attack surface – nothing to explain here 🙂
  6. Increase security awareness – use a Security Information and Event Management (SIEM) system to aggregate and correlate the data to better detect suspicious activities and patterns.
  7. Enable end-user self-help – users are the core of the business; we cannot enable security tools without thinking of them.
  8. Don’t overpromise – Zero Trust is not a single ‘big bang’ initiative, so keep that in mind.
  9. Show value along the way – one of the most effective ways to build long-term support for a Zero Trust initiative is to demonstrate incremental value with each investment.

As you can see, a Zero Trust model is not easy to achieve, but it’s a key element of any long-term modernization objective for the digital enterprise. If you want to assess your environment yourself, keep an eye on the following tool: Take the Zero Trust Assessment (microsoft.com)

What is Azure Data Box?

Azure Data Box is a cloud solution that lets you send terabytes of data into Azure in a quick, inexpensive, and reliable way.

Microsoft secures the data in transit by shipping you a proprietary Data Box storage device. Each storage device has a maximum usable storage capacity of 80 TB and is transported to your datacenter through a regional carrier. The main features of the service are:

  1. Data is protected and secure during transit.
  2. Provides a simple, secure, SSD disk-based offering for offline data transfer to Azure or from Azure to on-prem.
  3. Transport as much as 40 TB of data into Azure by connecting the disks to a computer via USB or SATA.
  4. Cost: 100€ + shipping both ways + egress charges if exporting from Azure.
  5. 7-10 days processing time from the device receipt date.
  6. Data on the device is secured with AES 256-bit encryption at all times.
  7. The device can only be unlocked with a password provided in the Azure portal.
  8. Last but not least, once your data is uploaded to Azure, the disks on the device are wiped clean in accordance with the NIST 800-88r1 standard.

Ok, that’s cool, but… what are the use cases?

Data Box is ideally suited to transferring data sizes larger than 40 TB. The data movement can be one-time, periodic, or an initial bulk data transfer followed by periodic transfers. So… possible scenarios are:

  1. One-time migration – when a large amount of on-premises data is moved to Azure: moving a media library from offline tapes into Azure to create an online media library; migrating your VM farm, SQL Server, and applications to Azure; moving historical data to Azure for in-depth analysis and reporting using HDInsight.
  2. Initial bulk transfer – when an initial bulk transfer is done using Data Box (seed), followed by incremental transfers over the network. For example, backup solution partners such as Commvault use Data Box to move the initial large historical backup to Azure. Once complete, the incremental data is transferred to Azure storage over the network.
  3. Bulk export – when using online backup solutions for O365 and you want to transfer the data back to on-prem. Imagine going from O365 to Azure: you can back up the data to Azure and then ship it to your datacenter.
  4. Periodic uploads – when a large amount of data is generated periodically and needs to be moved to Azure. For example in energy exploration, where video content is generated on oil rigs and windmill farms.

So… as you can see, Data Box is designed to move large amounts of data to Azure with little to no impact on the network.

Are you planning to take a Microsoft exam? Get a FREE voucher from Ignite!

You know that getting free training and a free voucher is currently a bit complicated, but… you should know that all participants of Microsoft Ignite 2020 who complete at least one collection in the Microsoft Ignite Cloud Skills Challenge are eligible for a free certification exam. There are up to six different challenges to complete on Microsoft Learn.

Once you have registered to attend Ignite, you can access that information at Microsoft Ignite | Cloud Skills Challenge

Almost all of the currently generally available exams are included, but you can check the full list of eligible exams.

Don’t miss the chance to get certified!