Office 365 and new Conditional Access policies

Good news from Microsoft! Now we have a new feature that has been requested by many of my customers, which is to control access to portal.office.com.

o365preview

You probably now that office portal is controlled by Conditional Access, but acessing to the portal itself you can gain a lot of information from this portal itself…

With this new feature, we can target multiple apps at once. Another major benefit is that when Microsoft adds another app to the Office 365 suite, it is automatically controlled by Conditional Access which is unfortunately currently not the case.

Currently the following Office 365 applications are included in the Office 365 (preview) client;

  • Microsoft Exchange Online Protection
  • Microsoft Flow
  • Microsoft Forms
  • Microsoft Office 365 Portal (including admin.microsoft.com)
  • Microsoft Teams
  • Microsoft Teams Services
  • Microsoft To-Do WebApp
  • Office 365 Exchange Online
  • Office 365 Search Service
  • Office 365 SharePoint Online
  • Office 365 Yammer
  • Office Delve
  • Office Hive
  • Office Online
  • OneDrive
  • OneNote
  • PowerApps
  • Skype for Business Online
  • Sway
  • Workplace Analytics

So, the advantages that we can find are:

  • Less Conditional Access rules needed to control access Office 365 services.
  • New Office 365 services are automatically controlled by Conditional Access
  • Portal access controlled: A scenario to test this could be to only allow access to the Office 365 apps from compliant devices. We will see that access to the Office Portal, where a lot of meta data is show is not allowed anymore from a non-managed or non-complaint device.
  • But also adding an Office 365 account an Office 365 ProPlus installation on a non-managed device can be blocked.

It’s great!!

Requirements for setting up self service password reset

One of the important steps of modern workplace is try to achieve great user experience, one of them is the give the ability to users to do self-service password reset, which is one of the most common support issues that SCS have.

As part of Azure AD you have the ability to setup Self-Service Password Reset as long as you possess one of the following licenses:

  • Azure AD Premium P1
  • Azure AD Premium P2
  • Enterprise Mobility + Security E3 or A3
  • Enterprise Mobility + Security E5 or A5
  • Microsoft 365 E3 or A3
  • Microsoft 365 E5 or A5
  • Microsoft 365 F1
  • Microsoft 365 Business

In theory, you only need 1 premium license to activate the service, but take into account that this is something legal from Microsoft perspective, so my recommendation is to license all users that will use this feature.

Other questions that I heard from some customers, is because they are concerned about security with this feature, but I can assure you that this is quite safe. All the operations run trough Azure AD Connect and cannot be initiated directly.

Regarding, sync method, it doesn’t matter which type are you using it works with all of them. Continuing with necessary requirements, your OnPrem users must have populated the following attributes

  • Telephonenumber
  • OfficePhone
  • Mobile
  • mobile phone

And in case you have created an account for ADConnect with limited permissions (which is a best practice), this user will need the following additional permissions in AD:

  • Reset password
  • change password
  • Write permissions on lockoutTime
  • Write permissions on pwdLastSet

You will need to tweak some parameters in AzureAD as well regarding password writeback… So have a user with ability to set parameters in AzureAD

And finally, if you want to use this feature from Windows 10 login-screen, you will need the following enabled:

but for to do this, you will need to tweak some Registry parameters or using OMA-Uri policy in Intune…

That’s all for today!

All users in the local Active Directory should have the following attributes populated. This can either be sourced from attributes in Active Directory that are synced out or if users have already enabled MFA on the users in Azure AD.
If MFA is not enabled that ensure that users have the following attributes added.

telephoneNumber Office phone
mobile Mobile phone

And if you have created your Azure AD connect service account with limited access you need to ensure that the service account has the following access to your local Active Directory to ensure it can change passwords.

  • Reset password
  • Change password
  • Write permissions on lockoutTime
  • Write permissions on pwdLastSet

Once it is enabled you can see the feature will be reporting as available in the Azure AD Portal.
Here you can also define if users are allowed to reset their passwords without changing their passwords as well.

3

Under Properties you also define which user groups which are allowed to change their passwords.
You should only have a Azure AD Group enabled which contains users that are licensed to reset their passwords in case not all users have the correct licenses.

2

Also under registration you need to to define what kind of methods that need to be configured in order for the password reset option to be used for an end-users. If we have this enabled,

5

Password reset from Windows 10

This feature can also be used directly from Windows 10 login-screen. In order to have this feature enabled you need to have the following enabled.

This can be done either using OMA-URI with Intune or using Registry with Group Policy. The following OMA-URI settings needs to be configured in order to the option to be available for the end-users.

OMA-URI

  • OMA-URI set to ./Vendor/MSFT/Policy/Config/Authentication/AllowAadPasswordReset
  • Data type set to Integer
  • Value set to 1

Registry

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AzureADAccount
  • "AllowPasswordReset"=dword:00000001

After this has been configured you can see the following option appear from the login screen.
NOTE: This option will show regardless if the user has an assigned license or not or if the service has been configured.

6

It is important that this feature does not work for networks with 802.1x network authentication deployed and the option “Perform immediately before user logon”. For networks with 802.1x network authentication deployed it is recommended to use machine authentication to enable this feature.

If your Windows 10 machines are behind a proxy server or firewall, HTTPS traffic (443) to passwordreset.microsoftonline.com and ajax.aspnetcdn.com should be allowed.

ASC or Sentinel? Both!

Azure is adding new features day by day, so the change rate is being so fast, and one of them is Azure Sentinel. Many people confuse Sentinel with ASC, at first glance both products look quite similar, both secure Azure subscription and both must be included in a cybersecurity perspective.

Meanwhile ASC collects and detect data in Azure, Sentinel adds to these functionalities Investigate and Respond

ASCvsSentinel

ASC gives recommendations regarding Azure security to:

  • Get Secure faster & Strength your security posture
  • Protect against threats

While Sentinel, which is considered a SIEM, delivers intelligent security analytics and threat intelligence across Azure (including AAD)

  • Collect al type of data (users, devices, applications, etc…), you can ingest a lot of information, even from external systems like AWS (workbooks are supergreat!)
  • detect previously undetected threats and minimize false positive
  • Investigate threats with artificial intelligence and hunt those threats
  • respond to incidents rapidly

ASCSentinel

In conclusion, both products works better together, so if have some word regarding your enterprise security, give a try to sentinel and ASC.

Brief introduction to ATP

I’m sure that most of the people have been listening the word ATP, but what it is? In this blog post, I will try to introduce it…

But first things first, what is ATP? is a new cloud-based solution from Microsoft to provide advanced threat detection. So being said that, let’s begin with the explanation:

Working in IT, we know that attacks are becoming more and more complicated, therefore to achieve good security, three things security professionals need to do:

  • Understand how advance attacks work on-premises and on the cloud (tools, techniques…)
  • Once the attack happened successfully, how the attacker start moving inside the network, and whether the attack propagates from on-premises to cloud resources (what is known as Lateral Movement)
  • Build a security model or strategy to address those advance attacks.

To protect ourselves from those kind of attacks, Microsoft responded with their new Advance Threat Protection Security Model consisting of Office 365 ATP, Azure ATP and Windows Defender ATP.

  • Office 365 ATP (let’s thinks as a 1st line of protection): Zero-day attack and malware inspection received via email or uploaded to SharePoint online using Safe Attachment and Safe Links features.
  • Windows ATP (2nd line of protection): device level protection on machines to detected advanced persistent malware, and provide post breach investigation and automated responses.
  • Azure ATP (3rd line of protection): Allows IT Admins to monitor attackers who are inside a network (not malware), what they are doing/what they did and actions to take.

The problem (for most companies) is that all those features are licensed under E5 suite (or M365) and they work together to protect your enterprise. These products provide defense in depth mechanism as per the following:

  • Since most malware attacks come from email, then Office 365 ATP can be considered the first line of support.
  • If Office 365 ATP fails to identify the malware, then the device endpoint Windows Defender ATP will try to catch the malware by identifying unusual right elevation or strange behavior on the machine.
  • If identity theft was successful, then you can monitor how the attacker is using that identity to move from machine to another, through Azure ATP. That is, after successful credential theft, what activities the attacker is performing using that stolen identity

That’s all, till next post!

The Path Length Limit of 400 chars in SPO

Have you ever had problems with SPO path lengths? This post probably will help you to determine and solve that problems

First of all, let’s check how the path length is calculated, the first difference here is the following, path Length is not the same as the URL length. It is the relative Url.

Calculations rules

  • Only the server relative url part is counted. The “https://tenantname.sharepoint.com” has no impact on that. It starts from the foward slash: “/sites” or /teams
  • An encoded value like blankspace (%20) is treated as one character, not three.
  • A unicode character, and an emoji is treated as one character.
  • Url Parameters, like “?Web=1” are not calculated.
  • The site url and the document library url is taken into account
  • All slashes are included
  • A file extension is also included, and even the dot, e.g. “.docx”
  • A site url and a group name can only be 64 characters max.
  • The path in the “Copy Link” is much shorter than the “real” path

So if you’re having problems with long URLs (I had in the past with a user which has a lot of nested folders), take into account those points and I’m sure that you will led the way to solve that problem.

My O365 account has been compromised. Now what?

Nowadays, one of the most common security support requests from our customers (and increasing) is for assistance with remediating an account compromise. The most common scenario is that a member of their organization became the victim of a phishing scam and the attacker obtained the password for their account.

If your Office 365 subscription has been compromised, your accounts may be blocked to defend you and your contacts. Take into account that sometimes, hackers may have added back-door entries to your account which empowers attacker to regain control of your account even after you have recovered it. In order to protect the account, you must complete the following instructions.

These steps allow you to get rid of any back-door entries added to your account:

First of all, Block user sign-in

    • Go to Office365 Admin Center – https://admin.microsoft.com/
    • Expand “Users” and press “Active users”
    • Select user that you need and block sing-in
    • Confirm blocking
    • Press “Save Changes”

Check O365 environment

EXO Message Flow

      • Check the message flow to identify suspicious emails that might have been sent on behalf of the user. Go to Exchange Online Admin Panel – https://outlook.office365.com/ecp
      • Click “Message flow”, then select “Message Trace” tab.
      • Select user by pressing “add sender” and press “search”
      • Сheck all outgoing messages for suspicious emails.
      • Also check tabs “rules” and “connectors” for any strange data

Check Physical Devices

  • Check all user’s workstations, laptops and mobile devices.
    • Install AV software, for example https://malwarebytes.com/ or any other
    • Run full scan and check results.
    • Install all Windows updates.

Determine the source

    • Ask the user about any recently lost devices.
    • Ask the user about any suspicious situations and actions, like download and open strange attachments, software installation, visited web-sites and others
    • Ask the user about any public Wi-Fi networks he used.

Eliminate the source of infection, if found

Reset user password and unlock account

I know that probably you have pass over this situation, but maybe for other people will help to take immediate actions to recover from an Office 365 compromise.

Recommendations to secure your Office 365 tenant – Part 2

Last week I post a little talk about security, so my idea is to continue it. Regarding security in business, we can acquire Microsoft 365 (M365), which is super cool in terms of security. It includes all the best from Office 365 but also includes features available only as add-ons for Office package, plus, of course, Windows Defender and EMS.

Office message encryption

Encryption can easily make your corporate communication a lot safer, for me, this feature is cool, It makes it possible to:

  • Send encrypted emails to anyone inside your organization or outside
  • To any email address, including Office 365, Microsoft accounts (like Hotmail or Outlook.com), etc…
    • receive encrypted messages and open them from any app on any device
    • be sure that recipients won’t be able to forward this email to others, as encrypted emails are sent with a “Do Not Forward” setting.

 

Anti-phishing protection (ATP)

M365 Business includes Office 365 Advanced Threat Protection (ATP), where specialized code unmasks phishing attacks trying to penetrate the organization via corporate e-mail.

Often such attacks are impersonation based. You can easily set it right by choosing among various policy options to better identify and prevent phishing and spoofing attempts.

ATP safe attachments and safe links

ATP safe attachments tool opens every attached file in a virtual environment before releasing it to the user. The possible outcomes are:

  • safe attachment will be open right away after scanning;
  • attachment containing malicious content will be removed and a warning message will be displayed.

Exchange Online Archiving

Organizations often need to keep their business correspondence for litigation, compliance or other purposes. Online Archiving can complete the task of backing up emails.

  • an archive mailbox is created within the user’s primary mailbox
  • users may use both their archives and primary mailboxes
  • deleted items or even a deleted mailbox can be recovered
  • Able to set retention tags, which specifies how long the message is kept and the action taken when retention time expires
  • if retention tag is not applied, default retention tag will be applied to the file.

Azure Information protection

It offers capabilities for detecting, classifying and labelling files. Once applied label makes them confidential, general or any other to your choice. AIP can classify and label your data:

  • at rest
  • in use
  • in motion

And wherever it may reside:

  • Microsoft’s Cloud
  • SaaS apps
  • non-Microsoft Clouds
  • your own data center in on-premises file servers (needs the AIP P2 license)
  • other platforms such as Apple/Mac
  • non-Microsoft file types (e.g. PDFs in Adobe Reader).

This is pretty cool. It means that your data is protected no matter which service it actually ends up in, because all these services recognize the labels, so protections, implied by labels, are always going to be respected.

Intune

Allows to manage and control both Microsoft and non-Microsoft devices.

Data loss prevention

Data loss prevention (DLP) is a specific policy which may assist you in detecting personal sensitive data stored in various locations, like SharePoint or OneDrive etc., and prevent your users from inadvertently sharing it.

Windows Defender

Windows Defender in M365 is protecting end points running Windows in your organization. Similar to O365 and Azure AD, Windows Defender has its own Advanced Threat Protection and these three ATPs actually collaborate

As you can see, M365 offers many more advanced security features that will turn threat protection into something that meet all your security requirements.

Till next time folks!

Recommendations to secure your Office 365 tenant

As is well known, online security is given attention to a lot lately with high-profile hacks and cyber-attacks all over the world. Unfortunately, small and medium sized businesses are often becoming targets of cyber-criminals too, due to low investment in security…

So with this post, I will try to outcome some solutions to help small and medium size business to mitigate those problems. Here we go!

Training users

The biggest threat by far in companies, are the users… the best thing that we can do is train them, so my two cents are:

  • build a culture of security awareness informing users about most common threats
  • follow the ultimate rule “Think before click”
  • make absolutely certain that you’re on the website you think you’re on,

Check out Secure Score

Secure score gives a lot of information in security posture. Every company and organization has his own indicators in terms of security. Also we can find possible threats and recommendations to improve the security and get a better score. So don’t underestimate it!

The use of MFA

Two-step authentication is one of the simplest methods to protect an account, because even if hackers get a password, we will have a second factor to protect the account.

Check out your admin accounts

Identity is a weak point in security, so users with privilege presents a valuable target for hackers, so follow the next points:

  • MFA use is a must
  • use only for administrative functions (not regular users)

Protect against spam and malware

Office 365 already has built-in malware and spam filters, but you can increase your protection regarding that by the following:

  • set anti-malware policy that will block attachments most often used by hackers.
  • fine tune your Exchange Online or EOP

Protect against ransomware

Ransomware is the main problem nowadays, your files are being encrypted and the hackers demand money to restore the access. It is better to prevent rather than deal the consequences. So the main point here are:

  • educate users (remember first point)
  • create back-up copies of your files (Azure backup is great!)
  • create mail flow rules to block some attachment types

Disable mail auto forwarding

Sometimes when hackers gain access to credentials, they create auto-forwarding rules, that it may present in data leakage or even data loss. We can prevent this behaviour creating a transport rule blocking any auto-forward message types is among the simplest and handy ways to do it.

Enable mailbox auditing

The information pointing out who was logging in, sending e-mails or performing other mailbox activities may turn out to be very useful for identifying suspicious behavior and possibly showing that account was compromised.

I know that I am not covering all the points, but following this, I’m sure that your organization would be a bit more secure 😉

Using Azure Ad Connect Sync Security Groups

During setup, Azure AD Connect automatically creates Azure AD Connect Sync Security Groups. A Microsoft 365 Enterprise Administrator can use these groups to delegate control in Azure AD Connect to other users. You can also use these groups to assign a user temporary permission to run a manual synchronization or to use Azure AD Connect to troubleshoot directory synchronization issues.

Group Name Description
ADSyncAdmins Administrators Group: Members of this group have Full Access to do anything in the Azure AD Connect Sync Service Manager.
ADSyncOperators Operators Group: Members of this group have access to the operations of the Azure AD Connect Sync Service Manager, including:

  • Execution of Management Agents
  • View of Synchronization Statistics for each run
  • Ability to save the Run History (Operations Tab) to a file

Members of this group must be a member of the ADSyncBrowse Group.

ADSyncBrowse Browse Group: Members of this group have permission to gather information about a user’s lineage when resetting passwords.
ADSyncPasswordSet Password Reset Group: Members of this group have permission to perform all operations by using the password management interface.

Members of this group must be a member of the ADSyncBrowse Group.

The groups are created as local groups on domain-joined servers, or as Active Directory domain groups when you install Azure AD Connect on a domain controller