Stephen Hackers – Exam PASSED – Managing Microsoft Teams MS700
#Teams #MSTeams #Exam #AlwaysBeLearning #MS365
MS365 – Azure AD – Dynamic Groups and Expiration Settings
Maintain groups in Azure AD with dynamic groups and set expiration settings.
Example scenario : Controlling remote access to sub contractors working on a short term project. The project owner should remove all access for sub contractors after the project completes
How to guide :
If we combine Dynamic Groups and Expiration settings, we can automatically populate groups and then invoke regular check to maintain groups are still required. Group owners will be reminded regularly to verify groups are required. Owners will have a better understanding of who has access and this help assist with your security policies.
Dynamic Group Example
Steps: Azure Active Directory > New Group > Type : Office 365 > Name, Description, Dynamic User > Owner > Dynamic user Members
Group Name : Sub Contractors – Set the value for department equals “Sub Contractor”
Dynamic User Members – Add Experssion
(user.department -eq “Sub Contractor”)
Configure Group lifetime / Expiration Settings
Steps: Azure Active Directory > Groups > Expiration > Days > No Owner email > Selected > Group > Save
“Renewal notifications are emailed to group owners 30 days, 15 days, and one day prior to group expiration. Group owners must have Exchange licenses to receive notification emails. If a group is not renewed, it is deleted along with its associated content from sources such as Outlook, SharePoint, Teams, and PowerBI.” Info from the portal Expiration settings.
Office 365 Security and Compliance – Alert When A Specific File Is Accessed
When a very important file stored in OneDrive needs to be monitored. This is how to create an alert on file activity. We specifically want to monitor and alert on any activity done to the specific file by any user.
This example file is called HR.doc and is stored in OneDrive.
This is how we created an alert policy for file activity of the file “HR.doc”.
Open Office 365 Security & Compliance
https://protection.office.com/alertpolicies
Alerts > Alert Policies > New Policy
Options selected
- Status – Enabled
- Severity – Medium
- Category – Information Governance
- Conditions – Activity is File Activity and File name is HR.doc
- Scope – All Users
- Email Recipients – email address
- Limit the number of notifications – optional. 5 in this example
Test the alert by trying to modify or access the file.
Result
Alert email notification as shown below.
This logs an alert which then should be reviewed and investigated
Action the Alert
Content Search – Security And Compliance – Search A Mailbox For Specific Content And Then Export Results
If you’re doing some compliance investigation work, you may need to search a user’s mailbox for specific words.
This is how To Search Email Content in Office 365 Security & Compliance for a specific user which sent email containing a specific word then export results.
Reference guides – Content search
Microsoft Docs Content Search
Microsoft Docs Export Search
Content Search : How to search a mailbox for specific keywords and export the data
Mircosoft 365 Admin Center -> Compliance Admin Center
Content Search > + New Search
New Search > Keywords “Blog” example > Specific Locations > Modify > Choose Users, Groups or Teams
Enter users name > Select > Choose
Done > Save > Save & Run > Save Search
This search will trigger a default alert email to be sent out
Next step, Export the results
Unable to preview results problem or export?
If you cannot preview, you need to add a role to the user account, eDiscovery Administrator role (Example) or eDiscovery Manager for specific cases / Compliance Admin / Compliance Data Administrator
You must sign out and sign in for the groups to take effect.
Now back to the search
After the you can see the preview, now you can click Export
Click Export > ReportsOnly or Export > Copy to clipboard export key > Download report > Install eDiscovery Export Tool
Export tool installs
Use the Export Key and Set a directory.
File Downloads
Now you can open the report exported
MS 365 Compliance Admin Portal Error – Status code: 503
Issue : Trying to connect to Compliance Admin Portal to Run a content search. Error – Status Code : 503
“The operation could not be completed. Please try again later. If the problem persists, contact Microsoft support.”
https://compliance.microsoft.com/homepage
Error – Status Code : 503
Error
The operation could not be completed. Please try again later. If the problem persists, contact Microsoft support.
Show details
Request: /api/contextinfo/
Status code: 503
Diagnostic information: **{Version:17.00.4803.004,Environment:WEUPROD,DeploymentId:ee****************e9d84,InstanceId:WebRole_IN_3,SID:ea*********81c9,CID:5b8***416}
Time: Tue, 09 Jun 2020 09:47:27 GMT
Trouble loading the page
REFRESH. Tried once. Same. Waited a few mins. Connected
Searches crashing.. Tuesday problems
Request: /api/ComplianceSearch?id=Blog+Mail+Search
Status code: 503
Diagnostic information: **{Version:17.00.4803.004,Environment:WEUPROD,DeploymentId:ee608**********84,InstanceId:WebRole_IN_3,SID:eaf****1c9,CID:433***0}
Time: Tue, 09 Jun 2020 10:28:55 GMT
Finally Ran a Content Search and another page loading error
Content search
Show in navigation
Sorry, we’re having trouble loading the page. Try refreshing the page later. (page: /Ediscovery/ContentSearch/Management)
Refreshed… Paused… Refreshed 5mins later…
Reason : Check Service Health
Service Incident “Users may also encounter similar issues when attempting to access the Security & Compliance Center.”
Solution : Intermittent Refresh Screen / Wait for Microsoft to Resolve Service Issues
MS-101: Microsoft 365 Mobility and Security – EXAM PASSED!!!
MS-101: Microsoft 365 Mobility and Security
EXAM PASSED!!!
#MS365 #Security #365Security #CertifiedProfessional #CloudSecurity #CloudFamily #CyberSecurity #Microsoft365 #MicrosoftCloud #Microsoft #alwaysbelearning #MS101 #EXAM #PASSED
Microsoft 365 – Audit Log Search – UserLoginFailed
M365 Admin Portal > “Security & Compliance” > “Search”>”Audit log search” Learn more about searching the audit log
https://protection.office.com/unifiedauditlog
Audit log search, a great place to start regularly checking for unauthorised User Login Failed attempts. This example shows multiple attempts to login from various locations. None physically possible from this user based in the UK. We suspect there has been a breach where this email address / user name was previously registered. Thankfully, this is now only an Alias used these days on a domain we imported into the tenancy. In addition, we have features like MFA, and failed login attempt setting configured on all users.
There are no more than two attempts tried at each IP address logged. So we have avoided a user account being compromised by using a mix of, basic security login attempt policies, MFA enabled and an Alias.
Where can we see Failed login attempts
Audit Log Search
Audit Log Search > Set Activities / Dates > Search
Next apply a filter
Click >Filter Results> “Activity” = “UserLoginFailed”
After identifying the IP – Next Step, check the IPs out. https://whois.domaintools.com
A quick check on the details confirm it was not possible for one of our live users to be in the locations at the time of the failed logins and the IP addresses also weren’t blacklisted.
“78.140.7.9” – Russia
“203.147.83.159” – New Caledonia
“119.160.136.138” – Brunei
One attempt maybe just a one-off end user error, but multiple attempts and various locations something has been compromised. I would certainly suggest a quick change of password and recreate and App Passwords in use.
Check if the accounts have been pwned. A quick check to see if the account has be pwned https://haveibeenpwned.com/
In this case the account has previously had information “email address” & “Password” compromised.
Now going back to the IP address’s
This example located in Australia. Not blacklisted.
So what are the next options suggestions?
- Conditional Access
- Disable Basic Authentication
We could look at Conditional Access and block locations. However, that doesn’t block basic authentication (from my research, maybe wrong info).
So to help block any brute force basic authentication attempts, we could disable basic authentication, but is there any challenges? So before a blanket disable basic auth, legacy applications would need to be upgraded before disabling basic authentication. Note “Blocking Basic authentication will block app passwords in Exchange Online. For more information about app passwords, see Create an app password for Office 365.”.
Outlook Credentials Flashing and Closing Constantly
Challenge : Outlook would connect to one MS365 mailbox but then started constantly flashing for authentication for the disconnected Hotmail mailbox, but the credentials window disappears before being able to click on the box to enter a password.
Cause : Unknown ? Clash of accounts? Glitch in the Matrix?
Solution : More of a workaround solution.
- Close Outlook
- Open Word > Create a blank document
-
File > Account > Sign Out
- Then click sign in, Username and Password prompts. Log in and authenticate.
- Close Word
- Open Outlook and everything worked as normal.
“Encrypt” option in Outlook Error
Licenses and Limitations of Encryption and Exchange Online in you Microsoft 365 subscription.
Example Send a New message and there is an “Encrypt” button. Great feature but is there a gotcha you need to configure or another license version you require?
Slightly frustrating a button exists even if its not configured and gives your end users and error message.
“Your machine isn’t set up for Information Rights Management (IRM). To set up IRM, sign in to Office, open and existing IRM protected message or document, or contact your help desk.”
Reason
You created and new message in Outlook, clicked options, Encrypt, and Connect to Rights Management Servers and get templates
Solution
You received this message because RMS isn’t setup in your Microsoft 365 tenancy. Azure Information Protection is only included with certain licenses in Office 365. See License Data Sheet.
OME stands for Office 365 Message Encryption (OME).
OME is offered as part of “Office 365 Enterprise E3 and E5, Microsoft Enterprise E3 and E5, Microsoft 365 Business Premium, Office 365 A1, A3, and A5, and Office 365 Government G3 and G5.”
Microsoft provide this guide to choosing your activation method.
EXO V2 Module – Microsoft 365 Exchange Online – PowerShell Module
EXO v2 Exchange Online PowerShell Module download here
Some PowerShell commands to help you manage your Microsof 365 Exchange.
More information on the Microsoft Site here
How to load the EXO v2 Module
Run PowerShell ( I used the ISE) as Administrator (+ be connected to the Internet)
Install-Module -Name ExchangeOnlineManagement #Execute this command
You will need to say “Yes to All” on Trust the repository prompt (Well that’s what I needed to do)
How do you connect to Exchange Online
Connect-ExchangeOnline -EnableErrorReporting -LogDirectoryPath C:\temp\logs –LogLevel All
Enter your tenancy credentials
(This will work and prompt for MFA enabled accounts.)
Example EXO V2 PowerShell Commands
Example 1 – Return Mailbox details for a specific user command (Settings you might see in Active Directory)
Get-EXOMailbox -Identity <ENTER EMAIL ADDRESS HERE> -Properties DisplayName,EmailAddresses,Alias
Example 2 – Return Mailbox details for a specific user command ( Settings like MAPI & POP status, Email Addresses)
Get-EXOCASMailbox -Identity “< ENTER EMAIL ADDRESS HERE >”
Example 3 – Check User Permissions
Get-EXOMailboxPermission -Identity “< ENTER EMAIL ADDRESS HERE >”
Example 4 – What Devices have accessed the mailbox.
This showed multiple devices and which supported remote wipe. If you are reviewing security footprint and what devices have access corporate email, this is a good starting point.
Get-EXOMobileDeviceStatistics -Mailbox “< ENTER EMAIL ADDRESS HERE >” -ActiveSync
Then finally how to Disconnect
DisConnect-ExchangeOnline
Then select “Yes to All”
Disconnected Successfully
