Behind the scenes of this blog is me, Seán O'Farrell. I am a Solution Architect with Evros Technology Group in Dublin, Ireland. You can find me on Linkedin
My blog posts are completely my own views & provide no warranty. My blog posts are in no way affiliated with my current employer, Microsoft, Quest or any vendor’s technologies mentioned in my blog.
I started my blog in 2009 and at this point in time I was not even aware of the Microsoft MVP programme, having a family and a very busy career in some ways held me back from the commitment it takes to obtain the prestigious MVP award. A lot of my colleagues that I have worked with for over 10 years are MVPs.
Over the years some of my clients have presented my blog posts by searching the net to resolve problems and some vendors have officially published some of my blog posts.
I acquired the domain informationprotection.ie, I was surprised the domain name was available, given all the so called GDPR experts that have suddenly appeared.
I have focused on Office365 since before BPOS and the Office365 platform is now a mature platform, the Office365 skillset is not so special anymore and a standard requirement for most IT professionals, Since the start of 2018 nearly all of my professional services engagements have been focused on Office365 & Azure security.
I am going to try and focus on Microsoft cloud security with this blog and invite guest peers to post security blog postings. I do not want to post generic material and always want to post items that are unique and will help people in the industry.
If you have found the blog helpful in any way, and/or like what I am doing, please nominate me for the Microsoft MVP award here. It's very quick and easy, fill in your own details, then the details in the screen grab below for me. Thank you!
The first task is to assign a security group with all users in scope for Microsoft Defender for Endpoint via Azure Licensing Mnagement.
The second part is to apply the policies to a group of users. The syntax below can be used to create an Azure Dynamic user group which will auto populate based on whether a user has a license for Microsoft Defender for Endpoint.
The container and content classification graphical representation above represents a high-level starting point around formalizing your data classification requirements. Microsoft have created an innovative solutions suite around data protection that is scalable for small, medium and enterprise requirements.
In some Sectors data classification has already been implemented and applied as part of the general operational procedures to support regulatory compliance (i.e., Pharma and Finance).
Since data classification has been established, it has been expanded to 204 different sensitive information types as defined by Microsoft in compliance.microsoft.com
Policy creation can be created easily to protect personally identifiable information via DLP (data loss prevention), classification and retention policies by using these sensitive information types that Microsoft provide as part of their Office365 platform.
Regex101.com is a free utility that provides the ability to create regular expressions (regex) and test the regex against input of a sensitive information types.
As an example, to implement – within the Office365 platform, Microsoft only provide three sensitive information types applicable to Ireland:
Ireland Driver’s License Number
Ireland Passport Number
Ireland Personal Public Service (PPS) Number
There is however some more common sensitive information type unique to Ireland as follows:
Eircode
Mobile phone number
Landline phone number
Regex101 also provides a regex library to cater for a particular sensitive information type.
The European Union caused quite considerable anxiety when the GDPR regulation was released during 2018.
The GDPR regulation’s primary purpose is to provide individuals control over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
Regrettably, this regulation does not protect an organization’s intellectual property.
Use cases listed below could however enable organisations to protect their intellectual property more effectively:
Food Industry: Using document fingerprinting and if working for Coca Cola or Guinness and an employee attempts to leak the secret recipe. Office365 can prevent this.
Manufacturing Industry: If a patent or manufacturing process were attempted to be shared outside the organization to that organizations’ competitors, it could cause the source organization to lose market share or cease to exist. If an employee sends an email with 100 mobile phone numbers or 100 land line phone numbers, this could be classed as data exfiltration and the employee is leaking their employers’ customers information to a competitor.
Technology Industry (Nokia, Ericsson or Huawei): may invent the next Wi-Fi standard and before the company that invents the technology registers the patent for this new technology and the information is leaked to one of their competitors, it could cause billions in lost revenue.
Legal industry: GDPR in certain scenarios can mandate that data is deleted after 7 years. This can really suit legal organization’s as they are no longer liable if the data has been permanently destroyed via a retention policy.
Pharmaceutical Industry: The first company that manufactures a permanent vaccine for Covid 19 and all Covid variants that successfully patents the solution would not like their intellectual property falling into the hands of their competitors.
AIP (Azure Information Protection) scanner is generally the initiation point of data classification as it can scan file shares and on-premises SharePoint farms. To prove the benefit of data classification, define some sensitive information types for an organization. Use AIP scanner to integrate with an Azure Log Analytics workspace and then demonstrate to an organization, how much of their critical intellectual property is not protected.
The basic overall implementation approach to enable data classification is as follows:
Monitor
Provide Tips
Protect.
AIP scanner can auto classify data, depending on the organization’s Office365 license plan, but this is all useless unless the organization has begun their data classification journey. Obviously sharing a credit card number is the most common instance of data loss prevention, but what about protecting critical intellectual property for an organization.
Another use case is when an organization has already begun their data classification journey with another vendor like Forcepoint, Symantec or McAffee. If Office365 is in the organization’s roadmap then it is easy to transfer all the custom sensitive information types and regexs’ into Office365. Regex is a universal standard and works across all vendors.
Cyber Attacks are most commonly associated with phishing attacks and most commonly performed by BOTs on the dark web, however in a targeted attack and when the bad actor’s are trying to specify the exact information they are trying to steal from an organization, if this information is classified then there is a very strong chance the bad actors attempt to steal the information will be unsuccessful and the attack will generate alerts and notify the security admins of an organization.
Microsoft have also introduced some new technology: trainable classifiers. Trainable classifiers introduce the power of Azure and AI (artificial intelligence). An organization can choose not to classify their data but let a trainable classifier analyze their data and then report on all the known sensitive information types defined in an organisation’s Office365 tenant.
A Microsoft 365 trainable classifier is a useful tool you can train to recognize various types of content by giving it samples to look at. Once trained, you can use it to identify information for the application of Office sensitivity labels, Communications compliance policies, and retention label policies.
The security component to complete the overall Microsoft suite was lacking but has been resolved by Microsoft releasing Microsoft Defender for EndPoint. Microsoft Defender for Endpoint integrates seamlessly with MCASB (Microsoft cloud app security broker) and enforces corporate security policies for devices that are not connected to the corporate LAN – which is a likely scenario, during the current Covid-19 Pandemic.
After a clean successful installation of Exchange 2016 CU20 and reboot on completion of the installation. I was presented with the following error when trying to login to the ECP and OWA.
Now this was a unique scenario. There were two Exchange 2013 production servers patched to the highest level and each Exchange 2013 server had a certificate issued from an internal certificate authority, the certificate included all of the required subject alternate names, but the certificate was also acting as the Microsoft Exchange Server Auth server on the Exchange 2013 servers and included .local domain names.
The design decision to introduce Exchange 2016 to the environment was purely to act as an Exchange Hybrid and not touch the production Exchange 2013 servers.
I installed Exchange 2016 CU20 with April 2021 security patches and got the errors listed above. Exchange Management Shell access was fine. I decided to install an additional Exchange 2016 CU19 server to see if CU20 was buggy. But unfortunately I received the same error on the fresh build of Exchange 2016 CU19 server.
The Exchange 2016 servers did not have rights to the private key of the certificate issued by the internal certificate authority that was in use by the Exchange 2013 servers as the Microsoft Auth Server certificate and the Exchange 2016 servers picked up this cert by default as it was in use in the existing Exchange organisation.
So how did i resolve this issue??
Firstly I created a new Microsoft Server Auth certificate with the following commands
New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName “CN= Microsoft Exchange Server Auth Certificate” -DomainName “*.contoso.com” -FriendlyName “Microsoft Exchange Server Auth Certificate” -Services SMTP
The next thing was to export the newly created certificate and import the certificate into the computer trusted root certification authorities location on each Exchange server.
Next we need to review and run the commands described in this Microsoft KB
Next we rename the sharedwebconfig file in the following directories to sharedwebconfig.bak. C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy
But replace the environmental variable in the two commands specified in the article ‘%ExchangeInstallPath%’ with the actual install path as the install path can change from the default locations defending on the Exchange build and the environmental variable ‘%ExchangeInstallPath%’ may not resolve in the Exchange management shell.
Run the commands and then restart the server and all should be fine , at this point you can import a trusted certificate like DigiCert and assign IIS & SMTP services to the certificate.
And run a health check on the Exchange 2016 server and – Get-ServerComponentState
Quite a nasty phishing email that sailed past Mimecast and Microsoft Defender for ATP. It brings the user to a site and the the end user clicks on another link to listen to their voicemail and this is when the payload is delivered and it can perform the following malicious acts
Copy cached credentials Modify Outlook Rules Infect the entire global address list Attempt data exfiltration via One Drive for Business
Phishing email displayed below , Careful folks. End user security awareness training is the best defense against the phishing emails that get through and breach your message hygiene services.
One of the most desirable Conditional Access policy controls is to only grant access to cloud applications if the Windows 10 devices are Azure AD Hybrid joined.
To ensure all Windows 10 devices are Azure AD Hybrid joined can be quite tricky , It is not as simple as enabling Azure AD Hybrid join in the AD connect wizard and simply synching an organizational unit that contains all of the Window 10 machines
The Windows 10 devices must be able to communicate with the Microsoft Office365 and Intune endpoints.
Microsoft Azure AD Conditional Access Policy – Report Mode only has been available for some time, however trying to demonstrate and analyze the impact of enabling the new conditional access policy was quite difficult when trying to review the activity for the new policy in the Azure AD sign in logs or even via a csv export of the policy activity.
Microsoft released Conditional Access Insights and Reporting : Overview and setup available HERE Power BI can also connect to the Log Analytics workspace to create custom dashboards if required.
Now when attempting to review conditional access policies in report mode only and in this example the policy is a report mode only if devices were blocked from signing in unless they were Azure AD Hybrid joined.
The impact summary is simple to read and break down
The next page summarizes user sign in details and which users would be impacted most by enabling the policy and then allow IT administrators to take action and get the users \ devices compliant before enabling the policy.
I have been working very closely with BitTitan for a number of years and BitTitan have been working very closely with Microsoft with the development of their Teams migration service.
The service was updated towards the end of August and this update brought a large number of enhancements which can be reviewed HERE
For years I have been migrating Office365 Tenants to other Office365 tenants and the problem still remains whereby a custom domain like contoso.com cannot exist in two Office365 tenants at once. So during acquisition or merger migration projects at what point do you migrate the Microsoft Teams sites. My recommendation is to take care of the following data sources first with the Migration Wiz user migration bundle.
Primary Mailbox Archive Mailbox OneDrive for Business Outlook switch over via deployment pro.
Once the data sources above have been migrated , I would recommend that Outlook Web App access to the legacy source tenant mailboxes is blocked via running the following command
The official MigrationWiz migration guide is available HERE Also follow this ARTICLE and setup the Teams-FullControlApp in each source tenant. I recommend that you use the autodiscover method to populate the project as this will also identify any incompatible items in Teams sites or channels
First step is to create the teams site in the target tenant , and do this 24 hours in advance
Next Step is to do the data migration
Validate the data and then remove the Teams licenses from the users in the source tenants with the following powershell commands. Create a new variable for each Offfice365 licensing sku that contains Teams.
And now all the Teams sites have been migrated and there is no chance of split brain because the Teams license has been removed from the source tenanat.
One really important point to note: MigrationWiz match users from the source to the destination based on the user prefix which is so useful when you are moving one domain from an Office365 tenant to another for example in a merger or aquistion.
A customer recently asked me how can we delete chat history in Microsoft Teams and the answer was really simple. Provided the tenant has the correct Office365 licensing. The solution was to create a retention policy and delete all chat history older than 1 day.
How to delete Teams Chats and Meeting Chat Moderation Settings
Free busy not working in an Exchange 2016 CU17 Hybrid environment.
When a customer forgets to tell you that they previously configured Exchange Hybrid using the Modern hybrid agent, The modern hybrid agent leaves behind some configuration settings that prevent free-busy working from EOL to EOP.
I always use the classic hybrid wizard for organisations that require long term rich co-existence.
The frustrating this with this issue is that the Exchange Remote Connectivity analyzer tests WORK, which would lead you to believe everything is ok and configured correctly. But when you attempt to query availability requests for a user or resource from OWA or Outlook , the look up fails.
What does the Hybrid Agent leave behind in Exchange Online?
Two values are populated that will prevent free \ busy from EOL to EOP working.
OrganizationRelationship -targetsharingepr
Intraorgconnector -targetsharingepr
When you query these values , You may see a value like https://a75aa21a-2f8d-4b2e-85fe-1234.resource.mailboxmigration.his.msappproxy.net/EWS/E
xchange.asmx
To resolve the issue run the following commands
set-intraorgconnector -TargetSharingEpr $null
set-OrganizationRelationship “Name of Org Relationship” -TargetSharingEpr $null
One of the pre-requisites for Teams (online) integration with Exchange on-premise calendars is oauth authentication.
Sometimes solution providers just install a single or multiple Exchange 2016 servers to ensure the oauth pre-requisite is delivered. However if the project scenario requires Exchange on-premise mailboxes to be migrated as quickly as possible to Exchange Online then it may seem overkill to implement Exchange 2016 servers during this transition period.
Exchange 2013 CU24 and above does not complete the oauth authentication part of the Hybrid wizard, however Microsoft do have an article on how to configure OAUTH for Exchange 2013.
This solution works perfectly and allows an organization to transition from Exchange 2013 to Exchange Online without the requirement for Exchange 2016 servers and enables Teams to interact with Exchange 2013 on-premise calendars.
Every organisation is different and has different requirements. I have been working with conditional access for quite some time and have settled on the following policies for every organisation.
Create a security group that contains users that are permitted to access the organisations cloud services when outside of trusted locations.
Blocked Countries Conditional Access Policy
All Users
Exclude Break Glass Admin account
All Cloud Apps
Location : Blocked Countries that have been setup in the named locations section of Azure Conditional Access.
Access Control : Block Access
Blocked External Access
All users , except Break Glass Admin account and security group that contains users that are permitted access.
All Cloud Apps
Locations : Any location except trusted locations
Access Control : Block Access
Permit External Access
Users : security group that contains users that are permitted access.
All Cloud Apps
Locations : Any location except trusted locations
Client Apps
Browser
Mobile apps and desktop clients
Modern authentication clients
Grant Access : Require all of these controls
Require Multi factor Authentication
Require Hybrid Azure AD joined device
Require approved client app
Terms of Use
Mobile Device Access
Users : security group that contains users that are permitted access.
Exchange Online
Locations : Any location except trusted locations
Device Platforms : Android & IOS
Client Apps
Browser
Mobile apps and desktop clients
Modern authentication clients
Grant Access : Require all of these controls
Require Multi factor Authentication
Require device to be marked as compliant (Enrolled in Intune)
Require approved client app
Terms of Use
Why still enable MFA for the mobile device access policy. When the Microsoft Authenticator application is installed on an Android or IOS device. It acts like an SSO broker and can communicate with the modern authentication Microsoft Outlook client.
Microsoft Information Protection 