Tuesday, July 17, 2018

Cleaning up orphaned SharePoint Online sites

A while back I made a script available that allows you to find all the external users in your environment. You can learn about this here:

Checking SharePoint External Users PowerShell Script

Now when I ran the script on my own tenant I noticed a number of SharePoint sites that didn’t seem right. As you can see from the above screen shot, these typically have the word “management” in the name (e.g. management71, management93, management59, etc.).

Hmm…ok, seems like I have some orphaned SharePoint sites. I kind of remember playing around when Microsoft Teams came out, creating and deleting Teams to test the functionality. So it seems that when I deleted the Teams stuff in the early days it didn’t delete everything.

OK, time for a clean-up.

So I started with site Management71 and checked to see whether I could get to it. As you can see from the above, yes I can.

So back in the day, this site would have been connected to an Office 365 Group. If I delete the site and it isn’t fully orphaned (i.e. an Office 365 Group still exists for it) then I could have issues. So, to see whether an Office 365 Group still existed with the word “management” in the title, I ran this command to give me a list of every Office 365 Group in my tenant:

Get-UnifiedGroup | Format-List DisplayName,EmailAddresses,Notes,ManagedBy,AccessType

Turns out there is still an Office 365 Group called Management in my tenant, as you can see from the results below.

So the question now is whether the existing Office 365 Group called Management is tied to the SharePoint site Management71 or to another site that also has management in the name. See how confusing I’ve made things?

So next I checked whether I could discover this operational Office 365 Group via PowerShell, and indeed I could see it in my tenant as shown above.

To determine whether this was indeed connected to Management71, I navigated to the SharePoint site connected to the Office 365 Group from the Group page. Lo and behold, the Group site in question is a different site, with a URL that includes the word Management, not Management71. Hopefully you get why I’m trying to make all this go away!

So, not needing this valid Office 365 Group, I decided the best way to remove it was to delete it with the following PowerShell command:

Remove-UnifiedGroup -Identity "Management"

To see the sites created by Office 365 Groups you’ll need to go into the new SharePoint Online Admin console as you see above. The problem is that this new portal doesn’t as yet allow you to delete sites. That means I’ll have to use PowerShell.

I was then able to locate the orphaned site in question, Management71, as shown above.

But if I look carefully at the properties for the site I see that it still thinks this site is connected to an Office 365 Group.

So I once again ran the PowerShell command to check the Office 365 Groups in the tenant, and there is no longer one with the name management. I am therefore going to assume the site in question is orphaned, and I’ll remove it using PowerShell.

When I look in the new SharePoint administration console, in the recycle bin for deleted sites, I now see the site that was tied to the valid group I just deleted, called Management. To keep things tidy, I decided the best option was to purge unwanted items from here so the rogue SharePoint sites are completely gone from my tenant. To do that I ran:

Remove-SPODeletedSite -Identity https://ciaops365e1.sharepoint.com/sites/management -NoWait

To remove the other rogue SharePoint sites I first run:

Remove-SPOSite -Identity https://ciaops365e1.sharepoint.com/sites/management71 -NoWait

followed by the Remove-SPODeletedSite command above to also remove them from the recycle bin and my tenant completely.

In the end, I have been able to remove active SharePoint sites in my tenant that appear to have been created by now defunct Office 365 Groups. I did all this via PowerShell to ensure that they weren’t still connected to something else in Office 365.

I feel much better having a clean tenant without these additional SharePoint sites floating around, and I also got to use PowerShell to get the job done. Win!
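
As an added example (not the blog’s own script), the following PowerShell automates the check walked through above: it lists group-connected sites whose Office 365 Group no longer exists and only removes them when run with -Remove. It assumes Connect-SPOService and Connect-ExchangeOnline have already been run, and that Get-SPOSite returns the GroupId property for group-connected sites.

```powershell
# Added example: find SharePoint sites created by an Office 365 Group where the
# Group itself has since been deleted, then optionally remove and purge them.
# Assumes Connect-SPOService and Connect-ExchangeOnline have already been run.
param(
    [switch]$Remove   # without this switch the script only reports
)

# GROUP#0 is the template of a modern team site created by an Office 365 Group
$groupSites = Get-SPOSite -Limit All -Template 'GROUP#0'

$orphaned = foreach ($site in $groupSites) {
    # An empty or all-zero GroupId means the site is not group-connected
    if (-not $site.GroupId -or $site.GroupId -eq [guid]::Empty) { continue }

    # Look the Group up by its object id rather than by display name, since
    # several Groups or sites can share a name (Management vs Management71)
    $group = Get-UnifiedGroup -Identity $site.GroupId.ToString() -ErrorAction SilentlyContinue
    if (-not $group) {
        [pscustomobject]@{
            Url     = $site.Url
            Title   = $site.Title
            GroupId = $site.GroupId
        }
    }
}

if (-not $orphaned) { Write-Host 'No orphaned Group sites found'; return }
$orphaned | Format-Table -AutoSize

if ($Remove) {
    foreach ($s in $orphaned) {
        # Remove-SPOSite without -NoWait blocks until the site is in the
        # recycle bin, so the purge that follows does not race the deletion
        Remove-SPOSite -Identity $s.Url -Confirm:$false
        Remove-SPODeletedSite -Identity $s.Url -Confirm:$false
    }
}
```

A Group that was soft-deleted within the last 30 days also fails the lookup but can still be restored, so review the report before re-running with -Remove.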

Monday, July 16, 2018

Join my free Microsoft Team

A while ago I created a free Yammer network for people to see what Yammer is all about, as well as to share Microsoft Cloud information. Since then, Microsoft has announced that it is making a version of Teams freely available, so I thought why not do the same there as well.

So I have gone out and created a free Microsoft Team which you are more than welcome to join. All you need to do is send me an email (director@ciaops.com) and I’ll arrange an invite for you that will allow access.

I think making a free version of Teams is a great move by Microsoft and will allow more people to see what Teams is all about without the need for Office 365.

Of course, you can go out and create your own free Microsoft Team but hopefully, if we can get some people into this free Team I have created, you’ll get a better idea of exactly how it works with a group of people.

Sunday, July 15, 2018

Locate all Office 365 Site Collection Administrators

One of the other things you probably need to check in your tenant is exactly who is a Site Collection administrator in your SharePoint sites in Office 365.

Site Collection administrators have full access to that SharePoint site and can only be removed by another Site Collection administrator. Also, they generally don’t appear inside the permission settings within a site. So, knowing who has full rights to your SharePoint sites is a good thing, I feel.

You can find the script to display all your SharePoint sites and Site Collection administrators inside those sites in my GitHub repository here:

https://github.com/directorcia/Office365/blob/master/o365-spo-admins.ps1

The interesting thing I discovered when I ran the script was that I have a number of sites with no Site Collection administrator (most likely deleted sites, it seems) and a number of sites I didn’t have access to (again, this seems to have something to do with becoming orphaned during deletion). So, I have some further work to do now to clean all this up.

The script won’t fix or deal with any errors, but it will tell you about them and you can go investigate further.

Run it and see what it turns up for you!
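
As an added example (not the o365-spo-admins.ps1 script linked above), this PowerShell lists the Site Collection Administrators of every site and flags the two conditions the post describes: sites with no administrator and sites the running account cannot read. It assumes Connect-SPOService has already been run and that the output path .\spo-site-admins.csv is writable.

```powershell
# Added example: report Site Collection Administrators per site and flag
# admin-less or unreadable sites. Assumes Connect-SPOService has been run.
$report = foreach ($site in Get-SPOSite -Limit All) {
    try {
        # Get-SPOUser lists site-collection-level users; IsSiteAdmin marks SCAs
        $admins = Get-SPOUser -Site $site.Url -Limit All -ErrorAction Stop |
                  Where-Object { $_.IsSiteAdmin }
        [pscustomobject]@{
            Url    = $site.Url
            Status = if ($admins) { 'OK' } else { 'NO ADMIN' }
            Admins = ($admins.LoginName -join '; ')
        }
    }
    catch {
        # Access denied is expected for sites where the account running this
        # script is not itself a Site Collection Administrator
        [pscustomobject]@{
            Url    = $site.Url
            Status = "ERROR: $($_.Exception.Message)"
            Admins = ''
        }
    }
}

# Errors and admin-less sites sort to the top for investigation
$report | Sort-Object Status | Format-Table -AutoSize -Wrap
$report | Export-Csv -Path .\spo-site-admins.csv -NoTypeInformation
```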

Friday, July 13, 2018

Need to Know podcast–Episode 185

A great interview this episode with Marcus Dervin from Webvine focused on Digital Transformation. Marcus has some real insights to share from his recent book on this very subject, and we even have a special offer for listeners of this podcast to grab a copy and learn from an experienced operator. If you are looking to digitally transform or help other businesses do the same, don't miss this episode.

You'll also get the latest round of Microsoft cloud updates from Brenton and myself as we aim to keep you up to date with the ever-changing face of the cloud.

Take a listen and let us know what you think - feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-185-marcus-dervin/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

@marcusdervin

@contactbrenton

@directorcia

Marcus's book - Digital Transformation, from the inside out (use coupon code CIAOPS for 20% off)

Webvine

Page metadata coming to SharePoint and Office 365

Idle session timeout policy in SharePoint and OneDrive is now generally available

New Office ribbon

Microsoft Surface Go

New Planner capabilities

Thursday, July 12, 2018

Determining Office Add-ins

After posting how to protect your Office tenant from malicious add-ins recently:

Thwarting the Office 365 Ransomware cloud

I was asked whether you could determine what add-ins users had already authorised. Thanks to PowerShell the answer is always “Yes”.

You need to ensure that you are connected to Exchange Online first and then you can run:

$mailboxes = Get-Mailbox -ResultSize Unlimited

foreach ($mailbox in $mailboxes) {
    Write-Host "Mailbox =", $mailbox.PrimarySmtpAddress
    # Get-App lists the add-ins installed in that mailbox
    Get-App -Mailbox $mailbox.PrimarySmtpAddress | Select-Object DisplayName, Enabled, AppVersion | Format-Table
}

This will output, for each mailbox, its address followed by a table of the add-ins installed in it, so you can easily see what is already configured for each mailbox.

I have uploaded the script to my GitHub repository here, if you want it:

https://github.com/directorcia/Office365/blob/master/o365-exo-addins.ps1

Wednesday, July 11, 2018

Thwarting the Office 365 Ransomware cloud

The above video is an interesting presentation around a ‘new variant of ransomware’ (to quote the video). In essence, it tricks the user into installing a malicious add-in for their Office 365 environment. That malicious add-in can then effectively run riot across everything the user has access to, including shared files. The video shows how this control can be used to encrypt the user’s emails even though they are ‘in the cloud’. This is simply because the user has been tricked into giving the malicious application full access to their environment.

Is there a way to prevent or mitigate this risk? First the bad news. Generally, every Office 365 tenant out of the box allows all users to add these types of add-ins to their environment. Typically, this ability is designed to let legitimate Outlook add-ins like Boomerang or Harmon.ie be added to help the user be more productive. However, that also means malicious add-ins can be added just as easily, as the video demonstrates. So, it is definitely a security issue to pay attention to.

You can verify whether this option is enabled in your Office 365 tenant by firstly connecting to Exchange Online PowerShell and then running the following command:

Get-MsolCompanyInformation | Format-List DisplayName,UsersPermissionToUserConsentToAppEnabled

If the result comes back as True then you are potentially vulnerable to this style of attack.

However, if you run this command:

Set-MsolCompanySettings -UsersPermissionToUserConsentToAppEnabled $false

you can disable the ability for users to authorise add-ins. They can still add add-ins to their environment, but they cannot authorise applications that ask for permissions to their environment.

Thus, add-ins like the Exchange Message Header Analyzer are fine as they simply report on email headers, but something like Harmon.ie, which requests access to resources, will be blocked.

So above you can see the user has added the Harmon.ie add-in to their environment. To use it, they need to select the highlighted Connect to Office 365 button.

Normally the user would see the above Permission Request dialog, click Accept and the add-in would have access.

However, after disabling the ability for users to consent for apps this will appear as:

As you can see, the user isn’t permitted to grant permissions; it can only be done by an administrator. This is going to prevent the user randomly installing add-ins as well as protect them from potentially malicious apps.

Of course, the downside for administrators is that they will have to consent to user-added apps manually, but that is a small price to pay for better security, I would suggest. As I like to say, ‘Got access denied when you’re doing something silly? GOOD! That means the security is doing its job!’

My own experience is that users rarely add legitimate applications and if there is a need for them to be added they can be pushed out from the Office 365 Admin Center by an administrator and then authorised as needed on a per user basis. Alternatively, the required apps can be pushed out and authorised by users and then the tenant can be locked down.

However, in my opinion, out of the box, most Office 365 tenants should have this default ability blocked as shown, to thwart the ‘new Ransomware cloud’ threat.
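
As an added example (not one of the blog’s own scripts), the following PowerShell ties this post together with the earlier “Determining Office Add-ins” one: it reports the tenant’s user-consent setting, optionally disables it when run with -Harden, and then lists every enabled add-in per mailbox that is not on an allow-list. It assumes Connect-MsolService and Connect-ExchangeOnline have both been run, since Get-MsolCompanyInformation and Set-MsolCompanySettings come from the MSOnline module rather than Exchange Online, and the allow-list contents are placeholders.

```powershell
# Added example: audit (and optionally disable) user consent to app permissions,
# then flag enabled mailbox add-ins that are not on an allow-list.
# Assumes Connect-MsolService (MSOnline module) and Connect-ExchangeOnline have run.
param(
    [switch]$Harden   # apply Set-MsolCompanySettings only when requested
)

# Placeholder allow-list: replace with the add-ins your organisation approves
$allowed = @('Message Header Analyzer')

$company = Get-MsolCompanyInformation
if ($company.UsersPermissionToUserConsentToAppEnabled) {
    Write-Warning "$($company.DisplayName): users can consent to app permissions themselves"
    if ($Harden) {
        Set-MsolCompanySettings -UsersPermissionToUserConsentToAppEnabled $false
        Write-Host 'User consent disabled; an administrator must now consent on users'' behalf'
    }
} else {
    Write-Host "$($company.DisplayName): user consent to app permissions is already disabled"
}

# Enumerate installed add-ins per mailbox and keep only enabled, non-allowed ones
$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    Get-App -Mailbox $mbx.PrimarySmtpAddress -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -and $_.DisplayName -notin $allowed } |
        ForEach-Object {
            [pscustomobject]@{
                Mailbox = $mbx.PrimarySmtpAddress
                AddIn   = $_.DisplayName
                Version = $_.AppVersion
            }
        }
}

# Microsoft's built-in add-ins show up here too; add the ones you accept to $allowed
$findings | Sort-Object Mailbox, AddIn | Format-Table -AutoSize
```

Disabling consent does not revoke permissions already granted, so add-ins listed by this report that were authorised earlier still need to be reviewed and removed by an administrator.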

Tuesday, July 10, 2018

CIAOPS Need to Know Azure Webinar–July 2018

We are going to take a closer look at the newest Azure service – Intune. You’ll learn what Intune is and how you can use it to manage and secure your devices, all from the Azure console. There’ll also be news, updates and Q and A. I hope to see you there.

July Azure Webinar Registrations

The details are:

CIAOPS Need to Know Azure Webinar – July 2018
Thursday 26th of July 2018
2pm – 3pm Sydney Time

All sessions are recorded and posted to the CIAOPS Academy.

There of course will also be open Q and A so make sure you bring your questions for me and I’ll do my best to answer them.

The CIAOPS Need to Know Webinars are free to attend but if you want to receive the recording of the session you need to sign up as a CIAOPS patron which you can do here:

http://www.ciaopspatron.com

or purchase them individually at:

http://www.ciaopsacademy.com/

Also feel free at any stage to email me directly via director@ciaops.com with your webinar topic suggestions.

I’d also appreciate you sharing information about this webinar with anyone you feel may benefit from the session.