Join my free Microsoft Team

A while ago I created a free Yammer network for people to see what Yammer is all about as well as share Microsoft Cloud information. Since then, Microsoft has announced that it is making a version of Teams freely available, so I thought why not do the same there as well.

So I have gone out and created a free Microsoft Team which you are more than welcome to join. All you need to do is send me an email (director@ciaops.com) and I’ll arrange an invite for you that will allow access.

I think making a free version of Teams is a great move by Microsoft and will allow more people to see what Teams is all about without the need for Office 365.

Of course, you can go out and create your own free Microsoft Team but hopefully, if we can get some people into this free Team I have created, you’ll get a better idea of exactly how it works with a group of people.

Locate all Office 365 Site Collection Administrators

One of the other things you probably need to check in your tenant is exactly who is a Site Collection administrator in your SharePoint sites in Office 365.

Site Collection administrators have full access to that SharePoint site and can only be removed by another Site Collection administrator. Also, they generally don’t appear inside the permission settings inside a site. So, knowing who has full rights to your SharePoint sites is a good thing I feel.

You can find the script to display all your SharePoint sites and Site Collection administrators inside those sites in my GitHub repository here:

https://github.com/directorcia/Office365/blob/master/o365-spo-admins.ps1

The interesting thing I discovered when I ran the script was that I have a number of sites with no Site Collection administrator (most likely deleted sites it seems) and a number of sites I didn’t have access to (again, seems to have something to do with becoming orphaned during deletion). So, I have some further work to do now to clean all this up.

The script won’t fix or deal with any errors, but it will tell you about them and you can go investigate further.

Run it and see what it turns up for you!
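
A minimal sketch of this kind of audit, added here as an example; it is not the author's o365-spo-admins.ps1 script. It assumes the SharePoint Online Management Shell module is installed and Connect-SPOService has already been run against the tenant admin URL. The function name Get-SiteCollectionAdminReport and the CSV file name are hypothetical.

```powershell
# Added example, not the author's script.
# Assumes Connect-SPOService has already been run for this tenant.
function Get-SiteCollectionAdminReport {
    [CmdletBinding()]
    param()

    # Enumerate every site collection in the tenant
    $sites = Get-SPOSite -Limit All

    foreach ($site in $sites) {
        try {
            # IsSiteAdmin is true for Site Collection administrators
            $admins = @(Get-SPOUser -Site $site.Url -Limit All -ErrorAction Stop |
                Where-Object { $_.IsSiteAdmin })

            if ($admins.Count -eq 0) {
                # No administrator at all: flag the site for follow-up
                [pscustomobject]@{
                    Site   = $site.Url
                    Admin  = $null
                    Status = 'NoSiteCollectionAdmin'
                }
                continue
            }

            foreach ($admin in $admins) {
                [pscustomobject]@{
                    Site   = $site.Url
                    Admin  = $admin.LoginName
                    Status = 'OK'
                }
            }
        }
        catch {
            # For example a site the current account cannot access;
            # record the error and carry on with the next site
            [pscustomobject]@{
                Site   = $site.Url
                Admin  = $null
                Status = "Error: $($_.Exception.Message)"
            }
        }
    }
}

$report = Get-SiteCollectionAdminReport
$report | Where-Object Status -ne 'OK' | Format-Table -AutoSize   # sites needing attention
$report | Export-Csv -Path .\spo-site-admins.csv -NoTypeInformation
```

Like the linked script, this only reports; sites with no administrator or with errors still need to be investigated by hand.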

Need to Know podcast–Episode 185

A great interview this episode with Marcus Dervin from Webvine focused on Digital Transformation. Marcus has some real insights to share from his recent book on this very subject and we even have a special offer to listeners of this podcast to also grab a copy and learn from an experienced operator. If you are looking to digitally transform or help other businesses do the same, don’t miss this episode.

You’ll also get the latest round of Microsoft cloud updates from Brenton and myself as we aim to keep you up to date with the ever changing face of the cloud.

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-185-marcus-dervin/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

@marcusdervin

@contactbrenton

@directorcia

Marcus’s book – Digital Transformation, from the inside out (use coupon code CIAOPS for 20% off)

Webvine

Page metadata coming to SharePoint and Office 365

Idle session timeout policy in SharePoint and OneDrive is now generally available

New Office ribbon

Microsoft Surface Go

New Planner capabilities

Determining Office Add ins

After posting how to protect your Office tenant from malicious add-ins recently:

Thwarting the Office 365 Ransomware cloud

I was asked whether you could determine what add-ins users had already authorised? Thanks to PowerShell the answer is always “Yes”.

You need to ensure that you are connected to Exchange Online first and then you can run:

# Requires an existing Exchange Online PowerShell session
$mailboxes = Get-Mailbox -ResultSize Unlimited

foreach ($mailbox in $mailboxes) {
     # List the add-ins installed for this mailbox
     Write-Host "Mailbox =",$mailbox.PrimarySmtpAddress
     Get-App -Mailbox $mailbox.PrimarySmtpAddress | Select-Object DisplayName,Enabled,AppVersion | Format-Table
}

This will basically spit out something that looks like:

image

So you can easily see what is already configured for each mailbox.

I have uploaded the file to my GitHub repository here:

https://github.com/directorcia/Office365/blob/master/o365-exo-addins.ps1

if you want it.

Thwarting the Office 365 Ransomware cloud

The above video is an interesting presentation around a ‘new variant of ransomware’ (to quote the video). In essence, what it does is trick the user into installing a malicious plug-in for their Office 365 environment. That malicious plug-in can then effectively run riot across everything the user has access to, including shared files. The video shows how this control can be used to encrypt the user’s emails even though they are ‘in the cloud’. This is simply because the user has been tricked into giving the malicious application full access to their environment.

Is there a way to prevent or mitigate this risk? First the bad news. Generally, every Office 365 tenant out of the box allows all users to add these types of add-ins to their environment. Typically, the ability is designed to allow legitimate Outlook plugins like Boomerang or Harmon.ie to be added to help the user be more productive. However, that also means malicious add-ins can be added just as easily, as the video demonstrates. So, it is definitely a security issue to pay attention to.

You can verify whether this option is enabled in your Office 365 tenant by firstly connecting to Exchange Online PowerShell and then running the following command:

# The Msol cmdlets belong to the MSOnline module; run Connect-MsolService before this
Get-MsolCompanyInformation | fl DisplayName,UsersPermissionToUserConsentToAppEnabled

If the result comes back as True then you are potentially vulnerable to this style of attack.

However, if you run this command:

Set-MsolCompanySettings -UsersPermissionToUserConsentToAppEnabled $false

You can disable the ability for users to authorise plug-ins. They can still add plug-ins to their environment but they cannot authorise applications that ask for permissions to their environment.

Thus, add-ins like the Exchange Message Header Analyzer are fine as they simply report on email headers, but something like Harmon.ie, which requests access to resources, will be blocked.

image

So above you can see the user has added the Harmon.ie add-in to their environment. To use it, they need to select the Connect to Office 365 button highlighted.

image

Normally the user would see the above Permission Request dialog, click Accept and the add-in would have access.

However, after disabling the ability for users to consent for apps this will appear as:

image

As you can see the user isn’t permitted to provide permissions, it can only be done by an administrator. This is going to prevent the user randomly installing add-ins as well as protecting them from potentially malicious apps.

Of course, the downside for administrators is the fact that they will have to consent to user added apps manually but that is a small price to pay for better security I would suggest. As I like to say ‘Got access denied when you’re doing something silly? GOOD! That means the security is doing its job!’

My own experience is that users rarely add legitimate applications and if there is a need for them to be added they can be pushed out from the Office 365 Admin Center by an administrator and then authorised as needed on a per user basis. Alternatively, the required apps can be pushed out and authorised by users and then the tenant can be locked down.

However, in my opinion, out of the box, most Office 365 tenants should have this default ability blocked as shown to thwart the ‘new Ransomware cloud’ threat.

CIAOPS Need to Know Azure Webinar–July 2018

We are going to take a closer look at the newest Azure service – Intune. You’ll learn what Intune is and how you can use it to manage and secure your devices all from the Azure console. There’ll also be news, updates and Q and A. I hope to see you there.

July Azure Webinar Registrations

The details are:

CIAOPS Need to Know Azure Webinar – July 2018
Thursday 26th of July 2018
2pm – 3pm Sydney Time

All sessions are recorded and posted to the CIAOPS Academy.

There of course will also be open Q and A so make sure you bring your questions for me and I’ll do my best to answer them.

The CIAOPS Need to Know Webinars are free to attend but if you want to receive the recording of the session you need to sign up as a CIAOPS patron which you can do here:

http://www.ciaopspatron.com

or purchase them individually at:

http://www.ciaopsacademy.com/

Also feel free at any stage to email me directly via director@ciaops.com with your webinar topic suggestions.

I’d also appreciate you sharing information about this webinar with anyone you feel may benefit from the session.

CIAOPS Need to Know Office 365 Webinar–July

A new financial year here in Australia is good reason to start planning. Luckily, Office 365 has just the right tool to help us – Planner, which is what we’ll be taking a look at in detail during this month’s webinar. I’ll also bring you up to date with everything happening in the Microsoft and Office 365 space as always.

You can register for free at:

July Webinar Registrations

The details are:

CIAOPS Need to Know Webinar – July 2018
Thursday 26th of July 2018
11am – 12am Sydney Time

Preventing Malware downloads from Office 365

image

If you are unfortunate enough to somehow get malware in your Office 365 tenant you may not appreciate that by default you can still download this, even though it gets detected as shown above.

image

Best practice would be to use the PowerShell command:

Set-SPOTenant -DisallowInfectedFileDownload $true

to prevent users from having the option to download the infected file. Basically, it removes the Download button as shown above. Doing this will apply the setting across all SharePoint Sites, including OneDrive for Business, Teams and standalone site collections.

From the Microsoft documentation:

If the Set-SPOTenant cmdlet has the DisallowInfectedFileDownload parameter set to:

true (recommended), this happens:

  • All actions, except Delete, are blocked for detected files.

  • People cannot open, move, copy, or share detected files.

  • People see a visual cue that indicates that a file has been identified as malicious. No one can download the file.

false, this happens:

  • All actions, except Delete and Download, are blocked for detected files.

  • People cannot open, move, copy, or share detected files.

  • People see a visual cue that indicates a file has been identified as malicious, but they can choose to accept the risk and download the file anyway.

Allow up to 30 minutes for your changes to spread to all Office 365 datacenters.

The recommended best practice is then to turn this on for all tenants as it is not on by default.