Need to Know podcast–Episode 213

A quick news update followed by an engaging interview with Amy Babinchak around some of the cloud topics she will be presenting at some upcoming events. Amy is owner of Harbor Computer, Third Tier Consulting and an Office 365 MVP to boot, so plenty of great learnings to he had listening in.

This episode was recorded using Microsoft Teams and produced with Camtasia 2019

Take a listen and let us know what you think –

You can listen directly to this episode at:

Subscribe via iTunes at:

The podcast is also available on Stitcher at:

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.





Samsung and Microsoft Alliance

Updates to SharePoint authoring

Top 5 advantages of OneDrive for Business

MFA and end user impacts

Set up conditional access with Microsoft Search in Bing

New Azure files authentication

Lower pricing for Azure storage

Chromium version of Edge now has a beta channel

Impact of a password spray attack

Basically, when someone launches a password spray attack on one of your accounts, they are basically using automated processes to guess your password and brute force their way into the account. These attacks typically happen via legacy protocols that should be disabled in your Microsoft 365 tenant as i have mentioned before:

Disable basic auth to improve Office 365 security

This can be tricker than you think because many legacy applications require basic authentication to operate. Therein lies the challenge.

I have purposely left legacy authentication enabled on some accounts to track what happens during brute force attempts. Experience is the best teacher as they say. Thanks to Cloud App Security:

A great security add on for Microsoft 365

I have configured it to alert me when there is failed login from outside my corporate locations:

Tracking failed logins using Cloud App Security


I would occasionally get the odd failed alert but nothing sustained. That was until today!


As you can see from my inbox, all of sudden I started to get massive volumes of alerts from Cloud App Security. The spray was on!


I jumped across to Azure AD sign-ins for the account and filtered the location down to be largely from China (i.e. CN is the location filter in the above results).


Due to the intensity of attack I started to get login failures and reported locks outs as shown above. So how does Azure AD handle lockouts? You’ll find that information here:

Azure Active Directory smart lockout

which says:

By default, smart lockout locks the account from sign-in attempts for one minute after 10 failed attempts. The account locks again after each subsequent failed sign-in attempt, for one minute at first and longer in subsequent attempts.

Smart lockout tracks the last three bad password hashes to avoid incrementing the lockout counter for the same password. If someone enters the same bad password multiple times, this behavior will not cause the account to lockout.

Smart lockout is always on for all Azure AD customers with these default settings that offer the right mix of security and usability. Customization of the smart lockout settings, with values specific to your organization, requires paid Azure AD licenses for your users.

In this case, the tenant didn’t have a premium version of Azure AD so the standard defaults were in effect.


The next application to feel the strain was the OneDrive for Business sync client which started requiring re-authentication.


Then the Azure portal began to struggle under the weight of so many failed login attempts.


Then the Microsoft Teams desktop application also started to have authentication issues.


Next, it was OneNote’s turn to start requiring re-authentication.

The attacks came in waves, typically separated by a few minutes (as happens with spray attacks) and then it was back again.


So what can you do if an account is subject to a spray attack and you are effectively getting denial of service thanks to that? Microsoft has provided every tenant with a number of free Baseline Conditional Access policies. The most appropriate one in this case is Block legacy authentication.


Enabling this policy will basically prevent legacy protocols like IMAP, POP and SMTP BUT it will do this across the WHOLE tenant! That is, for ALL users. That may be an issue if you have other accounts that depend on these older protocols for operation. However, this is certainly the quickest and easiest way to block spray attacks if you need to.


A more refined approach is to use PowerShell and create a new authentication policy as shown above. This creates a policy that disables the legacy protocols.



With the policy in place you can now apply it to just the user in question. Most authentication policies can take up to twenty four hors to take effect, however you can force an immediate refresh using the –STSRefreshTokenValidFrom option as shown above.



After doing all this, it is advisable to check to ensure the user has this authentication policy enabled as shown above.


When you dive into the Azure AD logs you’ll see that the brute force attempts have happened via SMTP, confirming a spray attack against the account.


Another service that may be affected by these attacks is Flow as seen above.


You may need to go into the Flow and re-authenticate as with the other affected apps. The issue may not be come evident until the next time your Flow actually runs.

So what my ten take aways?

1. Spray attacks are easy to automate and initiate. That means they will continue because they have a great ROI for attackers.

2. Implementing MFA on accounts is going to protect against an account breech from these spray attacks.

3. Spray attacks are facilitated via basic authentication which is enabled on all tenants by default for legacy support and has to be manually disabled! Enabling MFA DOES NOT automatically disable basic authentication since it allows support for static app passwords for applications that don’t support MFA out of the box. Disabling legacy authentication can cause issues with older applications that don’t support modern authentication. Disabling legacy authentication across the whole tenant needs to be done with caution. A user by user approach may be a better approach initially.

4. If your applications are complaining about failed authentication, check to see whether your account is not in fact the subject of a spray attack. Azure AD is trying to protect the account by locking itself out for a time period which affects good and bad attempts.

5. Use Cloud App Security and you’ll get a heads up on this sort of thing early on. Knowing what is happening makes it much easier to deal with and there really isn’t a better way than using Cloud App Security.

6. Use conditional access to restrict who can attempt to login to your tenant. Every one gets some free basic baseline policies from Microsoft but it is worth paying for Azure AD P1 to get the ability to be more granular. Don’t forget that Microsoft 365 Business comes with this granular Conditional Access ability out of the box now!

7. Consider having a ‘break glass’ emergency administrator account that you can call on to make admin changes if your only other existing administration account comes under attack and access becomes denied. This account doesn’t need a licence, it just needs permissions. It is hard to make changes to a tenant as an administrator if that account is subject to denial of service by a spray attack!

8. Even if you have MFA enabled, if you leave legacy authentication enabled, then even though attackers can’t correctly guess the password, their continued attempts could effectively result in a denial of service. This is very hard to mitigate, so look to eliminate all your legacy apps and protocols to prevent becoming collateral damage.

9. Review:

Azure AD and ADFS best practices: Defending against password spray attacks

as a good refence for the steps to protect your tenant against spray attacks. Remember, security is a journey and requires eternal vigilance and education.

10. Documentation before, during and after any incident is critical to knowing, understand and mitigating attacks. This all starts with preparation and knowing your situation and what can and needs to be done in a logical manner using tools like checklists. Your information is too important and valuable to leave to chance. Have a plan, your attacker does.

The more hardened your environment, the more likely attackers will simply move on to easier targets. Leaving legacy settings enabled is going to ensure they keep coming back to test your defences and potentially impacting your productivity as a side effect. In this case, once legacy authentication was disabled for the account the attacks ceased.

Sharing an Azure Information Protected file


Let’s say that we have a super secret text file with the contents shown above that we want to share with an external contact outside our Microsoft 365 tenant. We want to ensure that the document is encrypted and only viewable by those we have deemed to have permissions. We also want to restrict external users to have read only access to the file. How can we achieve that? With Azure Information Protection (AIP).


The first step in the process is to define an Azure Information Protection label with the permissions desired. You can see in the above that access for this label is defined for a Gmail account and the permissions for this account are set to “Viewer” (i.e. read only).

This label then needs to be added to a policy and pushed out to those Microsoft 365 users who will be creating documents, so it is available on their machines.


Users should already have the Microsoft Azure Information Protection Clients for Windows client installed on their machines. Doing so will add an Azure Information Protection banner to their Office desktop applications as well as an extension to Windows Explorer when they right mouse click on a file as shown above.

You typically use this Windows Explorer extension when you want to protect non-Office documents. You do this by selecting Classify and Protect as shown above.


This will launch the AIP client and allow you to apply the protection label that was created previously in the Azure portal. To apply that specific label to protect the document simply select the label name as shown above. You should then see the Sensitivity set to that level in the top left. Don’t forget to select the Apply button in the bottom right to actually protect the file!


You should now see that the file is a “Protected Text File” and that it has a new icon. You will also notice that the extension here is now .PTXT for protected text file.


That file can now be uploaded to OneDrive for Business and appears as shown.


If that protected file is now sent outside the organisation, using any method,  and is opened with the native viewer, here Notepad, you’ll note the message saying that the file is protected and to view it you must download the Microsoft’s protected file viewer. This is actually exactly the same client that was used earlier – Microsoft Azure Information Protection Clients for Windows client. So, this will need to be downloaded and installed on the destination machine to allow viewing/access of the file.


Once the Microsoft Azure Information Protection Clients for Windows client has been installed, when you open the file it should open automatically in the Azure Information Protection Viewer. If it doesn’t just launch the Azure Information Protection Viewer first, and then use it to open the protected document.


Because the document is protected the user will now be asked to enter their credentials as shown. This will be their email address.


In this case, the email address with permissions is a Gmail account which isn’t an Azure AD account like say an Office 365 account. Access will therefore be granted in a very similar way to the way OneDrive for Business does it’s sharing. This means, that after entering a non-Azure AD account, the account will be sent a verification code that needs to be entered as shown above.


Checking back in the Gmail account, the user sees the Account verification code and enters that at the prompt. You’ll also notice that this code is good for 30 minutes. Access outside that will require re-authorisation and a new code.


With the code entered, the user can view the document as shown above. You’ll notice that both the Print and Save As are greyed out.


Upon selecting the View Permissions option for the file, the user can see which permissions they are allowed. Here, as expected, the only permissions available are View.

Now there are some restrictions around the file types supported for classification, labelling and protection. You can read more about those here:

Admin Guide: File types supported by AIP unified labelling client

However, you should be able to protect just about any file and allow the Save As upon delivery to protect the file contents during transmission.

Azure Information Protection basically allows you to apply unique permissions to an individual document. This ensures that the permissions travel with, and are obeyed, no matter where or to whom the document is sent. That is a very powerful way to protection your information and as you can see, once you have configured the label it is very easy to apply to any document directly using Windows Explorer.

Azure Information Protection in some form is included in most Office 365 Enterprise SKUs but is also importantly included in Microsoft 365 Business. You cab also purchase it as a stand alone offering. Have a look at:

Requirements for Azure Information Protection

for more details.

CIAOPS Need to Know Microsoft 365 Webinar–August


Time for the August webinar. This month we’ll take a look at device management using Microsoft 365. The aim will be to show you how Microsoft 365 can help secure and manage iOS, Android, Windows 10 and even MacOS easily. I’ll again be using Microsoft Teams Live Events to host this, so by being part of this you’ll also see how this great technology from Microsoft functions. There will also be the latest Microsoft Cloud news as well as Q and A plus loads more. I’d love if you’d come along and be part of this.

You can register for the regular monthly webinar here:

August Webinar Registrations

The details are:

CIAOPS Need to Know Webinar – August 2019
Friday 30th of August  2019
11am – 12am Sydney Time

All sessions are recorded and posted to the CIAOPS Academy.

There of course will also be open Q and A so make sure you bring your questions for me and I’ll do my best to answer them.

The CIAOPS Need to Know Webinars are free to attend but if you want to receive the recording of the session you need to sign up as a CIAOPS patron which you can do here:

or purchase them individually at:

Also feel free at any stage to email me directly via with your webinar topic suggestions.

I’d also appreciate you sharing information about this webinar with anyone you feel may benefit from the session and I look forward to seeing you there.

Need to Know podcast–Episode 212

In this episode I speak with Darrell Webster about what happens behind the scenes with the Regarding365 community. A really good discussion around community and the process of regularly creating content. Of course there is also the latest Microsoft Cloud news and yes, Brenton is back to explain where he has been. Tune in for all the details.

This episode was recorded using Microsoft Teams and produced with Camtasia 2019

Take a listen and let us know what you think –

You can listen directly to this episode at:

Subscribe via iTunes at:

The podcast is also available on Stitcher at:

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.






What’s new in Teams – July 2019

New to Microsoft 365 in July

OneDrive round up – July 2019

New Flow and PowerApps licensing

An Office 365 Guide to PowerApps and Flow licensing

Microsoft Defender ATP evaluation lab is now available

Without enrollment and Outlook for iOS and Android general app configuration

What’s new with Microsoft 365 – July [VIDEO]

Ring Central Teams

Teams in the Classroom [VIDEO]

CIAOPS MS-100 online Certification training


I have just opened up the next round of the CIAOPS MS-100 online certification training.

The cost of the course is:

Patron Level AU$ Price inc GST
Gold Enterprise Free
Gold $33
Silver $99
Bronze $176
Non patron $399

The course will include:

The course will run over 4 weeks commencing on Monday the 12 of August and finish on Sunday the 15th of September.

The aim of this course is help you prepare to pass the MS-100 certification and should not be considered as a ‘general’ training course on Microsoft 365. I will ask you to commit to sitting the exam prior to the 1st of October 2019. If you pass the exam prior to this date you will be eligible for some special offers, however if you wish to take longer than that you can complete the exam at your leisure but with no additional benefits.

If you wish to be part of this program email me ( asap so I can reserve you place. Enrolment closes on Friday the 9th of August at 5pm.

You may want to read my thoughts on why I believe certification is becoming increasingly important with the cloud:

The benefits of certification

I hope you’ll sign up to become certified in Microsoft 365.