Information about SharePoint, Microsoft 365, Azure, Mobility and Productivity from the Computer Information Agency
Slides from this month’s webinar are at:
February 2021 Microsoft 365 Need to Know Webinar
If you are not a CIAOPS patron you want to view or download a full copy of the video from the session you can do so here:
http://www.ciaopsacademy.com.au/p/need-to-know-webinars
Watch out for next month’s webinar.
I swear it was all working and now BOOM, it doesn’t! Using PowerShell I had been creating Endpoint Security policies but now those same policies were still being created but WITHOUT the configuration settings I had configured.
You can try this for yourself if you wish, without needing to code. Firstly visit the Microsoft Graph Explorer and authenticate.
Change the method to POST, set the API to beta and use the URL = https://graph.microsoft.com/beta/deviceManagement/templates/6cc38b89-6087-49c5-9fcf-a9b8c2eca81d/createInstance
Then in the Request body use the following:
https://gist.github.com/directorcia/6d8d2e5199c32b22b6fe782739447dc4
If you do you’ll find a new Endpoint Security Attack Surface Reduction – ASR rule has been created like so:
If you look at settings for this policy you’ll see:
all the settings are Not configured!
So, no errors during the POST but no settings! Strange.
If however you return to the Request body and change the word value to settingDelta as shown above and then run the same query.
Now, the Endpoint Security policy is created and the settings are configured.
So in summary, don’t use value any more it seems with the request body, use settingsDelta.
I see a lot of email configurations in Microsoft 365 that use some form of override to ‘get around’ a delivery issue. Doing so is simply not best practice and in fact opens you up for additional attacks.
For more information, let’s review the Microsoft document:
Create safe sender lists in EOP
which says:
In short, if you are using white lists or the like you are creating a vulnerability in your environment that attackers can exploit. All inbound messages should be filtered through appropriately configured mail filtering policies. If you want information on setting these appropriately see:
Mail flow best practices for Exchange Online and Office 365
Best practices for configuring standalone EOP
Recommended settings for EOP and Defender for Office 365 security
To get an overall picture of all the message overrides in your environment visit the Security and Compliance admin portal:
Locate the Reports option on the left and then select Dashboard as shown, from the expanded options. Then on the right locate the Threat protection status tile as shown and select it.
From the pull down options in the top right, as shown above, select Message override.
You should now see a nice summary of any messages passing through your environment that are overriding your configurations. Don’t forget that you can also View details table and select to Filter in the top right of this report.
A direct link to this report can be found here:
Threat Protection status – Message override
Overriding policies conditions is something that should be avoided as much as possible, simply because it increases the risk in your environment. Also, if you haven’t already, go take a look at what messages are overriding in your environment today and try to eliminate these to improve your security.
Recently, I did a video demonstrating how PowerShell can be used to automate Endpoint Management:
PowerShell with Endpoint Manager
I’ve now also created a video demonstrating how to automate Azure Conditional Access using PowerShell. As before, I am only making these scripts available via the CIAOPS Paton program.
In this video you’ll see me automatically backup up both Conditional Access locations and policies, then apply best practices locations and policies, finally restore the original policies, all using scripting.
Again, these scripts are not free and part of the CIAOPS Paton program. You’ll find my free stuff at https://www.github.com/directorcia.
To better understand the mailbox capacities in Microsoft 365, think of an Exchange Online mailbox as potentially being made up of three distinct components like so:
The process by which the Compliance mailbox is provided 1.5TB of storage is by adding 100GB blocks of space as required. Thus you start with 100GB and when you exceed that another 100GB is added and so on. You can read about this in more detail here:
Overview of auto-expanding archive
Now the capabilities and capacities of each of these individual mailboxes is defined in the Exchange Online limits, which currently are:
The configuration for Microsoft 365 Business Basic, Business Standard, Office 365 E1 and Exchange Online Plan 1 stand alone look like:
For all these licenses you get a 50GB primary mailbox and a 50GB cloud only archive.
So a user with Microsoft 365 Business Standard like so:
will have a primary mailbox of capacity 50GB:
and an archive also of 50GB like so:
Thus, the total mailbox capacity across primary and archive combined here will be 100GB for these plans.
A Microsoft 365 Enterprise E3, E5, Office 365 E3, E5 or Exchange Online Plan 2 mailbox looks like:
It has a 100GB primary mailbox and a 1.5TB max capacity archive thanks to the fact that the features of the Compliance mailbox are baked into these plans as shown above. Confirming this in the Exchange Online limits documentation:
This 1.5TB capacity is provisioned by Auto expanding archive as mentioned previously per:
Where confusion is common is when the capacity of Microsoft 365 Business Premium mailboxes is considered.
As you can see from the above diagram, Microsoft 365 Business Premium is a little bit special because it takes a standard Exchange Online Plan 1 as discussed previously and adds something called Exchange Online Archiving. In simple terms, think of Exchange Online Archiving mapping directly to the Compliance mailbox mentioned early on. In essence, it provides an Exchange Online Plan 1 mailbox will features like 1.5TB storage, litigation hold and so on.
Thus, an easier way to think about a Microsoft 365 Business Premium mailbox is as being almost identical to the mailboxes found in Microsoft E3, E5, Office 365 E3, E5 and Exchange Online Plan 2 stand alone. That is except for one important difference. The Microsoft 365 Business Premium mailbox has a primary mailbox limit of 50GB which is just like the other Microsoft 365 Business mailboxes. This means that maximum amount of data that can be accommodated by a Microsoft 365 Business mailbox in a local OST file is 50GB NOT 100GB like what you receive with Enterprise mailboxes.
In summary then:
Microsoft 365 Business Premium receives this 1.5TB mailbox capability thanks to the inclusion of Exchange Online Archiving as shown above.
To get the best performance of any mailbox it is recommended best practice to ensure that capacities don’t get anywhere near what is detailed here. However, if you must, just keep the capacities and limitations for your license in mind.
Yes Virginia, it is now possible to use PowerShell with Azure Sentinel. Microsoft has made available the Az.Security insights module that allows you to work with Azure Sentinel. You’ll find the module here:
https://www.powershellgallery.com/packages/Az.SecurityInsights/0.1.0
and you install it in your elevated PowerShell environment via the command:
Install-Module -Name Az.SecurityInsights –AllowClobber
To use the module commands you’ll also need to login to Azure. You can do that by using my connection scripts which are here:
An easier way to connect using PowerShell
However, what I’ve done to make it even easier for you by creating a complete script here:
https://github.com/directorcia/Office365/blob/master/az-sentinel-ruleget.ps1
You run the script in your environment like so:
You’ll then be prompted to login to your Azure tenant like so:
You’ll then be prompted to select your Azure subscription where Sentinel is configured:
You should see a list of all the subscriptions in your tenant as shown above. Select the one where Azure Sentinel is configured and select OK to continue.
You’ll then be prompted to select which workspace Azure Sentinel is configured with. Again, just select the appropriate workspace and then OK to continue.
The script will now display a list of all the available Rule Templates in Sentinel as shown above, sorted by most recently added (handy to see what’s new!).
This list is what you see in the Azure Sentinel portal when you select Analytics, then Rule templates as shown above. In effect, this is every analytics rule Sentinel makes available to you.
The next part of the script output will show you every rule in use.
This corresponds with the Active rules area in the web portal as shown above.
The next section of the script output will show you all the available rules and whether they are in use or Active as shown above.
You’ll see something similar if you return to the Rule templates, and note the rules “IN USE”, as shown above.
If you have a close look here, you’ll see rules that have no display name. I’ll cover that a bit further on, as it is still a bit of a mystery to me at this stage.
The last listing in script will show you all the rules that are NOT in use in date order. This is handy as I don’t see anything like this in the web portal.
Finally, the script will give you a summary as shown above.
It is interesting to note that 11 scripts report errors? These seem to be the ones with no names? Still haven’t quite worked that one out yet. You might also see this mismatch in the rules in use as I have above. I need to dig into this a little more. Also a bit strange is the fact that I have 191 scripts reporting in total but if I add the 104 templates in use with the 112 not in use I come to a total of 216! If I then look in the web interface I see:
only 182 templates in total??
This new Azure Sentinel module is only a month old as of writing this article, so early days. Hopefully, these items are minor bugs that will get fixed soon. You can also double check my code to ensure I haven’t something silly. If I have, let me know so I can fix it and share.
However, that considered, I can see this new Azure Sentinel PowerShell module being pretty handy if I’m honest. This script allows me to see when Microsoft adds new rules that I need to go and configure for one. I’ll be spending more time with this PowerShell module to automate how I deploy Azure Sentinel, which I reckon will save me a bucket-load of time.
Looking forward to future updates to this module, but there is no reason you can’t start automating Azure Sentinel yourself today!
Here is video demonstrating what I’ve been working of late. I am only making these scripts available via the CIAOPS Paton program.
The video will show you how I both create and erase policies via script, as well as generate a set of best practice policies and alternatively, importing them from previously saved policies. This saves a huge amount of time when compared creating and assigning policies manually.
Again, these scripts are not free and part of the CIAOPS Paton program. You’ll find my free stuff at https://www.github.com/directorcia.
Welcome to 2021. I’m back with another year of podcasts focused on the Microsoft Cloud. Hope every one had a good break and ready to get into it. We kick of 2021 talking to MVP Alex Fields about security for SMB. Plenty of great take aways, so listen in a learn. I kick things off with news and updates from Microsoft as well. A jam packed episode.
This episode was recorded using Microsoft Teams and produced with Camtasia 2020.
Brough to you by www.ciaopspatron.com
Take a listen and let us know what you think – feedback@needtoknow.cloud
You can listen directly to this episode at:
https://ciaops.podbean.com/e/episode-263-alex-fields/
Subscribe via iTunes at:
https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2
The podcast is also available on Stitcher at:
http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr
Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.Resources
@vanvfields – Alex Fields
Microsoft Edge 88 Privacy and Security Updates
Bringing OneDrive settings into SharePoint admin center for streamlined, centralized control
Get the Microsoft Lists app for iOS
CIAOPS 