Legitimate non-MFA protection

There is no doubt that multi-factor authentication (MFA) is a great thing for the majority of accounts. It is probably the best protection against account compromise. However, are there times when MFA doesn’t make sense?

Security is about minimising, not eliminating, risk. This means that it is a compromise and never an absolute. Unfortunately, MFA is a technology and all technologies can fail. If MFA failed, or was unavailable for any reason, then accounts would be unavailable. This could be rather a bad thing if such an issue persisted for an extended period of time.

In such a situation, it would be nice to be able to turn off MFA for accounts, so users could get back to work, and re-enable it when the MFA service is restored. However, today’s best practice is to have all accounts, especially administrators, protected by MFA.

A good example is the baseline policies that are provided for free in Microsoft 365 as shown above.

You’ll see that such a policy requires MFA for all admin roles.

And yes, there is a risk for admin accounts that don’t have it enabled but there is also a risk if it is enabled and MFA is not working for some reason.

The challenge I have with these types of policies is that they are absolute. It is either on (good) or off (bad), and in the complex world of security that is not the case.

I, for one, suggest there is a case for a ‘break glass’ administration account, with no MFA, that can be used in the contingency that MFA is unavailable to get into accounts and re-configure them if needed. Such an account, although it has no MFA, is protected by a very long and complex pass phrase along with other measures. Most importantly, it is locked away and never used, except in case of emergency. There should also be additional reporting on this account, so its actions are better scrutinised.

Unfortunately, taking such an approach means that you can’t apply such absolute policies. It also means that you won’t be assessed as well in things like Secure Score. However, I think such an approach is more prudent than locking everything under MFA.

As I said initially, security is a compromise. However, it would be nice to see the ability to make at least one exception to the current absolute approach, because service unavailability can be just as impactful as account compromise for many businesses.
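As an added example of the extra reporting such an account needs (this is not code from the original post), the PowerShell below lists every sign-in attempt, successful or failed, recorded against a break glass account, since any activity at all on it should be reviewed. The account name is a placeholder and the sign-in records are constructed so it runs without a tenant; the comment shows how the AzureADPreview module could supply real records, on the assumption that its output uses the same property names.

```powershell
# Added example, not from the original post: report all activity on a 'break glass'
# account that should sit unused outside an emergency.
# Assumption: sign-in records carry the property names used by Azure AD sign-in logs
# (UserPrincipalName, CreatedDateTime, IpAddress, AppDisplayName, Status.ErrorCode).
# With the AzureADPreview module connected, real records could come from:
#   $signIns = Get-AzureADAuditSignInLogs -Filter "userPrincipalName eq '$breakGlass'"
$breakGlass = 'breakglass@contoso.onmicrosoft.com'   # placeholder, use your own UPN

function Get-BreakGlassActivity {
    param(
        [Parameter(Mandatory)] [string]   $Upn,
        [Parameter(Mandatory)] [object[]] $SignIns
    )
    foreach ($s in $SignIns) {
        if ($s.UserPrincipalName -ne $Upn) { continue }
        # ErrorCode 0 is a successful sign-in; anything else is a failed attempt,
        # which is just as interesting for an account nobody should be touching.
        $outcome = if ($s.Status.ErrorCode -eq 0) { 'SUCCESS' } else { "FAILED($($s.Status.ErrorCode))" }
        [pscustomobject]@{
            When    = $s.CreatedDateTime
            Outcome = $outcome
            From    = $s.IpAddress
            App     = $s.AppDisplayName
        }
    }
}

# Constructed sample records so the function can be exercised offline.
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.onmicrosoft.com'; CreatedDateTime = '2019-09-01T08:00:00Z'; IpAddress = '203.0.113.5';  AppDisplayName = 'Office 365 Exchange Online'; Status = @{ ErrorCode = 0 } },
    [pscustomobject]@{ UserPrincipalName = $breakGlass;                     CreatedDateTime = '2019-09-01T23:14:00Z'; IpAddress = '198.51.100.7'; AppDisplayName = 'Azure Portal';               Status = @{ ErrorCode = 50126 } },
    [pscustomobject]@{ UserPrincipalName = $breakGlass;                     CreatedDateTime = '2019-09-01T23:16:00Z'; IpAddress = '198.51.100.7'; AppDisplayName = 'Azure Portal';               Status = @{ ErrorCode = 0 } }
)

$hits = @(Get-BreakGlassActivity -Upn $breakGlass -SignIns $sample)
if ($hits.Count -gt 0) {
    Write-Warning "Break glass account '$breakGlass' has $($hits.Count) sign-in event(s); review immediately."
    $hits | Format-Table -AutoSize
} else {
    Write-Output "No activity on '$breakGlass'."
}
```

With the constructed sample the report shows one failed and one successful sign-in from the same address two minutes apart, which is exactly the pattern that should page someone.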

Connecting to Exchange Online with Azure Cloud Shell

I’ve written previously about Azure Cloud Shell and how handy it is when it comes to connecting to your tenant with PowerShell. What you may not realise is that you can also use Azure Cloud Shell to connect to Exchange Online! All you need to do once you have launched Azure Cloud Shell is run the command:

connect-exopssession

As you can see from the above, I have connected and then used the command get-mailbox inside Azure Cloud Shell.

This now means you could copy my mailbox forwarding checking script:

https://github.com/directorcia/Office365/blob/master/o365-exo-fwd-chk.ps1

into your Clouddrive that is part of Azure Cloud Shell and run it.

And thanks to Clouddrive it will be there next time you use Azure Cloud Shell. Handy eh? If you want to learn about this capability, visit:

Azure Cloud Shell now supports Exchange Online
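To show the kind of check a forwarding script performs, here is an added example (my own code, not the script linked above) that lists mailbox-level forwarding and forwarding or redirecting inbox rules across the tenant and flags any target outside your own domains, since silent forwarding is a common sign of a compromised mailbox. The domain list is a placeholder, and it assumes an existing Exchange Online PowerShell session such as the one connect-exopssession opens in Cloud Shell.

```powershell
# Added example, not the linked script: find mail leaving the tenant via forwarding.
# Assumption: run inside an Exchange Online PowerShell session (for example after
# Connect-EXOPSSession in Azure Cloud Shell). Replace the domains with your own.
$internalDomains = @('contoso.com', 'contoso.onmicrosoft.com')   # placeholders

function Test-ExternalAddress {
    param([string] $Address)
    # Handles both 'smtp:user@domain' (mailbox property) and the
    # '"Name" [SMTP:user@domain]' form that inbox rules use.
    if ($Address -match '@([A-Za-z0-9.-]+)') {
        return $internalDomains -notcontains $Matches[1].ToLower()
    }
    return $false
}

function Get-ForwardingReport {
    foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
        # Mailbox-level forwarding, set by an admin or by anyone holding admin rights.
        if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
            [pscustomobject]@{
                Mailbox  = $mbx.UserPrincipalName
                Source   = 'Mailbox property'
                Target   = ($mbx.ForwardingSmtpAddress, $mbx.ForwardingAddress | Where-Object { $_ }) -join '; '
                External = Test-ExternalAddress $mbx.ForwardingSmtpAddress
                KeepCopy = $mbx.DeliverToMailboxAndForward
            }
        }
        # User-level inbox rules; a disabled rule is still worth knowing about.
        foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
            $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) | Where-Object { $_ }
            if ($targets) {
                [pscustomobject]@{
                    Mailbox  = $mbx.UserPrincipalName
                    Source   = "Inbox rule '$($rule.Name)'" + $(if (-not $rule.Enabled) { ' (disabled)' })
                    Target   = ($targets -join '; ')
                    External = ($targets | ForEach-Object { Test-ExternalAddress $_ }) -contains $true
                    KeepCopy = $true
                }
            }
        }
    }
}

# External targets sort to the top; review those first.
Get-ForwardingReport | Sort-Object External -Descending | Format-Table -AutoSize
```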

Need to Know podcast–Episode 215

In this episode I speak with Alex Fields about the power of conditional access. You’ll learn what it is, how to implement it, as well as many best practices recommended by Alex based on his experience and knowledge. The great news is conditional access is part of Microsoft 365 Business, so listen in for the way to make it work to protect your information.

Brenton and I also bring you up to speed with all the latest Microsoft Cloud news, so listen in for the latest as always. We hope you enjoy this episode and don’t forget to send us your feedback.

This episode was recorded using Microsoft Teams and produced with Camtasia 2019

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-215-alex-fields/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

@vanvfields

@contactbrenton

@directorcia

CIAOPS Patron Community

ITProMentor

ITProMentor – Best practices

Attacker Kill Chain described

ITProMentor – Free Microsoft 365 Business eBook

ITProMentor – Licensing Guide

Telstra Purple

New version of To-Do

Authenticator backup on Android now available

Prepare for iPadiOS Launch

New webparts coming to SharePoint

Azure QuickStart Center

Top 5 advantages of syncing with OneDrive

Modernize your root site

Need to Know podcast–Episode 214

I chat with Microsoft MVP Mark O’Shea about the Microsoft 365 technical information from the recent Microsoft Inspire in Las Vegas. The focus is not on the partner information but on the technical announcements from the conference, and yes, there were plenty. Brenton and I are also back together to bring you up to date with everything that is happening in the Microsoft Cloud. Enjoy the episode.

This episode was recorded using Microsoft Teams and produced with Camtasia 2019

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-214-mark-oshea/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

@intunedin

@contactbrenton

@directorcia

Intunedin

Microsoft 365 Dark Mode

What’s new in Microsoft 365 [VIDEO]

New to Microsoft 365 in August

Outlook Flow connector changes

Higher tech for higher ed

Soft Delete for Azure Backup Virtual Machines

Microsoft Azure available from new cloud region in Switzerland

Requested features for list groups

Enhanced QuickEdit for SharePoint Online

Meet the new Outlook on the web

Azure Sentinel

Windows 7 end of support

Office 2010 end of support

Microsoft 365 Security and Compliance

Conditional Access

Windows Virtual Desktop

Edge Insider Enterprise preview

Microsoft 365 Training Day: Security and Compliance day

MyAnalytics

CIAOPS Techwerks 8 – Adelaide October 2019

CIAOPS Techwerks 9 – Melbourne November 2019

Need to Know podcast–Episode 213

A quick news update followed by an engaging interview with Amy Babinchak around some of the cloud topics she will be presenting at some upcoming events. Amy is owner of Harbor Computer and Third Tier Consulting, and an Office 365 MVP to boot, so there is plenty of great learning to be had listening in.

This episode was recorded using Microsoft Teams and produced with Camtasia 2019

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-213-amy-babinchak/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

@ababinchak

@contactbrenton

@directorcia

Samsung and Microsoft Alliance

Updates to SharePoint authoring

Top 5 advantages of OneDrive for Business

MFA and end user impacts

Set up conditional access with Microsoft Search in Bing

New Azure files authentication

Lower pricing for Azure storage

Chromium version of Edge now has a beta channel

Sharing an Azure Information Protected file

Let’s say that we have a super secret text file with the contents shown above that we want to share with an external contact outside our Microsoft 365 tenant. We want to ensure that the document is encrypted and only viewable by those we have deemed to have permissions. We also want to restrict external users to have read only access to the file. How can we achieve that? With Azure Information Protection (AIP).

The first step in the process is to define an Azure Information Protection label with the permissions desired. You can see in the above that access for this label is defined for a Gmail account and the permissions for this account are set to “Viewer” (i.e. read only).

This label then needs to be added to a policy and pushed out to those Microsoft 365 users who will be creating documents, so it is available on their machines.

Users should already have the Microsoft Azure Information Protection client for Windows installed on their machines. Doing so adds an Azure Information Protection banner to their Office desktop applications as well as an extension to Windows Explorer when they right-click on a file, as shown above.

You typically use this Windows Explorer extension when you want to protect non-Office documents. You do this by selecting Classify and Protect as shown above.

This will launch the AIP client and allow you to apply the protection label that was created previously in the Azure portal. To apply that specific label to protect the document simply select the label name as shown above. You should then see the Sensitivity set to that level in the top left. Don’t forget to select the Apply button in the bottom right to actually protect the file!

You should now see that the file is a “Protected Text File” and that it has a new icon. You will also notice that the extension here is now .PTXT for protected text file.

That file can now be uploaded to OneDrive for Business and appears as shown.

If that protected file is now sent outside the organisation, using any method, and is opened with the native viewer, here Notepad, you’ll note the message saying that the file is protected and that to view it you must download Microsoft’s protected file viewer. This is actually exactly the same client that was used earlier, the Microsoft Azure Information Protection client for Windows. So, this will need to be downloaded and installed on the destination machine to allow viewing of the file.

Once the Microsoft Azure Information Protection client for Windows has been installed, the file should open automatically in the Azure Information Protection Viewer when you open it. If it doesn’t, just launch the Azure Information Protection Viewer first, and then use it to open the protected document.

Because the document is protected the user will now be asked to enter their credentials as shown. This will be their email address.

In this case, the email address with permissions is a Gmail account, which isn’t an Azure AD account like, say, an Office 365 account. Access will therefore be granted in a very similar way to the way OneDrive for Business does its sharing. This means that after entering a non-Azure AD account, the account will be sent a verification code that needs to be entered as shown above.

Checking back in the Gmail account, the user sees the Account verification code and enters that at the prompt. You’ll also notice that this code is good for 30 minutes. Access outside that will require re-authorisation and a new code.

With the code entered, the user can view the document as shown above. You’ll notice that both Print and Save As are greyed out.

Upon selecting the View Permissions option for the file, the user can see which permissions they are allowed. Here, as expected, the only permissions available are View.

Now there are some restrictions around the file types supported for classification, labelling and protection. You can read more about those here:

Admin Guide: File types supported by AIP unified labelling client

However, you should be able to protect just about any file and allow the Save As upon delivery to protect the file contents during transmission.

Azure Information Protection basically allows you to apply unique permissions to an individual document. This ensures that the permissions travel with the document, and are obeyed, no matter where or to whom it is sent. That is a very powerful way to protect your information and, as you can see, once you have configured the label it is very easy to apply to any document directly using Windows Explorer.

Azure Information Protection in some form is included in most Office 365 Enterprise SKUs and, importantly, is also included in Microsoft 365 Business. You can also purchase it as a stand-alone offering. Have a look at:

Requirements for Azure Information Protection

for more details.

Need to Know podcast–Episode 211

Where’s Brenton? Share your thoughts here – http://bit.ly/whereisbj

Microsoft has rolled back its recent planned partner changes, we have some new Intune security baseline policies to try (and troubleshoot), and Teams leads Slack in user numbers. I speak with Marc Kean to get the low down on what Azure storage is all about. All this and a lot more on this episode.

This episode was recorded using Microsoft Teams and produced with Camtasia 2019

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-211-azure-storage/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

@marckean

@directorcia

Updates to partner program (again)

Microsoft Intune announces security baselines

Exchange Online PowerShell WinRM issue

What is Azure Lighthouse?

Without-enrollment and Outlook for iOS and Android

Teams reaches 13 million active users

Planner and To-Do integration

New PowerApps and Flow licensing

Azure storage

Azure File Sync

CIAOPS Techwerks 8–Adelaide October 24

I am happy to announce that Techwerks 8 will be held in Adelaide on Thursday the 24th of October. The course is limited to 15 people and you can sign up and reserve your place now! You reserve a place by completing this form:

http://bit.ly/ciaopsroi

or by sending me an email (director@ciaops.com) expressing your interest.

The content of these all day, face to face workshops is driven by the attendees. That means we cover exactly what people want to see and focus on doing hands on, real world scenarios. Attendees can vote on topics they’d like to see covered prior to the day, and we continue to target exactly what the small group of attendees wants to see. Thus, this is an excellent way to get really deep into the technology and have all the questions you’ve been dying to know answered. Typically, the event produces a number of best practice takeaways for each attendee. A special part of this event will be sessions by MVP Amy Babinchak as well as some other surprise guests.

Recent testimonial – “I just wanted to say a big thank you to Robert for the Brisbane Techwerks day. It is such a good format with each attendee asking what matters to them and the whole interactive nature of the day. So much better than death by PowerPoint.” – Mike H.

The cost to attend is:


Patron Level      Price Inc GST
Gold Enterprise   Free
Gold              $33
Silver            $99
Bronze            $176
Non Patron        $399

The CIAOPS Techwerks events are run regularly in major Australian capital cities, so if you can’t make this one or you aren’t in Adelaide on that date, stay tuned for more details and announcements soon. If you are interested in signing up, please contact me via email (director@ciaops.com) or complete the form:

http://bit.ly/ciaopsroi

and I can let you know all the details as well as answer any questions you may have about the event.

I hope to see you there.