Microsoft 365 collaboration framework training

On February 14th 2023 I’ll be running a collaboration framework training course for Microsoft 365 environments. Training will held remotely via Microsoft Teams. The session will be two (2) hours and run from 9am Sydney time.

The sessions will be recorded and other materials from the sessions (checklists, etc) will be available to attendees afterwards.

The aim of this training is to help you better prepare for the move to the Microsoft 365 collaboration environment utilising services such as Teams, SharePoint, OneDrive for Business, and so on. You’ll be shown a tested framework that you can use when designing a modern collaboration environment to ensure a business gets the most from their investment in Microsoft 365. You’ll also learn tips and tricks on how to implement this successfully inside a modern organisation, whether large or small. If you want to get the most from your Microsoft 365 collaboration environment, this course is for you. The price for this event will be:

Gold Enterprise Patron = Free

Gold Patron = Free

Silver Patron = Free

Bronze Patron = $33 inc GST

Non Patron = $99 inc GST

You can learn more about the CIAOPS Patron community at www.ciaopspatron.com.

I hope that you’ll join me in February for this event as I believe it help you improve how to get the most from the Microsoft 365 to improve day to day operations.

You can register you interest in attending this course here – http://bit.ly/ciaopsroi after which I’ll be in contact with you to arrange payment and get you enrolled.

As always, if you have any questions about this training please email me on – director@ciaops.com.

I hope to see you there.

Need to Know podcast–Episode 292

The editorial for this episode is an always controversial topic on backing up Microsoft/Office 365. I am going to highlight some of the facts that, unlike what some say, Microsoft does indeed backup customer data and you’ll find all the links in the show notes.

This is the last episode before Christmas so thanks to all listeners for their support and I wish everyone a happy and safe time over the holidays. No break here, and I’ll be back with the latest news and updates again soon.

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-292-microsoft-365-backup/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send me any feedback or suggestions you may have for the show.

This episode was recorded using Microsoft Teams and produced with Camtasia 2022.

Brought to you by www.ciaopspatron.com

Resources

@directorcia

@directorcia@twit.social

Join my shared channel

CIAOPS merch store

Become a CIAOPS Patron

CIAOPS Blog

YouTube edition of this podcast

Use Access policies to require multiple administrative approvals

Introducing enhanced company branding for sign-in experiences in Azure AD

Office 365 company branding requirements have changed

New Admin Center Unifies Azure AD with Other Identity and Access Products

New Layout Options for OneNote on Windows are coming soon

Introducing Microsoft Teams Premium

Announcing new removable storage management features on Windows

Microsoft Defender for Cloud Apps data protection series: Understand your data types

Microsoft Security Product Reviews: Give product feedback & get rewarded!

Backup

Revisiting some facts around Microsoft 365 backup

Do you need to backup Office 365?

Microsoft policy on backup (Sept 2022)

“Additionally, each service has established a set of standards for storing and backing up data, and securely deleting data upon request from the customer.”

The Essential 8 Security guidelines

Search essential 8

Office 365 company branding requirements have changed

*** Update ***

The issue with my tenant not displaying company branding as it used to was due to a bug in the interface. Microsoft have now rectified that and I have access to company branding as I once used to.

It seems that the requirements to configure Office 365 company branding have changed. The official documentation is here:

https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/customize-branding#license-requirements

which says:

License requirements

Adding custom branding requires one of the following licenses:

Azure AD Premium 1
Azure AD Premium 2
Office 365 (for Office apps)

However, I definitely know this wasn’t the case until very recently, because a tenant I have without Azure AD P1 or P2 that allowed company branding configuration and now does not. So, something has indeed changed recently and I can find no acknowledgement or documentation of that. The existing branding of the tenant remains unchanged but I can no longer make changes.

If you don’t have Azure AD P1 or P2 in your environment you can always sign up for a 30 day trial and make changes. However, after that 30 days ends you’ll need to buy a full Azure AD P1 or P2 license it seems, if you wish to modify the company branding it seems.

I would have thought that in a world where we want to make tenants more secure using something like branding to help reduce the risk of phishing attacks tricking users into putting their details into false portals, the ability to brand a tenant would be available to all licenses.

Hopefully, this is simply an over sight by Microsoft and the ability is returned. However, for now it appears they are fully enforcing the licensing when it comes to company branding and requiring an Azure AD P1 or P2 licenced user to make changes.

What to check with spoofed email in Microsoft 365

If you find that a spoofed email is reaching users inboxes in Microsoft 365 (say something like managing.director@gmail.com pretending to be managing.director@yourdomain.com) then here are some initial suggestions and things to check.

Firstly, ensure you have SPF, DKIM DMARC configured for your domain. They all help reduce spoofed emails getting to the inbox.

Set up SPF to help prevent spoofing

Support for validation of DKIM signed messages

Use DMARC to validate email

Next, run the analyzer that is built into the Microsoft 365 Security Center to see where your policies may deviate from best practices.

Configuration analyzer for protection policies in EOP and Microsoft Defender for Office 365

and you’ll find those best practice settings here:

I’d be checking against the strict rather than the standard settings if it was me.

In the settings for your spam policy in Exchange Online there are a few additional settings you can enable as shown above. Even though the Microsoft best practices doesn’t recommend it, I still have most of these set and at a minimum recommend that the SPF hard fail option be enabled.

In your Anti-phishing policies ensure the option for Show first contact safety tip is enabled as shown above. Microsoft Best Practice policies don’t set this. In general make sure all the above settings are all enabled as shown.

Another good indicator to configure is

Set-ExternalInOutlook -Enabled $true

using PowerShell, that will let you know about

Native external sender callouts on email in Outlook

Another custom adjustment you can consider is changing the Spam Confidence Level (SCL)

Spam Confidence level (SCL) in EOP

A further option you may wish to tweak beyond Microsoft’s recommended best practices is the phishing thresholds in anti-phishing policies:

Advanced phishing thresholds in anti-phishing policies in Microsoft Defender for Office 365

When you get emails that are confirmed as trying to trick users, make sure you report them to Microsoft

How do I report a suspicious email or file to Microsoft?

Use the Submissions portal to submit suspected spam, phish, URLs, legitimate email getting blocked, and email attachments to Microsoft

Probably the best way to do that is to use the free add-in that works with Outlook.

Enable the Report Message or the Report Phishing add-ins

doing so helps build the intelligence for Exchange Online as well as helping others who may see similar insecure emails.

The final option available to you is always to reach out to Microsoft for assistance.

Get help or support for Microsoft 365 for business

I would also suggest you check any white listing options you may have in Exchange Online as these are easily forgotten over time. Best practice is not to white list any domain or specific email address but always check when you see repeated emails get through filtering. I can’t tell you how many times I find this as the cause of any issue. Keep in mind, there are few places that you can white list emails:

Create safe sender lists in EOP

You can of course also block the insecure sender:

Create blocked sender lists in EOP

Remember that if you tighten your email security the result will probably be an increase in false positives, at least initially, as Exchange Online learns to evaluate the changes and user behaviours based on the updated settings. Email security is not an exact science. The bad operators are working just as hard to bypass all these settings so it is always going to be a game of cat and mouse. However, hopefully, using the Microsoft recommended best practices and some additional tweaks as suggested above, you can prevent the vast majority of insecure emails out of your users email boxes.

Enabling security defaults will enforce MFA on external users

A really good questions that I came across was whether enabling security defaults on a tenant will enforce MFA for external guest users.

Here is the documentation for security defaults:

Security defaults in Azure AD

and when enabled one of the things it will do is:

Require all users to register for Azure AD Multi Factor

which says:

All users in your tenant must register for multi-factor authentication (MFA) in the form of the Azure AD Multi-Factor Authentication. Users have 14 days to register for Azure AD Multi-Factor Authentication by using the Microsoft Authenticator app. After the 14 days have passed, the user can’t sign in until registration is completed. A user’s 14-day period begins after their first successful interactive sign-in after enabling security defaults.

The question is does “all users” include external guest users who have been invite into a tenant for collaboration on Microsoft Teams say? This is important because Microsoft is starting to enforce security defaults on all tenants.

Interestingly, none of the documentation seems to call out specifically whether “all users” does in fact include external guest users. After some digging I came across this post:

All users should be changed to all “member” users · Issue #78194 · MicrosoftDocs/azure-docs (github.com)

which has a response from someone at Microsoft and it says:

“Follow up from the product group… Security defaults should apply to guest users as well.”

So it looks as though it does indeed appear that security defaults applies to external guest users but I wanted to be sure.

I took a generic Gmail account I use and invited that user into a demo tenant that didn’t have security defaults enabled.

That user went through the expected process of connecting to the tenant.

using the email code verification process.

until they could access the tenant.

I also verified that they appeared in the Azure AD for that tenant.

So everything as expected so far.

Next, I invited that same user to a Microsoft Team inside that tenant.

and they could access that Team using the normal email code authentication process. I tried this a few times to ensure they could access the Team without needing anything but the usual email code. So far, so good still.

I then went in an enabled security defaults for the tenant.

After a few minutes wait to let the policies kick in I tried to login as the external guest user again to Microsoft Teams directly, and after providing a login and getting an email code I was prompted to enable MFA for the user as seen above.

Selecting Next will take you through the standard MFA registration process as you see above.

It is therefore the case that if you enable security defaults for a tenant, all users, INCLUDING any external guest users, will be REQUIRED to enable MFA to access resources inside that tenant.

Why this is important is because Microsoft will be enabling security defaults on ALL tenants as detailed here:

Raising the Baseline Security of all organizations in the World

which says:

“Based on usage patterns, we’ll start with organizations that are a good fit for security defaults. Specifically, we will start with customers who aren’t using Conditional Access, haven’t used security defaults before, and aren’t actively using legacy authentication clients.

Global admins of eligible tenants will be notified through email and the Microsoft 365 Message Center. Then, starting in late June [2022], they’ll receive [a] following prompt during sign-in”

Being it is now June 2022, this process has commenced. You can disable security defaults if you wish, even after they have been enabled, if desired per the details in the above link.

Given that I couldn’t find a specific answer about global external users being impact by security defaults, hopefully this now provides a reference for other looking for the same information.

Teams on the web failing to login

(Be patient, the video might take a few moments to load)

I recently had an issue accessing Microsoft Teams using a web browser even after logging into Microsoft 365. I could get to just about everything else but Teams, which always threw up a login dialog as shown above.

The issue turned out to be the time of the local device which hadn’t updated for some reason after a change to daylight savings time. Thus, the local devices (Windows 11) for some reason was one hour ahead. After changing this so the workstation had the correct time, everything worked as expected.

Hopefully,this helps someone else who is searching for this strange one.

Get a list of devices from Defender for Business into a SharePoint list

One of great things about an API is that it can be used in many places. I showed how to:

Offboard devices from Microsoft Defender for Business using an API with PowerShell

and I can do something similar with the Power Platform.

First step in that process is to get a list of Microsoft Defender for Endpoint devices and put them into a pre-existing list in SharePoint. For that I use the above Flow.

Once the Flow has been triggered I grab the Azure AD application credentials from the Azure Key Vault. I’ve covered off how to create an Azure AD application here:

https://blog.ciaops.com/2019/04/17/using-interactive-powershell-to-access-the-microsoft-graph/

and using a PowerShell script I wrote here:

https://blog.ciaops.com/2020/04/18/using-the-microsoft-graph-with-multiple-tenants/

Getting the Azure AD application credentials into an Azure Key Vault can be done manually or by using this scripted process I’ve covered previously:

Uploading Graph credentials to Azure Key Vault

Once they are in the Azure Key Vault they are easy to access securely using the Flow action Get secret as shown above.

The next step is to delete devices I already have in the list in SharePoint because I want only current devices to be brought in. To achieve this, I get all the items from my destination SharePoint list using the Get items action. Then, using the Apply to each action and the Delete item action inside that loop, existing entries will be removed so I have a clean list.

I’ll now use the HTTP action to execute an API call to the Defender environment as shown above. The API endpoint URI to get a list of devices in Defender for Endpoint is:

https://api.securitycenter.microsoft.com/api/machines

Access is granted via Active Directory Auth and the Authority is https://login.microsoftonline.com. You also need to use the credentials of the Azure AD application obtained previously from the Azure Key Vault, as shown above. Ensure that the Audience is https://api.securitycenter.microsoft.com/.

The output of this API request will be a JSON file so we now use the Parse JSON action to obtain the fields needed. To understand what the JSON looks like and insert a copy into this action look at the Microsoft documentation here:

List machines API

which provides a response sample that you can use.

The last action in the Flow is to take the parsed JSON output and enter those details into the pre-existing SharePoint list that you need to create to house this information.

I’ve kept the destination list simple, as you can see above. Basically, the final Apply to each action places each device and its information as a row into the destination SharePoint list.

If I now run this Flow, I see it runs successfully.

Looking at my SharePoint list I see I have a new list of items as expected.

If you weren’t aware, the ‘eyelashes’ on an entry in SharePoint indicate it is new.

Now I have copy of all the machines in my Defender for Endpoint in a SharePoint list. You will also see that my SharePoint device list contains an additional ‘Offboard” column that I am going to use when I implement another Flow to offboard devices from Defender for Endpoint, much like I did with PowerShell previously.

You can also easily extend the operation across multiple tenants if I want using Azure AD applications in each.

The great thing about using the Power Platform and APIs is that for many, it is much easier to get the result they want rather than having to write code like PowerShell. Also, the Power Platform environment has many capabilities, such as sending emails, adding extra metadata, etc. that are much easier to do than using PowerShell. Once the Defender for Endpoint device list is in SharePoint there is really no end to what could be done.

With that in mind, stay tuned for an upcoming post on how to use what’s been done here and another Flow to actually offboard devices from Defender for Endpoint.

Celebrating anniversaries with Power Automate

A very common requirement is to remind people about anniversaries. In a business this could take the form of birthdays or commencement dates. It could, however, just as easily be any sort of event that happens on a certain date.

Previously, I’ve shown how to:

Send recurring tweets using Microsoft Flow

However, in this case, instead of simply rotating through a list of posts we want to match today’s date to a date on a list and then broadcast the message that corresponds to that date entry.

The starting point for this process is to create a reference list containing the dates and details you wish to share. I recommend that easiest place to do this is in a SharePoint list, as shown above. Of course, this list can contain as much detail and additional columns as you wish, but for this, I’ll keep it simple and just have two fields. It is important that you have at least one column (here Dateoption) that refers to the current year in which that item will be displayed.

For simplicity, I have also configured my date column in the SharePoint list to exclude time and display in standard format as shown above. There is nothing stopping you using Date & Time if you wish, it just makes the filtering a little more complex later in this process.

You’ll then want to create a Power Automate Flow that looks like this:

It all starts with a Recurrence action that will trigger this process once a day like so:

If you select the Show advanced options in this action like so:

You can set an exact time when this Recurrence action will be triggered (say 10am). However, since this example is a daily anniversary, we only need to trigger it at any time during the day.

We now need our process to determine what the current date is and we can do this using the Current time action as shown above.

Next, add the Convert time zone action. There are two reasons for adding this action. Firstly, the Current time action returns today’s date in UTC which may cause issues if you are not in that time zone like me. Thus, I want the current time BUT I want it as a local value (i.e. to reflect the actual time in Sydney, Australia), thus the Source and Destination time zone field settings.

The second reason for the Convert time zone action is so the time value is in the right format for a comparison test later on in the process. Thus, the Format string field should be set to yyyy-MM-dd as shown.

Now, I need to add the Get items action to actually go and look at what is in my SharePoint list.

In this action I enter the Site Address and List name, however I also expand the advanced options to reveal the Filter Query field as shown.

The Filter Query field will limit the items returned by this action to only those that match the filter. Thus, I want the returned items to only be those that match today’s date, which I have correctly formatted and stored in the Converted time action result. Thus, I want to compare the date field from my SharePoint list (here Dateoption) to the Converted time result. It is important to note that I have enclosed Converted time result in single quotes (‘) to convert the value to a string for comparison. It is very important that you do that, otherwise you’ll get errors when your Flow runs.

With the values that the Get Items action returns you’ll need to perform a number of steps. For this you use the Apply to each action as shown above.

In the case of this example, I’m simply going to post the text from the Title field in the SharePoint list that matches today’s date into a chat message as shown above. Again, this action could be anything you want, in fact, I’ll talk about how I use this with Twitter later on. For now the expectation is that if there is a match in the SharePoint list for today’s date, then the text for that entry will appear in a Teams chat message.

We need to do one more thing before we are finished here. As this is an anniversary calendar, we want to increment the current item for today and have it reoccur on the same date next year. To do that we use the Add to time action as shown by adding 12 months to the result date we have determined as shown above.

Before the new date can be added back to the SharePoint list it needs to be formatted correctly. This is achieved using the Compose action as shown using the following expression:

formatDateTime(body(‘Add_to_Time’),’yyyy-MM-dd’)

You’ll notice that that date format yyyy-MM-dd is the same as the one we set in Convert time zone action earlier.

All that remains is to use the Update item action to update the item in the SharePoint list with the new date entry just composed. As shown above, the same SharePoint site and list is selected, along with the item ID and Title but the Dateoption field is set to contain our new formatted date output from the previous action.

You can now save your Flow and run a manual test.

If I look at the chat in my Team I see the expected message that matches the item Title field in the original SharePoint list.

Also looking at my original SharePoint list I see that the date of today’s item has been incremented twelve months as shown.

One of the ways that I use this process with Twitter is to regularly post anniversary dates around ANZAC participation from World War One, which are taken from my site ANZACS in France.

The idea is that that the Flow checks this list of dates and then tweets out the text in the Title field if there is a match. Then it increments the PostDate field twelve months ready for next year. You’ll also see that I have added another custom column that records the original date of action just so I can filter and sort easily. Feel free to follow @ANZACSIF to be reminded of these dates.

As I initially mentioned, I believe there are plenty of applications for this type of process in a business. The most common ones I would suggest are for staff birthday and anniversary reminders. The great thing is that with Power Automate it is easy to modify this process to suit whatever need to have. It also makes it easy to edit the events and more if you need to because all you need to do is modify the SharePoint list that this process uses.

The possibilities are endless thanks to the Power Platform.