A simplified protection model


As much as third party cyber security protection models are handy (i.e NIST Cybersecurity Framework), I personally find them far too complicated for my liking. Complicated generally translates to poorly or not full implemented. That translates into lower levels of security, especially in the SMB space. I think that good security is all about keeping things as simple as possible.

With that in mind, I’ve started to try and nut out my own model. My thoughts so far centre on the above diagram. In the centre is your data. Data is moved and changed via four basic connectors:

1. Email

2. Connections (i.e. to removeable storage, network connections, Internet, etc)

3. Applications

4. Browser

The Data is normally protected by a Device, being a workstation, server or mobile. However, typically it is a workstation as hopefully most people aren’t browsing on servers. The aim also here is to focus on cloud deployments here without on-premises infra-structure.

For the Connectors to interact with Data they must do so across the Device boundary. In the security context, this means that these Connectors also need access to not only the Data but also the Device. Thus, attacks are going to be targeted at either the Data or the Device via the Connectors as I see it.

If we consider that most Data doesn’t include it’s own defensive capabilities because, typically, it is the container in which the data lives that has the defensive capabilities, then we need to look at the defensive capabilities of the Device I believe. It is also worth noting that data on it’s own generally isn’t a threat, it is only when action is taken with Data that risk arises. For example, a phishing email sitting in an inbox unopened is not an active threat. It only becomes active when it is read and the link inside is clicked allowing a process to take place, typically, on the device. In short, Data typically isn’t the source of active threats, it is actions taken with that data that generates active threats. These are typically activated on the device.

That means the major security focus should be on the defensive capabilities of the Device. It also means that the major threats are going to come from the four connectors; email, browser, connections and applications. Of these four, I would suggest that the most likely source of introduced threats is going to be from email and the browser.

Reducing the risks from both email and the browser start at the source of these two connectors. For email that means appropriately configuring things like DNS, then mail filtering policies to provide protection even before the connection passes onto the device. Likewise for the browser, this means content filtering before results are returned to the browser. However, setting those items aside for the moment and let’s just focus on what threats the device faces from the email and browser connections.

The threat from email is going to be a message that either:

1. delivers a malicious attachment that when opened by the user and takes action

2. delivers a message that contains a malicious link that is clicked by the user and takes action

3. delivers a message that convinces the user to take some risky action

The threat from the browser is going to be either:

1. navigating to a web site that contains malicious content that is downloaded and takes action

2. navigating to a web site that harvests credentials

The interesting thing with all of these is that it requires some sort of user interaction. As I said, a phishing email isn’t a major threat until a user click on a link it contains.

So what’s kind of missing from my model so far is the person or identity. let me go away and think about this some more but I appreciate sharing my thoughts with you and if you have any feedback on this model I’m trying to develop, please let me know.

Microsoft Cloud Best practices


I get asked quite regularly about best practices for the Microsoft Cloud so what I have done is start a new file in my GitHub repository here:


where you’ll find links to articles from Microsoft and others (i.e. NIST, CIS, etc) around best practices for the Microsoft Cloud.

Let me know if you have any more and I’ll add them.

November poll


For November I’m asking people:

Are you using a third party product/service to ‘backup’ Office 365 outside of what Microsoft provides?

which I greatly appreciate you thoughts here:


You can view the results during the month here:


and I’ll post a summary at the end of the month here on the blog.

Please feel free to share this survey with as many people as you can so we can get better idea on this question.

Disabling basic authentication in Microsoft 365 admin console

I’ve previously spoken about why it is important to:

Disable basic auth to improve Office 365 security

PowerShell is generally the easiest manner in which that can be done. However it is possible via the Microsoft admin portal.


Navigate to:


and select Settings from the options on the left. Then select Org settings and then Modern authentication on the right as shown above.


You should then see a dialog box appear like that shown above. At the bottom you will find the capability to enable or disable basic authentication.


If you want to disable basic authentication for the protocols listed simply unselect that option as shown above where it has been done for IMAP4 and POP3.

Before you go and disable things it is a good idea to have and see what maybe using basic authentication. You can do that by following the steps I outlined in this article:

Determining legacy authentication usage

Disabling basic authentication is a major way to improve the security of your tenant and is strongly recommended for all environments.

New Exchange Policy Configuration analyzer


If you have a look in your Threat Management policies in Security and Compliance you’ll see a new tile called Configuration Analyzer as shown above. The direct URL is:



When you select this tile you’ll see a screen like that shown above which compares your current policy settings to Microsoft best practices.


If you expand any of the headings you’ll the settings in question and what the recommendation is on the right. You’ll also see a link that allows you to easily Adopt this setting.


If you do select the Adopt link, you’ll be presented with the above warning asking you whether you wish to proceed and Confirm or Cancel the change.


You will also see a Configuration drift analysis and history option as shown above. This allows you to compare changes in configuration over time and their effect. Basically, whether changes made improve email security or not.

If you want to learn more about Microsoft’s best practice configurations I suggest you take a look at my previous article:

New templated email policies

I see this as a further step towards what I spoke about here:

The changing security environment wit Microsoft 365

and how Ai will soon do all this automatically.

Custom Praise badges in Microsoft Teams


If you navigate to the Teams admin portal and expand the Teams apps option from the menu on the left, you should see a Managed apps option. You can locate the Praise app by using search on the right.


If you select the Praise app you’ll then see a screen like that shown above. If you then select the Settings option just under the information banner you get the badges options.

Generally, default badges are enabled but why not also enable the Social and emotional learning badges for education as well? They are free after all!

Preview of the Social and emotional learning badges for  education

When you do so, you’ll see the additional badges shown above in your Teams Praise app.


Even better, further down, you can also add you own custom Praise apps.


Just update a suitable badge graphic and add the details about the badge.


So now, when you Praise someone in Teams, you have many more options, including your own custom ones as shown above.

When selecting an image, keep badge dimensions in mind. For the best quality, we recommend uploading an image file that is 216 x 216 pixels (which are the maximum dimensions). Avoid stretching or distorting the image to fit these dimensions.

The above is from a great Microsoft article:

Manage the Praise app in the Microsoft Teams admin center

that provide lots of information about the Praise app and badges. So I recommend you take a look to learn more.

Revisiting some facts around Microsoft 365 backup

A while ago I wrote an article:

Do you need to backup Office 365?

Recently, Tony Redmond wrote this article on a similar topic:

Questioning Six Reasons Why Backing up Office 365 is Critical

That then lead to the following debate:

The Great Debate: The Need For Office 365 Backup [VIDEO]

I’ve also seen people quote the following from Microsoft:

Microsoft Services Agreement

which contains the following clause:


which reads:

“We recommend that you regularly backup Your Content and Data that you store on the Services or store using Third-Party Apps and Services.”

However, it is important to note at the top of that document:


which reads:

These terms (“Terms“) cover the use of those Microsoft consumer products, websites, and services listed at the end of these Terms here (#serviceslist) (the “Services“).”

Note hyperlink to “services” that agreement actually covers. That leads to the following URL:


and when you look through that list there are no M365/O365 commercial services listed:


Thus, that Microsoft Services Agreement doesn’t apply when talking about data retention in Microsoft 365 commercial products.

In fact, the following slide was taken from a recent Microsoft Ignite 2020 presentation:


Here’s the time stamped video it came from – https://youtu.be/zBHXVGrxBqM?t=1971 (Protecting Exchange Online Mailboxes As A Secure Vault)

I will also highlight the following article:

Set the OneDrive retention for deleted users

which says:


The minimum value is 30 days and the maximum value is 3650 days (ten years).

As my original article states and Tony Redmond reinforces, the importance is to understand what M365 does out of the box with data retention and how that can and ‘should’ be configured to reduce risk. After which, third party products can be added to supplement what Microsoft 365 does. As I say, more backups are good but at some point they fail to significantly reduce risk for the investment made in them. That point is up to the individual business to determine.

It is important to have the correct information when it comes to data retention and recovery in Microsoft 365, and if you don’t appreciate what can be done with Microsoft 365 out of box then I’d encourage you to go and take a closer look, because it does a pretty good job in my opinion.