Need to Know podcast–Episode 217

We are in the run up to Microsoft Ignite in November but there is still lots and lots of news, however before that we have an interview with Jason LeGuier from Hotline IT about communicating the value of Microsoft 365. Brenton speaks with Jason and teases out how to explain the benefits technology to the average small business and not get lost just in the tech. We also get an update from Brenton on his recent speaking gig at Cybercon in Melbourne.

This episode was recorded using Microsoft Teams and produced with Camtasia 2019

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-217-jason-leguier/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

Jason LeGuier

@contactbrenton

@directorcia

Windows Virtual Desktop now generally available

Windows Virtual Desktop now available for Microsoft 365 Business Subscribers

Changes to blocked file types in Outlook on the web

New Office 365 phishing attack with your branding

More Dark mode

All your code belongs to us

Microsoft and NIST partner

How to pronounce Azure

Security is shared responsibility

The good and bad thing about the Internet is that we are all now pretty much connected to each other all the time. The growth in attacks by bad actors continues to expand and become ever more sophisticated.

One of the ways I have suggested that can help yourself be that little bit more secure is to brand your Microsoft 365 tenant. I wrote an article on how to do this:

Office 365 branding using Azure Resource Manager

Why this makes you a little bit more secure is that most phishing attacks are generic and take you to an unbranded, generic Microsoft 365 login page. Thus, having your own branding on your tenant will hopefully get users to stop and think before giving up their credentials to malicious sites. Yes, I know it is not fool proof, but every little bit helps.

It however, was only a matter of time before the bad actors worked out how to get around this as has now been brought to my attention.

SNAGHTML5ec48a3

image

As you can see from the above, I am getting my tenant branding displayed even though the URL is not for the Microsoft Online URL!

image

You can see the attack does have a flaw on a large screen as shown above, but I’m sure it will fool most people.

So, how can I make sure Microsoft knows about this? I can use my (real) Microsoft 365 Admin portal to report the URL.

image

I go to the Microsoft 365 Security Center and select Submissions from under the Threat Management section. You then select +New submission as shown.

image

You then simply complete the details for what you wish to tell Microsoft about and select the Submit button down the bottom.

image

You should get a confirmation like shown above.

image

You should then also be able to see your submission in the bottom of the screen. Just make sure you select the correct query options and results to see this.

You can read more about this at:

How to submit suspected spam, phish, URLs, and files to Microsoft for Office 365 scanning

Security it never an exact science. Attackers work hard to bypass barriers configured, so you should never be complacent. However, you should also share what you find with people like Microsoft to help them harden their systems against attack and thereby help others.

We are all in this together, so let’s work together to make it a safer place for all.

Legitimate non-MFA protection

image

There is no doubt that multi-factor authentication (MFA) is the great thing for the majority of accounts. It is probably the best protection against account compromise, however are there times that perhaps, MFA doesn’t make sense?

Security is about minimising, not eliminating risk. This means that it is a compromise and never an absolute. Unfortunately, MFA is a technology and all technologies can fail. If MFA did fail, or be unavailable for any reason, then accounts would be unavailable. This could be rather a bad thing if such an issue persisted for an extended period of time.

In such a situation, it would be nice to be able to turn off MFA for accounts, so users could get back to work, and re-enable it when the MFA service is restored. However, today’s best practice is to have all accounts, especially administrators, protected by MFA.

A good example is the baseline policies that are provided for free in Microsoft 365 as shown above.

image

You’ll see that such a policy requires MFA for all admin roles.

image

And yes, there is a risk for admin accounts that don’t have it enabled but there is also a risk if it is enabled and MFA is not working for some reason.

The challenge I have with these types of policies is that they are absolute. It is either on (good) or off (bad), and in the complex world of security that is not the case.

I for one, suggest there is the case for a ‘break glass’ administration account, with no MFA, that be used in the contingency that MFA is unavailable to get into accounts and re-configure them if needed. Such an account, although it has no MFA, is protected by a very long and complex pass phrase along with other measures. Most importantly, it is locked away and never used, except in case of emergency. There should also be additional reporting on this account, so it’s actions are better scrutinised.

Unfortunately, taking such an approach means that you can’t apply such absolute policies. It also means that you won’t be assessed as well in things like Secure Score. However, I think such an approach is more prudent that locking everything under MFA.

As I said initially, security is a compromise, however it would be nice to see the ability to make at least on exception to the current absolute approach because service unavailability can be just as impactful as account compromise for many businesses.

Connecting to Cloud App Security API

As I have said previously, I believe Microsoft Cloud App Security is a must have for every tenant:

A great security add on for Microsoft 365

You can also manipulate it via an API and PowerShell. Most of this manipulation is currently mainly to read not set information but that is still handy. Here’s how to set that up.

image

You’ll firstly need to go to the Microsoft Cloud App Security console and select the COG in the upper right corner of the screen. From the menu that appears, select Security Extensions as shown.

image

The option for API tokens should be selected, if not select this. Now select the + button in the top right to generate a new token.

image

Enter a name for this new token and select the Generate button.

image

Your API token should be generated as shown. Copy both the token and the URL and select the Close button. Note, you’ll need to take a copy of you token here as it won’t be available once you move forward.

image

You should now see the token listed in the Microsoft Cloud App Security portal as shown above.

This token can now be utilised to access Microsoft Cloud App Security via PowerShell. I have created a basic script for you to use here:

https://github.com/directorcia/Office365/blob/master/o365-mcas-api.ps1

that will basically return all of the data current in there.

You’ll then need enter the values from this configuration into the script prior to running it:

image

but in essence what that script does is take the token and uri and apply to the invoke-rest method to get a response. That return response contains a whole range of data from Microsoft Cloud App Security.

image

To see what you can and can’t do with the API visit the Microsoft Cloud App Security portal again and select the Question mark in the upper right this time. Select API documentation from the menu that appears.

image

In there you’ll find a range of information about the API.

As I said, most of the available command current just “get” information. Hopefully, commands that “set” information aren’t too far away.

Capturing ALL Microsoft Secure Score items

image

Ok, so you are telling me you have time on your hands and want to improve the security of your Microsoft 365 tenant? Ok, if you are only kind of serious, I’d tell you to go to:

https://security.microsoft.com/securescore

and select the Improvement actions as shown above.

image

That will show you a filtered view of items based on what hasn’t yet been completed in the tenant. In the case above, that equates to 67 items.

Oh, you want more to do you say?

image

Ok, if you remove that filter you’ll see the number in the list increase. In this case up from 67 to 84. That’s 36% increase in things you can address. Enough?

What? You want even more? Are you sure? Really sure?

image

Well, if you are, then the good news is that I have written a script for you that uses the Microsoft Graph to go in and grab all, and I mean ALL, of the secure score items. You’ll find the script in my Office 365 GitHub repo:

https://github.com/directorcia/Office365/blob/master/o365-ssdescpt-get.ps1

Now before you run this scripts, you’ll need to follow the instructions I have written about before:

Access the Microsoft Graph with a script

and set yourself up an OAuth token to access your tenant. You only need to do this once.

You’ll then need enter the values from this configuration into the script prior to running it:

image

You get these three items from the oAuth token set up I set out.

image

When run, the script will connect to the Microsoft Graph and start reading information from the Secure Score of YOUR tenant. It will also save the output to a text file in the parent directory. Why you ask?

SNAGHTML20f6be5

Well, as you can see from the output from my tenant above, there are now potentially 6,972 items that I can go look at and configure to make my tenant more secure. That’s a 8,200% increase in things to keep you busy.

Remember, you did ask for more after all.

Improved SharePoint Online List creation discovery!

image

The traditional way that I had been creating lists in a SharePoint Online site was to select the COG in the top right hand corner of the site and selecting Add an app from the menu that appears as shown above.

image

From there I’d select Custom List and follow the bouncing ball and create a list is one column and then have to go in and customised it. Hard work.

image

However, if you go to Site Contents and then select New and List you get a COMPLETELY different and much, much better experience!

image

The above options appear. Even better, if you select From an existing list on the left you get:

image

a list of every site across your WHOLE SharePoint Online experience! WOW! All you need to do is pick a list that is the same and bamm, you’ll get a new one just like it!

I can’t tell you how much time this saved me once I discovered it. I wonder how I missed the memo?

CIAOPS Need to Know Microsoft 365 Webinar–October

laptop-eyes-technology-computer

The October webinar is here. This month we’ll take a closer look at the various options available to manage tasks in Microsoft 365. You’ll learn how tasks can be completed using SharePoint, Planner and Microsoft To-Do as well as when to use each service. There will also be the latest Microsoft Cloud news as well as Q and A plus loads more. I’d love if you’d come along and be part of this.

You can register for the regular monthly webinar here:

October Webinar Registrations

The details are:

CIAOPS Need to Know Webinar – October 2019
Thursday 31st of October  2019
10.30am – 11.30am Sydney Time

All sessions are recorded and posted to the CIAOPS Academy.

There of course will also be open Q and A so make sure you bring your questions for me and I’ll do my best to answer them.

The CIAOPS Need to Know Webinars are free to attend but if you want to receive the recording of the session you need to sign up as a CIAOPS patron which you can do here:

http://www.ciaopspatron.com

or purchase them individually at:

http://www.ciaopsacademy.com/

Also feel free at any stage to email me directly via director@ciaops.com with your webinar topic suggestions.

I’d also appreciate you sharing information about this webinar with anyone you feel may benefit from the session and I look forward to seeing you there.

Edit Stream videos in admin mode

image

If you have users uploading videos into Microsoft Stream, you may have occasion to edit these as an administrator for some reason. You can easily do that from your own administration console by simply searching for the user’s video and then select the ellipse (three dots) to the right of the video, as shown above.

This should display a menu with the option Edit in admin mode, which you then select.

image

You should then see all the same settings as the user would see when they edit their video. However, you’ll also notice the big banner across the top of the page letting you know you are in Admin mode.

image

You can also to Admin mode by viewing the video and selecting the Settings Cog in the lower right. From the menu that appears you can select View in admin mode.

image

You can then select the option to again Edit in admin mode as shown above.