Define an IP range in Cloud App Security

image

For me, Office 365 Cloud App Security is a must have add on for any Microsoft or Office 365 tenant as I have spoken about here:

A great security add on for Microsoft 365

As with all services, once you have enabled it you need to do some customisation to get the best from it. The first thing you should do is define your ‘corporate’ IP addresses. These typically refer to your on premises environment.

The first step in defining these is to access Office 365 Cloud App security, which you can do from the Microsoft 365 Security Center. Once at the home page, select the COG in the top right hand corner.

image

That should reveal a menu like you see above. From this menu select the option IP address ranges.

image

Then select the Category option in the middle of the page and the option for Corporate.

image

You will then see an IP address ranges that have been defined as ‘corporate’ already. To add more ranges simply select the + (plus) button in the upper right. Doing show will provide you a dialog box like shown above where you can now enter the appropriate details.

Why is defining your ‘corporate’ IP addresses important? It helps prevent false positives, especially when you have multiple locations. This is handy when you start setting up rules in Office 365 Cloud App Security, you can easily use the ‘corporate’ definition to designate your known environment. It means also that when you add new locations you don;t have to go and change all your rules, just add top the ‘corporate’ IP range list.

Enabling Microsoft Stream transcribing

image

Every plan in Microsoft 365 and just about every plan in Office 365 includes Microsoft Stream, which is a private video hosting service from Microsoft. Stream is also integrated into Microsoft Teams, so that, if you record a meeting in Teams it is automatically saved in Stream for replay later. You can also transcribe anything spoken in the video to searchable text within Stream.

You may however find that this automatic captioning is not enabled by default in Stream. To see whether it is, simply connect to your tenant via PowerShell and run the command:

get-CsTeamsMeetingPolicy -Identity global

In the results look for the line:

AllowTranscription

as shown above. If it is set to False, run the command:

Set-CsTeamsMeetingPolicy -Identity Global -AllowTranscription $True

to enable Stream transcription. Note, that it may take a little while for the policy to be applied.

Now, when you upload a video to Stream or record a meeting in Teams any speech should be transcribed for you automatically.

Need to Know podcast–Episode 203

We catch you up with everything in the Microsoft Cloud and then spend some time talking about the new certifications that have just become available from Microsoft for both Microsoft 365 and Azure. I share some of my experiences and thought around doing these exams and their value to all IT Professionals going forward. We’ll be covering more about certifications down the track but this one should get you thinking about which one you should do!

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-203-certifications/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

@contactbrenton

@directorcia

Patron Community

Azure opens datacenters in Africa

Microsoft announces Azure Sentinel

Introducing Microsoft Threat Experts

Get the latest Microsoft Security Intelligence report

Teams V Slack

Connect to Office 365 PowerShell via GUI

MS-100 Certification

MS-101 Certification

Email message traces in Office 365

A very common need these days is to do an email message trace. This can be done the old way in the Exchange Online Admin center or the new way via Mail Flow in the Security and Compliance center.

image

You simply enter the details and then run a search.

image

and the output looks like the above, where you can also drill in and get more detail.

image

As with all things Office 365, you can achieve the exact same thing using PowerShell as I have shown above. The code to achieve this is quite straight forward but I have uploaded it to my GitHub repo to save you the trouble:

https://github.com/directorcia/Office365/blob/master/o365-msgtrace.ps1

Where PowerShell comes into its own is when you need to a variety of tasks, perhaps an investigation of a breach. Using PowerShell you can easily dump all the information to CSV for further analysis rather than having to root it out in the web interface.

Reporting mailbox logins

Before much of what is covered here is possible you need to ensure you have enabled all the logging in your Office 365 tenant. I’ve covered how to do that here:

Enabling Office 365 mailbox auditing

Enable mailbox auditing in Exchange Online

Enable activity auditing in Office 365

Once you have done that you will be able to track what’s going on in your tenant much better.

In the situation of a compromised mailbox, a bad actor has control of it using legitimate credentials. This eliminates looking for failed logins, because there won’t be any. It also makes the finding the bad actor tougher because their access is most likely mixed in with the legitimate user.

The place to start is to run an audit log search as I have detailed here:

Searching the Office 365 activity log for failed logins

image

However, as I mentioned, we can no longer search for failed logins, we need to use a different search criteria. I would suggest that you instead run a search using the attribute “User signed in to mailbox” as shown above. That will produce something like shown for all users. Problem with this is that times and dates are in UTC not local time and it is cumbersome to manipulate in a web page. You can of course manipulate by exporting the results to a spreadsheet for more control.

image

Unsurprisingly, I feel PowerShell offers a much better solution to check the logs and report as you can see above. The script to do this I have made freely available at my Github repo here:

https://github.com/directorcia/Office365/blob/master/o365-mblogin-audit.ps1

Basically, it will search the Audit log for Exchange Items that are Mailbox logins and send that output to a nice table via the Out-Grid command. As you can see, using Out-Grid you can now easily sort by time by clicking the column heading, and thanks to the script, the times are local not UTC!

By default, the script will check the last 48 hours but you can easily modify that to suit your needs by either entering the scope in hours or entering a start and end date in the variables at the top of the script.

With this output I can now look for suspect IPs that login into the mailbox and begin hunting from there. However, remember, all of this relies on you enable your auditing BEFORE you need it. So, if you haven’t enabled it, go do it now! You’ll find scripts to enable the logs also in my Office 365 repo here:

https://github.com/directorcia/office365

Monitor outbound spam as well

image

Hopefully everyone is well aware of the need to protect Office 365 email from inbound spam, however what are you doing about outbound spam?

Hopefully, no bad actor gains access to your environment BUT if they did and they started using you accounts to send spam email how would know?

image

For this reason, I suggest that it is a good idea to go into the Exchange Administration console, select Protection, then Outbound spam. Edit the default policy (that’s really your only option), then select outbound spam protection on the left hand side. Then I suggest you should enable the option to send an email when there is a suspicious outbound email to somewhere that is monitored.

That obviously, won’t stop outbound spam but it should at least give you a heads up that it is happening.

OneNote error code 0XE0001462 bukxq 19999

I received the not so helpful error code OXE0001462bukxq 19999 on an iOS device when trying to sync some OneNote notebooks.

This error I believed was the because I was mixing and matching identities on the device and inside OneNote. The result was that the notebooks would load into OneNote, I could see the sections but not any pages. I will also say that I was also playing with Intune app protection policies at the same time on the device, which probably really didn’t help.

To get rid of the error I figured that I needed to change the login credentials for each notebook. Problem was I couldn’t see how to do that within OneNote.

image

Turns out, what I needed to do was go into the iOS Settings, select OneNote and then down the bottom you’ll find an option to Reset OneNote as shown above.

image

Once you select that you’ll see the above screen giving you the option to Delete all notebooks or Delete Login credentials, which is what I selected.

I then restarted OneNote and re-authenticated to the notebooks and I was away. An easy fix when you know how, just wish the error message was a little bit more helpful. However, in the end, problem solved and new lesson learned.