Office 365 services PowerShell bulk connection script

I spend a lot of my time logging in and out of various tenants using PowerShell. Some tenants require Multi Factor Authentication (MFA), others don’t. Sometimes I need to just use SharePoint Online or maybe Exchange and Teams.

Already having all the appropriate online services connection scripts in my Github repo here:

https://github.com/directorcia/Office365

I wanted a way to make it easy for me to login to any tenant, MFA or not, as well as an service, or combination of services. Thus my latest script at:

https://github.com/directorcia/Office365/blob/master/o365-connect-bulk.ps1

provides a neat solution I believe.

They way it works is that:

1. You need to copy all the files from my Github repo to a directory on your local environment.

2. Execute the o365-connect-bulk.ps1 script where all the scripts are with following command line options:

-mfa if MFA required for login

-std if Microsoft Online connect required

-aad if Azure AD connect required

-exo if Exchange Online connect required

-s4b if Skype for Business Online connect required

-sac if Security and Compliance Center connect required

-spo if SharePoint Online connect required

-tms if Microsoft Teams connect required

-aadrm if Azure AD Rights Management connect required

You can combine some or all of these onto the command line like so:

.\o365-connect-bulk.ps1 –mfa –exo –tms

which will do a login with MFA for Exchange Online and Microsoft Teams. Or:

.\o365-connect-bulk.ps1 –std –spo

which will login with no MFA to Microsoft Online and SharePoint Online.

The way that I use scripts is to break them down into small scripts. I don’t like the idea of large ‘mega’ scripts that do everything because they are harder to maintain and when they break they are harder to debug. This way, o365-connect-bulk.ps1 relies in the other stand alone scripts in the same directory which it calls as needed.

The down side to this approach is that you may need to login to the tenant multiple times as each independent script runs. That is only initially and a small price to pay for the added flexibility and functionality I would suggest.

If need to login to many different tenants and services throughout the day then this bulk connection script should help you.

Configuring Office 365 DLP with PowerShell

Data Loss Prevention (DLP) is typically an outbound scanning technology in Office 365 that monitors and prevents sensitive information from leaving the organisation.

image

Previous, DLP was only part of Exchange Online. It is still possible to configure policies only in Exchange Online as you can see above, in the Exchange Online Admin console.

To do this in PowerShell you’d use the command:

new-dlppolicy

image

The new of way doing DLP in Office 365 is via the Security and Compliance Center as you see above. The benefits of using this new method is that it is possible to use policies to not only protect Exchange Online but SharePoint and OneDrive for Business from data leakage.

image

Office 365 DLP has a number of pre-canned policy templates you can use as shown above. It is always best practices to at least start with these since they cover the basics.

You’ll note above that I’m looking to configure a policy based on Australian Financial Data. This in effects scans material looking for SWIFT code, Australia Tax File Number, Australia Bank Account Number and Credit Card as you see in the lower right.

image

Proceeding with the GUI wizard then asks for the areas in Office 365 to protect. As you can see from the above, these locations include Exchange email, SharePoint sites and OneDrive accounts. You can modify the inclusion and exclusions to all these different areas if you wish.

image

You then determine what content you are looking for in the policy settings, as well as when to detect.

image

You can customise these rules if you wish, as shown above.

image

Finally, you can determine how this policy will operate and whether it is active.

Why is all this important for using PowerShell? The simple answer is, that with many options, knowing what everything does in the web interface is going to help when it comes to implementing via PowerShell.

So, to start the PowerShell configuration process you are going to need to connect to the Office 365 Security and Compliance center using PowerShell. You’ll find scripts to do that at my GitHub repo here:

https://github.com/directorcia/Office365

We don’t want to use the older, Exchange Online only cmdlets like:

new-dlppolicy

we’ll be using the newer Security and Compliance cmdlets like

new-dlpcompliancepolicy

The first thing I need to is create a new DLP policy called ‘Australian Privacy Act’ and do that with the commands:

$params = @{
‘Name’ = ‘Australian Privacy Act’;
‘ExchangeLocation’ =’All’;
‘OneDriveLocation’ = ‘All’;
‘SharePointLocation’ = ‘All’;
‘Mode’ = ‘Enable’
}
new-dlpcompliancepolicy @params

Now, this basically establishes the policy and the location that it applies to in Office 365. There are not any rules yet to check the content.

To do this. you need to create a variable that holds the sensitive data types you want to check. Yo can do that with the following:

$senstiveinfo = @(@{Name =”Australia Driver’s License Number”; minCount = “1”},@{Name =”Australia Passport Number”;minCount=”1″})

You’ll find information about the specific sensitive data types for you region here:

https://docs.microsoft.com/en-us/exchange/policy-and-compliance/data-loss-prevention/sensitive-information-types?view=exchserver-2019

With all that in place, the rule can be added to the existing policy using the following:

$Rulevalue = @{
‘Name’ = ‘Low volume of content detected Australia Privacy Act’;
‘Comment’ = “Helps detect the presence of information commonly considered to be subject to the privacy act in Australia, like driver’s license and passport number.”;
‘Policy’ = ‘Australian Privacy Act’;
‘ContentContainsSensitiveInformation’=$senstiveinfo;
‘BlockAccess’ = $true;
‘AccessScope’=’NotInOrganization’;
‘BlockAccessScope’=’All’;
‘Disabled’=$false;
‘GenerateAlert’=’SiteAdmin’;
‘GenerateIncidentReport’=’SiteAdmin’;
‘IncidentReportContent’=’All’;
‘NotifyAllowOverride’=’FalsePositive,WithJustification’;
‘NotifyUser’=’Owner’,’SiteAdmin’,’LastModifer’
}

New-dlpcompliancerule @rulevalue

You should recognise many of these settings from what is in the web interface. Don’t forget that DLP takes a while to crawl through all the different content areas you have selected and be applied.

image

If all of that executes successfully, then you should see a new DLP policy in the web interface as shown above.

If you have an Office 365 or Microsoft 365 licenses that includes DLP, you should use the pre-existing templates that Microsoft provides you for you region and create a new policy for each.

You can, of course, customise these easily by changing the PowerShell parameters or creating your own rules to suit. The great thing is, once you have worked all of this out you now a configuration you can apply to every tenant quickly and easily.

That is the power of automation thanks to PowerShell!

Microsoft Cloud service descriptions

pexels-photo-408503

One of the common pain points that people are reporting in my recent Challenges with Microsoft Cloud survey here:

What is you biggest challenge with the Microsoft Cloud

is wanting a single location that compares all of the offerings side by side.

Unfortunately, given the huge number of options across different teams in Microsoft there really isn’t a single place. This stems back to an earlier article I wrote about

Why IT today is like coffee

which in short details how we live in a world were people want lots of choices rather than a single monolithic solution. This is so people can get EXACTLY what they want and not have to pay for things they don’t want or need. The price we pay for lots of choice is, lots of choice.

All is not lost however because there are few places you can go to get a pretty good overview what the Microsoft Cloud offers.

The first place to start is the Office 365 service descriptions. This will lay out in great detail all the plans side by side and features that each include. You can drill down beyond the suites into individual service like Exchange and SharePoint Online if you want.

Now for Azure the best option is probably Products by region. This will show you each Azure service as well the region that it is available in. To get an idea of all the abilities of Azure have a look at the list of Azure products as a reference guide.

If you are interested in what Microsoft 365 Business contains then look at the Microsoft 365 Business Service Description.

Of course, much of this gets updated regularly so how can you keep up with changes? Well, use the Recent services description changes to see what’s new in Office 365. There is also the new and updated Microsoft 365 Roadmap, which will help you plan what changes are down the pipe.

Azure has something similar over at Azure updates.

Many of these update locations have the ability for you to subscribe to via RSS or email so you can get prompted when things change. I have detailed previous how you can use Microsoft Teams, Office 365 and Yammer to stay up to date by pushing the change feeds into these services automatically.

With lots of options comes lots of detailed information. It is simply a fact of life these days. I would suggest that the services descriptions should be the source of truth for what is included in Office 365 and Microsoft 365. Everything else I have seen is a summary of this. Azure is a different kind of beast, so start with the list of Azure products and drill in from there.

Remember, as Clay Shirky says, it isn’t information overload, it is filter failure. You can’t ingest everything, so find the best stuff and consume that. Be selective with your information sources and always search for the highest quality. Hopefully, I’ve given you some quality places to start here.

Final chance before price increase

As I have mentioned over the past few months, I am planning to increase the entry price for my CIAOPS Patron program from the 1st of January 2019.

You can view a current summary table below:

image

If you are keen to stay up to date with the Microsoft Cloud including Office 365, Microsoft 365, Azure and more, then now is the time to jump on board so you can be grand fathered in at current rates. After the 1st of January the new rates will apply.

I have created what I believe to be single source of the best Microsoft Cloud information that can be found anywhere out there. The amount of time it will save you each and every day is well worth the subscription if you work in this space.

Join the community of people getting benefit today. Visit:

www.ciaopspatron.com

to sign up.

What is your biggest challenge with the Microsoft Cloud

pexels-photo-356079

Tis the season for a survey I think. What I’d like to do is start off with this one question:

What is the biggest challenge you face with the Microsoft Cloud?

That’s it. Just one question. You can answer the question here:

http://bit.ly/mscloudsurvey

I’ll collate all the answers and report back on the results. I’ll try and group the issues into categories so you get a better of idea of what generally are the major challenges a majority of people have.

It doesn’t matter whether you are an end user, business, IT resellers, IT professional, whatever, please take a moment to share what you find most challenging about the Microsoft Cloud (Office 365, Microsoft 365, Azure, etc)

The more people that take a moment to answer the more results and information we’ll have to share. The results are anonymous.

Thanks in advance for completing the survey.

Microsoft Online PowerShell Setup/Update scripts

One of the biggest challenges setting up a PowerShell environment for Microsoft Online is install ALL the different modules for each service into PowerShell. Thankfully, the latest version of PowerShell makes that really easy. All you need to do is:

1. Run your PowerShell environment as an administrator

2. Run install-module

for each service.

Now the challenge is finding all the module names, because unfortunately they are not consistent.

Thus, to make life easier I have uploaded a script to do this for you at my GitHub repository here:

https://github.com/directorcia/Office365/blob/master/o365-setup.ps1

This script will install the following modules for you:

1. Azure AD

2. Azure AD Rights Management

3. Microsoft Teams

4. SharePoint Online

5. Microsoft Online

6. Azure

Unfortunately, at this point in time, the Skype for Business module is a downloadable MSI install, not something we can do inside PowerShell easily.

Of course, once you have these installed, they’ll also need to be updated regularly as updated modules are released. I’ve taken care of that for you also with an module update script here:

https://github.com/directorcia/Office365/blob/master/o365-update.ps1

So you only need to run the install script once to get the modules and then you just need to run the update script to ensure you have the latest version of the modules.

That should make using PowerShell with Microsoft Online easier.

Need to Know podcast–Episode 197

In this episode we focus on security starting with our interview of Alex Wilson from Yubico talking all about multi factor authentication. We take the time to dive deep into the benefits of using devices like the Yubikey to protect identities an help prevent phishing attacks. Brenton and I also discuss a number of interesting security items before the interview as well as give you the latest updates from the Microsoft Cloud.

Take a listen and let us know what you think –feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-197-yubikey/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

Alex Wilson – alex.wilson@yubico.com

Yubico

@contactbrenton

@directorcia

Join us for the 200th episode

Australia gets world-first encryption busting laws

Australia passes new law to thwart strong encryption

Microsoft adopts ethical principles aiming to bar misuse of facial recognition technology

New breakthrough in combating tech support scams

Mastercard and Microsoft join forces to Advance Digital Identity Innovations

New Office app icons

Outlook on iOS gets a redesign

CIAOPS Patron program