Need to Know podcast–Episode 202

The Microsoft Ignite tour has been to town so Brenton and I share our thoughts on attending the event. We wrap up what we believed to be the best sessions and overall take aways from the premier Microsoft IT Professional conference in Australia for 2019. We also cover off a few of the important updates from the Microsoft Cloud to make sure that you don’t miss anything in the meantime. I also share my thoughts on using the Kaizala app during the conference with the CIAOPS Patron community which is great lead in for our interview this episode – Parveen Maloo who is the Senior Product Marketing Manager for Kaizala. Sit back and enjoy something about a product you probably never knew Microsoft had.

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-202-kaizala/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

@contactbrenton

@directorcia

@praveen_maloo

CIAOPS Patron Program

BRK3610 – Layers of Office 365 communication

Sessions from Ignite The Tour – Sydney

Step 4: Set conditional access policies: top 10 actions to secure your environment

Microsoft authenticator app now sends security notifications

Windows Update for Business and the retirement of SAC-T

Microsoft begs you to stop using Internet Explorer

Microsoft Kaizala

Microsoft Kaizala – Tech Community

Microsoft Kaizala – Feedback

Adding Acrobat Reader as an Allowed app

When you set up an Intune App Protection Policy for Windows 10 you are effectively enabling Windows Information Protection (WIP). This is designed to protect your business information being shared with non-business approved applications. This means there are a range of standard business ‘approved’ applications that are enabled by default. These are typically ‘enlightened’ apps that can differentiate between corporate and personal data. This allows them to abide by the policies set in the Intune App Protection policy you create. Applications that are not ‘enlightened’ are typically blocked from working with corporate data.

In a previous article:

Intune App Protection Policy blocking browser

I detailed how this could affect third party, non-Microsoft browsers, like Chrome, accessing the Internet. That article, also showed you how to easily overcome that issue with some minor configuration changes.

In this article I’ll look another way that ‘non-enlightened’ apps get blocked and how you can easily enable them.

So, let’s say that you have created an Intune Windows 10 App Protection policy like that shown above. When you do you configure a number of Protected apps as you can see. Typically, these a Microsoft products like Office, Internet Explorer, Edge and so on.

With that default protection policy successfully applied to a Windows 10 machine you can then see the data identified as personal or business on that machine now. The above shows you some files in OneDrive for Business, which is considered a business location. You can tell they are business files by the little brief case in the upper right of the file icon. Thus, all these files are considered to be business and are protected by WIP.

Let’s say that I now want to open the business PDF file with Adobe Acrobat Reader.

The result is, you are unable to do this because Acrobat Reader is not an ‘enlightened’ app. Thus, it is considered a personal app and is therefore denied access to business information.

To rectify this situation we need to return to the Protected apps section of the Intune App Protection policy and select the Add apps button as shown.

You then need to select the option Desktop apps from the pull down at the top of the screen. When you do so, you will probably see no apps listed below.

You should now enter the following information into the fields:

Name = Acrobat Reader DC
Publisher = *
Product Name = Acrobat Reader
File = acrord32.exe
Min version = *
Max version = *
Action = Allow

The most important item here is the filename for the program is entered correctly, (without any path) into the File field. In this case, the executable for Acrobat Reader is acrord32.exe.

Select Ok, once you are entered all the file details correctly here. Basically we are creating an exception for this app with WIP.

You should now see the program you just added in the list as shown above. Make sure you also Save your changes so they get applied to the policy.

Now with the policy updated, and the exemption for your app created, (in this case Acrobat Reader), you just need to wait a short time until the policy is applied to your machines.

With a few minutes, you should be able to repeat the process of opening that same business file and find that you can now view the file as shown above is the program that you couldn’t before.

You can now basically repeat the same process for any other custom applications you have that are ‘non-enlightened’ and you wish to have open business information saved in Microsoft 365 protected with WIP.

Intune App Protection Policy blocking browser

Within Intune I went and created a Windows 10 App Protection Policy.

I defined my Protected apps as you see above.

So the Required settings are as shown and utilise Windows Information protection (WIP). The idea is WIP is:

“Windows Information Protection (WIP), previously known as enterprise data protection (EDP), helps to protect against this potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps.”

according to Protect your enterprise data using Windows Information Protection (WIP).

After creating the policy I applied it to a test machine.

Most things worked as expected EXCEPT that I couldn’t use non-Microsoft browsers like Chrome! I kept getting a block message as shown above. if I removed the Application Protection policy then I could browse fine on non-Microsoft apps again. Clearly something to do with the policy was blocking Chrome browsing!

The root cause is the concept of enlightened apps in WIP.

“Windows Information Protection (WIP) classifies apps into two categories: enlightened and unenlightened. Enlighted apps can differentiate between corporate and personal data, correctly determining which to protect based on internal policies.”

from Unenlightended and enlightended app behavior while using Windows Information Protection (WIP).

As it turns out, third party browsers like Chrome are considered unenlightened apps. If you read a little bit further down that article you find the following table:

This explains why Chrome (unenlightened app) is being blocked because it is trying to connect via an IP address effectively. Ok, so now we know why, how do we fix the problem?

Turns out the fix is in the last column as highlighted above. We need to use the /*AppCompat*/ string!

To do this navigate to Advanced settings from the menu on the left. Then select the entry you should have there called Cloud resources as shown above.

Here you should see your Microsoft 365 SharePoint and OneDrive sites as shown above.

Add the string

|/*AppCompat*/

to the end of the line. Ensure the little green tick appears on the right hand side. Select OK to close that blade and the Save to update the Advanced settings page.

If you now look closely on the Advanced settings page you will see the above information box alerting you to the need for the /*AppCompat*/ string if you want TLS by personal apps that connect directly to cloud resources via an IP. You can consider a third party browser unenlightened and therefore a personal app. Thus, it is telling us to do what we just did to allow third party browsers to connect to the Internet on machines where the policy is applied. Always read the configuration page eh?

Once you have saved the updated App Protection Policy and it has been applied to the devices, you should no longer be blocked when using third party browsers like Chrome and Firefox.

BRK3601–Layers of Office 365 Communication

Last week I gave a presentation at Microsoft Ignite – The Tour in Sydney. Here are the slides from that presentation.

Scheduling compliance reports

If you go into the Microsoft 365 Security portal and locate the Reports option from the menu on the left and expand it, you should find the Dashboard option. This option, when selected, will show a range of reports like that shown above. You can get more details by simply selecting the body of the tile you wish to view. Here, I’ll select the Spam detections tile to get further information.

You’ll now see a more focused report but you’ll also notice that many graphs have the Create schedule in the top right hand corner as shown. Selecting this allows you to schedule a report to be delivered via email.

By selecting Create schedule you should see a tile appear from the right with the above options that you can configure.

If you scroll down to the bottom of the window you will see that there is a Customize schedule option as shown above.

Selecting this will give you much greater options as shown above.

Once you have saved your schedule, you will then receive a regular email like that show above with the report you configured. You’ll note that there is also a CSV file attached that you can use for further analysis.

You can adjust the schedules you have configured via the Manage schedules option as shown above.

As yet, I haven’t found an easy way to configure these using PowerShell. There is way using the Microsoft Graph but that requires some setup so I’m trying to find a way just to use a pure script. If I work that out, I’ll post an article on how to do it. Till then, you’ll just have to manually go in a select and configure the reports you wish to receive regularly.

Azure Public DNS costs

I have previously written about:

Using Azure DNS with Office 365

and in my experience it works really, really well. What I like about it is mainly the fact that I can implement and manage the whole thing via PowerShell. I run up a lot of demo environments and have an automated script that adds a custom domain to Office 365 and then adds the required DNS records to Azure. All that happens at the touch of a button, consistently. Brilliant stuff.

However, Azure DNS is a paid service, it isn’t free. So what does it cost? Well, the place to start is the Azure pricing calculator where we see:

that the total estimated cost for 1 DNS zone with 1 million queries is AU$1.24 and I will note , also includes support!

So how does such an estimate translate into the real world? Well, I host a number of domains in Azure DNS but the most active one would be ciaops.com. The DNS records for this very blog are there.

So the next really cool thing that Azure gives you is the ability to drill down into your services, like Azure DNS, and produce information like what you see above, which is the total queries against the ciaops.com domain in Azure DNS. The amount for the last 30 days was 204,210 requests, well below the initial one million estimate. Clearly that amount will vary for different domains based on popularity, but remember that not every DNS request for your domain will hit the root DNS servers for the domain, especially if the records don’t change that much.

So I then used Azure to show me the actual cost for this previous 30 day period and you can see that the grand total was AU$0.37.

Sure Azure DNS is not free, but it might as well be! So, if you are looking to get started with Azure, I’d suggest that you start with Azure DNS as being the cheapest, quickest and easiest way to dip your toe in. That will provide you some familiarity and from there you can start scaling up.

Looks like Office 365 ATP is splitting in two

Seen some chatter here in Australia about there now being two Office 365 ATP SKUs (it appeared on a pricing sheet). Everything I could find suggested that this was not the case, however a US contact pointed out to me the following web site:

https://products.office.com/en-us/exchange/advance-threat-protection

That clearly shows 2 x Office 365 ATP SKUs.

There is not as yet an equivalent AU page.

The main things that Plan 2 adds according to that page are:

Even the services descriptions for Office 365 ATP here:

https://docs.microsoft.com/en-us/office365/servicedescriptions/office-365-advanced-threat-protection-service-description?fbclid=IwAR2FQUfHsjY3Ka03RSpcGGD9bLP8RFRI5VFc7aMUAcr936QPEYLY_-ZETLE

don’t talk about there being two plans. Thus, I (and others) are somewhat confused as to which version will be included in suites like Microsoft 365 Business. My guess is that most plans that have Office 365 ATP will get Plan 1, with Plan 2 going for higher end enterprise plans. However, that is all here say for now.

So, it looks like are going to get a new ‘advanced’ Office 365 ATP plan soon (Plan 2) but we are unsure in which suites it will be available. More as it becomes available.

Updated script to now check for Sweep

The bad actors out there are clever and they’ll use any means at their disposal. Normally, when a user is successfully phished the first thing bad actors do is manipulate the email handling rules of the mailbox to hide their activity.

Unfortunately, there are quite a lot of different ways to forward email in Office 365 including via the mailbox and via Outlook client rules. It was brought to my attention that there is in fact another way that forwarding can be done, using the Sweep function. You can read more about this ability at:

Organize your inbox with Archive, Sweep and other tools in Outlook.com

Sweep rules only run once a day but do provide a potential way for bad actors to hide their activity, however as it turned out Sweep was in fact being exploited by bad actors inside a compromised mailbox.

I have therefore updated my publicly available PowerShell script at:

https://github.com/directorcia/Office365/blob/master/o365-exo-fwd-chk.ps1

That will now also check and report on any Sweep rules in finds in mailboxes as well as any other forwards configured in the tenant.

Let me know if you find any other methods that this doesn’t cover and I’ll look at incorporating those as well.