Determining the time Office 365 ATP takes to scan an attachment

Office 365 Advanced Threat Protection (ATP) has the ability to sandbox and test attachments prior to delivery to an Office 365 inbox. This is known as ATP Safe Attachments, which you can read about here:

Office 365 ATP Safe Attachments

Basically, it takes email attachments and opens them in a protected sandbox inside the Microsoft data center to see whether they do anything malicious or unexpected. If they do, then actions can be taken to prevent that attachment from reaching the inbox. If not, the attachment is delivered as normal.

Now this sandbox testing does cause a slight delay in the delivery of attachments. In my experience, I have never seen any attachment, no matter how large, take longer than 2 minutes to deliver. However, there may be a need to test this delivery time when troubleshooting.

Luckily, I looked around and found this great article from Kloud:

https://blog.kloud.com.au/2018/07/19/measure-o365-atp-safe-attachments-latency-using-powershell/

which contains some handy scripting to allow you to determine the time ATP takes to verify an attachment. So I thought I’d build on that.

To complete this process you firstly need to have a tenant that has Office 365 ATP assigned to it. You’ll also need to target a recipient that has an Office 365 ATP license assigned to them. You’ll basically send this recipient two emails, one with an attachment and one without, and then we’ll use a script to determine and report the time difference.

So step 1 is to send a standard email without an attachment to the recipient. I’ll do this here from my Yahoo account.

Once that has been successfully sent, I’ll immediately send another email that is basically the same but this time with an attachment. In this case, I’m sending a Word document of 52KB in size.

I need to now wait to ensure both emails are FULLY delivered to the recipient.

If you have Safe Attachments Dynamic Delivery enabled, where the body is received while the attachment is still being scanned, you need to wait until this scanning process has FULLY completed.

That is, you need to wait until the whole message, including the attachment, has been delivered to the Inbox as shown above.

Ensure that you are already connected to Exchange Online with PowerShell, then run my script, which you can find at:

https://github.com/directorcia/Office365/blob/master/o365-atp-timer.ps1

After a few moments you should see results like those shown above, giving you the number of additional seconds it took to scan the attachment. In this case it was around 101 seconds.
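As an added example (not the author’s o365-atp-timer.ps1 or the Kloud script), the following PowerShell measures the same difference from the message trace. It assumes an open Exchange Online PowerShell session, that both test messages came from the same sender address, and that the trace detail exposes Receive and Deliver events for each message.

```powershell
# Added example (not the author's o365-atp-timer.ps1 or the Kloud script).
# Assumes an open Exchange Online PowerShell session, and that the message
# trace detail exposes 'Receive' and 'Deliver' events for each message.

function Get-TransitSeconds {
    param($Trace, [string]$RecipientAddress)
    # Per-message events; the scan time sits between arrival and delivery.
    $events  = Get-MessageTraceDetail -MessageTraceId $Trace.MessageTraceId `
                                      -RecipientAddress $RecipientAddress
    $receive = ($events | Where-Object Event -eq 'Receive' | Sort-Object Date | Select-Object -First 1).Date
    $deliver = ($events | Where-Object Event -eq 'Deliver' | Sort-Object Date | Select-Object -Last 1).Date
    if (-not $receive -or -not $deliver) { return $null }   # trace incomplete (still scanning?)
    return [math]::Round(($deliver - $receive).TotalSeconds, 1)
}

function Measure-AtpScanDelay {
    param(
        [Parameter(Mandatory)][string]$Sender,     # the external account both tests were sent from
        [Parameter(Mandatory)][string]$Recipient,  # the ATP-licensed mailbox
        [int]$LookBackMinutes = 60
    )
    $end   = Get-Date
    $start = $end.AddMinutes(-$LookBackMinutes)

    # The two most recent messages from the sender: one plain, one with the attachment.
    $traces = @(Get-MessageTrace -SenderAddress $Sender -RecipientAddress $Recipient `
                                 -StartDate $start -EndDate $end |
                Sort-Object Received -Descending | Select-Object -First 2)

    if ($traces.Count -lt 2) {
        Write-Warning "Expected both test messages in the trace, found $($traces.Count). Trace data can lag by several minutes; retry shortly."
        return
    }

    # The larger of the two is the one carrying the attachment.
    $withAttachment = $traces | Sort-Object Size -Descending | Select-Object -First 1
    $plain          = $traces | Where-Object { $_.MessageTraceId -ne $withAttachment.MessageTraceId } |
                      Select-Object -First 1

    $tPlain = Get-TransitSeconds -Trace $plain          -RecipientAddress $Recipient
    $tAtt   = Get-TransitSeconds -Trace $withAttachment -RecipientAddress $Recipient
    if ($null -eq $tPlain -or $null -eq $tAtt) {
        Write-Warning 'One message has no Deliver event yet (Dynamic Delivery may still be scanning). Wait and rerun.'
        return
    }

    [pscustomobject]@{
        PlainMessageSeconds      = $tPlain
        AttachmentMessageSeconds = $tAtt
        AttachmentSizeBytes      = $withAttachment.Size
        ExtraScanSeconds         = [math]::Round($tAtt - $tPlain, 1)   # the figure the post reports
    }
}

# Example call with placeholder addresses:
# Measure-AtpScanDelay -Sender 'tester@example.com' -Recipient 'user@contoso.example'
```

If the plain message has the larger transit time, the result is negative; that usually means trace data for the attachment message was not yet complete, so rerun after a few minutes.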

There is no real guidance from Microsoft on how long ATP scanning should take, so if you do run this script I’d really appreciate you completing this short survey:

ATP Timings

so we can get an idea of what people are seeing out there with ATP. That should also give us an ‘average’ figure we can use to understand ‘normal’ ATP performance.

The survey has one required field, the time in seconds you received, but if you could also indicate the size of the attachment you tested, that would help us understand whether the size of the attachment plays a role in any way.

Like I said, my experience has been that ATP never takes more than around 2 minutes to do attachment scanning, but I’d love to get your feedback in the survey if you run this script. Thanks again to Kloud for their blog post around this and doing the hard scripting yards.

CIAOPS Learn is here

One of the most common stumbling blocks I see with businesses today, especially when it comes to using technology, is that most simply don’t have the minimum skills to drive productivity benefits. This means that technology becomes more of a hindrance than a help.

This lack of digital literacy has arisen simply because of the low priority that training has been given within the organisation. Many businesses seem to expect their staff to learn technology on ‘the fly’ or in their own time. This is not an environment where people can grow their knowledge about the products and most simply revert to using the ‘minimum’ with each product and fail to explore the full range of options and services that are available to them.

This lack of digital literacy is even more the case with services like Office 365 that are constantly being upgraded and enhanced. Without dedicated time for learning, the vast majority of the benefits of these tools are going to remain hidden from the business. This in turn makes it less competitive and productive.

The challenge with traditional training is that sending people ‘back to school’, where they attend all-day training courses, is simply not feasible or consistent enough, not to mention expensive. Trying to pick up information from the web or YouTube can result in actually getting wrong or misleading information.

With these challenges in mind I am happy to announce the CIAOPS Learn program that provides web based video training for Office 365 across the whole range of services. From Outlook to OneNote, from OneDrive to Stream, you’ll find it here. For a simple per user per month cost you can give people access to a vast array of up to date training material. You can also customise the learning paths that people take as well as see a dashboard of their progress.

Because this is a per-user, per-month service, you can subscribe for as long as you need. You can also sign up for as many licenses as you need at any time. There are single and multiple user options. Payments are handled directly via the CIAOPS Academy, but invoicing in AU$ is also possible, as are options for resellers.

To find out more about the service visit:

www.ciaopslearn.com

where you’ll find more information as well as how to sign up immediately using the portal. CIAOPS Gold and Silver patrons also receive free access to the portal as part of their benefits, so if you are supporting the Microsoft Cloud you should become a Patron today to receive access to this plus a range of additional benefits.

The better you can utilise technologies like Office 365, the more productive and profitable your business will be. With CIAOPS Learn you are now able to do this and stay up to date for a low monthly fee.

Become digitally literate today: join the CIAOPS Learn program.

Using Azure Automation to schedule Office 365 mailbox forward checks

One of the many things I say is that you should not think of Office 365 or Microsoft 365 alone; you should think of incorporating services like Azure as well, since they provide a huge amount of additional functionality, as I have detailed here before:

Add Azure to Office 365 for more flexibility

As I have also pointed out, I believe you should deploy Azure immediately with Office 365:

Deploy Office 365 and Azure together

because until you start using Azure it isn’t going to cost you anything since Azure billing is typically consumption based. That is, you are only billed for what you use.

Now, one of the ways you can use Azure is to take advantage of its automation abilities. This is really handy when you want to run a repeated process. One such process that I believe you should run regularly is checking for mailbox forwards in Office 365 tenants. I have detailed how to do this manually using a PowerShell script here:

PowerShell script to check email forwards

So, thanks to Azure automation we can take the heart of this script and automate it to run regularly against our tenant and provide an email report on which mailboxes have forwards enabled. Thus, Azure Automation allows us to automate the execution of PowerShell scripts to make life easier.

To enable all this you are going to need to use an Azure account with a paid subscription. It doesn’t have to be the same tenant as the Office 365 one, it just has to be a tenant with a paid subscription because there are costs (very slight) to running Azure Automation.

Once you have logged into your Azure tenant, locate Azure Automation Accounts and select the Add button in the top left to create a new account to use.

Give the new Azure Automation Account a name, paid subscription, resource group and location. Then select Create.

Once created, you’ll see an overview of the new account as shown above.

From the menu on the left locate Modules and select it.

Because this is a new automation account it will only have the standard PowerShell modules included. We need to go and add the one for Office 365.

We can find the Office 365 PowerShell module by selecting the option to Browse gallery from the buttons across the top on the right.

Do a search for “online” and the first result should be MSOnline as you see above.

Select this module to add it.

You should now see more detail about the module displayed. Select the Import button at the top of the page to include that module in this new Automation Account.

In a few moments you should get a message letting you know the module has been imported successfully. Remember, you only need to do this once for any new Automation Account from which you wish to run commands against Office 365.

Return to the list of items for the Automation Account, locate the option for Credentials and select it. It is a few items below the Modules option you just selected.

Select Add a credential at the top of the page.

Now enter the details for the user who is going to log in to the Office 365 tenant when executing the script. This will typically be a global administrator that doesn’t have MFA enabled on the account. The credentials are stored securely in Azure and will be accessed using the name you give the credential here (in this case m365B555418).

Generally, you will only need one set of credentials in your Automation Account but it is possible to have as many as you want for performing different tasks.

Select Create to complete this process.

From the Automation Account menu locate Runbooks and select it.

From the menu across the top select Add a runbook.

Select the option to Create a new runbook. Give the runbook a Name and select the type as PowerShell. Then select Create to establish the area for your code.

This should then take you to an editor where you can enter your code as shown above.

Rather than re-inventing the wheel, you can use my code here:

https://github.com/directorcia/Azure/blob/master/runbook/scripts/O365.ps1

which you can just copy and paste in place.

With that done, your screen should look like the above.

A few things to note here. Ensure that you change the name in the first line of the code to match the name of the credential you created earlier because it is from here that the login details for the Office 365 tenant will be sourced. You will also need to change email addresses on the last line of the script to match your environment. Remember, if you don’t I’ll know who it is!

The code is pretty short and sweet. All it does is look for any account that has any sort of forward enabled and sends those details through. If no forwards are found you’ll also get a message indicating that.

Feel free to modify and improve the script as you see fit, this version is simply designed to demonstrate what is possible.
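The following is an added example runbook, not the author’s O365.ps1 from the repository above. It assumes a credential asset named O365-Reporting, placeholder report addresses, and the classic Basic-auth remoting endpoint in use when the post was written; Exchange Online has since moved to the ExchangeOnlineManagement module, so adjust the connection step on a current tenant.

```powershell
# Added example runbook (not the author's O365.ps1). Assumptions: an Automation
# credential asset named 'O365-Reporting' and placeholder report addresses.
$credentialName = 'O365-Reporting'          # change to your credential asset name
$reportTo       = 'secops@example.com'      # placeholder, change to your address
$reportFrom     = 'automation@example.com'  # placeholder, a mailbox the credential can send as

$cred = Get-AutomationPSCredential -Name $credentialName

# Classic Exchange Online remoting as used when the post was written. The account
# only needs rights to read recipient and inbox-rule configuration.
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri 'https://outlook.office365.com/powershell-liveid/' `
    -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $session -DisableNameChecking -AllowClobber | Out-Null

$findings  = New-Object System.Collections.Generic.List[object]
$mailboxes = Get-Mailbox -ResultSize Unlimited

foreach ($mbx in $mailboxes) {
    # 1. Forwards set on the mailbox itself (by an admin or via OWA settings).
    if ($mbx.ForwardingAddress -or $mbx.ForwardingSmtpAddress) {
        $target = if ($mbx.ForwardingSmtpAddress) { $mbx.ForwardingSmtpAddress } else { $mbx.ForwardingAddress }
        $findings.Add([pscustomobject]@{
            Mailbox  = $mbx.UserPrincipalName
            Source   = 'MailboxProperty'
            Target   = "$target"
            KeepCopy = $mbx.DeliverToMailboxAndForward
        })
    }
    # 2. Inbox rules that forward or redirect; these never show in the mailbox
    #    properties. One call per mailbox, so this is slow on large tenants.
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            $targets = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo) |
                       Where-Object { $_ }
            $findings.Add([pscustomobject]@{
                Mailbox  = $mbx.UserPrincipalName
                Source   = "InboxRule:$($_.Name)"
                Target   = ($targets -join ';')
                KeepCopy = -not $_.RedirectTo
            })
        }
}

Remove-PSSession $session

$body = if ($findings.Count -eq 0) {
    'No mailbox forwards or forwarding inbox rules found.'
} else {
    "$($findings.Count) forward(s) found:`n" + ($findings | Format-Table -AutoSize | Out-String)
}

Send-MailMessage -From $reportFrom -To $reportTo `
    -Subject "Mailbox forward report $(Get-Date -Format 'yyyy-MM-dd')" `
    -Body $body -SmtpServer 'smtp.office365.com' -Port 587 -UseSsl -Credential $cred
```

Inbox rules are included because a forward created through Outlook rules does not appear in the mailbox’s ForwardingAddress or ForwardingSmtpAddress properties.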

When you have finished editing your script, select Publish in the top left as shown. Remember to always do this anytime your code changes or is updated.

You’ll now be taken back to the Runbook overview. Here, select the Start button in the menu to run the script immediately.

You will now be taken to the Job summary page as shown above. You can check on the progress of the job from the Job Status field as shown.

The job will first be queued and then run.

In a matter of moments the job should complete as you see above. If there are any errors or exceptions with your code then they will be visible in this summary page.

If everything went to plan, you should see an email like that shown above indicating the process has completed successfully.

Each job run is recorded in a log on the summary page as shown above. Clicking on that job will give you more details.

We started this whole process with the aim of automating something, so now that we have confirmed the script runs as expected, we need to schedule it.

From the Runbook menu across the top select Schedule.

Complete your desired schedule for this process. Typically, it will be daily as shown above. When you have configured the desired options select Create and your job will now run on that schedule.

You can return to Azure Automation at any time to view and adjust your job but always remember to Publish your code if you make any changes.

Hopefully, I’ve shown you how straightforward it is to use Azure Automation with PowerShell scripting to run regular processes against your Office 365 tenants. There are many, many things you can automate thanks to PowerShell and Azure, so go forth and automate!

Script to check mailbox settings

I’ve just uploaded a new PowerShell script to my Github repository, which you can find here:

https://github.com/directorcia/Office365/blob/master/o365-mx-check.ps1

This one will cycle through all the mailboxes you have and then report back the status, as you can see above. Basically, anything in red is bad (i.e. having POP3 and IMAP enabled, or an email forward) and green is good (like having Litigation Hold and Archive enabled).

The script doesn’t make any changes to the mailboxes; it basically just reports back the status so you can see what is configured and what is not. You can adjust variables like the log and deleted item limits to suit your needs, but they are set at the default levels of the tenant (which generally should be increased).
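As an added example, not the author’s o365-mx-check.ps1, this PowerShell produces the same kind of red/green report for the settings the post calls out. It assumes an open Exchange Online PowerShell session and only reads mailbox settings.

```powershell
# Added example (not the author's o365-mx-check.ps1). Assumes an open Exchange
# Online PowerShell session; it only reads settings and never changes them.
function Get-MailboxPosture {
    Get-Mailbox -ResultSize Unlimited | ForEach-Object {
        $cas = Get-CASMailbox -Identity $_.Identity   # protocol settings live on the CAS object
        [pscustomobject]@{
            Mailbox        = $_.UserPrincipalName
            PopEnabled     = [bool]$cas.PopEnabled                                     # red if true
            ImapEnabled    = [bool]$cas.ImapEnabled                                    # red if true
            HasForward     = [bool]($_.ForwardingAddress -or $_.ForwardingSmtpAddress) # red if true
            LitigationHold = [bool]$_.LitigationHoldEnabled                            # green if true
            ArchiveEnabled = ($_.ArchiveStatus -eq 'Active')                           # green if true
        }
    }
}

# Which settings are bad when on versus good when on, mirroring the post's colours.
$badWhenTrue  = 'PopEnabled', 'ImapEnabled', 'HasForward'
$goodWhenTrue = 'LitigationHold', 'ArchiveEnabled'

function Show-MailboxPosture {
    param([Parameter(ValueFromPipeline)]$Row)
    process {
        Write-Host ('{0,-45}' -f $Row.Mailbox) -NoNewline
        foreach ($name in $badWhenTrue + $goodWhenTrue) {
            $on     = [bool]$Row.$name
            $isGood = if ($badWhenTrue -contains $name) { -not $on } else { $on }
            $colour = if ($isGood) { 'Green' } else { 'Red' }
            Write-Host (' {0}={1}' -f $name, $on) -ForegroundColor $colour -NoNewline
        }
        Write-Host ''
    }
}

# Coloured console report; pipe Get-MailboxPosture to Export-Csv instead to keep a record.
Get-MailboxPosture | Show-MailboxPosture
```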

Ensure you check back over time as I improve the scripts and don’t forget to check the others that I have available there.

August Office 365 Webinar Resources

Slides from this month’s webinar are at:

https://www.slideshare.net/directorcia/august-2018-office-365-need-to-know-webinar

If you are not a CIAOPS patron and you want to view or download a full copy of the video from the session, you can do so here:

http://www.ciaopsacademy.com.au/p/need-to-know-webinars

Watch out for next month’s webinar.

Initial setup of an Office 365 PowerShell environment

Here’s a video I did to help people set up their PowerShell environment to support Office 365 and Microsoft 365 environments.

You’ll see how to install the various modules on a Windows 10 desktop as well as how to configure the environment and run scripts.

Once you have all this set up, of course, you can visit my Github repository at:

https://github.com/directorcia

and grab all the scripts I have there for Office 365 and Azure. Why re-invent the wheel, I say? Just use what is already there for free.

Hopefully, this will enable you to get started using scripting to manage your Microsoft Cloud environment.

Need to Know Podcast–Episode 188

I’m joined in this episode by a regular guest on the podcast, Jeff Alexander from Microsoft, to speak about modern identity in the cloud. We focus on the role that Azure Active Directory can play in your organisation and how it can be used to protect users’ identities. If you are looking to understand how to better manage user security using the cloud, then look no further. Before this, however, Brenton and I cover all the latest Microsoft Cloud news to ensure you are up to date with the latest.

Take a listen and let us know what you think at feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-188-jeff-alexander/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

@jeffa36

@contactbrenton

@directorcia

How Azure AD is run

Guides for consuming Azure AD workloads

Gartner magic quadrant

Privileged Accounts

Enable subscription management in your tenant

Password spray attacks

Password Guidance

Security best practices

Azure AD Conditional access

Azure AD identity protection

Microsoft has new plan for managing Windows 10 devices

Office 365 anti spoofing

NotPetya cyberattack

OneDrive camera upload for OneDrive for Business on iOS

Microsoft Teams Australian data residency announced

Microsoft underwater data centers

Azure DNS 100% availability

Microsoft Ignite sessions

Office 365 Alert activity options

Recently I wrote an article about setting an alert for file download in Office 365. This is just one of many alert conditions you can configure in Office 365 here:

Here is a list of all the conditions you can set and more details on each.

Common user activities
     – User submitted email = User reported a problem with mail filtering. This can include false positives, missed spam, or missed phishing email messages.
     – Detected malware in files = Office 365 detected malware in either a SharePoint or OneDrive file.
     – Shared file or folder = User shared or granted access to a file or folder.
     – Create mail forward/redirect rule = User created an inbox rule to forward or redirect mails.
     – Any file or folder activity = User performed any file or folder activity.
     – Change file or folder = User deleted, modified or renamed a file or folder.
     – Shared file externally = User shared, granted access of a file or folder to an external user, or created an anonymous link for it.
     – Granted Exchange admin permission = User granted admin permission to themselves or another user.
     – Granted mailbox permission = User granted permission for themselves or another user to access a target mailbox.
     – External user file activity = An external user accessed, modified, deleted or checked in a file.
     – DLP policy match = A data loss prevention policy match is detected.
    
File and folder activities
     – Accessed files = User or system account accesses a file
     – Checked in file = User checks in a document that they checked out from a document library
     – Checked out file = User checks out a document located in a document library. Users can check out and make changes to documents that have been shared with them
     – Copied file = User copies a document from a site. The copied file can be saved to another folder on the site.
     – Deleted file = User deletes a document from a site.
     – Discarded file checkout = User discards (or undoes) a file checkout. That means any changes they made to the file while it was checked out are discarded, and not saved to the version of the document in the document library.
     – Downloaded files = User downloads a document from a site.
     – Modified file = User modifies a document on a site.
     – Move file = User moves a document from its current location on a site to a new location.
     – Renamed file = User renames a document on a site.
     – Restored file = User restores a document from the recycle bin of a site.
     – Uploaded file = User uploads a document to a folder on a site.
    
File sharing activities
     – Accepted access request = An access request to a site, folder, or document was accepted and the requesting user has been granted access.
     – Accepted sharing invitation = User (member or guest) accepted a sharing invitation and was granted access to a resource. This event includes information about the user who was invited and the email address that was used to accept the invitation (they could be different). This activity is often accompanied by a second event that describes how the user was granted access to the resource, for example, adding the user to a group that has access to the resource.
     – Created company shareable link = User created a company-wide link to a resource. Company-wide links can only be used by members in your organization. They can’t be used by guests.
     – Create access request = User requests access to a site, folder, or document they don’t have permissions to access.
     – Created anonymous link = User created an anonymous link to a resource. Anyone with this link can access the resource without having to be authenticated.
     – Created sharing invitation = User shared a resource in SharePoint Online or OneDrive for Business with a user who isn’t in your organization’s directory.
     – Denied access request = An access request to a site, folder, or document was denied.
     – Removed a company shareable link = User removed a company-wide link to a resource. The link can no longer be used to access the resource.
     – Removed anonymous link = User removed an anonymous link to a resource. The link can no longer be used to access the resource.
     – Shared file, folder or site = User (member or guest) shared a file, folder, or site in SharePoint or OneDrive for Business with a user in your organization’s directory. The value in the Detail column for this activity identifies the name of the user the resource was shared with and whether this user is a member or a guest. This activity is often accompanied by a second event that describes how the user was granted access to the resource; for example, adding the user to a group that has access to the resource.
     – Updated an anonymous link = User updated an anonymous link to a resource. The updated field is included in the EventData property when you export the search results.
     – Used an anonymous link = An anonymous user accessed a resource by using an anonymous link. The user’s identity might be unknown, but you can get other details such as the user’s IP address.

Synchronization events
     – Allowed computer to sync files = User successfully establishes a sync relationship with a site. The sync relationship is successful because the user’s computer is a member of a domain that’s been added to the list of domains (called the safe recipients list) that can access document libraries in your organization.
     – Block computer from syncing files = User tries to establish a sync relationship with a site from a computer that isn’t a member of your organization’s domain or is a member of a domain that hasn’t been added to the list of domains (called the safe recipients list) that can access document libraries in your organization. The sync relationship is not allowed, and the user’s computer is blocked from syncing, downloading, or uploading files on a document library.
     – Downloaded files to computer = User establishes a sync relationship and successfully downloads files for the first time to their computer from a document library.
     – Downloaded file changes to computer = User successfully downloads any changes to files from a document library. This activity indicates that any changes that were made to files in the document library were downloaded to the user’s computer. Only changes were downloaded because the document library was previously downloaded by the user (as indicated by the Downloaded files to computer activity).
     – Uploaded files to a document library = User establishes a sync relationship and successfully uploads files for the first time from their computer to a document library.
     – Uploaded file changes to document library = User successfully uploads changes to files on a document library. This event indicates that any changes made to the local version of a file from a document library are successfully uploaded to the document library. Only changes are uploaded because those files were previously uploaded by the user (as indicated by the Uploaded files to document library activity).

Site administration activities
     – Added exempt user agent = Global administrator adds a user agent to the list of exempt user agents in the SharePoint admin center.
     – Added site collection admin = Site collection administrator or owner adds a person as a site collection administrator for a site. Site collection administrators have full control permissions for the site collection and all subsites.
     – Added user or group to SharePoint group = User added a member or guest to a SharePoint group. This might have been an intentional action or the result of another activity, such as a sharing event.
     – Allowed user to create groups = Site administrator or owner adds a permission level to a site that allows a user assigned that permission to create a group for that site.
     – Change exempt user agents = Global administrator customized the list of exempt user agents in the SharePoint admin center. You can specify which user agents to exempt from receiving an entire web page to index. This means when a user agent you’ve specified as exempt encounters an InfoPath form, the form will be returned as an XML file, instead of an entire web page. This makes indexing InfoPath forms faster.
     – Changed sharing policy = An administrator changed a SharePoint sharing policy by using the Office 365 Admin center, SharePoint admin center, or SharePoint Online Management Shell. Any change to the settings in the sharing policy in your organization will be logged. The policy that was changed is identified in the ModifiedProperty field property when you export the search results.
     – Created group = Site administrator or owner creates a group for a site, or performs a task that results in a group being created. For example, the first time a user creates a link to share a file, a system group is added to the user’s OneDrive for Business site. This event can also be a result of a user creating a link with edit permissions to a shared file.
     – Created send to connection = Global administrator creates a new Send To connection on the Records management page in the SharePoint admin center. A Send To connection specifies settings for a document repository or a records center. When you create a Send To connection, a Content Organizer can submit documents to the specified location.
     – Created site collection = Global administrator creates a new site collection in your SharePoint Online organization.
     – Deleted group = User deletes a group from a site.
     – Deleted sent to connection = Global administrator deletes a Send To connection on the Records management page in the SharePoint admin center.
     – Enabled document preview = Site administrator enables document preview for a site.
     – Enabled legacy workflow = Site administrator or owner adds the SharePoint 2013 Workflow Task content type to the site. Global administrators can also enable work flows for the entire organization in the SharePoint admin center.
     – Enabled Office on Demand = Site administrator enables Office on Demand, which lets users access the latest version of Office desktop applications. Office on Demand is enabled in the SharePoint admin center and requires an Office 365 subscription that includes full, installed Office applications.
     – Enabled RSS feeds = Site administrator or owner enables RSS feeds for a site. Global administrators can enable RSS feeds for the entire organization in the SharePoint admin center.
     – Enabled result source for People Searches = Site administrator creates or changes the result source for People Searches for a site.
     – Modified site permissions = Site administrator or owner (or system account) changes the permission level that are assigned to a group on a site. This activity is also logged if all permissions are removed from a group.
     – Removed user or group from SharePoint group = User removed a member or guest from a SharePoint group. This might have been an intentional action or the result of another activity, such as an unsharing event.
     – Renamed site = Site administrator or owner renames a site.
     – Requested site admin permissions = User requests to be added as a site collection administrator for a site collection. Site collection administrators have full control permissions for the site collection and all subsites.
     – Set host site = Global administrator changes the designated site to host personal or OneDrive for Business sites.
     – Updated group = Site administrator or owner changes the settings of a group for a site. This can include changing the group’s name, who can view or edit the group membership, and how membership requests are handled.