A painful bulk email sending lesson

I needed to get some event registration and Microsoft Teams meeting details out to around 100+ users recently. So, I composed the email, Bcc’d people and pressed Send as I always do.

image

Not longer after, I get a failed delivery to all those addresses as you can see above. The message reads:

Your message couldn’t be delivered because you weren’t recognized as a valid sender. The most common reason for this is that your email address is suspected of sending spam and it’s no longer allowed to send email. Contact your email admin for assistance.

What the hell is going on here I thought? I’ve done this before, what’s wrong?

image

As always, the issue has to do with the email security settings I have. One of my primary recommendations with outbound spam filtering is to limit the amount of emails that a user can send per hour and then block them once they reach this threshold.

I had, of course, gone for a very low setting because ‘I never send more than 90 email per hour’ to external recipients. We’ll guess what? The email I just tried to send  crossed that threshold and now I was blocked as a user. I could no longer send ANY emails!

So that’s the why, now the how to fix it so I could again send emails?

image

Initially, I thought that I’d just go in and change the policy and bump up the threshold plus set the action to alert only. Surely, that’ll fix my problem, right? After retrying 5 minutes, 10 minutes, etc up to 1 hour after the change, I still had the same issue. Damm!

image

As it turns out, because I had contravened that outbound spam policy I’d ended up as a ‘Restricted user’, as shown above. The direct URL to this portal is:

https://security.microsoft.com/restrictedusers

I could go in there and select the Unblock link to the right of my login.

image

I’m take through a wizard as shown above, giving me the reason why I have been restricted and some recommendations.

image

Given that I already have MFA enabled and I’m happy that my password has not been compromised, I select the Unblock user button at the bottom of the page. Note, the warning at the bottom of the page here:

It may take up to 1 hour before restrictions are removed

Damm!

image

I receive a last warning about removing the restrictions, to which I select Yes to continue.

After waiting the 1 hour, as directed, I was back in business.

In summary, it is always the exception that catches you out. I had never before crossed the outbound threshold limits before. I must have been close, but clearly this send was above those limits and resulted in contravention of the policy. The result being that I ended up on the restricted user list, unable to send. Once I had worked out how to get myself off that list, by visiting the appropriate portal, it was easy enough to get things back in order, although the up to 1 hour wait for this removal process to complete should not be overlooked.

After this learning experience, the question is now, what should my outbound spam policy be set to? I rarely send this many emails within an hour time frame, but I may indeed need to do so in the future again at some point? Should I increase the limit from 90? Should I also change the action from restrict to just alert? All very good questions I’ll need to consider.

So the learning from this experience is, when you get a security exception, where do you look to work out why it has happened? Second, how to ‘allow’ it if the action was not an exploit? Finally, what adjustments should be taken in the policy to avoid the same instance happening again in the future. Security is not an exact science and it is exceptions that cause you the greatest pain. Sometimes that pain will be due to a false positive, but in the end, I’d rather experience that pain than a full on breach!

CIAOPS Need to Know Microsoft 365 Webinar – March

laptop-eyes-technology-computer

Security is something that you need to regularly re-visit and re-evaluate. It’s about time we did this for Microsoft 365 to learn what’s new and how best to defend our tenants against attackers. In this session I’ll cover off the latest security learnings and provide you with a check list to help you secure your Microsoft 365 information better. I’ll also have the latest news from Microsoft and as always there will be time for your questions.

You can register for the regular monthly webinar here:

March Webinar Registrations

The details are:

CIAOPS Need to Know Webinar – March 2021
Friday 26th of March 2021
11.00am – 12.00am Sydney Time

All sessions are recorded and posted to the CIAOPS Academy.

The CIAOPS Need to Know Webinars are free to attend but if you want to receive the recording of the session you need to sign up as a CIAOPS patron which you can do here:

http://www.ciaopspatron.com

or purchase them individually at:

http://www.ciaopsacademy.com/

Also feel free at any stage to email me directly via director@ciaops.com with your webinar topic suggestions.

I’d also appreciate you sharing information about this webinar with anyone you feel may benefit from the session and I look forward to seeing you there.

Email overrides are not best practice

I see a lot of email configurations in Microsoft 365 that use some form of override to ‘get around’ a delivery issue. Doing so is simply not best practice and in fact opens you up for additional attacks.

For more information, let’s review the Microsoft document:

Create safe sender lists in EOP

which says:

  • We don’t recommend managing false positives by using safe sender lists, because exceptions to spam filtering can open your organization to spoofing and other attacks.
  • Use Outlook safe senders – This method creates a high risk of attackers successfully delivering email to the Inbox that would otherwise be filtered; however, the user’s Safe Senders or Safe Domains lists don’t prevent malware or high confidence phishing messages from being filtered.
  • Use the IP allow lists – Without additional verification like mail flow rules, email from sources in the IP Allow List skips spam filtering and sender authentication (SPF, DKIM, DMARC) checks. This creates a high risk of attackers successfully delivering email to the Inbox that would otherwise be filtered; however, the IP Allow List doesn’t prevent malware or high confidence phishing messages from being filtered.
  • Use allowed sender lists or allowed domain lists – This method creates a high risk of attackers successfully delivering email to the Inbox that would otherwise be filtered; however, the allowed senders or allowed domains lists don’t prevent malware or high confidence phishing messages from being filtered. Do not use domains you own (also known as accepted domains) or popular domains (for example, microsoft.com) in allowed domain lists.

In short, if you are using white lists or the like you are creating a vulnerability in your environment that attackers can exploit. All inbound messages should be filtered through appropriately configured mail filtering policies. If you want information on setting these appropriately see:

Mail flow best practices for Exchange Online and Office 365

Best practices for configuring standalone EOP

Recommended settings for EOP and Defender for Office 365 security

To get an overall picture of all the message overrides in your environment visit the Security and Compliance admin portal:

image

Locate the Reports option on the left and then select Dashboard as shown, from the expanded options. Then on the right locate the Threat protection status tile as shown and select it.

image

From the pull down options in the top right, as shown above, select Message override.

image

You should now see a nice summary of any messages passing through your environment that are overriding your configurations. Don’t forget that you can also View details table and select to Filter in the top right of this report.

A direct link to this report can be found here:

Threat Protection status – Message override

Overriding policies conditions is something that should be avoided as much as possible, simply because it increases the risk in your environment. Also, if you haven’t already, go take a look at what messages are overriding in your environment today and try to eliminate these to improve your security.

Need to Know podcast–Episode 263

Welcome to 2021. I’m back with another year of podcasts focused on the Microsoft Cloud. Hope every one had a good break and ready to get into it. We kick of 2021 talking to MVP Alex Fields about security for SMB. Plenty of great take aways, so listen in a learn. I kick things off with news and updates from Microsoft as well. A jam packed episode.

This episode was recorded using Microsoft Teams and produced with Camtasia 2020.

Brough to you by www.ciaopspatron.com

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-263-alex-fields/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.Resources

@vanvfields – Alex Fields

@directorcia

ITProMentor

Alex’s publications

Center for Internet Security

What’s New in Microsoft Teams

Microsoft Lists Adoption

Microsoft Edge 88 Privacy and Security Updates

Bringing OneDrive settings into SharePoint admin center for streamlined, centralized control

Get the Microsoft Lists app for iOS

250GB File support in Microsoft 365

Microsoft surpasses $10 billion in security business revenue, more than 40 percent year-over-year growth

Removing Azure Enterprise app consented permissions

image

After installing the appropriate PowerShell modules you can connect to  the Microsoft Graph with PowerShell using the command:

connect-graph

as shown above. First thing to remember is that this process can’t be completed in the Power ISE, you’ll need to do it elsewhere (here, using Windows terminal). The second thing to note is that you can specific the scope with which you to connect. Thus, in this case, the scope will be Files.ReadWrite.All and Sites.Readwrite.all. The scope is in effect the permissions the current user will be given when they connect to the Microsoft Graph. This allows you to only provide permissions for exactly what you need.

image

During the connection process you’ll be asked to consent to the permissions just requested, as shown above. If you simply select Accept here, you are just consenting for the current user. However, if you check the Consent in behalf of your organization option you’ll be providing these permissions to ALL users in your tenant! For now, only consent will be granted for the current user. However, be very, very careful consenting for the whole organization as I will illustrate.

You can now happily go off and perform whatever actions you need to using PowerShell for the Microsoft Graph.

image

With security in mind, I went to have a look at where these permissions just consented to actually appear. You’ll find them by opening the Azure Portal and navigating to Azure Active Directory as shown above. From here, select Enterprise applications from the menu on the left.

image

From the screen that appears ensure All applications is select from the menu on the left. Then on the right, locate and select Microsoft Graph PowerShell as shown.

image

From the screen that now appears, select Permissions from the menu on the left as shown. On the right you’ll then be able to select either Admin consent or User consent.

Because the permissions assigned were only for a single user, the User consent item will show these to us as shown above. This list of permissions matches those consented to when connecting to the Microsoft Graph.

The right hand most column in this display, Grant by, has a hyperlink to show the number of users with this assigned permission.

image

If you select any of these hyperlinks, you’ll see a list of users, on the right, that have been assigned this permission appear on the right as shown above.

Can you see the problem yet? No? Well…….how do you REMOVE or revoke a permission here?

image

From what I can determine, you can’t remove the permissions via the portal. If you select Review permissions menu option you’ll see a item displayed from the right as shown above. If you select the option This application has more permissions that I want and basically told to use PowerShell to revoke all permissions for this application as well as being provided with the code to do so.

The issue is that even after you disconnect from the Microsoft Graph, having completed any scripting, those consented permissions remain in place i.e. they are NOT rescinded. This means that if the user account with these permissions to the Graph is compromised then that attacker has access to the Microsoft Graph and potentially lots of sensitive areas in a tenant, especially if the permissions have been added to over time. Imagine how much WORSE it gets if permissions were consented tenant wide, rather than to an individual user?

image

Selecting that little check box in the above Permissions requested dialog, which I see MANY people do without thinking, can really give you a security headache by opening up your Microsoft Graph permissions for EVERY user in the tenant!

Thus, best security practice is going to be to remove these permissions when they are no longer required as well as limiting who has them initially. Personally, I’d remove them after each interaction so I don’t forget and leave a potential attack vector.

To make doing all that a little easier, I have gone out and created a script that you’ll find in my Github repo:

https://github.com/directorcia/Office365/blob/master/graph-adappperm-del.ps1

image

If you run the script, it will first check whether the Azure AD PowerShell module is loaded. If it is, it will then ask you to login to your tenant. Then it will display a list of all the Azure AD applications in your tenant and allow you to select the ones you want to change (yes, you can select multiple Azure AD apps if you want) as shown above.

In this case, Microsoft Graph PowerShell application is selected.

image

You’ll then be prompted to select whether you wish to select Admin consent and/or User Consent permissions. You can select both here if you wish by using the CTRL and/or SHIFT key when making selections (i.e. just like when you use Windows Explorer).

image

If you selected User consent, you’ll then be prompted to select the users you want. Again, multiple selections are available if offered.

image

You’ll now be prompted to confirm you wish to delete these permissions for these users.

image

Those permissions will be removed and the script will continue to work through the rest of your selections.

In this case, because there were no Admin consented permissions for this application we receive a notification line as shown in above output.

image

If you now return and have a look at the permissions for that app in the portal, you should see they have all been removed as shown above.

Leaving users with standing permissions to something as powerful as the Microsoft Graph is not best security practice. It is therefore important to regularly review these and remove what is not required. If you need those permissions again in eth future, after they have been removed, you can always re-consent to them when you next connect to the Microsoft Graph.

End to End email protection with Microsoft 365–Part 6

This is part of a series of articles about email security in Microsoft 365. Please check out previous articles here:

End to End email protection with Microsoft 365 – Part 1

End to End email protection with Microsoft 365 – Part 2

End to End email protection with Microsoft 365 – Part 3

End to End email protection with Microsoft 365 – Part 4

End to End email protection with Microsoft 365 – Part 5

These articles are based on a model I have previously created, which you can read about here:

CIAOPS Cyber protection model

designed to help better explain expansive security included with Microsoft 365.


Email reporting and auditing

It’s now time to look at all the logging that occurs during even the simply process of receiving and viewing an email. For starters there is:

Message tracing

and

Message trace in the modern Exchange admin center

Message trace in the Security & Compliance Center follows email messages as they travel through your Exchange Online organization. You can determine if a message was received, rejected, deferred, or delivered by the service. It also shows what actions were taken on the message before it reached its final status.

There is also reporting options like:

Mail flow insights in the Security & Compliance Center

and

Mail flow reports in the Reports dashboard in Security & Compliance Center

as well as:

Microsoft 365 Reports in the admin center – Email activity

If you want to specifically look at email security there is:

Email security reports in the Security & Compliance Center

as well as:

Defender for Office 365 reports in the Reports dashboard in the Security & Compliance Center

and

Reports for data loss prevention (DLP)

I have also spoken about the importance of the Unified Audit Logs (UAL) in Microsoft 365:

Enable activity auditing in Office 365

Unified Audit Logs in Microsoft 365

and you need to ensure that these have been enabled so that you can:

View mailbox auditing

Starting in January 2019, Microsoft is turning on mailbox audit logging by default for all organizations. This means that certain actions performed by mailbox owners, delegates, and admins are automatically logged, and the corresponding mailbox audit records will be available when you search for them in the mailbox audit log.

Here are some benefits of mailbox auditing on by default:

  • Auditing is automatically enabled when you create a new mailbox. You don’t need to manually enable it for new users.

  • You don’t need to manage the mailbox actions that are audited. A predefined set of mailbox actions are audited by default for each logon type (Admin, Delegate, and Owner).

  • When Microsoft releases a new mailbox action, the action might be automatically added to the list of mailbox actions that are audited by default (subject to the user having the appropriate license). This means you don’t need to monitor add new actions on mailboxes.

  • You have a consistent mailbox auditing policy across your organization (because you’re auditing the same actions for all mailboxes).

With this auditing enabled you can do things like:

Reporting mailbox logins

and

Search the Office 365 activity log for failed logins

as well as

Audit Office 365 user logins via PowerShell

Many of the reports that you find in the Microsoft 365 Admin area can be scheduled to be sent via email per:

Scheduling compliance reports

Apart from auditing and security you can also do more typical things like:

Viewing mailbox usage

Viewing Email apps usage

The availability of all this data is covered here:

Reporting and message trace data availability and latency

typically being 90 days.


User reporting and auditing

For information more specifically about user logins into the service and the Identity container, the best place to look is in Azure Active Directory (AD).

What are Azure Active Directory reports?

Find activity reports in the Azure portal

Azure Active Directory sign-in activity reports – preview

Audit activity reports in the Azure Active Directory portal

and if you want use PowerShell

Azure AD PowerShell cmdlets for reporting

Device reporting and auditing

There are lots of options when it comes to monitoring and reporting on devices. Apart from what is offered locally you also have:

Intune report

Create diagnostic settings to send platform logs and metrics to different destinations

Manage devices with endpoint security in Microsoft Intune

You can even get telemetry data and analytics reports from your desktop applications via:

Windows Desktop Application Program


Aggregated data reporting and monitoring

As you can see with all the options above, it is easy to get to information overload trying to keep up with all those signals. Luckily Microsoft provides a range of services to aggregate all this for you to make monitoring and report easier.

The first is Microsoft Cloud App Security services:

Cloud App Discovery/Security

Microsoft Cloud App Security overview

Microsoft Cloud App Security data security and privacy

There are plenty of reasons why you really should have Microsoft Cloud App Security in your environment:

A great security add on for Microsoft 365

Office 365 Cloud App Discovery

Next, is Microsoft Defender for Endpoint that will aggregate security and threat information for devices in your environment and make it available in a single console.

Overview of Microsoft Defender Security Center

Microsoft Defender Security Center portal overview

Microsoft Defender for Endpoint

Microsoft Defender for Endpoint evaluation lab

Finally for me, there is Azure Sentinel, which I see as really the ultimate hub for event reporting, monitoring and alrtign across the whole service.

Another great security add on for Microsoft 365

Introduction to Azure Sentinel

Azure Sentinel is a service that growing in features rapidly:

A couple of new additions to Azure Sentinel

Stay ahead of threats with new innovations from Azure Sentinel


Summary

Hopefully, all this gives you some insight into all the auditing and usage data that Microsoft 365 captures during any interaction within the service. One of the biggest benefits is also how this information is integrated between services, especially those that aggregate information lime Microsoft Cloud App Security and Azure Sentinel. This means you don’t have to crawl through individual log entries, you can use a dashboard and drill down from there. I also like the fact that all of these services and data are accessible using a scripting tool like PowerShell if you want to automate this further.

Remember, throughout this six part series I’ve just looked at what happens when a single email is delivered and view with Microsoft 365. If you expand that out to all the services and capabilities that Microsoft 365 provides you can hopefully get a better appreciate of the protection it provides in place for your data on many different levels.

The call to action for readers is to go away and implement all the security features that Microsoft 365 provides. This may of course vary by the license that you have. You should then consider what additional security offerings the Microsoft cloud stack can offer that makes sense for your business, then implement those. Remember, security is not a destination, it is journey.

End to End email protection with Microsoft 365–Part 5

This is part of a series of articles about email security in Microsoft 365. Please check out previous articles here:

End to End email protection with Microsoft 365 – Part 1

End to End email protection with Microsoft 365 – Part 2

End to End email protection with Microsoft 365 – Part 3

End to End email protection with Microsoft 365 – Part 4

These articles are based on a model I have previously created, which you can read about here:

CIAOPS Cyber protection model

designed to help better explain expansive security included with Microsoft 365.

In the previous part we had arrived at the stage where the user had successfully logged into a Windows 10 device.

At this point, the user is most likely to launch Outlook to read their emails. Visually the process is going to look like:

image

The email has been delivered from outside the Microsoft 365 Service to the Data container. The User has authenticated themselves via various methods to the Device container. An App on the device will now apply the User authentication to allow the App access to Data container to retrieve the email so it can be displayed to the User.

The focus for this articles will be the access of the App (Outlook) to the email Data as mentioned.

When it comes to the security of this interaction the place to start is to ensure that the App (Outlook) is supported and up to date. The first thing to check is:

What version of Outlook do I have?

and make sure that it is supported by the Service:

Office versions and connectivity to Office 365 services

Given that most Microsoft 365 plans come with a subscription to Office on the desktop, the assumption here is that it is fact supported. There are various ways to:

Download and install or reinstall Microsoft 365 or Office 2019 on a PC or Mac

but for simplicity the assumption will be that it is installed and maintained using:

Deploy Microsoft 365 Apps with Microsoft Endpoint Configuration Manager

It is obviously very important to ensure that all applications that access secure data are updated regularly.

Choose how to manage updates to Microsoft 365 Apps

How to install the latest applicable updates for Microsoft Outlook (US English only)

The assumption will be that, via whatever method, the Microsoft Office desktop application are indeed up to date.

When the Outlook app runs, it will do so on the device, which will be typically connected to the public Internet. this means it is going to need top copy data from the secure Data container in the above model to the secure Device container which lives in another location.

Transferring secure data across an insecure medium like the Internet involves a lot of technology. A lot of them you can read here:

Exchange-Outlook Protocols Documentation

however the most relevant is probably:

How Exchange Online uses TLS to secure email connections

Microsoft 365 is also moving to TLS 1.2 in Office 365 for further security.

Once the email data has traversed from the Data container in Microsoft 365 to Outlook on the user Device is typically stored in an OST file on the local machine.

Introduction to Outlook Data Files (.pst and .ost)

This OST data file is not itself encrypted but the location in which it resides on the device is encrypted using BitLocker.

Outlook incorporates a number of in-built security features including:

Outlook blocked access to the following potentially unsafe attachments

Security Behavior of the Outlook Object Model

Protected Properties and Methods

New feature in Office 2016 can block macros and help prevent infection

Plan security settings for VBA macros in Office 2016

Enable or disable macros in Office files

Overview of the Junk Email Filter

Emails in Outlook will also be protected by Defender for Office 365:

Zero-hour auto purge (ZAP) in Exchange Online

Safe Links in Microsoft Defender for Office 365

Safe Attachments in Microsoft Defender for Office 365

Yet another layer of protection will be:

Microsoft Defender for Endpoint

including technologies like Attack Surface Reduction (ASR) which I have detailed previously:

Attack surface reduction for Windows 10

Further data protection can then be provided by Windows Information Protection (WIP) per:

Protect your enterprise data using Windows Information Protection (WIP)

“Windows Information Protection (WIP), previously known as enterprise data protection (EDP), helps to protect against this potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps.”

For example, if WIP was implemented, it would prevent user saving corporate attachment to non-compliant devices. Perhaps like a USB key.

Further still there is:

Azure Information Protection

which protects information no matter where it travels.

So even when a copy of the email is sitting in Outlook on the desktop it is and can be protected by a wide variety of technologies in Microsoft 365.

image

If we now take a step back and have a look at a summary of many of the protections we have been talking about so far we would see something like shown above. Remember here that all we have focused so far on is email! Many of these protections will in fact protect information as well as the protection it provides for email. The take away is, in a nutshell, there is a lot of stuff protecting user data provided by Microsoft 365.

Although there is a lot of protection capabilities in Microsoft 365, many of the protection services are either not enabled by default, require unique policies or have generic policies. It is important for each organisation to evaluate what their security requirements are (i.e. what they want to protect) and then implement the services available to them in Microsoft 365 to meet these requirements. The take away is, if you want all the protection features available in you need to configure them, they don’t all magically work to your requirements out of the box!

Also, simply enabling or configuring all these services is something that will need to be continually reviewed and adjusted over time. We’ll also cover that topic in some details in upcoming articles.

Now you can enable all these services and make everything super secure but doesn’t provide absolute security, because that simply doesn’t exist. It will certainly mitigate the majority of threats out there but it still means that the whole environment needs to be monitored constantly to ensure nothing is getting through. Remember, every time we cross a container boundary above, logs are generated. Where and how to use these logs will be the subject of the next part in this series, so stay tuned.

End to End email protection with Microsoft 365–Part 6


End to End email protection with Microsoft 365–Part 4

This is part of a series of articles about email security in Microsoft 365. Please check out previous articles here:

End to End email protection with Microsoft 365 – Part 1

End to End email protection with Microsoft 365 – Part 2

End to End email protection with Microsoft 365 – Part 3

These articles are based on a model I have previously created, which you can read about here:

CIAOPS Cyber protection model

designed to help better explain expansive security included with Microsoft 365.

In previous parts, we covered how an external email was delivered into the Microsoft 365 service and all the protections that it passed through until it finally came to rest in the Data container (user’s inbox) ready to be viewed. The next step in the process will therefore for the user to fire up their device to read the email. This article will therefore focus on the protections available for that device.

For the sake of simplicity we’ll focus on that being a modern device running at least a Windows 10 Professional. Of course, email from Microsoft 365 can be viewed on just about any devices these days, Windows or not, and all of these have unique and overlapping protections. However for the sake of brevity let’s just focus on the more common Windows 10 device for now.

A range of hardware device protection is available and recommended including:

and should already be in place to protect the device.

We will also assume that the Windows device is fully up to date

How to keep your Windows computer up to date

The device in question should also already live inside the Device container as shown in the above model. This is largely achieved thanks to being joined to Azure Active Directory (AD):

Azure AD joined devices

Join your work device to your organization’s network

Tutorial: Join a new Windows 10 device with Azure AD during a first run

When that device is turned on we want it to complete the:

Secure Windows boot process

Once the machine has booted and before the user has logged into the machine, thanks to being Azure AD joined, Microsoft Endpoint device policies have already been pushed and implemented on that machine per:

Manage device security with endpoint security policies in Microsoft Intune

Such policies could be enforcing disk encryption, implementing Attack Surface Reduction (ASR) and so on.

Importantly, you can also enforce device compliance policies to ensure devices meet a security standard before they are allowed to access any data:

Use compliance policies to set rules for devices you manage

All of this is achieved via:

Microsoft Endpoint Manager

which I have also written a whole series of articles to help provide a better understanding of the role that it plays with device security. You can read these articles here:

Modern Device Management with Microsoft 365 Business Premium–Part 1 of 10

Assuming that the device has booted and successfully completed all the protection processes associated with that have been correctly applied, it is now time for the user to login to that devices. This means that we now follow the User connector in our model shown above, into the Service container from outside, then onto the Device Container and so on.

The user’s identity is protected inside the Microsoft 365 service via a variety of mechanisms. When logging into a Windows 10 device they will typically need to provide their account and password details that were set up with the service. However, best practice would now be to use Windows Hello for Business.

Windows Hello for Business Overview

Windows Hello addresses the following problems with passwords:

  • Strong passwords can be difficult to remember, and users often reuse passwords on multiple sites.

  • Server breaches can expose symmetric network credentials (passwords).

  • Passwords are subject to replay attacks.

  • Users can inadvertently expose their passwords due to phishing attacks.

Many mistakenly believe that the Windows Hello PIN is all that protects a users access to device and the service when at login. That is in fact not the case as Windows Hello leverages the TPM hardware to provide a highly secure login to the service.

Why a PIN is better than a password

How Windows Hello for Business works

These days just a login and password are not enough to secure any identity, you MUST implement Multi Factor Authentication (MFA). Why? As Microsoft will tell you:

Your password doesn’t matter, but MFA does! Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA.

Your Pa$$word doesn’t matter

All your creds are belong to us!

So MFA, along with a number of other recommended steps, are what can be done with Microsoft 365 to protect user identity.

Five steps to securing your identity infrastructure

Windows Hello for Business requires all users perform multi-factor authentication prior to creating and registering a Windows Hello for Business credential. Importantly, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN. Many don’t appreciate that correctly configured Windows Hello for Business DOES provides MFA when users access their devices, while making the device login process seamless. If you are however still concerned about this ‘single credential’ being compromised then you can also implement:

Multifactor Unlock

It is also important to remember that MFA is provided FREE on all Microsoft 365 accounts and support a variety of methods including authenticator apps, hardware token and more.

Enable multi-factor authentication for free

Once the user has correctly provides a login and password, then completed their MFA challenged (or equivalent thanks to Windows Hello for Business) they would then be subject to Azure AD Conditional Access.

It is important to remember that Azure AD Conditional Access is evaluated AFTER a successful login from a user, not before! This means that it can’t be used to block things like Password Spray Attacks.

Conditional Access policies at their simplest are if-then statements, if a user wants to access a resource, then they must complete an action.

Conceptual Conditional signal plus decision to get enforcement

What is Conditional Access?

For example, user account access can be blocked if it comes from outside a specific country or region.

Conditional Access: Block access by location

and enforcing MFA

Conditional Access: Require MFA for all users

Conditional Access: Require MFA for administrators

Once any Conditional Access policies have been met the user will be able to login to their device. At this point additional Microsoft Endpoint Manager policies will be applied to that specific account now logged in. Such policies could restrict applications the user has access to, limit Windows functionality and so on.

Remember, all of these protections have taken only during the user has logging onto their device. They have not as yet run an application like Outlook to read the inbound emails. That is what is going to happen next and I’ll cover that process in the next part of the series, so stay tuned.

End to End email protection with Microsoft 365–Part 5