Time to enable more logging

Having logs enabled is a good thing because it allows you to track down information after the fact. This is especially handy when you are performing a security investigation. Here is some additional logging that I recommend you enable.

Start by navigating to:

https://entra.microsoft.com

You’ll need to log in with an administrative account that has the appropriate rights. Expand the menu on the left of the screen until you see Monitoring & health, as shown above.

Under this option you will find the menu item Diagnostic settings as shown above, which you select. This will display your diagnostic settings on the right. Here you can see that I am currently sending logs to a Log Analytics workspace, which is linked to Microsoft Sentinel for analysis. If you aren’t already sending your logs to a Log Analytics workspace you can set one up via the Add diagnostic setting hyperlink. I will assume here you already have something set up.

Select the Edit settings hyperlink under the Edit settings column on the right, as shown above.

Scroll down the categories of logs listed and ensure they are all selected so the logging data will be sent to Microsoft Sentinel via the Log Analytics workspace.

If you have already enabled this logging I suggest you go back in and check that all categories are selected as Microsoft has now added some additional items:

– EnrichedOffice365Auditlogs

– MicrosoftGraphActivityLogs

– RemoteNetworkHealthLogs

which I had to enable.

When you have completed your category selections press the Save button in the menu bar at the top of the window to update your preferences.
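If you manage more than one tenant, clicking through the portal to confirm every category is ticked gets old quickly. The following is an added example (not code from the original post or from the CIAOPS repos) that reads the tenant-level Entra ID diagnostic settings through the Azure Resource Manager API and lists any log category that is still switched off. It assumes the Az.Accounts module is installed and that you have already run Connect-AzAccount with an account that can read the microsoft.aadiam diagnostic settings; the REST path and api-version are taken from the Azure Monitor diagnostic settings API for Entra ID and should be treated as an assumption to check against current documentation if the call fails.

```powershell
# Added example: audit Entra ID diagnostic settings and report categories
# that are not enabled. Not part of the original post.
# Assumes: Az.Accounts installed, Connect-AzAccount already run.
# The path and api-version below are an assumption based on the Azure Monitor
# diagnostic settings API for Entra ID (microsoft.aadiam).

function Get-EntraDiagnosticCategoryState {
    param(
        # Optional: only report on the diagnostic setting with this name.
        # Constructed placeholder; use the name shown in the portal.
        [string]$SettingName
    )

    $path = '/providers/microsoft.aadiam/diagnosticSettings?api-version=2017-04-01'
    $response = Invoke-AzRestMethod -Path $path -Method GET
    if ($response.StatusCode -ne 200) {
        throw "Failed to read diagnostic settings: HTTP $($response.StatusCode) $($response.Content)"
    }

    $settings = ($response.Content | ConvertFrom-Json).value
    if ($SettingName) {
        $settings = $settings | Where-Object { $_.name -eq $SettingName }
    }

    foreach ($setting in $settings) {
        $props = $setting.properties
        # properties.logs holds one entry per log category with an enabled flag.
        foreach ($log in $props.logs) {
            [pscustomobject]@{
                Setting   = $setting.name
                Workspace = $props.workspaceId   # Log Analytics workspace resource ID
                Category  = $log.category
                Enabled   = [bool]$log.enabled
            }
        }
    }
}

# Usage: list categories that are still off so they can be enabled in the
# portal (the newer categories mentioned above tend to show up here).
$states   = @(Get-EntraDiagnosticCategoryState)
$disabled = @($states | Where-Object { -not $_.Enabled })

if ($disabled.Count -eq 0) {
    Write-Host "All $($states.Count) log categories in the returned diagnostic settings are enabled."
} else {
    Write-Host "$($disabled.Count) log categories are NOT enabled:"
    $disabled | Format-Table Setting, Category, Enabled -AutoSize
}
```

Run it after saving your changes in the portal; an empty list confirms nothing was missed, and when Microsoft adds another category later it will show up here before you notice the gap in Sentinel.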

This now means that you’ll have even more data in your Sentinel environment to help keep you secure.

Centralised Microsoft 365 Add in deployments with PowerShell

Almost 4 years ago I wrote this article:

Centralised Office 365 Add in deployments with PowerShell

Upon review, it seems that the FindTime add-in is no longer available. I have therefore updated the script:

https://github.com/directorcia/Office365/blob/master/o365-addin-deploy.ps1

to remove this and prevent errors.

If you have any Office add-ins that you believe should be deployed as a ‘standard’ to all users in a tenant, please let me know and I’ll look at adding them to the script.

blockMsolPowerShell blocks all users if set to true

One of the options in the Entra ID authorization policy, in the Default user permissions section, is a setting called blockMsolPowerShell which, when you dig into it, means:

Specifies whether the user-based access to the legacy service endpoint used by MSOL PowerShell is blocked or not.

Using my script:

https://github.com/directorcia/Office365/blob/master/graph-idauthpolicy-get.ps1

you can see whether this is enabled, which it is as shown above.

With this setting blockMsolPowerShell set to True, all user access to the msolservice PowerShell commands is blocked as shown above. This applies to ordinary users and administrators alike (even Global Administrators, which is the result I tested in the above screenshot). The user can connect to the service BUT they can’t run any msol commands as shown above.

Now given that the msolservice module will be deprecated on March 30, 2024 there shouldn’t be any issue disabling this for ALL users. However, you may want to make sure you test any Outlook add-ins or other third party apps you have in place that might have a dependency on the old msolservice module. The easiest way to achieve this is probably to simply block the access and see if problems arise. If they do, just make sure you know how to revert the setting. I think this is going to be the fastest way to determine if you have any dependencies, and what they are.

I would suggest that unless you have a dependency it should be disabled to improve the security of your environment.
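To make the “test it, and know how to revert” approach repeatable, here is an added example (not the author’s graph-idauthpolicy-get.ps1, and not part of the original post) that reads blockMsolPowerShell from the tenant authorization policy over Microsoft Graph and, if it is still false, turns it on while printing the one-liner needed to revert. It assumes the Microsoft.Graph.Authentication module is installed; reading the policy needs Policy.Read.All and writing it needs Policy.ReadWrite.Authorization.

```powershell
# Added example: read and set blockMsolPowerShell on the Entra ID
# authorization policy via Microsoft Graph. Not part of the original post.
# Assumes: Microsoft.Graph.Authentication installed.
# Scopes: Policy.Read.All (read), Policy.ReadWrite.Authorization (write).

$authPolicyUri = 'https://graph.microsoft.com/v1.0/policies/authorizationPolicy'

function Get-BlockMsolPowerShellState {
    # Returns the current value of blockMsolPowerShell on the tenant policy.
    $policy = Invoke-MgGraphRequest -Method GET -Uri $authPolicyUri
    [pscustomobject]@{
        DisplayName         = $policy.displayName
        BlockMsolPowerShell = [bool]$policy.blockMsolPowerShell
    }
}

function Set-BlockMsolPowerShell {
    param(
        [Parameter(Mandatory)]
        [bool]$Enabled
    )
    # PATCH only this one property so the rest of the policy is untouched.
    $body = @{ blockMsolPowerShell = $Enabled }
    Invoke-MgGraphRequest -Method PATCH -Uri $authPolicyUri -Body $body -ContentType 'application/json'
    Get-BlockMsolPowerShellState
}

# Usage
Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization' -NoWelcome

$before = Get-BlockMsolPowerShellState
Write-Host "blockMsolPowerShell is currently: $($before.BlockMsolPowerShell)"

if (-not $before.BlockMsolPowerShell) {
    # Block the legacy MSOL endpoint for all users, then test your add-ins and
    # third party apps. If something breaks, the revert is a single call.
    $after = Set-BlockMsolPowerShell -Enabled $true
    Write-Host "blockMsolPowerShell is now: $($after.BlockMsolPowerShell)"
    Write-Host 'To revert: Set-BlockMsolPowerShell -Enabled $false'
}
```

Because the PATCH body carries only the one property, nothing else in the default user permissions is changed, which keeps the before/after comparison honest when you are hunting for a dependency.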

Microsoft 365 Backup restore process

In a previous article:

Setting Microsoft 365 Backup policies

I determined that I liked the simplicity of setting up backups with Microsoft 365 Backup but the negative was a lack of reporting or alerting on the execution of these jobs.

I’m sorry to say that I also find the restoration process for Microsoft 365 lacking for a number of reasons.

1. The main reason is, at the moment, there is not really a granular restore option.

2. The restore option typically restores everything over the top of what is there already, effectively replacing it, or restores everything to a different location and then you have to manually copy the data across.

3. I also found selecting which actual backup to restore from cumbersome.

4. I found the restoration of Exchange Online mailboxes the most tricky when trying to restore a select amount of data. You have to filter what you are looking for via a few options. You kind of have to know what you want beforehand; you can’t just browse.

5. When the restore process actually runs you get no real indication of what it is doing; you simply have to wait for it to finish. My 1.28TB test SharePoint site took around 45 minutes to copy to a new location.

This may be me, but when I did a restore of a OneDrive for Business to another location, the destination into which it copied the data was blank!

I did this more than once and got the same result. I couldn’t find any new SharePoint sites in my environment or sub folders. As such I am still trying to find out where the data actually restored to, as it does say it is completed!

The good thing is the restore process is pretty straightforward. A wizard takes you through the process as shown above.

For example, if you want to restore a OneDrive for Business you select the item from a list.

You then need to select a time and date to restore from. This is somewhat cumbersome and would be much better if you could simply browse through the available backups. For now you need to select the date and time you want.

I’m not sure what “standard restore” means when you confirm the restore point as shown above.

When you select the destination you’ll see that it typically restores everything over the top, or everything to another location, and then you need to manually copy what you need and delete the rest.

You confirm the restore.

and you select Done.

Then at the bottom of the page are the restore tasks as shown above.

Even with the restore in progress, you’ll see you don’t get any information on progress or completion time. You’ll also note that it says the Destination will be available on restore,

but it wasn’t again unfortunately.

I found the mailbox restore process quite cumbersome.

If you want to restore selected content as shown above you need to select a time frame

and that time frame is 14 days maximum.

Then you need to add filters from the four options shown above.

Then you have to find any matches and, for me, most of the time I didn’t find any in my test environment, which was frustrating.

Remember, Microsoft 365 Backup is still in preview and will continue to improve and develop. However, as it stands now I don’t feel this is a viable alternative for people who do wish to restore their Microsoft 365 environment in a granular manner. I think as a disaster recovery tool, that is, back up everything and restore everything, over the top if needed, it would be fine.

Thus, in summary, for now, I think Microsoft 365 Backup could work as a disaster recovery service but for granular, item level restore – not so much. However, it is still very early days for this product, so keep your eye on what develops. I know I will.

Secure more with Secure Score in M365 online course

The live course Secure more with Secure Score in Microsoft 365 over the past four weeks has now completed. All materials, including recordings of each session are now available on demand.

I think this course does provide a good overview of suitable best practices across the Microsoft 365 environment. You’ll get the most from this course if you are a CIAOPS Patron, thanks to all the Patron scripts that are part of the subscription. As a CIAOPS Patron you’ll also get a sizable discount via a coupon code.

The aim of this training is to help configure security best practices inside your Microsoft 365 environment. You’ll learn what settings you should enable and why you should have these enabled. The sessions will also take you through common examples of configuring these settings and the impact they will have on your users. The course covers identities using EntraID, securing emails, devices as well as data using information protection services all included in Microsoft 365.

Watch out for more online courses from CIAOPS coming soon.

I’ve moved sec-test

It was bound to happen sooner or later, my security testing PowerShell script called sec-test.ps1 is being detected as malware on local machines.

Thus, I have relocated it from the more common Office365 repo into the less common examples repo here:

https://github.com/directorcia/examples/blob/main/sec-test.ps1

which contains a range of security testing files that typically get detected as malicious and which is generally not recommended to sync locally.

Thus, you can sync the Office365 repo down to your desktop to do all the Microsoft 365 PowerShell connecting and use the utilities there without something in there being detected as malware.

Defender for Office 365 Anti-phishing policies can protect externals as well!

My experience with most Microsoft 365 environments I see is that they fail to make use of all the features that are provided. None more so than when it comes to security. For example, most people don’t seem to appreciate that Defender for Office 365 (which is part of Business Premium) provides impersonation protection for internal AND external email addresses! It just needs to be configured. The details are here:

Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365

and as it says there:

You can use protected users to add internal and external sender email addresses to protect from impersonation.

but it is important to note:

User impersonation protection does not work if the sender and recipient have previously communicated via email. If the sender and recipient have never communicated via email, the message can be identified as an impersonation attempt.

This means you want to get the configuration of important external email addresses in place as soon as possible so any impersonation of those users can be evaluated. It is too late to do this after an internal user is already communicating with a scam (impersonated) domain.

You will also see that you can also configure protection for external domains, rather than just specific email addresses, for impersonation evaluation. This means that if the users inside the tenant deal with an important business that has its own email domain, one that is NOT part of that tenant, you can enter that domain in here. Makes a lot of sense when you are working with a business regularly that is doing stuff like invoicing, e-commerce or the like (honestly anything at all really).

Let’s say that I work with a business whose domain is ciaops.com. By enabling this impersonation protection early, if users in the tenant receive email from c1aops.com then it is far more likely to be detected because the system is looking out for spoofing of that external domain I entered in the policy.

Thus, if you have Microsoft Defender for Office 365 in your environment (and you do if you have Microsoft 365 Business Premium), then you can provide an extra level of protection by configuring the Anti-Phishing policy impersonation settings for both your important internal AND external users and domains (i.e. people and businesses you work with regularly). You should do that as early as possible to get the maximum protection the policy can provide. The key is that someone has to add the unique email addresses or domains into the policy; they are not added automatically, even internal email addresses. They ALL have to be added to the policy.

You can protect up to 350 unique email addresses and 50 unique domains, which is probably more than enough to cover everything a smaller business would need for internal and external users. Unfortunately, I rarely see this great capability enabled. It’s available if you have Microsoft Defender for Office 365 so go configure it and reduce the risk to the users in the tenant. Easy!
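Since the point is that someone has to add every address and domain by hand, it helps to script it so new staff and new suppliers go in consistently. The following is an added example (not from the original post or the CIAOPS repos) that uses the Exchange Online PowerShell Set-AntiPhishPolicy cmdlet to merge new protected users and domains into an existing anti-phishing policy, keeping what is already there and refusing to exceed the 350 user and 50 domain limits noted above. It assumes the ExchangeOnlineManagement module is installed and Connect-ExchangeOnline has been run; the policy name, the sample user and the action chosen (Quarantine) are assumptions, and the protected domain is the ciaops.com example used above.

```powershell
# Added example: add protected users and domains to a Defender for Office 365
# anti-phishing policy for impersonation protection. Not part of the original post.
# Assumes: ExchangeOnlineManagement installed, Connect-ExchangeOnline already run.
# The policy name, sample user and Quarantine action are assumptions.

function Add-ImpersonationProtection {
    param(
        [Parameter(Mandatory)][string]$PolicyName,
        # Users in the "Display Name;email@address" form the cmdlet expects
        [string[]]$UsersToProtect = @(),
        [string[]]$DomainsToProtect = @()
    )

    $policy = Get-AntiPhishPolicy -Identity $PolicyName

    # Merge with the existing lists so nothing already protected is dropped
    # and duplicates are not added twice. Empty entries are filtered out.
    $users = @(
        @($policy.TargetedUsersToProtect) + $UsersToProtect |
            Where-Object { $_ } | Sort-Object -Unique
    )
    $domains = @(
        @($policy.TargetedDomainsToProtect) + $DomainsToProtect |
            Where-Object { $_ } | Sort-Object -Unique
    )

    # Service limits: 350 protected users and 50 protected domains per policy.
    if ($users.Count -gt 350)  { throw "Policy would have $($users.Count) protected users; the limit is 350." }
    if ($domains.Count -gt 50) { throw "Policy would have $($domains.Count) protected domains; the limit is 50." }

    Set-AntiPhishPolicy -Identity $PolicyName `
        -EnableTargetedUserProtection $true `
        -TargetedUsersToProtect $users `
        -TargetedUserProtectionAction Quarantine `
        -EnableTargetedDomainsProtection $true `
        -TargetedDomainsToProtect $domains `
        -TargetedDomainProtectionAction Quarantine `
        -EnableMailboxIntelligence $true `
        -EnableMailboxIntelligenceProtection $true

    # Return the resulting state so the change can be reviewed or logged.
    Get-AntiPhishPolicy -Identity $PolicyName |
        Select-Object Name, EnableTargetedUserProtection, TargetedUsersToProtect,
                      EnableTargetedDomainsProtection, TargetedDomainsToProtect
}

# Usage with constructed sample data: an internal executive plus the external
# supplier domain from the example above. 'Office365 AntiPhish Default' is the
# usual name of the default policy; substitute your own custom policy if needed.
Add-ImpersonationProtection -PolicyName 'Office365 AntiPhish Default' `
    -UsersToProtect @('Jane Citizen;jane.citizen@contoso.example') `
    -DomainsToProtect @('ciaops.com')
```

Rerunning the function is safe because the merge is idempotent, so it can sit in an onboarding script: every new senior hire or key supplier is added the day they start rather than after the first lookalike domain turns up.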

CIAOPS Summer School is open for enrolments

In early 2024 I’ll be running a course entitled “Secure more with Secure Score in Microsoft 365”. Training will be held virtually over four consecutive weeks. Each session will be two (2) hours and run from 9am Sydney time. The dates are:

Thursday January 4th 2024

Thursday January 11th 2024

Thursday January 18th 2024

Thursday January 25th 2024

The sessions will be recorded and other materials from the sessions (checklists, etc) will be available to attendees afterwards.

This event will be conducted remotely via Microsoft Teams.

The aim of this training is to help configure security best practices inside your Microsoft 365 environment. You’ll learn what settings you should enable and why you should have these enabled. The sessions will also take you through common examples of configuring these settings and the impact they will have on your users.

The price for this event will be:

Gold Enterprise Patron = $48.67

Gold Patron = $97.34 inc GST

Silver Patron = $194.68 inc GST

Bronze Patron = $389.35 inc GST

Non Patron = $599 inc GST

You can learn more about the CIAOPS Patron community at www.ciaopspatron.com.

I hope that you’ll join me in January for this event as I believe it provides some much needed training in a very important aspect of managing and securing Microsoft 365. If you are serious about security for Microsoft 365, then you need a plan and this training will aim to give you just that plus some experience to boot!

You can enrol now in this course ready for January using this link:

https://www.ciaopsacademy.com/p/secure-more-with-secure-score-in-microsoft-3651

As always, if you have any questions about this training please email me on – director@ciaops.com.

I hope to see you there.