Evaluating SaaS applications using Defender for Cloud Apps

Recently, there has been much talk and gnashing of teeth over what to do about the recent LastPass breach. There is plenty of chatter about wanting to make a change and much discussion about what to actually change to.

As a LastPass customer I’m starting the process of evaluation myself and a handy tool I found to help in the decision process is Microsoft Defender for Cloud Apps (i.e. the old MCAS).

If you go into the Discover menu, you’ll find a Cloud app catalog option as shown above.

Enter the name of the app you wish to search for and hit Enter.

That should give you a page load of information like that shown above, which you can drill into if you want more details.

Of course, this information should only be part of your evaluation but it does provide a lot in one place for you to reference.

Defender for Office 365 automated investigations

A while ago I wrote an article:

Improved security is a shared responsibility

in which I encouraged the use of the Report message add-in for Outlook.

What you may not realise about this add-in is that not only does it provide a centralised method to manage submissions per:

Providing feedback on user reported messages

but user reported messages also trigger an automated investigation:

What alert policies trigger automated investigations?

A security administrator can also manually trigger an investigation by using the Threat Explorer per:

Example: A security administrator triggers an investigation from Threat Explorer

If you want to better understand what Automated investigation and response (AIR) is and does, have a look at:

AIR in Microsoft Defender for Office 365

This triggering of an automated investigation by simply using the Report message add-in is another simple way to leverage the security tools that Defender for Office 365 provides and reduce administration workload.


CIAOPS Need to Know Microsoft 365 Webinar – January

Join me for the free monthly CIAOPS Need to Know webinar. Along with all the Microsoft Cloud news we’ll be taking a look at Defender for Business.

Shortly after registering you should receive an automated email from Microsoft Teams confirming your registration, including all the event details as well as a calendar invite.

You can register for the regular monthly webinar here:

January Webinar Registrations

(If you are having issues with the above link copy and paste – https://bit.ly/n2k2301)

The details are:

CIAOPS Need to Know Webinar – January 2023
Friday 27th of January 2023
11.00am – 12.00am Sydney Time

All sessions are recorded and posted to the CIAOPS Academy.

The CIAOPS Need to Know Webinars are free to attend but if you want to receive the recording of the session you need to sign up as a CIAOPS patron which you can do here:

http://www.ciaopspatron.com

or purchase them individually at:

http://www.ciaopsacademy.com/

Also feel free at any stage to email me directly via director@ciaops.com with your webinar topic suggestions.

I’d also appreciate you sharing information about this webinar with anyone you feel may benefit from the session and I look forward to seeing you there.

Defender EASM adds billable assets blade

I’ve talked about the value of Defender EASM before:

Go get Defender EASM

I now notice that there is a Billable assets option on the menu as shown above. Given that the costs for Defender EASM are based on assets:

https://azure.microsoft.com/en-us/pricing/details/defender-external-attack-surface-management/

knowing exactly what those costs are is great.

As you can see in my environment I have about 29 billable assets equating to a grand total of:

29 x $0.017 per day = $0.49 per day = $15.28 per month

As I maintain, Defender EASM is cheap for the value it provides and now you can more easily track costs. (Don’t forget you also get a free 30 day trial!)

Need to Know podcast–Episode 292

The editorial for this episode is an always controversial topic on backing up Microsoft/Office 365. I am going to highlight some of the facts that, unlike what some say, Microsoft does indeed back up customer data and you’ll find all the links in the show notes.

This is the last episode before Christmas so thanks to all listeners for their support and I wish everyone a happy and safe time over the holidays. No break here, and I’ll be back with the latest news and updates again soon.

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-292-microsoft-365-backup/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send me any feedback or suggestions you may have for the show.

This episode was recorded using Microsoft Teams and produced with Camtasia 2022.

Brought to you by www.ciaopspatron.com

Resources

@directorcia

@directorcia@twit.social

Join my shared channel

CIAOPS merch store

Become a CIAOPS Patron

CIAOPS Blog

YouTube edition of this podcast

Use Access policies to require multiple administrative approvals

Introducing enhanced company branding for sign-in experiences in Azure AD

Office 365 company branding requirements have changed

New Admin Center Unifies Azure AD with Other Identity and Access Products

New Layout Options for OneNote on Windows are coming soon

Introducing Microsoft Teams Premium

Announcing new removable storage management features on Windows

Microsoft Defender for Cloud Apps data protection series: Understand your data types

Microsoft Security Product Reviews: Give product feedback & get rewarded!

Backup

Revisiting some facts around Microsoft 365 backup

Do you need to backup Office 365?

Microsoft policy on backup (Sept 2022)

“Additionally, each service has established a set of standards for storing and backing up data, and securely deleting data upon request from the customer.”

The Essential 8 Security guidelines

Search essential 8

External email indicator needs refinement

A while back I wrote about how you can enable

Native external sender notifications in Exchange Online

which is a great security enhancement. However, now I’m beginning to see some push back from SMB customers.

Why? Well, if you take a look at my inbox you can probably see why:

Most of my emails come from external contacts, and only one is internal. That means I see the word ‘External’ a hell of a lot in my inbox. Many point out that this ‘External’ tag chews up a lot of precious screen real estate as it appears as a prefix in the From field during email preview.

The challenge is that if you disable the external sender notification you also lose the warning “The sender user@domain.com is from outside your organization”, which is very handy.

It would be handy if we had a bit more customisation for the ‘External’ tag in the Set-ExternalInOutlook command, that would perhaps allow the tag to be disabled in the email preview but retain the warning line when an email item is fully opened. I think that would work much better for SMB and many others also.

Hopefully, someone can let the appropriate people at Microsoft know that SMB users in particular are beginning to request this very important security feature be disabled to save screen real estate. That is a very bad thing I would suggest given the importance of email security, especially in SMB. However, I think Microsoft does need to look at this ‘External’ tag in light of the SMB experience, where there are more external than internal senders and screen real estate is at a premium.

Office 365 company branding requirements have changed

*** Update ***

The issue with my tenant not displaying company branding as it used to was due to a bug in the interface. Microsoft have now rectified that and I have access to company branding as I once used to.


It seems that the requirements to configure Office 365 company branding have changed. The official documentation is here:

https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/customize-branding#license-requirements

which says:

License requirements

Adding custom branding requires one of the following licenses:

  • Azure AD Premium 1

  • Azure AD Premium 2

  • Office 365 (for Office apps)

However, I definitely know this wasn’t the case until very recently, because I have a tenant without Azure AD P1 or P2 that allowed company branding configuration and now does not. So, something has indeed changed recently and I can find no acknowledgement or documentation of that. The existing branding of the tenant remains unchanged but I can no longer make changes.

If you don’t have Azure AD P1 or P2 in your environment you can always sign up for a 30 day trial and make changes. However, after those 30 days end it seems you’ll need to buy a full Azure AD P1 or P2 license if you wish to modify the company branding.

I would have thought that in a world where we want to make tenants more secure using something like branding to help reduce the risk of phishing attacks tricking users into putting their details into false portals, the ability to brand a tenant would be available to all licenses.

Hopefully, this is simply an oversight by Microsoft and the ability is returned. However, for now it appears they are fully enforcing the licensing when it comes to company branding and requiring an Azure AD P1 or P2 licensed user to make changes.