Setting an alert for file download in Office 365

A very common request I see is people wanting to know when users have downloaded a file from SharePoint Online to their desktop. You can configure an alert to let you know when this happens. However, I will provide a word of caution here. Remember that alerting on this activity can generate a large number of alerts, and finding the needle in that haystack can be a challenge. Thus, if you want to set these types of alerts, you should put as many filters as possible on the monitored activity so you don’t end up with a screen full of alerts and become overwhelmed.

image

You’ll firstly need to navigate to the Security & Compliance center in the Office 365 web portal. You will also need to have the rights to do this.

Here you’ll need to expand the Alerts section on the left and then select the Alert Policies option from the items that appear.

image

On the right, you should see a list of the existing policies for the tenant.

Select the New alert policy button.

image

You’ll now be prompted to enter a Name for your policy, a Description, Severity and Category.

When complete, select the Next button at the bottom of the page.

image

On the next screen, select the down arrow to the right of the Select an activity option to display a list of activities as shown above.

Scroll down the list until you locate the Downloaded file option, which is under the File and folder activities heading, and select this.

image

Below this you can select the Add condition button to filter your alert. This allows you to focus the alert to:

image

a specific IP Address (i.e. where the user is located) and/or

image

a specific user account and/or

image

a specific filename and/or

image

a specific site collection URL and/or

image

a specific file extension.

You want to take full advantage of these conditions to reduce the number of alerts you’ll receive. Thus, if you are only worried about a single user or perhaps a certain, put those conditions in now.

image

When complete, select the Next button at the bottom of the window.

image

Now enter the email addresses of anyone you wish to receive notifications and ensure the Send email notifications option is set.

If you are expecting to receive lots of notifications (which is a bad idea), you may also wish to set the Daily notification limit.

Select the Next button at the bottom of the screen to continue.

image

Review the settings, make any changes and then select the Finish button. Generally, you will want to ensure the rule is enabled and turned on immediately.

image

You should now see that your policy appears in the list as shown above, and that it is enabled.

You can edit the policy simply by selecting it from this list.

image

Now, when a file is downloaded you should receive an email notification as shown above (assuming you have enabled email notifications of course).

You can get more details about the alert by selecting the Investigate button in the email.

image

Doing so will take you back to the Security & Compliance center and display the alert as shown above.

If you select the View activity list link you will get more details on the activity that triggered the alert.

image

When I do this I can see the time and date, activity, users, item, IP address and so on in a list as shown above, many of which are also hyperlinked so you can get more detail.

image

If you select the Item hyperlink, you will see the above screen; in this case it shows that the item downloaded was a PowerPoint file from the Marketing site collection.

image

You can return to this list of Alerts and see this item as shown above. Throughout this process please appreciate that alerts may take a few minutes to appear in emails, notifications and lists, so be patient.

You can select the alert item to drill back into the activity if you need to at any time.

image

You can also change the status of the alert to help you determine which items have been resolved. Simply change the status to suit and then Save the alert. You can always view alerts by changing the filtering options on the overview page.

There are many different types of alert policies you can set here, and you therefore need to be judicious in how you configure them. Too many alerts are just as bad as too few, so make them as specific as you can to avoid overload.

You can of course always create alerts and leave them disabled until you need them activated.

Remember, there are only a few system alerts configured by default in most tenants. If you want more than these, then you need to go in and configure what you need.
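The same policy can be created from Security & Compliance PowerShell, and the raw audit events it fires on can be reviewed with the filters the post recommends. The script below is an added example, not code from the original post; it assumes an existing Connect-IPPSSession (Security & Compliance Center) session, and the policy name, notification address, site URL and extension list are constructed placeholders. The portal's "Add condition" filters are not reproduced in the New-ProtectionAlert call; the review function applies the equivalent narrowing when it reads the audit log instead.

```powershell
# Added example (not from the original post): create the "Downloaded file" alert
# policy from PowerShell, then review the underlying FileDownloaded audit events
# with the same kind of narrowing the post recommends (site, extension, time window).
# Assumes Connect-IPPSSession has already been run; names and URLs are placeholders.

$alertName = 'File downloaded - Marketing site (example)'   # placeholder name
$recipient = 'secops@contoso.example'                       # placeholder recipient

# Equivalent of the portal steps: name, description, severity, category, the
# "Downloaded file" activity and e-mail notification. No conditions are attached
# here, so this policy on its own will fire on every download in the tenant.
New-ProtectionAlert -Name $alertName `
    -Description 'Alerts when a file is downloaded from SharePoint Online' `
    -Category Others `
    -ThreatType Activity `
    -Operation FileDownloaded `
    -Severity Low `
    -AggregationType None `
    -NotifyUser $recipient `
    -NotificationEnabled $true

function Get-RecentFileDownloads {
    # Pull FileDownloaded events for the last $Hours and keep only those that match
    # the site prefix and extensions of interest, so the haystack stays small.
    param(
        [int]$Hours = 24,
        [string[]]$Extensions = @('pptx', 'xlsx', 'docx'),                       # constructed filter
        [string]$SiteUrlPrefix = 'https://contoso.sharepoint.com/sites/marketing' # placeholder site
    )
    $end   = Get-Date
    $start = $end.AddHours(-$Hours)

    $events = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -RecordType SharePointFileOperation -Operations FileDownloaded -ResultSize 5000

    foreach ($e in $events) {
        # Each audit record carries its detail as a JSON document in AuditData.
        $d = $e.AuditData | ConvertFrom-Json
        if ($Extensions -and ($Extensions -notcontains $d.SourceFileExtension)) { continue }
        if ($SiteUrlPrefix -and -not ([string]$d.SiteUrl).StartsWith($SiteUrlPrefix, [StringComparison]::OrdinalIgnoreCase)) { continue }

        [pscustomobject]@{
            Time     = $d.CreationTime
            User     = $d.UserId
            ClientIP = $d.ClientIP
            File     = $d.SourceFileName
            Site     = $d.SiteUrl
        }
    }
}

# Review the last day of matching downloads, newest first.
Get-RecentFileDownloads -Hours 24 | Sort-Object Time -Descending | Format-Table -AutoSize
```

Running the review function before enabling the policy shows roughly how many e-mails a given combination of site and extension filters would produce per day, which is the easiest way to judge whether the conditions are tight enough.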

Final discount to my new Microsoft 365 Security course


If you missed the first discount round and you want deep dive training into Office 365 security, with video demonstrations, included PowerShell configuration scripts, reference material and more then don’t hesitate. I’m offering one last round of discounts before I completely finish my course.

Use the coupon code LASTCALL at checkout for:

Microsoft 365 Security

or this direct URL that includes the discount:

https://www.ciaopsacademy.com/p/o365-security/?product_id=715774&coupon_code=LASTCALL

That will give you access to the complete course immediately, plus any coming additions for only US$249. There are already over 40 lessons in the course that you can take advantage of and I have lots more to add but that won’t take me long.

Remember, this is the last round of discounts I’ll do. After this the price reverts to the standard price of US$399.

So, if you want to learn more about the security options for Microsoft and Office 365, then sign up today to take advantage of the discount while it lasts.

Locate all Office 365 Site Collection Administrators

image

One of the other things you probably need to check in your tenant is exactly who is a Site Collection administrator in your SharePoint sites in Office 365.

Site Collection administrators have full access to that SharePoint site and can only be removed by another Site Collection administrator. Also, they generally don’t appear inside the permission settings of the site. So, knowing who has full rights to your SharePoint sites is a good thing, I feel.

You can find the script to display all your SharePoint sites and Site Collection administrators inside those sites in my GitHub repository here:

https://github.com/directorcia/Office365/blob/master/o365-spo-admins.ps1

The interesting thing I discovered when I ran the script was that I have a number of sites with no Site Collection administrator (most likely deleted sites, it seems) and a number of sites I didn’t have access to (again, this seems to have something to do with becoming orphaned during deletion). So, I have some further work to do now to clean all this up.

The script won’t fix or deal with any errors, but it will tell you about them and you can go investigate further.

Run it and see what it turns up for you!
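An added example of how such a report can be built, which is not the script from the author's GitHub repository: it walks every site collection, lists the accounts flagged as site collection administrators, and records the two cases the post mentions (no administrator at all, or a site that cannot be read) instead of stopping on them. It assumes an existing Connect-SPOService session and uses a placeholder admin URL.

```powershell
# Added example (not the author's o365-spo-admins.ps1): report the Site Collection
# Administrators of every site collection, and flag sites with none or that error.
# Assumes the SharePoint Online Management Shell; the admin URL is a placeholder.

Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'   # placeholder tenant

function Get-SiteCollectionAdminReport {
    $report = foreach ($site in Get-SPOSite -Limit All) {
        try {
            # IsSiteAdmin is set on the users who hold site collection admin rights.
            $admins = Get-SPOUser -Site $site.Url -Limit All -ErrorAction Stop |
                      Where-Object { $_.IsSiteAdmin }

            if (-not $admins) {
                [pscustomobject]@{ Url = $site.Url; Admin = '<none>'; Status = 'NoAdmin' }
            } else {
                foreach ($a in $admins) {
                    [pscustomobject]@{ Url = $site.Url; Admin = $a.LoginName; Status = 'OK' }
                }
            }
        } catch {
            # Typically a site that is being deleted or is otherwise unreadable;
            # record the error text and carry on with the next site.
            [pscustomobject]@{ Url = $site.Url; Admin = '<error>'; Status = $_.Exception.Message }
        }
    }
    return $report
}

$report = Get-SiteCollectionAdminReport
$report | Export-Csv -Path '.\spo-site-admins.csv' -NoTypeInformation

# Sites that need a closer look: no administrator, or could not be enumerated.
$report | Where-Object { $_.Status -ne 'OK' } | Format-Table -AutoSize

# Everything else: who holds full rights where.
$report | Where-Object { $_.Status -eq 'OK' } | Sort-Object Url | Format-Table -AutoSize
```

Personal (OneDrive for Business) site collections are not returned by Get-SPOSite -Limit All without a filter for personal sites, so this covers the team and stand-alone site collections the post is concerned with.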

Determining Office Add-ins

After posting how to protect your Office tenant from malicious add-ins recently:

Thwarting the Office 365 Ransomware cloud

I was asked whether you could determine what add-ins users had already authorised. Thanks to PowerShell, the answer is always “Yes”.

You need to ensure that you are connected to Exchange Online first and then you can run:

# Every mailbox in the tenant (a real hyphen before ResultSize; an en dash breaks the parameter)
$mailboxes = Get-Mailbox -ResultSize Unlimited

foreach ($mailbox in $mailboxes) {
    # Print the mailbox, then the add-ins installed in it
    Write-Host "Mailbox =", $mailbox.PrimarySmtpAddress
    Get-App -Mailbox $mailbox.PrimarySmtpAddress | Select-Object DisplayName, Enabled, AppVersion | Format-Table
}

This will basically spit out something that looks like:

image

So you can easily see what is already configured for each mailbox.
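For a larger tenant the per-mailbox listing is hard to scan, so the following added example (not the script in the author's repository) collects the same data into one inventory, saves it to CSV and then groups it by add-in so that an entry installed in only one or two mailboxes from an unfamiliar provider stands out. It assumes an Exchange Online PowerShell session and that Get-App also returns the ProviderName and AppId properties alongside the three the post uses.

```powershell
# Added example (not the author's o365-exo-addins.ps1): tenant-wide add-in inventory,
# grouped by add-in and provider. Assumes an Exchange Online PowerShell session.

function Get-AddInInventory {
    # One row per (mailbox, add-in) pair across the whole tenant.
    $rows = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
        foreach ($app in Get-App -Mailbox $mbx.PrimarySmtpAddress) {
            [pscustomobject]@{
                Mailbox     = $mbx.PrimarySmtpAddress
                DisplayName = $app.DisplayName
                Provider    = $app.ProviderName   # assumed Get-App property
                AppId       = $app.AppId          # assumed Get-App property
                Version     = $app.AppVersion
                Enabled     = $app.Enabled
            }
        }
    }
    return $rows
}

$inventory = Get-AddInInventory
$inventory | Export-Csv -Path '.\exo-addins.csv' -NoTypeInformation

# One line per distinct add-in with the number of mailboxes carrying it.
# Default Microsoft add-ins will show up in every mailbox; a single-mailbox add-in
# from a provider you do not recognise is the one to investigate first.
$inventory | Group-Object DisplayName, Provider |
    Select-Object @{ n = 'AddIn';     e = { $_.Group[0].DisplayName } },
                  @{ n = 'Provider';  e = { $_.Group[0].Provider } },
                  @{ n = 'Mailboxes'; e = { $_.Count } } |
    Sort-Object Mailboxes |
    Format-Table -AutoSize
```

The CSV gives you a baseline; re-running the inventory later and comparing the two files shows which add-ins users have added since.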

I have uploaded the file to my GitHub repository here:

https://github.com/directorcia/Office365/blob/master/o365-exo-addins.ps1

if you want it.

Thwarting the Office 365 Ransomware cloud

The above video is an interesting presentation around a ‘new variant of ransomware’ (to quote the video). In essence, what it does is trick the user into installing a malicious plug-in for their Office 365 environment. That malicious plug-in can then effectively run riot across everything the user has access to, including shared files. The video shows how this control can be used to encrypt the user’s emails even though they are ‘in the cloud’. This is simply because the user has been tricked into giving the malicious application full access to their environment.

Is there a way to prevent or mitigate this risk? First the bad news. Generally, every Office 365 tenant out of the box allows all users to add these types of add-ins to their environment. Typically, the ability is designed to allow legitimate Outlook plug-ins like Boomerang or Harmon.ie to be added to help the user be more productive. However, that also means malicious add-ins can be added just as easily, as the video demonstrates. So, it is definitely a security issue to pay attention to.

You can verify whether this option is enabled in your Office 365 tenant by firstly connecting to Exchange Online PowerShell and then running the following command:

Get-MsolCompanyInformation | Format-List DisplayName,UsersPermissionToUserConsentToAppEnabled

If the result comes back as True then you are potentially vulnerable to this style of attack.

However, if you run this command:

Set-MsolCompanySettings -UsersPermissionToUserConsentToAppEnabled $false

you disable the ability for users to authorise plug-ins. They can still add plug-ins to their environment, but they cannot authorise applications that ask for permissions to their environment.

Thus, add-ins like the Exchange Message Header Analyzer are fine, as they simply report on email headers, but something like Harmon.ie, which requests access to resources, will be blocked.

image

So above you can see the user has added the Harmon.ie add-in to their environment. To use it, they need to select the Connect to Office 365 button highlighted.

image

Normally the user would see the above Permission Request dialog, click Accept and the add-in would have access.

However, after disabling the ability for users to consent for apps this will appear as:

image

As you can see, the user isn’t permitted to grant permissions; it can only be done by an administrator. This is going to prevent the user randomly installing add-ins as well as protect them from potentially malicious apps.

Of course, the downside for administrators is the fact that they will have to consent to user-added apps manually, but that is a small price to pay for better security, I would suggest. As I like to say, ‘Got access denied when you’re doing something silly? GOOD! That means the security is doing its job!’

My own experience is that users rarely add legitimate applications and if there is a need for them to be added they can be pushed out from the Office 365 Admin Center by an administrator and then authorised as needed on a per user basis. Alternatively, the required apps can be pushed out and authorised by users and then the tenant can be locked down.

However, in my opinion, out of the box, most Office 365 tenants should have this default ability blocked as shown to thwart the ‘new Ransomware cloud’ threat.

Preventing Malware downloads from Office 365

image

If you are unfortunate enough to somehow get malware into your Office 365 tenant, you may not appreciate that by default users can still download it, even though it has been detected as shown above.

image

Best practice would be to use the PowerShell command:

Set-SPOTenant -DisallowInfectedFileDownload $true

to prevent users from having the option to download the infected file. Basically, it removes the Download button as shown above. Doing this will apply the setting across all SharePoint sites, including OneDrive for Business, Teams and standalone site collections.

From the Microsoft documentation:

If the Set-SPOTenant cmdlet has the DisallowInfectedFileDownload parameter set to:

true (recommended), this happens:

  • All actions, except Delete, are blocked for detected files.

  • People cannot open, move, copy, or share detected files.

  • People see a visual cue that indicates that a file has been identified as malicious. No one can download the file.

false, this happens:

  • All actions, except Delete and Download, are blocked for detected files.

  • People cannot open, move, copy, or share detected files.

  • People see a visual cue that indicates a file has been identified as malicious, but they can choose to accept the risk and download the file anyway.

Allow up to 30 minutes for your changes to spread to all Office 365 datacenters.

The recommended best practice is then to turn this on for all tenants as it is not on by default.
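Both of the tenant settings discussed in these two posts (user consent to apps in the post above on the ‘Ransomware cloud’, and DisallowInfectedFileDownload here) are worth checking on a schedule rather than once, because both can be flipped back. The script below is an added example, not from either post: it reads the current values, reports whether each matches the recommended state, and only changes anything when the -Remediate switch is supplied. It assumes Connect-MsolService (MSOnline module, where Get-MsolCompanyInformation lives) and Connect-SPOService have both already been run.

```powershell
# Added example (not from the original posts): report and optionally fix the two
# tenant settings covered above. Assumes Connect-MsolService and Connect-SPOService
# sessions already exist.

function Test-TenantDownloadAndConsentPosture {
    param([switch]$Remediate)

    $company = Get-MsolCompanyInformation
    $spo     = Get-SPOTenant

    # Current value beside the value the posts recommend.
    $findings = @(
        [pscustomobject]@{
            Setting  = 'UsersPermissionToUserConsentToAppEnabled'
            Current  = $company.UsersPermissionToUserConsentToAppEnabled
            Expected = $false
        },
        [pscustomobject]@{
            Setting  = 'DisallowInfectedFileDownload'
            Current  = $spo.DisallowInfectedFileDownload
            Expected = $true
        }
    )
    foreach ($f in $findings) {
        $f | Add-Member -NotePropertyName Compliant -NotePropertyValue ($f.Current -eq $f.Expected)
    }

    if ($Remediate) {
        foreach ($f in $findings | Where-Object { -not $_.Compliant }) {
            switch ($f.Setting) {
                'UsersPermissionToUserConsentToAppEnabled' {
                    Set-MsolCompanySettings -UsersPermissionToUserConsentToAppEnabled $false
                }
                'DisallowInfectedFileDownload' {
                    # Per the Microsoft text quoted above, allow up to 30 minutes to propagate.
                    Set-SPOTenant -DisallowInfectedFileDownload $true
                }
            }
        }
    }
    return $findings
}

# Report only:
Test-TenantDownloadAndConsentPosture | Format-Table -AutoSize

# Report and apply the recommended values where they differ:
# Test-TenantDownloadAndConsentPosture -Remediate | Format-Table -AutoSize
```

Keeping the report step separate from the change step means the same script can run read-only from a monitoring account and only be run with -Remediate by an administrator who has confirmed the change is wanted.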

Early access to my new online Microsoft 365 Security course


I’m working hard to complete an online course focused on Microsoft 365 Security. What I have decided to do is provide early discounted access to the course while I am still building it. If you sign up at the discounted rate you continue to get full access to all the course modules without any additional payment.

The course will eventually sell for US$399 but while I’m still building it you can sign up for only US$99. This means that you’ll continue to get full access to everything I add to the course going forward as I build it out.

There are however already a number of modules in there you can take advantage of and I’m working hard to add more every day. Already in there are modules around enabling audit logging as well as Office 365 ATP and Data Loss Prevention.

To take advantage of this limited offer use the coupon code EARLYBIRD at check out for the course or this direct URL with the discount already applied:

https://www.ciaopsacademy.com/p/o365-security/?product_id=715774&coupon_code=EARLYBIRD

Remember this offer can’t last so sign up now.

Azure AD and SharePoint Online user differences

I’ve been developing scripts to work with OneDrive for Business when I fell into a bit of a rabbit hole that led me to an interesting revelation.

Part of the challenge with working with OneDrive for Business in Office 365 is that not all users have one, even though they are licensed for it. The reason for this is simply that a user’s OneDrive for Business isn’t generally provisioned until they start using it. Thus, in my demo tenant there are probably users who haven’t as yet been through the process of having a OneDrive provisioned. No issues.

Secondly, when you share information with external users in SharePoint and Teams you may also find an AD account for a user who hasn’t as yet accessed SharePoint resources for some reason. Maybe they haven’t accepted the sharing request, and so on. Again, no big deal.

image

So I created a script that goes through each active Azure AD user in the Office 365 tenant and checks whether there is a corresponding SharePoint Online user. To do this I used the following commands:

get-spouser

and

get-azureaduser

So I trained these commands on the OneDrive for Business URL which is typically:

https://tenantname-my.sharepoint.com

As you can see from the above report, the green lines indicate matches between accounts in my Azure AD and in my OneDrive for Business. The green tenant users, with a custom domain, typically have their own OneDrive for Business. The green external users, distinguished by an account that includes #EXT#, are typically accounts outside the tenant that have had information shared with them and have accepted that sharing request.

Now, the red tenant users typically haven’t had their OneDrive for Business provisioned yet, and the red external users typically haven’t as yet accepted the sharing request that was sent to them. All understood.

image

Here’s where the rabbit hole opened up. Ok, I thought, now what happens if I do the reverse? That is, check my SharePoint users against my Azure AD users? So off I went to create a script.

The script came back with the results you see above. All the yellow accounts are SharePoint users that don’t have a matching Azure AD account. Quite a few, eh? When I first saw this I panicked a bit, because many of the accounts I didn’t recognise. What was going on here, I wondered? Had I been compromised?

In a perfect world, there would be a one-to-one mapping between Azure AD accounts and SharePoint accounts. However, things aren’t that perfect, so in my demo tenant, I had created lots and lots of accounts over the years and many had become ‘orphaned’, leaving behind information in SharePoint. Many were just so old I had forgotten that I created them and then later deleted the Azure AD account.

Is this a problem? Not really, I don’t think, because without an Azure AD account to log in with, these ‘orphaned’ resources aren’t much use. Still, if they aren’t needed then they really should be deleted, to my mind.

Interestingly, some of these ‘orphaned’ SharePoint users actually still had their own OneDrive for Business that clearly wasn’t being displayed anywhere else. Once I took control of these ‘orphaned’ sites by making myself a Site Collection Administrator I could see what they actually contained. When I was happy it wasn’t needed or in use I deleted these, again using PowerShell.

So what did my trip down the rabbit hole teach me? Firstly, I learned that Azure AD and SharePoint user accounts don’t always line up. Next, I learned that you can end up with ‘orphaned’ SharePoint users and resources that you may want to clean up using PowerShell. I don’t believe these represent any security issues but if they aren’t necessary then they probably should be deleted. However, be careful of system accounts which shouldn’t be removed. Just get rid of those you recognise as no longer being required.

The biggest thing that my exploration taught me is the value of PowerShell to get behind the standard interface of Office 365 and see what is really going on. It gives you much better control and for me it helps me understand much better how everything works.
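As an added example of the comparison described in this post (my own code, not the author's Patron scripts), the function below runs Get-AzureADUser and Get-SPOUser against the OneDrive for Business site collection and compares the two lists in both directions at once, labelling each account the way the post interprets the colours: a match, an Azure AD account with no SharePoint user (unprovisioned OneDrive, or an unaccepted share for a #EXT# account), or a SharePoint user with no Azure AD account (possibly orphaned). It assumes Connect-AzureAD and Connect-SPOService sessions and a placeholder tenant URL.

```powershell
# Added example (not the author's scripts): compare enabled Azure AD users with the
# users known to the OneDrive for Business site collection, in both directions.
# Assumes Connect-AzureAD and Connect-SPOService have been run; URL is a placeholder.

$myUrl = 'https://contoso-my.sharepoint.com'   # placeholder tenant-my URL

function Compare-AadAndSpoUsers {
    param([string]$SiteUrl)

    # Azure AD side: enabled accounts, keyed by lower-cased UPN.
    $aad = Get-AzureADUser -All $true |
           Where-Object { $_.AccountEnabled } |
           ForEach-Object { $_.UserPrincipalName.ToLowerInvariant() }

    # SharePoint side: login names on the site collection, lower-cased to match.
    # Service and group principals (no '@') are kept so they can be reviewed,
    # but they are expected to show as 'SPO only' and must not be deleted.
    $spo = Get-SPOUser -Site $SiteUrl -Limit All |
           ForEach-Object { $_.LoginName.ToLowerInvariant() }

    $diff = Compare-Object -ReferenceObject $aad -DifferenceObject $spo -IncludeEqual

    foreach ($d in $diff) {
        $account    = $d.InputObject
        $isExternal = $account -like '*#ext#*'
        $isSystem   = $account -notlike '*@*'
        $state = switch ($d.SideIndicator) {
            '==' { 'Match' }
            '<=' { if ($isExternal) { 'AAD only: sharing not yet accepted?' }
                   else             { 'AAD only: OneDrive not yet provisioned?' } }
            '=>' { if ($isSystem)   { 'SPO only: system/group principal (keep)' }
                   else             { 'SPO only: orphaned? review before deleting' } }
        }
        [pscustomobject]@{ Account = $account; External = $isExternal; State = $state }
    }
}

$result = Compare-AadAndSpoUsers -SiteUrl $myUrl
$result | Sort-Object State, Account | Format-Table -AutoSize
$result | Export-Csv -Path '.\aad-vs-spo-users.csv' -NoTypeInformation

# Counts per category give the quick "how big is the problem" view.
$result | Group-Object State | Select-Object Name, Count | Format-Table -AutoSize
```

Anything reported as 'SPO only' that carries a tenant domain deserves a check of the user's personal site before removal, which is the step the post describes doing by adding yourself as a Site Collection Administrator first.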

If you want the scripts that I used to do these comparisons then I suggest you sign up to my Patron community – www.ciaopspatron.com where you’ll find these and whole lot more Office 365, Microsoft 365 and Azure resources.