Office 365 Cloud App Discovery

In today’s security environment it is no longer really possible for human beings to manage security on their own; it typically needs to be outsourced to software. Signature-based security is too slow to keep up with constantly changing attacks, and the better approach is to look for anomalies in behaviour patterns.

Office 365 Cloud App Security is a service that is included in E5 licenses but is also available as a separate stand-alone purchase (called Microsoft Cloud App Security in the store). Unfortunately, you can’t add Office 365 Cloud App Security to Business plans, only to Enterprise plans.

Basically, Office 365 Cloud App Security allows you to configure policies that trigger alerts for specific activity, as well as suspending accounts that exhibit suspicious activity. Let’s see how.

image

To get to Office 365 Cloud App Security you need to navigate to the Security & Compliance Center as an Office 365 administrator. Open the Alerts heading on the left and select Manage advanced alerts from the options that appear.

On the right you will see a check box to Turn on Office 365 Cloud App Security.

image

Once this has been selected you will be able to select the button to Go to Office 365 App Security.

image

On this page you may see a number of policies in place already. Here, I’m going to add a new policy. To get to this page again, I select the Control option from the menu across the top of the page and then Policies from the items that appear.

To add a policy I now select the Create Policy button on the right as shown above, and then Activity policy from the items that appear. You may have fewer items in this list; it depends on what licenses you have in place for your tenant.

image

For the Policy Template option I am going to select from the list of pre-existing templates and use Logon from a risky IP address, which is described as:

Alert when a user logs on to your sanctioned apps from a risky IP address. By default, the Risky IP address category contains addresses that have IP address tags of Anonymous proxy, TOR or Botnet. You can add more IP addresses to this category in the IP address ranges settings page. 

image

You can see the list of existing policy templates above and of course, you can create your own custom one.

image

Once I have selected the policy I scroll down to the actual rules which appear in the Create filters for the policy section as shown above.

Basically, you’ll see that in this case the rule looks at whether the IP category is “Risky” and the activity equals Logon.

You can of course edit or define your own rules here if you want.

image

If you are wondering where the “risky” IP range is defined, you’ll find these sorts of settings under the cog icon in the upper left as shown above. In this case, look under IP address ranges.

image

Once you save the settings you’ll be returned to the Policies page where you should now see the new policy as shown above.

image

To test this policy, I’m going to fire up a Tor browser and login to Office 365.

image

As expected, in a very short space of time (it isn’t immediate; it may take a moment or two to appear) I get an alert. Alerts can be viewed by selecting the Alert option from the menu across the top of the page.

image

If I then click to open one of these alerts and select the General option in the middle of the page, I get more information as shown above. You’ll see on the right that the IP category = “Risky”, because the address matched both the Tor and Anonymous proxy tags.

image

If I now select the User option in the middle of the page I get further information as to which user triggered this as shown above.

image

Likewise, if I select the IP address option I get detailed information about the networking side.

From here you can take actions on the alerts such as dismissing or digging deeper into the logs.

image

My advice would therefore be to enable all the default policy templates for your tenant as I have done for mine as shown above.

You’ll notice that I also have some custom policies in place. One of these provides an alert for repeated failed login attempts by a user.

image

Another policy, shown above, monitors logins by global administrators. You’ll see that I also restrict that policy to apply only when the login is not from a corporate (i.e. office LAN) IP address.

My advice with custom policies is to start simply and broadly and tighten the rules over time. There is nothing worse than setting a policy and being deluged with alerts, so take it slowly and increase restrictions gradually to ensure you don’t overload yourself with false positives.
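To make the logic of these policies concrete, here is an added example (not code from the post, and not the product’s own implementation) that runs the three policy ideas described above over a handful of constructed sign-in records: the template’s “risky IP and activity is logon” rule, the custom “repeated failed logins” rule, and the custom “global administrator logging in from outside the corporate range” rule. The record field names, the corporate range, the failure threshold and all addresses are assumptions chosen for illustration.

```powershell
# Added example, not code from the post: evaluates constructed sign-in records against the
# three policy ideas described above. Field names, corporate range and threshold are assumptions.

$CorporateRanges      = @('203.0.113.0/24')            # assumed office LAN (RFC 5737 documentation range)
$RiskyIpTags          = @('Anonymous proxy', 'TOR', 'Botnet')   # the tags the "Risky" category is built from
$FailedLogonThreshold = 5

function ConvertTo-IpInt64 ([string]$Ip) {
    # IPv4 dotted quad -> integer, so CIDR membership becomes a mask-and-compare
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)
    return [int64][BitConverter]::ToUInt32($bytes, 0)
}

function Test-IpInCidr ([string]$Ip, [string]$Cidr) {
    $network, $bits = $Cidr -split '/'
    $all  = [int64][uint32]::MaxValue
    $mask = ($all -shl (32 - [int]$bits)) -band $all
    return ((ConvertTo-IpInt64 $Ip) -band $mask) -eq ((ConvertTo-IpInt64 $network) -band $mask)
}

function Get-PolicyAlerts ([object[]]$Events) {
    $alerts = [System.Collections.Generic.List[object]]::new()
    foreach ($e in $Events) {
        $onCorpNet = [bool]($CorporateRanges | Where-Object { Test-IpInCidr $e.IP $_ })
        # Template policy: IP category is "Risky" (any of the three tags) and the activity is a logon
        $risky = @($e.IpTags | Where-Object { $RiskyIpTags -contains $_ })
        if ($e.Activity -eq 'Logon' -and $risky.Count -gt 0) {
            $alerts.Add([pscustomobject]@{ Policy = 'Logon from a risky IP address'; User = $e.User; Detail = ($risky -join ', ') })
        }
        # Custom policy: a global administrator logging on from a non-corporate address
        if ($e.Activity -eq 'Logon' -and $e.Result -eq 'Success' -and $e.IsGlobalAdmin -and -not $onCorpNet) {
            $alerts.Add([pscustomobject]@{ Policy = 'Global admin logon off corporate network'; User = $e.User; Detail = $e.IP })
        }
    }
    # Custom policy: repeated failed logons by the same user, counted across the whole batch
    $Events | Where-Object { $_.Activity -eq 'Logon' -and $_.Result -eq 'Failed' } |
        Group-Object User | Where-Object { $_.Count -ge $FailedLogonThreshold } | ForEach-Object {
            $alerts.Add([pscustomobject]@{ Policy = 'Repeated failed logon attempts'; User = $_.Name; Detail = "$($_.Count) failures" })
        }
    return $alerts
}

# Constructed sample records; every address is an RFC 5737 documentation address
$Events = @(
    [pscustomobject]@{ User = 'alice@contoso.example'; Activity = 'Logon'; Result = 'Success'; IP = '198.51.100.7';  IpTags = @('TOR', 'Anonymous proxy'); IsGlobalAdmin = $false }
    [pscustomobject]@{ User = 'admin@contoso.example'; Activity = 'Logon'; Result = 'Success'; IP = '203.0.113.25';  IpTags = @();                        IsGlobalAdmin = $true  }
    [pscustomobject]@{ User = 'admin@contoso.example'; Activity = 'Logon'; Result = 'Success'; IP = '198.51.100.44'; IpTags = @();                        IsGlobalAdmin = $true  }
) + @(1..5 | ForEach-Object {
    [pscustomobject]@{ User = 'carol@contoso.example'; Activity = 'Logon'; Result = 'Failed';  IP = '192.0.2.10';    IpTags = @();                        IsGlobalAdmin = $false }
})

Get-PolicyAlerts $Events | Format-Table -AutoSize
```

Run as written, the sample batch produces three alerts: alice’s logon from the Tor-tagged address, the admin logon from 198.51.100.44 (the 203.0.113.25 logon is inside the corporate range and is ignored), and carol’s five failures. Raising $FailedLogonThreshold or widening $CorporateRanges is the scripted equivalent of the “start broad, then tighten” advice: you can see how many alerts a rule change would have produced before applying it to the real policy.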

As I dig deeper into what is possible, I’m sure I’ll be adding additional policies to keep my tenant secure and provide a level of monitoring that no human could. In today’s environment of increased attacks, I’d really recommend you look at adding Office 365 Cloud App Security to your tenant for enhanced protection.

Location of chat history in Microsoft Teams

image

I have a Microsoft Team in my tenant called “Patrons”. In there is a channel called “Social”. In this area CIAOPS Patrons chat about things such as cryptocurrency, as you can see.

As an administrator what I want to do is find out how I can view information that is shared by others in this chat location. In short, how do I see chat history in Microsoft Teams?

image

As an example, let’s say I want to find the term ‘kodak’ in these chats. You’ll see from the above that it is part of a link that was pasted into the chat.

image

All the chat history from Microsoft Teams is saved into a mailbox with the name of the Team, so I’m looking for a mailbox called “Patrons”.

The easiest way is to fire up trusty PowerShell and run:

Get-Mailbox

and, as you can see from the results above, I only see user mailboxes.

image

But if I run:

Get-Mailbox -GroupMailbox

I see all the shared mailboxes in my tenant.

As you can see I find one called “Patrons” as shown above.

image

To get the details I run:

Get-Mailbox -GroupMailbox patrons@ciaops365.com

and you can see that I again get all the information, but just for that mailbox. So this is the one linked to my Microsoft Team.

image

If I now run:

Get-Mailbox -GroupMailbox patrons@ciaops365.com | Get-MailboxFolderStatistics | Select-Object Identity, ItemsInFolder, FolderSize

I basically get a report of the folders inside that Teams mailbox. In there I can see a folder:

\conversation history\team chat

This is indeed where the chats are located. You can see there are currently 344 items, 4.38 MB in size.
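The same lookup can be done for every Team in the tenant at once. The following is an added example (not code from the post) that assumes an Exchange Online PowerShell session opened with Connect-ExchangeOnline from the ExchangeOnlineManagement module, and rights to read mailbox folder statistics. It pipes each group mailbox into Get-MailboxFolderStatistics, since the post shows that addressing a Teams mailbox directly by identity does not always work, and uses the ConversationHistory folder scope to avoid pulling every folder; the function name and output columns are my own.

```powershell
# Added example, not code from the post. Assumes an Exchange Online PowerShell session
# (Connect-ExchangeOnline) with permission to read mailbox folder statistics.

function Get-TeamChatFolderReport {
    param(
        [int]$MinimumItems = 0   # only report Team Chat folders with at least this many items
    )
    # Teams are backed by group mailboxes; without -GroupMailbox Get-Mailbox hides them
    $groups = Get-Mailbox -GroupMailbox -ResultSize Unlimited
    foreach ($g in $groups) {
        # Pipe the mailbox object rather than passing its address, and scope to the
        # Conversation History tree where the Team Chat folder lives
        $folders = $g | Get-MailboxFolderStatistics -FolderScope ConversationHistory
        foreach ($f in $folders) {
            if ($f.FolderPath -like '*/Team Chat*' -and $f.ItemsInFolder -ge $MinimumItems) {
                [pscustomobject]@{
                    Team    = $g.DisplayName
                    Mailbox = $g.PrimarySmtpAddress
                    Folder  = $f.FolderPath
                    Items   = $f.ItemsInFolder
                    Size    = $f.FolderSize
                }
            }
        }
    }
}

# Largest chat stores first; -MinimumItems 1 skips Teams that have never been used
Get-TeamChatFolderReport -MinimumItems 1 | Sort-Object Items -Descending | Format-Table -AutoSize
```

Run periodically, this gives an administrator a quick view of which Teams actually carry chat traffic (and how much) before deciding where a Content Search should be pointed. If FolderScope ConversationHistory returns nothing in your tenant, drop the -FolderScope parameter and rely on the FolderPath match alone, as the post’s own command does.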

image

Now I can actually add this mailbox to Outlook Web Access and view the contents, as you can see above. However, I can’t get to the folder \Conversation History\Team Chat because it is hidden and probably has other permissions associated with it.

image

I can’t add this shared mailbox to Outlook 2016 on my desktop as you can see above.

image

So now, if I try to view or change the permissions on the mailbox using:

Get-Mailbox -GroupMailbox patrons@ciaops365.com | Get-MailboxFolderPermission

I get the message that the mailbox doesn’t exist.

image

If I now try:

Get-MailboxFolderPermission -Identity patrons@ciaops.com:\inbox

I again get the message that the mailbox doesn’t exist.

image

If I use that same command on another ‘standard’ shared mailbox, the command works. So I know the command itself works; it just doesn’t work with a Microsoft Teams mailbox.

image

Again, just changing mailbox identity confirms that the command can’t even see the mailbox.

image

The way to actually see the contents of the Teams chats is to use the Content Discovery component of the Security & Compliance center in Office 365, which you’ll find under the Search & Investigation heading on the left-hand side. You need to be an administrator with appropriate rights to access this area.

You start by creating a new Content Search by pressing the + icon as shown above.

image

Give the new Content Search a title and select the locations where you wish to search. In this case I’ll simply look through all email data.

image

Next, I enter what I want to search for. Here, I’m only looking for the word ‘kodak’.

image

After I finish my configuration the search commences, and I need to wait a few moments while it searches all the nominated locations and generates the results.

image

When the process is complete I select the Preview search results hyperlink on the right as shown above.

image

Another window opens and I can locate the item I’m after, as its type is ‘IM’, as shown above. When I select that item on the left I see the full content on the right, and I can confirm that the search does display the link from the Microsoft Teams chat.

image

If I elect to download the item, it does so as an .EML file, which I can open in any mail client as shown above. This indicates that each chat message is effectively a separate email in a sub-folder of a shared mailbox in Exchange Online.

image

So I went back and broadened the content search terms to encompass more chats.

image

I ran the search and exported the data from the Security & Compliance center into a .PST file and then imported that into Outlook.

Thus, as you can see above, as an administrator I can now view all the chats that match my search criteria.
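The portal steps above (create a search over all email data, wait for it to finish, preview the hits) can also be scripted, which takes some of the manual effort out of the process. This is an added example, not code from the post; it assumes a Security & Compliance PowerShell session opened with Connect-IPPSSession from the ExchangeOnlineManagement module and the same permissions the portal requires for Content Search. The function name, search name, query and timeout are my own choices, and the kind:im keyword used to narrow results to instant-message items is an assumption about the query syntax rather than something the post shows.

```powershell
# Added example, not code from the post. Assumes a Security & Compliance PowerShell
# session (Connect-IPPSSession) with rights to create and run Content Searches.

function Start-TeamChatContentSearch {
    param(
        [Parameter(Mandatory)][string]$Name,     # search name, must be unique in the tenant
        [Parameter(Mandatory)][string]$Query,    # keyword query, e.g. 'kodak'
        [int]$TimeoutSeconds = 600
    )
    # Same scope as choosing "all email data" in the portal: every Exchange location
    New-ComplianceSearch -Name $Name -ExchangeLocation All -ContentMatchQuery $Query | Out-Null
    Start-ComplianceSearch -Identity $Name

    # Poll for completion instead of guessing how long the search takes
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 10
        $search = Get-ComplianceSearch -Identity $Name
    } until ($search.Status -eq 'Completed' -or (Get-Date) -gt $deadline)

    if ($search.Status -ne 'Completed') {
        throw "Search '$Name' did not complete within $TimeoutSeconds seconds (status: $($search.Status))."
    }

    # Queue the preview, the scripted equivalent of the portal's "Preview search results" link
    New-ComplianceSearchAction -SearchName $Name -Preview | Out-Null
    return $search | Select-Object Name, Status, Items, Size
}

# 'kind:im' (assumed keyword syntax) restricts hits to instant-message items such as Teams chat
Start-TeamChatContentSearch -Name 'TeamChat-kodak' -Query 'kind:im AND kodak'
```

The returned object reports the number of matching items and their total size, which is the same summary the portal shows when the search completes. To reproduce the export step from the post, run New-ComplianceSearchAction with -Export instead of -Preview against the same search name and collect the resulting PST from the portal.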

The problem with this, from a pure ‘overwatch’ point of view, is that it is a very manual process to get to the information, and secondly you can only look at things you specify in your content search. It would be nice for an administrator to be able to export the whole chat content of a Microsoft Teams channel into a single document that could then be viewed.

However, at the end of the day, rest assured that your Microsoft Teams chats are being saved and you can access them if you need to. Hopefully, the above has shown you how to do exactly that.

Office 365 Cloud Self Service Password Resets

One thing that many may not realise with Office 365 is that you can enable users to reset their own passwords.

There are some conditions to enabling this. If your environment does not have Azure AD Connect synchronizing users from on-premises to the cloud (i.e. you have what are known as ‘cloud only’ users), then you need nothing additional. If, however, you do have a synchronized environment, you will need to purchase Azure AD Premium, configure password writeback and assign licenses to each user you wish to have self service password resets enabled for.

This is because in a synchronized environment the on-premises domain controller is the source of all user details; from there the password is hashed, encrypted and synced to Office 365. Thus, if a user changes their password using this cloud process, in a matter of moments that change is overwritten with what is on-premises thanks to the synchronization configuration. However, Azure AD Premium provides two-way password sync (on-prem to cloud and cloud to on-prem). Thus, with Azure AD Premium in place, when a user resets their password in the cloud it gets synced back to on-premises. Without Azure AD Premium it doesn’t.

To enable self service password resets navigate to the Azure portal for that tenant using an Office 365 global administrator account.

image

You navigate there from the Office 365 Admin center by selecting Azure AD under the Admin centers option as shown above.

image

Locate the option Azure Active Directory from the list of options in the Azure portal on the left and select that.

image

image

From the blade that appears select Password Reset as shown above.

image

The Properties option allows you to enable password resets for selected or all users. Don’t forget to press the Save button at the top once you have made your selection.

image

The Authentication methods option allows you to determine how users will verify their identity when requesting a password reset.

Users can be required to provide one or two forms of identity, and there are four methods available: email, mobile phone, office phone and security questions.

In the case of security questions, you can select from 3 to 5 questions to be part of the registration process and 3 to 5 as being required to verify identity.

image

When you go to select security questions you are able to choose a number of pre-defined or custom questions, or a mix of both, as shown above.

Again, make sure that you Save your selections before continuing.

image

The Registration option allows you to force users to register their recovery options at next login, or let them complete registration manually.

image

The Notifications option allows you to set whether users are notified via email when their password is reset and whether all administrators are notified when any administrator resets their password.

image

The Customization option allows you to set a custom link users can refer to if they need further assistance with this process.

image

With all these options in place, and with users being forced to set their recovery options, the next time they log in successfully they will see the above message prompting them to commence setting up their recovery options.

Users should select Next to continue.

image

Users will now see the list of verification options that you set for them to complete. They need to work through all of these individually.

image

For example, with the mobile phone option they enter their number and receive a code to verify.

image

With email address verification they will receive a code that they need to enter to verify.

Once the user has completed all the verification methods they will proceed to their Office 365 portal as normal.

image

When a user needs to reset their password they can select the link Can’t access your account? at the bottom of the login area.

They will then be prompted to select a personal or work account. Normally, they will select a work account to proceed.

image

To verify that the process requesting the password reset is not an automated bot, the user will need to complete a captcha as shown above.

image

They will then be taken to a screen where they can select from the methods available to verify their identity. These were set up previously by each individual user and should be unique for that user.

image

Once the user successfully completes the verification process they will be prompted to reset their password,

image

which when complete, will allow them to access their Office 365 account again.

The main benefit of enabling user self service password resets in Office 365 is that it allows users to manage their own passwords immediately, without having to contact an administrator to complete the reset. It is important to ensure that you have enough verification methods for your environment and that all users complete the registration process.

Again, remember that out of the box Office 365 self service password resets work with cloud only identities. If you are using synchronized identities you will need to purchase Azure AD Premium and configure password writeback to your on-premises environment.

Azure VM host machines are being updated

All those VMs that you use in Azure have to run on a host. At the moment, the majority of these hosts are running Windows Server 2012 R2. With Server 2016 now available, which includes a range of additional features and functionality, Microsoft is going to be updating the host machines in its datacenters to Server 2016 over the coming months.

This video will give you some good guidance on what to expect during the process for your VMs currently hosted in Azure. Chances are it will mean a reboot of your VMs, but you’ll get plenty of notice beforehand, and it is something you should undertake manually anyway to complete the migration process.

The video has lots of great info, so if you have VMs running in Azure, consider this a heads up for upcoming host maintenance for your machines.

Office 365 supervision policies

image

One of the really great things about Office 365 is its compliance features. Here’s one you may not know about.

Navigate to the Security and Compliance center after logging into your tenant as an administrator with appropriate rights. From the menu on the left select Data Governance.

Then, from the menu that appears, select Supervision.

image

You’ll need to create a new policy, which you start by giving a Name and a Description.

image

Next, select which users in your tenant you want to supervise; that is, which users’ communications you wish to monitor.

image

Next, select the monitoring direction; here I selected Inbound and Outbound. I also elected to Add a condition, but you’ll see there are a lot of monitoring choices in the pull-down menu.

image

I decided that I want to monitor my users for the use of the word ‘bananna’, because I really want to know what the monkeys are doing with my banannas. Yes, I spelt it in a special ‘unique’ way so I can trigger this condition deliberately for demos.

image

Next, I decided what percentage of communications I want to review. The default here is 10%, and you’ll need to be careful about overloading yourself with too much to monitor. I set this to 100% in this case so I will always get a result (again, for demo reasons).

image

Next, I enter the users who will review the material. Basically, these people will get access to the material to review, which I’ll come to shortly.

image

Review your settings and select Finish to save and enforce the policy.

image

What Office 365 now does is effectively create a private shared mailbox that the reviewers can attach to and into which the material for review will be sent. They simply attach to this mailbox as they would any other shared mailbox. The details of this mailbox are provided once the policy has been enabled.

image

As you can see, my reviewer can now attach to the supervisory shared mailbox and view its contents. There is already an email to review that mentions the search term ‘bananna’. Those damn monkeys!

As I mentioned, Office 365 really has some great tools to monitor communication in your business. Take a look inside the Security and Compliance center to see what options are available to you.

June webinar resources

We’ve now crossed the Rubicon of 12 months of CIAOPS Need to Know webinars with the June episode. You can download the slides from:

https://www.slideshare.net/directorcia/ciaops-need-to-know-webinar-june-2017

If you are not a CIAOPS patron and you want to view or download a full copy of the video from the session, you can do so here:

http://www.ciaopsacademy.com/p/june-2017-need-to-know-webinar/

I covered as much as I could on Rights Management and had some issues with buttons on the screen when sending emails, but I hope that didn’t detract too much from the information presented. As always, there is so much more I could have done, so if you have questions let me know. Thanks everyone for attending.

You can also now get access to all webinars via:

http://ciaops-academy.teachable.com/courses/need-to-know-webinars

for a nominal fee.

See you next month.

CIAOPS Need to Know Webinar–June 2017


We are halfway through 2017 already! Wow, where did the time go? The good news is that the CIAOPS Need to Know webinar is back again with a focus on some little-known functionality in Office 365. For June, aside from the usual news and updates, we are going to do a deep dive into information rights management (IRM) in Office 365. IRM gives you the ability to protect your documents no matter where they are shared on the Internet; it allows you to effectively embed permissions inside your documents. This is a great way to protect your intellectual property, and you’ll see how to do this if you attend the webinar.

You can register for free at:

June Webinar Registrations

The details are:

CIAOPS Need to Know Webinar – June 2017
Thursday 22nd of June 2017
11am – 12am Sydney Time

All sessions are recorded and posted to the CIAOPS Academy.

There will, of course, also be open Q and A, so make sure you bring your questions and I’ll do my best to answer them.

The CIAOPS Need to Know Webinars are free to attend, but if you want to receive the recording of the session you need to sign up as a CIAOPS patron (for only USD$10 per month), which you can do here:

https://www.patreon.com/ciaops

or purchase them individually at:

http://www.ciaopsacademy.com/

Also feel free at any stage to email me directly via director@ciaops.com with your webinar topic suggestions.

I’d also appreciate you sharing information about this webinar with anyone you feel may benefit from the session.