Last week, I was working with a large government customer in a consolidated tenant (read: all agencies in a single, centrally-managed tenant). One of the questions that was presented was how to search and filter the audit log for entries relating to the following categories:
- Files shared by an agency or department’s users
- Files accessed in an agency’s SharePoint site collection
To that end, I based together this script. … [ Continue reading ]
One of the issues that some of my larger customers have been dealing with is the lack of tooling and planning around moving legacy Exchange Online In-Place eDiscovery & Holds to the new(ish) Security & Compliance Center. Our direction has been to either let them age out or manually recreate them the Security & Compliance Center.… [ Continue reading ]
UPDATE: I have posted the script to check against haveibeenpwned.com at the bottom in the TechNet Gallery. https://gallery.technet.microsoft.com/PwnCheck-HaveIBeenPwned-d65cf5f1
Yesterday, I participated in an escalation for a customer where one or more users had been successfully phished and had given up their credentials. … [ Continue reading ]
I had a customer recently raise some questions about how to provide further enhancements and protections around their OneDrive for Business deployments. Suppose this scenario exists:
- Users are site collection administrators over their OneDrive for Business sites (default configuration)
- Retention policies are configured, but may only be configured to provide a very minimal amount of data protection (such as 90 days from creation or last modification of data) due to organizational legal compliance
- No retention policies are in effect for the target data (as all the data we’re concerned with is technically older than 90 day creation or last modified date)
- Malicious or disgruntled user deletes OneDrive data
- Deletes data in OneDrive
- Empties recycle bin
- Empties second stage recycle bin
At this point, for any data older than 90 days, it is lost.… [ Continue reading ]
If you’ve ever asked anyone how to do virtually anything, the answer is usually “It depends.” Just as there is no wrong way to eat a Reese’s Peanut Butter Cup and more than one way to skin a cat, so it frequently is with technological tasks. … [ Continue reading ]
Earlier this week, I had a request for assistance with delegating reporting features in Exchange Online to non-administrative users. This is a frequent topic of discussion when it comes to compliance and security officers validating that systems are not being misused by unauthorized persons.… [ Continue reading ]
Today, we’re going to explore two relatively new sharing controls in SharePoint Online (and, by extension, OneDrive for Business). The two options we’re going to look at are located inside the SharePoint Admin Center (https://<tenant>-admin.sharepoint.com) under Sharing:
To test both of these functions out (as well as how other users are affected), I’m going to work with 3 test users and two security groups.… [ Continue reading ]
I was so excited to see this notification in the TechNet Gallery today when I logged in:
Thanks to everyone for making this one of the most downloaded OneDrive tools in the Gallery! As a thanks for your support, feel free to download it as many times as you like!… [ Continue reading ]
It’s Two-fer Friday. I don’t know if it was a thing, but it is now.
Based on received feedback, I have updated the AAD Connect Advanced Permissions tool to check for the Active Directory schema version in addition to the Exchange schema. … [ Continue reading ]
A few weeks ago, I put out a series of posts on creating and using custom sensitive information types (https://www.undocumented-features.com/tag/sensitive-information-types/). The blog, posts, however, focus on using the DLP configuration options available in the Security & Compliance Center.
Rules created via the DLP wizard in the Security & Compliance Center have the benefit of being able to be applied globally across your organization and its content sources. … [ Continue reading ]
So, of course, as soon as I finish up posting a few entries (here and here), we go and release a new UI to help you get it done on your own!
You can do most of the effort of creating a data classification here, although if you want to use any of our built in functions (such as credit card Luhn check), you’ll need to export/modify/import, use the sensitive information type package that I created (referenced earlier) or use one of our native DLP classifications.… [ Continue reading ]
Over the course of your Office 365 administration duties, you may be called to locate data matching particular data patterns (such as matching a particular regular expression or a Sensitive Information Type), either for eDiscovery or data classification purposes. The good news is you can actually do that. … [ Continue reading ]
UPDATE: The TechNet Gallery link for this post has been updated.
So, this is an entry that has been long in the making. I have had several customers over the last few years give feedback about our Data Loss Prevention’s (DLP) matching requirements, mostly around how they require too much corroborating evidence (in the form of patterns or keywords) to meet their organization’s very restrictive policies.… [ Continue reading ]
With the advent of scammers, spammers, phishers, and other types of baddies, and the complementary rise in anti-malware, anti-spam, domain and sender verification techniques, we’re in a perpetual cat-and-mouse game. I’ve had several customers over the past few weeks ask me about best practices for configuring some of the Advanced Threat Protection (ATP) features.… [ Continue reading ]
In Part 1 of this blog series, I went through the setup of the Splunk Add-On for Microsoft Cloud Services, which you can use to extract, query, and analyze data provided by the Office 365 Management Activity API. In this particular post, we’re going to explore the Microsoft Office 365 Reporting Add-On for Splunk, which you can use to review message trace data from Office 365.… [ Continue reading ]
I’ve had a number of customers ask me about configuring their monitoring systems to Office 365. So, rather than repeating the same information and re-issuing the same links (most of which contain outdated information), I’m going to put together a series on how to connect a few systems to Office 365. … [ Continue reading ]
In my previous post, I discussed using the new Attack Simulator for crafting phishing campaigns against your users. If you haven’t tried it out yet, I’d heartily recommend it. It’s more fun than a barrel of monkeys.
For this post, we’re going to shift into slightly more traditional attack strategies. … [ Continue reading ]
Over the last few weeks, we’ve released some great new features for Office 365 Advanced Threat Protection users. The Attack Simulator has three core components, each of which I’ll cover in a series:
- Spear Phishing (Credential Harvest)
- Brute Force Password (Dictionary Attack)
- Password Spray Attack
For this post, I want to focus on the Spear Phishing campaign.… [ Continue reading ]
A few users reported bugs with logging that I have updated. There was also an unreported bug when searching the XML generated by Get-ADSyncServerConfiguration for the connector’s AD user, which I have also resolved.
You can get the updated tool at https://gallery.technet.microsoft.com/AD-Advanced-Permissions-49723f74.… [ Continue reading ]
Update: We now have some public documentation available for this as well, so be sure to check there, too! https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-deployment-plans
Imagine this scenario: You’ve been running Active Directory Federation Services (AD FS) since before it was cool, and you’re tired of maintaining that highly available infrastructure (at least 4 servers) and the whole federation thing and its myriad of quirks and drawbacks and headaches (such as alt-id (which is still supported in Pass-through authentication with some caveats, listed below), claims rules, certificates, and the fun of trying to change UPN suffixes from one federated UPN to another).… [ Continue reading ]