Configuration

Sensitive Information Types–now with more sensitivity!

UPDATE: The TechNet Gallery link for this post has been updated.

So, this is an entry that has been long in the making.  I have had several customers over the last few years give feedback about our Data Loss Prevention’s (DLP) matching requirements, mostly around how they require too much corroborating evidence (in the form of patterns or keywords) to meet their organization’s very restrictive policies.… [ Continue reading ]

Configuration

ATP: Safe Attachments, Safe Links, and Anti-Phishing Policies or “All the policies you can shake a stick at”


With the advent of scammers, spammers, phishers, and other types of baddies, and the complementary rise in anti-malware, anti-spam, domain and sender verification techniques, we’re in a perpetual cat-and-mouse game.  I’ve had several customers over the past few weeks ask me about best practices for configuring some of the Advanced Threat Protection (ATP) features.… [ Continue reading ]

Configuration

Connecting Splunk to Office 365 – Part 1: Add-On for Microsoft Cloud Services

I’ve had a number of customers ask me about configuring their monitoring systems to Office 365.  So, rather than repeating the same information and re-issuing the same links (most of which contain outdated information), I’m going to put together a series on how to connect a few systems to Office 365. … [ Continue reading ]

Identity

Let’s Go Phishing – Spear Phishing, That Is

Over the last few weeks, we’ve released some great new features for Office 365 Advanced Threat Protection users.  The Attack Simulator has three core components, each of which I’ll cover in a series:

  • Spear Phishing (Credential Harvest)
  • Brute Force Password (Dictionary Attack)
  • Password Spray Attack

For this post, I want to focus on the Spear Phishing campaign.… [ Continue reading ]

Configuration

Change from AD FS authentication to Pass-Through Authentication with Seamless SSO

Update: We now have some public documentation available for this as well, so be sure to check there, too! https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-deployment-plans

Imagine this scenario: You’ve been running Active Directory Federation Services (AD FS) since before it was cool, and you’re tired of maintaining that highly available infrastructure (at least 4 servers) and the whole federation thing and its myriad of quirks and drawbacks and headaches (such as alt-id (which is still supported in Pass-through authentication with some caveats, listed below), claims rules, certificates, and the fun of trying to change UPN suffixes from one federated UPN to another).… [ Continue reading ]

Configuration

Update to the AAD Connect Advanced Permissions tool

Two updates for the tool in a week?  Yes! It is so!

At the behest of my good friend Darryl and one of his customer’s needs, I have updated the the AAD Connect Advanced Permissions tool with the following:

  • Allow the underscore (“_”) character to be used in an OU name path
  • Allow CN= to be used as part of the OU filter name path, since some organizations may want to try to scope permissions specifically to CN=Users.
[ Continue reading ]
Configuration

Update to the AAD Connect Advanced Permissions tool

On the recommendation of my good friend Darryl, I’ve added some things to my AAD Connect permissions tool:

  • Better logging of errors.  When running the tool for a large organization that had $ characters in its service account names, the tool would report successful but not leave any log files or indicators where things may have happened. 
[ Continue reading ]
Configuration

Update to the Office 365 Proxy PAC Tool

I have updated the Office 365 Proxy PAC tool to allow selection of the US Department of Defense XML feed for proxy bypass configurations.

You can see previous updates for the tool:

Update to the Office 365 Proxy PAC tool

Updates to Office 365 Proxy PAC Generator

And of course, the updated tool is available on the TechNet Gallery, with a couple of other bugfixes that some people reported (invalid characters/smart quotes appeared in some versions of the file, which have been corrected): https://gallery.technet.microsoft.com/Office-365-Proxy-Pac-60fb28f7[ Continue reading ]

Information

Creating and Managing Security and Compliance Filters in the Real World [Part 2]

Picking up where I left off on part 1 of this post, I wanted go into what it would take to refine some roles for managing eDiscovery for larger organizations.

In this scenario, we’re going to:

  • Remove users from any existing eDiscovery roles or groups
  • Create a security group to hold users that will perform eDiscovery searches
  • Create a custom role group that has the appropriate eDiscovery roles and add the security group as a member
  • Verify

If you didn’t read the previous blog post on this topic, I’d encourage you to go back and do so, since I’m going to continue using the same users and compliance filters.… [ Continue reading ]

Configuration

Block direct delivery to @onmicrosoft.com addresses in a hybrid environment

UPDATE: [11/20/2018] I had an error in the transport rule configuration in the last example, as well as a note that a TR would NDR external traffic.  I have this post accordingly.

We’re all familiar with how Office 365 tenants work–when you spin up a new Office 365 tenant, you get a managed domain (tenant.onmicrosoft.com). … [ Continue reading ]

Configuration

Office 365 Secure Score Script

In light of the discovery that a recent comprise involved administrator credentials that were not protected with multi-factor authentication, I thought revisiting http://securescore.office.com might be a good idea.

For the uninitiated, Secure Score is a tool that we provide to examine some configuration items and give guidance on others in respect to creating a more secure operating environment for your Office 365 tenant. … [ Continue reading ]

Configuration

Use AAD Connect to disable accounts with expired on-premises passwords

This week, I received an email from a colleague asking if there was a way to work around the default behavior described in https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-implement-password-synchronization:

Password expiration policy

If a user is in the scope of password synchronization, the cloud account password is set to Never Expire.[ Continue reading ]