Tag: Office365

Automated Investigation & Response

The Automated Investigation & Response feature under Threat management in the Security & Compliance admin portal is a pretty new and amazing feature in Office 365.

To use this feature you need “Office 365 Advanced Threat Protection Plan 2” licenses, which you can purchase standalone or get as part of the Office 365 E5 license. And yes, you need to be a “Global Administrator” or “Security Administrator” to configure the service. Once it is configured, you can also use “Security Reader” or “Security Operator” to see what's happening.

Have a look here to see all capabilities within “Advanced threat protections”.

So over to Automated Investigation & Response (AIR) – have a look at this screenshot

As we see here, we have two detections ongoing that are waiting on user action. The first one in the picture was found automatically by the system, and the second one is an email which I reported through the “Message Report” add-in for Outlook, which is deployed to all users (both Outlook and Outlook Web).

In the overview of the case (the one I reported) we see what's going on with the message: the trigger alert, which threats were found, how many emails are “infected”, and which users have the infected email in their mailbox (it could be a mass-phishing attack).

When we navigate to the Email tab we see which section of the email was found malicious; in this case Advanced Threat Protection has matched the URL to a malicious URL.

Moving to the Action tab, we are given a big tool belt: we can soft delete the email from the users' mailboxes (in this case only one user, but if this malicious email had been delivered to 100 users we could remove it from all of their mailboxes in one click) and block the URL in Safe Links.

So this was a very short look at how to easily use AIR in your tenant if you have the right license.

Get started with MFA – part one

You have probably heard about multifactor authentication by now, but have you enabled it in your environment?

If not, please do so at once! In this short blog post I will give you directions to get started with MFA in Azure AD.

So let's just jump right into it.

First things first – protect your admin accounts!  

By admin accounts I mean any account that has an additional role assigned beyond being a regular user. To protect these users we will enable a Conditional Access policy that requires MFA for all administrator accounts.

So navigate to Azure Active Directory in portal.azure.com 

Dive into “Security” -> “Conditional Access”  

Click “Baseline policy: Require MFA for Admins (Preview)” and choose to use it immediately.

So now you have successfully enabled MFA for all your admins! Great work 😊 

To make it easier for yourself you can now change the MFA verification from the default SMS to the Authenticator app by visiting https://aka.ms/mfasetup and adding the Authenticator app as the preferred method.
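To confirm that every account holding an admin role has actually registered an MFA method, and to find admins still defaulting to SMS, the roles can be audited from PowerShell. This is an added example, not part of the original post; it assumes the MSOnline module with an existing Connect-MsolService session, and the function name Get-AdminMfaStatus is hypothetical.

```powershell
# Added example. Assumes: Import-Module MSOnline; Connect-MsolService already run.
function Get-AdminMfaStatus {
    $admins = @{}
    foreach ($role in Get-MsolRole) {
        # Only user members are checked; groups and service principals are skipped.
        $members = Get-MsolRoleMember -RoleObjectId $role.ObjectId -All |
            Where-Object { $_.RoleMemberType -eq 'User' }
        foreach ($member in $members) {
            $key = $member.ObjectId.ToString()
            if (-not $admins.ContainsKey($key)) {
                $user    = Get-MsolUser -ObjectId $member.ObjectId
                # Filter out nulls so an unset property counts as zero methods.
                $methods = @($user.StrongAuthenticationMethods | Where-Object { $_ })
                $admins[$key] = [pscustomobject]@{
                    UserPrincipalName = $user.UserPrincipalName
                    Roles             = @()
                    MfaRegistered     = $methods.Count -gt 0
                    DefaultMethod     = ($methods | Where-Object { $_.IsDefault }).MethodType
                }
            }
            # One row per admin, collecting every role the account holds.
            $admins[$key].Roles += $role.Name
        }
    }
    $admins.Values
}

$report = Get-AdminMfaStatus

# Admins who have not registered any MFA method yet.
$report | Where-Object { -not $_.MfaRegistered } |
    Select-Object UserPrincipalName, @{ n = 'Roles'; e = { $_.Roles -join ', ' } }

# Admins whose default method is still SMS rather than the Authenticator app.
$report | Where-Object { $_.DefaultMethod -eq 'OneWaySMS' } |
    Select-Object UserPrincipalName, DefaultMethod
```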

Next up is enabling it for all your users, which I will cover in the next blog post. Stay tuned for “Get started with MFA – Part two” 🙂

Reset folder language to match Outlook Web Access language

Recently I have been working with a customer to integrate Exchange Online mailboxes into a customer support application which uses POP. The application threw an error message:

02:47:34.513 Trc 21628 [MsgIn-2] <pop-client1> Mailbox account 'yourmailbox@domain.no'[https://outlook.office365.com/EWS/Exchange.asmx:443]: opening mail folder 'INBOX'
02:47:34.748 Std 21627 [MsgIn-2] <pop-client1> No INBOX Folder found on Corporate Email Server

This indicates that the software which is polling emails needs the inbox folder to be named “Inbox” and not “innboks” (which is Inbox in Norwegian). So we need to change the default folders to match the language set in OWA.

  1. Log on to your account on outlook.office.com
  2. Click the gear icon next to your profile picture in the top-right corner and at the bottom select: Your app settings -> Mail
  3. Select General in the left pane and then click on: Region and timezone.
  4. In language, set your language for OWA, check the checkbox which also renames the default folders to match the selected language, and hit the save button.

Keep private Teams private in Microsoft Teams

As of 23 March 2018 all private teams will be searchable for all users.
Users can then apply for group membership.
If you have groups in your organization that you still want to keep completely private, then the Office 365 unified group should be hidden from the Global Address List (GAL).

Run this PowerShell command to hide it from the GAL:

Set-UnifiedGroup -Identity "Groupname" -HiddenFromAddressListsEnabled $true
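To find which private groups are still visible in the GAL before deciding what to hide, the groups can be listed first and the change previewed with -WhatIf. This is an added example, not part of the original post; it assumes an Exchange Online PowerShell session is already imported, and the addresses in $mustStayHidden are constructed placeholders.

```powershell
# Added example. Assumes an Exchange Online session (Import-PSSession) is active.

# All private Office 365 groups that are still listed in the address lists.
$visiblePrivate = Get-UnifiedGroup -ResultSize Unlimited |
    Where-Object { $_.AccessType -eq 'Private' -and -not $_.HiddenFromAddressListsEnabled }

$visiblePrivate | Sort-Object DisplayName |
    Select-Object DisplayName, PrimarySmtpAddress, AccessType, HiddenFromAddressListsEnabled |
    Format-Table -AutoSize

# Constructed placeholder list: groups that must stay completely private.
$mustStayHidden = @(
    'hr-cases@contoso.example',
    'board@contoso.example'
)

foreach ($group in $visiblePrivate) {
    $address = [string]$group.PrimarySmtpAddress
    if ($mustStayHidden -contains $address) {
        # -WhatIf only previews the change; remove it to apply.
        Set-UnifiedGroup -Identity $address -HiddenFromAddressListsEnabled $true -WhatIf
    }
}
```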

Change language – Office 365 Mailbox

To change the language for an Office 365 mailbox (Exchange Online), run the following commands:

# Prompt for the admin credentials used by the session below
$O365Cred = Get-Credential

$O365Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $O365Cred -Authentication Basic -AllowRedirection

Import-PSSession $O365Session

# Set the mailbox language and rename the default folders to match
Set-MailboxRegionalConfiguration -Identity "USER" -Language nb-no -LocalizeDefaultFolderName

For the full list of CultureInfo classes (languages) see:
https://msdn.microsoft.com/en-us/library/system.globalization.cultureinfo(VS.71).aspx

Convert from user mailbox to shared mailbox

From time to time I run into a little problem with the Office 365 Admin Center when trying to convert user mailboxes into shared mailboxes.
When this occurs I usually just use PowerShell to convert the mailbox into a shared mailbox.

To do this you have to connect PowerShell to the Office 365 tenant and run a one-liner to convert the mailbox.

Here is how to connect to Office 365:
Import-Module MSOnline
$O365Cred = Get-Credential "adminuser@YOURTENANT.onmicrosoft.com"
$O365Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $O365Cred -Authentication Basic -AllowRedirection
Import-PSSession $O365Session
Connect-MsolService -Credential $O365Cred

When connected, use this single line to convert the mailbox:
Set-Mailbox "Your@mailbox.no" -Type Shared

Installing modules is easy – Azure and Office365

This little post is to get you up and running with Azure PowerShell so that you can manage your Azure subscriptions and Office365 tenants within 10 minutes of booting up a fresh install of Windows 10.

I have tested this in the following Windows builds:
10586 (1511 build – Windows 10)
10586 (TP4 build – Windows Server 2016)
14328 (insider build – Windows 10)

Simply start PowerShell in elevated mode (right-click on PowerShell and start in Admin mode).

Type these 3 lines – one at a time.

Install-Module AzureRM -Force
Install-Module Azure -Force
Install-Module MSOnline -Force

When the installation is finished you need to set the execution policy to “Unrestricted” to be able to connect to Office365 tenants.

Set-ExecutionPolicy Unrestricted
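Unrestricted applies to the whole machine and lets unsigned downloaded scripts run. RemoteSigned is enough for the temporary module that Import-PSSession generates, and it can be scoped to the current user. The following is an added example, not part of the original post, showing the weaker setting being checked and replaced.

```powershell
# Added example: narrow the execution policy instead of using Unrestricted machine-wide.

# Show the policy at every scope (MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine).
Get-ExecutionPolicy -List

# RemoteSigned lets locally created scripts run (including the temporary module
# that Import-PSSession writes) but requires a signature on downloaded scripts.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force

# If an earlier run left the machine-wide policy at Unrestricted, tighten it again.
# Changing the LocalMachine scope needs an elevated PowerShell session.
if ((Get-ExecutionPolicy -Scope LocalMachine) -eq 'Unrestricted') {
    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine -Force
}

# Effective policy for this session after the change.
Get-ExecutionPolicy
```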

You are good to go! 🙂
Good luck playing around with Azure and Office365

Managing Office 365 and Exchange Online with Windows PowerShell

Connect to Office 365 PowerShell
Connect to Exchange Online PowerShell
Connect to Office 365 Compliance Center PowerShell
Connecting to Skype for Business Online by using Windows PowerShell
Set up the SharePoint Online Management Shell Windows PowerShell environment

Source: https://support.office.com/en-gb/article/Managing-Office-365-and-Exchange-Online-with-Windows-PowerShell-06a743bb-ceb6-49a9-a61d-db4ffdf54fa6?ui=en-US&rs=en-GB&ad=GB

SMTP Relay in Office365

When sending email from e.g. Visma or other third-party applications you need an SMTP server. Sometimes you can use the local ISP's SMTP server, but then you need to add that SMTP server to your domain's SPF record. You might not want to do this.

Here is the solution:

Log in to the tenant and start the Exchange management console.

Create a connector filtering on the public IP address being used by the server that hosts Visma.

In Visma add an SMTP server using your MX record for that tenant (e.g. itstyring-no.mail.protection.outlook.com) and port 25.

This connector will relay email with from addresses containing a valid domain for that tenant.

OneDrive for Business – ​The server you are trying to access is using an authentication protocol not supported by this version of Office.

We ran into this error and found the following fix at community.office365.com

1. Accessed Control Panel > selected the Microsoft Office subscription > right-clicked > Change > selected Online Repair
2. Removed all the stored credentials in the credentials manager (Control Panel > credentials manager)
3. Restarted the computer
4. Deleted the folders below:
C:\Users\username\AppData\Local\Microsoft\Office\Spw
C:\Users\username\AppData\Local\Microsoft\Office\16.0\OfficeFileCache
5. Signed in to Word (opened blank document > File > Account > signed out and signed in with the Office 365 account)
6. Started OneDrive for Business (from the search bar typed OneDrive for Business > clicked on the app > sync a different library instead > pasted the URL of the team site “Public documents” > sync now)

Source:
https://community.office365.com/en-us/f/154/t/410059

© 2019 IdefixWiki
