Recent Discussions
Blocking Personal Outlook and Gmail Accounts on Corporate Device
Hello Community, In my organization, we use the Microsoft 365 environment. We have a hybrid infrastructure, but we aim to deploy as many policies as possible through Microsoft 365 (Intune, Purview, Defender, etc.). One of our goals is to limit the use of corporate devices for personal purposes. We use Outlook as our corporate email service, and we would like to block employees from signing into their personal email accounts (either via web or desktop application). Additionally, we would like to block access to other email services, such as Gmail, both via web and desktop apps. Could you provide guidance on how to achieve this? I would greatly appreciate any help or suggestions. Thank you very much! Juan Rojas1.2KViews0likes4CommentsHere's how I prepared for the Microsoft Security, Compliance, and Identity Fundamentals exam SC-900!
Dear Microsoft 365 / Azure Security Friends, What I always have to tell myself when I read Fundamentals, never underestimate an exam like this. Such exams are always a kilometer long but only 1 centimeter deep. That means a lot of topics are asked, but not how to install or configure it. What does that mean exactly? For example, a question might be structured like this: You need to capture signals from an on-premises Active Directory with a cloud solution, what do you use? The answer is Microsoft Defender for Identity. On the exam there are single choice questions and multiple choice questions (minimum 2 answers). No case studies or sliding scale questions. Now to my preparations for the exam: 1. First of all, I looked at the Exam Topics to get a first impression of the scope of topics. https://docs.microsoft.com/en-us/learn/certifications/exams/sc-900 Please take a close look at the skills assessed: https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Mr81 2. So that I can prepare for an exam I need a test environment (this is indispensable for me). You can sign up for a free trial here. https://www.microsoft.com/en-us/microsoft-365/business/compare-all-microsoft-365-business-products I chose the "Microsoft 365 Business Premium" plan for my testing. 3. Now it goes to the Microsoft Learn content. These learn paths (as you can see below, all 4) I have worked through completely and "mapped"/reconfigured as much as possible in my test environment. https://docs.microsoft.com/en-us/learn/paths/describe-concepts-of-security-compliance-identity/ https://docs.microsoft.com/en-us/learn/paths/describe-capabilities-of-microsoft-identity-access/ https://docs.microsoft.com/en-us/learn/paths/describe-capabilities-of-microsoft-security-solutions/ https://docs.microsoft.com/en-us/learn/paths/describe-capabilities-of-microsoft-compliance-solutions/ 4. Register for the exam early. This creates some pressure and you stay motivated. https://docs.microsoft.com/en-us/learn/certifications/exams/sc-900 5. Thomas Maurer's exam preparation information is super helpful! https://www.thomasmaurer.ch/2021/04/sc-900-study-guide-microsoft-security-compliance-and-identity-fundamentals/ 6. What you should also definitely watch is the YouTube of John Savill, really super informative! https://youtu.be/Bz-8jM3jg-8 I know you've probably read and heard this many times: read the exam questions slowly and accurately. Well, that was the key to success for me. It's the details that make the difference between success and failure. One final tip: When you have learned something new, try to explain what you have learned to another person (whether or not they know your subject). If you can explain it in your own words, you understand the subject. That is exactly how I do it, except that I do not explain it to another person, but record a video for YouTube! I hope this information helps you and that you successfully pass the exam. I wish you success! Kind regards, Tom Wechsler4.4KViews3likes4CommentsMicrosoft Security Fun Friday Week 2! This week's game- Security Crossword.
Hey Tech Community! We're back with Week 2 of our Security Fun Friday. The first to complete and post a screenshot in the comments of today's Security-themed Crossword Puzzle will earn our new "Microsoft Security Star" Badge to add to their profile! This badge will only be given out during these Fun Friday games or by being an outstanding member of the community, so it will be very exclusive! Also just like last week, if you have any ideas of other fun games that you would like to see in the future, please comment below. Good luck and happy solving!Solved66Views0likes3CommentsAll the locations where you can find Sensitivity labels
Here are the locations where you can find the sensitivity label of a document (if there are any that I've missed, please feel free to add it here) Sensitivity Label Button in the Document: In Office applications such as Word, Excel, and PowerPoint, you can find the Sensitivity label button on the Home tab. This button allows users to apply or view sensitivity labels directly within the document interface. (Sensitivity label app on the upper right) (the bottom left will show the label applied to the document) Document Properties > Advanced Properties Sensitivity labels can also be found in the document properties. To access this, go to File > Info > Properties > Advanced Properties. Here, you can see detailed metadata, including any applied sensitivity labels. Sensitivity Label Column in SharePoint: In SharePoint, sensitivity labels are displayed in a dedicated column. This allows users to quickly see the sensitivity level of documents stored within SharePoint libraries Windows File Explorer: Sensitivity labels can be extended to Windows File Explorer, allowing users to apply and view labels directly from their file management interface. Mobile Applications: Office mobile apps for iOS and Android also support sensitivity labels, enabling users to apply and view labels on the go. Microsoft Purview Compliance Portal: Administrators can manage and view sensitivity labels applied across the organization through the Microsoft Purview Compliance Portal. This portal is only accessible to IT admins who has the right Purview role.Entra Private Access - Private DNS
Hello Everyone We are using the trial period of Entra Private access and Entra Internet Access using Global Secure Access client. We recently got the Private DNS feature within Quick Access under Global Secure Access. The moment, we added our on-premise domain suffix to create a line of sight to the DC's, access to other private apps, some of which are actually cloud web apps stopped working. The cloud app web portals won't open, RDP to servers were not working. Intermittently, we could open the portal or RDP to the server, but everything had just died down. After leaving it for more than 8 hours, the issues were still not going away, so we removed the quick access app and disabled private DNS, issue was resolved after that. Any ideas why ? Also, is there a way we could allow our on-premise user accounts to change their passwords when it expires or get those password expired notifications as we did when we used Cisco VPN. We have Azure hybrid-joined machines with GSA running in them, but users don't get password expiry notifications, nor can they change the password on the local Laptop as it can't talk to the DC's. We created an app with Kerberos port 88, LDAP 389 and 464, still password change doesn't work. Users are logging in to the Laptops with cached passwords.1.3KViews0likes4CommentsFile Plan/Retention Labels cannot be deleted OR found in content explorer
When we try to delete a Purview Records Management > File Plan label (or Data Lifecycle Management > Retention label), we get the following error: "You can't delete this record label because it's currently applied to items in your organization. You can use content explorer to determine which items have this label applied." (see attached image). When we go to content explorer to find the label (in this example, Bank Reconciliations), it doesn't appear to exist (see attached image). We also reviewed our Label policies and Retention policies, and the given labels are not associated with any policy that we can see. So, in result, we cannot clean up File Plan labels since we can't find and remove the association between them and policies / items. Has anyone encountered this error when deleting file plan retention labels, but then unable to find anything the label is associated with?Using gMSA with ATP results in many 2947 events
We have an ATP deployment with several domains and different Trusts. We have 3 different credentials in use, 2 x 'ordinary' service accounts and 1 x gMSA. On the DCs in the domain where the gMSA is hosted the "Directory Service" event logs are full of 2947 events ("An attempt to fetch the password of a group managed service account failed.") for the gMSA. The source computers for these events are computers in other domains with the ATP sensor installed. Is there any way of filtering which credentials are used by the sensors in a given domain? The deluge of 2947 events is making it difficult to find useful information in the logs of the affected DCs.12KViews0likes13CommentsFile plan reference Id
How do I reuse a file plan reference Id in Records Management? I have created a file plan reference Id but want to use it with a different label so I have removed it from the original label. All the fields on the Editing File plan descriptors screen are dropdown fields with values but the Reference Id is just a dropdown with the only option as "Add a new file plan descriptor reference Id." It doesn't allow me to enter anything in the field and if I try to add a new one that is the same as the one I created it gives me an error and says it already exists. Shouldn't the ones I have created and not used be in the dropdown? See attached for details.1.1KViews1like1CommentIntroducing Microsoft Security Fun Fridays! This week's game- Word Search.
Hey Tech Community! I want to introduce to you a fun new initiative I am starting on the Microsoft Security Community: The first to complete and post a screenshot in the comments of today's Security-themed Word Search will earn our brand new exclusive "Microsoft Security Star" Badge to add to their profile! This badge will only be given out during these fun game posts or by being an outstanding member of the community (more details to come). Also, if you have any ideas of other fun games that you would like to see, please comment below. Good luck and happy hunting!127Views3likes6CommentsSecure Score "this account is sensitive and cannot be delegated"
Hi In Microsoft Secure Score when selecting the recommended action Ensure that all privileged accounts have the configuration flag "this account is sensitive and cannot be delegated" and in the Exposed entities tab I only see computer accounts. In the Implementation instructions they only mention user accounts. How do I complete this recommended action and get rid of the computer accounts detected?1.8KViews0likes27CommentsQuarantine Administrator - more rights needed?
Hi everyone, i tried to deploy the new Quarantine Admin to the Admin users of our Office 365 admins. After mail enabling the user object in Exchange on prem (which is needed btw) the user can access the quarantine without error message. But no mail is shown. Logging in as a global admin (myself) i can see many mails. I followed this doc: https://docs.microsoft.com/de-de/microsoft-365/security/office-365-security/manage-quarantined-messages-and-files Can anyone please advise. ThanksSolved37KViews0likes5CommentsEasiest way to view remediated risk detections?
I'm looking in Lighthouse at a series of risky logins that are remediated. The thing is, this tenant previously experienced a breach that got remediated, so I'm trying to be extra cautious. When I click "View in Entra", it brings up no risk detections. If I navigate to Protection > Risky Activities > Risky Sign-Ins I get nothing. Switching to all statuses, I still get nothing. Same thing happens if I got to Risk Detections, nothing. Short of bringing up each user, and checking every single login to try to find what was risky, is there a way I can see these once the statuses are remediated? It seems like I SHOULD able to... But here are the different ways I've tried filtering Risk detections: Risky Sign-Ins Trying to understand the users popping in Lighthouse, but they don't appear with any of these filters (or the defaults).... Anyone able to advise? THanksSolved36Views0likes2CommentsIs it possible to use Azure AD without internet
Hello Experts Mine is more of a business user kind of question and not from a technical question. We want to use some Access and Identity management system for our company (about 50 users and using mostly windows 10). Recently we were audited for some compliance and the auditor recommended a Active Directory services where we could control the users (active/inactive) and have info on what softwares have been installed on that machine. They also recommended we can use Azure AD. We tried with the Free version and it works when the PC/laptop is connected to internet. When its not connected, the users are not able to logon. Before investing or investigating further I want to check if it is possible to have Azure AD work without internet, ie can the users login to their machines even if it not connected to internet. Any help is appreciated.Solved49KViews1like8CommentsAuthenticator not displaying numbers on MacOS
I'm have an issue with MFA on a Mac (all the latest versions). We have conditional access policies in place, so once a day I'm prompted for MFA (I work off-site) and the Office app (e.g. Outlook, Teams) will create the pop-up window that 'should' display a number that I then match on my phone. My phone see's the push notification, but the Mac never creates the numbers in the first place. The pop-up is there, just no number. The workaround is: Answer 'its not me' on the phone On the Mac, select 'I can't use Authenticator right now' Tell the Mac to send a new request This time it creates the number and I can authenticate on the phone. It only appears to happen for the installed Office applications i.e. if I'm accessing applications/admin-centre via the browser, then the pop-up is within the browser and everything works first time. Is this a known issue?151Views1like2CommentsIngesting Purview compliance DLP logs to Splunk
We are in the process of enabling Microsoft purview MIP DLP for a large-scale enterprise, and there is a requirement to push MIP DLP related alerts, incidents and data to Splunk SIEM. Could not find any specific documentation for the same. researched on this and found below solutions however not sure which could work to fit in our requirement: Splunk add on for Microsoft security is available: The Splunk Add-on for Microsoft Security is now available - Microsoft Community Hub but this does not talk about Purview DLP logs. This add-on is available for Splunk but only says MIP can be integrated however does not talk about DLP logs: Microsoft Graph Security API Add-On for Splunk | Splunkbase As per few articles we can also ingest Defender logs to Azure event hub then event hub can be connected to splunk. Above mentioned steps do not explain much about Ingestion of MIP DLP raw data or incidents. If anyone has done it in the past I will appreciate any input.- 47Views0likes3Comments
Extremely Slow Performance Since Defender Was Pushed on Us
Compliance, Security, Protection, and Defender are all extremely slow, with responses from screen to screen ranging from 30 seconds to multiple minutes between clicking items and waiting for Microsoft cloud to return results. I have a GB link and speed test well over 600 Mbps so it's not on my end. It appears the cutover in late January to this new "Defender" platform has been extremely detrimental to the Office portal response times in these portals. What is being done to resolve this?Compliance Center DLP Policy Tips
Greetings! We are in the middle of implementing the Compliance Center DLP solution using a variety of the advanced rules. We really love the idea of Policy Tips providing guidance to users on what they should do with their sensitive data. Our model is that we are allowed to send sensitive data to intended and verified recipients as long as it is encrypted. So we have some rules that look for HIPAA and PII and inform the user that they should encrypt before sending. The selling point for us was the ability to provide users an override to the policy in cases where encryption wasn't necessary. It is less common, but makes up about 10% of our use-case. Minus the normal bumps and issues, we are mostly happy with the way the system works! Users can override, encrypt, and we get good visibility on why users are sending data unencrypted if they do, so we can retrain or tune the system. Our issue is, of course, the wonkyness of the PolicyTips and how it checks for certain conditions and may or may not clear when a condition is met/not-met. Issue: A user composes an email headed out of our company that contains sensitive data. The system catches this and throws a Policy Tip requiring they encrypt or override. They say, "oh ya! Thanks for reminding me" and hit that encrypt button. This doesn't clear the Policy Tip or the block condition and they cannot send the email, even though it is encrypted. What I've Tried: I added the exception onto the rules to exempt if the Message Type is: Permission Controlled. I tried Message Type: Encrypted, but it doesn't work correctly at all. With this setup, everything works except the Policy Tip, which get stuck. Example: blue box is original PolicyTip. Red box is button encryption. Current Work-Around: The users hate it, because the button is way easier than the subject tags. Our current work-around is to "Clear the Policy Tip" by 1) Remove encryption by clicking link in PolicyTip, 2) Remove Recipient using same method inside Policy Tip. This resets the Policy Tip, so then the user can push the Encrypt button first, then add recipients, without redrafting the whole email. Help!! What sort of logic do I need to make the Encrypt button clear out the Policy Tips? Or is this just it? Workaround city! Thanks for reading and I'd love any help or guidance. Trust me, I've read every docs.microsoft article I can find about Policy Tips and DLP. But I'll take some more if you have them if they are relevant.1.1KViews1like1CommentHow to create Playbook and automation rules for M365 Defender for Identity, Endpoint, Cloud Apps, an
How to create Playbook and automation rules for M365 Defender for Identity, Endpoint, Cloud Apps, and Data as we wanted to do some automation around it to let SOAR work on the alerts which are on "Low", "Medium" severity alerts? For example: if we have many alerts those should be verified by that respective automation rule and take the appropriate actions like close those alerts or mark as no action needed.1.5KViews0likes2Comments
Events
Are you confident who the people in your organization are interacting with online? Identity verification is fundamental in protecting your organization from impersonation. Attend this session and wal...
Tuesday, Feb 18, 2025, 08:00 AM PSTOnline
1like
42Attendees
0Comments
Recent Blogs
- In the rapidly evolving landscape of GenAI usage by companies, ensuring the security and integrity of interactions is paramount. A key aspect is managing the different conversational roles—namely...Feb 10, 2025216Views0likes0Comments
- 2 MIN READWhen Complexity Meets Transformation Imagine overseeing both a merger and a divestiture concurrently while also restructuring the internal domain for thousands of users, all without interrupting da...Feb 07, 202593Views3likes0Comments