Forum Widgets
Latest Discussions
How to create Playbook and automation rules for M365 Defender for Identity, Endpoint, Cloud Apps, an
How to create Playbook and automation rules for M365 Defender for Identity, Endpoint, Cloud Apps, and Data as we wanted to do some automation around it to let SOAR work on the alerts which are on "Low", "Medium" severity alerts? For example: if we have many alerts those should be verified by that respective automation rule and take the appropriate actions like close those alerts or mark as no action needed.VinodS2020Jan 23, 2025Brass Contributor1.5KViews0likes2CommentsFile Plan/Retention Labels cannot be deleted OR found in content explorer
When we try to delete a Purview Records Management > File Plan label (or Data Lifecycle Management > Retention label), we get the following error: "You can't delete this record label because it's currently applied to items in your organization. You can use content explorer to determine which items have this label applied." (see attached image). When we go to content explorer to find the label (in this example, Bank Reconciliations), it doesn't appear to exist (see attached image). We also reviewed our Label policies and Retention policies, and the given labels are not associated with any policy that we can see. So, in result, we cannot clean up File Plan labels since we can't find and remove the association between them and policies / items. Has anyone encountered this error when deleting file plan retention labels, but then unable to find anything the label is associated with?chagedorn49Jan 22, 2025Copper Contributor4Views0likes0Commentscannot download content search result
I'm having a difficult time downloading content search results from the Compliance Portal I tried to download using with ClickOnce enabled but i still get the following error; Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item. I did some research which pointed me to trying to reload the site in IE but it's not working since reloading the page in IE rendered the site blank. I reached out to MS Support and they said it's a Windows issue, M365 related. I tried to download using other browsers which I managed to download, however when I tried to run it, the following error appears; Deployment and application do not have matching security zones. I tried using other laptops and the result is still the same. I dont understand why downloading a simple file can be so difficult and frustrating.ViktorMalumJan 21, 2025Copper Contributor329Views0likes6CommentsUser app registration - exploitable for BEC?
Hello. Recently dealt with a case of BEC. I'm not trained in forensics, but doing my best. Appears the hacker used an application called eM Client for their attack, getting access to a user's mailbox and hijacking a thread. I can see the login from two weeks ago (the incident was only noticed a couple days ago, however) - from a European country that SHOULD have been blocked by Conditional Access. Come to find out, the tenant conditional access was unassigned from everyone. We're not sure how - we re-enabled it, and audited changes, but the only change that appears was us re-enabling it. Which I thought indicates it was never configured right, except we've got a ticket documenting a change to Conditional Access a couple days after the hack that ALSO does not appear in the logs. So... it's likely it was changed, yet I have no record of that change (atleast, not through Entra > Monitoring > Auditing). If anyone knows any other ways of checking this, please advise - but I can't seem to even access our Diagnostic settings, the page tells me I need an Azure Active Directory subscription (I'm on Entra ID P1, which includes AAD.... this might be related to being global admin, and not Security Admin - we don't use that role in this relationship) ANYWAY, my amateur forensic skills have found that the attacker used an app called eM Client to get access. I'm not sure yet how they obtained the password, and got past MFA... But quick research shows this application (esp it's pro version) is known for use in BEC. The app was registered in Entra, and granted certain read permissions in Entra ID for shared mailboxes, presumably to find a decent thread to hijack. I'm not 100% sure yet there was any actual exploit done using this app, but it's popularity amongst hackers implies it does SOMETHING useful (i think remember that it authenticates using Exchange Web Services instead of Exchange Online, or something similar? Will update when I have the chance to check). We're in the process of improving our Secure Score, and this incident makes me think user's ability to register apps should be locked down. Checked Secure Score for this, and while there ARE recommendations around apps, disabling user app registration is NOT one of them. Just curious about people's thoughts. I just barely understand App Registration in Entra, but if this is a known attack vector, I would think disabling app registration would be a security recommendation?underQualifriedJan 20, 2025Copper Contributor251Views0likes7CommentsAll the locations where you can find Sensitivity labels
Here are the locations where you can find the sensitivity label of a document (if there are any that I've missed, please feel free to add it here) Sensitivity Label Button in the Document: In Office applications such as Word, Excel, and PowerPoint, you can find the Sensitivity label button on the Home tab. This button allows users to apply or view sensitivity labels directly within the document interface. (Sensitivity label app on the upper right) (the bottom left will show the label applied to the document) Document Properties > Advanced Properties Sensitivity labels can also be found in the document properties. To access this, go to File > Info > Properties > Advanced Properties. Here, you can see detailed metadata, including any applied sensitivity labels. Sensitivity Label Column in SharePoint: In SharePoint, sensitivity labels are displayed in a dedicated column. This allows users to quickly see the sensitivity level of documents stored within SharePoint libraries Windows File Explorer: Sensitivity labels can be extended to Windows File Explorer, allowing users to apply and view labels directly from their file management interface. Mobile Applications: Office mobile apps for iOS and Android also support sensitivity labels, enabling users to apply and view labels on the go. Microsoft Purview Compliance Portal: Administrators can manage and view sensitivity labels applied across the organization through the Microsoft Purview Compliance Portal. This portal is only accessible to IT admins who has the right Purview role.vicwingsingJan 20, 2025Brass Contributor1.9KViews0likes3CommentsCannot login to Service Trust Portal
Hi, I'm trying to get some certificates from the service trust portal, but I keep getting "Service Trust Portal no longer support Microsoft Account (MSA) access." I'm using an account registered on Azure and I checked the Azure Active Directory, and the user exists (seeing it's the owner of the account). What am I missing here?2.9KViews1like5CommentsSecure Score Improvement Recommended actions information sheet
Hello All I am starting a project to Improve our Secure score following the "Recommended Actions" section in the M365 Defender portal. Now each action comes with its own set of General information and remediation options. Rather than get the actions on each of the 208 recommendations by clicking through all the tabs and recording every step required to complete the recommendation , does anyone know if Microsoft has an Excel sheet with all the relevant Secure Score Improvement actions/information in one place? Will make running this project so much easier! Thanks in advance ! Kind Regards ChristoChristo De LangeJan 17, 2025Brass Contributor1.7KViews1like2CommentsNew Blog Post | Migrating from Windows Information Protection to Microsoft Purview
By Edwin Chan Introduction In July 2022 we announced the sunsetting here: Announcing the sunset of Windows Information Protection (WIP) - Microsoft Community Hub of Windows Information Protection (WIP). The last version of windows to ship with WIP will be Win11 24H2, it will be the first version to not include WIP. However, the decryption capabilities will remain. Why are we doing this? Windows Information Protection, previously known as Enterprise Data Protection (EDP), was originally released to help organizations protect enterprise apps and data against accidental data leaks without interfering with the employee experience on Windows. Over time, many of you have expressed a need for a data protection solution that works across heterogenous platforms, and that allows you to extend the same sensitive data protection controls on endpoints that you have for the various SaaS apps and services you rely upon every day. To address these needs, Microsoft has built Microsoft Purview Data Loss Prevention (DLP), which is deeply integrated with Microsoft Purview Information Protection to help your organization discover, classify, and protect sensitive information as it is used or shared. What scenarios are in scope? WIP provided customers with the following key capabilities: Extend data protection to managed and unmanaged devices Protect enterprise data at rest when it's stored on a protected device Restrict which apps, removable drives, printers, network shares, and sites are allowed or restricted from copying, accessing, and storing sensitive data Classify data based upon the app or site where it was created, copied, or downloaded. Granular controls to designate different levels of data access restrictions Remote wipe sensitive data at rest How does deprecation impact WIP users? WIP as an offering is no longer under active feature development. The sunset process will follow the standard Windows client feature lifecycle, which shows which existing features and capabilities are supported and for what timelines. This was announced in July here. Following this deprecation announcement, the Microsoft Endpoint Manager team announced ending support for WIP without enrollment scenario by EOY 2022, which only impacts unmanaged devices. The announcement by the Microsoft Endpoint Manager team is here. Please visit the Microsoft Endpoint Manager announcement for the latest on the decommissioning of MEM’s support for the ‘unenrolled’ scenario. How should you respond to the deprecation notice? If you are using WIP without enrollment, Microsoft will be communicating with you directly about the impact to your devices and the timelines for that impact. Please keep an eye on the message center for the latest updates. Microsoft Endpoint Manager will continue to support WIP with enrollment (managed devices) scenarios for the duration of the OS lifecycle (until 2026) and will continue to offer options to enroll both corporate and personal devices for management (and subsequently to receive WIP policy). How do I start planning for this change? Refer to this chart for a breakdown of WIP capabilities and how they map to Purview: Read the full post here: Migrating from Windows Information Protection to Microsoft Purview776Views1like0CommentsGlobal Administrator MFA recovery not possible
Since Microsoft automatically enforced MFA on administrator role in Azure you can end up in the situation where it is no longer possible to recover your tenant. If your only account on that tenant is with Global Administrator role and you accidentally loose your MFA, the only way is to call Microsoft support. Support on the phone is automated where any question regarding Azure is redirected to visit Azure portal. If your only user cannot login then Azure portal is not accessible.RobertasSimJan 14, 2025Copper Contributor14Views1like0CommentsHow Can I Remove Password from Windows 11 PC?
I have a home pc that changed the password two week ago. Unfortunately, I forgot to save the password like I did in the past. Now, I can't login the PC and unable to get to the Windows 11 desktop. Is there any way to remove password from Windows 11 without losing data? I tried Ophcrack password recovery tool but it does not work on a Windows 11 PC.SolvedYarisyoyoJan 13, 2025Iron Contributor629KViews1like14Comments
Resources
Tags
- Cloud Security981 Topics
- security758 Topics
- microsoft information protection516 Topics
- azure496 Topics
- information protection and governance481 Topics
- microsoft 365413 Topics
- compliance389 Topics
- microsoft sentinel335 Topics
- azure active directory240 Topics
- data loss prevention211 Topics