security
43 Topics

Security Admin Center Tenant Allow/Block List Not Able to Block IPv4?
While using the Security Admin Center Tenant Allow/Block List we have been able to block specific email addresses and IPv6 IP addresses but are unable to block IPv4 IP addresses. We have tried both using the console and the CLI but have turned up unsuccessful both times when it comes to IPv4. A large majority of the phishing attempts that we encounter come from IPv4 addresses but we have been unable to block any of these. Will there ever be functionality for IPv4 within the Tenant Allow/Block list or is the only option to use conditional access policies? Also why is this enterprise tool only functional with IPv6 and without documentation stating that it does not work for IPv4?
66 Views, 1 like, 0 Comments

Ensure users installing Outlook add-ins is not allowed affecting integrated apps/add-ins
I'm working on the usual chasing Microsoft Secure Score, one that we have that gives points and takes them away on a weekly basis is this one below. We don't have the three items unchecked in User Roles to accommodate this recommendation. So I figure it is a bugged recommendation.

Ensure users installing Outlook add-ins is not allowed

However it would be nice to permanently make it so. However, we have another area in M365 Admin that has integrated apps configured for a handful of third-party add-ins and of course the Teams Add-In for Outlook. Would this be affected by turning on the above recommendation? Or is this just if the end user goes to add one on their own? Thank you.
568 Views, 0 likes, 2 Comments

Unable to find the security alert in M365 Defender referenced in an email alert.
This happens a lot. I get these emails from Office365Alerts notifying our team that "A medium-severity alert has been triggered". At the bottom of the email is a link to "View alert details". When I click that, the site shows an error: "Can't find it. Either what you are looking for doesn't exist or you need to use a different search string." So, then I go to the Alerts view and filter to show everything (at least I think I am) but there's nothing related to this particular alert (unusual volume of file sharing). Where did it go?

EDIT: Including a screenshot of another email I got today. The result of clicking the 'View alert details' is again the same.
18K Views, 3 likes, 22 Comments

Alert: Email sending limit exceeded
Hello everyone,

For 3 days I had a situation where a script was sending 60 mails per minute, and had these types of alerts, but after I fixed this 3 days ago, I am still receiving these warnings. From mail flow, for example the last 24 hours, I have only around 30 emails sent from the affected email. I don't know what it could be, if it's expected or if there's something more. If you need more info let me know please.
628 Views, 0 likes, 1 Comment

USB security key MFA prompt does not work on any app like Teams or Outlook, only via web browser
I have this issue on every computer or device I use. I use MFA and I'm a Global Admin. I ONLY have USB keys as my security method and have 3 added. If I'm using Chrome, Edge, any browser and get prompted for MFA, I simply insert the key, tap it, enter my PIN, tap the key again and it works.

However, for any desktop application, such as Teams, Outlook, etc., whenever it prompts me to log in, if I pick USB Security Key it just freezes and displays the loading progress bar at the top over and over. It does this on every computer I try, Mac, Windows, etc. The only option to ever authenticate is to go in, add the Microsoft Authenticator app as an MFA option, and then use that, then remove it as an option, which is obviously not ideal. I have never been able to get USB security to work outside of a browser. If I access the same Teams, Outlook, etc. from ANY web browser and get prompted, it works every single time.

Please see screenshot above for what I'm referring to. The moment I click "Windows Hello or USB Security key" those blue dots just bounce across the top of the screen forever, it never proceeds past here. This is Teams when I'm trying to log in that's doing this. If I manually go to Teams on the web it will work fine. I can come back 4 hours from now and this screen will still be showing the same thing.

As mentioned, ALL devices have this issue, it does not work on any computer, PC or Mac, so it must be something with Microsoft 365. If it helps at all, I use Conditional Access and not security defaults.
4.1K Views, 1 like, 10 Comments

Microsoft Security Recommendation issues and Impersonation
Within the numerous dashboards for Microsoft, we see impersonation protection as failed/not compliant, or not enabled in our environment. This is a 2-part question:

1. Does it work well? Why do we see impersonated emails in our environment despite having the users set up for it? We have seen 3 in the last week for our CEO even though he is on the list.
2. Despite having it on and our owned domains added, the environment still shows we don't have it set up. Also, it gives us a limit of 350 users, are we supposed to check each person one by one? Why negatively impact security scores when you are only supposed to set this up for VIPs? Why not allow it to be on for all users?

EDIT: This is what it advises even though you are limited to 350 users. Ensure that all users have an assigned anti-phishing policy with ‘Enable domains to protect’, ‘Include domains I own’ and ‘Include custom domains’ options enabled, by either updating your existing policies or creating new ones.
260 Views, 0 likes, 1 Comment

passcode expiry on personal devices
My work has enabled enforcement of minimum password security requirements for personal mobile devices accessing work email. Unfortunately, this imposes a requirement to frequently change the device pin code which is annoying everyone. Our IT admin wants to remove this requirement while still enforcing a minimum requirement that devices must have a pin code but doesn't know where to find the relevant setting in Azure AD. We don't have any devices enrolled in Intune as that requires a P2 licence which we don't have. Any guidance that I could pass on would be appreciated.
260 Views, 0 likes, 1 Comment

Old "activity alerts" broken?
A couple of years ago, we created notification alerts to be notified if a user creates a rule in their mailbox. We did this because this is a common action taken by malicious/unauthorized actors and although it yielded some noise, it did serve a purpose. Starting yesterday at 4/29, we started receiving alerts from various mailboxes that were all false alarms, no rules created, not suspect access checking logs like this:

---
Subject: Notification for the alert '[RULE NAME REDACTED]' from [email address removed for privacy reasons]

We detected activity related to one of your alerts

You're getting this message because there's activity in your Microsoft 365 organization that matches the alert 'RULE NAME REDACTED'.

Activity: Send
User: [email address removed for privacy reasons]
Client IP address: xxx.xxx.xxx.xxx
Time of activity (UTC): 4/30/2024 12:29:46 AM

What's Next?
Search the audit log for this user
Search the audit log for this activity
Search the audit log for other activities that would trigger this alert

NOTE: There might be more activity related to this alert since you received this email. Search the audit log to show all recent activity.

Need help searching the audit log? Check out Search the audit log in the Microsoft Purview compliance portal

Thanks,
The Microsoft 365 team
---

Sadly the links they presented are all out-of-date and don't go anywhere useful. So I went to check on the status of the rule at Activity alerts - Microsoft Defender and then got a screen like attached. I know that message about "We are working on a better experience for you to manage and view security and compliance alerts" has been there for years but "Client Error" "request failed with status code 400" is new. I can click through the error and click the rule, but I can only enable or disable it. I can't adjust or have visibility into the rule. We haven't changed anything with this since 2021 when the alert rule was created.

We remain on an E3/P1 license and can see there are other means in other parts of the admin interface (not here) to create an alert for the creation of forwarded e-mail rules; but that's not useful, with the fraud we've encountered/documented with vendors/clients, often there are internal rules created in the mailbox to hide content from the account-holder.

Has anyone else encountered this? We're getting a handful of these alerts per day. I opened a ticket with Microsoft via the admin console 36 hours ago and haven't heard anything (based on previous experience, maybe next week?). I'm checking to see if something changed with permission requirements for this, but hadn't found anything. Also, I checked permissions, this is the account that created the rule in 2021.
1.7K Views, 0 likes, 6 Comments

MFA alerts for when an alternative phone number is added
Hi, I need to be able to find a way when someone adds an alternative phone number to MFA it sends an alert via email that would go into a shared mailbox but haven't been able to find a way to get the MFA alerts for alternative phone numbers. Can someone help please?
348 Views, 1 like, 0 Comments