User Profile
lfkentwell
Brass Contributor
Joined Aug 15, 2019
User Widgets
Recent Discussions
Accessing anothe uses OneDrive via Admin console.
Recently I was able to access some users OneDrive using the steps in the link below: https://docs.microsoft.com/en-us/office365/admin/add-users/get-access-to-and-back-up-a-former-user-s-data?view=o365-worldwide#use-the-old-admin-center-to-access-a-former-users-onedrive-documents This worked fine and I was authorized to be in the admin console and have a couple of roles assigned to me. What I later read was an article that said you need to be a Global Administrator to do this. I am not a global admin. So I checked what Roles I had which are: Compliance administrator Security administrator Compliance data administrator So I then looked up these roles and the default role group assignments in each of those below but cannot determine what is giving me the permission to access other users OneDrive via that published process. Can anyone help me understand what is giving me this capability because I am concerned there are a large number of various "admins" who may also be able to do this which is not good. https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/permissions-in-the-security-and-compliance-center1.5KViews0likes0CommentsAuthentication steps
Can anyone point me to some info on the authentication steps for Azure AD and MFA. Basically trying to determine during the login process the person first enters their username and password and submits. They are then prompted through the chosen method to accept a MFA prompt. My question is does the MFA prompt sent before or after the username and password is validated as correct. For example if I see in the Azure AD sign ins a login that failed due to MFA not being accepted. Can I assume that the username and password was already validated as being correct and it moved onto MFA which failed or are they all validated at the same time?1.2KViews0likes3CommentsMissing details in the Sign-in Log
I am seeing large gaps in info in the Azure AD sign-ins log. Specifically the Application, Application ID and Client App. A very large umber of these appear to be Edge browsers including versions 14.14393, 16.16299 and 16.1629 however also see these missing info for browsers IE 11.0, IE 7.0, Chrome 74.3.3729, 75.0.3770, 78.0.3904, 71.0.357 and 66.0.3359 Also seeing Rich Client v1.0.2053.20161104 and Rich Client v2.3.0.1501 I suspect these are maybe using Basic Auth which I plan to shut down but some of these are modern clients, why aren't they using modern auth? Is the use of basic auth why there field in the sign-in log empty?10KViews0likes1CommentLync.exe failing MFA
Recently we implemented MFA and all the sudden i get loads of failed logins with Browser identified as Lync.exe with the failure "User did not pass the MFA challenge (non interactive)." Clearly Lync is the old version of Skype for Business. If this is failing wouldn't the person be having issues with their Lync not working? I would have thought so but no one is complaining.4.6KViews1like8CommentsStrange new logins.
Recently in AzureAD logs I have started to see attempted logins to various users across my organisation. They all seem to have similar conditions such as: 1. Even though they are physically in Australia the logins occur from IP's in the UK e.g some IP's seen are 185.59.221.83 (Hounslow, Greater London, GB) and 109.70.144.22 (Needham Market, Suffolk, GB) 2. They are all showing in device info as "Azure AD registered" 3. Application identified as "Universal Store Native Client" 4. Resource identified as "Windows Store for Business" Sometime they also have the following: 1. Same IP as the traffic for Application identified as "Universal Store Native Client" but 2. Application identified as "Microsoft Application Command Service" 3. Resource identified as "Microsoft Activity Feed Service" Now I can understand if maybe these are some kind of background services attempting to access MS resources and are suing the Login for the Office tenancy but why are they coming from an IP in the UK when I know the person is in Australia at the time. Is Windows tunneling certain traffic? What is going on????19KViews0likes3CommentsNot seeing all activity
While doing some reading I came across the below article about viewing label activity https://docs.microsoft.com/en-us/microsoft-365/compliance/data-classification-activity-explorer The article says you can see a number of activities listed as: File created File modified File renamed File copied to cloud File accessed by unallowed app File printed File copied to removable media File copied to network share File read file copied to clipboard Label applied Label changed (upgraded, downgraded, or removed) My problem is when I go to the Label activity explorer I only have two options (Label Activities and Label changes). I don't see all the other useful activities such "File copied to removable media". I have the necessary license, Office 365 (E5), applied to the accounts. I've done testing by copying a labeled file to a USB and get no activity. I think I have all the right permissions but maybe there is a role or permission within the Security and Compliance portal I need? Can anyone help shed some light on this?Issues with sub labels
I have setup my labels etc and everything is working fine. However when I create a sub label of one of my "top level" labels I can no longer select that "top level" label. E.g. 1. I created a label of "Confidential" and set all the settings etc 2. Then I create a sub label and call it "Confidential - Do Not Forward" and setup all those settings 3. Now when I'm in a document or an email I can see the Confidential and if I click that I see the Confidential - Do Not Forward label. 4. The problem is I cannot apply the top level Confidential label now, only the Confidential - Do Not Forward sub label. Why?Filtering Security Graph API in power automate
I am using the Microsoft Graph Security connector to get alerts in Power Automate. I am trying to filter the results to just MCAS alerts however there doesn't appear to be a field that just has MCAS that I can filter on. I first tried filtering on "category" field which starts with MCAS and then the "vendorInformation" field that has a sub field called "provider" field that has MCAS however these don't work when using the eq operator. Is there a "like" or "contains" option??? If there are no "like" or "contains" style options any suggestions on how to achieve the desired outcome? "category": "MCAS_ALERT_ANUBIS_DETECTION_VELOCITY", "vendorInformation": { "provider": "MCAS", { "id": "XXXXXX", "azureTenantId": "XXXXX", "azureSubscriptionId": null, "riskScore": null, "tags": [], "activityGroupName": null, "assignedTo": null, "category": "MCAS_ALERT_ANUBIS_DETECTION_VELOCITY", "closedDateTime": null, "comments": [], "confidence": null, "createdDateTime": "2020-03-15T00:02:08.093Z", "description": "The user XXXX XXXX (XXXX.XXXX@XXXX.com.au) perform failed sign in activities from remote locations that are considered an impossible travel activity. The user performed failed sign in activities from 2001:8004:c81:d661:d894:8a4e:6434:6fa2 in Australia and 183.89.211.22 in Thailand within 140 minutes.", "detectionIds": [], "eventDateTime": "2020-03-14T21:36:35Z", "feedback": null, "lastModifiedDateTime": "2020-03-15T00:02:08.6554137Z", "recommendedActions": [], "severity": "medium", "sourceMaterials": [ "https://XXXX.portal.cloudappsecurity.com/#/policy/?id=eq(XXXX)", "https://XXXX.portal.cloudappsecurity.com/#/alerts/XXXX" ], "status": "unknown", "title": "Impossible travel activity", "vendorInformation": { "provider": "MCAS", "providerVersion": null, "subProvider": null, "vendor": "Microsoft" }, "cloudAppStates": [ { "destinationServiceIp": null, "destinationServiceName": "Microsoft Exchange Online", "riskScore": null }, { "destinationServiceIp": null, "destinationServiceName": "Office 365", "riskScore": null } ], "fileStates": [], "hostStates": [], "historyStates": [], "malwareStates": [], "networkConnections": [], "processes": [], "registryKeyStates": [], "triggers": [], "userStates": [ { "aadUserId": "XXXX", "accountName": "XXXX.XXXX", "domainName": "XXXX.com.au", "emailRole": "unknown", "isVpn": null, "logonDateTime": null, "logonId": null, "logonIp": null, "logonLocation": null, "logonType": null, "onPremisesSecurityIdentifier": null, "riskScore": null, "userAccountType": null, "userPrincipalName": "XXXX.XXXX@XXXX.com.au" } ], "vulnerabilityStates": [] },Spike in impossible travel false positives
I've noted recently a spike in impossible travel alerts in my MCAS. When looking at the activity all the activity appears in my home country (AU) but dotted throughout is activity from other MS DC IP's in other countries causing an impossible travel alert. When I look at the type of activity that is triggering this it appears to be audit activity not user activity. nearly all the activities show as "Run command: task MailItemsAccessed;" Googling this it looks like this is a legit activity to generate an audit log of activity on a mail file. My problem is they are being run across random and multiple data centers. How can I ensure these are not run across O\S data centers so they stop generating false positive alerts? Do I need to maybe whitelist IP's? Here is a redacted sample of one of the activities: { "OrganizationId": "REDACTED", "CreationTime": "2020-01-19T00:00:00.0000000Z", "RecordType": 50, "Operation": "MailItemsAccessed", "Workload": "Exchange", "UserType": 0, "UserKey": "REDACTED", "Version": 1, "OriginatingServer": "REDACTED (XXX.XXX.XXX.XXX)\r\n", "InternalLogonType": 0, "UserId": "REDACTED@REDACTED.com.au", "OrganizationName": "REDACTED.onmicrosoft.com", "ClientInfoString": "Client=MSExchangeRPC", "ClientIPAddress": "[XXX.XXX.XXX.XXX]:17147", "MailboxOwnerSid": "REDACTED", "MailboxOwnerUPN": "REDACTED@REDACTED.com.au", "Id": "REDACTED", "ExternalAccess": false, "ResultStatus": "Succeeded", "LogonUserSid": "REDACTED", "MailboxGuid": "REDACTED", "LogonType": 0, "SessionId": "REDACTED", "OperationProperties": [ { "Name": "MailAccessType", "Value": "Bind" }, { "Name": "IsThrottled", "Value": "False" } ], "OperationCount": 1, "Folders": [ { "Id": "REDACTED", "Path": "\\Deleted Items", "FolderItems": [ { "InternetMessageId": "<REDACTED.ausprd01.prod.outlook.com>" } ] } ] }2.7KViews0likes1CommentExchange online SPF
I may be missing something basic here but can someone explain if I used the recommended spf include statement (v=spf1 include:spf.protection.outlook.com -all( (see here: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-spf-in-office-365-to-help-prevent-spoofing) for all exchange online deployment because its not specific to my domain rather generic to outlook.com wouldn't that mean that any other exchange online customer could spoof my domain? If they are also coming from that host being a exchange online user just like me Does that make sense?1.4KViews0likes1CommentRe: Using regex to match a sting in a replace function
Damien_Rosario thanks for the input. After literally wasting half a day trying to get regex to work i found one entry in Google that appears to indicate regex is not supported natively. Can't imagine why its not but there you go. Thanks for your suggestion I was able to get it to work within Flow using splits and concatenates its just 8 steps long which seem crazy when it could be done in one replace if only regex was supported.Using regex to match a sting in a replace function
Hoping someone can help me with an issue. I have some text that comes from an RSS feed that I post to Yammer using Flow. The source randomly includes text between square brackets. The text is different but it's always between squire brackets e.g. Reconsider your need to travel [/consular-services/travel-advice-explained] due... I want to simply remove the text in the square brackets along with the brackets. If I use a replace and "hard" code the string to remove (string2 in the replace function) it works fine e.g. the expression that works is below. replace(variables('String'),'[/consular-services/travel-advice-explained] ','New Text') However if I try to use a regex that looks for anything between square brackets in place of the "hard" coded string it fails. I know your going to say i need to escape the square brackets I am aware of this and tried a few different combinations. I even tested the expressions on various regex test tools and the expression matches but not in Flow. examples of regex strings i tried are below. They all work in the various regex testing tools and websites but Flow doesn't work. \[([^\]\[\r\n]*)\] \[(.*?)\] (\[(?:\[??[^\[]*?\])) \[([^]]+)\] Is there a special way to use a regex in a replace expression? Are regex even supported in a replace expression? Am I missing something?Re: Lync.exe failing MFA
Thijs Lecomte that kind of makes sense. Looking at the S4B in the task manager the running the process for S4B appears to be Lync.exe However you say S4B supports modern auth but when i look at AzureAD logs it fails MFA as non interactive. The entry says "User did not pass the MFA challenge (non interactive)." So based on this I would expect S4B to not work yet it does. Kind of contradictory.4.2KViews0likes1CommentRe: Info about Leaked Credentials alert
Gerson Levitz thanks i;ve seen that before. I am specifially trying to find out where Microsoft found these credentials e.g. in a paste or on a dump. This is so I can work out how the credentials where compromised. For example if a breach dump for a specific website breach dump was published so I can tell users to not use their company credentials on personal websites.5.4KViews0likes0CommentsRe: Random MFA prompts from Universal Store Native Client
Steve Hernou I have the same problem. I provided log sample to the MS Australia security lead today hoping with an insider we can get answers. In my case we block the UK in Conditional Access which is where all this traffic is originating from so we are safe but it's a frigging nuisance with all the MCAS alerts coming through.29KViews0likes8CommentsInfo about Leaked Credentials alert
Is there any way to get more information about Leaked Credentials alerts that have been triggered. I've seen one or two accounts on occasion but when I go to all my dark web and intelligence sources these accounts do not appear in any breaches, pastes, forums, classifieds for say etc. Nothing. Can Microsoft share the details of where they picked these up as a valid set of credentials? I think this would be very useful to help companies backtrack to root cause and fix the leak.Microsoft Azure PowerShell conditional access
I have conditional access implemented and normally every login is forced to perform MFA by my CA rules. However there are some background scripts and other functions that MFA breaks when run that I need to exclude from CA. I have created a blanket exception rule in CA that is applied to the account to exempt from MFA and that works. What I want to do now is tighten down that CA rule to IP and application. The problem I have is when I look at the sign in logs the application listed is "Microsoft Azure PowerShell" however when I try to apply the CA rule to this application it is not in the list. Do I need to create it or is it found as something else?1.3KViews0likes0Comments
Recent Blog Articles
No content to show