User Profile
Ru
MVP
Joined Aug 24, 2017
User Widgets
Recent Discussions
"This form can't be shared because it violates our Terms of Use" error when sharing externally
Hi everyone, Created a form with ten pre-interview questions for our IT department's next recruitment project. When I change the 'Send and collect responses' option from 'Only people in my organization can respond' to 'Anyone with the link can respond', I get an error "This form can't be shared because it violates our Terms of Use." There are no specifics on what violates the terms; can only assume it's a generic error. Office 365 Business Premium tenant with external collaboration on in Admin Center > Settings > Services & Add-Ins. Thanks! RuairidhRe: Ninja Cat Giveaway: Episode 9 | Attack disruption
Hey HeikeRitter! Attack disruption is there to "hit the pause button" on an active attack detected by M365D, buying time for responders or hopefully even stopping damage entirely. The types of automation you we expect are device isolation (potentially stopping a device with ransomware from connecting to other devices) and account suspension (potentially stopping an attacker logging into a BEC-impacted identity). The confidence it's not a false positive - and therefore why it can be automated - is driven by the correlation of signals across the different M365D pillars. For example, MDE alone raising an alert raises your interest; but correlation to other alerts (in the form of an incident) from MDI, MDO, etc is what really confirms the need to disrupt the chain of events. The compelling thing about attack disruption in M365D is it's out-the-box nature. Organizations with greater resources may already have SIEM/SOAR with custom developed response playbooks, but this lowers the cost (resources, knowledge, staffing) for defenders by acting on their behalf.Re: MDI Sensor vs Standalone Sensor - Updated Guidance
Hey EliOfek, Do you have current data on the % sensors that are standalone? I am trying to discourage all customers from doing this, but some have concerns about allowing any internet traffic to DCs. It would be useful to get a steer about the roadmap of this, supportability, etc. Thanks!Exchange Online and Azure AD Connect
Hi everyone, We are planning to implement Azure AD Connect in a Password Hash Synchronization with Seamless Sign On scenario, hosted on Azure B1ms Windows Server 2016 AD DC connect to on-prem AD via S2S VPN. My company of around 100 users have had O365 for several years and the on-prem and AAD environments are totally separate for now. One thing that has come up in my research is with Azure AD Connect in place, on-prem AD must be the source of all objects, attributes, and changes - makes sense. Where there is confusion is Exchange Online attributes. Several older threads on Tech Community and other forums state you cannot change EXO attributes, in an AAD Connect environment, without on-prem Exchange installed or at least its schema changes. On review, the only EXO attributes we would change that aren't in the default AD schema are mailbox delegation (SendAs, AccessRights, etc) and email addresses (multiple SMTP addresses). Other attributes that show in EXO such as Job Title, Address, and Tel Numbers are all available in the default schema via AD Users & Computers, so my presumption is they're not of concern. Can anyone shed some light on this and confirm how we'd manage things like multiple SMTP addresses without the Exchange scheme in our on-prem AD? Does this differ depending on where the object is managed (cloud only vs hybrid) or user mailbox vs shared? Thank you, RuairidhRe: [Announcement] Azure Defender integration with MDE for Windows Server 2019
Appreciate the update. I'll monitor this for some new deployments I have coming up. Earlier this week when piloting a Windows Server 2019 onboarding using Microsoft Defender for cloud, it took about three days. I will see how the wider rollout goes. Thanks!Re: [Announcement] Azure Defender integration with MDE for Windows Server 2019
HeyStanislavBelov Is there a way of improving the visibility into the timing of the onboarding process? Turning it on and just waiting for an unknown period of time isn't a great experience; particularly in scenarios where MDE is being rolled out in anger to respond to security incidents.Re: 365 Training
Hey Marc. There are free learning paths from Microsoft for a lot of 365 things, from Exchange to Teams. A good starting point is their MS-100 exam criteria. Even if you don't sit the exam, the learning material is all fundamental stuff you'll need for 365 administration. https://docs.microsoft.com/en-us/learn/certifications/exams/ms-100 Towards the bottom of that page, you'll find a list of Learning Paths covering things like Azure AD (the backbone of managing users, devices, and apps). You can also get a free M365 E5 licensense as a developer for labbing stuff out from here: https://developer.microsoft.com/en-us/microsoft-365/dev-program If reading through the Microsoft Learning Paths isn't your thing, there are good video training for the MS-100 on sites like Pluralsight which will also have a free trial. Then when you've completed the MS-100 path, onto MS-101 🙂 Also might be worth checking out the following (paid) eBooks for some real technical depth on M365: Office 365 for IT Pros (general Office 365): https://gumroad.com/l/O365IT Microsoft 365 Security for IT Pros (security-specific): https://gumroad.com/l/mdGbpUndo Automatic Investigation Remediations
According to the documentation, you can undo automatic investigation remediations for things such as Task Scheduler entries and quarantine. This is particularly useful for getting buy-in to enabling fully automated remediation, rather than approval based. In my environment, there is no option for undo in the flyout pane for either a single historic action centre entry or multiple. Specifically, I am trying to undo the removal of a scheduled task. Are there prerequisites for this, or am I missing something else? Devices are Windows 10 2004, hybrid Azure AD joined, using MDAV as the engine, and still onboarded to MDE.Re: Windows Defender Full Scan renders devices unusable for 6-7 hours (while scan is running)
You probably do not need to schedule a recurring full scan. That should be reserved for when you have reason to investigate a specific device. With MDE and EDR, you are unlikely to get much value from it. If you do need to do it, I usually set ScanAvgCPULoadFactor to nearer 25% (not an exact science), but it's going to take hours for little return if real time threat protection is active anyway.Re: Confused about Microsoft Defender on Different Subscriptions
Windows Defender Antivirus is free and included with all Windows 10. Windows Defender for Endpoint (formerly Defender ATP) is part of Windows 10 Enterprise, M365 E5, E5 Security, or standalone licensing. It's an EDR solution - think of it as what takes place after traditional antivirus, for less obvious attacks or post-incident investigation and response. In M365 Business Premium, you get Defender Antivirus for Windows 10 on Intune managed devices. I haven't checked recently, but there was an announcement that threats etc. discovered on Business Premium licensed devices would report back to the M365 Admin Centre (it never used to do this).
