Azure Information Protection
38 Topics

Track Sensitivity Label Downgrades and Removals with Audit Log Data
The Purview Insider Risk Management solution can do all sorts of clever things, like tracking sensitivity label downgrades and removals as an indicator that a user might be preparing to exfiltrate data. The same kind of checking can be done by using the events captured in the audit log when people remove or change sensitivity labels. All in a few lines of PowerShell… https://office365itpros.com/2024/11/20/sensitivity-label-downgrades/
39 Views, 0 likes, 0 Comments

I lost my Admin privileges in Microsoft 365
So, I'm working in a corporate company and we had services purchased like Azure, PowerBI etc. that we were paying for a long time. And until today I was logging in with the Admin email to the 365 admin portal with my admin account, but today when I try, that email has lost its admin privileges. And so to recover that account I tried directly connecting through the phone call, which also had to go through an automated voice assistant. And even after finally connecting with the call, the only way they were able to provide help was by telling them what the current admin account's email address is, which is like the reason why we called them, because we have a security breach and don't know who did that. And I had all my previous admin accounts with credentials and all payment details etc., but I had to talk to some guy for like 20 minutes who was just repeating the same thing, like tell me the current admin email so we can help you further. Like if I knew that, why would I even call them? And I have all the details of my previous info, but how can I know what email the attacker has used in just one day?
184 Views, 0 likes, 1 Comment

Connect-Aipservice is not working
Hello everyone, please, is anyone able to connect to the AIP service using PowerShell version 5.5 and above? Even after installing and importing the AIP service module, Connect-AipService failed to work with all its parameters. However, creating and publishing a sensitivity label policy is working. Thanks.
780 Views, 0 likes, 6 Comments

How to Handle an Unwanted Sensitivity Label
Sometimes sensitivity labels defined for use within a Microsoft 365 tenant turn out to be unnecessary. The question then is what to do with these unwanted sensitivity labels. The answer is to pause for thought, gather information, and then make an informed decision, all of which we discuss here. https://practical365.com/how-to-handle-an-unwanted-sensitivity-label/
179 Views, 0 likes, 0 Comments

Account Hacked
Hello Community, My account has been hacked, copied and/or duplicated with some other account as I was originally Sids1 with this email for more than 6 months now and this has changed somehow. It's very concerning to me since I also found some other person named Siddhartha when I was logging into my account. I reported that to the Microsoft Account Team but have not received any replies yet. Please suggest anything that can be done to catch this hacker who is stealing my identity to and fro.
Best Regards
Siddhartha Sharma
Solved
659 Views, 1 like, 3 Comments

C# application with MIP SDK fails creating the FileEngine
Hi! I have a C# application which tries to create a FileEngine to unprotect AIP protected files. The application runs in Azure. Network connectivity is available. The MIP SDK logs look like this:

Info 2024-06-05 11:49:15.652 common/api_utils.h:195 w3wp (6324) "Start calling success callback for API: protection_profile_load_async" mipns::TryExecuteSuccessCallback::<lambda_aa4c0887fcc47f487d59891ccfa0eff4>::operator () 5396
Info 2024-06-05 11:49:15.652 common/api_utils.h:197 w3wp (6324) "Ended calling success callback for API: protection_profile_load_async" mipns::TryExecuteSuccessCallback::<lambda_aa4c0887fcc47f487d59891ccfa0eff4>::operator () 5396
Info 2024-06-05 11:49:15.652 policy_profile_impl.cpp:522 w3wp (6324) "Starting API call: profile_add_engine_async scenarioId=55a8c9cb-bbe6-40bb-992f-10b54066f182" mipns::ProfileImpl::AddEngineAsync 1048
Info 2024-06-05 11:49:15.652 policy_profile_impl.cpp:522 w3wp (6324) "Ended API call: profile_add_engine_async" mipns::ProfileImpl::AddEngineAsync 1048
Info 2024-06-05 11:49:15.652 policy_profile_impl.cpp:522 w3wp (6324) "Starting API task: profile_add_engine_async" mipns::ProfileImpl::AddEngineAsync 1700
Info 2024-06-05 11:49:15.652 policy_profile_impl.cpp:522 w3wp (6324) "Starting API task: profile_add_engine_async scenarioId=55a8c9cb-bbe6-40bb-992f-10b54066f182" mipns::ProfileImpl::AddEngineAsync 1700
Info 2024-06-05 11:49:15.652 policy_profile_impl.cpp:244 w3wp (6324) "Starting to add policy engine with engine id: 09342290-3990-4ef9-bdeb-611113bcccee" `anonymous-namespace'::CreateEngineAsync 1700
Warning 2024-06-05 11:49:15.652 policy_engine_manager_impl.cpp:275 w3wp (6324) "Inconsistent label & sensitivity policy detected. Removing both from cache if it exists." mipns::PolicyEngineManagerImpl::DeletePolicyFromStorage 1700
Info 2024-06-05 11:49:15.652 policy_engine_manager_impl.cpp:358 w3wp (6324) "Loading new policy engine (requires fetch): 09342290-3990-4ef9-bdeb-611113bcccee" mipns::PolicyEngineManagerImpl::LoadNewEngineAsync 1700
Warning 2024-06-05 11:49:15.652 policy_engine_manager_impl.cpp:361 w3wp (6324) "New PolicyEngine was created without an identity. Dynamic content marking will be partially disabled, and URL redirect caching will be fully disabled." mipns::PolicyEngineManagerImpl::LoadNewEngineAsync 1700
Info 2024-06-05 11:49:15.652 auth_request_transformer.cpp:155 w3wp (6324) "Requesting auth token from app. Resource: 'https://syncservice.o365syncservice.com/', Authority: 'https://login.windows.net/common', Scope: '', Claims: ''" mipns::AuthRequestTransformer::GetAuthToken 1700
Info 2024-06-05 11:49:15.917 auth_request_transformer.cpp:169 w3wp (6324) "Authentication response time (seconds): 0.264937" mipns::AuthRequestTransformer::GetAuthToken 1700
Info 2024-06-05 11:49:15.932 http_director_impl.cpp:141 w3wp (6324) "Sending HTTP request: ID: {C3D930DE-50B3-40A8-8C44-0ED22007A6FB}, Type: GET, Url: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies?supportedMaxVersion=1.0.50.0, Body Size: 0, Headers['ClientInfo'] = 'mip_ver=1.14.128;os_name=win;os_ver=10-0-20348;runtime=msvc-1929;arch=x86', Headers['Capabilities'] = 'BestEffortEntityMatch,BestEffortCCSIMatch,SchematizedDataContentType', Headers['Content-Type'] = 'application/xml;charset=utf-8', Headers['Authorization'] = 'UOID:2d3ea670-a6d7-4a66-85fe-0bcc9b5f563a;Tenant:tenant id;Audience:https://syncservice.o365syncservice.com/;Roles:UnifiedPolicy.Tenant.Read;" mipns::HttpDirectorImpl::DoSendHttp 1700
Info 2024-06-05 11:49:16.104 http_client_base.cpp:44 w3wp (6324) "HTTP response time (seconds): 0.185885 ID: {C3D930DE-50B3-40A8-8C44-0ED22007A6FB}" mipns::HttpClientBase::SendAsync::<lambda_b2b0e837acbc3dca3dadb2856c35cf30>::operator () 5756
Info 2024-06-05 11:49:16.120 oneds_helper.cpp:532 w3wp (6324) "OneDsHelper::WriteTelemetryEvent(policy_sync_acquire_policy)" mipns::OneDSHelper::WriteTelemetryEvent 5756
Info 2024-06-05 11:49:16.120 diagnostic_utils.cpp:80 w3wp (6324) "Send Telemetry. Event Name : [policy_sync_acquire_policy]
App.ApplicationId: [application id], Pii: [None]
App.ApplicationName: [AR_COSI_TEST_AIP], Pii: [None]
App.ApplicationVersion: [1.0.0], Pii: [None]
App.SessionId: [], Pii: [None]
Engine.SessionId: [], Pii: [None]
Event.CorrelationId: [3f4d9f3a-a5a1-40fc-bbdb-049f4d40889f], Pii: [None]
Event.CorrelationIdDescription: [HttpDirector], Pii: [None]
Event.Duration: [0.187074], Pii: [None]
Event.ErrorType: [NetworkError], Pii: [None]
Event.Failed.File: [src\core\api_impl\http\http_director_impl.cpp], Pii: [None]
Event.Failed.Func: [mipns::HttpTelemetryHelper::NotifyOperationComplete], Pii: [None]
Event.Failed.Line: [374], Pii: [None]
Event.Failed.Message: [No HTTP response. Failed with: [NetworkError: 'HTTP connection failure Inner exception: [http_exception: 'WinHttpSendRequest: 12029: A connection with the server could not be established'], NetworkError.Category=NoConnection, HttpRequest.SanitizedUrl=https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies, HttpRequest.Id={C3D930DE-50B3-40A8-8C44-0ED22007A6FB}']], Pii: [None]
Event.ParentCorrelationId: [948d1c35-91a9-47be-af1f-6d6a241125e5], Pii: [None]
Event.ParentCorrelationIdDescription: [PolicyProfile], Pii: [None]
Event.UniqueId: [eacab4b6-2048-4cf0-8d5c-cba215bcb6a0], Pii: [None]
EventInfo.Level: [10], Pii: [None]
EventInfo.PrivTags: [33554432], Pii: [None]
MIP.Version: [1.14.128], Pii: [None]
Request.CorrelationId: [{C3D930DE-50B3-40A8-8C44-0ED22007A6FB}], Pii: [None]
Request.IsAsynchronous: [true], Pii: [None]
Request.RequestBodySize: [0], Pii: [None]
Request.TokenTenantId: [tenant id], Pii: [None]
Request.Url: [https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies], Pii: [None]
iKey: [ce9aa5fb5a414ecebb15af10715bd8ff-831d197e-fc97-4df6-b998-c8c13a0fc3ce-6768], Pii: [None]
" mipns::WriteTelemetryEventToLog 5756
Info 2024-06-05 11:49:16.120 http_director_impl.cpp:38 w3wp (6324) "Received HTTP response: " `anonymous-namespace'::LogHttpOperationDetails 5756
Error 2024-06-05 11:49:16.120 http_director_impl.cpp:42 w3wp (6324) "HTTP operation {C3D930DE-50B3-40A8-8C44-0ED22007A6FB} failed: Failed with: [NetworkError: 'HTTP connection failure Inner exception: [http_exception: 'WinHttpSendRequest: 12029: A connection with the server could not be established'], NetworkError.Category=NoConnection, HttpRequest.SanitizedUrl=https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies, HttpRequest.Id={C3D930DE-50B3-40A8-8C44-0ED22007A6FB}']" `anonymous-namespace'::LogHttpOperationDetails 5756

This error does not occur on every tenant! Does anyone have a clue why this error occurs?
387 Views, 0 likes, 0 Comments

PowerShell cmdlets not available within a script unless it is run as administrator
I wonder if somebody can help with this issue. Essentially I want to be able to connect to Exchange Online and the Security and Compliance PowerShell from within a script run as a regular user, not administrator. If I drop these commands into my un-elevated PS window they will connect successfully and give me back some info on the two commands. If I drop the same commands into a PS1 file and execute it in an elevated PS console they also run successfully.

Connect-IPPSSession
Get-Command Get-DlpCompliancePolicy
Connect-ExchangeOnline
Get-Command Get-Mailbox

If I run Get-ConnectionInformation in the script I can see the two connections are there -

ConnectionId : 745f6176-5d1f-46ec-a786-b8e84f273791
State : Connected
Id : 1
Name : ExchangeOnlineProtection_1
UserPrincipalName : *********
ConnectionUri : https://eur01b.ps.compliance.protection.outlook.com
AzureAdAuthorizationEndpointUri : https://login.microsoftonline.com/organizations
TokenExpiryTimeUTC : 20/04/2024 10:01:24 +00:00
CertificateAuthentication : False
ModuleName : C:\Users\*******\AppData\Local\Temp\tmpEXO_5lnrtren.etr
ModulePrefix :
Organization :
DelegatedOrganization :
AppId :
PageSize : 1000
TenantID : 081cc50b-e5a5-4e76-b6b7-d7c274899193
TokenStatus : Active
ConnectionUsedForInbuiltCmdlets : False
IsEopSession : True

ConnectionId : 3d3547ec-f35e-4dc3-ba50-ed2f93ef0c35
State : Connected
Id : 2
Name : ExchangeOnline_2
UserPrincipalName : *******
ConnectionUri : https://outlook.office365.com
AzureAdAuthorizationEndpointUri : https://login.microsoftonline.com/organizations
TokenExpiryTimeUTC : 20/04/2024 11:50:29 +00:00
CertificateAuthentication : False
ModuleName : C:\Users\*******\AppData\Local\Temp\tmpEXO_a2axh3gk.iwh
ModulePrefix :
Organization :
DelegatedOrganization :
AppId :
PageSize : 1000
TenantID : 081cc50b-e5a5-4e76-b6b7-d7c274899193
TokenStatus : Active
ConnectionUsedForInbuiltCmdlets : True
IsEopSession : False

If I run Get-Module I can see the modules I understand are necessary -

Name : ExchangeOnlineManagement
Path : C:\Program Files\WindowsPowerShell\Modules\ExchangeOnlineManagement\3.4.0\netFramework\ExchangeOnlineManagement.psm1
Description : This is a General Availability (GA) release of the Exchange Online Powershell V3 module. Exchange Online cmdlets in this module are REST-backed and do not require Basic Authentication to be enabled in WinRM. REST-based connections in Windows require the PowerShellGet module, and by dependency, the PackageManagement module. Please check the documentation here - https://aka.ms/exov3-module. For issues related to the module, contact Microsoft support.
Guid : b5eced50-afa4-455b-847a-d8fb64140a22
Version : 3.4.0
ModuleBase : C:\Program Files\WindowsPowerShell\Modules\ExchangeOnlineManagement\3.4.0
ModuleType : Script
PrivateData : {PSData}
AccessMode : ReadWrite
ExportedAliases : {}
ExportedCmdlets : {[Add-VivaModuleFeaturePolicy, Add-VivaModuleFeaturePolicy], [Get-ConnectionInformation, Get-ConnectionInformation], [Get-DefaultTenantBriefingConfig, Get-DefaultTenantBriefingConfig], [Get-DefaultTenantMyAnalyticsFeatureConfig, Get-DefaultTenantMyAnalyticsFeatureConfig]...}
ExportedFunctions : {[Connect-ExchangeOnline, Connect-ExchangeOnline], [Connect-IPPSSession, Connect-IPPSSession], [Disconnect-ExchangeOnline, Disconnect-ExchangeOnline]}
ExportedVariables : {}
NestedModules : {Microsoft.Exchange.Management.RestApiClient, Microsoft.Exchange.Management.ExoPowershellGalleryModule}

Name : Microsoft.PowerShell.Management
Path : C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Management.psd1
Description :
Guid : eefcb906-b326-4e99-9f54-8b4bb6ef3c6d
Version : 3.1.0.0
ModuleBase : C:\Windows\System32\WindowsPowerShell\v1.0
ModuleType : Manifest
PrivateData :
AccessMode : ReadWrite
ExportedAliases : {[gcb, gcb], [gin, gin], [gtz, gtz], [scb, scb]...}
ExportedCmdlets : {[Add-Computer, Add-Computer], [Add-Content, Add-Content], [Checkpoint-Computer, Checkpoint-Computer], [Clear-Content, Clear-Content]...}
ExportedFunctions : {}
ExportedVariables : {}
NestedModules : {Microsoft.PowerShell.Commands.Management.dll}

Name : Microsoft.PowerShell.Utility
Path : C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1
Description :
Guid : 1da87e53-152b-403e-98dc-74d7b4d63d59
Version : 3.1.0.0
ModuleBase : C:\Windows\System32\WindowsPowerShell\v1.0
ModuleType : Manifest
PrivateData :
AccessMode : ReadWrite
ExportedAliases : {[CFS, CFS], [fhx, fhx]}
ExportedCmdlets : {[Add-Member, Add-Member], [Add-Type, Add-Type], [Clear-Variable, Clear-Variable], [Compare-Object, Compare-Object]...}
ExportedFunctions : {[ConvertFrom-SddlString, ConvertFrom-SddlString], [Format-Hex, Format-Hex], [Get-FileHash, Get-FileHash], [Import-PowerShellDataFile, Import-PowerShellDataFile]...}
ExportedVariables : {}
NestedModules : {Microsoft.PowerShell.Commands.Utility.dll, Microsoft.PowerShell.Utility}

Name : PSReadLine
Path : C:\Program Files\WindowsPowerShell\Modules\PSReadLine\2.0.0\PSReadLine.psm1
Description : Great command line editing in the PowerShell console host
Guid : 5714753b-2afd-4492-a5fd-01d9e2cff8b5
Version : 2.0.0
ModuleBase : C:\Program Files\WindowsPowerShell\Modules\PSReadLine\2.0.0
ModuleType : Script
PrivateData :
AccessMode : ReadWrite
ExportedAliases : {}
ExportedCmdlets : {[Get-PSReadLineKeyHandler, Get-PSReadLineKeyHandler], [Get-PSReadLineOption, Get-PSReadLineOption], [Remove-PSReadLineKeyHandler, Remove-PSReadLineKeyHandler], [Set-PSReadLineKeyHandler, Set-PSReadLineKeyHandler]...}
ExportedFunctions : {[PSConsoleHostReadLine, PSConsoleHostReadLine]}
ExportedVariables : {}
NestedModules : {Microsoft.PowerShell.PSReadLine}

Name : tmpEXO_5lnrtren.etr
Path : C:\Users\******\AppData\Local\Temp\tmpEXO_5lnrtren.etr\tmpEXO_5lnrtren.etr.psm1
Description : This is a Powershell module generated by using the AutoGEN infra.
Guid : 2c604488-886e-4090-ac70-2b9a3130c449
Version : 1.0
ModuleBase : C:\Users\********\AppData\Local\Temp\tmpEXO_5lnrtren.etr
ModuleType : Script
PrivateData : {PSData}
AccessMode : ReadWrite
ExportedAliases : {}
ExportedCmdlets : {}
ExportedFunctions : {[Add-ComplianceCaseMember, Add-ComplianceCaseMember], [Add-eDiscoveryCaseAdmin, Add-eDiscoveryCaseAdmin], [Add-RoleGroupMember, Add-RoleGroupMember], [Cancel-DlpEdmSession, Cancel-DlpEdmSession]...}
ExportedVariables : {[HelpFileNames, System.Management.Automation.PSVariable]}
NestedModules : {}

Name : tmpEXO_a2axh3gk.iwh
Path : C:\Users\*******\AppData\Local\Temp\tmpEXO_a2axh3gk.iwh\tmpEXO_a2axh3gk.iwh.psm1
Description : This is a Powershell module generated by using the AutoGEN infra.
Guid : e84305bc-e9b9-45bd-bb9f-d38a411419b2
Version : 1.0
ModuleBase : C:\Users\********\AppData\Local\Temp\tmpEXO_a2axh3gk.iwh
ModuleType : Script
PrivateData : {PSData}
AccessMode : ReadWrite
ExportedAliases : {}
ExportedCmdlets : {}
ExportedFunctions : {[Add-AvailabilityAddressSpace, Add-AvailabilityAddressSpace], [Add-DistributionGroupMember, Add-DistributionGroupMember], [Add-MailboxFolderPermission, Add-MailboxFolderPermission], [Add-MailboxLocation, Add-MailboxLocation]...}
ExportedVariables : {[HelpFileNames, System.Management.Automation.PSVariable]}
NestedModules : {}

And once the script exits, I can then do 'Get-Command Get-Mailbox' and get a good response. So the connection is clearly working, the script just cannot seem to access the functions/cmdlets while it is running. This is Twilight Zone stuff right!? I do not know if it's relevant, but we use AppLocker. So in my unelevated PS session I am in ConstrainedLanguage mode, but the script is excluded from AppLocker so executes in FullLanguage mode. I feel like I'm missing something fundamental about how PS sessions or scopes operate within a script run as admin vs a regular user, or is there a bug in Connect-ExchangeOnline, but no amount of Google searching has saved my mind yet! Thanks
797 Views, 0 likes, 2 Comments

Unable to create a centralised email address containing “.admin” when ending in @outlook.com
Seeking some guidance on how it would be possible to create a centralised email address containing xxxx“.admin” to an @outlook.com email address? The “.admin” address will be used as the front desk / home base for (non-personal) incoming emails and enquiries, as well as a central calendar account.
369 Views, 0 likes, 0 Comments

Exclude Microsoft first party applications in Azure conditional access policy
We have an app built on the Microsoft Graph resource and we have a conditional access policy that targets all cloud apps. When users sign into this app using the Chrome browser on iOS they get an error and a prompt to use Edge. We do not want users to change the browser and tried to exclude Microsoft Graph from the CA policy using all options including the API, but it fails with the error below.

Policy contains invalid applications: unsupported firstpartyapplication.

Is there a way to exclude Microsoft Graph from the policy?
3.4K Views, 2 likes, 3 Comments

Enable Sensitivity Labels for Containers - Learn Article Query
We have a QA and Production 365 tenant and are looking to enable sensitivity labels for containers. Checking both tenants using:

$Setting = Get-MgBetaDirectorySetting | where { $_.DisplayName -eq "Group.Unified"}
$Setting.Values

I can see that these labels have been enabled in QA and that Production shows that the labels are not yet enabled. Unfortunately, QA was enabled some time in the past. Rather than jumping straight into Production, I'd like to disable labels in QA and then reenable them. This will allow me to check the validity of the MSFT Learn commands shown on: Assign sensitivity labels to groups - Microsoft Entra ID | Microsoft Learn

The following article, Use sensitivity labels with Microsoft Teams, Microsoft 365 Groups, and SharePoint sites | Microsoft Learn, has a section on how to disable labels for containers. However, it doesn't make sense to me. It states 'to disable the feature, in step 5, specify $setting["EnableMIPLabels"] = "False"'. I can't see how applying this command to step 5 does anything. Step 5 is about checking whether a change has been made, not making the change. Step 4 is where the setting change is made (set EnableMIPLabels to True). To me, the command to run would be:

$params = @{
    Values = @(
        @{
            Name = "EnableMIPLabels"
            Value = "False"
        }
    )
}
Update-MgBetaDirectorySetting -DirectorySettingId $Setting.Id -BodyParameter $params

What are people's thoughts? I'm calling the process into question as Step 3 also doesn't work as the article suggests. If I run

$grpUnifiedSetting = Get-MgBetaDirectorySetting -Search DisplayName:"Group.Unified"

in QA, where I know the setting is enabled, nothing happens. The article says if nothing happens, then labels haven't been enabled, which I know is incorrect. (For me the above command doesn't do anything, only sets a variable to contain a value.)
375 Views, 0 likes, 0 Comments