encryption
61 Topics

Issues with Sensitivity Labels and "Specific email addresses or domains" - Not working
Hello! We have enabled Sensitivity Labels in our tenant. The access control settings for the label state that a specific domain gets the permission "Co-Author". When we enable the Sensitivity Label on a document and send it to the approved domain, it results in an error message when authenticating to open the document:

"Selected user account does not exist in tenant 'Veni AS' and cannot access the application in that tenant. The account needs to be added as an external user in the tenant first. Please use a different account."

After doing some research I made some changes to the external domain within the Cross-tenant settings. The external domain now has the following settings:

Inbound access:
- Allow access on external users and groups, within B2B Collaboration
- Allow access on external users and groups, within B2B direct connect
- Trust multifactor authentication from Microsoft Entra tenants, within Trust settings

Outbound access:
- Allow access on users and groups, within B2B Collaboration
- Allow access on users and groups, within B2B direct connect
- External Identities: Block access for external users and groups (inherited from default)

After this change, I no longer get the same error message as above when authenticating to open the labeled document. Now I get the following error message:

"You are not signed in to Office with an account that has permission to open this document. You may sign in a new account into Office that has permission or request permission from the content owner."

I have this working from another tenant to the same external domain and I have cross-checked the settings. Any idea on how to proceed, or is there any obvious change I need to make in order to get this to work? All feedback appreciated! :-)

Microsoft Purview Encryption on Third Party Apps
Hello Community, I’m working with a desktop-based correspondence management system (CMS) application and would like to apply encryption to the documents that are created, handled, or stored by this application. Specifically, I’m looking to use Microsoft Purview Information Protection to classify and encrypt these documents. Could someone please guide me on:

- The steps or best practices to integrate Microsoft Purview labels (with encryption) into a third-party or in-house desktop application?
- Whether the Microsoft Purview SDK or API can be used in such scenarios, and if so, what the implementation flow looks like?
- Any prerequisites or limitations I should be aware of (e.g., licensing, file formats, offline handling)?
- How to ensure persistent encryption when files are exported from the application (e.g., to network drives or shared folders)?

Understanding DNS: A Nonprofit's Guide to Website Security and Accessibility
At the heart of this post is Kairos IMS, an innovative Impact Management System designed to empower human-serving nonprofits and social impact organizations. Co-developed by the Urban League of Broward County and our trusted technology partner, Impactful, Kairos IMS reduces administrative burdens, enhances holistic care, and enables organizations to leverage data for increased agility and seamless service delivery. In this blog series, we’ll take a closer look at the powerful technologies that fuel Kairos IMS, from Azure services to security frameworks, offering insight into how modern infrastructure supports mission-driven impact.

What is DNS?

DNS, or Domain Name System, is often referred to as the internet's "phonebook." When you want to visit a website, like www.example.org, you type in the domain name. Computers, however, route traffic using numeric IP addresses, such as 203.0.113.10. DNS is the translator that converts the user-friendly domain name into the machine-friendly IP address, ensuring you land on the correct website. (Addresses such as 192.168.1.1 belong to private ranges used inside home and office networks; a public website's address record must point to an address that is reachable from the internet.)

For example, if you type in your nonprofit’s domain, say www.mycharity.org, your device asks a DNS resolver (usually the one run by your internet provider, or a public resolver), which in turn queries the authoritative name servers for mycharity.org. Those are the servers your registrar or DNS provider operates, and they hold the records you configure. The resolver returns the matching IP address and your browser connects to it. Without DNS, navigating the web would mean memorizing strings of numbers for every site you wanted to visit, something no one wants to do!

Why DNS Matters for Nonprofits

A reliable DNS is essential for nonprofits for several reasons:

1. Website Accessibility
Your website is often the first point of contact for donors, volunteers, and the communities you serve. If your DNS isn’t functioning correctly, it can lead to downtime, making your site inaccessible. This can result in lost donations, missed opportunities, and frustration for users trying to learn more about your mission.

2. Security
A secure DNS setup helps protect your website from cyber threats like phishing attacks or DNS hijacking, where bad actors change or spoof your records to redirect users to malicious websites. A compromised DNS can damage your nonprofit’s reputation and erode trust among your supporters.

3. Improved User Experience
A fast DNS ensures that your website loads quickly. Slow load times can frustrate users and may even discourage potential donors or partners from exploring your site further.

Common DNS Issues Nonprofits Face, and How to Fix Them

Let’s look at some common DNS-related problems and their solutions:

1. Website Downtime
Issue: Your website suddenly goes offline, and users cannot access it.
Solution: This could be due to an expired domain or issues with your DNS provider. Make sure your domain name is renewed promptly and work with a reputable DNS provider that offers high reliability and uptime guarantees.

2. Misconfigured DNS Records
Issue: Users report being redirected to the wrong website or encountering errors.
Solution: Double-check your DNS records, particularly the A records (which map a name to an IPv4 address; AAAA records do the same for IPv6) and CNAME records (which alias one name, typically a subdomain such as www, to another name). Two rules trip people up: a name that has a CNAME record cannot also hold any other record, and the bare domain (mycharity.org itself) cannot be a CNAME. Tools like DNSChecker.org can help you verify what resolvers around the world currently see for your domain.

3. Slow Load Times
Issue: Your website loads slowly, frustrating potential donors.
Solution: Invest in a DNS provider with a global network of servers. This ensures faster resolution times, especially for users accessing your site from different parts of the world.

4. Security Threats
Issue: You suspect your DNS may have been hijacked or compromised.
Solution: Implement DNSSEC (DNS Security Extensions), which signs the records in your zone so that validating resolvers can detect forged or tampered answers. Note that DNSSEC does not stop someone who has taken over your registrar or DNS-provider account from publishing new, validly signed records, so also enable two-factor authentication on those accounts, turn on the registrar's transfer lock, and review who holds access to them.

Tips for Nonprofits to Manage Their DNS Effectively

Managing your DNS may sound intimidating, but with the right approach, it can be straightforward.
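As an added, concrete illustration of the record check and change monitoring described above (this is example code written for this page; it is not code from the original post or from Kairos IMS), the following Python script parses the answer section of `dig` output, compares it with a saved baseline of the records you expect, and reports any drift, such as a hijacked A record or an unexpected TXT record. It also applies two sanity checks that hold regardless of the baseline: A records must be IPv4 addresses outside private, loopback and link-local ranges, and a name that has a CNAME may carry no other record type. The domain mycharity.org, the name servers, the addresses and the embedded `dig` output are constructed so the script runs offline.

```python
"""Snapshot-and-diff check for a nonprofit's public DNS records.

Added example for the DNS guide above, not code from the original post or
from Kairos IMS. Records are read from `dig +noall +answer` output; the
sample below is constructed (mycharity.org, the name servers and the
RFC 5737 documentation addresses are illustrative) so this runs offline.
"""
import ipaddress
import json
from typing import Dict, List, Set, Tuple

# (owner name, record type) -> set of RDATA strings
Records = Dict[Tuple[str, str], Set[str]]

# Ranges a public web site must never point at: RFC 1918, loopback, link-local.
# Checked explicitly rather than via ipaddress.is_private, which would also
# reject the documentation addresses used in this constructed sample.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed baseline: the records the organisation expects, saved while they
# were known-good (the "keep a record of your DNS settings" step).
BASELINE_JSON = json.dumps({
    "mycharity.org.|A": ["203.0.113.10"],
    "www.mycharity.org.|CNAME": ["mycharity.org."],
    "mycharity.org.|MX": ["10 mail.mycharity.org."],
    "mycharity.org.|NS": ["ns1.example-dns.net.", "ns2.example-dns.net."],
})

# Constructed `dig +noall +answer` output simulating a hijack: the apex A record
# now points elsewhere and an unexpected SPF TXT record has appeared.
DIG_OUTPUT = """\
mycharity.org.\t300\tIN\tA\t198.51.100.77
www.mycharity.org.\t300\tIN\tCNAME\tmycharity.org.
mycharity.org.\t3600\tIN\tMX\t10 mail.mycharity.org.
mycharity.org.\t86400\tIN\tNS\tns1.example-dns.net.
mycharity.org.\t86400\tIN\tNS\tns2.example-dns.net.
mycharity.org.\t300\tIN\tTXT\t"v=spf1 include:attacker.example -all"
"""


def parse_dig_answers(text: str) -> Records:
    """Parse lines of the form NAME TTL IN TYPE RDATA (RDATA may contain spaces)."""
    records: Records = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank or dig comment line
        parts = line.split(None, 4)
        if len(parts) < 5 or parts[2] != "IN":
            raise ValueError(f"unexpected dig line: {line!r}")
        name, _ttl, _cls, rtype, rdata = parts
        records.setdefault((name.lower(), rtype.upper()), set()).add(rdata.strip())
    return records


def load_baseline(json_text: str) -> Records:
    """Baseline file format: {"name|TYPE": [rdata, ...], ...}."""
    out: Records = {}
    for key, values in json.loads(json_text).items():
        name, rtype = key.split("|", 1)
        out[(name.lower(), rtype.upper())] = set(values)
    return out


def diff_records(baseline: Records, current: Records) -> List[str]:
    """Each returned line is a change; a hijacked record shows as MISSING + ADDED."""
    findings: List[str] = []
    for name, rtype in sorted(set(baseline) | set(current)):
        before = baseline.get((name, rtype), set())
        after = current.get((name, rtype), set())
        findings += [f"MISSING {name} {rtype} {r}" for r in sorted(before - after)]
        findings += [f"ADDED {name} {rtype} {r}" for r in sorted(after - before)]
    return findings


def validate_records(records: Records) -> List[str]:
    """Structural checks that do not depend on a baseline."""
    problems: List[str] = []
    cname_owners = {name for (name, rtype) in records if rtype == "CNAME"}
    for (name, rtype), rdatas in records.items():
        if rtype == "A":
            for ip in rdatas:
                try:
                    addr = ipaddress.IPv4Address(ip)
                except ValueError:
                    problems.append(f"{name}: A record {ip!r} is not an IPv4 address")
                    continue
                if any(addr in net for net in NON_PUBLIC):
                    problems.append(f"{name}: A record {ip} is not publicly routable")
        if rtype == "CNAME" and len(rdatas) > 1:
            problems.append(f"{name}: more than one CNAME target")
        if rtype != "CNAME" and name in cname_owners:  # RFC 1034: CNAME must stand alone
            problems.append(f"{name}: CNAME coexists with {rtype} record")
    return sorted(problems)


def audit(baseline_json: str, dig_text: str) -> Dict[str, List[str]]:
    """Run both checks; two empty lists mean 'no change and nothing odd'."""
    current = parse_dig_answers(dig_text)
    return {"drift": diff_records(load_baseline(baseline_json), current),
            "problems": validate_records(current)}


if __name__ == "__main__":
    for section, lines in audit(BASELINE_JSON, DIG_OUTPUT).items():
        print(f"{section}:")
        for line in lines or ["none"]:
            print("  " + line)
```

To use it against your own zone, run `dig +noall +answer <name> <type>` for each record you care about, concatenate the output, and pass it to `audit()` together with the baseline you saved when the records were known-good; run it on a schedule and alert on any non-empty result. The baseline doubles as the backup you would restore from after a hijack.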
Here are some tips to help your nonprofit succeed:

- Choose a Reliable DNS Provider: Look for providers with strong uptime records, robust security features, and excellent customer support.
- Regularly Monitor Your DNS Settings: Periodically check your DNS records to ensure everything is configured correctly and no unauthorized changes have been made.
- Educate Your Team: Make sure your staff or volunteers understand the basics of DNS and know who to contact in case of an issue.
- Enable Automatic Renewals: Avoid domain expiration by enabling automatic renewals for your domain registration.
- Backup Your Settings: Keep a record of your DNS settings (an export of the zone, or a saved copy of every record) so you can quickly restore them if needed.

Conclusion

In today’s digital age, having a reliable and secure DNS is crucial for nonprofits. It ensures your website remains accessible, secure, and user-friendly, helping you better serve your community and achieve your mission. By understanding how DNS works and addressing issues proactively, your nonprofit can create a strong online presence and build trust among your supporters. Remember, you don’t have to be a tech expert to manage your DNS effectively. With the right resources and support, you can empower your organization to navigate the world of DNS with confidence.

Modifying Outlook Email Encryption Options
I'm trying to modify our existing Outlook email encryption options a bit, and I cannot find where this is located anymore on the admin side of things. How/where do I find the admin portal that manages this list? I'm accessing this list by opening a new email > Options > Encrypt.

SSAS 2022 Connections fail following restart
I'm using an application which has SSAS 2022 OLAP cubes at the back end. We are having an issue that whenever we restart the server or the service, the connections to the SQL Server that is the data source break. I suspect this is a consequence of SSAS CU1 behaviour where the connection string is encrypted, but, because they get encrypted, there's no way to identify what the change is. SSAS is on the same instance as the SQL Server. Before a restart, I've tried adjusting a few connection properties, notably:

- Impersonation set to Service Account
- Trust Server Certificate set to True
- Encryption for data set to Optional

The connection works fine with these settings. However, post reboot I get a connection error whenever I try to process any objects:

"Errors in the back-end database access module. No provider was specified for the data source."

We are using MSOLEDB19 so it should be fine, but it seems that post reboot the encrypted connection is somehow misconfigured. Appreciate any guidance on what could be happening here? I can't avoid restarting the server as org policy demands servers are rebooted every fortnight.

Building Secure Software from the Ground Up: Why It Matters for Nonprofits
What Is the Secure Software Development Lifecycle (SSDLC)?

The Secure Software Development Lifecycle (SSDLC) integrates security into every phase of the traditional Software Development Lifecycle (SDLC). Instead of treating security as a final step before software deployment, SSDLC ensures that security measures are embedded from day one. This approach reduces vulnerabilities and strengthens nonprofit organizations against cyber threats.

Key Phases of SSDLC and Why They Matter

Planning & Requirements
- Identify security risks before development begins: Understand the threats and vulnerabilities that could affect the software, and which sensitive data (donor records, beneficiary details) it will handle.
- Define compliance needs: Ensure that the software meets regulatory requirements such as GDPR, HIPAA, and donor data protection.

Design
- Use secure architecture principles to mitigate risks: Design the software with security in mind, applying principles such as least privilege and defense in depth so that no single failure exposes everything.
- Implement encryption, authentication, and access control measures: Protect data in transit and at rest through encryption, and ensure that only authorized users can access the system.

Development
- Follow secure coding best practices: Prevent vulnerabilities like SQL injection, cross-site scripting (XSS), and unauthorized access by adhering to secure coding standards (parameterized queries, output encoding, and server-side authorization checks on every request).
- Use automated security scanning tools: Detect issues early in the development process by running static analysis and dependency scanning as part of the build.

Testing
- Conduct penetration testing, security audits, and code reviews: Uncover weaknesses by thoroughly testing the software's security.
- Simulate cyberattacks to test software resilience: Ensure the software can withstand real-world attacks by simulating various cyber threats.

Deployment & Maintenance
- Monitor for security threats and apply regular updates: Continuously watch for potential security issues and keep the software and its dependencies up to date with the latest patches.
- Conduct incident response drills: Prepare for potential breaches by regularly practicing how to respond to security incidents.

How Nonprofits Can Implement SSDLC with the Right Tools

Understanding SSDLC is one thing; putting it into practice effectively is another. Many nonprofits lack dedicated cybersecurity teams or technical expertise, making it difficult to integrate security throughout the development process. This is where Microsoft’s Security Development Lifecycle (SDL) comes in.

Leveraging Microsoft’s Security Development Lifecycle (SDL) Practices

Microsoft’s Security Development Lifecycle (SDL) is a structured approach that aligns with SSDLC principles, providing security best practices and tools to help organizations, including nonprofits, develop secure applications. Some of the key SDL practices that nonprofits should incorporate include:

🔹 Perform Security Design Review and Threat Modeling – Nonprofits often handle sensitive data, such as donor information and beneficiary details. Conducting thorough security design reviews and identifying potential security risks early in the development cycle through threat modeling helps protect this sensitive information and ensures compliance with regulations.

🔹 Require Use of Proven Security Features, Languages, and Frameworks – Nonprofits may have limited resources, so it's crucial to use reliable security features, programming languages, and frameworks that are known to minimize vulnerabilities. This ensures that the software is built on a secure foundation without requiring extensive custom security solutions.

🔹 Perform Security Testing – Regularly run comprehensive security tests, including penetration tests and vulnerability assessments, to identify and address security flaws. This practice is essential for nonprofits to maintain the trust of their donors and beneficiaries by ensuring that their data is secure.

🔹 Implement Security Monitoring and Response – Continuously monitor for security threats and have a robust incident response plan in place to address potential breaches. Nonprofits need to be prepared to quickly detect and effectively manage any security incidents to minimize the impact on their operations and stakeholders.

🔹 Provide Security Training – Educate and train staff on security best practices and the importance of maintaining a secure development lifecycle. Nonprofits often rely on volunteers and staff who may not have extensive technical backgrounds, so ongoing security training is crucial to prevent security breaches and ensure everyone understands their role in maintaining security.

This list showcases some of the essential SDL practices that can greatly benefit nonprofits. For a comprehensive overview, please view the following resources:
- Microsoft Security Development Lifecycle Practices
- Learn how Microsoft supports secure software development as part of a cybersecurity solution - Training | Microsoft Learn

Microsoft Tools That Support Secure Development

To help nonprofits implement SSDLC and SDL, Microsoft offers several security-focused tools that integrate directly into the software development process.

✔ Microsoft Defender for DevOps (now delivered as the DevOps security capability of Microsoft Defender for Cloud) – Protects code repositories and CI/CD pipelines from security threats, ensuring security is embedded throughout the development lifecycle.

✔ Azure DevOps Security Tools – Integrates security checks into DevOps workflows with automated scanning for vulnerabilities in code, dependencies, and containerized applications.

✔ Microsoft Defender for Cloud – Provides real-time security monitoring, threat detection, and compliance management for cloud-based applications. This helps nonprofits maintain continuous security visibility across Azure and hybrid environments.

✔ Azure Key Vault – Secures application secrets, encryption keys, and certificates, preventing unauthorized access to sensitive credentials used in nonprofit applications.

✔ Azure Web Application Firewall (WAF) – Helps protect nonprofit web applications from common threats like SQL injection, cross-site scripting (XSS), and bot attacks by filtering and monitoring traffic.

✔ Azure Policy – Automates security compliance checks within Azure environments, ensuring nonprofit applications and services follow best security practices throughout their lifecycle.

Bringing It All Together

For nonprofits, cybersecurity isn’t just an IT issue; it’s a mission-critical priority. A data breach can compromise donor trust, expose sensitive beneficiary information, and disrupt critical operations. By integrating Microsoft’s SDL practices and security tools into the Secure Software Development Lifecycle (SSDLC), nonprofits can:

✅ Proactively reduce cybersecurity risks before they become major threats.
✅ Protect donor and beneficiary data from unauthorized access.
✅ Ensure compliance with data privacy regulations.
✅ Strengthen trust with stakeholders who rely on them.

By leveraging Microsoft’s security tools, nonprofits can build safer, more resilient applications, even without large security teams.

This blog discusses building applications and incorporating security from the very beginning phases of development. If you are a nonprofit with applications that you may not have the budget to rebuild from the ground up, you can learn about modernizing and upgrading the security for your legacy applications here: Modernizing Legacy Applications in your Nonprofit | Microsoft Community Hub

Compliance licenses at tenant level
Hi, We are a small organization of about 200 employees, and we have the following requirements:

- DLP policy configuration for Exchange, OneDrive and SharePoint
- BYOD security
- Users should not be able to send files outside the org
- And so on as we evaluate

We already have M365 Business Premium. However, after researching we figured out that M365 Business Premium alone will not solve our requirements. Maybe a compliance license will. We want to apply security policies at tenant level in our organization but definitely do not want every user to get licenses, as this will be expensive for us and there is no requirement at all for our users. The question is: is there a way to solve the above scenario?

Meraki VPN L2TP with Preshared key via Intune
Hey everyone, I'm trying to deploy a Meraki L2TP VPN with a pre-shared key via Intune. I have previously tried to deploy the rasphone.pbk file using a PS script to "$env:APPDATA\Microsoft\Network\Connections\Pbk\rasphone.pbk". The file was deployed successfully but the pre-shared key is not being copied. The next method I used was to create a VPN profile using a PS script. I used the script below, but EncryptionLevel Optional is being returned as an error.

```powershell
# Add the VPN connection as an all-user profile (stored under C:\ProgramData).
# -AllUserConnection is a switch parameter, so it takes no value.
Add-VpnConnection `
    -Name "MY VPN" `
    -ServerAddress "myvpn.com" `
    -TunnelType L2tp `
    -L2tpPsk "myPSK" `
    -AuthenticationMethod Pap `
    -EncryptionLevel Optional `
    -Force `
    -AllUserConnection

# Path to the rasphone.pbk file for all-user connections
$pbkPath = "C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk"

# Ensure the file exists
if (Test-Path -Path $pbkPath) {
    # Read the whole file as one string so the multi-line regex can span the [MY VPN] section
    $pbkContent = Get-Content -Path $pbkPath -Raw

    # Modify the contents to enforce PAP (128) and require username and password
    $pbkContent = $pbkContent -replace "(?msi)^(\[$([regex]::Escape("MY VPN"))\].*?^Authentication=).*$", '${1}128'

    # Write the modified contents back to the file
    $pbkContent | Set-Content -Path $pbkPath
} else {
    Write-Error "The rasphone.pbk file does not exist at the specified path: $pbkPath"
}
```

Error:

WARNING: The currently selected encryption level requires EAP or MS-CHAPv2 logon security methods. Data encryption will not occur for Pap or Chap.

The requirements are to use PAP; rasphone.pbk should be created under "$env:APPDATA\Microsoft\Network\Connections\Pbk\rasphone.pbk" and the pre-shared key should be copied, so that I can connect to the VPN from the taskbar (bottom right) by entering username and password. Can someone assist to modify the script or provide any alternate solution?

Using Email Encryption: Remote tenants not able to authenticate / open encrypted messages
We are using automation plus a flow rule to force encrypted emails via mail flow rules that apply Office 365 Message Encryption and Rights Protection with the "Encrypt Only" policy. However, when we send to people who are on remote tenants, we run into an unusual problem. Some tenants "just work", while other tenants hard fail with a notice that says the following:

"Selected user account does not exist in tenant 'Tenant Name' and cannot access the application 'UUID Here' in that tenant. The account needs to be added as an external user in the tenant first. Please use a different account."

Unfortunately, there's no option to bypass this for those recipients and no way to force the one-time passcode authentication option, where they have to request an OTP and then use that. It enforces the use of MS365 tenant auth rather than OTP, which is unusual and problematic because while *certain* remote tenants "just work", others do not. I'm confused as to where to look next. Is there a way to force OTP-only in the outgoing encryption for a message with transport rules in the Outlook 365 admin panel? Alternatively, is there a way to automatically permit external tenant accounts/recipients to just work? Please feel free to ask any questions necessary to solve this on our end; it's a core component of one of our information sending systems to partners and it's not working as intended.

Issues with AutoSave and Sensitivity Labels – Need Advice on Best Practices
Hello everyone, I'm currently facing an issue with implementing Sensitivity Labels in Microsoft 365, and I was hoping to get some insights from others who might have encountered similar challenges.

The Setup: We’ve implemented Sensitivity Labels with encryption in our organization to ensure external users are always authenticated when accessing our files. Our files are primarily stored on our on-premises servers. We’ve configured the labels to restrict access to authenticated users, with different permissions based on user roles (e.g., Co-Owners for internal users and restricted permissions for external users).

The Problem: While the labeling process is working as expected, one significant issue we've run into is that AutoSave no longer functions correctly after applying the labels, particularly for documents that are encrypted when using the client app. The documents are not saving automatically, which can lead to information loss and angry employees. 🥺 I can live with the limitation that the label can only be applied in the client application (i.e., not through the web interface). However, the AutoSave problem is a significant hurdle.

Questions for the Community:
- Has anyone else encountered issues with AutoSave after applying Sensitivity Labels with encryption? How did you work around this?
- Are there any best practices or configuration adjustments I should consider to resolve this issue?
- How have other organizations handled the authentication requirement for external users while still ensuring a smooth workflow?

Looking forward to hearing your thoughts and experiences! Thanks in advance!