security
49 Topics

Unable to find the security alert in M365 Defender referenced in an email alert.
This happens a lot. I get these emails from Office365Alerts notifying our team that "A medium-severity alert has been triggered". At the bottom of the email is a link to "View alert details". When I click that, the site shows an error: "Can't find it. Either what you are looking for doesn't exist or you need to use a different search string." So, then I go to the Alerts view and filter to show everything (at least I think I am) but there's nothing related to this particular alert (unusual volume of file sharing). Where did it go?
EDIT: Including a screenshot of another email I got today. The result of clicking the 'View alert details' is again the same.
20K Views, 3 likes, 23 Comments

Change default recipient for default security alerts
In the Office 365 Security admin center, under Alerts > Alert policies, all of Microsoft's default alert policies are configured to send to "TenantAdmins". I would like to change this default recipient address for all existing and future default alerts, without having to manually change it on each alert. I have found that you cannot modify these alerts using PowerShell. But is there a way to set the default recipient for default alerts? I haven't been able to find one.
Solved, 14K Views, 0 likes, 3 Comments

Delist Portal not working
Greetings, I'm trying to delist my server's IP address using https://sender.office.com/, but all I get is the following error when I try to submit the form:
Step 1: Our messaging service has experienced a temporary issue, please resubmit your information below.
https://i.imgur.com/OQfKDzu.png
I've been trying to resubmit, but it never works. Don't know where to issue a bug report.
Best regards, Douglas
9.2K Views, 1 like, 26 Comments

Enabled Enhanced Filtering, but EOP still uses my on-prem IP as the source when checking SPF
Last week, I enabled the Enhanced Filtering option in the Security Center, giving it 2 IP addresses that are the public addresses of my on-prem exchange server and spam filter. My understanding is that it should ignore those IPs when determining the source of external mail, and use the next external hop up the chain as the source for mail filtering purposes. When I send a test message from an external address, I do see the header added by Enhanced Filtering, indicating that it detected the real source server:
X-MS-Exchange-SkipListedInternetSender: ip=[209.85.166.170];domain=mail-il1-f170.google.com
But the header showing the SPF check shows a failure, because it's using my on-prem IP instead of the IP listed in that SkipListedInternetSender header:
Received-SPF: Fail (protection.outlook.com: domain of OTHERDOMAIN.XYZ does not designate MYON.PREM.SERVER.IP as permitted sender)
Has anyone else here enabled Enhanced Filtering successfully? Does EOP use the skiplist sender as the source IP for DKIM and SPF checks for you? What would cause the behavior I'm seeing?
4.9K Views, 1 like, 1 Comment

Threat Management - Messages submitted for review still considered Phishing after review?
Hi, I have two legitimate messages from a sender at the largest Swiss ISP, bluewin.ch, that are considered "High Confidence Phish" and were thus quarantined. I reported them as wrongly quarantined but the status is "Should have been blocked. Use your organizational settings to allow similar messages in the future." After manually checking the messages I couldn't find any reason why those messages should be considered phishing. (Looking at one message I see: SPF pass, conversation between a group of people (multiple previous messages), no links where URL and text would contradict - the only issue is some embedded pictures (cid:image...@...) not being shown because one email client in the "chain" probably wasn't Outlook-compatible.) This creates a real problem for our organization because users have no option to realize that they have missed messages. I want to avoid modifying filters and wonder what steps you recommend. Thank you
Solved, 4.8K Views, 2 likes, 3 Comments

MFA and Security Defaults
Hello All, I am struggling to find a clear answer, so I am hoping you can assist. When Security Default is turned on in 365, does this have any impact on 'Enabling', 'Enforcing' or 'Disabling' MFA for any of the users? I have read that 'Security Defaults' requires users to have MFA: Requiring users to do multi-factor authentication when necessary. But if I change a user to 'Enforced' or even 'Disabled', does this have any impact to the user, or does 'Security Defaults' override these settings?
4.8K Views, 0 likes, 3 Comments

USB security key MFA prompt does not work on any app like Teams or Outlook, only via web browser
I have this issue on every computer or device I use. I use MFA and I'm a Global Admin. I ONLY have USB keys as my security method and have 3 added. If I'm using Chrome, Edge, any browser and get prompted for MFA, I simply insert the key, tap it, enter my pin, tap the key again and it works. However, for any desktop application, such as Teams, Outlook, etc, whenever it prompts me to log in, if I pick USB Security Key it just freezes and displays the loading progress bar at the top over and over. It does this on every computer I try, Mac, Windows, etc. The only option to ever authenticate is to go in, add the Microsoft Authenticator app as an MFA option, and then use that, then remove it as an option, which is obviously not ideal. I have never been able to get USB security to work outside of a browser. If I access the same Teams, Outlook, etc from ANY web browser and get prompted, it works every single time. Please see screenshot above for what I'm referring to. The moment I click "Windows Hello or USB Security key" those blue dots just bounce across the top of the screen forever, it never proceeds past here. This is Teams when I'm trying to log in that's doing this. If I manually go to Teams on the web it will work fine. I can come back 4 hours from now and this screen will still be showing the same thing. As mentioned, ALL devices have this issue, it does not work on any computer, PC or Mac, so it must be something with Microsoft 365. If it helps at all, I use Conditional Access and not security defaults.
4.5K Views, 1 like, 10 Comments

eDiscovery with specific query error code on 5 of 19 mailboxes
Hello, I am doing a specific query for eDiscovery content against 19 mailboxes that are on Litigation Hold. 5 of the 19 mailboxes return an error with this specific query and the error message is:
The search on the following locations failed (CS008-009)
If I remove those five mailboxes from this search, no error. My hunch is that this error means that those five mailboxes did not return a match for the query specified. I created a simple query that I know would produce a match and ran it against those five mailboxes and it worked. I just need confirmation that the error code CS008-009 means no results found...
2.8K Views, 0 likes, 2 Comments

Set Spam Filter Settings
Hi, I've been researching online but cannot seem to figure out how to do this. I've gone through the admin portal spam settings but can't seem to figure out how to do what I want. There is an RFP email that comes through from a company which we paid in order to be listed as a vendor in their guide. Unfortunately, the e-mail doesn't come from their address, but the actual e-mail of the person making the request. So I can't create a simple filter in Outlook to make the domain safe. The e-mail always has the same subject and similar body (with the only thing changing being the prospective customer's information). Office 365 always filters these as spam and they go to the junk e-mail. This prevents me from creating any rules to catch it as it comes in. How can I adjust the spam filter in Office 365 to stop marking these as spam? The subject always starts with the same 3 words so I was thinking there should be a way to set a rule in the admin portal to stop marking these as spam.
2.2K Views, 0 likes, 1 Comment