User Profile
Chuck99
Brass Contributor
Joined 7 years ago
Recent Discussions
Protecting Breakglass account with 3rd party MFA?
Hi, As recommended by Microsoft, we have configured our tenant to enforce a Conditional Access policy for all our Global admin accounts BUT for an account that we will use only in case of a situation where other global admin accounts would not be able to sign in. As recommended, this "breakglass" account is a cloud account, its UPN is using the onmicrosoft.com domain and it is excluded from all Conditional Access policies, especially the one that enforces MFA for global admins. I'm trying to find some ways to protect this breakglass account and for now, all I've done is configuring Azure AD logs export to Azure Log Analytics and using Log Analytics to query the Azure AD sign-in logs every 5 minutes to see if the breakglass account signed in. If this happens, an alert is sent by email and SMS to the IT admins so that they can react quickly if the account has been compromised. Of course, we've configured a complex password as well that is known by almost no one. What I would like to do now is to configure another MFA solution for this account. By that I mean that every standard user would use the Azure MFA based on the Conditional Access but I would integrate as well a 3rd party MFA solution to be used specifically by the breakglass account. I don't know if this is possible. If not, what else should I do to better secure this sensitive account? Any idea is welcomed! Thanks

Get-DLPDetailReport not showing SPO
Hello, We are trying to get the DLP logs from O365 to discover the sensitive data that is in Office 365, including Exchange Online, SharePoint Online and OneDrive. For that, I am connecting to Exchange Online PowerShell using Connect-EXOPSession and I run the Get-DLPDetailReport cmdlet. Over the last few days, I am getting over 5000 entries but they are all coming from the EXCH source (Exchange Online) except 3 logs that are coming from ODB (OneDrive). Nothing from the SPO source (SharePoint Online), which makes no sense to me since we have many files that have sensitive information in them. For the test, we saved many files that have SIN numbers, credit card numbers and other sensitive information types in them. To make sure that they would be indexed (since DLP logs seem to be based on the SharePoint index), we opened and edited these files many times. Many days have passed but still, I have no logs from SPO in the DLP logs. I'm not a SharePoint expert and I was wondering if there could be anything that would cause this issue, like SharePoint permissions that could be too restrictive for the DLP to discover the sensitive information in the files stored in SPO? Or maybe some SPO sites that would be excluded from being indexed? Any idea will be more than welcome! Thanks! Charles

AIP UL Scanner database schema issue (DB pre-created)
Hello everyone, Trying to install and configure the AIP UL Scanner in preview for a client. However, because of internal security policies, it was not possible to let the Install-AIPScanner cmdlet create the SQL database itself. We had to ask the DBA to create the AIP Scanner DB prior to the Scanner installation. We followed the instructions found here: https://docs.microsoft.com/en-us/azure/information-protection/deploy-aip-scanner#restriction-you-cannot-be-granted-sysadmin-or-databases-must-be-created-and-configured-manually Then I followed the standard AIP Scanner installation and configuration steps. The service was installed (with a SQL error that was expected since it is documented), we also completed the Azure App Registration configuration and ran the Set-AIPAuthentication cmdlet with success. After starting the AIP scanner service, I was expecting the Scanner to show up in the Azure AIP Scanner Nodes list. It did not. I then ran Start-AIPScan locally hoping that the service would report itself to Azure but received the following error:
>> TerminatingError(Start-AIPScan): "Invalid database schema. Run the Update-AIPScanner cmdlet to upgrade your database."
Start-AIPScan : Invalid database schema. Run the Update-AIPScanner cmdlet to upgrade your database.
This was a surprise to me but since this approach (pre-creating the SQL DB) is not so well documented (especially for the UL client in preview), I thought I should try to run the Update-AIPScanner cmdlet and see how it goes from there. The result was not better. Here's the error I got:
>> TerminatingError(Update-AIPScanner): "An error occurred during deployment plan generation. Deployment cannot continue."
Update-AIPScanner : An error occurred during deployment plan generation. Deployment cannot continue.
I did search the web for these errors and cannot find anything at all. Would anybody have an idea of what I'm doing wrong? Anybody that pre-created the SQL DB before running the AIPScanner UL client installation? Thanks.

Cannot block emails with specific label using MailFlow rules (OWA only)
Hi, We have configured a mailflow rule in Exchange Online that will block any email that is labeled with a specific sensitivity label and that is sent outside the organization from being delivered. The mailflow rule actually looks in the email "msip_labels" header for the specific label information (ex: MSIP_Label_f777f457-ef2d-434d-81b5-0f4123455469_Enabled=true;). When found in the header, the email is blocked and a notification is sent to the sender. This works perfectly for emails sent from Outlook. Now that we can apply labels with Outlook on the Web (OWA), I was expecting the mailflow rule to work as well as with the Outlook client. It does not. I cannot understand why this is not working. We are applying the same label to the email in OWA as we do in Outlook. We can see in the message header that the "msip_labels" is there with the same MSIP_Label_f777f457-ef2d-434d-81b5-0f4123455469_Enabled=True; information. The only difference is that the word "True" has a capital "T" when sent from OWA (lowercase "t" when sent from Outlook) but the mailflow rules are not case sensitive anyway. Still, we did change the transport rule to also have a capital "T" but it doesn't change the result. When looking in the Message Trace of Exchange Online, the outgoing message from OWA is never analysed by the mailflow rule. I know that this feature (sensitivity labels in Office on the web) is still in preview but I was wondering if any of you had that issue or would have an idea of what could cause the issue. Thank you for your help!

Add protection to a sensitivity label - What happens to already labeled files?
Hi, Let's say that we have already labeled several files with a basic sensitivity label that does not apply encryption/protection. Then after labeling all these files for the last few weeks, we go back to the Office 365 SCC console and modify this sensitivity label to apply encryption. What will happen with the files that were already labeled before this change? When will these files be protected and by how will th? Thanks for clarifying.

AIP Scanner for Unified Labels possible?
Hi, We are deploying AIP with Unified Labels (UL). From what I read in an old post (a few months ago), the AIP scanner still only works with classic labels and not UL. Is this the case? If it is, is there an ETA? Is there any other alternative to automatically classify on-premises files that are on network shares? Thanks!

Re: Lync.exe failing MFA
Hi, We also have legacy auth in the AAD sign-ins for lync.exe for one of our clients and for almost all their users. S4B is on-prem (not sure if in hybrid mode yet) + mailboxes in Exchange Online (hybrid mode with a few service mailboxes on the on-prem Exchange server) + ADFS for authentication. We want to enable MFA using Conditional Access policies but we first need to get rid of these legacy authentications from lync.exe. Can anybody confirm that going through the following procedure will enable Modern Auth for lync.exe without impacting the services? https://docs.microsoft.com/en-us/microsoft-365/enterprise/configure-skype-for-business-for-hybrid-modern-authentication?view=o365-worldwide Anything else to consider? Thank you for your help.

Re: Add protection to a sensitivity label - What happens to already labeled files?
Pål Winther I did test this again and didn't face any issue. Protection was gone once the HC label was removed. However, I had installed the AIP client before doing the test (initially did the label change with the Office ProPlus integrated sensitivity label support). Also, I did the test from a local drive instead of the OneDrive client "folder". So I have no clear conclusion for now and I don't have the time to do more tests this week as I am overloaded with work. I might look at this again next week.

Re: Add protection to a sensitivity label - What happens to already labeled files?
Pål Winther Hi again. I did the change using the Sensitivity menu that was newly integrated in the Office apps. No AIP UL client is installed on the computer. I closed the file, opened it again and the label was General (no protection on this label) but the RMS restriction was still there. I'll test that again later to see if it reacts the same way. I have a doubt about the validity of the first test because I was working on a file from my OneDrive client and I know that this does not work so well with protection. I'll give an update about the results a little bit later. Thank you for your help.

Re: Add protection to a sensitivity label - What happens to already labeled files?
Pål Winther TY for that information, which makes a lot of sense. On another note, I did change the label of a file from a label with protection (Highly Confidential - All employees) to a General label without protection. Even though General was now applied to the file, the RMS protection behind it seems to stay. I had to go in the protection settings (in Excel: File - Info - Protect Workbook - Restrict) to remove the protection. Is that by design? Thanks

Re: Setting a default sensitivity label on a SharePoint Site or Document Library
Hi Anisha Gupta, I'm not getting it. My understanding is that the sensitivity labels and sensitivity label policies allow you to define a default label based on the users to which you apply the policy, not based on the location of the files. So I don't understand how this would work for case #2 and case #3. I believe that you could use MCAS to apply the specific labels to all files and folders that are in a selected library using the governance options. Charles

Re: DNS reconnaissance tests cannot be seen during the 8-day Learning Period
Hi Tali Ash, That's exactly right. I don't see the DNS activity in the source computer timeline. When I search for the source computer from where I did the DNS reconnaissance tests (pointing nslookup to the DC on which the ATP sensor is installed), I see other activities like logins or even SMB activities but not the DNS activities. Same thing if I run other reconnaissance commands like "net user /domain" or "net group "domain admins" /domain". I'll send you a private message with our tenant info. Thank you very much for your help with this.

DNS reconnaissance tests cannot be seen during the 8-day Learning Period
Hello, We are implementing Azure ATP and we have deployed sensors on our DCs. We want to test that the solution works by doing some network-mapping DNS reconnaissance activity (with nslookup) described in the lab testing documentation available here: https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-playbook-reconnaissance#network-mapping-reconnaissance-dns Unfortunately, we cannot see these activities on the Timeline page during the 8-day learning period, as explained in the documentation. However, from what I read in the same documentation, we should be able to see the activities in the "Logical Activities timeline". However, we are not getting this information. I did the same test in another tenant and the result is the same. I even looked in the local ATP sensor log files on the DC and there's no information about these events. Am I missing something or is there an issue with this? Also, is there a way to change the learning period for some of the alerts to possibly reduce the duration? PS: we are getting some other activities in the Timeline page (activities that don't require a learning period). Thanks

Re: Microsoft Defender ATP [Attack Simulation & Investigation] Demos
Ammar Hasayen thanks for the info! However, we are facing an issue when running Simulation #1 when opening the docm file in Word. AMSI is getting in the way. We did "unblock" the file from the properties of the document and even allowed all macros from the Trust Center. Any idea how to pass that AMSI security message and finalize the simulation? Thanks! Charles