User Profile
vas_ppabp_90
Brass Contributor
Joined 5 years ago
Recent Discussions
O365 MFA, SSO, Token Lifetimes
Hi All,

Thought I would ask the question here about the various methods and to confirm token lifetimes.

So just the background: earlier this year we had enabled per-user MFA (Office Admin center -> Users -> Multifactor Authentication) along with Trusted IPs, app passwords disabled, and have not enabled the option "Allow users to remember multi-factor authentication on devices they trust". This method was always meant to be temporary as we are working towards moving over to CA policies.

Recently have seen a few things. With applications that support seamless SSO and OpenID Connect, have realised that the token won't be kept active for longer than when the browser is closed, as long as the "Keep me signed in" option does not show unless in safe browsing mode. Along with that, our remote workers, which connect via DirectAccess via a split tunnel with a PAC file that dictates the connections to remote services (i.e. the user is coming from a Trusted IP as the MS services are set to go directly out), are prompted for 2FA also.

So with the current setup, how can we increase the request token for those instances, so ideally the user isn't having to OAuth every 8-12 hours or when closing and opening the browser? Any feedback will be great.

Conditional Access Policy - Persistent Browser Session exemptions
Hi,

We are looking at introducing Conditional Access policies with Persistent Browser sessions enabled. Part of this particular access policy is to have it assigned to "All cloud apps". On a side note, we are also using Intune as our device management platform. The conditional access policy will eventually be assigned to all staff (once UAT is completed), which may seem a little problematic.

We are currently looking into a particular use case in which we wouldn't want to be prompted for MFA, and that would be when using Microsoft Intune and Microsoft Intune Enrollment. I.e. User A attempts to log into Apple Remote Management - fails, as unable to pass through any MFA prompts. The workaround is to have the CA policy take advantage of Trusted locations with the company's external IPs listed. In the current landscape, what happens if the user requires the device to be shipped to them? What method on top of the persistent browser session CA policy would work?

If we exclude the above two applications, the persistent browser session will share the same state and any exclusions will not be supported, rendering this an invalid session control. It may very well be something obvious that I have overlooked, but really could use some assistance with this one. Thanks again.

DLP PCI Scanned documents - Hand Written information
Hi There,

Figured I would post this here for any method of capturing this particular information.

Background: We currently have inbound/outbound PCI DSS information moderated; subject to not being PCI, emails will be released.

Limitation: We have come across that particular attachments which have handwritten (scanned) PCI information do not get processed by any of these rules.

So this is where I post the question - any success in implementing such a policy or workaround?

Thanks, Bill

Re: Conditional Access Policy - Persistent Browser Session exemptions
JanBakker It's a question about having a conditional access policy targeted to all cloud apps with persistent browsing enabled - how would we deal with excluding applications that we don't want MFA to be prompted for? Additional CA policy? Group exclusions?

12K Views, 1 like, 0 Comments

Calendar invites - iCalendar weird formatting
Hi All,

We have an HR Learning Management System that schedules and sends calendar invitations. It would appear that these invites are iCalendar (vCalendar) requests - the formatting seems to be on the one line with no line breaks, etc.

Example of calendar invite along with formatting:

Name: Testing Event Calendar invites.
Description: This text should be above the link https://teams.microsoft.com/meetingidhere This text should be below the meeting link
Type: Event
Languages: English (GB)

Update: 25-May-2020 15:27, i.e. message headers below:

Content-Type: text/calendar; method=REQUEST; charset=UTF-8
BEGIN:VCALENDAR
PRODID:-////Outlook 11.0 MIMEDIR//EN
VERSION:2.0
METHOD:REQUEST
BEGIN:VEVENT
ATTENDEE;ROLE=3DREQ-PARTICIPANT;RSVP=3DTRUE:MAILTO:
ORGANIZER:MAILTO:
DTSTART:20200826T015321Z
DTEND:20200902T015345Z
LOCATION:
TRANSP:OPAQUE
SEQUENCE:0
UID:CHG0030063
DTSTAMP:20200826T015437Z
DESCRIPTION:
SUMMARY:
PRIORITY:3
STATUS:CONFIRMED
CLASS:PUBLIC
X-ALT-DESC;FMTTYPE=3Dtext/html:\n<HTML>\n<HEAD>\n
END:VEVENT
END:VCALENDAR

Was hoping on looking at ways to have the formatting corrected in transit; any ideas on ways I can get these working? Thanks

673 Views, 0 likes, 0 Comments

Autodiscover - Pointing to cloud
Hi All,

I raise this question as I'm currently looking at methods to re-point our autodiscover records to O365.

So, we currently have an Exchange Hybrid setup. On-premise DNS pointing to our Exchange servers:

autodiscover -> A -> exchange server

And SRV record:

_autodiscover._tcp.company.pri SRV service location:
priority = 0
weight = 0
port = 443
svr hostname = autodiscover.company.pri
autodiscover.company.pri internet address = 10.x.x.x

From memory, the SRV record was transitioned from an Exchange 2010 deployment of past days and also to sort out the infamous Outlook error "The name of the security certificate is invalid or does not match the name of the site." As the A record is created, it will be used prior to the SRV record.

So our current scenario:
- All mailboxes have been migrated to the cloud.
- On-premise Exchange servers used for management and old application relays.

What is stopping us from re-pointing our autodiscover records to the cloud? That's why I ask this question - and pose the following steps:

1) Move public DNS to autodiscover.outlook.com
2) Set-ClientAccessServer -AutoDiscoverServiceInternalUri $null, or essentially point the internal -AutoDiscoverServiceInternalUri to https://autodiscover.outlook.com/
3) Delete internal A (autodiscover)
4) Create new internal CNAME record pointing to autodiscover.outlook.com

Here is my confusion - will the SRV record still be required?

6.8K Views, 0 likes, 1 Comment

Re: Methods to disable basic authentication - Services not being used Protocols/Services
VasilMichev Those protocols are only at the Exchange level; we have already implemented CA policies for elevated privilege accounts, which don't have any further services assigned. Auth policy has me on the fence at this stage, as the underlying attempt is blocked at the pre-auth layer; I would still like to review failed attempts, as this is a requirement. So will most likely be leaning towards disabling at the CAS level. The other CA policy implemented is currently set on reporting, along with a workbook created in order to pull down the insights - so we can work towards disabling the other basic auth protocols.

2K Views, 0 likes, 0 Comments

Methods to disable basic authentication - Services not being used Protocols/Services
Hi All,

I guess one of the most common (and often successful) attacks we see is a simple brute force/password spray against weak accounts - especially shared mailboxes. From that particular access, the most common next step attackers will take is to send out spam/phishing emails from the compromised account. Even with Modern Authentication and MFA enabled, I guess we are still open to these types of attacks.

Obviously basic authentication is enabled by default, and basic auth does not support MFA to begin with, which essentially means that you can get in with nothing more than a username and password. With the thought of having MFA not enabled just yet, switching completely to modern authentication and disabling basic is a major security improvement in itself. For example, credentials in a modern auth compatible app are not stored on the client device, and when the connection state changes the client is required to re-authenticate.

So it currently has got me thinking: even with enabling MFA for all of our users, it's still half the job complete - so I guess I boast the question to the greater community in regards to the best way to approach disabling the less secure protocols (IMAP/POP/SMTP AUTH). MS best practice would suggest turning off any services which you are not using.

So I do boast the question, and we really want to make this roll-out as streamlined as possible, with the disabling of IMAP/POP/SMTP AUTH firstly; we still have a few other services that users are grumpy about the disabling of. So what method works best?

1. Disabling IMAP/POP/SMTP auth via Set-CasMailbox - although mailbox plans do not accept disabling SMTP auth at that level.
2. Creating an Authentication Policy and disabling the protocols.
3. Using CA to disable all legacy authentication protocols.

Happy for suggestions - or open to anyone's recommendations when going through the above.

2.1K Views, 0 likes, 2 Comments

Re: Recoverable Items - Quota and removal
VasilMichev SIR was disabled at first; realised what the issue was when going through the steps, had the incorrect folder entered into the search criteria, entered in the correct folder and was able to complete the search and purge of the items.

8.9K Views, 0 likes, 0 Comments

Recoverable Items - Quota and removal
Hi All,

Just thought I would raise this issue on here; currently a little stuck on getting an issue resolved with one of our mailboxes. Subject to a high number of emails being deleted, found that the recoverable items folder has reached the quota (~100GB). As a result, had followed the steps within the below link - and various other steps.

https://docs.microsoft.com/en-us/microsoft-365/compliance/delete-items-in-the-recoverable-items-folder-of-mailboxes-on-hold?view=o365-worldwide

We do have an org-wide retention policy in place; the mailbox has since been excluded and removed from in-place holds, with the below confirmation:

PS C:\> Get-Mailbox -Identity 'mailbox' | select *holds*

InPlaceHolds
------------
{-mbx6da0bb6e223342288ec43643129edb2b}

As a result, any further items attempting to delete will just reappear in the deleted items folder. At this point stuck on my next point of attack.

9K Views, 0 likes, 2 Comments

Re: Skip MFA for a single public IP
Generally you can complete this within the CA policy; it's one of the conditions. You can either specify a Named Location or just use the MFA Trusted IP list. Also, would suggest configuring locations:

CA Policy -> Conditions -> Locations -> Configure "Yes" -> Include "Selected Locations"/"Trusted Locations"

Depending on licensing requirements and capabilities, if Azure P1 is accessible, would suggest going down the path of Azure MFA as opposed to the so-called O365 MFA.

8.5K Views, 0 likes, 0 Comments
Recent Blog Articles
Re: Manage authentication sessions in Azure AD Conditional Access is now generally available!
Just after some clarification:

1. Configuring a new CA policy with Sign-In Frequency set to 30 days for devices connecting to Exchange Online from an external network, users will be required to p...

0 likes, 0 Comments