Security

Add OneNote File Extensions to the Exchange Online Malware Filter

Andres Bohren
Hi All, I've heard of OneNote phishing in the last few months. That seems to be a new way of attack. Sadly I don't know the exact details of that attack. What came to my mind was to block OneNote attachments in the Malware Filter. Microsoft: Better protection against risky OneNote phishing planned https://www.heise.de/news/Microsoft-Besserer-Schutz-vor-riskantem-OneNote-Phishing-geplant-7543318.html Also Microsoft wants to improve here according to the M365 Roadmap https://www.microsoft.com/de-ch/microsoft-365/roadmap?filters=&searchterms=122277 I've checked the OneNote file extensions on my computer

Conditional Access Templates (Preview)

Andres Bohren
Hi All, Did you notice that you can download Conditional Access templates? The templates are documented in the Conditional Access documentation below. Conditional Access templates (Preview) https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policy-common In Conditional Access management select "New policy from template". Now you have a different range of policies and can download the JSON. Back in Conditional Access select "Upload policy file". Select your JSON file and choose between "Off", "On" and "Report only". After that your policy is created.

Exchange Online Search and Purge with PowerShell and Threat Explorer

Andres Bohren
Hi All, In this article I'll show you how you can "Search and Purge" emails in Exchange Online. With Compliance Search you can search for mails and purge (soft or hard delete) them afterwards. That's usually the case for phishing or spam incidents. Your search can cover a maximum of 50’000 mailboxes. A new Compliance Search will create an alert by default. First of all you need to have the correct permissions https://security.

February 2023 Exchange Server Security Updates

Andres Bohren
Hi All, Last night the February 2023 Exchange Server Security Updates have been released. Released: February 2023 Exchange Server Security Updates https://techcommunity.microsoft.com/t5/exchange-team-blog/released-february-2023-exchange-server-security-updates/ba-p/3741058 Description of the security update for Microsoft Exchange Server 2019, 2016, and 2013: February 14, 2023 (KB5023038) https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-february-14-2023-kb5023038-2e60d338-dda3-46ed-aed1-4a8bbee87d23 Security Update For Exchange Server 2016 CU23 SU6 (KB5023038) https://www.microsoft.com/en-us/download/details.aspx?id=104999 The downloaded exe file extracts and then starts the installation in an elevated prompt. After the Security Update is installed, it is a good idea to restart the server.

New Microsoft 365 Defender RBAC (Preview)

Andres Bohren
Hi All, I've stumbled across the new Microsoft 365 Defender role-based access control (RBAC). It is still in Preview but I gave it a go. For now you can create the RBAC roles only in the M365 Defender Portal, but Graph integration is at least on the roadmap. Centrally manage permissions with the Microsoft 365 Defender role-based access control (RBAC) model https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/centrally-manage-permissions-with-the-microsoft-365-defender/bc-p/3717432 Microsoft 365 Defender role-based access control (RBAC) https://learn.microsoft.com/en-us/microsoft-365/security/defender/manage-rbac?view=o365-worldwide Let's have a look.

Document AzureAD Conditional Access Policies

Andres Bohren
Hi All, I had the "pleasure" again this week to document the Azure AD Conditional Access policies. Making several screenshots in the Azure AD Portal seemed not the best way. MSGraph: List Conditional Access policies https://learn.microsoft.com/en-us/graph/api/conditionalaccessroot-list-policies?view=graph-rest-1.0&tabs=http So I tried to use the Microsoft Graph Explorer https://aka.ms/ge You need the permission: Policy.Read.All https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies While using the JSON could be one way, it's not very good if you have to document it in a Word document, right?

Analyze AzureAD SignIn Logs with PowerShell

Andres Bohren
Hi All, I recently had a case where I needed to access the Azure AD sign-in logs with PowerShell. I've started at the Azure AD Sign-in Logs and filtered by UPN https://aad.portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/SignIns Next step was Graph Explorer, where I found the needed permissions:

###############################################################################
# Graph Explorer
###############################################################################
# Go to https://aka.ms/ge
https://graph.microsoft.com/v1.0/auditLogs/signIns
https://graph.microsoft.com/v1.0/auditLogs/signIns?&$filter=startsWith(userPrincipalName,'a.bohren@icewolf.ch')

Let's connect with these permissions (they need admin consent and I already have that)

# Import-Module and Connect to Microsoft Graph

Migrate MFA and SSPR Authentication Methods

Andres Bohren
Hi All, In January 2024, the legacy multifactor authentication and self-service password reset policies will be deprecated and you'll manage all authentication methods in the authentication methods policy. Use this control to manage your migration from the legacy policies to the new unified policy. How to migrate MFA and SSPR policy settings to the Authentication methods policy for Azure AD (preview) https://learn.microsoft.com/en-us/azure/active-directory/authentication/how-to-authentication-methods-manage First review the current policies: MFA policy, SSPR policy (if used), Authentication methods policy (if used). Enable "

Exchange Online legacy TLS Endpoints for POP3 IMAP and SMTP

Andres Bohren
Hi All, New opt-in endpoint for POP3/IMAP4 clients that need legacy TLS https://techcommunity.microsoft.com/t5/exchange-team-blog/new-opt-in-endpoint-for-pop3-imap4-clients-that-need-legacy-tls/ba-p/3710395 Exchange Online ended support for TLS 1.0 and TLS 1.1 in October 2020. This year, we plan to disable these older TLS versions for POP3/IMAP4 clients to secure our customers and meet compliance requirements. However, we know that there is still significant usage of POP3/IMAP4 clients that don’t support TLS 1.2, so we’ve created an opt-in endpoint for these clients so they can use TLS1.

DNS Certification Authority Authorization (CAA)

Andres Bohren
Hi All, Do you know the Certification Authority Authorization (CAA) DNS records? With these records you can control which CAs are allowed to issue certificates for your domain. DNS Certification Authority Authorization https://en.wikipedia.org/wiki/DNS_Certification_Authority_Authorization CAA implementation has been mandatory for all certificate authorities since September 2017. RFC 8659 DNS Certification Authority Authorization (CAA) Resource Record https://www.rfc-editor.org/rfc/rfc8659 That record means no CA is allowed to issue certificates or wildcard certificates for that domain. domain.tld. IN CAA 0 issue "