Channel: TechNet Blogs

Restricting which email addresses can send to a channel


Hello, this is Yoshino from the Teams team.
Today I will walk through a setting that makes posting to a channel by email a little safer (?).

Right-click a channel and you can get its email address, as shown below.

Anyone can send to this address, not only team members.
That is handy for things such as system-generated mail, but some of you may have security concerns about it.

Click Advanced settings and you can restrict it.

By limiting senders to team members or to specific domains,

Note that from the admin center an administrator can disable the email feature entirely or configure which domains are allowed.
(Those settings take precedence over the per-channel settings.)


SPO Tidbit – Securing the Site Collection


Hello All,

I will assume that you have set the permissions on your Site Collections correctly, but if that still leaves the security team uncomfortable, there are several additional steps you can take using Conditional Access and the SharePoint admin center.

The Microsoft team approaches this by classifying sites into three protection levels, Baseline, Sensitive, and Highly regulated, each escalating from the previous one (there is actually a fourth, Public, with minimal security). Here are those levels:

| Protection level | Policies | More information |
| --- | --- | --- |
| Baseline | Require MFA when sign-in risk is medium or high | Include SharePoint Online in the assignments of cloud apps. |
| Baseline | Block clients that don't support modern authentication | Include SharePoint Online in the assignments of cloud apps. |
| Baseline | Define app protection policies | Be sure all recommended apps are included in the list of apps. Be sure to update the policy for each platform (iOS, Android, Windows). |
| Baseline | Require compliant PCs | Include SharePoint Online in the list of cloud apps. |
| Baseline | Use app enforced restrictions in SharePoint Online | Add this new policy. This tells Azure AD to use the settings specified in SharePoint Online. This rule applies to all users but only affects access to sites included in SharePoint Online access policies. |
| Sensitive | Require MFA when sign-in risk is low, medium or high | Include SharePoint Online in the assignments of cloud apps. |
| Sensitive | Require compliant PCs and mobile devices | Include SharePoint Online in the list of cloud apps. |
| Sensitive | SharePoint Online access control policy: Allow browser-only access to specific SharePoint sites from unmanaged devices | This prevents edit and download of files. Use PowerShell to specify sites. |
| Highly regulated | Always require MFA | Include SharePoint Online in the assignments of cloud apps. |
| Highly regulated | SharePoint Online access control policy: Block access to specific SharePoint sites from unmanaged devices | Use PowerShell to specify sites. |

And of course you need to set up the site-scoped limited access policies for SharePoint Online and OneDrive for Business. These policies use the device-based policies for SharePoint and OneDrive (released March 2017) to help administrators ensure that data on corporate resources is not leaked onto unmanaged devices, such as non-domain-joined or non-compliant devices. This is done by limiting access to content to the browser, preventing files from being taken offline or synchronized with OneDrive on unmanaged devices.

There are two things you need to do to configure these site-level policies:

1. The tenant-level device-based policy must be configured to Full Access.
2. Run the following script for each Site Collection you want to enforce the policy on (replace the two placeholders with your admin center URL and the site URL):

Connect-SPOService -Url <admin-center-url>
$Site = Get-SPOSite -Identity <site-url>
Set-SPOSite -Identity $Site.Url -ConditionalAccessPolicy AllowLimitedAccess

You can also use the following values for the parameter 'ConditionalAccessPolicy': AllowFullAccess, AllowLimitedAccess, BlockAccess

While it might seem counterintuitive to allow external sharing, this approach provides more control over file sharing compared to sending files in email. SharePoint Online and Outlook work together to provide secure collaboration on files.

Now if a user connects to a Site Collection from an unmanaged or non-compliant device, they will see a banner like this:


Note:

If access is limited or blocked for unmanaged devices, this impacts external users too, though you can exempt them from this policy by running the following cmdlet:

Set-SPOTenant -ApplyAppEnforcedRestrictionsToAdHocRecipients $false

If you cannot see the Device Security tab, you need to enable MDM (see above for what this means); follow this article to enable it and go through the settings.
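The per-site script above handles one site at a time. The following is an added example, not part of the original post, that audits the tenant prerequisite, lists which site collections still have no device-based restriction, applies AllowLimitedAccess to a set of sensitive sites, and verifies the result. It uses only the SharePoint Online Management Shell cmdlets already shown (Connect-SPOService, Get-SPOSite, Set-SPOSite) plus Get-SPOTenant; the tenant name, site URLs and the site list are placeholders you must replace.

```powershell
# Added example (not from the original post): audit and enforce the site-scoped
# device policy across several site collections, then verify it took effect.
# Requires the SharePoint Online Management Shell and a SharePoint admin account.
# All <tenant> URLs and the $SensitiveSites list are placeholders (assumptions).

$AdminCenterUrl = 'https://<tenant>-admin.sharepoint.com'   # placeholder
$SensitiveSites = @(                                          # placeholder list
    'https://<tenant>.sharepoint.com/sites/Finance',
    'https://<tenant>.sharepoint.com/sites/Legal'
)
$TargetPolicy = 'AllowLimitedAccess'   # use BlockAccess for highly regulated sites

Connect-SPOService -Url $AdminCenterUrl

# 1. Tenant prerequisite: site-scoped policies only work while the tenant-level
#    device policy is AllowFullAccess (step 1 above). Warn if that is not the case.
$tenant = Get-SPOTenant
if ($tenant.ConditionalAccessPolicy -ne 'AllowFullAccess') {
    Write-Warning "Tenant-level ConditionalAccessPolicy is $($tenant.ConditionalAccessPolicy); site-scoped policies require AllowFullAccess."
}

# 2. Audit: which site collections still allow full access from any device?
#    -Detailed is needed so that ConditionalAccessPolicy is populated on every site.
$unrestricted = Get-SPOSite -Limit All -Detailed |
    Where-Object { $_.ConditionalAccessPolicy -eq 'AllowFullAccess' } |
    Select-Object Url, ConditionalAccessPolicy
$unrestricted | Format-Table -AutoSize

# 3. Enforce on the sensitive sites, skipping those that already comply.
foreach ($url in $SensitiveSites) {
    $site = Get-SPOSite -Identity $url
    if ($site.ConditionalAccessPolicy -eq $TargetPolicy) {
        Write-Host "$url already set to $TargetPolicy"
        continue
    }
    Set-SPOSite -Identity $site.Url -ConditionalAccessPolicy $TargetPolicy
}

# 4. Verify by re-reading each site; report any that did not take the policy.
$failed = foreach ($url in $SensitiveSites) {
    $after = Get-SPOSite -Identity $url
    if ($after.ConditionalAccessPolicy -ne $TargetPolicy) { $after.Url }
}
if ($failed) { Write-Warning "Policy not applied on: $($failed -join ', ')" }
else { Write-Host "All $($SensitiveSites.Count) sites now enforce $TargetPolicy" }
```

The audit step is the part worth keeping around: run it on a schedule so a newly created site collection that should be restricted does not sit at AllowFullAccess unnoticed.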

Pax

Work with Business Central… It’s time to update Favorites


Some new links:

Docs BC (DEV): https://docs.microsoft.com/en-us/dynamics365/business-central/dev-itpro/

Docs BC (APP): https://docs.microsoft.com/en-us/dynamics365/business-central/

D365 BC for Partners (Blog): https://community.dynamics.com/business/b/businesscentraldevitpro/

D365 BC for Partners (Yammer): https://www.yammer.com/dynamicsnavdev#/home

BC DEV tools issues: https://github.com/Microsoft/AL/issues/

BC Event issues: https://github.com/Microsoft/ALAppExtensions/issues/

BC Ideas: https://experience.dynamics.com/ideas/list/?forum=e288ef32-82ed-e611-8101-5065f38b21f1

Create common environment/tenant: https://demos.microsoft.com/environments

Create trial BC under common account: https://trials.dynamics.com/Dynamics365/Signup/

 

P.S.

“Cumulative Update 01 for Microsoft Dynamics 365 Business Central has been released”

Hey… this news on the new site.

D365 BC for Partners (Blog): https://community.dynamics.com/business/b/businesscentraldevitpro/

Gather Log Analytics/MMA agent version


Had some questions come up from the community to check the Log Analytics agent version.

 

Depending on how you are set up, the SCOM integration makes this easy; see Holman's blog post for the agent management pack.

 

If you have admin rights in the Operations Manager console, you can check the agent version directly from the SCOM management server:

$ServerName = "DC01.yourlabnamehere.net"
(Get-SCOMAgent -Name $ServerName).Version

 

Alternatively, read it from the server's registry:

# The whole Setup key
(Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Setup")

# Just the AgentVersion value
(Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Setup").AgentVersion
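The registry read above covers one server. The following is an added example, not from the original post, that collects the same AgentVersion value from a list of servers over PowerShell Remoting and flags servers that are below a required minimum or have no agent installed. The server names and the minimum version are assumptions; replace them with your own.

```powershell
# Added example (not from the original post): inventory the Log Analytics/MMA agent
# version across servers via the registry key shown above and flag outdated ones.
# Requires PowerShell Remoting (WinRM) to each target. Server names and the
# minimum version below are assumptions; adjust them for your environment.

$Servers    = @('DC01.yourlabnamehere.net', 'APP01.yourlabnamehere.net')  # placeholder names
$MinVersion = [version]'8.0.10918.0'   # assumed floor; use the version you have validated

$SetupKey = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Setup'

$results = Invoke-Command -ComputerName $Servers -ErrorAction SilentlyContinue -ErrorVariable remoteErrors -ScriptBlock {
    param($key)
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        AgentVersion = if ($props) { $props.AgentVersion } else { $null }   # $null: no agent installed
    }
} -ArgumentList $SetupKey

# Unreachable servers still matter to an inventory: list them explicitly.
foreach ($e in $remoteErrors) { Write-Warning "Unreachable: $($e.TargetObject)" }

# Compare as [version], not as strings: as strings, '8.0.9999.0' sorts after '8.0.10918.0'.
$report = $results | ForEach-Object {
    $v = if ($_.AgentVersion) { [version]$_.AgentVersion } else { $null }
    [pscustomobject]@{
        Computer     = $_.Computer
        AgentVersion = $_.AgentVersion
        Status       = if (-not $v) { 'NotInstalled' }
                       elseif ($v -lt $MinVersion) { 'Outdated' }
                       else { 'OK' }
    }
}
$report | Sort-Object Status, Computer | Format-Table -AutoSize
```

An agent that is missing or far behind is also a monitoring gap: a server in the NotInstalled or Outdated bucket is one whose heartbeat and security events you may not be receiving, so this report is worth reconciling against the Heartbeat table in the workspace.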

 

 

Log Analytics

Kusto query

// Servers and Versions

Heartbeat
| project Computer,Version

// Specific version

Heartbeat
| where Version == "8.0.10918.0"
| project Computer,Version

// Summarize by Version

Heartbeat
| summarize by Version

 

 

 

If you're visual

From the Portal > Log Analytics > workspace > Workspace Summary > Agent Health

Scroll right to agent version

 

 

Monitor

Monitor > Overview > Agent Health Assessment

Scroll right to agent version

What was old is new again


The time has come for me to change blog platforms.  I have tried to clone over many of my more popular or relevant posts to keep for future reference.  I don't plan to do any more blog posting on this site.  If you don't see your favorite but want to make sure it doesn't get lost, leave a comment on my new site.  Speaking of which, here is where you can find any of my future ConfigMgr/SCCM blogs:

https://learnconfigmgrintune.wordpress.com/

Technical webinars for the week of 11/26-11/30


Check out the attached list of technical webinars for next week, to help you build your technical depth. Through these live, instructor-led webinars, you will receive interactive guidance with real-time Q&A capabilities - all at no cost to Microsoft Partner Network members!

Technical-Webinars_11-26-thru-11-30

To find additional dates and times for the webinars and consultations above, as well as the full suite of webinars and consultations available, visit aka.ms/TechnicalJourney.

 

Using Intune device cleanup rules 


As Intune Service Administrators at Microsoft, we accumulate a lot of inactive and stale Intune records because of the nature of test device enrollments. We want to keep our Intune environment and reports current by cleaning up these stale devices. With Intune device cleanup rules, we can configure an automatic cleanup rule that removes devices that are inactive, orphaned, or obsolete and have not checked in recently. The rule lets us choose a threshold between 90 and 270 days after which inactive/obsolete device records are automatically removed from Intune.

  

To get started, go to the Devices blade in the Intune portal and navigate to "Device cleanup rules". Here you can enable the cleanup rule to delete devices that haven't checked in for {X} days; the minimum is 90 days and the maximum is 270 days. At Microsoft, we have configured it as 90 days because we want to keep the device count as realistic as possible given the number of test devices that get enrolled. Once this rule is enabled, Intune automatically removes devices that haven't checked in for the number of days you set.

  

 

What happens behind the scene for Device Cleanup rules? 

After the Intune Service Admins enable the rule, the Intune service runs a background job every few hours to remove all applicable devices from the Intune portal; they no longer show up in any Intune blade or device list. This removal applies only to the Intune portal; devices are not removed from Azure AD. An Azure AD tenant admin has to perform the device cleanup task in the Azure AD portal to remove the stale record permanently.

  

What device types get affected from this device cleanup? 

All enrolled devices, including MDM, EAS/MDM, and MDM/SCCM (co-management) devices, will be removed. This includes registered devices and devices pending approval.

 

Does this device cleanup rule perform device wipe or retire? 

No. This automatic rule only removes orphaned devices from the Intune portal, meaning devices that have not checked in with the service for the number of days chosen by the admin before they are removed.

 

Is it possible for devices removed by the device cleanup rule to come back in some scenarios?

Yes, it is possible for some devices to reappear in the Intune portal: the service has criteria to auto-recover cleaned-up devices if they check in to the Intune service again. The purpose of this behavior is to recover devices owned by somebody who took a long leave (e.g. an extended vacation, sabbatical, or maternity leave). The grace period during which a device can reappear in the Intune portal lasts until the device certificate expires, which is 180 days. If you do not want devices to be able to check back in, consider filtering for stale devices and doing a bulk delete from the All devices view instead.

Security baseline (FINAL) for Windows 10 v1809 and Windows Server 2019


Microsoft is pleased to announce the final release of the security configuration baseline settings for Windows 10 October 2018 Update (a.k.a., version 1809, “Redstone 5” or “RS5”), and for Windows Server 2019.

For now, download the content here: Windows-10-1809-Security-Baseline-FINAL. It will be posted to the Security Compliance Toolkit download site very soon.

The downloadable attachment to this blog post includes importable GPOs, a PowerShell script for applying the GPOs to local policy, custom ADMX files for Group Policy settings, documentation in spreadsheet form and as a set of Policy Analyzer files. In this release, we have changed the documentation layout in a few ways:

  • MS Security Baseline Windows 10 v1809 and Server 2019.xlsx – multi-tabbed workbook listing all Group Policy settings that ship in-box with Windows 10 v1809 or Windows Server 2019. Columns for “Windows 10 v1809,” “WS2019 Member Server,” and “WS2019 DC” show the recommended settings for those three scenarios. A small number of cells are color-coded to indicate that the settings should not be applied to systems that are not joined to an Active Directory domain. Cells in the “WS2019 DC” columns are also highlighted when they differ from the corresponding cells in the “WS2019 Member Server” column. Another change from past spreadsheets is that we have combined tabs that used to be separate. Specifically, we are no longer breaking out Internet Explorer and Windows Defender AV settings into separate tabs, nor the settings for LAPS, MS Security Guide, and MSS (Legacy). All these settings are now in the Computer and User tabs.
  • A set of Policy Analyzer files:
    • MSFT-Win10-v1809-RS5-WS2019-FINAL.PolicyRules – a Policy Analyzer file representing all the GPOs in the combined Windows 10 and Server 2019 baselines.
    • MSFT-Win10-v1809-RS5-FINAL.PolicyRules – a Policy Analyzer file representing the GPOs intended to be applied to Windows 10 v1809.
    • MSFT-WS2019-MemberServer-FINAL.PolicyRules – a Policy Analyzer file representing the GPOs intended to be applied to Windows Server 2019, Member Server.
    • MSFT-WS2019-DomainController-FINAL.PolicyRules – a Policy Analyzer file representing the GPOs intended to be applied to Windows Server 2019, Domain Controller.
  • BaselineDiffs-to-v1809-RS5-FINAL.xlsx – This Policy Analyzer-generated workbook lists the differences in Microsoft security configuration baselines between the new baselines and the corresponding previous baselines. The Windows 10 v1809 settings are compared against those for Windows 10 v1803, and the Windows Server 2019 baselines are compared against those for Windows Server 2016.
  • Windows 10 1803 to 1809 New Settings.xlsx – Lists all the settings that are available in Windows 10 v1809 that were added since Windows 10 v1803. (We used to highlight these settings in the big all-settings spreadsheets.)
  • Server 2016 to 2019 New Settings.xlsx – Lists all the settings that are available in Windows Server 2019 that were added since Windows Server 2016. (We used to highlight these settings in the big all-settings spreadsheets.)

Highlights of the differences from past baselines, which are listed in BaselineDiffs-to-v1809-RS5-FINAL.xlsx:

  • Added two new Attack Surface Reduction rules in Windows Defender Exploit Guard: “Block Office communication applications from creating child processes” (which includes Outlook), and “Block Adobe Reader from creating child processes.” Note that these were added since the draft release of these baselines.
  • Since the draft baseline, we removed the “Turn off printing over HTTP” setting in “Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings.” This setting had been in our baselines at least as far back as Windows XP because of the mistaken belief that it distinguished between HTTP and HTTPS. Enabling this setting also disables printing over HTTPS, which breaks legitimate and necessary functionality for no security benefit.
  • The MS Security Guide custom setting protecting against potentially unwanted applications (PUA) has been deprecated, and is now implemented with a new setting under Computer Configuration...Windows Defender Antivirus.
  • We have enabled the “Encryption Oracle Remediation” setting we had considered for v1803. At the time we were concerned that enabling the newly-introduced setting would break too many not-yet-patched systems. We assume that systems have since been brought up to date. (You can read information about the setting here and here.)
  • Changes to Virtualization-Based Security settings (used by Credential Guard and Code Integrity):
    • “Platform Security Level” changed from “Secure Boot and DMA Protection” to “Secure Boot.” If system hardware doesn’t support DMA protection, selecting “Secure Boot and DMA Protection” prevents Credential Guard from operating. If you can affirm that your systems support the DMA protection feature, choose the stronger option. We have opted for “Secure Boot” (only) in the baseline to reduce the likelihood that Credential Guard fails to run.
    • Enabled the new System Guard Secure Launch setting, which enables Secure Launch on new capable hardware. Secure Launch changes the way Windows boots to use Intel Trusted Execution Technology (TXT) and Runtime BIOS Resilience features to prevent firmware exploits from impacting the security of the Windows Virtualization Based Security environment.
    • Disabled the “Require UEFI Memory Attributes Table” option. This is a change from the draft release, and is intended to increase compatibility.
    • Removed Credential Guard from the Domain Controller baseline, while retaining the rest of the VBS settings. This is implemented in a new DC-only GPO named “MSFT Windows Server 2019 - Domain Controller Virtualization Based Security.” Note that this is a change from the draft baseline in which we had removed all VBS settings from the DC baseline. (Credential Guard is not useful on domain controllers and is not supported there.)
  • Enabled the new Kernel DMA Protection feature described here. The “External device enumeration” policy controls whether to enumerate external devices that are not compatible with DMA-remapping. Devices that are compatible with DMA-remapping are always enumerated.
  • Removed the BitLocker setting, “Allow Secure Boot for integrity validation,” as it merely enforced a default that was unlikely to be modified even by a misguided administrator.
  • Removed the BitLocker setting, “Configure minimum PIN length for startup,” as new hardware features reduce the need for a startup PIN, and the setting increased Windows’ minimum by only one character.
  • Since the draft release, we removed “Prevent users from modifying settings” from “Computer Configuration\Administrative Templates\Windows Components\Windows Security\App and browser protection,” as it merely enforced a default that non-admins could not override.
  • Enabled the new Microsoft Edge setting to prevent users from bypassing certificate error messages, bringing Edge in line with a similar setting for Internet Explorer.
  • Removed the block against handling PKU2U authentication requests, as the feature is increasingly necessary.
  • Removed the configuration of the “Create symbolic links” user rights assignment, as it merely enforced a default, was unlikely to be modified by a misguided administrator or for malicious purposes, and needs to be changed to a different value when Hyper-V is enabled.
  • Removed the deny-logon restrictions against the Guests group as unnecessary: by default, the Guest account is the only member of the Guests group, and the Guest account is disabled. Only an administrator can enable the Guest account or add members to the Guests group.
  • Removed the disabling of the xbgm (“Xbox Game Monitoring”) service, as it is not present in Windows 10 v1809. (By the way, consumer services such as the Xbox services have been removed from Windows Server 2019 with Desktop Experience!)
  • Created and enabled a new custom MS Security Guide setting for the domain controller baseline, “Extended Protection for LDAP Authentication (Domain Controllers only),” which configures the LdapEnforceChannelBinding registry value described here.
  • The Server 2019 baselines pick up all the changes accumulated in the four Windows 10 releases since Windows Server 2016.

We have received recommendations for more extensive changes to the baselines and are continuing to evaluate them for future releases.

We have replaced the collection of .cmd batch files for applying the baselines to local policy with a single PowerShell script that takes one of these five command-line switches to indicate which baseline you want to apply:

.\BaselineLocalInstall.ps1 -Win10DomainJoined      - for Windows 10 v1809, domain-joined
.\BaselineLocalInstall.ps1 -Win10NonDomainJoined   - for Windows 10 v1809, non-domain-joined
.\BaselineLocalInstall.ps1 -WS2019Member           - for Windows Server 2019, domain-joined
.\BaselineLocalInstall.ps1 -WS2019NonDomainJoined  - for Windows Server 2019, non-domain-joined
.\BaselineLocalInstall.ps1 -WS2019DomainController - for Windows Server 2019, domain controller

A couple of important notes about using the BaselineLocalInstall.ps1 script:

  • PowerShell execution policy must be configured to allow script execution. You can configure this with a command line such as the following:
    Set-ExecutionPolicy RemoteSigned
  • LGPO.exe must be in the Tools subdirectory or somewhere in the Path. LGPO.exe is part of the Security Compliance Toolkit and can be downloaded from this URL:
    https://www.microsoft.com/download/details.aspx?id=55319
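Applying a GPO is not the same as the protection being active: as the Platform Security Level discussion above notes, Credential Guard can be configured and still fail to run on hardware without DMA protection. The following is an added example, not part of the baseline package, that reads the live state of the VBS settings, checks that the two new Attack Surface Reduction rules are configured to block, and, on a domain controller, reads the LdapEnforceChannelBinding value that the new MS Security Guide setting writes. The ASR rule GUIDs and the NTDS registry value name are Microsoft's documented identifiers rather than values from this post; verify them against current documentation before relying on the script.

```powershell
# Added example (not part of the baseline package): post-apply verification of the
# VBS, ASR and LDAP channel-binding settings discussed above. Run in an elevated
# PowerShell on a machine the baseline was applied to. The ASR rule GUIDs and the
# LdapEnforceChannelBinding value name are Microsoft-documented identifiers
# (assumptions not taken from this post); check them against current docs.

function Get-VbsStatus {
    # Win32_DeviceGuard reports the live state, which is what matters: the GPO can be
    # set while VBS still fails to start (for example when DMA protection is unsupported).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'
    $secureBoot = $false
    try { $secureBoot = Confirm-SecureBootUEFI } catch { }   # throws on legacy BIOS firmware
    [pscustomobject]@{
        SecureBoot             = $secureBoot
        VbsRunning             = ($dg.VirtualizationBasedSecurityStatus -eq 2)   # 2 = running
        CredentialGuardRunning = ($dg.SecurityServicesRunning -contains 1)       # 1 = Credential Guard
        HvciRunning            = ($dg.SecurityServicesRunning -contains 2)       # 2 = HVCI (code integrity)
    }
}

function Test-AsrRules {
    # Each rule must be present in the preference list AND set to Block (action 1);
    # a rule in Audit mode (2) or Off (0) is reported as Configured but not Blocking.
    $rules = @{
        'Block Office communication applications from creating child processes' = '26190899-1602-49e8-8b27-eb1d0a1ce869'
        'Block Adobe Reader from creating child processes'                      = '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c'
    }
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToLower() })
    foreach ($name in $rules.Keys) {
        $idx    = [array]::IndexOf($ids, $rules[$name])
        $action = if ($idx -ge 0) { $pref.AttackSurfaceReductionRules_Actions[$idx] } else { $null }
        [pscustomobject]@{ Rule = $name; Configured = ($idx -ge 0); Blocking = ($action -eq 1) }
    }
}

function Test-LdapChannelBinding {
    # Domain controllers only: DomainRole 4/5 = backup/primary domain controller.
    $isDc = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -in 4, 5
    if (-not $isDc) { return [pscustomobject]@{ Applicable = $false; Value = $null } }
    $p = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
                          -Name LdapEnforceChannelBinding -ErrorAction SilentlyContinue
    # 1 = enforce when the client supports it, 2 = always enforce; missing = not configured.
    [pscustomobject]@{ Applicable = $true; Value = $p.LdapEnforceChannelBinding }
}

Get-VbsStatus          | Format-List
Test-AsrRules          | Format-Table -AutoSize
Test-LdapChannelBinding | Format-List
```

A machine where VbsRunning is true but CredentialGuardRunning is false after applying the Windows 10 or member server baseline is the case to investigate first; on a domain controller that combination is expected, since Credential Guard is deliberately left out of the DC baseline.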

Windows 10 v1809 has greatly expanded its manageability using Mobile Device Management (MDM). The Intune team is preparing documentation about the Microsoft Windows MDM security baseline and how to use Intune to implement the baseline, and will publish it very soon. We will post information to this blog when that happens.


How to disable the modern experience in SharePoint 2019


Summary

SharePoint 2019 delivers an updated modern look and feel for lists and libraries, and it is enabled by default.

Modern: (screenshot)    Classic: (screenshot)

However, if the classic experience is required for your farm, the modern experience can be disabled.

How to modify the default experience for list and libraries as a user

From the user perspective, switching between modern and classic is a single click.

For example, users will see all lists and libraries. Once in classic mode, you will then see to return to modern mode.

How to modify the default experience for list and libraries as an Admin

Admins can manage the default experience for list and libraries at the site collection, web or library level.

To disable or re-enable the modern user experience at the site collection level:

#Site Collection Level
Add-PSSnapin microsoft.sharepoint.powershell -ea 0
$site = Get-SPSite http://spwfe

#Disable modern lists and libraries at the Site Collection level
$featureguid = new-object System.Guid "E3540C7D-6BEA-403C-A224-1A12EAFEE4C4"
$site.Features.Add($featureguid, $true)

#Re-enable the modern experience at the Site Collection level
$featureguid = new-object System.Guid "E3540C7D-6BEA-403C-A224-1A12EAFEE4C4"
$site.Features.Remove($featureguid, $true)

To disable or re-enable the modern user experience at the web level:

#Web Level
Add-PSSnapin microsoft.sharepoint.powershell -ea 0
$web = Get-SPWeb http://spwfe

#Disable modern lists and libraries at the Web level
$featureguid = new-object System.Guid "52E14B6F-B1BB-4969-B89B-C4FAA56745EF"
$web.Features.Add($featureguid, $true)

#Re-enable the modern experience at the Web level
$featureguid = new-object System.Guid "52E14B6F-B1BB-4969-B89B-C4FAA56745EF"
$web.Features.Remove($featureguid, $true)

To disable or re-enable the modern user experience at the library level:

Add-PSSnapin microsoft.sharepoint.powershell -ea 0
$web = Get-SPWeb http://spwfe
$list = $web.Lists["Documents"]

#Classic setting
$list.ListExperienceOptions = "ClassicExperience"
$list.Update()

#Modern setting
$list.ListExperienceOptions = "NewExperience"
$list.Update()

#User Default
$list.ListExperienceOptions = "Auto"
$list.Update()
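The three snippets above change one site, web or list at a time. Before flipping the experience across a farm it helps to know the current state everywhere, so here is an added example, not from the original post, that walks every site collection and reports whether the two classic-experience features are active and which lists override the inherited default. It uses the feature GUIDs and the ListExperienceOptions property from the snippets above and assumes a farm administrator running the SharePoint 2019 Management Shell.

```powershell
# Added example (not from the original post): farm-wide report of the classic-
# experience features and per-list ListExperienceOptions overrides. Run in an
# elevated SharePoint 2019 Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$SiteScopeFeature = [System.Guid]'E3540C7D-6BEA-403C-A224-1A12EAFEE4C4'   # GUID from the post (site collection scope)
$WebScopeFeature  = [System.Guid]'52E14B6F-B1BB-4969-B89B-C4FAA56745EF'   # GUID from the post (web scope)

function Get-ExperienceReport {
    # Emits one row per web, plus one row per visible list whose setting is not "Auto"
    # (i.e. the list pins Classic or Modern instead of inheriting the default).
    Get-SPSite -Limit All | ForEach-Object {
        $site = $_
        try {
            $siteClassic = [bool]($site.Features | Where-Object { $_.DefinitionId -eq $SiteScopeFeature })
            foreach ($web in $site.AllWebs) {
                $webClassic = [bool]($web.Features | Where-Object { $_.DefinitionId -eq $WebScopeFeature })
                [pscustomobject]@{
                    Url                   = $web.Url
                    Scope                 = 'Web'
                    SiteClassicFeature    = $siteClassic
                    WebClassicFeature     = $webClassic
                    ListExperienceOptions = $null
                }
                foreach ($list in $web.Lists) {
                    if ($list.Hidden -or $list.ListExperienceOptions -eq 'Auto') { continue }
                    [pscustomobject]@{
                        Url                   = "$($web.Url)/$($list.RootFolder.Url)"
                        Scope                 = 'List'
                        SiteClassicFeature    = $siteClassic
                        WebClassicFeature     = $webClassic
                        ListExperienceOptions = $list.ListExperienceOptions.ToString()
                    }
                }
                $web.Dispose()   # SPWeb objects are unmanaged-resource heavy; release each one
            }
        }
        finally { $site.Dispose() }
    }
}

Get-ExperienceReport | Sort-Object Url | Format-Table -AutoSize
```

Running this before and after a change gives you a diff you can hand to whoever asked for the classic experience, and the explicit Dispose calls matter on a large farm, where leaking SPSite/SPWeb objects in a loop is a well-known way to exhaust memory on the server running the script.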

More Information

I hope you found this tip useful, and if you are interested in the SPO equivalent, see the following articles.

Switch the default experience for lists or document libraries from new or classic

Change the default list and library experience

[Seminar] Includes a customer case study. Limited to the first 20 registrants! Enterprise data management for the cloud era and how to put it to use: from backup to cloud migration, solved simply with Rubrik [Updated 11/21]


Does any of the following apply to you?

  • You have been burned by backups
  • You are considering replacing your backup system
  • You are struggling with data protection measures
  • You have concerns around backup, archiving, or storage
  • You are interested in cloud backup
  • You are facing the end of support for Windows / SQL Server

If even one of these applies to you,

let us introduce the Rubrik solution at this seminar: a next-generation data protection product for the hybrid cloud era that is simple, low cost, and can be deployed and operated in a short time.


[Overview]
■ Date: Wednesday, December 5, 2018, 14:30-17:00 (reception opens at 14:15)
■ Venue: Microsoft, Shinagawa Grand Central Tower, 30th floor, room 30C-13
■ Fee: Free (Note: we may decline registrations from competitors. Thank you for your understanding.)
■ Capacity: 20 attendees

Includes a customer case study presented by Community Network Center Inc.
(Q&A and individual consultation sessions)

[Agenda]
■ 14:30-15:10 The front line of IaaS on Microsoft's cloud service "Azure"
For those using the cloud or considering a move to it, this session explains what Microsoft's cloud service "Azure" can do, what its benefits are, why it can be trusted, and where it beats on-premises, including the latest information.
Microsoft Japan Co., Ltd.
Evangelist
田中達彦

■ 15:10-15:40 It has finally arrived! How Rubrik changes data protection in the cloud era
Backup and DR built system by system are reaching their limits in the face of exploding data volumes, cloud adoption, and new technologies such as SDDC. How should data be handled? Come and see "Rubrik", the new data protection solution that is attracting worldwide attention and has now entered the Japanese market in earnest.
Rubrik Japan K.K.
Sales Engineer
吉田 幸春

(Break)

■ 15:50-16:20 Rubrik product demo
A demonstration of backup, restore, and cloud usage with Rubrik that anyone can do easily.
Rubrik Japan K.K.
Sales Engineer
藤田達也

■ 16:20-16:50 Customer case study
A customer who uses the product in production presents their case study. This time we hear from Community Network Center Inc.
Community Network Center Inc.
Technology Division, Server Group
Nikolai Boyadzhiev

▼ Register for this seminar here

ID@Xbox: bringing games from Japan to customers around the world


Guided by its corporate mission, "Empower every person and every organization on the planet to achieve more," Microsoft continues to take on the challenge of delivering new services in gaming, both for those who develop games and for the customers who enjoy them.
The ID@Xbox program is a self-publishing program that lets game developers of any size digitally distribute Xbox Live-enabled games to all Windows devices, including Xbox One. Created so that developers of any size can put the games they have made on the platform and give many people the chance to enjoy them, the program marked its fifth anniversary worldwide in August 2018. On this occasion, Chris Charla, the senior director who leads the global rollout of ID@Xbox at Microsoft headquarters in the United States, visited Japan. During his visit, Chris celebrated the fifth anniversary of ID@Xbox and delivered a message to the Japanese market about the program's growth in Japan and its outlook.
To date, a cumulative total of 1,000 titles have been delivered worldwide through the ID@Xbox program. Passionate Xbox fans have spent a total of 4 billion hours playing them, game developers have earned more than 1 billion dollars in total revenue as a result, and that revenue in turn drives further game development, expanding the gaming market ecosystem. From Japanese ID@Xbox partners, starting with Toylogic's Happy Wars, 31 titles have been released as Xbox games as of today.
Chris announced that the Xbox One versions of the following three titles will go on sale in Japan.
In addition, development of the following four titles is progressing steadily toward release.
And SWERY (Hidetaka Suehiro) of White Owls Inc., director of The Good Life, whose Xbox One release was announced last week at X018 in Mexico City on November 10, 2018, says this about ID@Xbox:
"Xbox is what gave us the opportunity to deliver a game to the global market. ID@Xbox lets you handle everything from distribution to promotion regardless of the scale of your game development. Seeing a variety of games launched from Japan, as in today's announcement, is inspiring for me as a creator, and I want to keep making fun games that customers will enjoy even more."


"Over 100 Japanese game partners are now registered with ID@Xbox, and dozens more titles are in development right now. I can hardly wait for the day when games from Japan can be enjoyed by customers in Japan and around the world," Chris said with enthusiasm, promising to keep investing in enriching and expanding the ID@Xbox program. Stay tuned for what is next from ID@Xbox.

Titles scheduled for release through the ID@Xbox program

The Good Life

Title: The Good Life
Developer: White Owls Inc. / Grounding Inc.
Publisher: UNTIES
Partners: Microsoft Corporation / Limited Run Games / 株式会社スタジオカリーブ / Video Game Orchestra
Genre: Debt-repayment RPG
Overview: The Good Life is a debt-repayment life RPG co-developed by White Owls Inc., led by SWERY, creator of Deadly Premonition, D4: Dark Dreams Don't Die and The MISSING: J.J. Macfield and the Island of Memories, and the development team of Yukio Futatsugi (Panzer Dragoon, Phantom Dust) and Noboru Hotta (Rez, Meteos).
You play Naomi, a photographer from New York, living in a "backwater" English town said to be the happiest in the world, paying off your debt while digging into the town's secrets.
At first glance the townspeople seem perfectly happy, but the town hides an outrageous secret.
If you like the strange and the mysterious, if you are drawn to distinctive characters with strong personalities, if you want open-ended gameplay but also a proper story, this game is for you.
Copyright © White Owls Inc. All Rights Reserved

Alvastia Chronicles

Title: Alvastia Chronicles (アルバスティア戦記)
Publisher: KEMCO
Developer: EXE-CREATE
Genre: RPG
Overview: A brother and sister rise up to avenge their parents and restore peace to a heavenly realm overrun by monsters, setting out with like-minded companions on an adventure to change the world. Over 100 companions can join you along the way. A retro-style RPG rich in extra content such as an arena and side quests.

Sally's Law

Title: Sally's Law (サリーの法則)
Publisher: Polaris-x
Developer: NANALI Studios / room6
Genre: Side-scrolling action
Overview: Sally's Law, the "tear-jerker" that has moved players around the world, is an action game you progress through while reading the story.
The player alternates between controlling the daughter and the father.
Sally always goes at her own pace, jumping over stairs, cliffs, and ravines without a care; dangerous-looking branches and fences don't bother her at all!
Her father clears the obstacles that lie ahead on Sally's path. Follow Sally's run and get ahead of her so she doesn't get hurt. There are several gimmicks along the way, such as time stop and warp holes; use them well to help Sally.

Forgotton Anne

Title: Forgotton Anne (フォーゴットン・アン)
Publisher: Chorus Worldwide
Developer: ThroughLine Games
Genre: Adventure
Overview: Have you ever imagined where all lost and forgotten things end up? Old toys, letters, socks... The Forgotten Lands is where objects forgotten by people end up. Called Forgotlings, they have developed a sense of self and emotions through their relationships with their human owners, and they hope one day to return to them.
Master Bonku and the protagonist Anne, the only humans in this world, are working to build the Ether Bridge, a device that will let the Forgotlings return to the human world, but many disagree, and a rebellion is only a matter of time. Can Anne, as the Enforcer who keeps order, restore stability to the world?

Titles to be released through ID@Xbox in the future

Dragon Fang Z: The Rose & Dungeon of Time

Title: Dragon Fang Z: The Rose & Dungeon of Time (ドラゴンファングZ 竜者ロゼと宿り木の迷宮)
Publisher: Toydea Inc.
Developer: Toydea Inc.
Genre: Roguelike RPG
Overview: Nostalgic yet new! The definitive roguelike RPG is here!
Your courage to take that next step is about to be tested!
If you fall in the dungeon, Rose's level and items are reset. The Mistletoe dungeon also changes shape every time you challenge it, so you will never have the same adventure twice. The player's own growth and the courage to take the next step hold the key to conquering the dungeon.

BackSlash (バックスラッシュ)

Title: BackSlash (バックスラッシュ)
Publisher: Skeleton Crew Studio Inc.
Developer: Skeleton Crew Studio Inc.
Genre: Battle action
Overview: A "spellcasting hardcore battle game" of high-speed one-on-one duels.
  • Choose and combine 2 of 10 schools, each with a distinctive fighting style.
  • Combine freely, from brutal swordsmen to nimble weavers of braids.
  • 5 stages with destructible scenery. Use battlefields that change over time to land your moves on your opponent.
  • Survival mode, where you keep fighting enemies for as long as you can, and quest mode, where you defeat masters across the land. Clear quest mode completely and something might happen?
  • Compete with friends in local VS mode.

Rival Megagun

Title: Rival Megagun (ライバル・メガガン)
Publisher: Spacewave Software
Developer: Degica Co., Ltd. (株式会社デジカ)
Genre: Competitive shooter
Overview: Turn them to stardust, to survive.
Rival Megagun is a competitive space shooter that adds head-to-head play to the shoot-'em-up: transform into the Megagun and crush your rival. A vertically scrolling versus shooter.
In Rival Megagun you can transform into a giant boss ship, the "Megagun", and invade your opponent's screen.

La-Mulana 2 (ラ・ムラーナ 2)

Title: La-Mulana 2 (ラ・ムラーナ 2)
Publisher: Active Gaming Media / PLAYISM
Developer: NIGORO
Genre: Ruin-exploration archaeological action-adventure game
Overview: A Metroidvania-style "ruin-exploration archaeological action-adventure game" woven from vast ruins, fiendish puzzles, a huge number of items, and powerful enemies.
In this sequel, Lumisa Kosugi, daughter of the hero of the previous game La-Mulana, heads for the Eg-Lana ruins, also called the other side of La-Mulana, to find the cause of the monsters pouring out of the mysterious giant La-Mulana ruins, said to be the origin of all civilization.
Explore the vast ruins spanning many fields, solve the many riddles in the tablets and messages you find, defeat the giant monsters known as Guardians along the way, and aim for the deepest levels.

About ID@Xbox

ID@Xbox is a self-publishing program that lets game developers of any size digitally distribute Xbox Live-enabled games to all Windows devices, including Xbox One.

ID@Xbox registration site


Exchange Online Fiddler Extension 1.0.50


Following on from my earlier post https://blogs.technet.microsoft.com/jeremyknight/2018/10/01/introducing-the-exchange-online-fiddler-extension/ we have now made significant improvements to the extension and have just made version 1.0.50 available.

Improvements in this new version include:

  • Performance troubleshooting enhancements to the inspector tab. -- See how long the Exchange Online server took to respond to requests.
  • Updates to the rule set, new scenarios for highlighting / providing information on scenarios we have seen in support cases.
  • Expanded out the menu to include more options, making it easier to use.
  • Added X-HostIP column. Easier to see local vs. internet IP responding server / device.
  • Title of the 'Exchange Online' menu will now show if an update is available.
  • Minimal telemetry data collected for usage statistics.

The update is available now at: https://github.com/jprknight/EXOFiddlerExtension/releases.

For any questions see: https://github.com/jprknight/EXOFiddlerExtension/wiki.

For any issues see: https://github.com/jprknight/EXOFiddlerExtension/issues.

Happy troubleshooting!

Azure SQL Data Warehouse introduces new productivity and security capabilities


Author: John Macintyre (Partner Group Program Manager, Azure SQL Data Warehouse)

This post is a translation of Azure SQL Data Warehouse introduces new productivity and security capabilities, published on November 7, 2018.

 

Azure SQL Data Warehouse has delivered top-class performance, well ahead of competitors, for many years, and it achieves dominant results in third-party benchmarks such as TPC-H and TPC-DS. This is also evident from the fact that more than 50% of Fortune 1000 companies, including Anheuser-Busch InBev, Thomson Reuters, and ThyssenKrupp, have adopted Azure for new analytics solutions.

SQL Data Warehouse Gen2, released in April 2018, greatly improved query performance and parallelism. Now we are adding new capabilities to keep up with ever-growing data volumes and the analytics workloads on them: enhanced workload management, the addition of row-level security, and an improved operational experience.

Enhanced workload management

SQL Data Warehouse provides workload management that prioritizes queries so that the most important work gets preferential access to system resources. With it, multiple workloads can run efficiently in a single SQL Data Warehouse database, removing the need to run a separate data warehouse per solution and giving you more control over, use of, and optimization of the resources you have deployed. This capability will be available at no charge on all SQL Data Warehouse instances later this year.


Industry-leading security

SQL Data Warehouse natively supports row-level security (RLS), letting you implement fine-grained access control with strict security policies. Going forward, you can change security policies or apply row-level security without affecting query performance and without redesigning or redeploying the data warehouse. Implementing fine-grained security at the database tier and integrating natively with Azure Active Directory lets you coordinate security policies centrally and simplifies management and control of the overall security model.

SQL Data Warehouse can be combined with virtual network service endpoints, threat detection, and transparent data encryption, and it complies with regulatory requirements in more than 40 countries and regions and for specific industries, giving you the highest levels of security and compliance at no additional cost.


Best-in-class development tools and insights

To give data warehouse administrators and developers the best possible experience, SQL Data Warehouse lets them take advantage of deeper insights and the latest tools for automation and management. With these latest features, building an advanced data warehouse on Azure is quick and easy.

SQL Server Data Tools (SSDT) for SQL Data Warehouse, now in preview in Visual Studio, delivers an excellent development experience. It integrates version control, supports automated testing through continuous integration, and allows one-click deployment of changed scripts. Developers implementing a data warehouse can code and deploy quickly as business requirements evolve, and because robust quality control is inherited as well, systems already in production are protected from being rolled back.

Expanded intelligent insights now provide, in addition to information on replicated tables, detailed guidance on database schema optimization for taking advantage of adaptive caching and tempdb. Because Azure Advisor and Azure Monitor are integrated into a comprehensive management experience, data warehouse administrators can seamlessly obtain performance insights and tune their solutions to improve performance quickly.

In SQL Server, Query Store has long been used to troubleshoot query performance over past execution history. We have now brought this capability to SQL Data Warehouse. With it you can review the query workloads running on the platform, analyze the associated query plans and runtime statistics, and identify performance problems that affect productivity.

Support for updates and transactions is essential to keep a data warehouse current and respond to changes in data sources. However, interrupting a long-running transaction can make database recovery time-consuming. To increase database availability, we have implemented Accelerated Database Recovery (ADR) in SQL Data Warehouse. ADR improves the availability of SQL Data Warehouse databases and at the same time greatly speeds up pausing and resuming the service.

高度なトラブルシューティングを行う場合、ワンクリックで Azure Monitor の診断ログを統合できるため、実行済みや待機状態などクエリの使用状況に関するデータを取得して分析用にアーカイブすることも可能です。これらのログは、従来の SQL Data Warehouse の動的管理ビューの拡張版であるため、これまでと同じように確実に操作できます。
 

あらゆる分析を実現する Azure プラットフォーム

Azure SQL Data Warehouse は Azure DatabricksAzure Data FactoryPower BI とネイティブに統合されているため、最新のデータ ウェアハウス機能、高度な分析機能、リアルタイムの分析シナリオ (英語) などに対応した分析ソリューションを新規に開発する際に役立ちます。このたび、Azure Data Lake Storage Gen2SQL Data Warehouse に統合し、一般提供を開始します。これは、ミッション クリティカルな分析と AI ワークロードに最適化された唯一のクラウド規模のデータ レイクです。

マイクロソフト製およびサードパーティ製の 25 種類以上のデータ統合ツールや BI ツールを使用して、分析ソリューションを構築することができます。マイクロソフトは各ベンダーと提携しながら、従来のオンプレミスのデータ ウェアハウスを Azure で刷新できるよう、手順の合理化を進めています。このようなエコシステム全体での取り組みにより、既存のインフラストラクチャを利用して強力な分析ソリューションを構築し、より短期間で価値を創出できるようにしています。

 

Upcoming events for IT professionals!


November and December are packed with events for IT professionals. Join in and invite your colleagues!
It will be interesting!

  1. November 24. Moscow. A free one-day training session held with Microsoft's support as part of the annual global event Global Office 365 Developer Bootcamp 2018 - https://www.meetup.com/office365-moscow/events/256058788/
  2. November 27. Moscow. IoT Community meetup: the practice of creating and growing an IoT company - https://iot-community.timepad.ru/event/849921/
  3. December 8. Moscow. IT Pro Community Conference. The talks will cover a variety of topics, both traditional IT Pro subjects and those most discussed recently, such as Azure Machine Learning and Blockchain. - https://www.meetup.com/itproug/events/256450931/
  4. December 10. Moscow. The annual Azure Day Moscow 2018 conference will be held at DigitalOctober with the support of the MVP Community - https://msmvp.timepad.ru/event/851743/
  5. December 15. Moscow. AI & MR BOOTCAMP RUSSIA. AI & MR Bootcamp is coming to Russia! http://aibootcamp.ru

Configuration Manager Peer Cache – Custom Reporting Examples


Hello all, my name is Seth Price and I am a Configuration Manager PFE. I recently had a customer with a large network environment and they wanted to enable Configuration Manager Peer Cache to help with network bandwidth optimization. They were looking for some reporting options to help determine where peer cache could benefit network utilization and what clients would be appropriate in these locations to enable as peer sources. This post provides custom report options to help identify peer cache source candidates and report on systems that are already configured as peer cache sources.

Background information

Peer Cache is a feature in Configuration Manager which expands on the capabilities of Branch Cache to optimize network utilization for content delivery. Peer Cache can be used to manage deployment of content to clients in remote locations.

https://docs.microsoft.com/en-us/sccm/core/plan-design/hierarchy/client-peer-cache

In a large network environment, it may be difficult to identify and track both subnets where Peer Cache could provide a benefit, and the best client options for enabling Peer Cache content sources in that subnet. Some of the considerations in this decision would include:

Enabling Peer Cache on a subnet:

  • Number of workstations on the subnet
  • Network location (connection speed to the DP in the boundary group)

Enabling a client as a Peer Cache source:

  • Client OS
  • CCM client version (does it support Peer Cache?)
  • Network connection type (wired vs. wireless)
  • System chassis type
    • Example: Chassis type = 3, 6, or 7 (Desktop, Mini Tower, or Tower)

      This excludes system types you may not want to use as a content source, such as laptops, notebooks, handhelds and All-in-One systems.

  • Available system drive space

Here are a few examples of creating custom reports to assist customers with managing Peer Cache.

***Report requirements***

  1. Hardware inventory classes

    Hardware inventory will need to be configured to collect the following WMI classes:

    1. Root\ccm\softmgmtagent (CacheConfig), specifically 'Size'

      Required to get the CCM cache size on systems

    2. Root\ccm\policy\machine\actualconfig (CCM_SuperPeerClientConfig), specifically 'CanBeSuperPeer'
    3. System Enclosure (Win32_SystemEnclosure) – Chassis Types
  2. Update AD System Discovery to add the AD attribute "OperatingSystem"

*Note – Instructions for configuring requirements including system discovery and hardware inventory are at the end of this post.

Download the .rdl files for both custom reports here:

https://github.com/setprice2245/Peer-Cache

Report 1

PE Peer Cache Candidate Dashboard

This report lists the AD sites and the number of subnets associated with each site. Expanding the site and specific subnet will provide details on the client count in that site and the number of Peer Cache content source candidates.

The details of the client in that site are listed and color coded for Peer Cache candidate status.

Green = Peer Cache is already enabled

Blue = System meets the criteria to be recommended as a Peer Cache candidate

Gray = System does NOT meet the criteria for a Peer Cache candidate

In this report the client system must meet all of the following criteria to be displayed in BLUE as Peer Cache capable.

Note: The data used for the candidate criteria comes from hardware inventory, so depending on your hardware inventory schedule it may or may not be current (the default hardware inventory cycle is 7 days).

  • OS version (like %Windows% and NOT like %Server%)
  • Ethernet connection (AdapterType0) = 'Ethernet 802.3'
  • IPAddress0 like '%.%.%.%' (not NULL)
  • Free space on the system drive is > 20 GB
  • CCM client is Active
  • Client version 5.00.8540.1000 or later
  • Chassis type in (3, 6, 7) – Desktop, Mini Tower, or Tower

Note: The attached report will not list Server operating systems but I do have them enabled for display in the example report screenshot.
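As an added example (not the query inside the post's .rdl files, which you should download from the link above), here is one way to express the candidate criteria as a T-SQL query against the ConfigMgr reporting views, with a roll-up per AD site and subnet like the dashboard. The view names for the two custom inventory classes (v_GS_CACHECONFIG, v_GS_CCM_SUPERPEERCLIENTCONFIG) and the assumption that the system drive is C: are mine, not the post's; verify them against your site database before use.

```sql
-- Added example, not the post's .rdl query: classify each client for the
-- "PE Peer Cache Candidate Dashboard" using the criteria listed above.
-- Assumptions (not from the post): the two custom hardware inventory classes are
-- exposed as v_GS_CACHECONFIG (Size0) and v_GS_CCM_SUPERPEERCLIENTCONFIG
-- (CanBeSuperPeer0); ConfigMgr derives view names from the class name, so check
-- them in your site database. The system drive is assumed to be C:.
WITH WiredIPv4 AS (
    -- Clients with at least one 'Ethernet 802.3' adapter holding an IPv4 address.
    -- Reduced to one row per client so the main query does not multiply rows.
    SELECT na.ResourceID
    FROM v_GS_NETWORK_ADAPTER AS na
    JOIN v_GS_NETWORK_ADAPTER_CONFIGURATION AS nac
      ON nac.ResourceID = na.ResourceID AND nac.Index0 = na.Index0
    WHERE na.AdapterType0 = 'Ethernet 802.3'
      AND nac.IPAddress0 LIKE '%.%.%.%'
    GROUP BY na.ResourceID
),
Detail AS (
    SELECT
        s.ResourceID,
        s.Netbios_Name0                  AS ComputerName,
        site.AD_Site_Name0               AS ADSite,
        sub.IP_Subnets0                  AS IPSubnet,
        s.Operating_System_Name_and0     AS OperatingSystem,
        s.Client_Version0                AS ClientVersion,
        enc.ChassisTypes0                AS ChassisType,
        ld.FreeSpace0 / 1024             AS SystemDriveFreeGB,   -- FreeSpace0 is in MB
        cc.Size0                         AS CcmCacheSizeMB,
        CASE
            WHEN sp.CanBeSuperPeer0 = 1 THEN 'Enabled'          -- green: already a peer source
            WHEN s.Operating_System_Name_and0 LIKE '%Windows%'
             AND s.Operating_System_Name_and0 NOT LIKE '%Server%'
             AND w.ResourceID IS NOT NULL                        -- wired adapter with IPv4
             AND ld.FreeSpace0 > 20 * 1024                       -- > 20 GB free on C:
             AND cs.ClientActiveStatus = 1                       -- CCM client is Active
             -- 5.00.8540.1000 or later: compare the build (third dotted field)
             AND TRY_CAST(PARSENAME(s.Client_Version0, 2) AS int) >= 8540
             AND enc.ChassisTypes0 IN ('3', '6', '7')            -- Desktop, Mini Tower, Tower
            THEN 'Candidate'                                     -- blue
            ELSE 'NotEligible'                                   -- gray
        END AS PeerCacheStatus
    FROM v_R_System AS s
    JOIN v_CH_ClientSummary                  AS cs   ON cs.ResourceID   = s.ResourceID
    LEFT JOIN v_RA_System_ADSiteName         AS site ON site.ResourceID = s.ResourceID
    LEFT JOIN v_RA_System_IPSubnets          AS sub  ON sub.ResourceID  = s.ResourceID
    LEFT JOIN v_GS_SYSTEM_ENCLOSURE          AS enc  ON enc.ResourceID  = s.ResourceID
    LEFT JOIN v_GS_LOGICAL_DISK              AS ld   ON ld.ResourceID   = s.ResourceID
                                                    AND ld.DeviceID0    = 'C:'   -- assumed system drive
    LEFT JOIN WiredIPv4                      AS w    ON w.ResourceID    = s.ResourceID
    LEFT JOIN v_GS_CACHECONFIG               AS cc   ON cc.ResourceID   = s.ResourceID  -- assumed view name
    LEFT JOIN v_GS_CCM_SUPERPEERCLIENTCONFIG AS sp   ON sp.ResourceID   = s.ResourceID  -- assumed view name
    WHERE s.Client0 = 1
)
-- Dashboard roll-up: clients, enabled peer sources and candidates per AD site and subnet.
-- A client that sits on more than one subnet appears once per subnet, as in the report.
SELECT ADSite, IPSubnet,
       COUNT(DISTINCT ResourceID)                                                  AS Clients,
       COUNT(DISTINCT CASE WHEN PeerCacheStatus = 'Enabled'   THEN ResourceID END) AS PeerSourcesEnabled,
       COUNT(DISTINCT CASE WHEN PeerCacheStatus = 'Candidate' THEN ResourceID END) AS Candidates
FROM Detail
GROUP BY ADSite, IPSubnet
ORDER BY ADSite, IPSubnet;
```

Select from the Detail CTE instead of the roll-up to get the per-client colour-coded list that the expanded subnet shows.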

Report 2

PE Peer Cache Enabled Clients

This report lists all systems that have the Peer Cache client enabled, along with system details such as chassis type, free system drive space, CCM cache size, client status, client version, OS name, AD site, and default gateway.

Configuring system discovery and hardware inventory requirements

  1. In the Config Mgr console, under Administration > Hierarchy Configuration > Discovery Methods > Active Directory System Discovery > Properties, add the attribute operatingsystem.

    Then start a system discovery.

  2. Add the required classes to hardware inventory.

    Under Administration > Client Settings, modify the Default Client Settings.

    Edit Hardware Inventory and click Set Classes…

    Add the System Enclosure (Win32_SystemEnclosure) class = Chassis Types as shown below.

    For the next classes, select Set Classes…, then select Add.

    Click Connect.

    Under WMI namespace, type Root\ccm\softmgmtagent and select Recursive as shown below.

    *Note – You may need to run the Config Mgr console as administrator to have access.

    Select CacheConfig and select OK.

    Back in the hardware inventory classes, find CacheConfig (CacheConfig) and select the Size class as shown.

    Repeat this process to add the class Root\ccm\policy\machine\actualconfig (CCM_SuperPeerClientConfig), specifically 'CanBeSuperPeer'.

    After the new hardware inventory classes have been added to the default client settings policy, run a machine policy evaluation on a client system, then run a hardware inventory to update the database.

    Next, browse to your report server website and import the .rdl files included in this post.

    *Note – Make sure to edit the report and change the data source to your database.

Thank you for reading this post, you should now be able to run both custom reports. Please provide feedback if the reports are useful or if you would like to see additional data in either of the reports.


Email Phishing Protection Guide – Part 18: Increase Security with Microsoft Secure Score


The Email Phishing Protection Guide is a multi-part blog series written to walk you through the setup of many security focused features you may already own in Microsoft Windows, Microsoft Office 365, and Microsoft Azure. By implementing some or all of these items, an organization will increase their security posture against phishing email attacks designed to steal user identities. This guide is written for system administrators with skills ranging from beginner to expert.

Introduction: Email Phishing Protection Guide - Enhancing Your Organization's Security Posture

Part 1: Customize the Office 365 Logon Portal

Part 2: Training Users with the Office 365 Attack Simulator

Part 3: Deploy Multi Factor Authentication (MFA)

Part 4: Deploy Windows Hello

Part 5: Define Country and Region Logon Restrictions for Office 365 and Azure Services

Part 6: Deploy Outlook Plug-in to Report Suspicious Emails

Part 7: Deploy ATP Anti-Phishing Policies

Part 8: Deploy ATP Safe Link Policies

Part 9: Deploy ATP Safe Attachment Policies

Part 10: Deploy and Enforce Smart Screen for Microsoft Edge, Microsoft Internet Explorer and Google Chrome

Part 11: Monitor Phishing and SPAM Attacks in Office 365

Part 12: Discover Who is Attacking Your Office 365 User Identities

Part 13: Update Your User Identity Password Strategy

Part 14: Prevent Brute Force and Spray Attacks in Office 365

Part 15: Implement the Microsoft Azure AD Password Protection Service (for On-Premises too!)

Part 16: Disable Office 365 Legacy Email Authentication Protocols

Part 17: Control Application Consent Registrations in Microsoft Office 365 and Microsoft Azure

Part 18: Increase Security with Microsoft Secure Score

Part 19: Email Phishing Protection Security Checklist

Part 20: Recommended Security and Anti-Phishing Training from Microsoft Ignite 2018

Part 18: Increase Security with Microsoft Secure Score

While this blog series has provided a large number of configuration options to consider implementing in your organization, it is definitely not a complete list. In fact, the list of recommendations and possible configuration options will always continue to grow! So how do you evaluate all of the existing and yet-to-be-released settings so that your security posture continues to improve? The answer is Microsoft Secure Score!

Microsoft Secure Score is a feature offered to every Office 365 tenant as a window through which to evaluate and improve the overall cloud security posture of your organization. In a practically limitless realm of features, products, and opportunity in Microsoft Office 365 and Azure, Microsoft has designed this first-of-its-kind scoring system to help you make adjustments so that your cloud environment is more secure. The score represents a weighted value of how the security-related features in your organization are configured compared with Microsoft best practices.

Microsoft Secure Score provides valuable insights into your cloud environment so that you know what is going on. What I often recommend to customers is that it be used to drive awareness in the correct configuration options for each of the products they are subscribed to. With literally thousands of configuration options, how would any administrator know about all the potential configurations, what the best practices are and then how to configure them? Microsoft Secure Score takes care of this in an easy to use, rich graphical format that displays everything I would need to know as an administrator. I also recommend that customers use it for a self-assessment of their security posture.

There is a Secure Score API that can be used to import the available data in a SIEM or other type of dashboard. Information about the API is located at: https://aka.ms/ScureScore_APIBlog

If you want to quickly raise your Microsoft Secure Score and greatly increase the security posture of your organization, the number one thing you should do is enable Multi-Factor Authentication (MFA) for your administrator/privileged accounts. If you don't take any other action from Microsoft Secure Score, do this! This is the first item to do in both the Microsoft Secure Score and Identity Secure Score.

Microsoft Secure Score

Below is information about how to access the Microsoft Secure Score area and a highlight of several of the features available in the site. This is not an exhaustive list of features available, but rather just a few items to get you started. Additional information about Microsoft Secure Score is located here.

  1. Log on to https://securescore.microsoft.com. This is a direct link to your Microsoft Secure Score. This area can also be accessed from the Security and Compliance Center in the Microsoft Office 365 Portal.
  2. When logged in, you can see the overall security score of your organization…front and center! This is a screen capture of my demonstration tenant, where my score is 188/716. While this may seem bad, it is far better than the average score across all cloud tenants, which as of November 19, 2018 was 33.

  3. As you scroll down, you will find a number of actions in the queue to consider doing.

  4. Expanding each of the actions listed provides a wealth of information, as shown below when I expanded the first item: Require MFA for Azure AD privileged roles.

  5. Above the list of action items is a slider bar that lets you define a target score. Remember there are a lot of action items you may choose, but do not feel compelled to take all actions. Evaluate each item and implement them based on what is appropriate for your organization.

  6. At the top of the screen are two tabs, Dashboard and Score Analyzer. Using the Score Analyzer tab you can track your progress over a period of time. This information can be invaluable to provide to a security team or auditor of your environment. Consider using the Export option in the upper right of the screen as well.

Microsoft Identity Secure Score

The Microsoft Secure Score area above includes information available in this next section, the Identity Secure Score. You can evaluate the Identity Score in detail using the steps below. More information on Identity Secure Score is available here.

  7. To access your Identity Secure Score, log on to https://portal.azure.com.
  8. Click Azure Active Directory.

  9. Under the Security section, click Identity Secure Score (in Preview as of November 2018).

  10. In the Identity Secure Score area, you will find your calculated score, a comparison to other tenants in your industry, the trend of your score over the last 90 days, and a list of Improvement Actions to consider implementing.

  11. Clicking an action in the Improvement Action list opens a new blade with very detailed information.

  12. Using the download option in the Improvement Action generates a CSV file that can be used for additional data point tracking and sorting. Below is a sample download of the demonstration tenant information.

  13. To change the industry type used to evaluate your organization's Identity Secure Score:
    1. Click the Change Industry option.

    2. The Security and Compliance Center will now load and log you in.
    3. Locate the Service Assurance section, then click Update Industry and Geography Settings.

    4. In this section, choose the Region and Industry you would like to be compared against.

    5. Click Save when complete, then refresh your Identity Secure Score area as well as the Microsoft Secure Score area.

SharePoint: All about non-imported user profiles


I find there is much confusion around this topic, so I'll try to clear it up here.

First off, non-imported profiles are, well… not imported. They were not created by Profile Sync, AD Import, or Sync with External Identity Manager. We also refer to these as "unmanaged" or "stub" profiles because they typically contain only the minimum amount of user data, usually just the user's account name.

Note: in this article, I will use the terms profile import / profile sync interchangeably. For our purposes here, it does not matter whether AD Import or FIM Sync is used to get profiles into SharePoint.

 

Where do they come from?

There are a few ways to create user profiles that are "unmanaged". I will list them here from most common to least:

  1. Users just browsing to their profile page or mysite. If a user tries to access any user profile-related pages, and they don't already have a user profile in the UPA, one will be created for them automatically. This will be a "stub" profile with a limited set of data for the user.
  2. From a different farm or a different UPA. For example, maybe you had profiles imported in a SharePoint 2013 farm. If you then migrate that UPA to a 2016 farm but don't select all the same OUs / containers that you had in the 2013 farm, all of the users that live in the containers you missed will become "unmanaged profiles".
  3. Created programmatically. You can use PowerShell or object model code to create user profiles. Unless you are also filling in additional data at creation time, these will be "stub"-looking profiles as well.
  4. By a 3rd party. This is really just a variation of #3, but 3rd party solutions (Newsgator comes to mind in particular) can create profiles programmatically.

 

What's the harm?

There's not much, really. The main ticket generator we see is that someone notices that a certain user's profile shows up in people search results, in the organization chart, or somewhere else unexpectedly. The profile may be considered "unexpected" for one of several reasons:

  • They are not in an OU selected for import / sync.
  • They are deleted or disabled in Active Directory.
  • They should be subject to an import / sync connection filter.

A second scenario we see is a profile that belongs to a valid user not getting any updates from Active Directory. For example, their title changes in AD but stays the same in their user profile. This happens when the profile is "unmanaged": since it is not being synced, it won't receive any updates from AD.

 

What to do?

Depends on what your goal is for these profiles. You're typically going to have one of these two objectives:

I -- Turn them into managed profiles so profile import / sync can update and maintain them.

If you intended these user profiles to be imported, but they weren't (and therefore were created as "stub" profiles), then you need to start by determining why they were not imported. We also refer to this condition as being "out of scope" for the import. There are only a few reasons:

  1. They are in an OU that is not included in the import connection. No really, go double-check the distinguished name of the user in question, and compare against the OUs selected in your import connection. -- I've seen too many assumptions on where the user currently exists in AD and what the connection should be importing.

    Seriously, don't assume, go check. You can use the following PowerShell to look up a given user and output their Distinguished Name (DN):

    $accountName = "josh"

    $prop = ([adsisearcher]"samAccountName=$($accountName)").FindOne().Properties

    $prop.displayname

    $prop.distinguishedname

     

    The output will look something like this:

    Josh Roark

    CN=Josh Roark,OU=Admins,OU=MyUsers,DC=joroar,DC=local

     

    The part of the DN starting with "OU" indicates the container this user exists in. You need to select that container ("Admins"). Selecting its parent container ("MyUsers") by default, will also select any child containers and will also result in the user being imported.

  2. They are subject to an import connection filter. This is one place where there is a significant difference between FIM Sync and AD import. The filtering is done entirely differently. AD Import uses a standard LDAP filter, so you can use tools like LDP.exe or LDAP Explorer to verify whether or not the filter in place should return the user. With FIM Sync, exclusion filters are used, so it's a matter of understanding the filters and checking against the AD attribute values for the user.

     

  3. This is rare, but there is a known issue where if the LastKnownParent attribute is set on the user in Active Directory, it could result in the user not being imported. Read more here: https://support.microsoft.com/en-us/help/313301

 

Note: It is not necessary to delete these "stub" profiles first. If a profile was first created as a "stub" / "unmanaged" / "non-imported" profile, but then later profile import / sync pulls that user in, the existing profile will be updated by the sync, and will become a "managed" profile from that point forward.

 

II -- Remove them.

If you don't want these profiles around, then you need to take some action to get rid of them.

Number one, you should not be looking to profile import / sync to fix this for you. Remember, these profiles were not imported, so the profile sync process does not manage them at all. In general, if profile sync did not create the profile, it can't delete it either.

Get a list of non-imported profiles. This is rather easy. Just run PowerShell like this:

$upa = Get-spserviceapplication | ?{$_.typename -match "profile"}

Set-SPProfileServiceApplication $upa -GetNonImportedObjects $true | out-file c:\temp\NonImportedProfiles.txt

 

Then go have a look at the NonImportedProfiles.txt file.

The GetNonImportedObjects flag will only return unmanaged / "stub" profiles. If a user account is in this list, it means they were most certainly not imported, so if there's any question as to whether or not a certain user has been imported by AD Import / Sync, these results should be definitive.

If the contents of NonImportedProfiles.txt looks like the list of user profiles you'd like to remove, then you can run this:

$upa = Get-spserviceapplication | ?{$_.typename -match "profile"}

Set-SPProfileServiceApplication $upa -PurgeNonImportedObjects $true

 

Please note that this is all or nothing. The PurgeNonImportedObjects command will mark all of the profiles for deletion that GetNonImportedObjects returned. If there are legitimate user profiles returned by GetNonImportedObjects, then you should see the "Turn them into managed profiles…" section above for ideas on how to get them imported.

PurgeNonImportedObjects does not immediately delete the non-imported profiles. It just marks them for deletion (bdeleted = 1 in the UserProfile_Full table of the Profile database). Once they have been marked for deletion, it is the responsibility of the "My Site Cleanup Job" timer job to remove them, which is no different for "managed" profiles that have been marked for deletion by profile import / sync.

Email Phishing Protection Guide – Blog 19: Email Phishing Protection Security Checklist



Part 19: Email Phishing Protection Security Checklist

Now that you have read about the many features in Microsoft Office 365 and Microsoft Azure that secure your environment, it is time to implement them. So how do you do it? Which item can you implement now that matters most and has the least user impact? Below, I have outlined an example implementation plan based on the topics in this guide.

As you review this guide and the implementation plan below, remember that in the world of security there is no finish line at which an environment is completely secure. This is a constantly evolving field where attack vectors are constantly changing. At Microsoft, the guiding principle of our security strategy is to "assume breach", where a team of more than 3,500 global security professionals identify and mitigate any attack on the Microsoft cloud environment. As outlined in this guide, you can raise the security posture of your organization even higher by adjusting settings in products you may already own in the Microsoft cloud.

Today

  • Enable Multi-Factor Authentication (MFA) for your Administrator accounts
  • Reduce the number of Administrator accounts to less than five
  • Evaluate your Microsoft Secure Score and Microsoft Identity Score to identify additional security settings to implement
  • Implement Advanced Threat Protection (ATP). Define all three policies: Anti-Phishing, Safe-Links, Safe-Attachments. If you do not currently own ATP, consider a 30 day trial.
  • Discover who is attacking your Office 365 User Identities
  • Review logs for Legacy Authentication activity
  • Review reports for SPAM campaigns and identify the most targeted users

Two Weeks

  • Deploy the Outlook Plug-In to Report Suspicious Email
  • Block Legacy Authentication with a Conditional Access Policy
  • Turn on Password Hash Sync
  • Import Azure AD Logs into your SIEM systems

30 Days

  • Communicate to users about the new Outlook Plug-In to Report Suspicious Email
  • Begin designing a new user security training program
  • Initiate a simulated brute force and password spray attack against your own users (Office 365 Attack Simulator)
  • Initiate a simulated spear phishing attack
  • Modernize your password policy with Azure Active Directory Password Protection
  • Implement the Azure Geo-IP filter policy

90 Days

  • Enable user risk policy
  • Enable sign-in risk policy
  • Review application consent permissions and prevent future permissions
  • Implement Windows Hello
  • Deploy Microsoft Smart Screen

Email Phishing Protection Guide – Part 20: Recommended Security and Anti-Phishing Training from Microsoft Ignite 2018



Part 20: Recommended Security and Anti-Phishing Training at Microsoft Ignite 2018

While I have written many blogs in this Email Phishing Protection Guide about topics to help secure your environment, you may want to learn more. I encourage anyone looking for more information to search documentation available on https://docs.microsoft.com AND to watch recorded conference sessions on just about any topic or product from Microsoft.

I find that information presented at the many conferences Microsoft hosts or attends is some of the best information available. Instead of just learning about product features and implementation steps in the documentation, there is often a large amount of valuable information also presented at these conferences. I reviewed the catalog of more than 1200 sessions presented at Microsoft Ignite 2018 in Orlando, FL with a focus to learn more about the latest anti-phishing and security products and recommendations Microsoft offers. Below is that list, separated into two sections - Phishing Protection and Security.

I have listed the session code, title, link to the session in the Microsoft Ignite website, and finally the link to watch the session directly on YouTube. Yes, I have watched each one and highly recommend them. These are only the sessions I found in my review but remember that there are over 1200 sessions available to watch. All the Microsoft Ignite sessions are in this YouTube channel.

Microsoft Ignite 2018 Sessions:

Turkey Day Mailbag

Hello Networking Enthusiasts - Tomorrow, the US will celebrate Thanksgiving and since we're so close to a holiday we decided to keep this week's blog fairly simple and answer some common questions and information we've seen over the last few months.

If you have follow-up questions you'd like answered (or more details on what's below), hit us up on Twitter @ Microsoft SDN!

RDMA and HCI

Q. Network traffic from Live Migrations takes valuable CPU cycles from my tenant VMs. How can I reduce the impact of a live migration for tenants, increase the number of live migrations I can perform, and/or increase the speed of the live migrations?

Answer from RDMA PM, Dan Cuomo:

Although not the default option, SMB can be selected as the live migration mechanism. If selected, SMB can use RDMA under the hood (in this context, known as SMB Direct), which avoids the need to process the GBs (yes, gigabytes, not bits) of network traffic produced by the live migration (e.g., VM memory or VHDX storage).

RDMA bypasses the host operating system and removes the processing burden of the live migrations. Since host networking is most commonly constrained by host CPU spreading (remember your VMs are competing for access to the same cores processing network traffic), RDMA eases the effect of the live migration on VMs on the same host, as those cores can now continue to focus on the VMs' CPU scheduling needs.

The net effect is an increase to the number of live migrations you can perform at once because the CPU is no longer the bottleneck for the network or affecting your tenant VMs.
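Selecting SMB as the migration mechanism only pays off if the migration network really sits on RDMA-capable adapters; otherwise SMB silently falls back to TCP/IP and the CPU savings described above never materialise. The following PowerShell is an added example (not part of the original mailbag answer) that checks both halves of that on a Hyper-V host; the migration subnet is a placeholder.

```powershell
# Added example: verify that live migration uses SMB and that SMB Direct (RDMA)
# can actually carry it. Run on the Hyper-V host as an administrator.

# 1. Live migration must be enabled and its performance option set to SMB.
#    TCPIP and Compression both flow through the host CPU; only SMB can use RDMA.
$vmHost = Get-VMHost
if (-not $vmHost.VirtualMachineMigrationEnabled) {
    Enable-VMMigration
}
if ($vmHost.VirtualMachineMigrationPerformanceOption -ne 'SMB') {
    Set-VMHost -VirtualMachineMigrationPerformanceOption SMB
}

# 2. Pin migrations to the RDMA subnet instead of "any network", so the traffic
#    cannot wander onto a non-RDMA (or tenant-facing) interface.
$migrationSubnet = '192.168.100.0/24'   # placeholder subnet, not from the original post
if (-not (Get-VMMigrationNetwork | Where-Object Subnet -eq $migrationSubnet)) {
    Add-VMMigrationNetwork -Subnet $migrationSubnet
}
Set-VMHost -UseAnyNetworkForMigration $false

# 3. Which physical adapters have RDMA enabled on this host?
Get-NetAdapterRdma | Where-Object Enabled | Format-Table Name, Enabled -AutoSize

# 4. Does the SMB client itself see RDMA-capable interfaces? This is the list SMB
#    Multichannel picks from; if it is empty, live migration over SMB will use TCP/IP.
$smbRdma = Get-SmbClientNetworkInterface | Where-Object RdmaCapable
if (-not $smbRdma) {
    Write-Warning 'No RDMA-capable SMB client interfaces; SMB live migration will fall back to TCP/IP.'
}
$smbRdma | Format-Table InterfaceIndex, RdmaCapable, LinkSpeed, IpAddresses -AutoSize

# 5. While a migration (or any SMB session to the destination host) is active,
#    confirm the selected channel is RDMA on both ends, not just RSS/TCP.
Get-SmbMultichannelConnection |
    Where-Object { $_.Selected -and $_.ClientRdmaCapable -and $_.ServerRdmaCapable } |
    Format-Table ServerName, ClientIpAddress, ServerIpAddress, CurrentChannels -AutoSize
```

Step 5 returns nothing when no SMB session to the destination exists, so run it during a test migration; an empty result while a migration is in flight means the channel chosen was TCP, not SMB Direct.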

Software Defined Networking

Q. How do I get support deploying Software Defined Networking?

Answer from SDN PM, Schumann Ge:

There are a ton of resources available, and we'd recommend you start with our documentation here. However, if you'd like to speak to an expert, our field engineers would be glad to assist. Contact them at SDNBlackbelt@Microsoft.com or hit up Microsoft SDN on Twitter!

Containers

Q. Does Red Hat OpenShift support Windows Containers? Where can I find out more about Red Hat OpenShift? What is the roadmap for supporting Windows Containers with Kubernetes?

We're posting this answer from Containers PM, Mike Kosteritz, under protest because it's technically three questions...

See the blog post "Managing Windows containers with Red Hat OpenShift Container Platform 3.11" for an overview of what is coming in this space.

General information on OpenShift is available on the https://www.openshift.com/products website. If you have Windows-specific questions, please post a comment on the blog post "Managing Windows containers with Red Hat OpenShift Container Platform 3.11".

Networking Diagnosis Tools

Q. How do I review all the pertinent networking information on my system? I'm not sure I know all the cmdlets I need or how to put the data together into a cohesive view of my system.

Answer from Datapath PM, Dan Cuomo:

Get-NetView is a nifty script that curates all the pertinent networking information into a single zip file for portability. It even grabs the data about the VMs sitting on the system. If you're one of the many customers we've worked with over the last year or so, you've no doubt had to run this command and send us the output for review. Also, this tool is integrated into the Get-SDDCDiagnosticInfo cmdlet you've no doubt run when troubleshooting Storage Spaces Direct.

Once extracted to a folder, we'd recommend using Visual Studio Code to review the contents of the folder. Check out Get-NetView on GitHub.
Happy Turkey Day,
Windows Core Networking Team