Now more than ever, being able to work remotely is of critical importance. Ensuring that employees have the right tools to work from home or in isolation, is a real concern for business owners.
Why do we recommend Dropbox Business instead of OneDrive and SharePoint?
This is a question we’re asked occasionally and it’s something we’ve given a lot of consideration. Why do we deploy Dropbox Business for our customers? We’re a Microsoft Gold Partner, it’d make sense for us to go with OneDrive and SharePoint, right?
Ultimately it comes down to reliability and user experience. We can still roll out and secure Dropbox Business using Microsoft identities and security tools while providing a simple, reliable experience to our customers.
Here’s an overview of why we deploy Dropbox Business over OneDrive & SharePoint:
Download the full article here
Reliability
Generally speaking, the Dropbox client just works.
This is extremely important to us. A Dropbox keynote speaker once commented: “Dropbox doesn’t just keep files in sync, it keeps teams in sync.” It’s marketing talk, but it makes sense.
When the tool that keeps your team in sync doesn’t work reliably, not only can you lose trust in it, but you can lose trust in your team. You’ll never know if the reason the files aren’t there is because the syncing isn’t working, or because your team members haven’t done their job. And when it does come back online, are all the changes and files there? Are there conflicts? How will we know without checking each affected device and team member? It may seem trivial, but in our experience, the emotional impact of an unreliable sync client is a very real thing.
Ease of Use
Dropbox eases the digital transformation curve for users who are familiar with working via Windows Explorer or Mac Finder. Users can take advantage of the improved mobility, security and external collaboration features at their own pace.
The New Dropbox Desktop App is good
The new Dropbox Desktop App actually works quite well. It has a familiar file explorer/finder layout with additional enhancements that make it easier for employees to collaborate and comment on files and turn folders into productive workspaces called Dropbox Spaces.
Single Sign-on is simple to use
Single Sign-on allows users to use their Office 365 account to log into multiple services. If a user is signed into their computer with Office 365, they can sign into the Dropbox App or website without needing to re-enter their credentials. Granted, this is also the case for OneDrive and SharePoint, but we are often asked about how seamless Dropbox’s integration is.
Simple sharing
Dropbox has an easy sharing interface, in the browser, on the desktop and using mobile apps.
On the desktop, users can right-click on folders, click Share and send off an invitation to collaborate on the file or folder.
In the browser, users can mouse over a file or folder, click Share and do the same.
In mobile apps, users can tap the menu icon under each file or folder to share with anyone.
Office 365 and GSuite support
Dropbox supports both Microsoft’s Office Online and Google GSuite web apps to allow for the creation and editing of documents from anywhere. Users who work on files via the browser in Office 365 or GSuite will see little difference when switching to Dropbox Business.
Microsoft Cloud App Security
Microsoft Cloud App Security provides an additional level of alerting and data protection policy over Dropbox Business. This is especially handy for detecting malicious insider activity such as mass deletes and downloads. Using Cloud App Security we can guard against scenarios where employees accidentally or intentionally delete or download company data.
Built-in security policies
The built-in security policies are also quite good for Dropbox Business. Unlike the basic Office 365 plans, Dropbox actually notifies you if someone accesses your account from a new browser, or connects a new device to your account.
It’s also very simple to lock down sharing as required for certain files and folders. It’s easy to ensure that certain files and folders cannot be shared outside the company, or shared with anyone at all.
Want more information? For a comprehensive White Paper on why we choose Dropbox Business, fill out the form below.
//gcits.com.au/wp-content/uploads/GCITSlogowordpress.png00Elliot Munro//gcits.com.au/wp-content/uploads/GCITSlogowordpress.pngElliot Munro2020-03-20 09:30:422020-03-20 17:16:52Should I use Dropbox Business or SharePoint and OneDrive?
We’ve been providing Dropbox Business as a core part of our Managed Services for a few years now, and have received great feedback from customers for its simplicity and reliability.
Our customers get a seamless solution with Dropbox Business and Microsoft 365, with single sign on through Azure Active Directory, advanced protection via Microsoft Cloud App Security and an excellent integration with Office Online.
We’re thrilled to announce that we have completed the customer satisfaction and training requirements to become the first Dropbox Business Elite Partner in Australia and New Zealand. And we’re pretty happy with the smash cake too.
//gcits.com.au/wp-content/uploads/GCITSlogowordpress.png00Elliot Munro//gcits.com.au/wp-content/uploads/GCITSlogowordpress.pngElliot Munro2018-11-26 15:50:412019-04-03 00:43:29GCITS are the first Dropbox Elite Partners in Australia and New Zealand
This update will bring extra document management capabilities from SharePoint into Microsoft Teams.
The current Microsoft Teams files experience
The document storage and collaboration functionality in Microsoft Teams is built on SharePoint. Every Microsoft Team is also an Office 365 Group, and each team has a group-connected SharePoint site which stores all the files shared amongst the team.
You can already reach this site from the files tab of your Microsoft Teams channels, however the experience within Teams is a bit limited.
An updated Document Library experience in Microsoft Teams
This update brings the full functionality of a SharePoint Document Library into Microsoft Teams. With the ability to add and manage custom columns, sort and filter files with custom views, trigger workflows and much more.
Sync files from Microsoft Teams with your PC or Mac
This is the standout feature in this update. The ability to sync files with a PC or Mac will be available from within Microsoft teams. At Ignite this year, Microsoft demonstrated the new interface during the Content Collaboration in the Modern Workplace – BRK2451 session.
This screen capture demonstrates custom columns, views and formatting, as well as the new sync button within Microsoft Teams.
//gcits.com.au/wp-content/uploads/GCITSlogowordpress.png00Elliot Munro//gcits.com.au/wp-content/uploads/GCITSlogowordpress.pngElliot Munro2018-10-30 13:46:062019-02-21 13:23:30A new SharePoint-powered files experience is coming to Microsoft Teams
Office 365 Advanced Threat protection and Office 365 threat intelligence logs can now be integrated into your SIEM solution.
Threats discovered by these services can be made available on the audit.general workload of the Office 365 Management APIs.
What are the Office 365 Management APIs?
The Office 365 Management APIs are essentially the API version of the Office 365 Unified Audit Log
To get your Office 365 ATP info into your SIEM, you’ll need to have the Unified Audit Log enabled for your tenant. Unfortunately, it’s not enabled by default.
How to enable the Office 365 Unified Audit Log
The Office 365 Unified Audit Log is an important and useful tool which can help you secure your Microsoft Cloud environment. If you’re a Microsoft Partner, we have a longer article on enabling this for your customers’ tenants here, but to enable it for a single tenant, you have two options.
Enable the Office 365 Unified Audit Log via the Security and Compliance Center
You can log into the Security and Compliance Center at protection.office.com as a global or security administrator.
You’ll find the setting under Search and Investigation, Audit Log Search.
If the audit log isn’t enabled, click Start recording user and admin activities
Enable the Office 365 Unified Audit Log via Powershell
Connect your SIEM to the Office 365 Management APIs
Once the audit log is enabled, threats discovered by Office 365 ATP and Threat Intelligence will be available on the audit.general endpoint of the Office 365 Management API. For more information on setting this up, see the official Microsoft documentation here.
//gcits.com.au/wp-content/uploads/GCITSlogowordpress.png00Elliot Munro//gcits.com.au/wp-content/uploads/GCITSlogowordpress.pngElliot Munro2018-10-30 12:48:312019-02-21 13:23:31Office 365 ATP can now be integrated into your SIEM
You’ve been able to open shared calendars in Outlook for iOS and Outlook for Android for a little while now, however this update makes it a lot easier.
How did Shared Calendars on Outlook for Mobile previously work?
The person who owned the calendar would send you a sharing invite
You accept the invite from within the Outlook mobile app
The shared calendar is added to your phone.
With this update to Outlook for iOS, you can now open calendars that are already shared with you.
How to open a shared calendar in Outlook for iOS
Switch to your calendars in Outlook for iOS
Open the the left menu
Tap the add calendar button
Tap Add Shared Calendars
Search for the person or group whose calendar you already have permission to access, then tap the add button next to their name
The calendar will appear in your list
Can you open Shared Calendars on Outlook for Android too?
Yep, this feature is also available for Outlook for Android.
//gcits.com.au/wp-content/uploads/GCITSlogowordpress.png00Elliot Munro//gcits.com.au/wp-content/uploads/GCITSlogowordpress.pngElliot Munro2018-10-25 23:09:342019-02-21 13:23:31Open a shared calendar in Outlook for iOS
Org-Wide Teams in Microsoft Teams let you create a single Microsoft Team that includes all internal users in your organisation. However, Microsoft recommends that you make some changes to the team’s settings to cut down on excess noise and notifications.
What is an Org-Wide Microsoft Team?
An Org-Wide team in Microsoft Teams is just a team that includes everybody in your organisation. Its member list will automatically update as users come and go, and while it currently supports up to 1000 users, there are plans to increase this limit.
How do you create an Org-Wide Microsoft Team?
Creating an org-wide team is quite simple, just choose the Org-Wide team option from the drop-down when creating a new team at https://teams.microsoft.com
What are some best practices for Org-Wide Microsoft Teams?
If you have a lot of users in your organisation, these types of teams could quickly become very noisy and distracting.
To reduce excess notifications and noise, Microsoft have some best practice recommendations.
Only let team owners post on the General channel
You do this under Manage team
Click Settings, then Member permissions, then select Only owners can post messages.
Disable @mentions for the whole team
You’ll probably want to disable @mentions for the whole team, since that can send a notification to up to a thousand people at once.
You can do this do this under Settings, @mentions, Show members the option to @team or @[team name].
Automatically favorite important channels
Switch to the channels tab and tick Auto-favorite on the channels you would like to show up by default.
Also note that while the video above states that the feature is still in development, it has since been marked as launched.
//gcits.com.au/wp-content/uploads/GCITSlogowordpress.png00Elliot Munro//gcits.com.au/wp-content/uploads/GCITSlogowordpress.pngElliot Munro2018-10-22 10:13:072019-02-21 13:23:32Org-Wide teams in Microsoft Teams
Some companies will block access to Outlook on the web entirely because they don’t want users to be able to download their company data externally. This new feature strikes a middle ground, so users can still access Outlook on the web, but admins can use conditional access to restrict downloads from Outlook on the web on personal or unmanaged devices.
What is Conditional Access?
Conditional access lets you define different security measures which take effect depending on how users are trying to access your company data. For example a risky sign in according to Azure Active Directory might prompt for MFA, while a sign in from inside your company network on a trusted device won’t. An unmanaged or non-compliant device might not be able to access certain apps, while compliant devices can.
How to set up Conditional Access for Outlook on the web
Add the policy via Azure Active Directory Conditional Access
In this example, we are setting up a conditional access policy for non-compliant devices which prevents users from being able to download attachments via the browser.
Valid values for the -ConditionalAccessPolicy parameter are:
Off: No conditional access policy is applied to Outlook on the web. This is the default value.
ReadOnly: Users can’t download attachments to their local computer, and can’t enable Offline Mode on non-compliant computers. They can still view attachments in the browser.
ReadOnlyPlusAttachmentsBlocked: All restrictions from ReadOnly apply, but users can’t view attachments in the browser.
Wait a few hours for the policy to apply. Once it takes effect, the previously selected users on non-compliant devices will not be able to download attachments via Outlook on the web.
What is the user experience?
The ReadOnly policy will ensure that users on non-compliant devices can’t download email attachments through Outlook on the web to their local device. They can only access them via the file viewers in the browser.
If you use the ReadOnlyPlusAttachmentsBlocked value, users will not be able to access attachments via the browser at all.
What license do I need for Conditional Access for Outlook on the web?
Conditional Access requires a subscription with Azure AD P1 or P2.
//gcits.com.au/wp-content/uploads/GCITSlogowordpress.png00Elliot Munro//gcits.com.au/wp-content/uploads/GCITSlogowordpress.pngElliot Munro2018-10-21 21:03:392019-02-21 13:23:33Outlook on the web - Conditional Access
A compromised administrator account or an admin becoming a disgruntled ex-employee is a source of serious risk to a business. This is because traditionally admins can do whatever they want, whenever they want. To address this issue, Microsoft have developed Privileged Access Management.
What is Privileged Access Management?
Privileged Access Management works on the principle of zero standing access. That means that admins don’t have the ability to perform potentially damaging actions all of the time.
When they need to perform a task that may expose sensitive data or has potential to cause a lot of damage, they will be given just enough access to complete the task. And even then, only for a specific time and only following an audited approval process.
You can define which tasks require a privileged access request via the admin portal.
When admins want to perform one of these tasks, they can raise their requests for access via the portal or via Powershell.
A sample Powershell request to perform tasks requiring privileged access approval looks like this:
New-ElevatedAccessRequest -Task 'Exchange\New-JournalRule' -Reason 'Setting Journal per request.' -DurationHours 4
Requests can be automatically or manually approved, and requestors are notified of the approval outcome via email. All privileged access requests and approval process information is recorded for internal reviews and auditors.
Privileged Access Management License requirements
Privileged access management requires Microsoft 365 E5, Office 365 E5 or the standalone Advanced Compliance SKU.
The new Azure Active Directory controls relate to how well your securing identities in your organization.
Enabling self-service password reset to empower users and reduce help desk costs
You can login to Azure AD to enable self service password reset for all, or just selected, users. You can choose the authentication measures (eg. phone number and alternate email) that users can use to reset their passwords. The policy can require that users register these details on next login, and also define a time period for users to reconfirm their info.
Require just in time access for global administrators using Privileged Identity Management
Privileged Identity Management works on the principal of zero standing access. In practice it means that by default, admins don’t have the ability to perform actions which expose sensitive data, or potentially cause harm. When an admin needs to perform one of these types of actions, they follow a set approval process and provide a justification. This process is audited, and upon approval, the admin is only granted access for a limited period of time. Privileged Identity Management can be enabled in the admin portal, provided you have a plan which includes Azure AD P2.
Turning on password hash sync
If you’re running a hybrid organisation, you can setup password hash sync. This will ensure that users can have the same password for Office 365 and Azure AD services that they use on-premise.
At Microsoft Ignite this year it was reported that only 2% of all admins in Office 365/Azure AD had multifactor authentication enabled. This control is scored quite high as multi-factor authentication makes your accounts 99.9% less likely to be compromised.
Every Office 365/Azure AD tenant gets a free conditional access baseline policy which requires MFA for all privileged roles in Office 365 and Azure AD. This policy will soon be enabled by default, however you can login here and require it be enabled immediately.
Disable stale accounts
Microsoft recommends that you disable any accounts that haven’t been used for the last 30 days. While there may be legitimate circumstances where an account is unused for 30 days, these accounts can also be targets for attackers who are looking to find ways to access your data without being noticed. See here for a list of inactive users in your organisation.
Have less than 5 global admins
You should designate less than 5 global admins in your organisation, even if they are all protected by MFA. The more admin users you have, the more likely it is that one of them is breached or ends up in the hands of a malicious insider. Admin roles in Office 365 should be assigned with the least privilege required for the admin to perform their tasks. Microsoft recommends that you do have at least 2 global admins however, to ensure you can recover from a breached account or rogue insider.
Don’t expire passwords
Setting passwords to expire encourages bad security practices when users store them unsafely or set insecure passwords with patterns. It’s best practice to require users to set stronger passwords which never expire.
What is Microsoft Cloud App Security
Microsoft Cloud App Security gives you a framework to secure your Microsoft and non-Microsoft cloud apps. You can use it to setup policies which alert on suspicious logins or behaviours are across apps like Office 365, Dropbox, Box, Salesforce and many more.
Microsoft Cloud App Security is available in Microsoft 365 E5 and in Office 365 E5 (as Office 365 Cloud App Security). We recommend you purchase it stand alone if you don’t have an E5 plan.
Here are the new Secure Score controls for Cloud App Security:
Reviewing permissions and blocking risky OAuth applications
You can visit the App Permissions page for third party apps in Cloud App Security to see which permissions have been granted to access your company’s Office 365 data. Here, you can revoke permissions and prevent users from authorising these apps to access company info.
Reviewing anomaly detection policies
Anomaly detection policies use machine learning to detect suspicious activities amongst your users. They help you understand if users are logging in from locations that they normally don’t log in from, using anonymous IP addresses, and have multiple failed login attempts. Review them here.
Discover risky and non-compliant Shadow IT applications
Upload your firewall and proxy logs and use the cloud discovery dashboard to discover which applications are in use within your company. Cloud App Security has a rating system that can help determine the risk level of each application. Create a report here.
Creating custom activity policies to discover risky behaviour
In Cloud App Security you can create custom policies as well as take advantage of some of the built-in defaults. These policies can detect and alert when there are suspicious activities like mass downloads or deletions across your Microsoft and third party cloud apps.
//gcits.com.au/wp-content/uploads/GCITSlogowordpress.png00Elliot Munro//gcits.com.au/wp-content/uploads/GCITSlogowordpress.pngElliot Munro2018-10-21 15:57:462019-02-21 13:23:35Microsoft Secure Score support for new controls
The popular Encrypt-Only policy for Office 365 Message Encryption can now be enabled automatically as part of a DLP (Data Loss Prevention) policy.
What is the Office 365 Encrypt-Only policy?
The Encrypt-only policy is useful because it encrypts the message and prevents it from being intercepted or scanned by other mail systems. To read the messages, recipients need to sign in via a Microsoft, Google, Yahoo or Office 365 account. If they don’t have any of those accounts, they can request a one time password to access and read the email.
It’s called Encrypt-only because other encryption options in Office 365 also enforce policies that prevent a message from being forwarded or printed. The Encrypt-Only policy just encrypts the message and prevents it from being accessed by anyone who shouldn’t.
Enabling Encrypt-Only via a DLP policy
If you are using Office 365 Message Encryption already, you can set up a DLP policy that will enable Encrypt-Only on email messages that match a certain DLP trigger. These policies are configurable in the Security and Compliance Center at https://protection.office.com.
Here is a policy that is set to trigger on emails containing Australian Financial Information:
The action for this policy is to apply the Encrypt-only message encryption policy:
This feature is available now for organisations with Microsoft 365 E3 and E5, Office 365 E3 and E5 or as part of the standalone Azure Information Protection SKUs.
We may request cookies to be set on your device. We use cookies to let us know when you visit our websites, how you interact with us, to enrich your user experience, and to customize your relationship with our website.
Click on the different category headings to find out more. You can also change some of your preferences. Note that blocking some types of cookies may impact your experience on our websites and the services we are able to offer.
Essential Website Cookies
These cookies are strictly necessary to provide you with services available through our website and to use some of its features.
Because these cookies are strictly necessary to deliver the website, refuseing them will have impact how our site functions. You always can block or delete cookies by changing your browser settings and force blocking all cookies on this website. But this will always prompt you to accept/refuse cookies when revisiting our site.
We fully respect if you want to refuse cookies but to avoid asking you again and again kindly allow us to store a cookie for that. You are free to opt out any time or opt in for other cookies to get a better experience. If you refuse cookies we will remove all set cookies in our domain.
We provide you with a list of stored cookies on your computer in our domain so you can check what we stored. Due to security reasons we are not able to show or modify cookies from other domains. You can check these in your browser security settings.
Google Analytics Cookies
These cookies collect information that is used either in aggregate form to help us understand how our website is being used or how effective our marketing campaigns are, or to help us customize our website and application for you in order to enhance your experience.
If you do not want that we track your visit to our site you can disable tracking in your browser here:
Other external services
We also use different external services like Google Webfonts, Google Maps, and external Video providers. Since these providers may collect personal data like your IP address we allow you to block them here. Please be aware that this might heavily reduce the functionality and appearance of our site. Changes will take effect once you reload the page.
Google Webfont Settings:
Google Map Settings:
Google reCaptcha Settings:
Vimeo and Youtube video embeds:
Other cookies
The following cookies are also needed - You can choose if you want to allow them:
Should I use Dropbox Business or SharePoint and OneDrive?
Office 365Now more than ever, being able to work remotely is of critical importance. Ensuring that employees have the right tools to work from home or in isolation, is a real concern for business owners.
Why do we recommend Dropbox Business instead of OneDrive and SharePoint?
This is a question we’re asked occasionally and it’s something we’ve given a lot of consideration. Why do we deploy Dropbox Business for our customers? We’re a Microsoft Gold Partner, it’d make sense for us to go with OneDrive and SharePoint, right?
Ultimately it comes down to reliability and user experience. We can still roll out and secure Dropbox Business using Microsoft identities and security tools while providing a simple, reliable experience to our customers.
Here’s an overview of why we deploy Dropbox Business over OneDrive & SharePoint:
Download the full article here
Reliability
Generally speaking, the Dropbox client just works.
This is extremely important to us. A Dropbox keynote speaker once commented: “Dropbox doesn’t just keep files in sync, it keeps teams in sync.” It’s marketing talk, but it makes sense.
When the tool that keeps your team in sync doesn’t work reliably, not only can you lose trust in it, but you can lose trust in your team. You’ll never know if the reason the files aren’t there is because the syncing isn’t working, or because your team members haven’t done their job. And when it does come back online, are all the changes and files there? Are there conflicts? How will we know without checking each affected device and team member? It may seem trivial, but in our experience, the emotional impact of an unreliable sync client is a very real thing.
Ease of Use
Dropbox eases the digital transformation curve for users who are familiar with working via Windows Explorer or Mac Finder. Users can take advantage of the improved mobility, security and external collaboration features at their own pace.
The New Dropbox Desktop App is good
The new Dropbox Desktop App actually works quite well. It has a familiar file explorer/finder layout with additional enhancements that make it easier for employees to collaborate and comment on files and turn folders into productive workspaces called Dropbox Spaces.
Single Sign-on is simple to use
Single Sign-on allows users to use their Office 365 account to log into multiple services. If a user is signed into their computer with Office 365, they can sign into the Dropbox App or website without needing to re-enter their credentials. Granted, this is also the case for OneDrive and SharePoint, but we are often asked about how seamless Dropbox’s integration is.
Simple sharing
Dropbox has an easy sharing interface, in the browser, on the desktop and using mobile apps.
Office 365 and GSuite support
Dropbox supports both Microsoft’s Office Online and Google GSuite web apps to allow for the creation and editing of documents from anywhere. Users who work on files via the browser in Office 365 or GSuite will see little difference when switching to Dropbox Business.
Microsoft Cloud App Security
Microsoft Cloud App Security provides an additional level of alerting and data protection policy over Dropbox Business. This is especially handy for detecting malicious insider activity such as mass deletes and downloads. Using Cloud App Security we can guard against scenarios where employees accidentally or intentionally delete or download company data.
Built-in security policies
The built-in security policies are also quite good for Dropbox Business. Unlike the basic Office 365 plans, Dropbox actually notifies you if someone accesses your account from a new browser, or connects a new device to your account.
It’s also very simple to lock down sharing as required for certain files and folders. It’s easy to ensure that certain files and folders cannot be shared outside the company, or shared with anyone at all.
Want more information? For a comprehensive White Paper on why we choose Dropbox Business, fill out the form below.
GCITS are the first Dropbox Elite Partners in Australia and New Zealand
NewsWe’ve been providing Dropbox Business as a core part of our Managed Services for a few years now, and have received great feedback from customers for its simplicity and reliability.
Our customers get a seamless solution with Dropbox Business and Microsoft 365, with single sign on through Azure Active Directory, advanced protection via Microsoft Cloud App Security and an excellent integration with Office Online.
We’re thrilled to announce that we have completed the customer satisfaction and training requirements to become the first Dropbox Business Elite Partner in Australia and New Zealand. And we’re pretty happy with the smash cake too.
A new SharePoint-powered files experience is coming to Microsoft Teams
Microsoft 365, Microsoft Teams, Office 365, SharePointThis update will bring extra document management capabilities from SharePoint into Microsoft Teams.
The current Microsoft Teams files experience
The document storage and collaboration functionality in Microsoft Teams is built on SharePoint. Every Microsoft Team is also an Office 365 Group, and each team has a group-connected SharePoint site which stores all the files shared amongst the team.
You can already reach this site from the files tab of your Microsoft Teams channels, however the experience within Teams is a bit limited.
An updated Document Library experience in Microsoft Teams
This update brings the full functionality of a SharePoint Document Library into Microsoft Teams. With the ability to add and manage custom columns, sort and filter files with custom views, trigger workflows and much more.
Sync files from Microsoft Teams with your PC or Mac
This is the standout feature in this update. The ability to sync files with a PC or Mac will be available from within Microsoft teams. At Ignite this year, Microsoft demonstrated the new interface during the Content Collaboration in the Modern Workplace – BRK2451 session.
This screen capture demonstrates custom columns, views and formatting, as well as the new sync button within Microsoft Teams.
The roadmap update for this feature listed a general availability date of Q3 of calendar year 2018, so it should be rolling out any minute now.
For more info on this feature, see the Content Collaboration in the Modern Workplace session from Microsoft Ignite.
Office 365 ATP can now be integrated into your SIEM
Exchange, Malware and Security Threats, Microsoft 365, Office 365Office 365 Advanced Threat protection and Office 365 threat intelligence logs can now be integrated into your SIEM solution.
Threats discovered by these services can be made available on the audit.general workload of the Office 365 Management APIs.
What are the Office 365 Management APIs?
The Office 365 Management APIs are essentially the API version of the Office 365 Unified Audit Log
To get your Office 365 ATP info into your SIEM, you’ll need to have the Unified Audit Log enabled for your tenant. Unfortunately, it’s not enabled by default.
How to enable the Office 365 Unified Audit Log
The Office 365 Unified Audit Log is an important and useful tool which can help you secure your Microsoft Cloud environment. If you’re a Microsoft Partner, we have a longer article on enabling this for your customers’ tenants here, but to enable it for a single tenant, you have two options.
Enable the Office 365 Unified Audit Log via the Security and Compliance Center
Enable the Office 365 Unified Audit Log via Powershell
Connect your SIEM to the Office 365 Management APIs
Once the audit log is enabled, threats discovered by Office 365 ATP and Threat Intelligence will be available on the audit.general endpoint of the Office 365 Management API. For more information on setting this up, see the official Microsoft documentation here.
Open a shared calendar in Outlook for iOS
Office 365, Office 365 Roadmap Updates, OutlookYou’ve been able to open shared calendars in Outlook for iOS and Outlook for Android for a little while now, however this update makes it a lot easier.
How did Shared Calendars on Outlook for Mobile previously work?
With this update to Outlook for iOS, you can now open calendars that are already shared with you.
How to open a shared calendar in Outlook for iOS
Can you open Shared Calendars on Outlook for Android too?
Yep, this feature is also available for Outlook for Android.
Org-Wide teams in Microsoft Teams
Microsoft 365, Microsoft Teams, Office 365, Office 365 Roadmap UpdatesOrg-Wide Teams in Microsoft Teams let you create a single Microsoft Team that includes all internal users in your organisation. However, Microsoft recommends that you make some changes to the team’s settings to cut down on excess noise and notifications.
What is an Org-Wide Microsoft Team?
An Org-Wide team in Microsoft Teams is just a team that includes everybody in your organisation. Its member list will automatically update as users come and go, and while it currently supports up to 1000 users, there are plans to increase this limit.
How do you create an Org-Wide Microsoft Team?
Creating an org-wide team is quite simple, just choose the Org-Wide team option from the drop-down when creating a new team at https://teams.microsoft.com
What are some best practices for Org-Wide Microsoft Teams?
If you have a lot of users in your organisation, these types of teams could quickly become very noisy and distracting.
To reduce excess notifications and noise, Microsoft have some best practice recommendations.
Only let team owners post on the General channel
Disable @mentions for the whole team
You’ll probably want to disable @mentions for the whole team, since that can send a notification to up to a thousand people at once.
Automatically favorite important channels
Switch to the channels tab and tick Auto-favorite on the channels you would like to show up by default.
Also note that while the video above states that the feature is still in development, it has since been marked as launched.
Outlook on the web – Conditional Access
Azure Active Directory, Exchange, Office 365, Office 365 Roadmap UpdatesSome companies will block access to Outlook on the web entirely because they don’t want users to be able to download their company data externally. This new feature strikes a middle ground, so users can still access Outlook on the web, but admins can use conditional access to restrict downloads from Outlook on the web on personal or unmanaged devices.
What is Conditional Access?
Conditional access lets you define different security measures which take effect depending on how users are trying to access your company data. For example a risky sign in according to Azure Active Directory might prompt for MFA, while a sign in from inside your company network on a trusted device won’t. An unmanaged or non-compliant device might not be able to access certain apps, while compliant devices can.
How to set up Conditional Access for Outlook on the web
Add the policy via Azure Active Directory Conditional Access
In this example, we are setting up a conditional access policy for non-compliant devices which prevents users from being able to download attachments via the browser.
Configure the OWAMailboxPolicy via Powershell
Valid values for the -ConditionalAccessPolicy parameter are:
Wait a few hours for the policy to apply. Once it takes effect, the previously selected users on non-compliant devices will not be able to download attachments via Outlook on the web.
What is the user experience?
The ReadOnly policy will ensure that users on non-compliant devices can’t download email attachments through Outlook on the web to their local device. They can only access them via the file viewers in the browser.
If you use the ReadOnlyPlusAttachmentsBlocked value, users will not be able to access attachments via the browser at all.
What license do I need for Conditional Access for Outlook on the web?
Conditional Access requires a subscription with Azure AD P1 or P2.
Privileged access management in Office 365
Azure Active Directory, Exchange, Office 365, Office 365 Roadmap UpdatesA compromised administrator account or an admin becoming a disgruntled ex-employee is a source of serious risk to a business. This is because traditionally admins can do whatever they want, whenever they want. To address this issue, Microsoft have developed Privileged Access Management.
What is Privileged Access Management?
Privileged Access Management works on the principle of zero standing access. That means that admins don’t have the ability to perform potentially damaging actions all of the time.
When they need to perform a task that may expose sensitive data or has potential to cause a lot of damage, they will be given just enough access to complete the task. And even then, only for a specific time and only following an audited approval process.
You can define which tasks require a privileged access request via the admin portal.
When admins want to perform one of these tasks, they can raise their requests for access via the portal or via Powershell.
A sample Powershell request to perform tasks requiring privileged access approval looks like this:
Privileged Access Management License requirements
Privileged access management requires Microsoft 365 E5, Office 365 E5 or the standalone Advanced Compliance SKU.
Microsoft Secure Score support for new controls
Azure Active Directory, Microsoft Cloud App Security, Office 365 Roadmap UpdatesMicrosoft Secure Score has added new controls to support Microsoft Cloud App security and Azure Active Directory.
What is Microsoft Secure Score?
Microsoft Secure Score is a solution that rates how well you’re leveraging security controls for Office 365, Microsoft 365 and Windows 10.
You can check your secure score, and see how you compare against similar businesses at https://securescore.microsoft.com.
New Azure Active Directory Secure Score controls
The new Azure Active Directory controls relate to how well your securing identities in your organization.
Enabling self-service password reset to empower users and reduce help desk costs
You can login to Azure AD to enable self service password reset for all, or just selected, users. You can choose the authentication measures (eg. phone number and alternate email) that users can use to reset their passwords. The policy can require that users register these details on next login, and also define a time period for users to reconfirm their info.
Require just in time access for global administrators using Privileged Identity Management
Privileged Identity Management works on the principal of zero standing access. In practice it means that by default, admins don’t have the ability to perform actions which expose sensitive data, or potentially cause harm. When an admin needs to perform one of these types of actions, they follow a set approval process and provide a justification. This process is audited, and upon approval, the admin is only granted access for a limited period of time. Privileged Identity Management can be enabled in the admin portal, provided you have a plan which includes Azure AD P2.
Turning on password hash sync
If you’re running a hybrid organisation, you can setup password hash sync. This will ensure that users can have the same password for Office 365 and Azure AD services that they use on-premise.
Enable user risk policies
Companies with Azure AD P2 can enable policies that can block access or prompt a user for MFA when a risky sign-in is detected. A risky sign in could be a login from an unexpected location or from a device infected with malware.
Some other important Azure AD controls include:
Require MFA for admins (and also users)
At Microsoft Ignite this year it was reported that only 2% of all admins in Office 365/Azure AD had multifactor authentication enabled. This control is scored quite high as multi-factor authentication makes your accounts 99.9% less likely to be compromised.
Every Office 365/Azure AD tenant gets a free conditional access baseline policy which requires MFA for all privileged roles in Office 365 and Azure AD. This policy will soon be enabled by default, however you can login here and require it be enabled immediately.
Disable stale accounts
Microsoft recommends that you disable any accounts that haven’t been used for the last 30 days. While there may be legitimate circumstances where an account is unused for 30 days, these accounts can also be targets for attackers who are looking to find ways to access your data without being noticed. See here for a list of inactive users in your organisation.
Have less than 5 global admins
You should designate less than 5 global admins in your organisation, even if they are all protected by MFA. The more admin users you have, the more likely it is that one of them is breached or ends up in the hands of a malicious insider. Admin roles in Office 365 should be assigned with the least privilege required for the admin to perform their tasks. Microsoft recommends that you do have at least 2 global admins however, to ensure you can recover from a breached account or rogue insider.
Don’t expire passwords
Setting passwords to expire encourages bad security practices when users store them unsafely or set insecure passwords with patterns. It’s best practice to require users to set stronger passwords which never expire.
What is Microsoft Cloud App Security
Microsoft Cloud App Security gives you a framework to secure your Microsoft and non-Microsoft cloud apps. You can use it to setup policies which alert on suspicious logins or behaviours are across apps like Office 365, Dropbox, Box, Salesforce and many more.
Microsoft Cloud App Security is available in Microsoft 365 E5 and in Office 365 E5 (as Office 365 Cloud App Security). We recommend you purchase it stand alone if you don’t have an E5 plan.
Here are the new Secure Score controls for Cloud App Security:
Reviewing permissions and blocking risky OAuth applications
You can visit the App Permissions page for third party apps in Cloud App Security to see which permissions have been granted to access your company’s Office 365 data. Here, you can revoke permissions and prevent users from authorising these apps to access company info.
Reviewing anomaly detection policies
Anomaly detection policies use machine learning to detect suspicious activities amongst your users. They help you understand if users are logging in from locations that they normally don’t log in from, using anonymous IP addresses, and have multiple failed login attempts. Review them here.
Discover risky and non-compliant Shadow IT applications
Upload your firewall and proxy logs and use the cloud discovery dashboard to discover which applications are in use within your company. Cloud App Security has a rating system that can help determine the risk level of each application. Create a report here.
Creating custom activity policies to discover risky behaviour
In Cloud App Security you can create custom policies as well as take advantage of some of the built-in defaults. These policies can detect and alert when there are suspicious activities like mass downloads or deletions across your Microsoft and third party cloud apps.
Office 365 Message Encryption: Encrypt-Only template available in Office 365 Unified DLP
Exchange, Office 365, Office 365 Roadmap UpdatesThe popular Encrypt-Only policy for Office 365 Message Encryption can now be enabled automatically as part of a DLP (Data Loss Prevention) policy.
What is the Office 365 Encrypt-Only policy?
The Encrypt-only policy is useful because it encrypts the message and prevents it from being intercepted or scanned by other mail systems. To read the messages, recipients need to sign in via a Microsoft, Google, Yahoo or Office 365 account. If they don’t have any of those accounts, they can request a one time password to access and read the email.
It’s called Encrypt-only because other encryption options in Office 365 also enforce policies that prevent a message from being forwarded or printed. The Encrypt-Only policy just encrypts the message and prevents it from being accessed by anyone who shouldn’t.
Enabling Encrypt-Only via a DLP policy
If you are using Office 365 Message Encryption already, you can set up a DLP policy that will enable Encrypt-Only on email messages that match a certain DLP trigger. These policies are configurable in the Security and Compliance Center at https://protection.office.com.
Here is a policy that is set to trigger on emails containing Australian Financial Information:
The action for this policy is to apply the Encrypt-only message encryption policy:
This feature is available now for organisations with Microsoft 365 E3 and E5, Office 365 E3 and E5 or as part of the standalone Azure Information Protection SKUs.