Outlook on the web – Conditional Access

, , ,

Some companies will block access to Outlook on the web entirely because they don’t want users to be able to download their company data externally. This new feature strikes a middle ground, so users can still access Outlook on the web,  but admins can use conditional access to restrict downloads from Outlook on the web on personal or unmanaged devices.

What is Conditional Access?

Conditional access lets you define different security measures which take effect depending on how users are trying to access your company data. For example a risky sign in according to Azure Active Directory might prompt for MFA, while a sign in from inside your company network on a trusted device won’t. An unmanaged or non-compliant device might not be able to access certain apps, while compliant devices can.

How to set up Conditional Access for Outlook on the web

Add the policy via Azure Active Directory Conditional Access

In this example, we are setting up a conditional access policy for non-compliant devices which prevents users from being able to download attachments via the browser.

  1. Log in to portal.azure.com and open Azure Active Directory
  2. Click Conditional Access and create a new policy
  3. Under Users and groups, choose people or groups to apply the policy to.
  4. Click Cloud apps, choose Select apps, then search for and select Office 365 Exchange OnlineSelect Exchange Online Cloud App For Conditional Access
  5. Under Session, select Use app enforced restrictionsUse App Enforced Restrictions On Conditional Access

Configure the OWAMailboxPolicy via Powershell

  1. Connect to Exchange Online via Powershell
  2. Run the following cmdlet to get the name(s) of your current OWA Mailbox Policies.
    Get-OwaMailboxPolicy | ft Name

    Get-OwaMailboxPolicy Powershell for Conditional Access

  3. Run the following cmdlet to set the Conditional Access policy option on your OWA Mailbox policy to ReadOnly.
    Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -ConditionalAccessPolicy ReadOnly

    Setting OWAMailboxPolicy ViaPowerShell for Conditional Access

Valid values for the -ConditionalAccessPolicy parameter are:

  • Off: No conditional access policy is applied to Outlook on the web. This is the default value.
  • ReadOnly: Users can’t download attachments to their local computer, and can’t enable Offline Mode on non-compliant computers. They can still view attachments in the browser.
  • ReadOnlyPlusAttachmentsBlocked: All restrictions from ReadOnly apply, but users can’t view attachments in the browser.

Wait a few hours for the policy to apply. Once it takes effect, the previously selected users on non-compliant devices will not be able to download attachments via Outlook on the web.

What is the user experience?

The ReadOnly policy will ensure that users on non-compliant devices can’t download email attachments through Outlook on the web to their local device. They can only access them via the file viewers in the browser.

ReadOnly Outlook On The Web Conditional Access

If you use the ReadOnlyPlusAttachmentsBlocked value, users will not be able to access attachments via the browser at all.

What license do I need for Conditional Access for Outlook on the web?

Conditional Access requires a subscription with Azure AD P1 or P2.

Privileged access management in Office 365

, , ,

A compromised administrator account or an admin becoming a disgruntled ex-employee is a source of serious risk to a business. This is because traditionally admins can do whatever they want, whenever they want. To address this issue, Microsoft have developed Privileged Access Management.

What is Privileged Access Management?

Privileged Access Management works on the principle of zero standing access. That means that admins don’t have the ability to perform potentially damaging actions all of the time.

When they need to perform a task that may expose sensitive data or has potential to cause a lot of damage, they will be given just enough access to complete the task. And even then, only for a specific time and only following an audited approval process.

You can define which tasks require a privileged access request via the admin portal.

Create Privileged Access Policy

When admins want to perform one of these tasks, they can raise their requests for access via the portal or via Powershell.

A sample Powershell request to perform tasks requiring privileged access approval looks like this:

New-ElevatedAccessRequest -Task 'Exchange\New-JournalRule' -Reason 'Setting Journal per request.' -DurationHours 4

Privileged Access PowerShell RequestRequests can be automatically or manually approved, and requestors are notified of the approval outcome via email. All privileged access requests and approval process information is recorded for internal reviews and auditors.Privileged Access Request Email

Privileged Access Management License requirements

Privileged access management requires Microsoft 365 E5, Office 365 E5 or the standalone Advanced Compliance SKU.

 

Microsoft Secure Score support for new controls

, ,

Microsoft Secure Score has added new controls to support Microsoft Cloud App security and Azure Active Directory.

What is Microsoft Secure Score?

Microsoft Secure Score

Microsoft Secure Score is a solution that rates how well you’re leveraging security controls for Office 365, Microsoft 365 and Windows 10.

You can check your secure score, and see how you compare against similar businesses at https://securescore.microsoft.com.

New Azure Active Directory Secure Score controls

The new Azure Active Directory controls relate to how well your securing identities in your organization.

Enabling self-service password reset to empower users and reduce help desk costs

You can login to Azure AD to enable self service password reset for all, or just selected, users. You can choose the authentication measures (eg. phone number and alternate email) that users can use to reset their passwords. The policy can require that users register these details on next login, and also define a time period for users to reconfirm their info.

Require just in time access for global administrators using Privileged Identity Management

Privileged Identity Management works on the principal of zero standing access. In practice it means that by default, admins don’t have the ability to perform actions which expose sensitive data, or potentially cause harm. When an admin needs to perform one of these types of actions, they follow a set approval process and provide a justification. This process is audited, and upon approval, the admin is only granted access for a limited period of time. Privileged Identity Management can be enabled in the admin portal, provided you have a plan which includes Azure AD P2.

Turning on password hash sync

If you’re running a hybrid organisation, you can setup password hash sync. This will ensure that users can have the same password for Office 365 and Azure AD services that they use on-premise.

Enable user risk policies

Companies with Azure AD P2 can enable policies that can block access or prompt a user for MFA when a risky sign-in is detected. A risky sign in could be a login from an unexpected location or from a device infected with malware.

Some other important Azure AD controls include:

Require MFA for admins (and also users)

At Microsoft Ignite this year it was reported that only 2% of all admins in Office 365/Azure AD had multifactor authentication enabled. This control is scored quite high as multi-factor authentication makes your accounts 99.9% less likely to be compromised.

Every Office 365/Azure AD tenant gets a free conditional access baseline policy which requires MFA for all privileged roles in Office 365 and Azure AD. This policy will soon be enabled by default, however you can login here and require it be enabled immediately.

Disable stale accounts

Microsoft recommends that you disable any accounts that haven’t been used for the last 30 days. While there may be legitimate circumstances where an account is unused for 30 days, these accounts can also be targets for attackers who are looking to find ways to access your data without being noticed. See here for a list of inactive users in your organisation.

Have less than 5 global admins

You should designate less than 5 global admins in your organisation, even if they are all protected by MFA. The more admin users you have, the more likely it is that one of them is breached or ends up in the hands of a malicious insider. Admin roles in Office 365 should be assigned with the least privilege required for the admin to perform their tasks. Microsoft recommends that you do have at least 2 global admins however, to ensure you can recover from a breached account or rogue insider.

Don’t expire passwords

Setting passwords to expire encourages bad security practices when users store them unsafely or set insecure passwords with patterns. It’s best practice to require users to set stronger passwords which never expire.

What is Microsoft Cloud App Security

Microsoft Cloud App Security gives you a framework to secure your Microsoft and non-Microsoft cloud apps. You can use it to setup policies which alert on suspicious logins or behaviours are across apps like Office 365, Dropbox, Box, Salesforce and many more.

Microsoft Cloud App Security is available in Microsoft 365 E5 and in Office 365 E5 (as Office 365 Cloud App Security). We recommend you purchase it stand alone if you don’t have an E5 plan.

Microsoft Cloud App Security

Here are the new Secure Score controls for Cloud App Security:

Reviewing permissions and blocking risky OAuth applications

You can visit the App Permissions page for third party apps in Cloud App Security to see which permissions have been granted to access your company’s Office 365 data. Here, you can revoke permissions and prevent users from authorising these apps to access company info.

Reviewing anomaly detection policies

Anomaly detection policies use machine learning to detect suspicious activities amongst your users. They help you understand if users are logging in from locations that they normally don’t log in from, using anonymous IP addresses, and have multiple failed login attempts. Review them here.

Discover risky and non-compliant Shadow IT applications

Upload your firewall and proxy logs and use the cloud discovery dashboard to discover which applications are in use within your company. Cloud App Security has a rating system that can help determine the risk level of each application. Create a report here.

Creating custom activity policies to discover risky behaviour

In Cloud App Security you can create custom policies as well as take advantage of some of the built-in defaults. These policies can detect and alert when there are suspicious activities like mass downloads or deletions across your Microsoft and third party cloud apps.

Automating video creation with Azure Functions, Azure Media Services and Microsoft Flow

,

So this is my first video post about a Microsoft 365 roadmap update.

If you follow me on LinkedIn, you might have noticed I’ve been doing a bunch of different updates lately for the Microsoft 365 roadmap. I do this because it’s fun to see all the things that are changing and being added to the platform.

The way that those updates work is that I have an Azure function checking the roadmap API every few hours and comparing it against a version I have in a Cosmos DB database. When it finds a new or a changed feature on the roadmap, it creates a picture using an API from Imgix and starts a Microsoft Flow approval process asking for my notes. Once approved, the image and those notes are pushed on to Buffer which posts the update on my social media.

I wanted to see if I could do the same thing with video so I’ve extended that solution a bit.

Now, when I’m prompted to add notes to a roadmap update I’m also prompted to add a video to a newly generated OneDrive folder. When I add the video of me discussing the update and approve the Microsoft Flow request, another Azure Function takes the video from OneDrive and sends that over to Azure Media Services. It’s then encoded to a smaller size and  automatically transcribed. It then sends me the generated subtitles, which I can correct on my phone and then approve. Once corrected, the subtitles and the encoded video are sent over to a service called Cloudinary, which has a cool video editing API.

I’ve made a bunch of different transitions and animated logos depending on which service the update is tagged with, so that each video is a little bit customised. Finally, another function makes the video via the Cloudinary API.

The cool thing about this solution is that it’s written entirely in Powershell. I’m using Azure Functions here because they make it easy to build these automated solutions using a language that I’m familiar with. So the end result is I can create a nicely formatted social media video with hardcoded subtitles from my phone. See an example of this above.

The other thing that I can do with my phone, is sign in using the Microsoft Authenticator app with passwordless sign in. Which is what this update’s about.

It’s actually really easy to setup, you can follow the instructions on this post and help your users reach a more secure, password-less future.

How to add branding to Office 365 login screens

, ,

You can customise your Office 365 login screens via a service called Azure Active Directory (or Azure AD).

Microsoft Azure continues to transition to the new portal at portal.azure.com, and Azure AD is one of the last services to make the leap. Now that it’s in Preview on the new portal, we’ve made an updated video on how to easily brand your Office 365 login screens.