Posts Tagged ‘365’

Recently had a user who, when outside the office, could not connect to 365. As shown below, her Outlook would just sit on “Trying to Connect”.

They used OAuth for Outlook with 2FA, which means that when outside of a “trusted IP” a box should come up asking for the 2FA code. However, this prompt was never appearing, even after a restart (which usually fixes a stuck OAuth box).

Fix

Go into Credential Manager and delete all the ADAL entries for the user, then restart Outlook.


Recently I tried to set up a 365 Send connector to relay outbound mail through a third party, Mimecast (https://community.mimecast.com/docs/DOC-1623). Mimecast confirmed they had enabled the tenant domains to relay through Mimecast.

The send connector validation was failing at the last step; however, I was receiving the test email. After numerous calls with Office 365 support they came back with the reply “We don’t support technical help with Third Party SMTP Servers”.

Checking the headers on the email that came through showed the validator wasn’t even relaying through Mimecast.

Enabling the Send Connector and trying again resolved the issue. However, it’s a flawed design: once the connector is enabled for validation, if any user tries to send out and it doesn’t work, they will get an NDR.


With an account that has Full Access to the shared mailbox, log in to Webmail and choose “Open Another Mailbox”.

Enter the shared mailbox and click OK.

Next, click on the Settings icon and choose “Publish Calendar”.

Next, change the details as shown below.

Next, send the external party the HTML or ICS file.


Had a ticket regarding 3 different emails sent to 3 different third parties, which were being duplicated into an IT mailbox on Office 365.

I double-checked the “rules” under Mail flow to make sure there were no BCC rules for the sending users; there were not.

In Message Trace the emails came up with Status “Expanded”. This means the email was sent to a group; however, the original email was sent to a single external email address.

Why was the external email address being displayed as a group in 365?

Turns out the Outbound Spam Preferences had been turned on! And for whatever reason, these messages were triggering the BCC of suspicious messages!


Recently we swapped a user’s UPN on a local domain controller (which syncs to 365 via AAD Connect) to another domain and SMTP alias. All worked well; however, she could not log in to Skype for Business.

Resetting Windows credentials, caches and registry items still did not fix this.

Most of the time this is due to the SIP address not being correct. Little did we know this user had Lync before migrating to 365, so they still had a SIP address set in the Attribute Editor.

Changing this resolved the issue.
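A quick way to find other users in the same state before they hit the problem, as an added example that is not part of the original post. It assumes the RSAT ActiveDirectory module and that the Attribute Editor field in question is msRTCSIP-PrimaryUserAddress (the attribute name is not stated on the page):

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory module and
# that the Lync SIP attribute set in Attribute Editor is msRTCSIP-PrimaryUserAddress
# (value "sip:user@domain"); both are assumptions, not stated on the page.
Import-Module ActiveDirectory

function Get-SipUpnMismatch {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    $props = 'UserPrincipalName', 'proxyAddresses', 'msRTCSIP-PrimaryUserAddress'
    # Only users that still carry a SIP address from the old on-premises Lync deployment
    Get-ADUser -LDAPFilter '(msRTCSIP-PrimaryUserAddress=*)' -SearchBase $SearchBase -Properties $props |
        ForEach-Object {
            $sip = ($_.'msRTCSIP-PrimaryUserAddress' -replace '^sip:', '').ToLower()
            $upn = "$($_.UserPrincipalName)".ToLower()
            # The primary SMTP address is the proxyAddresses entry with an upper-case "SMTP:" prefix
            $primary = ($_.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' } |
                Select-Object -First 1) -replace '^SMTP:', ''
            $primary = "$primary".ToLower()
            # Flag the state that broke Skype for Business sign-in: SIP differs from UPN / primary SMTP
            if ($sip -ne $upn -or ($primary -and $sip -ne $primary)) {
                [pscustomobject]@{
                    SamAccountName = $_.SamAccountName
                    UPN            = $upn
                    PrimarySmtp    = $primary
                    SipAddress     = $sip
                }
            }
        }
}

# Usage: Get-SipUpnMismatch | Format-Table -AutoSize
# Correcting a listed user (what the post did by hand in Attribute Editor), e.g.:
# Set-ADUser -Identity jsmith -Replace @{'msRTCSIP-PrimaryUserAddress' = 'sip:jsmith@newdomain.com'}
```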

 


When they initially onboarded, there was no filtering or security in any form.

Running a simple audit against Azure AD > Sign-ins showed the extent, even more so when you export to CSV.

2000+ failed attempts within 24 hours:

Step 1) Sort or filter the CSV to find common trends (specific user account/IP/country):

In this case, the client doesn’t have staff in China, nor should anyone be accessing from there.

Step 2) Create a blacklist – Azure AD > Conditional Access.

  • Create a Named location – in this case I named it ‘Blacklist’

  • Add any IPs to the blacklist

  • Create a policy – name it accordingly

  • Filter by a test account if appropriate, and the same for specific apps (don’t target all apps if the admin account is included! This can lock you out of the portal if you make a mistake!)

  • Set the blacklist location

  • Block the blacklist (or if you’re creating a whitelist, just allow instead of reject)

  • Enable the policy, then click the ‘What If’ button and test

Make sure it works as intended!

 

 

End result:
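Step 1 above is done by hand in the exported spreadsheet. As an added example (not from the original post), here is the same triage in PowerShell against the CSV export, producing the IP list to paste into the ‘Blacklist’ named location. The column names and the sample rows are assumptions / constructed data, not the client’s export:

```powershell
# Added example, not from the original post: summarise an Azure AD > Sign-ins CSV export
# by country, IP and user, and emit the IPs worth adding to the 'Blacklist' named location.
# The column names ('Username', 'Status', 'IP address', 'Location') are assumed to match
# the export; check your file's header row and adjust if Microsoft has renamed them.
function Get-FailedSignInSummary {
    param(
        [Parameter(Mandatory)][string]$CsvPath,
        [int]$Threshold = 10,                     # failures from one IP before it is a candidate
        [string[]]$ExpectedCountries = @('AU')    # countries staff legitimately sign in from
    )
    $failed = @(Import-Csv -Path $CsvPath | Where-Object { $_.Status -eq 'Failure' })
    # Location looks like "Beijing, Beijing, CN"; the trailing token is the country code
    $country = { ($_.Location -split ',\s*')[-1] }
    $byCountry = $failed | Group-Object $country | Sort-Object Count -Descending |
        Select-Object Name, Count
    $byUser = $failed | Group-Object Username | Sort-Object Count -Descending |
        Select-Object Name, Count
    $byIp = $failed | Group-Object 'IP address' | Sort-Object Count -Descending |
        Select-Object Name, Count, @{ n = 'Users'; e = { @($_.Group.Username | Sort-Object -Unique) -join ';' } }
    # Blacklist candidates: any IP over the threshold, or any failure from a country staff never use
    $cidrs = $failed | Group-Object 'IP address' | Where-Object {
        $c = ($_.Group[0].Location -split ',\s*')[-1]
        ($_.Count -ge $Threshold) -or ($ExpectedCountries -notcontains $c)
    } | ForEach-Object { "$($_.Name)/32" }   # named locations take CIDR ranges
    [pscustomobject]@{
        TotalFailed    = $failed.Count
        ByCountry      = $byCountry
        ByUser         = $byUser
        ByIp           = $byIp
        BlacklistCidrs = @($cidrs)
    }
}

# Constructed sample export (RFC 5737 test addresses, not real data) so this runs offline
$sample = @'
"Date (UTC)","Username","Status","IP address","Location"
"2018-08-01T01:02:03Z","admin@contoso.com","Failure","203.0.113.10","Beijing, Beijing, CN"
"2018-08-01T01:02:09Z","admin@contoso.com","Failure","203.0.113.10","Beijing, Beijing, CN"
"2018-08-01T01:02:15Z","jsmith@contoso.com","Failure","203.0.113.10","Beijing, Beijing, CN"
"2018-08-01T02:10:00Z","jsmith@contoso.com","Failure","198.51.100.7","Sydney, New South Wales, AU"
"2018-08-01T03:00:00Z","alee@contoso.com","Failure","203.0.113.44","Hanoi, Hanoi, VN"
'@
$path = Join-Path ([IO.Path]::GetTempPath()) 'signins-sample.csv'
Set-Content -Path $path -Value $sample
$summary = Get-FailedSignInSummary -CsvPath $path -Threshold 3
$summary.ByCountry | Format-Table -AutoSize
$summary.BlacklistCidrs
```

Feed the real export instead of the sample file and check ByUser as well: one account attracting most failures is worth a password reset and 2FA check on top of the IP block.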

What are the benefits of adding a Manager to a user in AD?

Build Organisation Charts on the fly

If you build the right structure of managers and subordinates, then in Outlook 2013 and up, when you click on a user you can see the company’s organization chart under Organization (rather than building a separate one).

In Office 365, managers get notifications of user deletions as well as access to the user’s OneDrive

When an Office 365 account is deleted or the AD Sync item is removed (either by deleting the object or removing the AD Sync group from the user), there are 30 days before its data (emails and files) gets deleted.

The manager gets notified of this at 30 days, then again at 7 days.

https://docs.microsoft.com/en-us/onedrive/retention-and-deletion

Creation of a Team Calendar

Outlook will automatically add the calendars of team members (who have the same manager) to each user’s Outlook, as well as the manager’s.

https://support.microsoft.com/en-au/help/3163350/outlook-doesn-t-display-your-manager-s-team-calendars

This functionality can be disabled if needed via Group Policy:

Expand: User Configuration – Policies – Administrative Templates – Microsoft Outlook 2010, 2013 or 2016 – Outlook Options – Preferences – Calendar Options – Schedule View

and set the policy “Prevent Reporting Line Group Calendar from appearing”.

Tenant Level Checking

  • Check 2FA is enabled for all staff
  • Correct licensing (no extra licenses that are not applied)
  • If Azure AD is set up for password sync, make sure passwords cannot be changed in 365 if they don’t have Azure AD P1
  • 365 has email filtering inbound and outbound
  • DKIM/SPF and DMARC records (Vali for DMARC)
  • 365 backup and continuity (Mimecast and Veeam)
  • Technical contact is correct and notifications are set for service outages
  • Tenant location is in the right global datacenter
  • Check litigation hold: Get-Mailbox -Filter {(RecipientTypeDetails -eq 'UserMailbox') -and (LitigationHoldEnabled -eq $false)} | fl Name, LitigationHoldEnabled

  • Check mailbox auditing: Get-Mailbox -Filter {(RecipientTypeDetails -eq 'UserMailbox') -and (AuditEnabled -eq $false)} | fl Name, AuditEnabled
    Check auditing is enabled (both should come back 'True'):
    Get-AdminAuditLogConfig | fl AdminAuditLogEnabled, UnifiedAuditLogIngestionEnabled

  • Search log – failed logins (Search-UnifiedAuditLog has no -Filter parameter; the activity is selected with -Operations):
    Search-UnifiedAuditLog -StartDate 2018-01-01 -EndDate 2018-08-08 -Operations UserLoginFailed | Format-List UserIds, CreationDate

  • Retention policy – Get-RetentionPolicy (make sure there’s a tenant retention policy if the license permits one)

  • Check no retention policy hold (otherwise archive won’t work): Get-Mailbox -ResultSize Unlimited | Where-Object {$_.RetentionHoldEnabled -eq $true} | Format-Table Name, RetentionPolicy, RetentionHoldEnabled -Auto
  • Deleted items retention – Get-Mailbox -ResultSize Unlimited | Where-Object {([TimeSpan]$_.RetainDeletedItemsFor).Days -lt 30} | Format-Table Name, RetainDeletedItemsFor (increase deleted items retention from 14 days to 30 days)

  • Run the Secure Score in O365 – https://securescore.microsoft.com/ ( https://support.office.com/en-us/article/how-to-check-office-365-service-health-932ad3ad-533c-418a-b938-6e44e8bc33b0 ? )

  • Check modern auth is enabled on Exchange Online: Get-OrganizationConfig | Format-Table Name, OAuth* -Auto
  • Check and report on any email forwarders -> https://gcits.com/knowledge-base/find-external-forwarding-mailboxes-office-365-customer-tenants-powershell/
  • Check for any Flows set up – you will need to create a flow in Microsoft Flow under the domain account to search out flows and check them, disabling any that forward email or alerting a domain admin

  • Check OAuth – audit the OAuth applications on the domain (if you didn’t have the first step locked down) via https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/AppAppsPreview (this is as close as you can get to the M365 Microsoft Cloud App Security portal) and revoke anything that shouldn’t be there
    Get-MsolCompanyInformation | Select DisplayName, UsersPermissionToUserConsentToAppEnabled
  • Check spam policy (https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365-atp?view=o365-worldwide)
    • Image links to remote sites = OFF
    • Numeric IP addresses = ON
    • URL redirect to other port = ON
    • URL to .biz or .info websites = ON
    • Empty messages = ON
    • JavaScript or VBScript in HTML = ON
    • Frame or iFrame tags in HTML = ON
    • Object tags in HTML = ON
    • Embed tags in HTML = ON
    • Form tags in HTML = ON
    • Web bugs in HTML = ON
    • Apply sensitive word list = ON
    • SPF record hard fail = ON
    • Conditional sender ID hard fail = ON
    • NDR backscatter = ON
  • Check to see if basic auth in O365 has been disabled
  • Make sure there is an onmicrosoft.com administrator account documented, in case anything goes wrong with AD Connect sync

Tenant Level Changing
## RUNNING BELOW COMMANDS WILL APPLY CHANGES TO PRODUCTION ENVIRONMENT ##
  • Set litigation hold for all mailboxes: Get-Mailbox -Filter {(RecipientTypeDetails -eq 'UserMailbox')} | ForEach {Set-Mailbox $_.Identity -LitigationHoldEnabled $true}

  • Set mailbox auditing for all mailboxes: Get-Mailbox -Filter {(RecipientTypeDetails -eq 'UserMailbox')} | ForEach {Set-Mailbox $_.Identity -AuditEnabled $true}

  • Disable users being able to install 3rd-party plugins: Set-MsolCompanySettings -UsersPermissionToUserConsentToAppEnabled $false

# If the AuthenticationPolicy column is empty, no authentication policy is applied and basic auth is allowed

Get-User -ResultSize Unlimited -RecipientTypeDetails UserMailbox | Where-Object {$_.AuthenticationPolicy -eq $null} | Select-Object UserPrincipalName, AuthenticationPolicy

# Create a new policy to disable basic auth (a new authentication policy blocks basic auth for all protocols by default)

New-AuthenticationPolicy -Name "Disable Basic Auth"

# Assign the new auth policy to all mailboxes; resetting the refresh-token validity makes it take effect immediately

Get-User -ResultSize Unlimited -RecipientTypeDetails UserMailbox | Set-User -AuthenticationPolicy "Disable Basic Auth" -StsRefreshTokensValidFrom $([System.DateTime]::UtcNow)

# Set the default auth policy for the org, i.e. this policy will be applied to any mailbox without a policy assigned. An assigned policy takes precedence over the default.
# (The original showed <PolicyIdentity> here; the policy created above is used.)

Set-OrganizationConfig -DefaultAuthenticationPolicy "Disable Basic Auth"

 

NOTES:

– App Passwords will stop working

– Recreation of the account is required for the iOS Mail app, or change any application accounts from App Password to Modern Auth (just to be safe).

Ref:

https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/disable-basic-authentication-in-exchange-online

Disabling Basic Authentication on Exchange Online

Recently when a user tried to look at his Online Archive in Webmail, the folder was missing. In Outlook 2016 (NOT Outlook 2013, as this doesn’t support the archive very well) the folders were listed.

The issue is due to the folder count in the Online Archive. The folder limit is 10,000 and the current folder count was 15,000.

Refer to the article below for more information.

https://support.microsoft.com/en-us/help/2849181/some-folders-are-not-visible-in-outlook-on-the-web


Recently had a user whose accepted meeting requests were going straight to their Deleted Items instead of being displayed in their Inbox.

  • Checked the Mail and Calendar settings in Outlook, which were all default
  • Checked delegate permissions for the user
  • Checked the rules inside Outlook – nothing there

After closing all Outlook windows and trying again, the accepted meeting request still went to Deleted Items in Webmail, which showed this was server-side, not Outlook/client-side.

Turns out there was a specific server-side Inbox rule in Webmail doing this which was not displayed in the Outlook client. Disabling this resolved the issue.
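Server-side rules like this one, and the external forwarders the tenant checklist earlier on this page asks you to report on, can both be listed from Exchange Online PowerShell. The following is an added example, not the post’s own procedure; it assumes an existing Connect-ExchangeOnline session and an internal domain list you supply:

```powershell
# Added example, not from the original post. Assumes an Exchange Online PowerShell session
# (Connect-ExchangeOnline) with rights to read mailboxes and inbox rules. It reports the two
# things the checklist and this post care about: mailbox-level or rule-based forwarding, and
# server-side rules that move or delete mail (including rules Outlook does not display).
function Get-MailboxRuleReport {
    param(
        [string[]]$InternalDomains = @(),   # e.g. 'contoso.com'; anything else counts as external
        [switch]$IncludeHidden              # also return rules that clients create as hidden
    )
    foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
        # Forwarding configured on the mailbox itself (Set-Mailbox / admin portal)
        if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
            [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Type = 'MailboxForwarding'; Rule = ''
                               Target = "$($mbx.ForwardingSmtpAddress)$($mbx.ForwardingAddress)"; Enabled = $true }
        }
        foreach ($rule in Get-InboxRule -Mailbox $mbx.Identity -IncludeHidden:$IncludeHidden) {
            $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
            $targets = @($targets | Where-Object { $_ })
            # Recipient strings look like '"Bob" [SMTP:bob@example.org]'; flag non-internal domains
            $external = @($targets | Where-Object {
                $_ -match 'SMTP:([^\]]+)' -and ($InternalDomains -notcontains ($Matches[1] -split '@')[-1])
            }).Count -gt 0
            $moves = [bool]$rule.MoveToFolder -or [bool]$rule.DeleteMessage
            if ($targets.Count -eq 0 -and -not $moves) { continue }   # benign rule, skip
            if ($targets.Count -gt 0) {
                $type   = if ($external) { 'RuleForwardExternal' } else { 'RuleForward' }
                $target = $targets -join '; '
            } else {
                $type   = 'RuleMoveOrDelete'   # e.g. the rule that dropped meeting responses into Deleted Items
                $target = if ($rule.DeleteMessage) { 'Delete' } else { "$($rule.MoveToFolder)" }
            }
            [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Type = $type; Rule = $rule.Name
                               Target = $target; Enabled = $rule.Enabled }
        }
    }
}

# Usage: review RuleForwardExternal and MailboxForwarding rows first, then RuleMoveOrDelete
# Get-MailboxRuleReport -InternalDomains 'contoso.com' -IncludeHidden | Sort-Object Type | Format-Table -AutoSize
```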
