Security

10 tips to improve your administrative accounts posture in Azure AD

General Introduction As I speak to more and more customers about the matter, I notice that a lot of companies have a questionable security posture regarding their administrative accounts. For example, many admins are using their “daily-runner” account as privileged administrators for their tenants, or synchronizing their domain admins to privileged roles in Azure AD. In general, a lot of admin accounts aren’t getting the care they deserve. Losing privileged…

A vulnerability assessment solution should be enabled on your virtual machines – Azure

General introduction This is one of the more common alerts that may come up when you activate Defender for Cloud. This message comes up when a vulnerability assessment solution is not found in at least one virtual machine in your environment. What happens behind the curtains? Azure virtual machine servers are constantly checked for infrastructure security misconfigurations by Defender for Cloud, which offers advice on how to fix them. Through integrated Vulnerability…

Temporary Access Pass sign in was blocked due to User Credential Policy

General introduction Temporary Access Pass is a time-limited passcode that allows users to register passwordless methods or recover access to their accounts without knowing their password. It is enabled via an authentication method policy that you can configure in Azure Active Directory. Apart from being time-limited, the TAP can also be configured for one-time use only. This can either be configured on the authentication methods policy so that every TAP…

How to enable and disable Security Defaults

General introduction Security Defaults are one of the ways to establish a fundamental identity security baseline for your tenant. Security defaults are a set of security settings to help you protect your organization from the most common security threats. They can be enabled on a tenant with just one click. Well, two, if you count the save button. These settings are aimed at small and medium businesses that might not have…

How to configure passwordless in Azure AD connected environments

General Introduction As we all know, passwords are a weak link in our identity processes. But, contrary to what we believe, your password length is not the main enemy when talking about Azure AD, as long as your passwords are not simple. Instead, the main enemy is that passwords can be easily gathered and reused from phishing attacks or breaches. The most common attacks, for example, phishing, password spray and…

What are Conditional Access Policies in Azure AD

What are Conditional Access Policies? Conditional Access Policies (CAPs) are identity-driven policies that govern user access to resources based on certain conditions. We can summarize them as if statements that govern what will be requested, enforced or blocked. As identity has become a key focus for security efforts, it’s essential to manage it in the best way possible. All policies “think” at the user level and are enforced after a user has completed the first…

What’s SMS Authentication and how to enable it in Azure AD

What’s Text Message Authentication SMS-based authentication allows users to log in without needing to remember their username and password. After enabling the feature for an account, users can enter their phone number at the login prompt instead of their username. They will then receive an authentication code via text message that they can use to complete the login. This service is often mistaken for SMS-based Multi-factor Authentication, but they are…

What is Microsoft Purview Customer Key?

Microsoft Purview Customer Key (or Customer Key for short) is an encryption service mainly aimed at resolving regulatory issues with the adoption of Microsoft 365. This is the product you need in the Microsoft Cloud environment if you have a regulatory requirement to have ownership and control over the keys used to encrypt data at rest. Microsoft 365 already provides volume-level encryption through BitLocker and Distributed Key Manager (DKM), but…

Add or remove a user from a Conditional Access Policy (CAP) – Azure AD

What are Conditional Access Policies? Conditional Access Policies (CAPs) are identity-driven policies that govern user access to resources. We can summarize them as if statements that govern what will be requested, enforced or blocked. In most organizations, the CAPs govern the enforcement of MFA, the block of logins using legacy protocols, and requiring a compliant device to access company resources. All policies “think” at the user level. It is advisable…

Enable file monitoring for Office 365 in Defender for Cloud Apps – DCA

Before enabling file monitoring in Defender for Cloud Apps, be sure to have the appropriate licensing assigned. To follow these steps, you’ll need the following: Please note that you’ll have to create a file policy as soon as you enable the feature. If you don’t create a file policy in the first seven days, the feature will be disabled. First, log into the Defender for Cloud Apps portal: Defender for…

Unfortunately, your password contains a word, phrase or pattern that makes it easily guessable. – Azure AD

Suppose you or a user reset a password, and one of the following errors comes up. In that case, it means that either you are using a guessable password or that somebody in your organization has enabled Password Protection in your environment, and you are using a banned word. If you are a user, please try a more complex password to circumvent the error. Substituting @ with A, 1 with I, and…

This application contains sensitive information and can only be accessed from devices or client applications that meet management compliance policy – Azure AD

This error message results from the application of a Conditional Access Policy on your tenant that blocks users from accessing cloud resources using a non-compliant device. The compliance state of a device is evaluated by Intune. To check which compliance policies you have active in your environment, head to: Compliance Policies | Intune To resolve the issue, either fix the device’s compliance state or exclude the user from the Conditional…

This application contains sensitive information and can only be accessed from domain joined devices – Azure AD

General information This error message results from the application of a Conditional Access Policy on your tenant that blocks users from accessing cloud resources without a hybrid-joined device. A hybrid-joined device is an AD-joined client which gets synchronized to Azure AD via Azure Active Directory Connect (AD Connect). Another version of this error is: “Try signing in another way. To access your service, app, or website, you may need to sign in…

Restrict access to Azure Management apps – Azure AD

If we want to restrict access to the Azure management services for non-privileged users, we can now create a Conditional Access Policy that allows us to do so. To create a Conditional Access Policy, we’ll need Azure Active Directory Plan 1 or higher, which is either bought standalone, or can be found most notably inside Microsoft 365 Business Premium, or the Microsoft 365 Enterprise plans (E3, E5). On the other…

Additional Context and Number Matching User Guide – MFA

General introduction In this article I want to illustrate how I would notify my users of the upcoming activation of Additional Context and Number Matching in their MFA requests. If you are looking for a guide on how to enable Additional Context and Number Matching, follow the guide linked below. Feel free to use the message below as your own. The images are taken from the Microsoft Docs. User…

Find stale Enterprise Applications – Azure AD

If you just blocked users from registering applications, or you are just analyzing your Enterprise applications, you may find that there is a lot of work ahead of you. First, you may want to find if there are applications with no user assigned. Then you may wonder if there are applications without sign-ins in the last 30 days. To ease your work, you may find it useful to query all…

Microsoft Secure Score not updating

The Microsoft Secure score is a useful page to get an idea of the general improvement areas you should monitor and approach in your tenant. When you make a change to reflect one of the improvement actions, you might have to wait up to 48 hours to get the points in the portal. If you have waited the 48 hours (generally, it’s 24 hours, but the job might fail), check…

Secure Teams, a step by step hardening guide

This is a brief and introductory guide on what you may want to configure and change in a basic hardened Teams environment. Please consider that these are just general recommendations, and what works for a company may not be the best for another one. This is especially true when it comes to setting up collaboration services. Keep in mind that your Teams security is only as good as your identity…

Unblock at-risk user – Azure AD

If a user can’t access your tenant and forwards the following message to you, here are the steps on how you can solve it. Your account is blocked We’ve detected suspicious activity on your account. Sorry, the organization you are trying to access restricts at-risk users. Please contact your admin. The unblock is done by either resetting the user password or clearing the user risk once you have assessed that…

How to check which Conditional Access Policy is blocking a user log-in – Azure AD

General Introduction If you have Conditional Access Policies in place to block certain log-ins, a user might contact you because their sign-in request is being blocked. Probably neither you nor the user knows which policy is making the log-in fail, since it’s not specified in the error message. The usual error message is something along the lines of: “Your sign-in was successful, but does not…

User blocked due to risk on home tenant – Azure AD

General Introduction If you just enabled Azure AD Identity Protection for your entire tenant, you might get some complaints from guest users, saying that their sign-in was blocked. If you got a similar issue, but the user is not a guest but a member of your organization, follow this guide: https://azvise.com/2022/05/25/unblock-at-risk-user-azure-ad/ You cannot remediate the user risk of a guest. If you try to look for a guest user in Identity Protection | Risky…

Enable idle session timeout for Microsoft 365

In the last few days, Microsoft implemented a timeout feature for the Microsoft 365 portal and the Office web apps. The aim is to disconnect a user if no activity is received. This will go on to become a global setting: “Idle session timeout for Microsoft 365 web apps will eventually replace current idle timeout settings in Outlook Web App (OWA) and SharePoint Online (SPO)”. This feature is not tab…

Outlook requires app password for connecting to Exchange Online

Even if most people use modern authentication for connecting with Exchange Online, some users still have to use app passwords to enable connections from Outlook. For tenants created after August 2017, modern authentication is enabled by default, but some admins have it turned off. To enable modern authentication for Exchange Online, follow these steps: Click on Modern authentication | Microsoft.com or go to admin.microsoft.com, then Settings, Org Settings, Modern authentication. Select…

Apple Mail not working after disabling Legacy Authentication – Exchange Online

If you just enabled a Conditional Access Policy blocking legacy authentication to Exchange Online, enabled Security Defaults, or Microsoft disabled it for your tenant, you might see some Apple Mail clients not connecting anymore. This issue happens because the profile might still be configured to use Exchange ActiveSync to connect to Exchange Online, and EAS (along with other legacy protocols) will be retired in October 2022. Apple supports an automatic…

Scan now is greyed-out in Azure Information Protection – AIP

If you just installed the Azure Information Protection on-premises scanner and you are trying to start your first Content Scan Job, you might find that the button “Scan now” is greyed out. Before attempting to troubleshoot, check that you selected the job below. If you did, try restarting the service “Azure Information Protection Scanner” on the SQL server and refreshing the Azure Content scan job page. If you still cannot…

Automatically apply Sensitivity Labels to files and libraries – Microsoft Purview

There are a couple of ways to enable an automatic classification of files in SharePoint. The first one, more complete from a customization point of view, is to use a File Policy in Defender for Cloud Apps. The second one (the newer and less recommended one, to be fully released Q3/Q4 2022) is to use a Default Sensitivity Label in SharePoint Online. If you are looking at how to enable…

Enable Unified Audit Logs – Office 365

Unified Audit Log is one of the essential features for tracking down every action done across the tenant. The logs are kept for 90 days by default, but you can extend them using special addons. If you want to check whether the logging is enabled on your tenant, connect to Exchange Online with PowerShell. Once connected, you can check the status. If you get “True” as a result, the logging…

Add / remove the requirement to apply a sensitivity label to documents and emails – Microsoft Information Protection

When you select “Require users to apply a label to their email and documents” inside a label policy in Microsoft Information Protection, users will be required to classify the documents they create/modify. To add this requirement, access the compliance portal and select a label policy you created. https://compliance.microsoft.com/informationprotection?viewid=sensitivitylabelpolicies Then click “Edit policy” and go straight into “Settings”. Select “Require users to apply a label to their emails and documents”, then save the label policy.…

Project Freta

Project Freta is a newly announced offer from Microsoft, which aims at discovering any malware or rootkit running on Linux systems by conducting memory forensic analysis automatically. The analysis is conducted at no cost and makes it very easy to extract the data, democratizing the forensic process. Project Freta was designed and built with survivor bias at its core. It is a security project designed from first principles to drive the…

Microsoft Assessment and Planning (MAP) Toolkit – Minimum user requirements to run a scan

To scan the servers / PCs using the MAP Toolkit, you will need an AD user with administrative privileges on all the components to scan. This will be enough if you need a report of what’s installed on a series of servers/clients, their roles, and all “local” related queries, or basic AD queries. For Exchange related queries, you will need an Exchange Admin or Domain Admin. Please refer to the following…