SharePoint Dev Weekly – Episode 64


I am a keen follower of Microsoft's SharePoint Blog and proud to provide this directly from the Microsoft Tech Community:


In this session of SharePoint Dev Weekly, hosts Vesa Juvonen (Microsoft) and Waldek Mastykarz (Rencore) discuss the latest news and topics around SharePoint development. Vesa and Waldek are joined by Thomas Gölles (MVP), team lead responsible for modern workplace solutions at Solvion in Austria.

 

In addition to drawing attention to the latest advancements being delivered by the SharePoint Community and Microsoft, Vesa, Waldek and Thomy’s discussion this week focused on: increasing cloud adoption across Europe, personal bots, concierge bots, Teams, and custom customer graphs that extend the Microsoft Graph.

 

This episode was recorded on Monday, December 16, 2019.

 

The above is kindly provided by the Microsoft Tech Community!

Troubleshooting Office Client Policy Service (OCPS)


The Office cloud policy service (OCPS) is a cloud-based service that enables you to apply policy settings for Office 365 ProPlus on a user’s device. The policy settings roam to whichever device the user signs into and uses Office 365 ProPlus on. As end users become increasingly mobile, IT Pros need a single approach to secure Office 365 ProPlus on traditional on-premises domain-joined devices, Azure AD registered devices, Azure AD joined devices, and Hybrid Azure AD joined devices. OCPS applies to all of the scenarios above without the need to download and replicate any content such as Administrative Template files (ADMX/ADML) on-premises. The goal of this blog is to provide some transparency into how the service works, to help IT Pros during their validation phase and to encourage the transition from classic domain-based policy to the OCPS service for Office 365 ProPlus.

 

Requirements of OCPS

1. At least Version 1808 (August 2018) of Office 365 ProPlus
2. User accounts created in or synchronized to Azure Active Directory (AAD). The user must be signed into Office 365 ProPlus with an AAD based account.
3. Security groups created in or synchronized to Azure Active Directory (AAD), with the appropriate users added to those groups.
4. To create a policy configuration, you must be assigned one of the following roles in Azure Active Directory (AAD): Global Administrator, Security Administrator, or Office Apps Admin.
5. Connectivity to the addresses below over TCP 443. Microsoft recommends a proxy bypass/whitelist for these URLs:
*.manage.microsoft.com, *.officeconfig.msocdn.com, config.office.com

 

Steps to perform proof of concept and validation
1. Create a test user, ours will be “Gottlieb Daimler”, gdaimler@contoso.com.
2. Create security group “OCPS Service Validation” and add user to group within Active Directory Users and Computers.
3. Allow AAD Connect to synchronize user and group to Azure AD. (lunch break 🙂 or force synchronization via commands below)

(optional) From the AAD Connect server, in an elevated PowerShell session, run the following commands:
PS C:\WINDOWS\system32> Import-Module ADSync
PS C:\WINDOWS\system32> Set-ADSyncScheduler -NextSyncCyclePolicyType Delta
PS C:\WINDOWS\system32> Start-ADSyncSyncCycle

Browse the Azure AD portal, go to Users – All Users, select Gottlieb Daimler and then Groups. Verify that the group “OCPS Service Validation” is listed and that Source says “Windows Server AD”. This confirms the user and group were synced into Azure AD successfully and we can proceed to the next steps.
4. Create your first OCPS policy: open Policy Management at config.office.com and select the “Create” button:


5. Complete the input fields. When selecting the assigned security group, type “OCPS” and the service should filter the results to the “OCPS Service Validation” group. Next, define a policy. For the demo, I chose the policy “VBA Macro Notification Settings”, set to “Enabled” with VBA Macro Notification Settings set to “Disable all with notification”. Once the selections have been made, select “Create” or “Save”.



6. From Policy Management, we can now see our policy exists.


So, we’ve got a policy and we’ve assigned it to a security group containing our test user; our next step is to validate. My test machine happens to be a classic on-premises domain-joined machine. My user, Gottlieb Daimler, is signed in with his normal Active Directory credentials, as displayed in the upper right-hand corner of Word.


Traditional Group Policy uses client-side extensions in Windows to apply policy every 90 minutes. IT Pros can force policy by running “gpupdate /force” and then inspect/verify the registry as well as application behavior prior to broad deployment. OCPS checks for policy upon initial Office application launch, calls the cloud service endpoints listed above, determines policy applicability based on group membership and priority assignment, and populates the registry keys.

 

Specifically, there are two locations of interest in registry.

1. HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\CloudPolicy
This will contain information about FetchInterval (90 minutes is the default), as well as a record of Last Fetch Time and Last Payload Hash.

2. HKEY_CURRENT_USER\Software\Policies\Microsoft\Cloud. This key will contain the path to the registry keys representing the policy assignment. For example, ours will be HKEY_CURRENT_USER\Software\Policies\Microsoft\Cloud\Office\16.0\word\security
Vbawarnings = 2 (DWORD)

 

IT Pros can achieve the same behavior as gpupdate by simply deleting the key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\CloudPolicy, closing the Office application and relaunching it to fetch policy. I typically use tools like Process Monitor to help trust/verify operations of this type, with filters such as “Path” contains “CloudPolicy” or Operation is “RegSetValue”. Opening a Word document containing a macro then displays the warning with notification, as expected.
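A PowerShell script, added here as an example and not part of the original post, that walks the validation steps above from the client side: it probes the service endpoint from the requirements list, reads both registry locations, checks that the demo Word VBAWarnings value landed, and provides the “gpupdate /force” equivalent this paragraph describes. The registry paths are the post’s; the value names under CloudPolicy (FetchInterval, LastFetchTime, LastPayloadHash) are assumed to be stored exactly as the post names them, and config.office.com is the only endpoint probed because the wildcard hosts cannot be resolved directly. Run it as the signed-in test user.

```powershell
# Added example, not from the original post: inspect and reset the OCPS client
# state described above. Registry paths are the post's; the value names under
# CloudPolicy are assumed to match the post's description.

$OcpsStateKey  = 'HKCU:\Software\Microsoft\Office\16.0\Common\CloudPolicy'
$OcpsPolicyKey = 'HKCU:\Software\Policies\Microsoft\Cloud'
$OcpsEndpoints = @('config.office.com')   # wildcard hosts from the requirements list cannot be probed directly

function Test-OcpsConnectivity {
    # Requirement 5: TCP 443 to the service endpoint, from this user's context (proxy included).
    foreach ($hostName in $OcpsEndpoints) {
        $r = Test-NetConnection -ComputerName $hostName -Port 443 -WarningAction SilentlyContinue
        [pscustomobject]@{ Host = $hostName; Port443 = $r.TcpTestSucceeded; RemoteAddress = $r.RemoteAddress }
    }
}

function Get-OcpsFetchState {
    # Location 1: fetch bookkeeping. $null means Office has not fetched policy yet.
    if (-not (Test-Path $OcpsStateKey)) { return $null }
    $p = Get-ItemProperty -Path $OcpsStateKey
    [pscustomobject]@{
        FetchInterval   = $p.FetchInterval      # minutes; 90 is the default
        LastFetchTime   = $p.LastFetchTime
        LastPayloadHash = $p.LastPayloadHash
    }
}

function Get-OcpsAppliedPolicies {
    # Location 2: every value under ...\Policies\Microsoft\Cloud, one row per value,
    # e.g. Office\16.0\word\security : vbawarnings = 2 (DWord)
    if (-not (Test-Path $OcpsPolicyKey)) { return }
    Get-ChildItem -Path $OcpsPolicyKey -Recurse | ForEach-Object {
        $key = $_
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Key  = $key.Name -replace '^HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Cloud\\', ''
                Name = $name
                Data = $key.GetValue($name)
                Kind = $key.GetValueKind($name)
            }
        }
    }
}

function Test-OcpsVbaWarnings {
    # Check the demo policy: Word VBAWarnings = 2 ("Disable all with notification").
    param([int]$Expected = 2)
    $path   = Join-Path $OcpsPolicyKey 'Office\16.0\word\security'
    $actual = (Get-ItemProperty -Path $path -Name vbawarnings -ErrorAction SilentlyContinue).vbawarnings
    [pscustomobject]@{ Expected = $Expected; Actual = $actual; Applied = ($actual -eq $Expected) }
}

function Reset-OcpsCache {
    # OCPS equivalent of "gpupdate /force": drop the bookkeeping key so the next
    # Office launch calls the service again. The post's sequence is delete, close,
    # relaunch, so refuse to run while an Office app is still open.
    $running = Get-Process -Name WINWORD, EXCEL, POWERPNT, OUTLOOK -ErrorAction SilentlyContinue
    if ($running) { throw "Close Office first: $($running.Name -join ', ')" }
    Remove-Item -Path $OcpsStateKey -Recurse -Force -ErrorAction SilentlyContinue
}

Test-OcpsConnectivity | Format-Table -AutoSize
Get-OcpsFetchState
Get-OcpsAppliedPolicies | Format-Table -AutoSize
Test-OcpsVbaWarnings
# Reset-OcpsCache   # then relaunch Word and run Test-OcpsVbaWarnings again
```

Run it once before the first Office launch (expect an empty fetch state and no policy rows), then again after launching Word: Applied should flip to True and LastFetchTime should be populated. Reset-OcpsCache is the step to repeat whenever you change the policy in config.office.com and want the client to pick it up without waiting for the fetch interval.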


FAQ:
How does conflict resolution work if the same policy is set via traditional domain-based policy as well as OCPS?
OCPS takes priority if there are any conflicts with traditional domain-based policies.

 

Currently policies are limited to user settings. Are there plans on adding machine settings?
Yes. This has been accepted and currently is in our backlog. We hope to have this available next year.

 

Group Policy provides a view of all policies on the device or for the specified user. Does OCPS support this?
Currently OCPS does not provide a list of all Office policies applied to a specific user or device. This is on our backlog and we hope to have this available next year.

 

Will OCPS support other platforms such as MacOS, Android and iOS?
Yes, OCPS in the future will also support additional platforms such as MacOS, Android and iOS. We will create additional blog postings per platform once features are generally available.

 

The Author

This blog post is brought to you by Dave Guenthner, a Senior Premier Field Engineer and “ProPlus Ranger” at Microsoft. Feel free to share your questions and feedback in the comments below.

Building dynamic, lean & universal packages for Office 365 ProPlus


As an admin, you might have been tasked with the deployment of Office 365 ProPlus to your organization. But such a deployment is more than just Office. After the initial migration to ProPlus, you might have to provide ways for your users to acquire automated installs of additional Language Packs, Proofing Tools, products like Visio and Project or other components.
This blog post will walk you through a concept of building dynamic, lean & universal packages for Office 365 ProPlus, greatly reducing the long-term maintenance costs and effort needed in managed environments.
Grab a coffee, it’s a long post. Let’s roll.
 

The challenge

When you plan your upgrade to Office 365 ProPlus, the actual upgrade from a legacy version to the always-current Office 365 ProPlus is front and center. But looking beyond the initial deployment, there are other scenarios you’ll need to cover as an admin. After you upgraded your users, they might need one of the following components going forward:
 
  • Additional Language Packs
  • Proofing Tools
  • Visio
  • Project

So in managed environments each of the above would require a dedicated installation package in order to allow an automated and controlled way to e.g. install additional languages for a user. Usually, for each of the above components, an admin would combine the necessary source files (~2.5 gigabyte), a copy of the Office Deployment Tool (ODT) together with a configuration file into a package.

But, especially in larger organizations, you often do not run a single installation of Office 365 ProPlus. You might have a mix of update channels (often SAC and SAC-T) and maybe you are currently transitioning from 32 bit to 64 bit, and for quite some time you will have to support both architectures.

So at the end, we would not have one package per component, but rather four, covering each possible permutation of SAC/SAC-T and x86/x64.
The end result would be:

 

  • High number of packages, the four listed components would result in 16 or more packages.
  • High bandwidth consumption, as a client might get the full 2.5 GB package pushed down before install
  • High maintenance costs to keep embedded source files current.
  • High user impact, if you haven’t kept the source files current and installing a component will perform a downgrade, just to perform an update to the current version soon after.
  • Low user satisfaction when having to pick the matching package out of a bunch of options.

 

While the initial upgrade to Office 365 ProPlus is a one-time activity, the above scenarios will be applicable over a longer period as users might need additional components days, weeks or even years after the initial deployment.
So, how do we build packages which are less costly to maintain over a long time frame and avoid the above downsides?

 

The solution: Dynamic, lean and universal packages

Good news: There is a way to resolve all of the above issues by implementing self-adjusting, small and universal packages. I will give you the “meat and potatoes” of the concept before we dive into sample scenarios:
Build dynamic packages where you don’t hard-code anything. Leverage features of the Office Deployment Tool (ODT) to allow the packages to self-adjust to the requirements:
  • Use Version=MatchInstalled to prevent unexpected updates and stay in control of the version installed on a client. No hard-coding of a build number (which gets outdated quickly) required.
  • Use Language=MatchInstalled to instruct e.g. Visio or Project to install with the very same languages which are already installed for Office. No need to list them or build a script which injects the required languages.

 

Build lean packages by removing the source files from the packages. This has multiple benefits:

  • Package size is much smaller, from 2.5 GB down to less than 10 megabytes for the ODT and its configuration file.
  • Instead of pushing a 2.5 GB install package to clients, we let clients pull what they need on demand from the Office CDN, which saves bandwidth:
    • When adding Project to an existing Office 365 ProPlus install, we need to download less than 50 megabytes, as the Office shared components are already installed.
    • Visio installs are typically between 100-200 megabytes, depending on the number of languages, as the templates/stencils are a substantial part of the download.
    • Installing Proofing Tools is typically between 30-50 megabytes, whereas a full Language Pack is somewhere between 200 and 300 megabytes.
  • Second-install scenarios are also less frequent, which lowers the load on the internet link and ultimately reduces the impact.
  • You don’t have to update the source files every time when Microsoft releases new features, security and quality fixes.
 
Build universal packages by not hard-coding things like the architecture or update channel. The ODT will dynamically match the existing install, so your packages work across all update channels and architectures. Instead of having e.g. four packages to install Visio, you will have a single, universal package which will work across all permutations of update channels and architectures.
  • Leaving out OfficeClientEdition makes your package universal for mixed x86/x64 environments.
  • Leaving out Channel makes your package universal across update channels, even ones you don’t support.

 

How to and benefit of building dynamic, lean & universal packages

The idea behind this concept is to not hard-code everything in the configuration file, but rather to leverage the cleverness of the Office Deployment Tool (ODT) as much as possible. Let’s have a look at a “classic” package, built to add Project to an existing install of Office 365 ProPlus. We have the source files (~2.5 GB in size) and a configuration file which explicitly states what we want to achieve:

<Configuration>
  <Add OfficeClientEdition="64" Channel="Broad">
    <Product ID="ProjectProRetail">
      <Language ID="en-us" />
    </Product>
  </Add>
  <Display Level="None" />
</Configuration>
 
When applying  the concepts of dynamic, lean, universal packages, the result would look like this:
<Configuration>
  <Add Version="MatchInstalled">
    <Product ID="ProjectProRetail">
      <Language ID="MatchInstalled" TargetProduct="O365ProPlusRetail" />
    </Product>
  </Add>
  <Display Level="None" />
</Configuration>

 

So what have we changed and what are the benefits of doing so?

  • Removed the OfficeClientEdition attribute, as the ODT will automatically match the installed architecture.
    • Benefit: The configuration file now works for both x86 and x64 scenarios.
  • Removed Channel for the same reason: the ODT will automatically match the already assigned update channel.
    • Benefit I: Package works for all update channels (Monthly, Semi-Annual, SAC-T, you name it)
    • Benefit II: It will also work for update channels you don’t offer as central IT. Some users are running Monthly, some are on Insider builds? Don’t worry, it just works!
  • Added Version=MatchInstalled which will ensure that ODT will install the exact same version which is already installed.
    • Benefit: You are in control of versions deployed, no unexpected updates.
  • Added Language ID=”MatchInstalled”  and TargetProduct  designed to match the currently installed language(s), replacing a hard-coded list of languages to install.
    • Benefit I: User will have the same languages in Project as already installed for Office.
    • Benefit II: No need to re-request Language Pack installs.
    • Benefit III: Will also work for rarely used languages which you as central IT admin don’t offer, leading to happier users.
  • Removed the source files, the ODT will fetch the correct set of source files from the Office CDN just-in-time.
    • Benefit I: Package never gets old. No maintenance of source files needed.
    • Benefit II: Download is ~50 megabyte instead of pushing 2.5 GB around.

 

Another example: Adding Language Packs and Proofing Tools the dynamic, lean & universal way

Let’s have a brief look at other scenarios as well, like adding Language Packs and Proofing Tools. The classic configuration file to install the German Language Pack might look like this:
 
<Configuration>
  <Add OfficeClientEdition="64" Channel="Broad">
    <Product ID="LanguagePack">
      <Language ID="de-de" />
    </Product>
  </Add>
  <Display Level="None" />
</Configuration>
If you’re running SAC as well as SAC-T and have a x86/x64 mixed environment, you would need three additional files to cover the remaining permutations of configurations. Or you just go the dynamic, lean and universal way:
 
<Configuration>
  <Add Version="MatchInstalled">
    <Product ID="LanguagePack">
      <Language ID="de-de" />
    </Product>
  </Add>
  <Display Level="None" />
</Configuration>
 
This single configuration file will work across x86/x64 and all update channels (Insider Fast, Monthly Targeted, Monthly, SAC-T, SAC, and so on). So if you want to offer 5 additional languages in your environment, just build 5 of these “config file + ODT” packages and you’re good to go. For Proofing Tools you just change the ProductID to “ProofingTools”.
 

Prerequisites

I hope this new concept helps you to build dynamic, lean and universal packages and reduce the overall effort of managing Office 365 client Apps.
There are some prerequisites you must meet to make this concept work in your environment:
  • Use Office Deployment Tool 16.0.11615.33602 or newer to enable Version=MatchInstalled to work.
  • The ODT must be able to locate the matching source files on the Office CDN.
  • Ensure that the context you’re using for running the install can traverse the proxy. Check out our Office 365 ProPlus Deployment and Proxy Server Guidance for a deep-dive on this.
  • Make sure, that the account (user or SYSTEM) used to install the apps is able to connect to the internet.
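Pulling the “How to” section and these prerequisites together, here is a PowerShell wrapper (an added example, not code from the original post) that builds the lean package at install time: it checks the ODT version against the 16.0.11615.33602 minimum, reads the existing Click-to-Run install so you can see what MatchInstalled will resolve to, writes the MatchInstalled configuration from the post for the requested product, and runs setup.exe /configure. It assumes the ODT’s setup.exe sits next to the script, that Office is a Click-to-Run install with the standard HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration key, and that the install context can reach the Office CDN.

```powershell
# Added example, not from the original post: write the lean config on the fly,
# check the post's prerequisites, then call the ODT. Save as Install-OfficeComponent.ps1
# next to setup.exe (the ODT). Product IDs and language handling follow the post.

param(
    [Parameter(Mandatory)]
    [ValidateSet('ProjectProRetail', 'VisioProRetail', 'LanguagePack', 'ProofingTools')]
    [string]$ProductId,
    [string]$LanguageId = 'MatchInstalled',      # 'de-de' etc. for LanguagePack / ProofingTools
    [string]$OdtPath    = (Join-Path $PSScriptRoot 'setup.exe')
)

$MinOdtVersion = [version]'16.0.11615.33602'     # first ODT build with Version=MatchInstalled
$C2RConfigKey  = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'

function Test-OdtVersion {
    param([string]$Path, [version]$Minimum = $MinOdtVersion)
    if (-not (Test-Path $Path)) { throw "ODT not found at $Path" }
    $v = [version](Get-Item $Path).VersionInfo.FileVersion
    if ($v -lt $Minimum) { throw "ODT $v is older than $Minimum; Version=MatchInstalled needs the newer build." }
    $v
}

function Get-InstalledOffice {
    # MatchInstalled needs an install to match; this is what the ODT will read.
    $p = Get-ItemProperty -Path $C2RConfigKey -ErrorAction Stop
    [pscustomobject]@{
        Platform = $p.Platform            # x86 or x64, what OfficeClientEdition used to hard-code
        Version  = $p.VersionToReport     # what Version=MatchInstalled resolves to
        CdnUrl   = $p.CDNBaseUrl          # identifies the update channel that Channel= used to hard-code
        Products = $p.ProductReleaseIds
    }
}

function New-LeanOdtConfig {
    param([string]$ProductId, [string]$LanguageId)
    if ($ProductId -in @('LanguagePack', 'ProofingTools') -and $LanguageId -eq 'MatchInstalled') {
        throw "$ProductId needs an explicit language such as de-de, not MatchInstalled."
    }
    # Visio/Project inherit Office's languages; Language Packs and Proofing Tools name theirs.
    $language = if ($LanguageId -eq 'MatchInstalled') {
        '<Language ID="MatchInstalled" TargetProduct="O365ProPlusRetail" />'
    } else {
        "<Language ID=`"$LanguageId`" />"
    }
    # No OfficeClientEdition and no Channel: the ODT matches the existing install.
@"
<Configuration>
  <Add Version="MatchInstalled">
    <Product ID="$ProductId">
      $language
    </Product>
  </Add>
  <Display Level="None" />
</Configuration>
"@
}

Test-OdtVersion -Path $OdtPath | Out-Null
$office = Get-InstalledOffice
if (-not $office.Products) { throw 'No Click-to-Run Office install found; nothing for MatchInstalled to match.' }
Write-Verbose "Matching $($office.Products) $($office.Version) ($($office.Platform))"

$configPath = Join-Path $env:TEMP "odt-$ProductId.xml"
New-LeanOdtConfig -ProductId $ProductId -LanguageId $LanguageId | Set-Content -Path $configPath -Encoding UTF8
& $OdtPath /configure $configPath     # pulls only the missing bits from the Office CDN
exit $LASTEXITCODE
```

Typical calls are `.\Install-OfficeComponent.ps1 -ProductId ProjectProRetail` for Project and `.\Install-OfficeComponent.ps1 -ProductId LanguagePack -LanguageId de-de` for the German Language Pack; the same script, with the ODT, is the whole package, so one package covers every channel and architecture permutation described above. The version check fails fast instead of letting an old ODT silently ignore MatchInstalled and install whatever build the CDN currently offers.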

 

The Author

This blog post is brought to you by , a ProPlus Ranger and senior ProPlus deployment expert at Microsoft. Feel free to share your questions and feedback in the comments below.
Announcing Updates to the M365 Attack Simulator


Overview

The Microsoft 365 Attack Simulation team is pleased to announce the release of several new features in our phish simulation tool. This includes:

  • an attachment-based phishing attack
  • the ability to filter your simulation user targets by directory metadata like title, city, and department
  • the inclusion of IP addresses and client data in the simulation detail report
  • simulated phish messages are included in your user phish submission reports

Attachment Attack

We know that phishing attacks that use attachments are very popular and an effective way for attackers to get malicious code to run on your endpoints. Teaching your users to be wary of attachments can reduce your overall risk. To help you educate your users of this risk, we’ve added a new type of simulation attack called Spear Phishing (Attachment) to the catalog.

 

To launch an attachment attack, navigate to the home page of the Attack simulator:

 


 

Then, click Launch Attack and walk through the wizard:

 

First, give the attachment attack campaign a relevant, distinctive name.


 

Second, select users from your directory that you wish to target with the attachment attack.


 

Third, configure the attack with the sender, the name and type of the attachment, and the subject line of the email.


 

Fourth, enter a custom email template, or use one from the existing library. Remember that the point of the attachment attack is to get the user to open the attachment, so don’t necessarily include a credential harvesting link, but do reference the attachment in the body of the email.


 

Lastly, confirm that you are ready to send the simulation off.


 

Within minutes, your users will receive the phishing email and will be able to see the attachment. This attachment does NOT contain any malicious content or executable code. Instead, it relies on a hidden image file which makes a call back to Microsoft’s servers to indicate that the user has opened the file.


 

Here, you see the user has opened the file, which contains similar content to what you would see on the final page of a credential harvesting simulation. The user’s name is populated, along with some educational messaging about the dangers of phishing.


 

If you have enabled the Outlook Reporting add-in for your organization, note that the user should go ahead and report this message as phishing.


 

Once they select report phishing, the user will be asked to confirm the report. Note below that we’re including these reported messages in your report phish message pipeline via the Outlook reporting add-in so you can now track which of your users correctly reported this message as part of the simulation.


 

After the users have performed their actions, the simulation administrator can then review the final output of the campaign in the Attack Simulator portal.

 


 

Directory Filtering

Another quality-of-life feature we have added is the ability to perform a filtered search of your directory based on metadata like Title, Department, and City. This allows the simulation administrator to refine target groups based on existing directory data instead of having to manually select those users, leverage CSVs, or create custom directory groups. We encourage organizations to target high-risk segments of their user population with more frequent simulations to further reduce the risk of getting phished.


 

Advanced Reporting Updates

The final feature we’ve made available is the inclusion of detailed client information in the detail report of any given campaign, including username, action performed, datetime stamp, IP address, and client type information. This will allow you to better understand where your users are performing the risky actions.


 

Outlook Reporting Add-In Integration

We’re also including simulation phish messages in the normal reporting pipeline so that you can now track which of your users have correctly reported phish messages as part of the simulation exercise. This can be found by navigating to Threat Management > Explorer > View Submissions > User Submissions.


Wrapping it up

So, there you have it – a whirlwind tour through the new updates to Office 365 ATP’s Attack Simulator. We’d like to encourage you to start taking advantage of the new functionality by following the link (https://protection.office.com/attacksimulator) and we look forward to your feedback! More information on Attack Simulator can be found in the Attack Simulator documentation on Microsoft Docs.

Introducing the integrated Microsoft Threat Protection solution (public preview)


 

Every day, attackers compromise endpoints, identities, and email to infiltrate and quickly expand their foothold in an organization. Customers need protection across these attack vectors to defend against evolving threats. Microsoft Threat Protection is an integrated solution that’s built on our best-in-class Microsoft 365 security suite: Microsoft Defender Advanced Threat Protection (ATP) for endpoints, Office 365 ATP for email and collaboration tools, Azure ATP for identity-based threats, and Microsoft Cloud App Security (MCAS) for SaaS applications.  

 

Within the suite we’ve been expanding our threat detection and automated investigation and response capabilities, as well as adding cross-product visibility, with additions such as automated incident response in Office 365 ATP, integration of MCAS and Microsoft Defender ATP for deep insight into cloud app usage, integration of Azure ATP with Microsoft Defender ATP, and more.  

 

Starting today, across the threat landscape security teams can correlate alerts to focus on what matters most, automate investigation and response and self-heal affected assets, and simplify hunting for indicators of attack unique to an organization. They can also use Microsoft Threat Protection to centrally view all detections, impacted assets, automated actions taken, and related evidence. 

 

Move from alerts to incidents

We are introducing the concept of “incidents”, previously available only for endpoints. These incidents correlate alerts across threat vectors to determine the full scope of the threat across Microsoft 365 products.

 

For example, we can correlate the following attack sequence: Office 365 ATP observes a malicious email attachment. That attachment contains a weaponized Word document that is opened on the endpoint and observed by Microsoft Defender ATP. The attack then launches queries to the domain controller in search of user accounts to abuse, which is observed by Azure ATP. And, finally, corporate data is exfiltrated to a personal OneDrive account, which is observed by Microsoft Cloud App Security.   

 


All related alerts across the suite products presented as a single incident (alerts view) 


Cross-product incident (Incident overview) 

 

Automate threat response

Critical threat information is shared in real time between Microsoft Threat Protection products to help stop the progression of an attack. The central Microsoft Threat Protection logic orchestrates and triggers actions on the individual products. This includes blocking malicious entities and initiating automatic investigation and remediation. 

 

For example, if a malicious file is detected on an endpoint protected by Microsoft Defender ATP, it will instruct Office 365 ATP to scan and remove the file from all e-mail messages. The file will be blocked on sight by the entire Microsoft 365 security suite. 

 

Self-heal compromised devices, user identities, and mailboxes

Leveraging the capabilities of the suite products, the integrated solution uses AI-powered automatic actions and playbooks to return all impacted assets to a secure state. Within the portal security teams can use the Action Center to centrally view results of all automated investigations and self-healing actions and approve or undo specific actions.

 

Action Center – see pending and historical actions taken by analysts

 

Cross-product threat hunting

Security teams can leverage their unique organizational knowledge, like proprietary indicators of compromise, org-specific behavioral patterns, or freeform research, to hunt for signs of compromise by creating custom queries over raw data. Microsoft Threat Protection provides query-based access to 30 days of historic raw signals and alert data across endpoint and Office 365 data.

 

Query-based hunting on top of email and endpoint raw data

 

Security professionals and customers with Microsoft 365 Security E5 and all M365 E5 licenses are invited to explore the integrated Microsoft Threat Protection solution public preview. (Eligibility Requirements).  

 

Visit http://aka.ms/EnableMTP today to learn more. 

SharePoint Dev Weekly – Episode 63

Am a keen follower of Microsoft's SharePoint Blog and proud to provide this direct from the Microsoft Tech Community:


In addition to drawing attention to the latest advancements being delivered by the SharePoint Community and Microsoft, Vesa and Waldek’s discussion this week focused on: The continued necessity for code analysis – server-side and browser-side. Fortunately, the job is made easier with the great contributions being delivered by the SPFx community that help drive solid coding projects. Thank you. In the coming week there are more events, fine tuning 1.10 release, CLI updates, and work on Fluid Framework capabilities sure to save users many hours of time.

 

This episode was recorded on Monday, December 9, 2019.

 

The above is kindly provided by the Microsoft Tech Community!

SharePoint Development Community (PnP) – December 2019 update

Am a keen follower of Microsoft's SharePoint Blog and proud to provide this direct from the Microsoft Tech Community:


Latest monthly summary of SharePoint Development guidance for SharePoint Online and on-premises is now available from the SharePoint Dev Blog. Check the latest news, samples and other guidance from this summary.

 

The above is kindly provided by the Microsoft Tech Community!

How to manage Office 365 ProPlus Channels for IT Pros

12/5/2019: We’ve updated this guidance and published it as an article on docs.microsoft.com: Change the Office 365 ProPlus update channel for devices in your organization. We recommend that you follow the steps in that article to change channels.

 

Microsoft recommends enterprise customers include validation as a part of their Office 365 ProPlus deployment processes. Microsoft provides “channels” which control the rate of change in terms of features and quality fixes. For most customer deployments this means a minimum of two channels, such as Semi-Annual Channel and Semi-Annual Channel (Targeted). Many IT Pros broadly deploy a single channel (usually Semi-Annual Channel) and leverage Group Policy to assign validation computers to a faster channel such as Semi-Annual Channel (Targeted). In this way, IT Pros can preview what’s coming four months prior to production release.

 

The goal of this blog is to clarify the mechanics of how Office 365 ProPlus processes channel change requests.

 

Tip: New Semi-Annual Channel versions are released in January and July, and Semi-Annual Channel (Targeted) versions are released in March and September. All channels receive a minimum of one build per month containing security fixes and critical customer-escalated fixes (the latter has a very high bar).

To read more about channels, please see Overview of update channels for Office 365 ProPlus.

 

Ideally, minimizing the number of Office 365 ProPlus packages reduces the overall cost of ownership. Therefore, the next step is to develop a process where machines receive the standard package, placing them on Semi-Annual Channel, but validation machines are dynamically moved to a faster channel such as Semi-Annual Channel (Targeted).

 

Step 1: Deploy your standard Office 365 ProPlus package based on Semi-Annual Channel

 

Step 2: Assign the GPO to the validation machine(s), or add the policy registry value, specifying Semi-Annual Channel (Targeted)

 

Using the Office ADMX files, use the Update Channel GPO to set Semi-Annual Channel (Targeted).


* Group Policy refreshes in the background every 90 minutes by default. Use gpupdate /force to expedite. Alternatively, add the registry value manually under the policy key:

             HKLM\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate "updatebranch"="FirstReleaseDeferred"

Step 3: Allow the Microsoft\Office\Office Automatic Updates 2.0 scheduled task to run

Group Policy sets registry keys, that’s all. Office 365 ProPlus uniquely leverages a scheduled task named Office Automatic Updates to maintain product configuration, including channel management. The name itself, “Automatic Updates”, can cause confusion for IT Pros in enterprise environments where System Center Configuration Manager (SCCM) is used to deploy updates. When OfficeMgmtCom (COM) is enabled, updates are delivered only from SCCM. The Office Automatic Updates scheduled task fires based on its default set of triggers regardless of whether COM is enabled; alternatively, by running the task manually you can compress the time frame needed to validate the change.

 

Warning: Microsoft recommends Automatic Updates remain Enabled (the default configuration) in all update scenarios. This task does more than its name implies. By disabling the task, you may observe a diminished experience in terms of channel management, and you disable the feature that applies updates when SYSTEM is idle.

See 2:00 in the Managing Office with SCCM (2019) video for more information; this applies to the CDN update workflow.

 

Tip: List of channels and their respective URL identifiers

CDNBaseUrl represents the channel the product was installed from. If no channel was defined in the unattended configuration, Semi-Annual Channel is the default selection.

Monthly Channel 
(formerly Current Channel):
CDNBaseUrl = http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60

Semi-Annual Channel 
(formerly Deferred Channel):
CDNBaseUrl = http://officecdn.microsoft.com/pr/7ffbc6bf-bc32-4f92-8982-f9dd17fd3114

Monthly Channel (Targeted)
(formerly First Release for Current Channel):
CDNBaseUrl = http://officecdn.microsoft.com/pr/64256afe-f5d9-4f86-8936-8840a6a4f5be

Semi-Annual Channel (Targeted) 
(formerly First Release for Deferred Channel):
CDNBaseUrl = http://officecdn.microsoft.com/pr/b8f9b850-328d-4355-9145-c59439a0c4cf

Tip: IT Pros can monitor several registry values to validate that the change has occurred after the scheduled task has completed. The values of interest when monitoring can be found under the following key: HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration. Do not edit these values directly; doing so can lead to unintended consequences. Rather, monitor them for the desired outcome.

UpdateChannel: This is the channel configuration “winner”.  This is dynamically managed by the Automatic Updates scheduled task and should not be edited directly.

 

In our example, where we are using GPO to move Office 365 ProPlus to Semi-Annual Channel (Targeted), the Office Automatic Updates scheduled task will discover the policy key and then flip UpdateChannel to the new value, in this case from http://officecdn.microsoft.com/pr/7ffbc6bf-bc32-4f92-8982-f9dd17fd3114 (SAC) to http://officecdn.microsoft.com/pr/b8f9b850-328d-4355-9145-c59439a0c4cf (SAC-T). Additionally, UpdateChannelChanged will be set to True. Upon the next successful Office 365 client update, UpdateChannelChanged resets to False. The product can only accept one channel change request at a time, with a successful update as a prerequisite before it accepts another change.

 

If you have completed the steps above and the channel change is still not reflected, you may be blocked by the temporary “Discovery Period.” Generally, updates will not happen within the Discovery Period, which can last up to 24 hours after initial installation. IT Pros may encounter this scenario during compressed-time validation in lab scenarios.

 

After UpdateChannel has successfully changed, Office 365 clients pointing to the CDN will download the latest build from the faster channel. Office 365 clients which have COM enabled for SCCM integration will download the newer build the next time the Software Updates Deployment Evaluation cycle runs, based on the Software Deployment configuration within SCCM. IT Pros can expedite testing of channel migration by deploying the desired build (which should be a build from Semi-Annual Channel (Targeted)) to the validation collection, then using the Configuration Manager applet from Control Panel to perform a Machine Policy Retrieval followed by a Software Updates Deployment Evaluation Cycle.
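As an added example that is not part of Dave's post, here is a PowerShell script that performs Step 2 by writing the same policy value the Update Channel GPO writes, starts the Step 3 scheduled task, and then polls the ClickToRun\Configuration values the tip above says to monitor, resolving the CDN URLs to the channel names listed above and reporting which of the four priority sources from the FAQ is in effect. The function and variable names are my own; it assumes an elevated session on a device where Office 365 ProPlus is installed.

```powershell
# Added example (not from the post). Run elevated on a device with Office 365 ProPlus.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate'
$ConfigKey = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
# Channel GUIDs as listed in the post (the last one is Office 2019, from the FAQ).
$ChannelNames = @{
    '492350f6-3a01-4f97-b9c0-c7c6ddf67d60' = 'Monthly Channel'
    '7ffbc6bf-bc32-4f92-8982-f9dd17fd3114' = 'Semi-Annual Channel'
    '64256afe-f5d9-4f86-8936-8840a6a4f5be' = 'Monthly Channel (Targeted)'
    'b8f9b850-328d-4355-9145-c59439a0c4cf' = 'Semi-Annual Channel (Targeted)'
    'f2e724c1-748f-4b47-8fb8-8e0d210e9208' = 'Office 2019'
}
# Map a CDNBaseUrl/UpdateChannel URL to a channel name; unknown URLs pass through.
function Get-ChannelName([string]$Url) {
    if (-not $Url) { return $null }
    $id = ($Url.TrimEnd('/') -split '/')[-1].ToLower()
    if ($ChannelNames.ContainsKey($id)) { $ChannelNames[$id] } else { $Url }
}
# Read-only view of the values to monitor, plus which of the four update sources wins.
function Get-OfficeChannelState {
    $cfg = Get-ItemProperty -Path $ConfigKey -ErrorAction Stop
    $pol = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $source = if     ($pol.updatepath)   { "1st: GPO UpdatePath = $($pol.updatepath)" }
              elseif ($pol.updatebranch) { "2nd: GPO UpdateChannel = $($pol.updatebranch)" }
              elseif ($cfg.UpdateUrl)    { "3rd: UpdateUrl = $($cfg.UpdateUrl)" }
              else                       { "4th: CDNBaseUrl = $($cfg.CDNBaseUrl)" }
    [pscustomobject]@{
        VersionToReport      = $cfg.VersionToReport
        CDNBaseUrl           = Get-ChannelName $cfg.CDNBaseUrl
        UpdateChannel        = Get-ChannelName $cfg.UpdateChannel
        UpdateChannelChanged = $cfg.UpdateChannelChanged
        EffectiveSource      = $source
    }
}
# Step 2 without waiting for a GPO refresh: write the value the Update Channel GPO
# writes, then (Step 3) start the task that flips UpdateChannel. Configuration is never edited.
function Request-OfficeChannelChange([string]$Branch = 'FirstReleaseDeferred') {
    New-Item -Path $PolicyKey -Force | Out-Null
    Set-ItemProperty -Path $PolicyKey -Name 'updatebranch' -Value $Branch -Type String
    Start-ScheduledTask -TaskPath '\Microsoft\Office\' -TaskName 'Office Automatic Updates 2.0'
}
# Poll UpdateChannel until it shows the expected channel or the timeout passes.
function Wait-OfficeChannelChange([string]$Expected, [int]$TimeoutSec = 900) {
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        $state = Get-OfficeChannelState
        if ($state.UpdateChannel -eq $Expected) { return $state }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    Write-Warning "Still '$($state.UpdateChannel)'; the device may be inside its 24-hour Discovery Period."
    return $state
}

Request-OfficeChannelChange -Branch 'FirstReleaseDeferred'
Wait-OfficeChannelChange -Expected 'Semi-Annual Channel (Targeted)' | Format-List
```

On a COM-managed (SCCM) client the script only confirms the channel flip; the actual build download still waits for the next Software Updates Deployment Evaluation cycle as described above.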

 


 

Tip: Office 365 ProPlus behavior – slow to fast vs. fast to slow

Slower -> Faster (Example: Semi-Annual Channel to Semi-Annual Channel Targeted)

  • The client will always gracefully move forward when the newly available build number is higher. For example, a client on June 2019 Semi-Annual Channel with Version 1808 (Build 10730.20348) will move to Semi-Annual Channel (Targeted) with Version 1902 (Build 11328.20318). No other administrative intervention is required; the normal update process/workflow applies the change.

Faster -> Slower (Example: SAC-T to SAC)

  • In an SCCM-managed environment where COM is enabled, Office will not auto-downgrade when the channel is changed. It will only move forward once the advertised build is greater than what’s currently installed. For example, an Office ProPlus client on the Semi-Annual Channel (Targeted) June 2019 build, Version 1902 (Build 11328.20318), will have to wait until the Semi-Annual Channel build number is greater in order to move forward, such as July 2019 Version 1902 (Build 11328.20368). The supported downgrade method is to re-run the Office Deployment Tool (ODT) with the desired build and channel. Keep in mind that during the waiting period, the Office 365 client will not receive any updates, including security updates.
  • In a non-COM-managed environment, such as the default CDN configuration, we will downgrade your newer version to match the channel assigned by Group Policy.

*Since we can’t do binary delta compression (BDC) on a downgrade, the download will be larger. As a result, network impact should be considered when downgrading from the CDN.

 

FAQ:

How does channel management work when Office 2019 is installed and GPO “Upgrade Office 2019 to Office 365 ProPlus” is enabled?

Some customers may need one factory image of Windows which includes Office 2019 and later upgrade a subset of machines to Office 365 ProPlus. The steps outlined above still apply in terms of mechanics and how channel changes are processed. The only difference is that Office 2019 will initially have CDNBaseURL and UpdateChannel reflecting http://officecdn.microsoft.com/pr/f2e724c1-748f-4b47-8fb8-8e0d210e9208. First, the GPO above will set the policy key. Second, the Office Automatic Updates 2.0 scheduled task will flip UpdateChannel to Semi-Annual Channel (the URL ending in 3114) by default and dynamically convert the product to Semi-Annual Channel. In short, Office 2019 is just an older version of Office 365 ProPlus, so the differences in content between the two products will download from the CDN or from an SCCM Distribution Point depending on your configuration (the size will be significant for the one-time conversion). For CDN, this process is automatic. For SCCM, the IT Pro only needs to deploy the latest Semi-Annual Channel build software update to the collection, just like any monthly “Patch Tuesday” process. SCCM will find the build applicable and upgrade it like any other Office update. Licensing/Activation will switch from volume activation (KMS) to subscription-based (Office Licensing Service).

 

Why does this guidance differ from SCCM page Change the update channel after you enable Office 365 clients to receive updates from Configuration Manager?

Microsoft recommends customers leverage Group Policy to change Office 365 ProPlus channels because it’s easier for IT Pros. Group Policy sets the registry value under the policy hive, and the Office Automatic Updates scheduled task processes the channel change. The link above references CDNBaseURL. Notice from the list below that this is the 4th item evaluated for priority by the scheduled task. As a result, if the first three priorities listed are not configured and CDNBaseURL doesn’t match UpdateChannel, the scheduled task will align them, resulting in a channel change. This blog posting leads with Group Policy, whereas the link above requires a direct registry change through Group Policy Preferences or a Compliance Item in SCCM.

 

1st Priority : GPO "UpdatePath" - HKLM\software\policies\microsoft\office\16.0\common\officeupdate!updatepath
2nd Priority : GPO "UpdateChannel" - HKLM\software\policies\microsoft\office\16.0\common\officeupdate!updatebranch
3rd Priority : "UpdateURL" or UpdatePath="\\Server\Share" - HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration
4th Priority : CDNBaseURL - HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration\CDNBaseUrl

I hope this blog post helps provide additional context for how Office ProPlus Channel Management works “under the hood”.

 

This blog post is brought to you by Dave Guenthner, a Senior Premier Field Engineer and “ProPlus Ranger” at Microsoft. Feel free to share your questions and feedback in the comments below.