Govern, Audit and Control G Suite with Microsoft! (Google Apps + Cloud App Security)

Does your organization use G Suite or Google Apps? Do you have any of these requirements?

  • Audit activity occurring in G Suite (user logons/logoffs, settings changed, files modified, etc.)
  • Audit file activity (what files are being accessed, from where, how they are being accessed, etc.)
  • Govern how G Suite is accessed (only from a managed device? only from a managed network? no downloads to a non-managed computer?)
  • Scan files in G Suite for sensitive data
  • And more!

In this blog we will explore how Microsoft Cloud App Security (CAS), part of Microsoft 365, can help you meet these requirements. For more information on connecting G Suite to CAS see this article. Let’s get started!

Note: Neither Microsoft, Matt Soseman, nor this blog assumes any responsibility or offers any warranty as a result of following the instructions in this blog. This requires enabling and modifying APIs. Use at your own risk.

Configure G Suite within Microsoft Cloud App Security:

From within Cloud App Security, click Investigate then select Connected Apps:

Click the + sign and select G Suite:

Type in a name and click Connect G Suite:

We need to pull the appropriate details from G Suite. Open a new browser instance and navigate to your G Suite admin portal using your admin credentials.

Once signed in, navigate to https://cloud.google.com/console/project and click Create Project:

Give the project a name and click Create Project.

Click Google Cloud Platform then click Go To APIs Overview:

Click API Library and enable the following APIs:

Back on the APIs and Services screen, click Credentials, click the OAuth Consent Screen, then in Application Name type Microsoft Cloud App Security and click Save:

Back on the Credentials tab click Create Credentials and select Service Account Key:

Configure the Service Account Key and click Create. Copy the secret to a scratchpad area. Download the certificate.

Back on the Credentials screen click Manage Service Accounts.

Edit the Service Account:

Check the box next to Enable G Suite Domain Wide Delegation and click Save:

In the search box at the top type Google Drive API and press Enter.

Click on Drive UI Integration, configure it using the following parameters (you can get the icons from here), and click Save Changes when finished:

In the search box type G Suite Marketplace SDK and press Enter.

On the Configuration tab, copy the Project Number to a scratch pad area:

Upload the same icons you used previously, and configure the following URLs:

Configure the following URL scopes:

  • https://www.googleapis.com/auth/admin.reports.audit.readonly
  • https://www.googleapis.com/auth/admin.reports.usage.readonly
  • https://www.googleapis.com/auth/drive
  • https://www.googleapis.com/auth/drive.appdata
  • https://www.googleapis.com/auth/drive.apps.readonly
  • https://www.googleapis.com/auth/drive.file
  • https://www.googleapis.com/auth/drive.metadata.readonly
  • https://www.googleapis.com/auth/drive.readonly
  • https://www.googleapis.com/auth/drive.scripts
  • https://www.googleapis.com/auth/admin.directory.user.readonly
  • https://www.googleapis.com/auth/admin.directory.user.security
  • https://www.googleapis.com/auth/admin.directory.user.alias
  • https://www.googleapis.com/auth/admin.directory.orgunit
  • https://www.googleapis.com/auth/admin.directory.notifications
  • https://www.googleapis.com/auth/admin.directory.group.member
  • https://www.googleapis.com/auth/admin.directory.group
  • https://www.googleapis.com/auth/admin.directory.device.mobile.action
  • https://www.googleapis.com/auth/admin.directory.device.mobile
  • https://www.googleapis.com/auth/admin.directory.user

Under Visibility select My Domain and click Save Changes:
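
The scopes above include admin.reports.audit.readonly, which is what gives CAS the logon/logoff activity from the first requirement at the top of this post. The following Python is an added example, not part of the original post and not Cloud App Security's own code: it parses a constructed activities.list response for the login application (the shape the Admin SDK Reports API returns under that scope) and flags repeated failed sign-ins and successful sign-ins from outside an assumed managed network. The sample records and the 203.0.113.0/24 office range are constructed stand-ins.

```python
"""Triage G Suite login audit records (Admin SDK Reports API shape).

Added example, not from the original post. Sample data is constructed;
the managed network range is an assumed office range.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed "managed network" (RFC 5737 documentation range), not a real office.
MANAGED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def _activity(actor, ip, when, name, failure_type=None):
    """Build one record in the admin#reports#activity shape (constructed)."""
    params = [{"name": "login_type", "value": "google_password"}]
    if failure_type:
        params.append({"name": "login_failure_type", "value": failure_type})
    return {
        "kind": "admin#reports#activity",
        "id": {"time": when, "applicationName": "login", "customerId": "C0placeholder"},
        "actor": {"callerType": "USER", "email": actor},
        "ipAddress": ip,
        "events": [{"type": "login", "name": name, "parameters": params}],
    }


# Constructed stand-in for GET .../activity/users/all/applications/login
SAMPLE_RESPONSE = {
    "kind": "admin#reports#activities",
    "items": [
        _activity("adele@example.com", "203.0.113.10", "2019-05-01T08:00:00.000Z", "login_success"),
        _activity("bob@example.com", "198.51.100.7", "2019-05-01T08:01:00.000Z",
                  "login_failure", "login_failure_invalid_password"),
        _activity("bob@example.com", "198.51.100.7", "2019-05-01T08:02:00.000Z",
                  "login_failure", "login_failure_invalid_password"),
        _activity("bob@example.com", "198.51.100.7", "2019-05-01T08:03:00.000Z",
                  "login_failure", "login_failure_invalid_password"),
        _activity("bob@example.com", "198.51.100.7", "2019-05-01T08:04:00.000Z", "login_success"),
        _activity("carol@example.com", "203.0.113.22", "2019-05-01T09:30:00.000Z",
                  "login_failure", "login_failure_invalid_password"),
    ],
}


def _parse_time(value):
    # Reports API timestamps are RFC 3339 with millisecond precision and a Z suffix.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def flatten_activities(response):
    """Turn the nested activities/events structure into flat rows sorted by time."""
    rows = []
    for item in response.get("items", []):
        for event in item.get("events", []):
            params = {p["name"]: p.get("value") for p in event.get("parameters", [])}
            rows.append({
                "time": _parse_time(item["id"]["time"]),
                "actor": item.get("actor", {}).get("email", "<unknown>"),
                "ip": item.get("ipAddress"),
                "name": event["name"],
                "failure_type": params.get("login_failure_type"),
            })
    rows.sort(key=lambda r: r["time"])
    return rows


def failed_login_bursts(rows, threshold=3, window=timedelta(minutes=10)):
    """Actors with >= threshold login_failure events inside one sliding window.

    Returns {actor: largest failure count seen within a single window}.
    """
    failures = defaultdict(list)
    for row in rows:
        if row["name"] == "login_failure":
            failures[row["actor"]].append(row["time"])
    flagged = {}
    for actor, times in failures.items():  # times are already sorted
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[actor] = max(flagged.get(actor, 0), count)
    return flagged


def unmanaged_network_logins(rows, managed=MANAGED_NETWORKS):
    """Successful sign-ins whose source IP is outside every managed network."""
    hits = []
    for row in rows:
        if row["name"] != "login_success" or not row["ip"]:
            continue
        addr = ipaddress.ip_address(row["ip"])
        if not any(addr in net for net in managed):
            hits.append((row["actor"], row["ip"]))
    return hits


if __name__ == "__main__":
    rows = flatten_activities(SAMPLE_RESPONSE)
    print("failed-login bursts:", failed_login_bursts(rows))
    print("sign-ins from unmanaged networks:", unmanaged_network_logins(rows))
```

A burst of failures followed by a success from the same address, as in the sample for bob, is the combination worth alerting on first; CAS raises the equivalent as anomaly and activity policies, and this is the raw material those policies work from.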

Browse back to

AzureAD: Setup SSO to G-Suite for free, and govern access! (Google Apps)

Did you know Azure Active Directory can provide Single Sign-On (SSO) to G-Suite (Google Apps)? In this blog, we will explore how to set this up from both the Azure AD side and also the G-Suite side.

Once SSO is configured, consider creating Conditional Access policies to govern how G-Suite is accessed (e.g. only from a managed device or a specific network, or monitoring for credential threats such as the credentials being offered for sale on the dark web). For more information on G-Suite and Azure AD integration for SSO, see Tutorial: Azure Active Directory integration with G Suite.

Note: SSO for up to 10 apps comes with the free version of Azure AD. For additional capability, P1 or P2 may be required. See Azure Active Directory pricing for more information.

Important: Chromebooks can sign in with Azure AD credentials; see this video (and here for more information).

Also Important: Once SSO is enabled in G-Suite, only Azure AD credentials will be authorized for sign-in; legacy credentials (i.e. G-Suite credentials) will no longer be accepted. If the user is on a Windows 10 device that is Azure AD joined (AADJ), they will not need to type in their password to access G-Suite; SSO from Windows 10 will be available automatically.

Let’s begin!

Add G-Suite to Azure AD and configure it:

From within the Azure portal navigate to Azure Active Directory -> Enterprise Applications -> New Application, search for G Suite, then click Add:

Once added, click Single Sign-on and click SAML.

Edit the Basic SAML Configuration by clicking the pencil icon:

Configure using the following parameters:

Click Save. For User Attributes & Claims click the pencil icon:

Add a new claim:

Go back to the main SAML SSO configuration page, and download the base64 certificate for SAML Signing Certificate:

Copy the following URLs to a scratch pad; we’ll use these to configure G-Suite:

Setup G-Suite for SSO:

See this article for more information on configuring G-Suite for SSO. From within G-Suite navigate to Admin -> Security -> Setup SSO. Paste the URLs you copied in the last step into the SSO configuration, upload the certificate you downloaded previously, check the box for Use a domain specific issuer, and then click Save:

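The URLs and certificate pasted above are exactly what the G-Suite side checks on every sign-in. The Python below is an added example, not from the original post and not Google's or Microsoft's code: it parses a constructed, unsigned Azure AD-style SAML Response and checks destination, issuer, audience, validity window, status and NameID against the values expected for a placeholder domain example.com with Use a domain specific issuer checked (the tenant id is a placeholder). Signature verification is left out; a real service provider must verify the XML signature with the downloaded certificate before trusting any of these fields.

```python
"""Sanity-check a SAML Response the way the service provider must.

Added example, not from the original post. Domain, tenant id and the
response itself are constructed placeholders; no signature is verified.
"""
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input in production
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# What the SP expects for example.com with "Use a domain specific issuer" checked.
EXPECTED = {
    "issuer": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",  # placeholder tenant
    "audience": "google.com/a/example.com",          # domain-specific issuer form of the SP entity id
    "destination": "https://www.google.com/a/example.com/acs",
}

# Constructed, unsigned response for adele@example.com.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" IssueInstant="2019-05-01T08:00:00Z"
    Destination="https://www.google.com/a/example.com/acs">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2019-05-01T08:00:00Z">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">adele@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2019-05-01T07:55:00Z" NotOnOrAfter="2019-05-01T09:00:00Z">
      <saml:AudienceRestriction><saml:Audience>google.com/a/example.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_saml_response(xml_text, expected=EXPECTED, now=None):
    """Return a list of problems; an empty list means the response matches `expected`."""
    if isinstance(now, str):
        now = _ts(now)
    now = now or datetime.now(timezone.utc)
    problems = []
    root = ET.fromstring(xml_text)

    if root.get("Destination") != expected["destination"]:
        problems.append("Destination does not match the ACS URL configured in G-Suite")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        problems.append("StatusCode is not Success")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no Assertion element (encrypted or missing)")
        return problems
    if assertion.findtext("saml:Issuer", namespaces=NS) != expected["issuer"]:
        problems.append("Issuer is not the Azure AD entity id pasted into G-Suite")

    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        problems.append("no Conditions element")
    else:
        not_before = _ts(conditions.get("NotBefore"))
        not_on_or_after = _ts(conditions.get("NotOnOrAfter"))
        if not (not_before <= now < not_on_or_after):
            problems.append("assertion outside its validity window")
        audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if expected["audience"] not in audiences:
            problems.append("Audience does not match the SP entity id (domain-specific issuer)")

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or "@" not in (name_id.text or ""):
        problems.append("NameID is not an email address; G-Suite matches users on primary email")
    return problems


if __name__ == "__main__":
    print(check_saml_response(SAMPLE_RESPONSE, now="2019-05-01T08:00:30Z") or ["ok"])
```

Running the same check with the audience set to google.com (the value Google uses when the domain specific issuer box is unchecked) produces an audience mismatch, which is the symptom you see when that checkbox and the Identifier entered on the Azure AD side disagree.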
Assign the user to G Suite

Back in the Azure portal, click Users & Groups from within the G-Suite Enterprise Application:

Add a new user to G-Suite:

Turn on Provisioning:

Click on Provisioning and go through the steps on the blade, starting with changing Provisioning Mode to Automatic.

Then click Authorize and type in your G-Suite credentials to go through the authorization process. Grant consent:

Back in the Azure portal, click Save to save your provisioning configuration. Once saved, you can opt to enable automatic synchronization of identities from Azure AD to G-Suite by clicking On for Provisioning Status:

Side note: I could also configure self-service for end-users!

Back in G-Suite, you will notice the assigned users will start to sync:
Time to test!

I’m going to navigate to http://mail.google.com/a/soseman.org:

Notice this will redirect to Azure Active Directory:

Notice it challenges me for multi-factor authentication!

And I respond to the challenge using my Apple Watch 🙂

Once authenticated, accept the terms and conditions:

Now, I’m logged in and ready to use G-Suite!

Browsing to myapps.microsoft.com, G-Suite is added to the launcher!

Conclusion:

As you can see, configuring Single Sign-On for G-Suite using Azure Active Directory is a rather easy and simple process, and can probably be completed in 15 minutes or less. Once configured, don’t forget to use Azure AD Conditional Access to govern how G-Suite is accessed, such as requiring a managed device (mobile or PC), monitoring the credentials for compromise (impossible travel, offered for sale on the dark web, sign-ins from atypical locations, etc.), requiring MFA, and more!

Microsoft Teams: Protect against Phishing & Malware

Pretend for a moment that I am a marketing agency you just hired, and invite me as a guest to a team in Microsoft Teams to collaborate. What happens if that guest’s account gets compromised and a bad actor gains access to your team in Microsoft Teams? Your organization is having sensitive conversations there, uploading sensitive files, and if that data were to be publicly disclosed, could do damage to the organization. More importantly, a bad actor can post hyperlinks to “phishing” web sites, and upload malicious files into Microsoft Teams – from there users can open the links or run the files, posing a serious threat to your organization’s security.

How do we help to protect against phishing attacks and malicious files in Microsoft Teams? Office 365 Advanced Threat Protection is here to help. In fact, Office 365 ATP can also help to protect against phishing and malware in not just Microsoft Teams, but Exchange Online, SharePoint, and OneDrive! More information in the Service Description here.

To configure, once the appropriate licenses have been purchased and assigned to each user, open the Office 365 Security & Compliance Center (protection.office.com) -> Threat Management -> Policy and click on ATP Safe Attachments:

Check the box Turn on ATP for SharePoint, OneDrive and Microsoft Teams and click Save:

Now, when a malicious file is uploaded to Microsoft Teams, Office 365 ATP will perform a detonation of the file (following this process). Here we have files in Microsoft Teams; are they malicious?

If the file is indeed malicious, when the user attempts to execute the file in Microsoft Teams, they will receive the following message:

Safe Attachments stops the user in their tracks, and never gives them the opportunity to launch the file. This same behavior also occurs when the file is executed directly from SharePoint. If you are using Office 365 Alerts (in the Security & Compliance Center), an alert can be configured to notify the admin that malware was uploaded to Microsoft Teams:

Here’s what the alert looks like:

(Note: if you are using Microsoft Cloud App Security, an SMS notification can be sent, and MCAS also offers integration into your SIEM.)

What about phishing links in Microsoft Teams? If the ATP Safe Links policy is correctly configured (more information here), then when a phishing hyperlink is posted, the user will receive a blocking message when attempting to click on the hyperlink. Let’s take a look at this below; here’s a hyperlink in a team conversation in Microsoft Teams:

When the user clicks on the link, ATP Safe Links and the Intelligent Security Graph go into action to provide protection. ATP recognized the website as malicious and stops the user in their tracks, not giving them the opportunity to click through to the original website (although that can be changed in the policy).

Conclusion:

Office 365 Advanced Threat Protection provides protection against advanced threats such as phishing and malware for not only your email in Office 365, but also Microsoft Teams! What if everyone had this enabled? The world might just be a safer place! Enjoy!

Block OneDrive Downloads and Audit OneDrive Activity! (SharePoint too!)

Do you have a business requirement to block the download of specific files or file types from OneDrive? What about detailed auditing to understand what files are downloaded or viewed? Well, today is your lucky day, because this is all possible with Microsoft security technology and takes minutes to create. I’m going to walk you through how to do this, and in return, make you look like an IT Rockstar to your organization!

Note: There are other methods to restrict those files from being synchronized using the OneDrive desktop client; we won’t cover those today, however (they are accessible in the SharePoint Online Admin Portal).

IMPORTANT: Nothing is 100% secure and it’s all about defense in depth. If you want that extra ply in the tinfoil hat, I highly recommend protecting and encrypting those files with Azure Information Protection as that extra layer of protection.

Also, it’s important to note that the method below, at the time of this writing, is in public preview.

Background:

My organization, an engineering firm, designs buildings for its commercial and government clients. These design plans often contain additional documentation in the form of a .PDF and sometimes photos in the form of a .JPEG (or .jpg).

Scenario:

These .PDF and .JPEG files are highly confidential and thus we want to make sure they never leave OneDrive in Office 365 and can only be viewed in a web browser. In other words, we need to block the ability for an end-user to download these two file types from OneDrive. So, how do we do this?

Solution:

Azure Active Directory Conditional Access and Microsoft Cloud App Security Conditional Access App Control to the rescue! The two products that make up this solution, Azure Active Directory and Microsoft Cloud App Security, are part of Microsoft 365 E5 or EMS E5, or my new favorite: Microsoft 365 E3 + Identity & Threat Protection.

Let’s take a look at how to do this!

Step 1: Create an Azure AD Conditional Access Policy

From within the Azure portal -> Azure Active Directory -> Conditional Access -> New Policy I am going to create a new policy. First, give it a name, “OneDrive Block JPEG and PDF”. Next, assign it to specific users or groups of users. For testing purposes I’m assigning it to Adele Vance (IMPORTANT: Don’t lock yourself out! Careful planning is required when assigning to all users).

Next, add Office 365 SharePoint Online as the application the policy applies to:

Under Session, select Use Conditional Access App Control, then click Done.

Next, click Enable policy to enable the policy and click Create.

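To make the “don’t lock yourself out” warning concrete, here is an added Python example (not from the original post, and not Microsoft's code) that lints a Conditional Access policy written in the shape of the Microsoft Graph conditionalAccessPolicy resource. It encodes the Step 1 policy (Office 365 SharePoint Online, one test user, the Conditional Access App Control session control; the user and group object ids are placeholders) and then checks a widened “All users” copy for a missing break-glass exclusion and for being enforced without a report-only run.

```python
"""Lint an Azure AD Conditional Access policy for the pitfalls in Step 1.

Added example, not from the original post. Policy values mirror Step 1;
object ids are placeholders.
"""
import copy

# Well-known app id of Office 365 SharePoint Online (OneDrive sessions are proxied through it).
SHAREPOINT_ONLINE_APP_ID = "00000003-0000-0ff1-ce00-000000000000"

# The policy as built in Step 1: one test user, SharePoint Online, CAS session control.
POLICY_TEST_USER = {
    "displayName": "OneDrive Block JPEG and PDF",
    "state": "enabled",
    "conditions": {
        "users": {
            "includeUsers": ["<adele-vance-object-id>"],  # placeholder object id
            "excludeUsers": [],
            "includeGroups": [],
            "excludeGroups": [],
        },
        "applications": {
            "includeApplications": [SHAREPOINT_ONLINE_APP_ID],
            "excludeApplications": [],
        },
        "clientAppTypes": ["all"],
    },
    "grantControls": None,
    "sessionControls": {
        # "Use Conditional Access App Control" in the portal
        "cloudAppSecurity": {"isEnabled": True, "cloudAppSecurityType": "mcasConfigured"}
    },
}


def lint_policy(policy):
    """Return a list of findings; an empty list means the policy passes."""
    findings = []
    conditions = policy.get("conditions", {})
    users = conditions.get("users", {})
    apps = conditions.get("applications", {})
    cas = (policy.get("sessionControls") or {}).get("cloudAppSecurity") or {}

    if not (cas.get("isEnabled") and cas.get("cloudAppSecurityType") == "mcasConfigured"):
        findings.append("session control is not 'Use Conditional Access App Control'; "
                        "CAS session policies will never see this traffic")
    if SHAREPOINT_ONLINE_APP_ID not in apps.get("includeApplications", []):
        findings.append("Office 365 SharePoint Online is not in scope; OneDrive is not proxied")

    targets_everyone = "All" in users.get("includeUsers", [])
    has_exclusion = bool(users.get("excludeUsers") or users.get("excludeGroups"))
    if targets_everyone and not has_exclusion:
        findings.append("targets All users with no excluded break-glass account or group (lockout risk)")
    if targets_everyone and policy.get("state") == "enabled":
        findings.append("targets All users and is enforced; run it as "
                        "'enabledForReportingButNotEnforced' (report-only) first")
    if policy.get("state") == "disabled":
        findings.append("policy is disabled; nothing is enforced")
    return findings


def all_users_variant(policy, exclude_groups=(), state="enabled"):
    """Copy of the policy re-scoped to All users, the case the warning above is about."""
    widened = copy.deepcopy(policy)
    widened["state"] = state
    widened["conditions"]["users"]["includeUsers"] = ["All"]
    widened["conditions"]["users"]["excludeGroups"] = list(exclude_groups)
    return widened


if __name__ == "__main__":
    for name, pol in [
        ("test user", POLICY_TEST_USER),
        ("all users, no exclusions", all_users_variant(POLICY_TEST_USER)),
        ("all users, report-only, break-glass excluded",
         all_users_variant(POLICY_TEST_USER, ["<break-glass-group-id>"],
                           "enabledForReportingButNotEnforced")),
    ]:
        print(name, "->", lint_policy(pol) or ["ok"])
```

The same checks apply whether you create the policy in the portal or through Graph: the break-glass exclusion and a report-only run before enforcement are what keep a session-control policy from becoming an outage.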
Step 2: Launch OneDrive (via portal.office.com)

Wait 15 minutes for the new Conditional Access policy to propagate. Next, open a new browsing session (InPrivate or on another computer) and log on as the test user the policy was just assigned to. In my case, I am going to sign in to portal.office.com in an InPrivate session as Adele. Browse to OneDrive in the Office portal and open a file in the web browser. Sign out of this web browsing session when done.

Step 3: Configure Microsoft Cloud App Security

We now need to configure Microsoft Cloud App Security (CAS) and create the appropriate policies.

To start, validate that OneDrive is a connected application by browsing to http://portal.cloudappsecurity.com and navigating to Investigate -> Connected Apps. Notice OneDrive for Business will be listed and connected. (Yes, you can also connect CAS to G-Suite, Box, and other apps!)

Next, click on Conditional Access App Control apps and OneDrive for Business will also be displayed:

Step 4: Create the Session Policy in Microsoft Cloud App Security

Next, we need to create the policy that will provide the session control when Adele uses OneDrive in the Office 365 Portal. To do this navigate to Control -> Policies, click New Policy and select Session Policy.

Let’s give the policy a name and description:

Next, under Session control type select Control file download (with DLP). Under Activity source and activity filters, configure them per the screenshot below:

Scroll down (leave content inspection blank and don’t check the box) and under Actions select Block. OPTIONAL: Configure user email notification or customize the block message. When finished, at the bottom of the page click Create.

Step 5: Test the User Experience

Now it’s time to test and validate this is the behavior we want. Open a new web browsing session and log in as the test user. In my case, I’m going to log in to portal.office365.com using Adele Vance’s account in an InPrivate browser session.

Once signed in, navigate to OneDrive in the Office 365 Portal. When you click on OneDrive, notice the splash page indicating this site is being monitored!

Also, notice the address of the site. It’s being proxied through CAS.MS, indicating this session is being controlled by Cloud App Security:

Click Continue to Microsoft OneDrive for Business.

Notice I have two files, a .PDF and a .JPEG, in the OneDrive folder:

Hover the cursor over the PDF, click the ellipsis, and select Download.

Notice the file download is blocked with a splash message indicating it’s blocked!

Now, I know what you’re wondering: “Matt, what’s that file it wants to save?” When I open that file, it’s just a warning:

From here, within the Cloud App Security Portal, I can audit the activity and receive additional details around this attempt:

Additional alerting can be generated, with an email or SMS notification sent. Imagine having CAS send an email to your ticket system so you can be notified of this violation. What about sending it to your SIEM? Endless possibilities.

Conclusion:

As you can see, with a bit of an open mind and creativity, building true security solutions that lead to a real business outcome is entirely possible. The total time spent creating this solution was 10 minutes. Don’t forget to test all the scenarios for this (which obviously will add to the 10 minutes). Questions? Let me know in the comments below!

Enjoy and help us make this world more secure! –Matt Soseman

Intune: Upgrade Windows Pro to Enterprise AUTOMATICALLY!

Do you have a bunch of Windows 10 Pro devices and would like to upgrade them to Windows 10 Enterprise? Microsoft 365 (specifically Microsoft Intune) can help you!

Note: For more information please reference Deploy Windows 10 Enterprise licenses. The following is an example on how to do this with Intune (assuming appropriate licenses have been purchased and assigned).

First, create a Microsoft Intune configuration policy. In the Azure Portal navigate to Microsoft Intune -> Device Configuration -> Profiles. Click Create Profile.

Next, create a new Windows 10 and later profile, with a type of Edition Upgrade. Click Settings.

Click Edition Upgrade.

In the field Edition to upgrade to select Windows 10 Enterprise. In the Product Key field type in the product key (e.g. a MAK key). Then click OK.

Click OK to save the Edition Upgrade. Click OK again, then click Create.

Next, click Assignments, in the Assign to menu select All Users & Devices, then click Save.

Note: Your assignments may be different per your organization’s requirements. This is only an example. You could also assign only the machines in question, or use a dynamic security group that queries on the device serial number, etc.

On a virtual machine with Windows 10 1803, install Windows 10 Pro:

Note: I’m showing you this to demonstrate the upgrade. Ideally you would sign in with an organizational account in the OOBE when installing Windows. However, if I did that here, you wouldn’t see that I’m coming from Pro 🙂

Notice it’s Windows 10 Pro:

Join the machine to Azure AD to receive the Intune policy:

Reboot the machine and sign in with the user’s Azure AD credentials. Once signed in, open System Information and notice that Windows has been upgraded to Enterprise!

This can be verified in the Intune portal under Device Status for the configuration policy that was previously created:

I hope you found this helpful. Questions? Please let me know in the comments below! Enjoy!

Send encrypted emails to anyone using Office 365!

Have you ever needed to send an email to someone, but didn’t want them to forward the email or copy sensitive text out of the attachment or email? You probably only want the intended recipient to view the email, and not have it accessible to anyone else. In other words, you probably want that email to be encrypted. If you are an Office 365 subscriber, you have this capability today: Office 365 Message Encryption (OME)! Would this be useful in your environment? If so, read on…

OME enables only the intended recipient to open the message using their identity: Azure AD, Office 365, Microsoft Account, Gmail, or a One Time Passcode (OTP). Once accessed, they can read the email, but based on your policy they cannot forward the email, and they have read-only access to the attachments (and cannot download the attachments).

Let’s take a look at the user experience and what OME is all about!

IMPORTANT: For the full technical documentation on how to setup and the IT Admin configuration that is required see: Office 365 Message Encryption and Set up new Office 365 Message Encryption capabilities for more information.

Sending the email:

I am going to send an email to a Gmail account. Office 365 Message Encryption in my environment is configured using a Mail Flow rule in Exchange Online to apply encryption to any email leaving my organization that has the key words Sales Quote. I am also going to send the same email to an Outlook.com account. I’ll explain later why the two accounts.

The message will now be received at Gmail and Outlook.com. Note the experience (subject line and body of message) in Gmail:

The email is encrypted. To view its contents I am going to click “Read the message”. A new browser window will appear asking me to authenticate. From here I can use my Gmail (Google) credentials to view the email, or a One Time Passcode emailed to me:

For purposes of this demo I am going to click Or, sign in with a one-time passcode. The OTP will be emailed to me:

Next, I am going to type in the OTP to gain access to the encrypted email:

Once I have authenticated using the OTP, I can now view the contents of the encrypted email. Notice how the Forward button is grayed out and the email is only viewable in the browser. Even right-click functionality is disabled!

If I try to open the attached document, I can download it, but once opened I can view the text but cannot cut/copy text out of the document (it is protected). Also, notice how I cannot take a screenshot; it’s blacked out!

Pretty cool, huh? Remember I also sent the same email to an Outlook.com address.

IMPORTANT: Outlook.com and Azure AD (Office 365) subscribers will never have to authenticate using an OTP or have a secure browser session; pass-through authentication will enable the recipient to view the email within the email application. Here’s what this looks like in Outlook.com without having to take any additional action to read the encrypted email (note the Forward button is also grayed out):

Conclusion:

Depending on your business scenario, Office 365 Message Encryption may help you to stay compliant and ensure that only the intended recipient can view your email, and stay confident that the information in the email will be protected. Enjoy!

AIP: I know when you open my document, and I can revoke access! (Compliance + Sales = Seller Hero)

Have you sent an email to someone (perhaps a customer) that contained an important document and wished you could see if they have opened it? What if you accidentally sent the document to the wrong audience; wouldn’t it be nice to revoke access? Perhaps it’s a sales quote and you want it to expire in 30 days? Well, the future is here, and this is possible today using Azure Information Protection (AIP), included with Enterprise Mobility + Security, Microsoft 365, or a plan that includes AIP with Office 365. In this blog post we will explore, from an end-user perspective, how they can see if their recipient has opened the document, and how to revoke its access.

Azure Information Protection enables your organization to classify its data and apply security policy to that data, but more importantly gives the end-users visibility and control over how the data is consumed. This tool is extremely powerful for both IT and end-users, because it allows you to not only discover what data is in the organization, but classify it based on some criteria (e.g. Confidential, Secret, Top Secret, and risk to the organization) and apply policies that govern who can access what data based on the classification assigned.

This can be especially useful when you need help complying with regulations like GDPR. For more information about Azure Information Protection, I suggest reading the IT Pro documentation: What is Azure Information Protection?, as I will not be covering full technical details here, such as how to configure the protection policy. I also highly suggest reviewing the AIP client user guide HERE.

You’re telling me I can see who has opened my document?

Yes! If I send you a document, spreadsheet, PDF, PowerPoint, etc., I can see if you have opened that file; it doesn’t matter how it was sent, either (email, file transfer over Skype, posted to Teams, etc.). I can also see who has opened the file, by their identity, regardless of whether they were the intended recipient. I simply control this using the site https://track.azurerms.com

When I browse to the site and log in, I can see a list of the documents I have protected using Azure Information Protection:

Clicking on one of the documents, I can see how many views (and by whom), how many (and by whom) were denied access to the document, among other controls. Let’s click on List at the top menu:

Here I can see who (by user identity, as signed into the Office applications) has attempted to access the document and whether or not they were successful. This is extremely useful!

Clicking on Map at the top menu I can see where in the world the document has been accessed. If all my users were accessing from the US, and then one user was from outside the US, this could indicate a stolen identity or data breach, and I may want to revoke access to the document.

Clicking on Settings from the top menu allows me to do something REALLY COOL: whenever the document is accessed, I can receive an email notification! Why is this really cool? I might be a salesperson and this document might be a proposal to a client. If I never receive an email, then I know you never opened the document and may not be interested, and I need to adjust my sales approach. This is one of the features of the product (in my opinion) that sells itself. Having that type of intelligence can be critical to the closure of a deal.

At the bottom of the page, I can revoke everyone’s access to the document by clicking the Revoke Access button:

At the bottom, I click Confirm:

All access to the document has now been revoked:
How does this work?

All roads lead to identity:

When a file is protected using Azure Information Protection (AIP), the file is actually encrypted at the file level, and the encryption travels with the file wherever it goes. This encryption is tied to the user’s identity in Azure Active Directory (AD). When the file is accessed, the user authenticates to Azure AD, authorization is checked, the file is decrypted and the user can view the file. For more detailed technical information on how this encryption process works see How does Azure RMS work? Under the hood.

So, if I give you a super sensitive file that has been protected using AIP, unless you have my identity, or have been granted authorization, you cannot open the file. This is (in my opinion) a game changer, as this means your organization’s data can travel from device to device (personal home computer, work computer, mobile devices, USB sticks, etc.) and the data will stay encrypted. It doesn’t matter if the device is protected or not, because the file is already encrypted. It doesn’t matter if I accidentally send the file to someone I shouldn’t have, because it’s already encrypted.

What’s required to do this? A few things as outlined in the technical documentation but most importantly: The recipient (inside or outside your organization) needs to have an identity account in Azure Active Directory.

What if the recipient does not have an Azure AD account?

If the file is being sent to someone outside your organization, and that recipient does not have an identity account in Azure Active Directory you have a few options:

  1. The recipient can sign up for “Azure RMS for Individuals” by browsing to this website and going through the wizard. Microsoft will check the email address to see if it’s associated with an AIP subscription, or an Office 365 subscription that includes AIP. If it is not found, you can register and essentially an account in Azure Active Directory will be created for you. For more information about this process see: RMS for individuals and Azure Information Protection (Note: this DOES NOT sign your company up for anything; this is tied to a single identity so you can use the viewer or sign into a protected file.)
  2. If you do not want to go with option 1 (although it’s VERY easy!) then your second option is actually pretty interesting. When AIP is used with Exchange Online, and that document is sent using Office 365 Message Encryption, then you can sign in using a Gmail, Hotmail or Microsoft (Live) account! See New Capabilities Available in Office 365 Message Encryption.
  3. The last option uses the Azure Information Protection client. You can manually specify the recipients who are authorized to access the file (by email address) and their associated permissions using the AIP client:

IMPORTANT: All three options require the user to sign into Office on their device (or use the Azure AIP Viewer) with the identity that is associated with the AIP protected file. So, if I receive a spreadsheet from you sent to johndoe@gmail.com, I need to sign into Excel on my device as johndoe@gmail.com.

NOTE: Notice above, there is an option to Expire Access. I can have the file expire after say, 30 days and no one can open it afterwards. This is again another important feature that adds tremendous value (salesperson that wishes to expire a quote after 30 days).

Conclusion:

As you can see, Azure Information Protection can provide tremendous value back to your organization by empowering employees to take control over their data and ensure its security. At the same time, it enables them to be more productive by seamlessly sharing sensitive files outside the organization and tracking their usage. This used to require different 3rd party products, and trying to get them integrated with the environment was a challenge.

It’s important to note, I have not shown all the back-end configuration that can be performed by IT to add additional value and to meet organizational requirements. Please review the technical documentation to learn more about the following: trusted domains, permissions based on classification type, Office 365 Message Encryption (and how typing the recipient’s email address in the To line in Outlook automatically grants them permissions, etc.)

If you own AIP through Microsoft 365, Office 365 or Enterprise Mobility and Security – give this a try and tell me about your success in the comments below!