Microsoft Teams: Protect against Phishing & Malware

Pretend for a moment that I am a marketing agency you just hired, and you invite me as a guest to a team in Microsoft Teams to collaborate. What happens if that guest’s account gets compromised and a bad actor gains access to your team in Microsoft Teams? Your organization is having sensitive conversations there and uploading sensitive files, and if that data were to be publicly disclosed, it could do damage to the organization. More importantly, a bad actor can post hyperlinks to “phishing” web sites and upload malicious files into Microsoft Teams – from there users can open the links or run the files, posing a serious threat to your organization’s security.

How do we help to protect against phishing attacks and malicious files in Microsoft Teams? Office 365 Advanced Threat Protection is here to help. In fact, Office 365 ATP can also help to protect against phishing and malware in not just Microsoft Teams, but Exchange Online, SharePoint, and OneDrive! More information in the Service Description here.

To configure, once the appropriate licenses have been purchased and assigned to each user, open the Office 365 Security & Compliance Center -> Threat Management -> Policy and click on ATP Safe Attachments:

Check the box Turn on ATP for SharePoint, OneDrive and Microsoft Teams and click Save:


Now, when a malicious file is uploaded to Microsoft Teams, Office 365 ATP will perform a detonation of the file (following this process). Here we have files in Microsoft Teams, are they malicious?

If the file is indeed malicious, when the user attempts to execute the file in Microsoft Teams, they will receive the following message:

Safe Attachments stops the user in their tracks, and never gives them the opportunity to launch the file. This same behavior also occurs when the file is executed directly from SharePoint. If using Office 365 Alerts (in the Security & Compliance Center), an alert can be configured to notify the admin that malware was uploaded to Microsoft Teams:

Here’s what the alert looks like:

(Note, if using Microsoft Cloud App Security an SMS notification can be sent, and MCAS also offers integration into your SIEM.)

What about phishing links in Microsoft Teams? If the ATP Safe Links policy is correctly configured (more information here), then when a phishing hyperlink is posted, the user will receive a blocking message when attempting to click on the hyperlink. Let’s take a look at this below. Here’s a hyperlink in a team conversation in Microsoft Teams:

When the user clicks on the link, ATP Safe Links and the Intelligent Security Graph go into action to provide protection. ATP recognizes that the website is malicious and stops the user in their tracks, not giving them the opportunity to click through to the original website (although that can be changed in the policy).


Office 365 Advanced Threat Protection provides protection against advanced threats such as phishing and malware for not only your email in Office 365, but also Microsoft Teams! What if everyone had this enabled? The world might just be a safer place! Enjoy!

Block OneDrive Downloads and Audit OneDrive Activity! (SharePoint too!)

Do you have a business requirement to block the download of specific files or file types from OneDrive? What about detailed auditing to understand what files are downloaded or viewed? Well, today is your lucky day – because this is all possible with Microsoft security technology and takes minutes to create. I’m going to walk you through how to do this, and in return, make you look like an IT Rockstar to your organization!

Note: There are other methods to restrict those files from being synchronized using the OneDrive desktop client, we won’t cover those today however (but are accessible in the SharePoint Online Admin Portal)

IMPORTANT: Nothing is 100% secure and it’s all about defense in depth. If you want that extra ply in the tinfoil hat, I highly recommend protecting and encrypting those files with Azure Information Protection as that extra layer of protection.

Also, it’s important to note that the method below is in public preview at the time of this writing.


My organization, an engineering firm, designs buildings for its commercial and government clients. These design plans often contain additional documentation in the form of a .PDF and sometimes photos in the form of a .JPEG (or .jpg).


These .PDF and .JPEG files are highly confidential and thus we want to make sure they never leave OneDrive in Office 365 and can only be viewed in a web browser. In other words, we need to block the ability for an end-user to download these two file types from OneDrive. So, how do we do this?


Azure Active Directory Conditional Access and Microsoft Cloud App Security Conditional Access App Control to the rescue! These two products are part of Microsoft 365 E5 or EMS E5 or my new favorite: Microsoft 365 E3 + Identity & Threat Protection. The two products that make up this solution are Azure Active Directory and Microsoft Cloud App Security.

Let’s take a look at how to do this!

Step 1: Create an Azure AD Conditional Access Policy

From within the Azure portal -> Azure Active Directory -> Conditional Access -> New Policy, I am going to create a new policy. First, give it a name, “OneDrive Block JPEG and PDF”. Next, assign it to specific users or groups of users. For testing purposes I’m assigning it to Adele Vance (IMPORTANT: Don’t lock yourself out! Careful planning is required when assigning to all users).



Next, add Office 365 SharePoint Online as the application to be applied to:



Under Session, select Use Conditional Access App Control, then click Done.

Next, click Enable policy to enable the policy and click Create.


Step 2: Launch OneDrive (via

Wait 15 minutes for the new Conditional Access policy to propagate. Next, open a new browsing session (in-private or on another computer) and log on as the test user the policy was just assigned to. In my case, I am going to sign in as Adele in an in-private session. Browse to OneDrive in the Office portal and open a file in the web browser. Sign out of this web browsing session when done.

Step 3: Configure Microsoft Cloud App Security

We now need to configure Microsoft Cloud App Security (CAS) and create the appropriate policies.

To start, validate that OneDrive is a connected application by browsing to the Cloud App Security portal and navigating to Investigate -> Connected Apps. Notice OneDrive for Business will be listed and connected: (Yes, you can also connect CAS to G-Suite, Box, and other apps!)


Next, click on Conditional Access App Control apps and OneDrive for Business will also be displayed:

Step 4: Create the Session Policy in Microsoft Cloud App Security

Next, we need to create the policy that will provide the session control when Adele uses OneDrive in the Office 365 Portal. To do this navigate to Control -> Policies, click New Policy and select Session Policy.



Let’s give the policy a name and description:


Next, under Session control type select Control file download (with DLP). Under Activity source and activity filters, configure them per the screenshot below:



Scroll down (leave content inspection blank and don’t check the box) and under Actions select Block. OPTIONAL: Configure user email notification or customize block message. When finished at the bottom of the page click Create.

Step 5: Test the User Experience

Now it’s time to test and validate this is the behavior we want. Open a new web browsing session and log in as the test user. In my case, I’m going to log in using Adele Vance’s account in an in-private browser session.


Once signed in, navigate to OneDrive in the Office 365 Portal. When you click on OneDrive, notice the splash page indicating this site is being monitored!





Also, notice the address of the site. It’s being proxied through CAS.MS indicating this session is being controlled by Cloud App Security:


Click Continue to Microsoft OneDrive for Business

Notice I have two files, a .PDF and a .JPEG in the OneDrive folder:


Hover the cursor over the PDF and click the ellipses, and select Download


Notice, the file download is blocked with a splash message indicating it’s blocked!


Now, I know what you’re wondering, “Matt what’s that file it wants to save?” When I open that file, it’s just a warning:


From here, within the Cloud App Security Portal, I can audit the activity and receive additional details around this attempt:

Additional alerting can be generated, with an email or SMS notification sent. Imagine having CAS send an email to your ticket system so you can be notified of this violation? What about sending to your SIEM? Endless possibilities.


As you can see, with a bit of an open mind and creativity, it is entirely possible to build true security solutions that lead to a real business outcome. The total time spent creating this solution was 10 minutes. Don’t forget to test all the scenarios for this (which obviously will add to the 10 minutes). Questions? Let me know in the comments below!

Enjoy and help us make this world more secure! –Matt Soseman

Microsoft Teams: Protecting against advanced threats

How well do you trust your employees? What about your vendors? I’m constantly coming across organizations that are storing intellectual property and other sensitive data in Microsoft Teams, so they can collaborate with that data in a centralized manner. I’m also learning that most of those organizations are enabling guest access, and allowing outside vendors to have access to that data and the resources within the team. A good example of this is an outside marketing agency that you contract with for event marketing, online marketing, etc. What if a guest of that team (or an employee) accidentally (or intentionally) uploads malware to the team (but masks it as a file called MarketingRoadmap.pptx), and an employee of the organization opens the file? The malware could now spread throughout your environment.

This is where Office 365 Advanced Threat Protection (ATP) comes in. ATP can help to safeguard your organization from this threat by “detonating” (executing) files uploaded to Microsoft Teams (specifically the SharePoint/Office 365 Group on the back-end) to validate it is a legitimate file and contains no malicious code that can do harm. This feature comes with Microsoft 365 E5, Office 365 E5, or available as an add-on to an existing Office 365 subscription.

Too Long Don’t Read (TLDR): In this blog, I’m going to describe how to enable this feature, perform a test, and show you alerting. For details on how Office 365 Advanced Threat Protection for SharePoint, Microsoft Teams, and OneDrive works and its architecture, see the below diagram – and read the following article: Office 365 ATP for SharePoint, OneDrive, and Microsoft Teams

Office 365 Advanced Threat Protection Architecture:

How to enable Office 365 Advanced Threat Protection:

Note: I will not be discussing Office 365 ATP for Exchange Online.

To enable, simply browse to the Office 365 Security & Compliance Center -> Threat Management -> Policy and click ATP Safe Attachments:

Once in ATP Safe Attachments, check the box Turn on ATP for SharePoint, OneDrive and Microsoft Teams and click Save:

IMPORTANT: Review the Safe Attachment policies and configure as appropriate. Consider running Set-SPOTenant with DisallowInfectedFileDownload in PowerShell for the SharePoint tenant to ensure the malicious files cannot be downloaded. For more information see Turn on Office 365 ATP for SharePoint, OneDrive, and Microsoft Teams.
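The two settings discussed above (the "Turn on ATP for SharePoint, OneDrive and Microsoft Teams" checkbox and DisallowInfectedFileDownload) can also be audited and enforced from PowerShell. This script is an added example, not part of the original post; it assumes the SharePoint Online Management Shell and ExchangeOnlineManagement modules are installed, and the admin URL shown in the comment is a placeholder for your own tenant.

```powershell
#Requires -Modules Microsoft.Online.SharePoint.PowerShell, ExchangeOnlineManagement
# Added example: audit and, if needed, enforce the two tenant-wide settings.
# Run with -WhatIf first to see what would change without changing anything.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Placeholder format: https://<tenant>-admin.sharepoint.com
    [Parameter(Mandatory)]
    [string]$SpoAdminUrl
)

# Sign in to both services (interactive prompts; requires admin roles).
Connect-SPOService -Url $SpoAdminUrl
Connect-ExchangeOnline -ShowBanner:$false

function Get-TeamsFileProtectionState {
    # Read the current values of both settings into one object.
    $atp = Get-AtpPolicyForO365
    $spo = Get-SPOTenant
    [pscustomobject]@{
        AtpForSpoTeamsOneDrive       = [bool]$atp.EnableATPForSPOTeamsODB
        DisallowInfectedFileDownload = [bool]$spo.DisallowInfectedFileDownload
    }
}

$before = Get-TeamsFileProtectionState
Write-Host 'Current state:'
$before | Format-List

# Equivalent of ticking "Turn on ATP for SharePoint, OneDrive and Microsoft Teams".
if (-not $before.AtpForSpoTeamsOneDrive) {
    if ($PSCmdlet.ShouldProcess('Office 365 ATP policy',
            'Enable ATP for SharePoint, OneDrive and Microsoft Teams')) {
        Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true
    }
}

# Prevent users from downloading files that ATP has flagged as malicious.
if (-not $before.DisallowInfectedFileDownload) {
    if ($PSCmdlet.ShouldProcess('SharePoint Online tenant',
            'Set DisallowInfectedFileDownload to $true')) {
        Set-SPOTenant -DisallowInfectedFileDownload $true
    }
}

# Re-read the settings so the final state is confirmed, not assumed.
$after = Get-TeamsFileProtectionState
Write-Host 'State after run:'
$after | Format-List

if (-not ($after.AtpForSpoTeamsOneDrive -and $after.DisallowInfectedFileDownload)) {
    Write-Warning 'One or both protections are still off (expected when run with -WhatIf).'
}
```

Policy changes can take some time to propagate across the service, so re-run the script later to confirm the final state.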

User Experience:

If a malicious file is uploaded, and detected by ATP, the user will be unable to open the file. If the user browses to the Office 365 Group or SharePoint site where the file is stored, and attempts to run from there, they will be presented with the following:

Setting up an alert:

As the admin, I want to be notified when this activity occurs. Using Office 365 Alerts I will create an Alert Policy to notify me so I can take action:

When the alert notification arrives via email, here is an example of what it looks like:

Clicking Investigate will launch the alert in Office 365 Alerts (notice I can suppress, or notify users):

Accessing the event via Threat Explorer gives me access to additional details and advanced analysis that could be helpful in my investigation of the threat:


Office 365 Advanced Threat Protection is one of the many layers in your defense in depth approach to cyber security, and with its ease of administration and use, it can be a valuable tool to protect your organization. Enjoy! –Matt Soseman

Microsoft Teams: Use an Existing SharePoint Library


Have you had a need to connect an existing SharePoint file repository to a team in Microsoft Teams? Perhaps you have a legacy SharePoint document library that has been in use for years, and stores many files valuable to the organization. I’d like to explore with you how to connect that existing document library to a channel in a team, so you can continue to use that investment without having to migrate data to the document library in Teams.


UPDATE 6/17/18: This is now replaced with the new SharePoint/Folder tab icon. Look for the first icon in the list!

First, background on files in Teams:

When a new channel is created within an existing team, a document library is created within the Office 365 Group the team is associated with. This document library is “pinned” to the channel as a tab called Files. This allows you to interact with the files in the document library directly within Teams without having to leave the application. Here’s a couple of examples of what this looks like:

If you are curious about the relationship between document libraries and teams/channels, here’s a nice diagram that helps to describe that relationship:

What if I want to use an existing document library?

If you have an existing document library from another SharePoint team site, it’s possible to connect that library to the channel in Microsoft Teams. To do this, within the channel click the + icon at the top of the channel to add a new tab to the channel:

On the Add a tab dialog box, click SharePoint:

Next, in the SharePoint dialog box, you will be presented with two options: Relevant sites and Use a SharePoint link. Click Use a SharePoint Link:

In the Library Url field, type the URL of the document library. For my demonstration I will use once entered click Go: and the site will appear. Then click Next.

On the Pick a document library dialog box, select the document library you wish to connect to. For my demonstration I will use Documents then click Next.

On the Name your tab dialog box, give your tab a name (I will use Online Marketing Documents) then click Save. (Note, the Post to the channel about this tab box is checked. I like to do this as it alerts other team members in the conversation feed that this tab was created.)

The Online Marketing Documents tab has now been created, and my existing files from the document library are shown. I can now interact with those files and, based on my preference, click the Open in SharePoint button to launch the SharePoint team site where that existing library lives.

What if I don’t want to add a new tab?

If you do not wish to create a new tab, from within the Files tab click Add cloud storage, then select SharePoint and follow the same on-screen instructions. This will create a new folder in the Files tab that links to the SharePoint document library. This might be useful to make Teams simple to adopt and reduce complexity for end-users.

Click Add cloud storage

Click SharePoint

Following the same wizard as above when I created a tab, I will enter the Url of my document library.

Select Documents then click Next

Click Add folder

The document library will be added as a folder, (note the SharePoint icon on the folder).

Conclusion: This is a very easy way to bring existing SharePoint functionality such as a document library into Microsoft Teams so that your users can collaborate effectively in the team hub.

PowerBI: Visualize your data in dashboard in 10 minutes

Introduction: In this post I will showcase how to create a Power BI dashboard in 10 minutes that connects to a SharePoint list as the data source. In the previous post, PowerApps: Be a hero and transform business process, in 10 minutes (and without writing code!), I walked you through how to create a PowerApp and use it to enter data in a SharePoint list. In this post, we will take that data and present it in a Power BI dashboard to make it easier to visualize the data.

First, download Power BI Desktop and install it on your PC. This is required in order to connect to SharePoint Online lists. Once downloaded, launch Power BI Desktop and select Get Data from the toolbar:

In the Get Data dialog box, click Online Services on the left, then on the right highlight SharePoint Online List and click Connect:

In the SharePoint Lists dialog box, type the URL of the SharePoint parent site and click OK:

Note: This is the parent URL of the site, and not the specific URL of the list you are trying to query.

In the Navigator dialog box, on the left side place a check mark next to the list you wish to query and click Load:

The SharePoint List will be retrieved and a data model will be created in Power BI Desktop:


Once loaded, the right side of Power BI Desktop will contain your data – specifically the columns in the SharePoint list:

Note: The data will contain columns that are also hidden on SharePoint.

Now, let’s create a simple pie chart to show how many hours are spent on each project. Click the pie chart icon, and a new pie chart will be placed in the workspace:

On the right side, drag the columns Title to the Details field and Hours Spent to the Values field:

In the workspace, notice the pie chart that was created and updated in real time:

Next, create a bar chart by clicking the icon. Drag Project to the field and drag Hours Spent to the Value field.

Notice the bar chart is created in real-time:

Next, on the toolbar click Publish:

When prompted to save, save the Power BI Desktop file to your desktop and give it a name, for my example I will use Time Tracker. At the Publish to Power BI dialog box select My Workspace and click Select:

The report will now be published to Power BI. Once finished, open an internet browser, navigate to Power BI and sign in:

On the left side, expand My Workspace and click the report Time Tracker. This will display the report you just created in Power BI Desktop:

To create a dashboard based on this report, hover the mouse cursor over the pie chart and click the (thumb tack icon). At the Pin to Dashboard dialog box, in the New dashboard field type a name (for this example I will use Time Tracker) and click Pin:

This will create a new dashboard and a toast notification will appear, close the message:

Repeat the above steps for the bar chart. Hover the mouse cursor over the bar chart and click the (thumb tack icon). At the Pin to Dashboard dialog box, select Existing Dashboard, ensure Time Tracker is selected and click Pin:

Next on the left side, click Time Tracker underneath Dashboards to access the dashboard that was just created:

This will display the dashboard. Click Share at the top right corner


In the Share dashboard flyout on the right side, in the Grant access to field type the name of a user and select that user. Then click Share:

A new toast notification will appear indicating the dashboard has been successfully shared:

The user will receive the following email message, giving them a link to access the dashboard:

IMPORTANT: This dashboard can also be accessed using the Power BI smartphone app.

For fun, let’s use the natural language Q&A to ask a question about the data. On the dashboard page, in the Ask a Question about your data field type how many totals hours spent and press Enter. In real-time the sum of the total number of hours will be shown:

Let’s ask another question, repeating the step above ask how many hours spent on project eclipse:

Click Exit Q&A. Click on the pie chart, the report view will open. Click the red area of the pie chart. Notice how in real-time the data is filtered on both the pie and bar charts to reflect filtering on Project Health:

Conclusion: As you can see, it’s relatively straightforward, fast and easy to connect to your SharePoint list and create powerful visualizations of your data and share with others using PowerBI.

As always, if you have feedback, comments on this post or ideas for future posts please let me know in the comments below. Also, I would love to hear how you are using PowerApps, SharePoint and PowerBI to digitally transform and create new scenarios.


PowerApps: Be a hero and transform business process, in 10 minutes (and without writing code!)

Introduction: This post will walk you thru how to create an application using PowerApps in 10 minutes.

PowerApps is a powerful tool from Microsoft that allows anyone (yes anyone) to build an application that connects to your existing data sources, that can run on iOS/Android/Windows Phone/Windows devices or in a web browser – all without writing any code. This is pure awesomeness, because you can solve business problems with real solutions, and drive real results.

The data you can connect to can range from Excel spreadsheets, SQL databases, SharePoint lists, Dynamics 365 and even non-Microsoft applications such as Salesforce or Dropbox, and custom APIs (full list of sources PowerApps can connect to can be found here)

Scenario: The possibilities are endless. In this blog post we’ll use a scenario of time tracking and the challenge of having to enter that time into a system of record and make the interaction with the data as frictionless as possible. For this example, we’ll use SharePoint Online as that system of record, and will build a PowerApp to enter that data. For bonus points in a follow up post, we’ll explore how to visualize and make sense of that data using Power BI. (Of course, this is just an example – what’s an example from your business that you can use to build your first PowerApp?)

For the example, I’ll make it real by sharing with you this is a similar solution my team at Microsoft uses to keep track of time spent on projects and programs we manage and provide reporting on how we spend our time up to our leadership. This simple solution provides an easy way to not only perform data entry but also enables a very interesting way to provide visibility of the data to others outside the team who may not be familiar with the details.

Let’s do this!

To start, we’ll take an existing SharePoint site that has a list the team uses on a daily basis to perform time entry. This list contains the following columns:

  • Title
  • Date
  • Project
  • Hours spent
  • Team Member

Note: SharePoint is powerful and allows you to create lists that can perform data lookup from other sources (i.e. a drop down menu that looks up data in another list) and even personalize this for the user so they can only see time they entered. For purposes of this blog and example, I’m going to keep it simple and use free form text fields, date, and a few radio buttons. But I encourage you to play around with this and explore!

Here’s a screenshot of the list with columns:

And a view of the list, in data entry view on SharePoint:

Now, back to the SharePoint list, on the toolbar you will notice a menu for PowerApps. Click that menu and select Create an app:

On the flyout on the right, in the Name field type Time Entry and click Create:

A new browser window will launch, and you will be taken to PowerApps. A dialog box will appear; select your country and click Get started:

The PowerApps Designer will be displayed:

At this point, the app can be further customized using the designer; however, it is fully functional. To access the app, browse to PowerApps and sign in:

IMPORTANT: You can also access this app by downloading the PowerApps app on your mobile device. Once signed in, you will see the same list of apps to access.

From the menu on the left click Apps:

Click the app you just created:

A new browser window will open and the web version of the PowerApp will be launched:

Click the + (plus) sign in the app and enter some data then click the check mark to submit the data:

Once the data is submitted, you will be returned to the home screen and can see a history of the data that was entered (note this view can be customized if needed):

Back in SharePoint, we can see the data populated in the list:

Conclusion: It really is that easy to create an easy to use application. Depending upon the use case you may need to use PowerApps Designer to customize the user interface. To see how to visualize and report this data in a dashboard in Power BI see PowerBI: Visualize your data in dashboard in 10 minutes. In addition, you can automate these tasks and workflows using Microsoft Flow, which I will write about in a future blog post as well.

As always, if you have feedback, comments on this post or ideas for future posts please let me know in the comments below. Also, I would love to hear how you are using PowerApps to digitally transform and create new scenarios.