Friday Five: Azure VM, Teams Tips, More!

by Contributed | Aug 20, 2021 | Technology

This article is contributed. See the original author and article here.

A first look at Azure AD Conditional Access authentication context

Kenneth van Surksum is an Enterprise Mobility MVP from The Netherlands. Kenneth a works as a modern workplace consultant at Insight24 and is specialized in building modern workplace solutions on top of Microsoft 365. Kenneth is co-founder of the Windows Management User Group Netherlands (WMUG_NL), which was recently rebranded to the Workplace Ninja User Group Netherlands, and organizes (virtual) community meetings on a regular basis. Kenneth loves to speak about technical topics related to his daily work. Kenneth is Microsoft Certified Trainer (MCT) and has multiple certifications, he has received the MVP and VMware vExpert award multiple times. For more, check out Kenneth’s Twitter @kennethvs

Set up organizational Teams meeting backgrounds

Vesku Nopanen is a Principal Consultant in Office 365 and Modern Work and passionate about Microsoft Teams. He helps and coaches customers to find benefits and value when adopting new tools, methods, ways or working and practices into daily work-life equation. He focuses especially on Microsoft Teams and how it can change organizations’ work. He lives in Turku, Finland. Follow him on Twitter: @Vesanopanen

UNO PACKAGE: A NEW WAY TO UPDATE WINDOWS 10 AND WINDOWS SERVER 2019

Silvio Di Benedetto is founder and CEO at Inside Technologies. He is a Digital Transformation helper, and Microsoft MVP for Cloud Datacenter Management. Silvio is a speaker and author, and collaborates side-by-side with some of the most important IT companies including Microsoft, Veeam, Parallels, and 5nine to provide technical sessions. Follow him on Twitter @s_net.

Azure VM: Log in with RDP using Azure AD

George Chrysovalantis Grammatikos is based in Greece and is working for Tisski ltd. as an Azure Cloud Architect. He has more than 10 years’ experience in different technologies like BI & SQL Server Professional level solutions, Azure technologies, networking, security etc. He writes technical blogs for his blog “cloudopszone.com“, Wiki TechNet articles and also participates in discussions on TechNet and other technical blogs. Follow him on Twitter @gxgrammatikos.

Teams Real Simple with Pictures: Using Generic Links in Approvals for SPO Docs, Sites, Videos and Lists

Chris Hoard is a Microsoft Certified Trainer Regional Lead (MCT RL), Educator (MCEd) and Teams MVP. With over 10 years of cloud computing experience, he is currently building an education practice for Vuzion (Tier 2 UK CSP). His focus areas are Microsoft Teams, Microsoft 365 and entry-level Azure. Follow Chris on Twitter at @Microsoft365Pro and check out his blog here.

Microsoft Compliance – Paint By Numbers Series (Part 5) – Advanced eDiscovery

by Contributed | Aug 19, 2021 | Technology

This article is contributed. See the original author and article here.

Disclaimer

This document is not meant to replace any official documentation, including those found at docs.microsoft.com.  Those documents are continually updated and maintained by Microsoft Corporation.  If there is a discrepancy between this document and what you find in the Compliance User Interface (UI) or inside of a reference in docs.microsoft.com, you should always defer to that official documentation and contact your Microsoft Account team as needed.  Links to the docs.microsoft.com data will be referenced both in the document steps as well as in the appendix.

All of the following steps should be done with test data, and where possible, testing should be performed in a test environment.  Testing should never be performed against production data.

Target Audience

The Advanced eDiscovery (Aed) section of this blog series is aimed at legal and HR officers who need to understand how to perform a basic investigation.

Document Scope

This document is meant to guide an administrator who is “net new” to Microsoft E5 Compliance through the use of Advanced eDiscovery.

It is presumed that you already data to search inside your tenant.

We will only step through a basic eDiscovery case (see the Use Case section).

Out-of-Scope

This document does not cover any other aspect of Microsoft E5 Compliance, including:

• Sensitive Information Types


• Exact Data Matching


• Data Protection Loss (DLP) for Exchange, OneDrive, Devices


• Microsoft Cloud App Security (MCAS)


• Records Management (retention and disposal)


• Overview of Advanced eDiscovery (AeD)


• Reports and Analytics available in of Advanced eDiscovery (AeD)

It is presumed that you have a pre-existing of understanding of what Microsoft E5 Compliance does and how to navigate the User Interface (UI).

It is also presumed you are using an existing Information Types (SIT) or a SIT you have created for your testing.

Use Case

There are many use cases for Advanced eDiscovery.  For the sake of simplicity, we will use the following: Your organization has a Human Resources investigation against a specific user.

Overview of Document

1. Use Case


2. Definitions


3. Notes


4. Pre-requisites


5. Create a Case


6. Run an investigation


7. Export a subset of data


8. Appendix and Links

Definitions

• Data Sources – These are the locations (EXO, SPO, OneDrive) where searches will be performed.  These are all the custodians (users) being investigated.  This is not the users performing the investigation.


• Collections – This is the actual search being performed.  Collections include user, keyword, data, etc.


• Review Sets – Once a collection/search has been performed, the data most be reviewed.  This tab is where secondary searches can be done and a review of the data.


• Communications – If the HR or legal team wishes, they can notify the user that they are under investigation.  You can also set up reminder notifications in this section of the UI. 
  
  
  
  • Note – This task is optional.
  
  
  
  


• Hold – Once the data has been collected/searched or reviewed, either all or part of the data can be placed on legal hold.  This means that the data cannot be deleted by the end user and if they do, then only their reference to the data is deleted.  If the user deletes their reference, then the data is placed into a hidden hold directory.


• Processing – This tab is related to the indexing of data in your production environment.  You would use this if you are not finding data that you expect and you need to re-run indexing activities.
  
  
  
  • Note – This task is optional.
  
  
  
  


• Exports #1 – When referring to the tab, this provides the data from the case to be exported to a laptop or desktop.


• Export #2 – This is also the term used to export a .CSV report.


• Jobs – This provides a list of every job run in eDiscovery and is useful when trying to see the current status of your jobs (example – Collection, Review, Processing, Export, etc).  This is useful if you launch an activity and want to monitor its status in real-time.


• Setting – High level analytics and settings and reports, etc.


• Custodian – This is the individual being investigated.

Notes

• Core vs Advanced eDiscovery (high level overview)
  
  
  
  • Core eDiscovery – This allows for searching and export of data only.  It is perfect for basic “search and export” needs of data.  It is not the best tool for data migration or HR and/or Legal case management and workflows.
  
  
  • Advanced eDiscovery – This tool is best used as a first and second pass tool to cull the data before handing that same data to outside council or legal entity.  This tool provides a truer work flow for discovery, review, and export of data along with reporting and redacting of data.
  
  
  
  


• If you are not familiar with the Electronic Discovery Reference Model (EDRM), I recommend you learn more about it as it is a universal workflow for eDiscoveries in the United States.  The link is in the appendix.


• For my test, I am using a file named “1-MB-Test-SSN-1-AeD” with the phrase “Friedrich Conrad Rontgen invented the X-Ray” inside it. This file name stands for 1MB file with SSN information for Advanced eDiscovery testing.


• We will not be using all of the tabs in available in a AeD case.


• How do user deletes of data work with AeD?


• If the end user deletes the data on their end and there IS NO Hold, then the data will be placed into the recycle bin on the corresponding applications.


• If the end user deletes the data on their end and there IS a Hold, then the data will NOT be placed into the recycle bin on the corresponding applications.  However, the user reference to the data will be deleted so they will believe that the data is deleted.

Pre-requisites

If you have performed Part 1 of this blog series (creating a Sensitive Information Type), then you have everything you need.  If you have not done that part of the blog, you will need to populate your test environment with test data for the steps to follow.

Create a Case

1. Click Create Case

2. Give the case a Name, Case Number (if applicable), and Case Description, and then click No, just go to the home page.

a. Note – the more you put in the description, the better for reporting later on.  So, if you have received an email from HR, Legal, outside council, etc., you can cut and paste that information into the Case Description.

3. You will now find yourself in the Case Overview. 

4. With the case created, we will now run an investigation

Run an investigation

In this section, we will walk through the steps and flow to run a basic eDiscovery case:

1. Configure data sources


2. Run a collection


3. Working with data into a review set


4. Export a subset of data

Configure Data Sources

There are 2 ways to indicate what data sources will be searched, custodian or location.

Custodians

1. Select the Data Sources tab and then click Add Data Source.  You will have several options.  We will choose Add new custodians.  This allows you to search across multiple Office 365 applications for a user.

2. Type the name of the custodian you want to search.  I will only selecting one user at this time, Pradeep.

3. Select your Hold Setting.  The Hold Setting indicates which users’ data set to place on automatic hold when searched.  If you do not select Hold for a user, the user’s data will be searched but not placed automatically on legal hold.

4. In the Review section of the wizard, you will see what data locations are being searched and which are placed on automatic hold. 

a . Note #1 – Any data location associated with that user will have a number 1 associated with it.  If there is no number associated with the data location, then, the user is not determined to have any data in that location.  Automatic Hold will be placed on locations where the user has data, per the 2^nd step of the wizard.

b. Note #2 – When you edit a custodian, you can change or clear the setting in this screen.

5. If you are content with what you see, click Submit.  Then click Done on the next screen.

Locations

1. If wish to search specific locations, and not just users and their associated data locations, you can select Add data locations. Asdf

2. You can add SharePoint or Exchange locations.  I will add the default SharePoint location of the “The Landing” which is one of my pre-populated SharePoint sites.  I will not be adding an Exchange location. 

3. Then click Add.

Run a Collections

1. Now we will run a collection (ie. search) of data.  Select the Collections tab and click Add Collection and chose Standard collection.

2. Give the collection a name and description and click Next.

3. For the custodians being searched (Custodial Data Sources), you can search either a) specific custodians assigned to this case or b) all users associated with your case.  I will choose All users.  Click Next.

4. Next are Non-custodial data sources.  These are sites, groups and other sources that are not associated with the custodians that you might want to add to your search.  For now, accept the default and select Next.

5. If you want to add other locations, other than those associated with the user via their Identity, then you can add them in the Additional Locations part of the wizard.  For example, you can search Sarah Smith’s email in addition to Pradeep’s by adding her mailbox in this section.  Accept the default and click Next.

6. We have come at long last to the search criteria itself.  In this section labeled Conditions, you can run searches based on keyword or other conditions.


7. For my test I am using a file named “1-MB-Test-SSN-1-AeD” with the phrase “Friedrich Conrad Rontgen invented the X-Ray” inside it. This stands for 1MB file with SSN information for Advanced eDiscovery testing.   I will search against the three names of this inventor.

8. Here is a list of those other conditions you can choose from.

9. Select the criteria that you want to search.  When you are ready, click Next.

a. Note – A common initial search is to search a user or set of users and a date range.  Then run a secondary search against a secondary search on a narrower data range, keywords, a subset of users, etc.  In Advanced eDiscovery, we will do those sorts of searches in the Review Sets tab which is next.

10. Next is Save Draft or Collection.  Here you have the option to save this collection as a draft (meaning the data set is not officially placed on hold) or you can collect items into a review set.  We will choose the latter (Collect items and add to review set), and I will add it to a new Review set.

1. Note #1 – If you have a case with multiple collections, you might decide to add a collection to a pre-existing Review Set.  I do not have one here and so will use a new review set.


2. Note #2 – If adding to an existing Review Set, you can select Additional collection settings.  Again, we will not do those here as those options are also found in the Review Set section of the eDiscovery too.


3. Note #3– placing data in a Review Set does not place that data on hold.  That is a done in the Hold tab which will allow you to place a “hold in place” action on data.  We will not be performing that in this blog

11. Under Collection ingestion scale, I will choose the first option, Add all collection to review set.
    
    
    
    1. Note – you can chose to add only part of the collection to a review set, if you wish.
    
    
    
    

12. Now review your collection and select Submit and then Done.

13. Click Done and move to the Review Sets tab.

Working with data in a Review Set

1. Go to the Review Sets tab.  Select the review set you just created click Open Review Set. 
   
   
   
   1. Note – You, can also click Add Review Set to create a new review set. The reason to do this is so that you can better organize your future collections.
   
   
   
   

2. Let us take a tour of this interface.  A ribbon across the top will show several options. Let us take a tour of this interface

a. The first ribbon across the top will show several options to narrow your results by Keyword, Date, Sender/Author, Subject/Title, and/or Tags

b. The second ribbon allows for actions against the data in the Review Set: Overview (Summary), Analytics, Actions (download, report, redaction, etc), Tags (legal), and Manage (the collected data).

3. If you select a file or email a preview panel will appear on the right.  I will select a file.  Atop the preview pane you can find options to view the Source file, look at the file in plain text, Annotate the file for redaction, or look at the metadata.  I will not be making any annotations to this file at this time.

4. I will now export data for review by an external legal team.  I am going to highlight some files, and then go to the top toolbar and select Actions->Export. I will give the export a name and fill in the other details as needed.


5. Again, I am going to highlight some files, and then go to the top toolbar and select Actions->Export. I will give the export a name and fill in the other details as needed.

6. Give the export a name and a description and click leave the rest of the settings at their defaults.  Then click Export.

7. A job will be created. Click OK.  This set of exported data will appear in the Exports tab.

Export a subset of data

1. On the Exports tab, click on your export.  A window will appear on the right which will tell you if your export was successful.  If so, you can now download it along with a summary report to your local machine and then hand it over to outside council as needed.

2. Congratulations!  You have now have now completed a basic Advanced eDiscovery case and have finished this blog series.

Appendix and Links

• https://edrm.net/resources/frameworks-and-standards/edrm-model/


• Overview of the Advanced eDiscovery solution in Microsoft 365 – Microsoft 365 Compliance | Microsoft Docs


• Work with custodians in Advanced eDiscovery – Microsoft 365 Compliance | Microsoft Docs


• Search the audit log in the Security & Compliance Center – Microsoft 365 Compliance | Microsoft Docs 


• Work with processing errors in Advanced eDiscovery – Microsoft 365 Compliance | Microsoft Docs


• Export case data in Advanced eDiscovery – Microsoft 365 Compliance | Microsoft Docs


• Manage jobs in Advanced eDiscovery – Microsoft 365 Compliance | Microsoft Docs

Note: This solution is a sample and may be used with Microsoft Compliance tools for dissemination of reference information only. This solution is not intended or made available for use as a replacement for professional and individualized technical advice from Microsoft or a Microsoft certified partner when it comes to the implementation of a compliance and/or advanced eDiscovery solution and no license or right is granted by Microsoft to use this solution for such purposes. This solution is not designed or intended to be a substitute for professional technical advice from Microsoft or a Microsoft certified partner when it comes to the design or implementation of a compliance and/or advanced eDiscovery solution and should not be used as such.  Customer bears the sole risk and responsibility for any use. Microsoft does not warrant that the solution or any materials provided in connection therewith will be sufficient for any business purposes or meet the business requirements of any person or organization.

PetitPotam? Microsoft Defender for Identity has it covered!

by Contributed | Aug 18, 2021 | Technology

This article is contributed. See the original author and article here.

If you didn’t grow up in the ’90s in France like yours truly, you probably wouldn’t be familiar with the animated kids show named Petit Potam, which was based on the books of the same name by Christine Chagnoux.

While I could talk about the TV series for days, the reason Petit Potam came to the news lately is because of a vulnerability that was recently published with the same name which can potentially be used in an attack on Windows domain controllers. PetitPotam is a tool that can exploit the Encrypting File System Remote (EFSRPC) Protocol.

Exploiting the MS-EFSRPC

The EFSRPC protocol that PetitPotam exploits is typically used to maintain and manage encrypted data that is stored remotely and accessed over a network. It’s mainly used to manage Windows files that reside on remote file servers and are encrypted using the Encrypting File System (EFS).

Figure 1. Message sequence for opening a file using EFS

Using the PetitPotam vector, an adversary can manipulate MS-EFSRPC API functions without authentication using the OpenEncryptedFileRaw calls. This allows the adversary to force a domain controller to authenticate to an NTLM relay server under the attacker’s control.

NTLM Relay attack

NTLM relay attacks allow the malicious actor to access services on the network by positioning themselves between the client and the server and usually intercepting the authentication traffic and then attempting to impersonate the client.

To prevent NTLM relay attacks on networks with NTLM enabled, domain administrators must ensure that services that permit NTLM authentication utilize protections such as Extended Protection for Authentication (EPA), or signing features, like SMB signing.

PetitPotam takes advantage of servers where Active Directory Certificate Services (AD CS) is not configured with protections for NTLM relay attacks.

Microsoft Defender for Identity detection

Starting from version 2.158 onwards, Microsoft Defender for Identity will trigger a security alert whenever an attacker is trying to exploit the EFS-RPC against the domain controller, which is the preliminary step of the PetitPotam attack.

Figure 2. Suspicious Network Connection over EFS-RPC alert information

The alert provides visibility into network activity over the protocol and when an attacker is trying to force the domain controller to authenticate against a remote device. The alert will contain the following information:

• Source context – which can be the user and/or the device originating the request


• The target domain controller


• The remote device – including the file the attacker was trying to read

How to protect your organization further

On August 10, 2021, Microsoft published CVE-2021-36942 which addresses this vulnerability, named Windows LSA Spoofing Vulnerability. We highly recommend prioritizing updating the domain controllers with this CVE.

To learn more about the CVE, see the details in the MSRC portal with the following link: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942

What next?

If you haven’t already got access to Defender for Identity, you can start a trial using this link. 

We’re always adding new capabilities to Defender for Identity and we’ll make announcements about great new features here in this blog, so check back regularly to see what the latest updates bring to your security teams. 

We’re always keen on hearing your feedback, so please let us know in the comments section below if you have anything to share with us about this detection. 

Use Azure Storage Table REST API with AAD token via PostMan

by Contributed | Aug 18, 2021 | Technology

This article is contributed. See the original author and article here.

You can refer to below steps for scenarios in which you have an application special requirement and need to call raw Storage table REST API from your dev environment via Postman. It consists of two main HTTP requests: first, to authenticate directly using AD security principal to get access token, second an authenticated storage REST API call for Table Storage.

Documentation related

• Query Entities REST API – https://docs.microsoft.com/en-us/rest/api/storageservices/query-entities


• Authorize access to tables using Azure Active Directory https://docs.microsoft.com/en-us/azure/storage/tables/authorize-access-azure-active-directory

Prerequisites

To follow the steps in this article you must have:

• Azure subscription


• An Azure AD tenant


• Registered application (AD Service principal)

Steps to reproduce this scenario:

1. Acquire oAuth 2.0 token:

1. Created security principal for application (Azure portal > AAD > app registrations). Documentation reference: https://docs.microsoft.com/en-us/rest/api/servicebus/get-azure-active-directory-token#register-your-app-with-azure-ad


2. Assigned Storage Table Data Reader role at storage account level to SP created in step #1 (waited for 30 mins)
   

    

   
   


3. Used Postman to get the Azure AD token:

• Launch Postman.


• For the method, select GET.


• For the URI, enter https://login.microsoftonline.com/<TENANT ID>/oauth2/token. Replace <TENANT ID> with the tenant ID value you copied earlier.


• On the Headers tab, add Content-Type key and application/x-www-form-urlencoded for the value.

• Switch to the Body tab and add the following keys and values.


• Select form-data.


• Add grant_type key, and type client_credentials for the value.


• Add client_id key, and paste the value of client ID you noted down earlier.


• Add client_secret key, and paste the value of client secret you noted down earlier.


• Add resource key, and type https://storage.azure.com/ for the value

• Select Send to send the request to get the token. You see the token in the result. Save the token (excluding double quotes). You will use it later

2. Called Query Entities storage REST API and passed the oAuth 2.0 token from previous step

• In Postman, open a new tab.


• Select GET for the method.


• Enter URI in the following format: https://<account>.table.core.windows.net /<table>(). Replace <account> with the name of the Storage Account name. Replace <table> with the name of the table.


• On the Headers tab, add the following three headers.


• Add Authorization key and value for it in the following format: Bearer <TOKEN from Azure AD>. When you copy/paste the token, don’t copy the enclosing double quotes.

• Select Send to get the entities from table. You see the status as OK with the code 200 as shown in the following image.