Tagged: Security

Sensitivity labels in Teams, SharePoint sites and Microsoft 365 groups

This post is about protecting information in your Teams, SharePoint, and Microsoft 365 group data by using Microsoft Information Protection (MIP) sensitivity labels. In July 2020 Microsoft announced the general availability (GA) of sensitivity labels for these workloads. This answers the question of how to protect information in Teams, SharePoint Online and Microsoft 365 groups. In this post I walk through the configuration.

Source: https://pixabay.com/de/illustrations/sicherheit-sichern-gesperrt-2168233/

What are sensitivity labels?

Sensitivity labels are persistent labels attached to data or information in order to protect sensitive and business-critical information. In general, the following security measures are available with sensitivity labels:

  • Enforce encryption or watermarks
  • Cross platform/device content protection
  • Third-party app and service content protection to detect, classify, label and protect content with Microsoft Cloud App Security, e.g. SalesForce, Box, DropBox
  • Third-party app and service extensibility by using Microsoft Information Protection SDK
  • Classify content (without protection)

Policy scoping or association options

For Microsoft Teams, Microsoft 365 Groups and SharePoint Online you can configure options, actions and exclusions based on

  • privacy
  • external user membership
  • unmanaged device access

For instance, any Team, SharePoint Online site or M365 group created with a certain label can be forced to be private. In consequence, the owner is not allowed to and cannot add external users, and users on unmanaged devices can only access the contents via the web.

Requirements

Licensing

I’m not going into details regarding licensing requirements; you can find a link at the bottom of this post instead. Please note that the license requirements differ between manual and automatic labeling. For the latter you need Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5 Compliance, Microsoft 365 Information Protection and Governance, Office 365 E5, Office 365 Advanced Compliance, Enterprise Mobility + Security E5, or AIP Plan 2.

Permissions/roles

To manage or create sensitivity labels you must be assigned one of the following roles:

  • Global Administrator
  • Compliance Data Administrator
  • Compliance Administrator
  • Security Administrator

Enable sensitivity labels on Azure AD

To use sensitivity labels, you first need to enable them in Azure AD by using PowerShell, for example:

#https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-assign-sensitivity-labels
Import-Module AzureADPreview
Connect-AzureAD

#Check if the "Group.Unified" settings object exists or needs to be created first (that's missing in Microsoft Docs)
$settingsObjectID = (Get-AzureADDirectorySetting | Where-Object -Property DisplayName -Value "Group.Unified" -EQ).Id
if (!$settingsObjectID)
{
    $template = Get-AzureADDirectorySettingTemplate | Where-Object {$_.DisplayName -eq "Group.Unified"}
    $settingsCopy = $template.CreateDirectorySetting()
    New-AzureADDirectorySetting -DirectorySetting $settingsCopy
    $settingsObjectID = (Get-AzureADDirectorySetting | Where-Object -Property DisplayName -Value "Group.Unified" -EQ).Id
}

#Enable Microsoft Information Protection (MIP) labels
$Setting = Get-AzureADDirectorySetting -Id $settingsObjectID
$Setting.Values
$Setting["EnableMIPLabels"] = "True"
Set-AzureADDirectorySetting -Id $Setting.Id -DirectorySetting $Setting

Disconnect-AzureAD

How to create and publish labels?

In this section I walk through some settings based on screenshots; this is not yet specific to Microsoft Teams, SharePoint Online and Microsoft 365 Groups. Further down in this post you find a section showing the options for sensitivity labels in Teams. Nevertheless, the process is similar for Teams, SharePoint and groups.

To create labels you need to start in the Microsoft 365 security center.

Screenshot – Microsoft 365 security admin center \ classification \ sensitivity labels 1

Example – create a label

Screenshot – Microsoft 365 security admin center \ classification \ sensitivity labels 2
Screenshot – Microsoft 365 security admin center \ classification \ sensitivity labels 3
Screenshot – Microsoft 365 security admin center \ classification \ sensitivity labels 4

Be cautious about the encryption settings because they can have a big impact.

Screenshot – Microsoft 365 security admin center \ classification \ sensitivity labels 5
Screenshot – Microsoft 365 security admin center \ classification \ sensitivity labels 6

Finish this and repeat the above steps as often as required to create as many labels as you need.

Example – Publish labels and create a label policy

Screenshot – Microsoft 365 security admin center \ classification \ sensitivity labels 7
Screenshot – Microsoft 365 security admin center \ classification \ sensitivity labels 8
Screenshot – Microsoft 365 security admin center \ classification \ sensitivity labels 9
Screenshot – Microsoft 365 security admin center \ classification \ sensitivity labels 10
Screenshot – Microsoft 365 security admin center \ classification \ sensitivity labels 11
Screenshot – Microsoft 365 security admin center \ classification \ sensitivity labels 12

Depending on the labels you’ve created and your security requirements regarding information protection and groups, you can repeat the above steps for different sensitivity label policies in case you need to differentiate between certain user groups, and therefore between different sensitivity labels and their label policy assignments.

Example – Create sensitivity label for Teams, SharePoint Online Site and M365 group

For Microsoft Teams etc. the process is similar, but as you can see in the following screenshots, if labels were already in place you can edit them to add the capabilities for Teams.

Edit existing labels
Check Group & Sites
Decide for each label how you want to protect groups and sites
Decide on the privacy configuration and external access
Decide on the device access for unmanaged devices
Now you’ve got some labels

Here you must not forget to also configure SharePoint Online for unmanaged device access, otherwise this will not work.

Also, if you haven’t yet published labels, you’ll have to publish the newly created labels.

Please note that it can take several hours for this to appear; I’d recommend waiting up to approx. 24 hours.

If you create a new [Teams] Team it should look like this with the sensitivity label option
In Azure AD groups you can also see and select a label for existing groups

Usage

The sensitivity label for Teams, SharePoint Online sites and Microsoft 365 groups can then be selected during creation, provided you assigned the sensitivity label policy to the users who should be able to apply it.

Conclusion, opinion and summary

Sensitivity labels are another good concept and means in your holistic security architecture to protect your organization’s information. They are a central aspect of your Microsoft 365 service and information protection. However, the entry barrier is high because of the license requirements for these advanced security capabilities.

Additional resources

Microsoft Teams Security and Compliance Video Playlist

In this post I’d like to reference a comprehensive video playlist regarding Microsoft Teams Security and Compliance. It contains eight short videos covering different and important topics for your collaboration security, focusing on Microsoft Teams. The author of the YouTube videos is Matt Soseman, Security Architect at Microsoft.

Source: https://pixabay.com/de/illustrations/sicherheit-sichern-gesperrt-2168233/

Basically, Microsoft 365 services are secure by design; however, there are settings and configuration aspects which might not yet be enabled by default. That’s why it is important to know what’s available and to set it up to make your collaboration even more secure. Please find the link at the bottom: Security & Compliance in Microsoft Teams [YouTube Playlist].

The following Teams-related topics are covered in the playlist:

  • Identity and access management
  • Advanced Threat Protection (ATP)
  • Intune Mobile Application
  • Data Loss Prevention (DLP)
  • (Windows) Information Protection
  • Cloud App Security and third party storage
  • Cloud App Security and Azure Active Directory (AAD)
  • Unified SecOps w/ Microsoft Threat Protection

Conclusion, opinion and summary

Each video is shorter than six minutes, yet the most important aspects are covered. These videos are an impressive summary of the security and compliance capabilities related to Microsoft Teams and Microsoft 365.

In my opinion the videos are very good to get an overview of what security capabilities are available and to get a glimpse of how they work.

Additional resources

Microsoft 365 safe documents configuration

In this post I describe what safe documents in Microsoft 365 are, how you can configure them and why you should enable this in your Microsoft 365 tenant.

If you are not yet familiar with safe attachments and safe links you might want to read my previous post Safe attachments and links to protect your Office 365 collaboration first.

Source: https://pixabay.com/de/illustrations/sicherheit-sichern-gesperrt-2168233/

What are safe documents?

Safe documents is a Microsoft 365 Advanced Threat Protection (ATP) feature. It protects your users from opening malicious documents which might harm your users’ data, privacy or even your complete IT infrastructure, depending on what malicious document content is opened. ATP checks the document before it is opened and prevents the user from opening it or leaving Protected View in case ATP has recognized anything potentially malicious.

Why safe documents?

It adds another valuable layer of security for your users and infrastructure, which kicks in even if someone opens a document which was not caught or categorized as malicious by other security mechanisms before. It might be the last barrier and defense if someone in your company (accidentally) opens a document, avoiding a security incident with corresponding consequences for your company.

What’s required to use this capability in Microsoft 365?

Safe documents are an advanced security feature which requires the following:

  • Microsoft 365 E5 or Microsoft 365 E5 Security
    Microsoft emphasizes that it is not in Office 365 ATP plans
  • Organization Management or Security Administrator role in M365 (for configuration)
  • Office Version 2004 (12730.x) or later

How to configure it?

If the requirements are met you can configure and test it. By default it is turned off.

Please note that configuring this will enable it for your complete Microsoft 365 tenant and therefore for your complete organization.

Enabling it via Admin Center

Screenshot – Go to Security & Compliance Center at https://protection.office.com
Screenshot – Go to Threat management\Policy\ATP Safe Attachments
Screenshot – Tick the checkbox “Turn on Safe Documents for Office clients …”

Maybe DON’T tick the checkbox “Allow people to click through Protected View even if Safe Documents identifies the file as malicious”.

Screenshot – Click Save

That’s it, now it’s live.

Enabling it via Shell

Alternatively, you can also enable this using Exchange Online PowerShell. Example:

#Install Module
Install-Module -Name ExchangeOnlineManagement
#Check Module availability on system
Get-Module ExchangeOnlineManagement
#Update Module
Update-Module -Name ExchangeOnlineManagement
#Import Module
Import-Module ExchangeOnlineManagement

#Connect to EXO with MFA enabled (replace <UPN> with your admin account)
Connect-ExchangeOnline -UserPrincipalName <UPN> -ShowProgress $true

#Enable safe documents and prevent users from leaving Protected View for files identified as malicious
Set-AtpPolicyForO365 -EnableSafeDocs $true -AllowSafeDocsOpen $false
#Check values
Get-AtpPolicyForO365 | Format-List *SafeDocs*

#Disconnect from EXO
Disconnect-ExchangeOnline

#Uninstall Module
Uninstall-Module -Name ExchangeOnlineManagement

Validating it with Shell

Because I’ve configured this in the Admin Center, I’m just checking if the setting is set as expected.

Screenshot – Validate / verify settings

And there we go, it’s set.

Conclusion, opinion and summary

It’s very easy to configure; however, the licensing and client requirements are quite high. In case you meet the licensing requirements you can enable it (after previous planning and testing).

Also note that you should check what your antivirus (AV) client might do, in case you are running a third-party AV client. I did not test this with a third-party AV client plus safe documents enabled. I’d assume there should be no conflicts, but there can be. So, I would not directly enable this in production without testing it first, maybe in a test tenant and on a test client, to ensure it works as expected before going live with safe documents.

Additional resources

G Suite security controls overview [May 2020]

Due to the increased and still increasing number of people working from home, keeping users’ identities and devices secure and up to date is a must. Recently, I wrote some blog posts on Microsoft 365 communication and collaboration security. This time, I’d like to share at a high level what Google provides to secure its G Suite platform for communication and collaboration.

Basically, it doesn’t matter what kind of solution and service you provide, it must be secure by design to cope with more and more advanced threats to your company assets and user identities. To do so, you need to be alert, and not only maintain your as-is security standards and architecture; moreover, you must steadily enhance the security capabilities as there are always new threats on the rise.

Source: https://pixabay.com/de/illustrations/sicherheit-sichern-gesperrt-2168233/

If you rely on G Suite and want to keep your company assets secure, you might want to know what you can do.

  • Fundamental device management
    • Reports/view all devices which access corporate data
    • Reports on devices accessing corporate data
    • Remediation actions, e.g. remotely sign out a user
    • Context-aware access control, e.g. allow access to corporate data/services only under defined circumstances, such as only when device storage is encrypted
  • Enhanced security for Windows 10
    • login with Google credentials, because Google can be used as a credential provider for Windows
    • Single Sign-On (SSO) for Windows 10 devices, apps and services
    • identity and account protection (anti-hijacking, suspicious login detection)
    • compliance checks for Windows 10 devices (checking if the device is secured and updated)
    • device management to roll out device configuration updates and wipe a device
  • New G Suite security capabilities
    • data protection insights [for data loss prevention (DLP)]
    • automated classification with labels for DLP
    • iOS copy/paste protection for DLP
    • context-aware access with group-based policies
    • context-aware access for SAML apps
    • monitor logs with third-party monitoring

Conclusion, opinion and summary

I must admit that I haven’t checked for some time what’s new and which capabilities are offered lately with G Suite. By what I’ve read so far, a lot has changed and was added for good. I recognize that the features and capabilities regarding communication and collaboration security have been growing very well, too. It’s interesting to see how G Suite also evolves over time regarding communication and collaboration security, to keep users and things secure.

Additional resources

How to secure your guest access in Teams?

In this post I point out what you can do to secure your Microsoft 365 guest access or guest identities for a secured collaboration experience. Guests in Microsoft 365 are external persons or identities which you can enable to access defined Microsoft 365 resources, e.g. to work together in a project by using a Microsoft Teams Team. This is very beneficial for more in-depth collaboration in project teams which include several external stakeholders from other companies, like external project managers, subject matter experts, suppliers or others. By enabling guest access for specific scenarios and workloads you can easily work together across companies, if required. So, your employees do not need to find another way or a (#ShadowIT) workaround which does not align with your company’s compliance.

I often have discussions regarding collaboration security on external (guest) access. So, what’s the answer to convince everyone of guest access? Well, let me put it that way: there is never a “one size fits all” answer, definitely not. Company A is not the same as company B. There might be similar processes, requirements, collaboration strategy goals or else, but it’s still different, of course. The people, the services, the products, the vertical etc. are different. To keep it short, B2B collaboration with guest access is an excellent feature but usually requires a different implementation approach depending on the company. Sometimes a basic implementation is sufficient, sometimes you need to establish a new organizational process of varying complexity, including B2B collaboration governance and so on.

Please note that this is just one of many measures to secure your communication and collaboration in Microsoft 365. This is only a single part of a more holistic and required security architecture concept. Moreover, the below description, configuration etc. might change at any time and is just an example, a demo piece.

Source: https://pixabay.com/de/illustrations/sicherheit-sichern-gesperrt-2168233/

Limitations for guests

Guests are a “special” member type in Azure AD and M365. So, there are some limitations by design for guests you should know of. For more, please read What are the default user permissions in Azure Active Directory? and Guest access in Microsoft Teams [links at the bottom].

  • Per licensed user you can add up to five guests (1:5 ratio)
  • Guest user permissions in Azure AD are limited by default*
    • cannot browse other tenant information
    • but can view their own profile
    • but can retrieve information on other users if they search for a UPN or object ID
  • Guest user permissions in Office 365 groups are limited
  • Guest user permissions in Teams are limited
    • no OneDrive for Business
    • no people search outside of Teams
    • no calendar
    • no meeting scheduling
    • no PSTN/telephony
    • no org chart
    • no teams creation/revision
    • no teams browsing
    • no file upload in P2P chats

*unless you assign an admin role to a guest. So be cautious. Don’t.

What you can do to secure your Microsoft 365 guest identities?

Microsoft added a very good article to the documentation, Create a secure guest sharing environment [link at the bottom], which describes the key elements you must take into account for your B2B collaboration and guest access configuration.

  • enforce multi-factor authentication for guests
  • provide terms of use which guests must agree on
  • regularly review whether permission needs are still valid
  • restrict access for guests to web-only / browser-only
  • set a session timeout to enforce regular/daily authentication by guests
  • classify content by using sensitivity labels
  • auto-classify defined sensitive information as highly confidential
  • auto-remove guest access from files labeled highly confidential
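The first item, enforcing multi-factor authentication for guests, can be implemented as a conditional access policy. The following script is an added example (not part of the original post or of Microsoft’s article) using the AzureADPreview module; the policy display name is an assumption, and the policy is created in report-only state so its effect can be reviewed in the sign-in logs before enforcing it.

```powershell
# Added example: conditional access policy that requires MFA for all guest and external users.
# Assumes the AzureADPreview module and an account allowed to manage conditional access.
Import-Module AzureADPreview
Connect-AzureAD

$policyName = "CA - Require MFA for guests"   # assumed display name

# Conditions: every cloud app, scoped to guests/external users only
$conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
$conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
$conditions.Applications.IncludeApplications = "All"
$conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$conditions.Users.IncludeUsers = "GuestsOrExternalUsers"

# Grant control: require MFA
$controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$controls._Operator = "OR"
$controls.BuiltInControls = "mfa"

# Create the policy only if it does not exist yet; start in report-only mode,
# switch -State to "enabled" once the sign-in log review shows no unexpected blocks.
$existing = Get-AzureADMSConditionalAccessPolicy | Where-Object { $_.DisplayName -eq $policyName }
if (-not $existing) {
    New-AzureADMSConditionalAccessPolicy -DisplayName $policyName `
        -State "enabledForReportingButNotEnforced" `
        -Conditions $conditions `
        -GrantControls $controls
}

# Verify the policy state and scope
Get-AzureADMSConditionalAccessPolicy |
    Where-Object { $_.DisplayName -eq $policyName } |
    Select-Object DisplayName, State,
        @{ Name = "Users"; Expression = { $_.Conditions.Users.IncludeUsers } },
        @{ Name = "Controls"; Expression = { $_.GrantControls.BuiltInControls } }

Disconnect-AzureAD
```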

Conclusion, opinion and summary

Guest access can be vital for your company and employees to easily work together with external stakeholders, if required. It must be secured.

To provide guest access, I think it is a good idea to establish an organizational process in which internal employees must request guest access for an external person via an approval process. The latter could be accomplished by using Power Automate with Forms or Power Apps. Onboarding or adding a new guest should be based on the approach which Microsoft provides in Create a secure guest sharing environment [link at the bottom]. To complete the guest user life cycle, the identity should be audited and monitored regarding permission needs and activities, so that either certain permissions can be removed or a guest account gets disabled or even deleted depending on usage, activity, last logon or other criteria.

Additional resources

What’s new in Microsoft Teams in April 2020?

In this post I’d like to highlight some new and planned Microsoft Teams features based on the latest roadmap updates by Microsoft. In the last few days many updates were made to the Microsoft Teams roadmap. There are several neat feature updates for Microsoft Teams which will be rolled out soon, are rolling out now or are already available. Let me give you an overview of these.

Source: https://pixabay.com/illustrations/landscape-hill-sky-clouds-hilly-922581/

Meetings and live events

  • end meetings | as a host you can now end meetings, so nobody can remain in the meeting to continue using the online meeting space.
  • audio conferencing dial-in number masking | PSTN participant phone numbers will be masked from external users [~May 2020]
  • background effects in meetings | use (pre-selected) background images so other participants can focus on you with less distraction; later also custom background images.
  • raise hands in Teams meetings | attendees can raise their virtual hand to notify the presenter that they would like to speak
  • share system audio in a meeting
  • share system audio in a live event

Voice / telephony

Microsoft 365 Business Voice | Microsoft 365 Phone System capabilities are available for SMB organizations with up to 300 seats as an add-on license for the smaller licensing bundles (business plans).

So, business plans are also enabled to go for Calling Plans and/or Direct Routing to enable (PSTN) telephony to/from Microsoft Teams.

Chat

Multi window chat | Ability to pop out a chat in a separate chat window

Security

Microsoft adds Azure AD Premium Plan 1 to M365 Business plans, which provides features like

  • conditional access,
  • self-service password reset and
  • multi-factor authentication (MFA) to secure your identities.
  • Plus some more features like Cloud App Discovery (to discover apps in use within your company which you might not have been aware of),
  • application proxy,
  • dynamic groups,
  • passwordless auth (Windows Hello for Business, Microsoft Authenticator app, FIDO 2).

All this helps to make communication and collaboration for your business more secure, especially for SMBs (up to 300 seats). This is really compelling due to price and feature set. Until now you had to get enterprise plans to get the option to add these features to your Microsoft 365 deployment.

Conclusion, opinion and summary

Microsoft now really pushes out these features and changes to enable small and medium-sized businesses (SMBs) to securely communicate and collaborate at a reasonable price. To me, MFA (for all) was long awaited in this licensing segment, because nowadays MFA should be the imperative anyway.

Additional resources

Safe attachments and links to protect your Office 365 collaboration

In this post I describe how you can configure safe attachments and safe links in Microsoft Office 365 Advanced Threat Protection (ATP) to make your communication and collaboration more secure. It is for your Office 365 workloads (SharePoint Online, OneDrive for Business, Exchange Online and Microsoft Teams).

Please note that this is just one of many measures to secure your communication and collaboration in Microsoft Office 365. This is only a single part – well, two capabilities – of a more holistic and required security architecture concept. Moreover, the below description, configuration etc. might change anytime and is just an example, a demo piece.

Source: https://pixabay.com/de/illustrations/sicherheit-sichern-gesperrt-2168233/

Basics

Let me describe it short and simplified as follows:

What are Safe Links?

Safe Links are (hyper)links/URLs which are pre-checked (in a sandbox) before a user opens the link. This “pre-check” is built to check whether the website behind the link is okay or might be malicious, start to download malware or do something else which might harm your systems.

What are Safe Attachments?

Safe Attachments is a feature which checks attachments and tries to detect whether they are malicious.

Requirements

You need a subscription which includes Microsoft [Office] 365 Advanced Threat Protection (ATP).

To configure this, your administrative Office 365 account must have the Global Admin, Security Admin or Exchange Online Organization Management role assigned.

Configuration overview and walk-through

For both, you can start at https://security.microsoft.com/securitypolicies in the Microsoft 365 Security portal.
The following screenshots depict what I configured; you can of course configure it another way depending on your needs and requirements.

1 Open https://security.microsoft.com/securitypolicies
2 Policies
3 + 4 Configure each (ATP safe attachments + ATP safe links)

ATP Safe Attachments

1 Enable ATP for SharePoint, OneDrive and Teams
2 Save it, to enable it
3 Protect attachments – create a new safe attachments policy

1 + 2 Give it a name + description
3 Configure handling
4 + 5 Enable redirect of potentially malicious attachments to another mailbox [don’t use a usual mailbox, create a “dumpster mailbox” just for that purpose]
6 Configure condition/s / exception/s
7 Save it

Validate input and check if the policy is enabled and the priority fits in case you create several policies.

ATP Safe Links

1 Configure the default Safe Links organization policy
2 Create Safe Link policies for specific recipients

1 Enable it for all Office 365 Apps, … iOS and Android
2 Configure “reporting” + handling

1 + 2 Give it a name + description
3 Turn it on
4 Enable real-time scanning for URLs including content for download
5 Enable it internally, too
6 Configure “reporting”
7 Enable – this prevents users from clicking through to the original URL from the warning page if it is blocked

1 Configure condition/s / exception/s

Validate input and check if the policy is enabled and the priority fits in case you create several policies.

Finally, test and verify your configuration. Regularly take a look into your security reports to enhance your configurations. Plus, don’t forget to check from time to time what has changed, to keep your security configurations always at a current level.
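The same Safe Attachments and Safe Links configuration as in the walk-through above, done with Exchange Online PowerShell instead of the portal. This is an added example and not the post’s own configuration; the admin UPN, recipient domain, policy names and the dumpster mailbox address are assumptions you need to replace.

```powershell
# Added example: Safe Attachments / Safe Links via the ExchangeOnlineManagement module.
# All names, the domain and the dumpster mailbox below are assumed placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example -ShowProgress $true

$domain   = "contoso.example"               # assumed recipient domain the policies apply to
$dumpster = "atp-dumpster@contoso.example"  # assumed dedicated mailbox, not a user's mailbox

# Safe Attachments step 1: ATP for SharePoint, OneDrive and Teams (tenant-wide switch)
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

# Safe Links step 1: default organization policy for Office 365 clients,
# with click tracking and without click-through on blocked URLs
Set-AtpPolicyForO365 -EnableSafeLinksForO365Clients $true -TrackClicks $true -AllowClickThrough $false

# Safe Attachments steps 1-7: block detected attachments, redirect copies to the dumpster mailbox,
# scoped to recipients in the domain. Created only if the policy does not exist yet.
if (-not (Get-SafeAttachmentPolicy -Identity "SA-Default" -ErrorAction SilentlyContinue)) {
    New-SafeAttachmentPolicy -Name "SA-Default" -Enable $true -Action Block `
        -Redirect $true -RedirectAddress $dumpster
    New-SafeAttachmentRule -Name "SA-Default-Rule" -SafeAttachmentPolicy "SA-Default" `
        -RecipientDomainIs $domain -Priority 0
}

# Safe Links steps 1-7: real-time URL scanning including downloadable content,
# internal senders included, no click-through, click reporting on.
if (-not (Get-SafeLinksPolicy -Identity "SL-Default" -ErrorAction SilentlyContinue)) {
    New-SafeLinksPolicy -Name "SL-Default" -IsEnabled $true -ScanUrls $true `
        -DeliverMessageAfterScan $true -EnableForInternalSenders $true `
        -DoNotAllowClickThrough $true -TrackClicks $true
    New-SafeLinksRule -Name "SL-Default-Rule" -SafeLinksPolicy "SL-Default" `
        -RecipientDomainIs $domain -Priority 0
}

# Validate: policies enabled, rules enabled, priority as intended
Get-AtpPolicyForO365 | Format-List EnableATPForSPOTeamsODB, EnableSafeLinksForO365Clients, AllowClickThrough
Get-SafeAttachmentPolicy -Identity "SA-Default" | Format-List Enable, Action, Redirect, RedirectAddress
Get-SafeAttachmentRule  -Identity "SA-Default-Rule" | Format-List State, Priority, RecipientDomainIs
Get-SafeLinksPolicy -Identity "SL-Default" | Format-List IsEnabled, ScanUrls, EnableForInternalSenders, DoNotAllowClickThrough
Get-SafeLinksRule   -Identity "SL-Default-Rule" | Format-List State, Priority, RecipientDomainIs

Disconnect-ExchangeOnline -Confirm:$false
```

If you already have other Safe Attachments or Safe Links policies, review the printed Priority values so the new rules sit where you expect in the evaluation order.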

Conclusion, opinion and summary

Safe Links and Safe Attachments are very helpful features in Microsoft Office 365 to make your communication and collaboration more secure regarding sending/receiving links and attachments. These two features are options to increase your security setup with Office 365. I think it might be a good idea to enable it if you do not yet have something like this in place already.

Although it makes links and attachments safe[r], there are more and more advanced/intelligent threats and approaches available to trick and compromise users and systems. So, admin and user security awareness is also essential, although you can get rid of many threats with a holistic security architecture and technical solution or service implementations.

Additional resources

How to secure Microsoft Teams? Some thoughts.

In this post I give you an architectural overview of thoughts, ideas and options for a more secure communication and collaboration experience with Microsoft Teams.

It’s inevitable to provide a secure, modern and usable (!) solution for your users and your company, and to keep identities and [information] assets secure. I want to emphasize usable because you can surely set up a highly secure service; however, if you do so, nobody might be able to use it because you locked it down too restrictively. This will probably cause other headaches: first of all, users need to get work done and might work around that highly secured service [just using anything else they find online]. No adoption. Hence, the added value of the communication and collaboration solution and the ROI will never be achieved. That’s why you need to figure out a suitable balance between security and collaboration.

Source: https://pixabay.com/de/illustrations/lernen-hinweis-schule-betreff-3245793/

Microsoft Teams, as part of the Microsoft 365 cloud services, can leverage these comprehensive security features to enable secured communication and collaboration, besides the fact that Microsoft encrypts data in transit as well as at rest.

The following slides contain what you could do to secure your Microsoft Teams communication and collaboration experience without giving up usability and a modern teamwork experience.

Beyond these basic security considerations in the slides you could, of course, also make further and more granular optimizations, for example …

  • in the Microsoft Office 365 Admin Center
  • in the Microsoft Teams Admin Center
  • in the Microsoft SharePoint Online Admin Center
  • in the Microsoft One Drive for Business Admin Center
  • in the Microsoft Exchange Online Admin Center
  • as well as in other Microsoft Admin Centers

as needed.

Conclusion, opinion and summary

Microsoft 365 enables you to secure Microsoft Teams and Office 365 with the eligible licenses. There are many aspects to securing your modern teamwork experience. It starts with general identity and information protection and continues with fine-tuning Microsoft Office 365, Teams, SharePoint Online, Exchange Online, Yammer etc. There are some bigger and some smaller switches to be aware of and to configure for secure modern teamwork, e.g. guest access, external access (federation), messaging policies, meeting/conferencing policies, app setup policies, app permission policies and many more. Last but not least, you also should think about monitoring and auditing so that you’ll be able to trace things in case it is required.

Additional resources