as a modern workplace consultant also means that sometimes you have to go deep
into Exchange Online options in order to make sure that (sensitive) data of
your customer doesn’t leave the organization without the proper security
measurements taken. In the Microsoft documentation titled: “Best
practices for configuring EOP and Office 365 ATP“, the recommended
settings for both Standard and Strict states that Auto-forwarding to external
domains should be disallowed or monitored at least.
email forwarding is one of the possible and still most common way (sensitive)
company data might leave the organization. Giving the users the ability to
automatically forward emails using either mailbox forwarding or message rules
to users outside the organization in that case can be very risky. I’ve seen
many cases where corporate email accounts were configured to automatically
forward all email to personal gmail.com or hotmail.com accounts. Also still
enabled mailboxes which forward mail to users personal accounts while the user
doesn’t work at the company anymore is common practice.
commonly known that if a user somehow gets compromised, hackers usually put a
forward on the mailbox of the user in order to gain knowledge about the user in
order further continue with their attack methods, or to retrieve sensitive
company data for their own gains.
default, on Windows 10 devices which are Azure AD joined, the user performing
the join is added to the Local Administrator group. Besides the user and the
local administrator (which is disabled by default), two other SIDs are added
without any friendly name which explain who they are. So where are those SIDs
may know, it’s possible for your users to sign-in to SaaS based applications
using their Azure AD account. By doing this, a Single Sign On (SSO) experience
is created for the user. Before this SSO for an SaaS based application is
possible though, the user needs to accept (a) permission request(s) from the
application allowing the application to access the users data on its users
behalf, even when the user is not using the application.
Added February 11th: Erik Loef pointed me to the following two interesting articles detailing on how oAuth can be used to exploit Office 365 environments. See:
has quietly introduced the option to automatically block connections to
unsanctioned cloud apps from the Microsoft Cloud App Security (MCAS) console.
This is accomplished by integrating MCAS with Microsoft Defender Advanced
Threat Protection (MDATP).
the information available in Cloud App Security, the app’s domains are used to
create domain indicators in the Microsoft Defender ATP portal. Within
Windows Defender the Exploit Guard Network Policy option is used to block the
access to the URLs. This will eventually result in the following notification
sent to the user.
blog post I will explain how to setup this functionality when Microsoft Intune
is used and what the behavior is within Windows 10. This assumes that you are
licensed for both MCAS and MDATP, in my case by using a Microsoft365 E5
When you host your email on the Exchange Online (EXO) platform part
of Office365 you can implement several security measures to make sure that
email send from your domain gets delivered to the mailbox of the recipient.
The most known solution for this is by implementing a Sender Policy
Framework (SPF) DNS record. By creating a SPF DNS record in your DNS you
provide receiving email servers the option to check if the originating IP of
the email is also the authorized email server for the domain. If not the email
can be considered suspicious and the email system from that point forward can
decide to threat the email as spam, phishing and so forth.
If you decide to make the nameservers of Microsoft authoritative,
which allows you to manage your DNS settings from the Office administration
portal, the SPF record needed can automatically be enabled for you.
When you want to integrate other products into your Conditional Access
environment you can use “Custom controls” to include products from
other vendors into your Conditional Access conditions. If a custom control is
used the browser is redirected to the external service, performs any required
authentication or validation activities, and is then redirected back to Azure
Active Directory. If the user was successfully authenticated or validated, the
user continues in the Conditional Access flow. More information and some
samples can be found here: Azure AD + 3rd party MFA = Azure AD Custom Controls
– https://blogs.technet.microsoft.com/cbernier/2017/10/16/azure-ad-3rd-party-mfa-azure-ad-custom-controls/. This feature is still in preview
but very promising for 3rd party vendors who want to integrate with Conditional
When designing a Conditional Access strategy for a customer we first
need to start with an inventory of the environment, in the most ideal situation
you would design and implement conditional access in a green field scenario,
but I for sure never had that luxury before so it’s better to assume that the
customer is already using cloud apps and wants to implement conditional access
as an security measure.
Microsoft explains Conditional Access in the following way. Conditional Access consists of access scenario’s called Conditional Access policies. An Conditional Access policy follows the following pattern:
“When this happens” defines the reason for triggering your policy. This reason is characterized by a group of conditions that have been satisfied. With “Then do this” you define how users can access your cloud apps.
Technically this is translated to Conditions (When this happens) and Access controls (Then do this)
Privacy & Cookies Policy
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.