Brian Siefferman, Author at Perficient Blogs

Microsoft Teams Updates (July 2021)

Sun, 04 Jul 2021 12:55:17 +0000

Welcome to July! Microsoft has a cornucopia of updates across various areas of Teams: Meetings, calling, chat and collaboration, management, and security! In this blog, we’ll cover some of the latest and greatest announcements announced last month, many of which you can start using today!

Meeting Updates

Attendance Dashboard

Now as a meeting organizer, whenever you’ve finished a meeting or webinar you will have the ability to view the attendance report which shows who registered for the meeting versus who actually attended the meeting. This also includes the other goodies like the names of the participants, the duration they were on the call, participant join and leave times, and their role in the meeting (organizer, presenter, attendee). You will still have the option of downloading the excel spreadsheet containing the attendees but this new option is built into the Teams UI for easier access and better reporting analytics. As the meeting organizer, all you need to do is click on the Attendance tab in your Meeting Details to find the attendee dashboard. Check out the Microsoft documentation on the attendance dashboard here.

Image provided by Microsoft

Note: The attendance dashboard is not available for channel meetings at this time.

Lower all raised hands

Now while in a meeting as a meeting organizer or presenter, if you have multiple users with raised hands you no longer need to go one by one and lower their hand. Instead, you will now see the option of Lower all hands with a single click! All you need to do is navigate to the participant pane and click on the ellipses ( … ) and you’ll be presented with the option of Lower all hands. Nothing groundbreaking here, but if you have a large group of people with their hands up, this is a godsend.

Image provided by Microsoft

Spotlight up to 7 participants at once

In the past, you were limited to spotlighting only one participant in a meeting. Now organizers and presenters can spotlight up to 7 participants simultaneously during a meeting! A common misconception is that pinning and spotlighting do the same thing. However, pinning only pins that participants video/screen for yourself, not others in the meeting. Although you could pin multiple people, you weren’t able to spotlight multiple people, until now!

Image provided by Microsoft

If you’re not familiar with spotlighting, you can check out the step-by-step guide here!

New Chat Bubble pop-ups

During a meeting, it is often hard to track some of the conversations happening within the chat window. Luckily, Microsoft has added a new chat bubble that surfaces chats on the screens of all meeting participants making it easier to correlate chats with ongoing conversations. The best thing of all, you won’t even need an admin to enable this, as this feature is on by default! However, if you’re just not feeling the whole chat bubble feature, you can easily disable this in the meeting by going to the More actions ( … ) and then selecting Don’t show chat bubbles.

Image provided by Microsoft

Inking and Laser Pointer features in PowerPoint Live

Get the most out of PowerPoint Live in Microsoft Teams with the new visual laser pointer and inking annotations! Now, with just a few simple clicks you can engage your audience by drawing attention to certain areas of the PowerPoint or adding clarification with real-time inking capabilities! The inking will be visible to everyone in the meeting and only the presenter can point and draw on the slides.

Image provided by Microsoft

Microsoft has some additional documentation on using these features, which can be found here!

Teams mobile large gallery view updates

With the latest updates to Teams mobile, when selecting Large Gallery view in your Teams meeting, you will now see an updated layout that allows you to swipe through all the participants in the meeting. In addition, this update allows you to see up to 10 participants (plus yourself) on the screen at one time! To get this cool new layout you’ll one of the following criteria:

iOS 13+ for our Apple folks
Android OS 9+ for our Android folks
Any OS version that has more than 4GB of RAM

Image provided by Microsoft

Including device audio when sharing on Teams mobile

If you’re familiar with the “Include computer sound” option (example below), then this will be a welcomed addition to the mix.

Now you can include your mobile device audio when sharing on your Android or iOS device during a Teams meeting! So if you’d like to include video audio and/or a voiceover, you can now do so all from your mobile device! Now you won’t need to worry about playing music/voiceovers so loud from your mobile device speakers for others in the meeting which ultimately just resulted in audio syncing issues and massive echoes! To use this feature, go to More actions > Share screen with audio. This is available today for those with Android 10+ or iOS 13+.

Live Transcription w/ Speak Attribution for additional license types

If you’re unfamiliar with Live Transcription in Teams, basically it allows you to follow and review conversations (English only at this time), in real-time with the meeting audio/video. So, if you have someone that arrives a little late to the party (or maybe they missed the entire meeting), they’d be able to easily catch up by reading through the transcript. This cool feature was only available to Office 365/Microsoft 365 E3/E5, Microsoft 365 Business Standard, and Microsoft 365 Business Premium license types. However, Microsoft has now expanded this feature to customers with Office 365 E1/A1, Office 365/Microsoft 365 A3/A5, Microsoft 365 F1, Office 365/Microsoft 365 F3, and Microsoft 365 Business Basic license types. If you’re totally lost by that licensing, don’t worry you can find Microsoft’s license plan options here.

Large Gallery for VDI

The Large gallery feature is now available for those on VDI’s! If you’re using a Virtual Desktop Infrastructure you will now be able to expand your gallery and view up to 49 participants on the same screen during a Teams meeting! This now aligns with the typical Teams desktop client experience!

Calling Updates

1:1 PSTN Call Recording

There have been some slight tweaks in how call recording is enabled within the tenant. Microsoft has delineated meeting recordings from PSTN call recordings. Previously, the two fell under the same umbrella which was controlled via the CsTeamsMeetingPolicy > AllowCloudRecording attribute. With this latest update, PSTN calling will get its own policy and will now be controlled via the CsTeamsCallingPolicy > AllowCloudRecordingforCalls attribute.

Note: This feature is only available via PowerShell at this time.

Chat & Collab Updates

Approval Templates

Looking to streamline a workflow within Teams? Look no further! With the Approvals app in Teams, as a team owner (or admin) you can now use approval templates as is, customize existing templates, or create a new approval template from scratch for your organization to use! You can learn more about Approval templates here.

Tasks in Teams

You can now quickly create a task right from a chat or channel conversation! No need to jump between windows or switch apps to create a task, just click the ellipses ( … ) by hovering over the chat and then select More actions and choose Create Task. You can then find that newly created task within the Tasks app for Teams! Learn more about this cool new feature here!

Image provided by Microsoft

Management Updates

App Risk Evaluation capabilities

As a Teams admin, you’ll now have the ability to view the security, compliance, and privacy details for apps detected in MCAS (Microsoft Cloud App Security). This will help Teams admins and your security team more easily review apps to see if they meet your organization’s security specifications.

Automatic Alerting for devices in Teams Admin Center

Identify device issues quicker than ever! With Device health monitoring you can proactively monitor the health of various Teams devices in your environment. For example, if the device goes Offline, you now have the ability to trigger notifications which can be turned into immediate corrective actions by your administrators.

Security, Compliance, and Privacy Updates

Data Protection for apps

Now all Microsoft 365 Certified Teams apps will contain security, compliance, and data protection details within the Teams admin center. This gives your security and compliance teams peace of mind when granting the apps access to run within the organization. You can learn more about Microsoft’s App Compliance Program here.

That wraps up the biggest updates for Microsoft Teams that were announced last month! I hope you have found this blog helpful and I encourage you to check back regularly for more Microsoft 365 related content!

]]>

Adopting a Zero Trust Approach to Security – Part 2

Sat, 19 Jun 2021 13:40:21 +0000

Welcome back! Our last blog on adopting a Zero Trust approach to security gave you a high-level overview of the core principles in a Zero Trust security model. In this blog, we’ll start by discussing o the first and most important pillar, identity. Identity is the primary control plane for the Zero Trust model, which acts as the front door for users, service accounts, and devices that require access to resources.

Verify Identity

Identity is at the core of Zero Trust concepts which involves verifying explicitly and granting the appropriate level of access through a least privilege approach. Identity as a whole defines our security boundaries and is used as the driving factor in how the organization chooses to allow (or deny) access to its corporate resources. So what do we mean by this exactly? For example, if we have an identity (whether it be a person, service account, IoT device, etc.), we check the following:

Verify that identity with strong authentication
Ensure that access is compliant and abides by typical access patterns for that particular identity
Verify the identity follows least-privilege access principles

Enforce Strong Identity

One of the most important steps in your journey to Zero Trust relates to identity is establishing a common and unified directory service, such as Azure Active Directory (AAD). By doing this, we can then authenticate users, devices, and processes to your resources, applications, and services. This means that every employee who needs access to your corporate resources will be assigned an identity synchronized to Azure AD. That identity will give users access to the corporate resources, Microsoft 365, Microsoft’s SaaS applications, and even third-party PaaS/SaaS applications. With all that being said, you must enforce a strong identity that can be fulfilled through solutions like:

Microsoft Defender for Identity
- Microsoft Defender for Identity (formerly known as Azure Advanced Threat Protection (Azure ATP)) allows you to monitor on-premises Active Directory signals so you can identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.
Integrate Microsoft Defender for Identity with MCAS
- Microsoft Cloud App Security (MCAS) integrates with Microsoft Defender for Identity, which provides user entity behavioral analytics (UEBA) across hybrid environments. This hybrid offering will analyze activity and alerts to determine risk behaviors and provide investigation priority scores so you can streamline your incident response if one of your identities is ever compromised.
Application Integration with Azure AD
- Microsoft requires that all applications integrate with Azure AD via OAuth 2.0 with the latest Microsoft Authentication Library (MSAL). In addition, Microsoft uses an extensive SSO store to enforce strong authentication for any third-party applications.
Multifactor Authentication
- Multifactor authentication is one of the most important aspects of a strong identity. By requiring multifactor authentication to verify a user’s identity before giving them access to corporate resources, you significantly reduce the risk of that identity being compromised. So much so that based on Microsoft’s studies, your account is 99.9% less likely to be compromised if you use MFA. In short, long passwords aren’t enough anymore, and if you’re not using MFA today, stop reading this article now, and come back once it is in place!

Stop depending on passwords

By reducing password dependency, you can begin to eliminate password usage within the organization. “Why would an organization want to reduce password dependency,” you may ask? The goal is not to eliminate password data but to reduce the need for a user to repeatedly use that password as part of the authentication process. Microsoft themselves are eliminating passwords within the organization by utilizing several different platforms and technologies. Some of those including:

Multifactor Authentication
- As we alluded to earlier, MFA is one of the most critical pieces used to protect your identity. In Azure Active Directory, MFA will allow your organization to remove password requirements for authentication. Microsoft uses Azure AD MFA, the Microsoft Authenticator app, and Windows Hello for Business to facilitate this authentication within their environment. Still, they also use other technologies like Fast Identity Online (FIDO) to replace biometric data in Windows Hello and utilize smart cards for administrative access control scenarios.
Windows Hello for Business
- As mentioned, Microsoft utilizes Windows Hello for Business as a two-factor biometric authentication method. In essence, Windows Hello for Business allows all users on Windows 10 devices to replace their password data with biometric data, such as a fingerprint. In addition, Microsoft uses Windows Hello for Business to support “smart card-like” scenarios such as certificate-based deployments, which allows them to easily provide certificate renewal and remote-access capabilities.
Modernized hardware
- Last but certainly not least, it is always important to keep your hardware as modernized as possible. Modernizing your hardware portfolio is a crucial part of your MFA journey, especially since MFA and Windows Hello for Business rely on technologies like Trusted Platform Module (TPM) 2.0 and FIDO 2.0 for biometrics support. This may seem like a big investment to modernize your hardware, but this will likely be a drop in the bucket compared to what a breach to your environment would cost you otherwise, especially with the latest ransomware attacks that have been happening far too often.

Only granting least-privilege access

One key way of reducing the attack surface area of your identities is by granting them the least privileged access required to carry out their job. By default, all identities begin with no access. We then expand on this by using the least-privilege access model, which means our systems only grant access when needed. This means that all applications, services, and infrastructure will only provide the minimum set of access required by its users. This involves the following key factors:

Eliminating unnecessary access to reduce any impact from the compromised identity
Follow the KIS (Keep it Simple) method towards your implementation. This method can be used for about 90% of scenarios, and you should only pursue more complex implementations when necessary, i.e., with administrative accounts or high-risk environments.
Simplify your access-administration solutions for users and application owners
Aim for central preventative controls versus distributed manual configurations
Look at things from a cloud-first approach where the Zero Trust model thrives the most.

To begin this journey of least-privilege access, I suggest you identify and classify the roles that require elevated access. Once determined, look at each identity and determine the level of elevated access required, as not all elevated access is created equal. For example, does your Teams administrator really need to have Global admin privileges? Probably not! In short, to successfully reduce your organization’s attack surface, you should be looking to reduce the number of elevated privilege accounts and provide those elevated privilege accounts with the least privilege access needed to get their tasks done within their respective role. On top of that, we can require conditional access to applications by granularly enforcing MFA at the application level. This flexibility allows you to target specific people or groups and apply access requirements based on where they reside (internal or external to the organization’s network). For example, many organizations may want to only enforce single-factor authentication for users accessing resources while on the corporate network. In contrast, users not on the corporate network will require multifactor authentication.

Wrapping things up

I’ll say it until I’m blue in the face, but identity is the most important factor in your Zero Trust model. Identity is the most important factor when determining your access to your organization’s resources, so it is crucial to get identity down before looking at the other pillars of the Zero Trust model. To recap, if you are just beginning your Zero Trust journey, start by implementing the things we discussed today:

Enforcing strong identities
Reducing dependency on passwords
Limiting access to data based on leave-privilege access

Once you’ve tackled these identity tasks throughout the organization, you can begin to strengthen and build out the remaining pillars by securing your endpoints, applications, data, infrastructure, and network! Just keep in mind, this is not a 40-yard dash. This is a marathon. So start with one area, secure it to the best of your ability, and then proceed to the next pillar. The last thing you want to do is jump around from one pillar to the next, and as a result, you’re left with a half-baked security solution with multiple gaps that can easily be exploited. I hope you have found this article helpful, and I encourage you to check back soon, as we’ll take a look at endpoints next in our journey towards adopting a Zero Trust security strategy!

]]>

Adopting a Zero Trust approach to security – Part 1

Sat, 05 Jun 2021 14:10:19 +0000

Zero Trust has become somewhat of a buzzword over the past couple of years and has been coined the new gold standard of security models as technology has changed. So what exactly does “Zero Trust” mean, and should your organization start considering adopting this model? In this blog, we’ll discuss the Zero Trust security model at a high level so you can determine if this journey is worth enduring. Then, in subsequent blogs, we’ll cover each of these core components of Zero Trust in more detail so you can learn how to start implementing these core components within your organization!

What is Zero Trust?

Before data resided in the cloud, organizations structured their security model around implicit trust assuming that anything behind the corporate firewall would be safe. The Zero Trust model flips this old model on its head. The new Zero Trust model assumes breach and instead will explicitly verify each and every request as though it derives from an uncontrolled/untrusted network. This newer model follows the “never trust, always verify” mentality, which means that regardless of where the request is coming from, or what resources are being accessed, we must verify before access is granted to the network. With that said, we can break Zero Trust down into 3 core principles:

Verify explicitly
Use least privileged access
Assume breach

Verify explicitly

This first core principle transforms the security trust model into one that will verify requests explicitly based on data points including credentials/identity, location, device health, risk level, service or workload, data classification, and other anomalies. If we actually look at how many attackers compromise environments, this can be attributed to three main vectors:

Compromised user accounts
- Using techniques like password spray, phishing, or malware
  - On-premises identity systems are also more vulnerable since they lack “cloud-powered” protections like password protection, password spray detection, and AI for account compromise prevention
Compromised vendor accounts
- Vendor account that lack things like multi-factor authentication (MFA), IP range restrictions, device compliance, and access reviews were large targets for attackers.
Compromised vendor software
- Cases, where user accounts are used with a vendor’s software that lacks MFA or other policy restrictions, can also open holes in the security posture for attackers to take advantage of. By treating vendor accounts in the same manner that we manage our regular end-user accounts, many of these attacks could be stopped in their tracks.

In all three of the cases above, these can be seen as major gaps in explicit verification. By making sure you extend this verification to all access requests, even those from vendors and especially those from on-premises environments, you are one step closer to a more secure environment.

Use least privilege access

For this second core principle, we can use least privilege access to ensure that we are granting permissions required for that user to meet a specific goal and nothing beyond what is actually needed. This can be accomplished by limiting user access with Just-In-Time and Just-Enough-Access (JIT/JEA), risk-based adaptive policies, and data protection. By granting the least privilege access, this can significantly minimize an attacker’s opportunity to move laterally throughout your environment if a breach were to occur. The overall goal of least privilege access is to distinguish attacks by limiting how much of a resource (user, device, or network) the attacker can access.

Assume Breach

Have you ever heard the term “security through obscurity”? If so, throw that methodology out the door, because Microsoft doesn’t want anything to do with it! However, if you’re not familiar with the term, security through obscurity (STO) basically revolves around the idea that an organization will be less open to attacks if they hide important information and/or enforce secrecy as their main security technique. This is equivalent to hiding your front door key under the welcome mat thinking no one would be smart enough to look under it and find the “keys to the castle”. Unfortunately, this far too common, and as soon as that key is found you and your entire house have now become vulnerable! In the security world, this could involve hiding passwords inside of binary code or a script or changing a daemon port to reduce brute force attacks. The main issue with STO is that this is seen as the main method of security within an organization, and throwing all eggs into one basket is a very bad idea. Instead, one of the best ways to protect your environment is to assume as if an attacker has already breached your network. This last core principle revolves around minimizing the blast radius and segmenting access. Building your systems around the idea that a breach has already happened or will soon happen will give you more confidence knowing that mitigations are already in place if/when an intrusion occurs. So what does this entail? This involves collecting system data and telemetry, using it to detect anomalies, and then use that insight to automate prevention tactics so you can preferably prevent altogether. However, if that is not possible you will still be able to quickly detect, respond, and remediate near-real-time. Microsoft 365 Defender will allow you to quickly assess the attacker’s behavior and immediately begin remediating the issue.

By putting these three Zero Trust key principles into practice, you’ll be implementing an end-to-end strategy that spans across your entire digital estate! Now that we know the concept of Zero Trust, let’s talk about the approach to implementing Zero Trust through its seven main pillars:

Secure Identity
Secure Endpoints
Secure Applications
Secure Data
Secure Infrastructure
Secure Networks
Visibility, Automation, and Orchestration

Secure Identity

This involves verifying only people, devices, and processes that have been granted access to your resources can access them. When one of these identities tries to access a resource, this would include verifying its identity with strong authentication and also making sure the identity is compliant and typical for that identity. For example, typical” could mean accessing a resource from the USA consistently and then all of the sudden seeing that same identity attempting to access the resource from Russia that same day. When securing identity you should be following least privilege access principles mentioned earlier.

Secure Endpoints

Now that the identity has been granted access to the resource, this means data could be flowing through a variety of different endpoints (i.e. BYOD devices, company issues devices, on-prem workloads, cloud-hosted servers, IoT devices, etc.). With all of these devices out in the wild comes a massive attack surface area. Luckily, we can enforce things like device compliance and device health to secure our access.

Secure Applications

Another massive attack surface area involves your applications. This could include both on-premises legacy applications, as well as cloud-based applications. Applications are the software entry points to your information, so securing it should be top of mind! We can do this by applying controls and technologies to discover shadow IT, allowing you to ensure people are not using applications they shouldn’t be. We can also apply controls for in-app permissions, monitor for abnormal behavior, control specific user actions, and much more!

Secure Network

It’s safe to say that almost all data that your organization uses will be accessed over the network. This means that proper network controls should be put in place to enhance the visibility of that data and also help prevent any attackers from moving laterally if they were to compromise the network. The biggest areas to focus on include, network segmentation and in-network micro-segmentation, real-time threat protection, end-to-end encryption, monitoring, and then reviewing analytics.

Secure Infrastructure

This includes on-prem servers, cloud-based VM’s, containers, microservices, and the underlying operating systems and firmware. All of which can present a large attack vector. However, by assessing for versions and configuration you can significantly reduce the risk by hardening your defense. In addition, use telemetry to detect attacks and anomalies and stop them in their tracks by automatically blocking or flagging the behavior as risky and taking protective action accordingly.

Secure Data

Data is everywhere! Data resides across all of your files and content and includes both structured and unstructured data. Regardless of where the data resides, you will want to ensure that it remains safe especially once it leaves your devices, apps, infrastructure, or network. Luckily, data can be secured through things like classification, labeling, and encryption and access can be restricted accordingly.

Visibility, automation, and orchestration

Although this isn’t technically a core pillar for Zero Trust, it has become an important aspect in how you manage your data and ultimately helps you make better-trusted decisions which in turn hardens your security even further. With each of the pillars highlighted above, you will see various alerts generated along the way which will likely result in your Security Operations Center (SOC) analysts becoming busier than ever and may result in some of them missing alerts. Luckily, Microsoft gives you the proper tools to manage those threats through proactive and reactive detection so your SOC can focus on the real threats that matter the most and let the tools handle the rest!

That wraps up our first blog on adopting a Zero Trust strategy! I hope now you understand at a high level what exactly Zero Trust means and also have an understanding of each pillar in the Zero Trust strategy. In subsequent blogs, we’ll dive into each of these layers in our end-to-end journey of Zero Trust! I hope you have found this blog helpful, and I encourage you to check back shortly when we cover our first pillar of securing identity.

]]>

Microsoft Teams Updates (June 2021)

Sat, 29 May 2021 11:40:47 +0000

The month of May had a plethora of new features announced by Microsoft. In today’s article, we’ll review some of the biggest features and innovations released in Microsoft Teams around meetings, calling, chat and collaboration, security, compliance, and privacy! Let’s get started!

Meeting Updates

Dynamic View

One of the biggest announcements around Teams meetings involves Dynamic view. Dynamic view will automatically arrange the elements in your meeting for the best viewing experience. This means that as people join the meeting, turn on their video, start speaking, or present their screen, Microsoft Teams will adapt to these real-time changes and adjust the layout automatically!

Image provided by Microsoft

Presenter Mode

Microsoft has been hyping up this new feature for quite some time and now you can finally start using this new meeting feature to put a new spin on how you want to present your video feed and content to your audience. With the new Presenter mode, you can customize how your video feed and content is displayed in the meeting by using layouts like “Standout” which shows the speaker’s video as a silhouette in front of the content being shared! This will be the only layout within Presenter mode available at this time, however, there are two additional layouts (Reporter and Side-by-side) coming at a later date.

Image provided by Microsoft

Large Meeting Updates

Now you will have the ability to hold interactive meetings and webinars with up to 1,000 people which can include features like chat, polls, and live reactions. What if you surpass that 1,000 user limit though? Luckily for you, the meeting will then scale to accommodate up to 10,000 people with a view-only experience. In addition, you can now have view-only broadcasts of up to 20,000 attendees until the end of 2021. For those of you that are not familiar with Live Events the typical limit is half of that (10,000 attendees), so take advantage while you can!

Attendee Registration

Microsoft is giving you more customization options for your meeting and webinars by allowing you to create your own attendee registration page as the meeting organizer. This attendee registration page will help meeting organizers easily manage attendance before and/or after your virtual event. Once your attendee has registered, they will automatically receive a confirmation email with a calendar invite to join the event. Additionally, you can add custom questions and images for branding purposes! What are you waiting for? Try it out today!

Image provided by Microsoft

Updates to your sharing experience in a meeting

While sharing content in a Teams meeting, you’ll now see a new streamlined experience that consolidates all windows into a single bucket so you no longer have to endlessly scroll to find the one piece of content you would like to present. Additionally, any PowerPoints you have will be automatically organized to present with PowerPoint Live for easier access to the content you need now!

Image provided by Microsoft

Include computer audio while sharing your desktop on a Mac

Better late than never! Mac users are finally getting the option to include their computer’s audio when presenting their desktop or a particular window in a Teams meeting. For the majority of us on Windows computers, we have had this option for years now, however, Mac users no longer need to feel left out on this nifty feature that makes sharing video with voiceover and music a breeze! Mac users, you can finally say goodbye to echoes while trying to blast your audio from your speakers so they watching your presentation can hear the music .

Breakout Room Timers

Sometimes it’s hard to keep track of time in a meeting, especially when it comes to breakout rooms where multiple meetings are going on at the same time. Luckily, Microsoft is giving organizers the ability to set a timer within a Breakout room so you can make sure everyone rejoins the main meeting in a timely manner. With this new setting enabled, all users in the Breakout rooms will be returned to the main meeting as soon as the timer has expired. These settings can easily be tweaked to your liking within the Breakout room settings!

Image provided by Microsoft

Attendee Video updates

This new feature is a great new addition to Microsoft Teams! Now you’ll have 3 new ways to manage the attendee’s camera in a meeting.

Meeting attendees will be able to turn their camera on or off to share video (default option)
Disable all attendees’ camera from within the Meeting Options web page before a meeting
Re-enable attendee video capabilities mid-meeting, allowing attendees with the ability to turn their camera on once again
Enable or disable the camera for attendees on an individual user basis.

Note: For the attendees of the meeting, even if the video capabilities are re-enabled by the organizer, this won’t force your video to turn on automatically. Additionally, these settings have no bearing on presenters or meeting organizers.

Image provided by Microsoft

AI-based noise suppression for Mac users

Another one of those “better late than never” features for our Mac users . If you’re like me and you have a very loud work environment (thanks to my dog), you likely have your noise suppression turned to high. This capability is extremely helpful and luckily Mac users will now be able to benefit from this awesome feature!

Note: If you are a Mac user with an M1 ARM processor, I regret to inform you that you will not be getting the noise suppression capabilities yet.

Participant List updates

The participant list is getting a facelift! You may have already noticed that the participant list is now broken up into three different sections:

Lobby
Presenters
Attendees

For the lobby section, you can now review a full list of people waiting in the lobby before admitting them into the meeting. Additionally, attendees will be sorted in alphabetical order and once someone raises their hand in the meeting, they will be pinned to the top of the participant list.

But wait…. there’s more! There have also been some updates around searching capabilities in the participant list. You can now search by the user’s name or PSTN number within the participant roster. If the user you’re searching for isn’t included in the meeting, you will also have the option to request that the user joins.

Image provided by Microsoft

Block Downloads for non-channel Teams meeting recordings on OneDrive

By default, all users in a non-channel Teams meeting will have view-only permissions to meeting recordings. This means that if the user attempts to download the meeting that was uploaded to OneDrive they will be blocked by default. This is done intentionally to provide greater control over meeting recordings and prevent accidental data loss. Microsoft does however give you the ability to go into the OneDrive file share dialog and toggle the “block download” option on/off for individual files if you find the need to share the recording.

Image provided by Microsoft

Calling

Updated calling user interface

Microsoft has updated the layout of your calling tab in Teams. Now you’ll see a more streamlined view that includes contacts, voicemail, and calling history all on a single screen. Prior to this update, you had to go between several different tabs in order to get to the area you wanted.

Image provided by Microsoft

Call Merge in Teams

If you have the calling capabilities within Teams you will now see the option of merging an active 1:1 call into another 1:1 group call. Let’s say you’re preparing for a fundraising event for your organization and you’re currently on a call with the event coordinator. The event coordinator wants to talk about some specifics that you don’t have an answer for so you want to reach out to someone on your team to see if they can lend you a hand. Now you won’t have to end the call with the event coordinator. Instead, you can call your colleague while your call with the event coordinator is still active and then merge the two calls together so he can nail down all of the specifics the event coordinator was asking you about! Best of all, this capability isn’t limited to PSTN calls, you can also merge VOIP calls!

Image provided by Microsoft

Calling Plan updates

If you’re unfamiliar with Teams Calling Plans, they give you a quick method of deploying PSTN calling capabilities in Microsoft Teams, without the need for any on-premises servers or equipment! Microsoft has recently expanded its geographic coverage on where they offer Calling Plan capabilities to include:

New Zealand
Singapore
Romania
Czech Republic
Hungary
Finland
Norway
Slovakia
Poland
Luxembourg

This now makes 28 different markets where Microsoft offers Calling Plans! Find out more about Calling Plans here!

Chat and Collaboration

Group chat with external users

As you may know, you have the ability to chat with up to 250 participants within a single chat. However, Microsoft is expanding on this capability by giving you the ability to add multiple federated/external users into chats to collaborate more efficiently. In the past, you could only have a single user for federated chats which means you’d be forced to create a Teams meeting with all federated participants if you wanted to communicate with them all at once. If you’re the Teams administrator, don’t forget to look at your external access/federation settings as this is the main setting driving this ability to chat with federated users.

Image provided by Microsoft

Security, Compliance, and Privacy

Customer Key support in Teams

Microsoft 365 Customer Keys allow your organization to meet specific compliance requirements by providing encryption keys that are used to encrypt your data in a Microsoft Datacenter. This is handled through DEPs (Data Encryption Policies) which encrypt your data across multiple M365 workloads for all users within the tenant. As it relates to Microsoft Teams, this could include:

Teams chat messages (1:1 chats, group chats, meeting chats, and channel conversations)
Teams media messages (images, code snippets, video messages, audio messages, wiki images)
Teams call and meeting recordings stored in Teams storage
Teams chat notifications
Teams chat suggestions by Cortana
Teams status messages
MIP exact data match (EDM) data – (data file schemas, rule packages, and the salts used to hash the sensitive data). For MIP exact data match (EDM) and Microsoft Teams, the multi-workload DEP encrypts new data from the time you assign the DEP to the tenant. For Exchange Online, Customer Key encrypts all existing and new data.

To learn more about Customer Key support in Teams, check out the Microsoft docs article here.

That wraps up the latest updates to Teams for the month of May! This blog covered most of the larger updates around the core Teams features, however, if you are looking for the full list of updates big and small, you can find that here!

]]>

What’s Rolling Out to Your Teams Client This Month?

Sat, 22 May 2021 13:13:46 +0000

We’re well into May and Microsoft still has quite a few features on their roadmap that are slated for release before the end of the month. In this article, we’ll cover some of the features that should be showing up in your Teams client within the next couple of weeks. With that said, let’s see what Microsoft has in store for us!

Android On-Demand Chat Translation

Get inline message translation on your Android device with a simple click! Now you’ll be able to easily communicate with someone that speaks a different language by translating posts in channels and chats. Now you can break down those language barriers by allowing every worker to facilitate global collaboration!

Dynamic View

Microsoft is making some changes to how content is seen when being shared within a meeting. The new controls will allow you to personalize the view such as the ability to show shared content and participants side-by-side to better suit your viewing preferences.

Custom Attendee Registration

Looking for ways to more easily manage the attendance in a Teams meeting or webinar? Look no further, now you can add a custom attendee registration page so you can manage the meeting attendance before or after an engagement. Once the registration has been set, all meeting attendees will receive an email confirmation and a calendar invite.

Out of Office

Microsoft is making it easier to set your Out of Office status by integrating this feature into your presence status options in Teams! Now you’ll be able to schedule your “Out of Office” presence in Teams which will also carry over to your Outlook calendar and update the automatic replies accordingly.

Block Downloads for non-channel Teams meeting recordings on OneDrive

Now if a standard (non-channel) meeting is conducted and you are only granted view-only permissions of a meeting recording that was uploaded to OneDrive, you’ll be blocked from downloading the recording by default.

Updated in-meeting sharing experience

Microsoft is giving its in-meeting sharing experience a facelift! The in-meeting share features have been redesigned to help presenters more easily navigate and find their desired content for sharing.

Updates to Sensitivity Label hierarchical display in Teams

If you are currently using hierarchical sensitivity labels (parent label and child labels), the channel headers in Teams will now only display the parent label as opposed to showing the child label. For example, if we had a sensitivity label entitled Confidential\Accounting, the Teams client would only show the parent label “Confidential” in the channel header and now the Accounting header.

New updates for Together Mode and Large gallery views

You will now have the option to change the viewing layout for both Together mode and Large gallery views in Edge and Chrome browsers! Sorry Firefox users, you weren’t invited to the party.

Disable/Enable a single attendee’s video or all attendee’s video in a Teams meeting

Soon you will have the ability to disable/enable either a single attendee’s video or the all attendee’s video in a Teams meeting! As of right now the only way to disable video is via meeting policies which would then disable video for all meetings the user(s) organize. Having the ability to control this on a per-user basis and per-meeting basis is a great addition for Teams!

Noise suppression coming to Macs

A little late to the party, but better late than never! Windows users have had the capability to set the level of noise suppression on their microphone however, Macintosh users will now have this same capability coming to their Teams clients! If you’re working from home and you’re like me where at times you have a good amount of background noise (i.e. barking dogs) then this feature can be a godsend! There are four different levels (auto, low, high, and off), and I take full advantage of the “high” noise suppression setting .

Note: This feature is available now for all Mac users except for those with the new Macs that have M1 ARM processors.

Polls are getting smarter in Teams meetings

Now when you create a poll for your Teams meeting, Microsoft Forms intelligence service will suggest some polls based on your meeting purpose. In addition, after you’ve used polls for some of your meetings the Forms intelligence service will suggest your historical polls based on the meeting’s purpose.

Webinars in Microsoft Teams

You will now be able to schedule and deliver a webinar to upwards of 1,000 people within the Teams application! Webinars support capabilities such as the registration page we talked about earlier, email confirmation for those registrants, host management for attendee audio and video, attendee reporting, and even interactive features like your polls, chats, and reactions!

Meeting participant roster changes

Microsoft is making some major changes to how the participant list is displayed. The participant list will be displayed within a meeting for the following sections: “Lobby”, “In meeting”, “Presenters”, and “Attendees”. Going forward, a maximum of 20 participants for each of the sections mentioned above will be displayed in the initial view. However, you will have the option of drilling into each of these sections to view more participants. Within the Lobby section, you will also have the ability to review a full list before admitting anyone into the meeting. Lastly, the roster will display additional details like who is the most active participant in the meeting which will be listed in alphabetical order for your viewing.

Search capabilities in participant roster

If you have a large meeting with hundreds of users attending, sometimes it becomes a bit overwhelming trying to find a particular user in the roster. Luckily, Microsoft is releasing searching capabilities so you can search for in-meeting participants. If you find that the user you’re looking for isn’t part of the meeting you can continue that search for participants outside the meeting and drag them in by requesting them to join the meeting.

Correct Answer capabilities in Polls

Microsoft is adding a new feature allowing you to select a correct answer to a multiple-choice polling question. This includes the ability to select a single option or multiple options if the “multiple answers” option is selected. After the poll is complete the correct answer choice will be shown within the Results card. The feature will exist in the following scenarios:

Teams meeting polls (ones that pop up as a window on your screen)
Polls used within a Teams chat (inside or outside of a meeting)
When opening the polls from the Forms site (read-only)

Polls in Teams are getting support for large meetings

Polls are getting a buff to their meeting support capabilities. With the power of Forms, your polls within a Teams meeting will support up to 1,000 users!

Teams Live Event Producer experience updates

Now as the Producer of a Teams Live Event you’ll have the ability to produce the event in a separate window, which will then allow you to more effectively manage and track your event!

Well, that wraps up all of the updates currently rolling out for the month of May! I hope you have found this article helpful and I encourage you to start using these features as soon as they drop to your Teams client! As always, Microsoft is constantly releasing new exciting features for Microsoft Teams, so this list will continue to grow as the month progresses. Stay tuned for another blog in a couple weeks where we’ll discuss all of the upcoming features coming to Teams over the next few months!

]]>

Skype for Business Online is being retired soon, are you ready?

Sat, 15 May 2021 18:45:04 +0000

We’re only a couple months away from Skype for Business Online’s retirement (July 31, 2021). Many organizations have been proactive with moving their users off of the service, however, some organizations may have been procrastinating for the past two years in making the switch to Microsoft Teams so now they are faced with scrambling to get everyone moved over to Microsoft Teams before its retirement at the end of July. If you fit into the latter, all hope is not yet lost, as Microsoft has some great resources and options as you plan your transition to Microsoft Teams, which we’ll discuss in today’s blog.

What happens once Skype for Business Online retires?

According to Microsoft, “after Skype for Business Online retires on July 31, 2021, the service will no longer be accessible.” Something else worth mentioning, for services that integrate with Skype for Business Online, will no longer be supported after July 31st. This includes support for third-party audio conferencing providers (ACP), Skype for Business Online Cloud Connector Edition (CCE), hybrid voice configurations, and Skype Meeting Broadcast. In addition, you’ll no longer be able to move online users out of Teams Only mode after July 31, 2021. For example, if you’re in a coexistence mode you should currently see several different options to choose from (Islands, SfB Only, Teams Only, Skype for Business w/ Teams Collaboration, and Skype for Business w/ Teams Collaboration and Meetings (Meetings First). Going forward, once your users are on Teams Only you won’t have the option of moving them back to one of the Skype for Business Online based options. Microsoft allows customers to use the coexistence modes as a stepping stone for getting to the cloud (Teams Only). With that said, if, at all possible, you shouldn’t be using the coexistence modes as an end-state for your organization, as support for coexistence modes could be deprecated at a later time and you’d find yourself scrambling to get to Teams Only mode in the end. For those reasons alone, Microsoft has made it exceedingly easier to move directly to Teams Only from Skype for Business Server, provided you have configured hybrid connectivity between Skype for Business Server and Microsoft 365. However, Microsoft hasn’t stopped there, for those of you still on Skype for Business Online (hybrid or cloud-only), Microsoft will be scheduling assisted upgrades to help you make the jump to Microsoft Teams!

Let Microsoft help get you to Teams

As mentioned, Microsoft will be offering help with getting your organization to Microsoft Teams, however, there are a few caveats that should be mentioned:

You must be in a hybrid or cloud-only deployment state (sorry you on-premises Skype for Business server folks)
Microsoft will only provide “last mile” technical steps with your transition to Microsoft Teams (more info on this in the coming weeks)
The upgrade duration will vary depending on user volume. Obviously the larger the volume, the longer the upgrade duration. However, Microsoft states that most customers can easily be upgraded within 24 hours from the start of the upgrade

Now that we’ve gotten those caveats out of the way let’s discuss what this assisted program has to offer. Microsoft has started to offer this assisted upgrade to Teams program as a way to reduce the number of technical tasks that you as the customer need to do and also allows for a greater focus on end-user training, awareness, and overall preparedness. If you have signed up for the assisted upgrade to Teams you will receive a series of upgrade notifications. You’ll start seeing these notifications 90 days prior to the scheduled upgrade date. You should see these notifications displayed as “Plan for Change” posts within the Microsoft 365 Message Center, Teams Admin Center, and as in-app flags to end-users. From a post-upgrade end-user experience, users will need to sign out of their Skype for Business Online client, they will begin to utilize the Teams client for messaging, meetings, and calling. To break things down further:

Chat and Calling
- All calls and chats are started and received in Teams
- Users can communicate (chat/call) with any Skype for Business user
- Organizations can enable Teams users to communicate with users of the Skype consumer service by managing external access permissions
- Teams users who attempt to sign in to Skype for Business Online will be redirected to Teams
Meetings
- Users schedule all new meetings in Teams (plugin replaced)
- Existing Skype for Business Online meetings are converted to Teams meetings
Migrated Data
- Existing contacts from Skype for Business Online including federated (but no distribution lists)

On the backend, the coexistence mode will be set to Teams Only for those users and can only be changed to a different coexistence mode by Microsoft. To get the full breakdown and more information on your upgrade to Teams Only, I’d recommend that you check out the Microsoft Docs page here which gives you all the information you’ll need in your journey to Teams! If you’ve been putting off the upgrade for the past two years, don’t wait another minute, get started today!

]]>

Enabling Passwordless Sign-in with Microsoft Authenticator App

Tue, 11 May 2021 09:30:22 +0000

A majority of cyber attacks today are due to a compromised username and password. As a result, many organizations have tried to combat these threats by implementing multi-factor authentication. Although this method is significantly better than just one form of authentication, this typically leaves the end-user frustrated with the extra steps on top of just remembering the username and password. This is where passwordless authentication can shine, as it gives you the best of both worlds, security, and convenience for your end-users and organization as a whole. Three different methods can be used with passwordless authentication:

Windows Hello for Business
Microsoft Authenticator App
FIDO2 security keys

In today’s blog, we’ll be covering passwordless sign-in using the Microsoft Authenticator App. This will include a breakdown of how it works, prerequisites, and how you can start using it within your organization.

How does it work?

The Microsoft Authenticator App allows you to sign in to any Azure AD account without even entering a password. It sounds almost too good to be true, but in fact, it is possible! The Microsoft Authenticator App uses something called “key-based” authentication which ties a specific user account to a device. Once the user account is tied to the device, the device then prompts for a PIN or biometric to successfully authenticate. The best thing of all, this can be used on any device platform and can be used with any website that integrates with Microsoft Authentication Libraries. So what does the end-user see when trying to authenticate if no password is required? Glad you asked! For users that have enabled the phone sign-in method from within the Microsoft Authentication App, they will be prompted to tap on a number within the app. As you’ll see in the image below when attempting to sign in to your Microsoft 365 account you will be presented with a number. Then in your authenticator app, you will need to match the number with the one you see in your browser. After matching the number, select Approve, and lastly, you’ll provide your PIN or biometric to gain access to your application. As you may have noticed, I never mentioned anything about a username or password prompt, that’s the beauty of it all!

Requirements/Prerequisites

There are a few prerequisites that must before you can start using passwordless sign-in:

Azure AD MFA with push notifications must be allowed as a verification method
You must have the latest version of the Microsoft Authenticator app installed on your device
You must have a minimum version of iOS 8.0 or Android 6.0
The device you’re using for authentication must be registered in Azure Active Directory to an individual user

How do I enable Passwordless Sign-in Authentication?

Now that we’ve discussed what passwordless sign-in is, how it is used, and the prerequisites that must be met, let’s cover how to go about implementing this method within your environment! As we’ve mentioned, there are a few different authentication methods to choose from, but in this case, we’re going to use the passwordless sign-in method. To enable this you’ll need to do the following:

With a Global Administrator account, navigate to the Azure AD portal.
Browse to Security > Authentication Methods > Policies
Under Microsoft Authenticator select from the following options:
- Enable: Yes or No
- Target: All users or Select Users
Any group or user that is targeted will use the passwordless and push notification modes (“Any” mode) by default. If you’d like to change this you will need to do the following:

- Expand the Details pane and next to the group name or user name you should see an ellipses (…). Select that and choose Configure.
- In the Configure pane, expand the drop-down and choose the authentication mode(s) you want that user or group to use.
  - In our case, we’d change this from Any to Passwordless

- Once you’re all done with making these changes select Done and then don’t forget to also select Save.

That’s all it takes! I hope you have found this quick run-through of the passwordless sign-in via Microsoft Authenticator helpful, and I encourage you to start thinking about implementing this method within your organization!

]]>

Microsoft Teams Updates (May 2021)

Sat, 01 May 2021 14:38:04 +0000

Welcome to May! As per usual, Microsoft has released a plethora of new features that you can start using today! In this blog, we’ll cover the biggest announcements around Teams meetings, chat & collaboration, and management! Let’s see what Microsoft has in store for us this month!

Teams Meeting Updates

Breakout Rooms Retention + Participant Reassignment

With this update, Breakout Room retention will give the meeting organizer the ability to persist room configuration and assignment over multiple sessions. Another update is around participant reassignment, which gives the organizer the ability to move joined participants across rooms and main meetings while the meeting room is still open! This feature is in the process of rolling out to tenants, so keep an eye out! You can check out the official roadmap item here.

Invite-Only Meeting Options

Do you ever have an issue with people getting straight into your meetings without being officially invited? Worry not, Microsoft has a new meeting option to automatically send those who were not originally invited by your meeting organizer to the lobby. This means that if an invite is forwarded to a colleague that you (as the meeting organizer) didn’t explicitly invite, they would be sent to the lobby until they’ve been admitted.

Meeting Creation and Expiration Policy Updates

In order to better meet security and compliance requirements, Microsoft has disabled meetings and their join links for any users that have had their scheduling permissions revoked. As you could likely guess, this wasn’t always the case. In the past, a user could continue to reuse an old meeting join link even after their scheduling permissions had been disabled. Luckily, that issue will be a thing of the past!

More Flexible Audio Permission Settings

Meeting organizers are getting greater flexibility around attendee audio permissions. Going forward, attendees will no longer need to request to speak for you to allow them to unmute. In addition, you’ll have the ability to prevent individuals from unmuting on a per-user basis! You can learn more about those settings here.

Live Event Presenter Support for External Users

Provided your Live Event is scheduled within Teams, you’ll have the ability to allow anonymous users (those not having a Microsoft service account or AAD account) to present content! This makes it easier than ever to allow someone outside of the organization to present content to large audiences in your Live Event! Get all the details here!

Teams Live Event Producer Updates

As the producer of the Live Event, you’ll now be able to manage the Live Event in one Teams window, all while collaborating with others in a separate window!

Custom Backgrounds on Teams iOS Devices

If you’re joining a meeting from an iOS device you’ll now have the capability of applying a custom background while using video in your Teams meeting! Get the full details here!

Casting Capabilities for Android and iOS

You can now cast your screen from either an Android device or an iOS device to a Teams Room! In addition, you can broadcast your screen to share content located locally on your device or from within OneDrive or Teams! Check out this awesome new feature here.

Chat & Collaboration Updates

Product Feedback tool

Microsoft cares about your feedback! Based on the feedback you submit, Microsoft automatically sends you help documentation pertaining to that topic. Additionally, (if enabled by your Teams admin) you’ll be able to share your email address when submitting the feedback which gives Microsoft the ability to follow up with you personally!

Windows 10 Native Notifications

You now have the ability to decide whether you want to receive your notifications through the regular built-in Teams method or through the Windows native method. If you’ve chosen the Windows native notification method, you’ll get benefits like focus mode and integration of Windows 10 action center to get notifications in one place. As for prerequisites, you just need to have a Windows build of 10.0.17763.288 or higher. If you do meet these requirements, you should see the ability to change to the Windows native notification method via the Teams notification settings.

Management Updates

Pre-configured website tab in Team Templates

You can now add URLs to the website tab within a team template. This gives your users the ability to access important web resources like company sites, most popular pages, and other online documents that you believe are pertinent.

Anonymized Users in Teams Usage Reports

As the Teams admin, you can now keep your user’s data anonymized to protect their privacy if you’re viewing, sharing, or downloading the Teams user usage report. If your admin has this enabled, PII information like email addresses, usernames, and Active Directory IDs will all be anonymized.

Custom Policy Packages

Everyone loves the ability to customize things! The same thought holds true for our Teams admins out there, especially with all of the unique scenarios presented every day. Luckily, Teams admins can create policy packages that they can customize, configure, and assign accordingly. Gone are the days of canned policy packages in Teams! Teams admins even have the ability to assign policy packages to a group allowing them to assign multiple policies to that group of users.

That wraps up the biggest updates this month for Microsoft Teams! If you want to see all of the updates (including things like Government, Devices, and Frontline Workers), I encourage you to check out the official blog post here. Also, if you’re currently a Skype for Business Online user, we’re only a couple months away from Skype for Business Online’s retirement. In my next blog, I’ll cover what this means for you and how you can take action now with your migration to Microsoft Teams!

]]>

How to Save Queries in Microsoft Cloud App Security (MCAS)

Sat, 24 Apr 2021 10:44:01 +0000

Microsoft Cloud App Security (MCAS) is Microsoft’s Cloud App Security Broker (CASB) solution that provides organizations with simple deployment, centralized management, and innovative automation capabilities. One of the great features within MCAS that not many administrators leverage (or even know about) is the ability to save your custom queries! In this blog, we’ll create our own query, and then we’ll highlight how to save the query and even turn that query into its own policy! Let’s get started!

Creating a custom query

Let’s start by navigating to portal.cloudappsecurity.com. Once there, we’re going to go to the Investigate tab and then select Activity log.

Now that we’re where we need to perform a query, you should see the “Select a query” option at the top. Microsoft gives you 10 suggested queries to choose from, but in our case, we’re going to create our own!

Creating and using the custom query

For our scenario, I’ll use something we came across with a recent customer, that being ActiveSync. Since Exchange ActiveSync is not designed to be used for server-to-server communications in the online environment, the customer wanted to block ActiveSync and instead leverage more modern authentication methods. To block this, we were going to leverage Conditional Access rules. However, we weren’t entirely sure how many users were leveraging ActiveSync within the environment. Thanks to MCAS, we’re able to create a custom query that will show us who is using ActiveSync today to properly plan for this change. To do this, we would need to toggle the Advanced Filters option to On and then select the following filters:

Device >Type > Equals > Mobile

Activity Type > Equals > ”Log on: OrgIdWsTrust2:process” and “Failed Log On: OrgIdWsTrust2:process”

So, in summary, this query is “saying,” find any mobile device with ActiveSync data. Since new users are constantly joining the organization, we will want to run this report daily to keep the reports as up-to-date as possible. Instead of finding these advanced filters each and every time you want to run this report, MCAS gives you the ability to save a query! To do that, just select the “Save as” option, name the query, and that’s it! Now when you come into work the next day, you’ll be able to easily find and run that particular query!

Turning your query into a policy

We can even take things a step further by turning this query into its own custom policy! To do this, just select the ” + New Policy from search” option below the query. You’ll notice all of the filters and conditions will be pre-populated for you, so all you’ll need to do is add a name to your policy, select a category to classify your query, include a description (optional), and add any actions that you want to be performed when the policy is triggered.

It’s as simple as that! MCAS is a potent tool, and with the amount of flexibility and customization at your fingertips, the capabilities are endless! I hope you have found this article helpful, and I encourage you to check back soon for more Microsoft-related content!

]]>

Preparing for the SC-400: Microsoft Information Protection Administrator (April 2021)

Sun, 18 Apr 2021 13:55:04 +0000

Back in February, I posted another blog that outlined each of Microsoft’s new certifications around security and compliance. Today, we’ll dig into one of those exams, the SC-400: Microsoft Information Protection Administrator so you can get certified! Without further ado, let’s see what this exam entails!

There are three main components to this exam:

Implementing Information Protection
Implementing Data Loss Prevention
Implementing Information Governance

To help you prepare for this exam, I’ll include links to each of these topics so you can go straight to the source and avoid the confusion of not knowing what to study.

Implementing Information Protection (35-40%)

Create and manage sensitive information types

Create and manage trainable classifiers

Implement and manage sensitivity labels

Plan and implement encryption for email messages

Implement Data Loss Prevention (30-35%)

Create and configure data loss prevention policies

Implement and monitor Microsoft Endpoint data loss prevention

Manage and monitor data loss prevention policies and activities

Implement Information Governance (25-30%)

Configure retention policies and labels

Manage data retention in Microsoft 365

Implement records management in Microsoft 365

That wraps up all of the topics covered on the SC-400. I also encourage you to check out Microsoft Learn content on this exam, which can be found here. I hope you have found this helpful, and I wish you the best of luck on your exam!

]]>

Microsoft Teams Updates (April 2021)

Sun, 04 Apr 2021 11:26:32 +0000

Spring has sprung! If you’re like me and you live in frigid temperatures about 7 months out of the year, the first day that reaches 50+ Fahrenheit you’ll find me on the running trail in shorts and a t-shirt! However, rising temps aren’t the only thing to be excited about, Microsoft has also been hard at work releasing a plethora of new features to end-users! In today’s blog, we’ll outline some of the biggest announcements for Microsoft Teams over the past two months!

Meeting Updates

Meeting Recap

Microsoft is making it easier than ever to stay on track and keep your work moving forward even after the meeting has concluded. With the new meeting recap feature, you can easily view meeting recordings, transcripts, chats, and attached files! The meeting recap will be shared with meeting participants in the Chat tab and will also be viewable within the Details tab.

Image provided by Microsoft

Meet Now Option in Outlook for Windows

You can now easily spin up ad-hoc Teams meeting from within Outlook for Windows by going to the calendar tab and clicking the new Meet Now option. If you don’t see this option have your admin check the Allow Private Meet Now policy option in the Teams Admin Center (TAC).

Meet Now Link in Teams Calendar

You can now copy a Meet Now directly from your Teams Calendar and share it with others without having to actually start the meeting! This isn’t exactly groundbreaking, but it is definitely a nice feature to have!

Mask PSTN Participant Phone Numbers

This request has been in high demand for those using Audio Conferencing for Teams meetings! Now tenant administrators have the ability to decide how they want participant phone numbers to be displayed in the roster view for meetings scheduled in the organization. The options include:

Masked to external users
Masked for everyone
Off (visible to everyone)

Image provided by Microsoft

This allows organizations to conceal PSTN participant phone numbers if needed. To turn on this feature, you’ll just need to run a quick PowerShell command, which can be found here.

Bypass Lobby Meeting Option

Microsoft is giving organizations an even more granular approach when scheduling a Teams meeting. Microsoft has just released two additional Teams Meeting Options, the two additional options include:

People in my organization
- Excludes guests
People in my organization, trusted organizations, and guests

This gives meeting organizers additional options, security, and flexibility when it comes to allowing users to bypass the lobby and get directly into the meeting.

Image provided by Microsoft

Calling Updates

Voice-enabled channels

This awesome new feature allows you to connect a call queue to a channel in Teams! So if you have users that need to collaborate within a channel while taking calls (i.e. IT service desk or HR), admins can now easily connect a call queue to a channel and the team owners will have the ability to manage the settings! You can learn more about this neat new feature here.

Image provided by Microsoft

Survivable Branch Appliance (SBA) Support

If you’re unfamiliar with SBAs, they allow users to continue to place and receive PSTN calls in the event of a network outage. In the event of an outage, the Teams client would switch to the SBA automatically and any outgoing calls would continue to work without any type of break in the call! Then once the network connection has been restored, the Teams client will detect this and normal call functionality will continue as normal. You can learn more about SBAs in Teams here.

Image provided by Microsoft

Chat and Collaboration Updates

250 GB file size support in Teams client

Microsft is upping the file size upload limit in the Teams client from 100GB to 250GB. This not only applies to the Teams client, but it’ll also apply to all other Microsoft 365 services such as SharePoint and OneDrive for Business.

Viva Connections on Teams Desktop

Viva Connections was recently announced by Microsoft and it integrates seamlessly into apps and devices you use every day! With Viva Connections, you get a curated, company-branded experience that brings together relevant news, conversations, and other resources. Best of all, you can start using this within Teams today! Learn more about Viva Connections and how you can easily add this to your Teams desktop experience here!

Image provided by Microsoft

Viva Insights in Teams

With Viva Insights, you get personalized insights and actionable recommendations to help you and your organization thrive in your work environment. Available today as an app in Teams, Viva Insights allows you to build better work habits and dedicate focus time so you can work individually without being interrupted. These insights are derived by summarizing your Microsoft 365 data around emails, meetings, calls, and chat and presents you with private and personalized insights that only you can see! You can learn more about Viva Insights here.

Image provided by Microsoft

Teams Template PowerShell support +Template Policies in TAC

As a Teams admin, you can now manage your team templates at scale with template cmdlets in PowerShell! Admins can now easily get a full list of all available templates within the tenant, get details from a particular template, create templates, edit templates, and delete templates all within PowerShell! In addition, admins can choose which policies they want to be shown to end-users. Within the Teams Admin Center, admins can create different Teams template policies and target which templates to show/hide.

New File Sharing Experience in Teams

Sharing files in Microsoft Teams has never been easier! Now you can create shareable links for any file that is stored in Teams and easily set permissions on each file. This now aligns with the permissions that can be set for files stored in SharePoint or OneDrive for Business so the sharing experience becomes more streamlined and consistent regardless of where you’re sharing the file. You can learn more about the file-sharing process and the permissions for file sharing here.

Bring SharePoint content into Teams

Microsoft is making it easier than ever to bring SharePoint content into Teams! When connecting SharePoint to Teams you’ll have the ability to choose which lists, libraries, and pages you want to bring over into Teams as tabs as part of the General channel.

Image provided by Microsoft

10,000 member org-wide team

Org-wide teams can now support up to 10,000 members! For tenants with less than or equal to 10,000 users, you can easily create an org-wide team, which syncs all tenant members with the team.

25,000 person teams

Yep, you read that right! Microsoft has increased the limit for an individual team to 25,000 members! This new increase allows you to easily communicate and collaborate with larger-sized teams!

Out of Office Status

You can now schedule an Out of Office status within Teams! No need to update your Outlook calendar too, as automatic replies will be updated there accordingly!

Image provided by Microsoft

History Menu in Teams

You can now quickly and easily get back to areas you’ve recently been to in Teams by hovering over the Back Arrow < or Forward Arrow > located to the left of the search bar. The history menu will list up to the last 12 areas you’ve visited and can include activities, channels, conversations, tabs, files, apps, and more!

Image provided by Microsoft

Management Updates

Restricting Windows and Mac managed device sign-in to specific tenants

With this latest update, administrators now have the ability to set device policies for Windows and macOS that restrict sign-in to your organization. The policies can be set via device management solutions like MDM or via GPO. Once applied, users will only be able to sign in with accounts homed in an Azure AD tenant that is included in the “Tenant Allow List” defined in the policy. For example, we have a user named Adele that is using a company-issued laptop. Adele is doing some consulting work for an organization called Contoso that has given her an account in their tenant. If Adele tries to log into Contoso’s tenant from her company-issued laptop with the account they provided her, she will be blocked from doing so. As an added note, this can be used to configure access to personal accounts as well! You can learn more about this new feature here.

Assign Policy Packages to Groups in TAC

Microsoft is making it even easier to push out policy packages to users by giving admins the ability to assign the policy packages to groups! Learn more about it here!

Image provided by Microsoft

Team Creation Alignment

In the past, a team’s creation would differ slightly depending on where you created the team (Teams Admin Center vs Teams client). Microsoft has now aligned the team creation process experience so now all teams will have the same look and feel regardless of which interface you created the team.

Security and Compliance Updates

Sensitivity Label Display

Microsoft has made some tweaks to how sensitivity labels are shown in a team. Now the channel headers will only display the parent label instead of showing the child label (if one exists). So let’s say we had a parent label entitled “Confidential” and a child label of “TOP SECRET”. In this scenario, Teams would only display the “Confidential” label in the channel header since this is the parent label.

That just about wraps up all of the biggest updates around Microsoft Teams for the past two months! If you’d like to get the full breakdown of the new features that Microsoft announced, you can check out the official blog post here. I hope you’ve found this helpful, and I encourage you to check back shortly for more Teams related updates!

]]>

How to control sensitive data on unmanaged devices with MCAS (Part 2 of 2)

Mon, 22 Mar 2021 14:52:32 +0000

Welcome back! Last time we talked about controlling file downloads of sensitive content by using a session policy in MCAS. This time we’ll take things a step further and show you how to restrict specific activities like cut/copy, paste, and printing! If you are joining us for the first time, I encourage you to check out the first blog for a quick rundown of our scenario. Without further ado let’s jump back into things!

Scenario Recap

In the first blog, we outlined a scenario where our user Megan B. was attempting to download an Excel file that contained sensitive information from her personal laptop. Without proper protection in place, Megan B. would have the ability to easily download any content to her personal device which could result in sensitive information leaving your organization for good. However, once we implemented the proper session policy in MCAS, we were able to look for files that contained sensitive information (in our case SSNs) and block anyone on an unmanaged device from downloading the file.

Blocking Cut/Copy and Printing in MCAS

In this blog, we’re going to change things up a bit and instead of only blocking downloads we’re going to create another session policy to block cut/copy, paste, and print activities of sensitive data on an unmanaged device. To create the session policy, we’ll do the following:

Navigate to portal.cloudappsecurity.com
On the left-hand side, find the Control drop-down and select Policies
Find Create Policy drop-down and select Session Policy
On the “Create session policy” page, select the Policy template drop-down and choose the Block cut/copy and paste based on real-time content inspection
Select Apply template
Find Session Control Type and in the drop-down to select the type of control you want to enable, select Block Activities.
Under Activity Source we’ll choose the corresponding filters that we want to match on. First, we’ll choose our activity type which will equal Print, Cut/Copy item, and Paste item. In addition, we’ll want to find all devices that aren’t Intune compliant nor hybrid Azure AD joined. Lastly, we’re only going to look at Teams, Exchange, and SharePoint Online for our apps. Once all of those filters have been configured, it should look similar to this:
We can take things a step further by using content inspection. This can include text matches for preset expressions (i.e. PII: Social Security Numbers) or custom expressions. You also have the ability to exclude text that matches a regular expression. For our use case, we’re going to select one of the preset expressions and choose US: PII: Social Security Number.
Next, we’ll configure our actions, and as mentioned we’re going to select Block. You can also have the user notified via email when the block occurs and customize the block message to your liking.
Last but not least, you’ll set your alert limit. The default will be 5 daily alerts, but this can be increased to as many as 1000 daily alerts! You can also send the alerts as an email to the email address of your choosing and/or send the alert via text message! If you’re even feeling wild enough, you can use Power Automate to send your alerts!

End-user experience

Now comes the fun part…testing! Just like with our last scenario, when Megan navigates to SharePoint Online she immediately sees a screen letting her know that her access to SharePoint Online is being monitored and that access will only be available from a web browser. Once she selects Continue to Microsoft SharePoint Online, she will be proxied through MCAS but from the end-users perspective, everything will look the exact same.

A good way to tell that this has successfully been forced through MCAS is by looking in the address bar once the page has loaded. You should see mcas.ms in the address.

Megan B. has now reached the SharePoint site from her personal laptop and proceeds to open the Excel file that contains several different SSNs.

Previously, Megan B. would be able to cut/copy, paste, or even print this file, in which case you could kiss that sensitive information goodbye as it just left your organization for good. However, with the new Session Policy in place, when Megan B. attempts to cut/copy, paste, or print this file on her personal/unmanaged device she will be blocked from doing this and will receive a pop-up informing her that the action was blocked by the organization’s security policy.

Attempting to Print: User Experience

Attempting to Cut or Copy: User Experience

Attempting to Paste SSN from Notepad into file: User Experience

As you can see, there are various ways that someone could try to exfiltrate sensitive information, but with MCAS we can stop many of these actions from ever occurring. I hope you have found this second blog as helpful as the first, and I hope you’ll check back shortly for more MCAS scenarios like this one!

]]>