Office 365

Gain access to former user’s OneDrive data

In most organizations, employees leave at some point, and in most cases you will want to secure their data (documents, email) and then transfer ownership to a manager or a new employee. Dumping the user's home directory and the contents of their hard drive is common practice, as is exporting their PST from Outlook or directly from Office 365's compliance center. Often overlooked is the content of the user's OneDrive.

OneDrive for Business may have been used not only to store and share documents but also as an archive space by the employee. Note that OneDrive lets the user keep its contents synced to their computer or keep them in the cloud only, so the traditional method of backing up the computer may not capture everything.

I suggest taking the following steps to gain access and download the contents:

  1. Sign in to Office 365 with your admin account – Account having administrative privileges
  2. Go to the Office 365 admin center.
  3. Go to Active users and select the user.
  4. Expand OneDrive Settings in the user details pane, and then click Access files.
  5. Copy the files to your own OneDrive for Business or a common location.

Note:

  • If you only remove a user’s license but don’t delete the account, the content in the user’s OneDrive remains accessible to you, even after 30 days, by default.
  • Before you delete the account, move the content of their OneDrive to another location that is easy for you to access. If you have already deleted the account, you have 30 days to restore it.

If the account license has been removed, then the following steps can be used:

  1. Sign in to Office 365 with your admin account – Account having administrative privileges
  2. Go to the Office 365 admin center.
  3. Go to SharePoint.
  4. In the SharePoint admin center, select ‘user profiles’.
  5. Select manage user profiles
  6. Enter the former user’s account name under Find. Note: you may have to switch from Active Profiles to Profiles Missing from Import.
  7. Choose the account, click the small (easily missed) black arrow and select Manage site collection owners to add your admin account to the site collection administrators.
  8. Once added as a site collection owner, choose Manage personal site to open the settings page of that user’s OneDrive for Business site.
  9. Change “setting.aspx” at the end of the URL to “onedrive.aspx”.

You should now be in the user’s OneDrive folder and able to view its contents.
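The same access grant can be scripted from the SharePoint Online Management Shell, which is handy when several leavers need processing at once. The following is an added example, not code from the original post or from Microsoft: it replaces steps 6 to 8 above. The tenant name contoso and the account names are placeholders; Connect-SPOService, Get-SPOSite, Set-SPOUser and Get-SPOUser are real cmdlets of that module, and the personal-site URL pattern (the UPN with “@” and “.” replaced by “_”) is the usual OneDrive for Business layout, which the script confirms by looking the site up before changing anything.

```powershell
# Added example (not from the original post): grant an admin access to a former user's
# OneDrive via the SharePoint Online Management Shell. Placeholders: tenant "contoso" and
# the two account names. Connect-SPOService, Get-SPOSite, Set-SPOUser and Get-SPOUser
# are real cmdlets of that module.

# Derive the personal-site path segment SharePoint uses for a UPN:
# "jsmith@contoso.com" -> "jsmith_contoso_com"
function ConvertTo-OneDrivePathSegment {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    return ($UserPrincipalName -replace '[@.]', '_')
}

function Grant-FormerUserOneDriveAccess {
    param(
        [Parameter(Mandatory)][string]$Tenant,          # e.g. "contoso" (placeholder)
        [Parameter(Mandatory)][string]$FormerUserUpn,   # the leaver
        [Parameter(Mandatory)][string]$AdminUpn         # account that needs access
    )
    $segment = ConvertTo-OneDrivePathSegment $FormerUserUpn
    $siteUrl = "https://${Tenant}-my.sharepoint.com/personal/$segment"

    # Confirm the OneDrive site exists before touching permissions; a user who never
    # opened OneDrive has no personal site to grant access to.
    try {
        $null = Get-SPOSite -Identity $siteUrl -ErrorAction Stop
    } catch {
        throw "No OneDrive site at $siteUrl : $($_.Exception.Message)"
    }

    # Same effect as 'Manage site collection owners' in the admin UI (step 7).
    $null = Set-SPOUser -Site $siteUrl -LoginName $AdminUpn -IsSiteCollectionAdmin $true

    # Verify the grant rather than assuming it, then hand back the URL from step 9.
    $user = Get-SPOUser -Site $siteUrl -LoginName $AdminUpn
    if (-not $user.IsSiteAdmin) { throw "Grant did not take effect for $AdminUpn on $siteUrl" }
    return "$siteUrl/_layouts/15/onedrive.aspx"
}

# Usage (placeholder values):
# Connect-SPOService -Url https://contoso-admin.sharepoint.com
# Grant-FormerUserOneDriveAccess -Tenant contoso -FormerUserUpn leaver@contoso.com -AdminUpn admin@contoso.com
#
# Once the files are copied, remove the grant again so the admin account does not keep
# standing access to the mailbox owner's data:
# Set-SPOUser -Site <siteUrl> -LoginName admin@contoso.com -IsSiteCollectionAdmin $false
```

The function returns the onedrive.aspx URL so the calling script (or the admin) can open the folder directly, and it revokes nothing on its own; the closing comment shows the matching revocation, which is worth running as soon as the copy is done.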

Phishing Attacks using Office 365 and SharePoint

The bad guys are at it once again and now have a new slick way of stealing your login credentials: sending you an email invitation to open a SharePoint document. The link takes you to an actual SharePoint page where you will see a OneDrive prompt.

This prompt will have an “Access Document” link in it – don’t click this link!

This link is malicious and will take you to a fake Office 365 login screen. Any credentials you enter here will be sent to the bad guys. Don’t be tricked.

Whenever you’re submitting login credentials to any site, make sure to check the URL of the page for accuracy. Also, remember to always hover over links to see where they are taking you.

Remember, Think Before You Click.

Here’s how the Phish / Scam attack works

  • You, the friendly Office 365 user, receive the malicious email. It often uses URGENT or ACTION REQUIRED to instill a sense of immediacy, and it contains a link to a SharePoint Online-based document.
  • The link directs to SharePoint. Attackers use true-to-form SharePoint Online URLs, which adds credibility and legitimacy to the email and link, since the user is being directed to a known-good hosting site.
  • You are then shown a OneDrive prompt. The SharePoint file impersonates a request to access a OneDrive file (again, a known cloud entity), with an “Access Document” hyperlink that is actually a malicious URL, as shown below.
  • You are then presented with an Office 365 login screen. Here is where the scam takes place: a very authentic-looking login page where the cybercriminals harvest the user’s credentials.

Here is an example of a phishing email:

Just some advice – Jermal
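The “check the URL” advice above comes down to one rule: only the host part of the address identifies the site. As an added example (not code from the original post), the helper below applies that rule to a link before anyone types Office 365 credentials into it. The allow-list holds real Microsoft sign-in hosts; the sample URLs are constructed for illustration and the lookalike domain is fictitious.

```powershell
# Added example (not from the original post): classify a link before trusting a sign-in page
# on it. The allow-list holds real Microsoft sign-in hosts; the sample URLs below are
# constructed for illustration and the lookalike domain is fictitious.
function Test-MicrosoftSignInUrl {
    param([Parameter(Mandatory)][string]$Url)

    $trustedHosts = @('login.microsoftonline.com', 'login.microsoft.com', 'login.live.com')

    $uri = $null
    if (-not [System.Uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref]$uri)) {
        return [pscustomobject]@{ Url = $Url; Host = $null; Verdict = 'Unparseable URL' }
    }

    # Only the host part identifies the site. A trusted name appearing in the path, the
    # query string, or as the first labels of a longer, different domain proves nothing.
    $hostName = $uri.Host.ToLowerInvariant()
    $isTrusted = @($trustedHosts | Where-Object { $hostName -eq $_ -or $hostName.EndsWith(".$_") }).Count -gt 0
    $mentionsTrusted = @($trustedHosts | Where-Object { $Url.ToLowerInvariant().Contains($_) }).Count -gt 0

    $verdict = if ($uri.Scheme -ne 'https') { 'Suspicious: sign-in page not served over HTTPS' }
               elseif ($isTrusted)           { 'Trusted Microsoft sign-in host' }
               elseif ($mentionsTrusted)     { 'Suspicious: Microsoft sign-in name used outside the host part (lookalike)' }
               else                          { 'Not a Microsoft sign-in host; do not enter Office 365 credentials here' }

    [pscustomobject]@{ Url = $Url; Host = $hostName; Verdict = $verdict }
}

# Constructed sample links: the real sign-in host, a SharePoint document link like the one in
# the scenario above (a legitimate host, but not a place to type credentials), a lookalike
# that merely starts with the trusted name, and a plain-HTTP variant.
$samples = @(
    'https://login.microsoftonline.com/common/oauth2/authorize',
    'https://contoso.sharepoint.com/sites/Docs/Shared%20Documents/Invoice.pdf',
    'https://login.microsoftonline.com.example-phish.test/office365/login',
    'http://login.microsoftonline.com/'
)
$samples | ForEach-Object { Test-MicrosoftSignInUrl -Url $_ } | Format-Table -AutoSize
```

The point the third sample makes is the one users most often miss: a hostname that begins with login.microsoftonline.com but continues with further labels belongs to whoever registered the last two labels, not to Microsoft.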

Configure preferred geo data location in Office 365

GDPR had me thinking about Multi-Geo in Office 365

By default, Office 365 resources for your users are located in the same geo as your Azure AD tenant. So if your tenant is located in North America, the users’ Exchange mailboxes and OneDrive content are also located in North America. For a multinational organization this might not be optimal, for various reasons.

Reasons such as:

  • Performance
  • Data residency requirements for data at rest

Multi-Geo enables a single Office 365 tenant to span multiple Office 365 data-center geographies (geos) and gives customers the ability to store their Exchange and OneDrive data, at rest, on a per-user basis, in their chosen geos.

By setting the attribute preferredDataLocation, you define a user’s geo.

A list of all geos for Office 365 can be found at https://products.office.com/en-us/where-is-your-data-located?geo=All

These values can be set in your Office 365 tenant via PowerShell or Azure AD Connect.

In PowerShell:

# Connect to Office 365 - by Jermal Smith (@jermsmit)
Set-ExecutionPolicy RemoteSigned
# Get-Credential - you will be asked for a username / password
$credential = Get-Credential
# Import the MSOnline module (if this step fails, run Install-Module MsOnline first)
Import-Module MsOnline
# Connect to MsolService using the supplied credentials
Connect-MsolService -Credential $credential

Then use the command Set-MsolCompanyAllowedDataLocation, followed by the service type and the location.

Ref: https://docs.microsoft.com/en-us/powershell/module/msonline/set-msolcompanyalloweddatalocation?view=azureadps-1.0

After you have assigned data locations, you can set a user to a location by issuing a command like the following example:

Set-MsolUser -UserPrincipalName jsmith@jermsmit.com -PreferredDataLocation EUR

Then confirming with:

Get-MsolUser -UserPrincipalName jsmith@jermsmit.com | Select PreferredDataLocation

The above works well for new users, but for existing users you will need to trigger a migration of their content with the following command:

Start-SPOUserAndContentMove -UserPrincipalName jsmith@jermsmit.com -DestinationDataLocation EUR

Ref: https://docs.microsoft.com/en-us/powershell/module/sharepoint-online/start-spouserandcontentmove?view=sharepoint-ps
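The steps above (allow the location, set the user’s attribute, confirm it, then move existing content) are assembled below into one script for a list of users. This is an added example, not code from the original post or from Microsoft. It assumes an existing Connect-MsolService session (as set up earlier) and a Connect-SPOService session for the SharePoint cmdlets; the user list and the contoso tenant are constructed placeholders. Beyond the cmdlets named in the post it uses Get-MsolCompanyAllowedDataLocation, which lists the locations the tenant has been allowed, and Get-SPOUserAndContentMoveState, which reports the asynchronous move.

```powershell
# Added example (not from the original post): apply Multi-Geo data locations to a list of
# users, checking each requested location against what the tenant actually allows before
# changing anything. Requires the MSOnline and SharePoint Online modules with active
# Connect-MsolService / Connect-SPOService sessions. The assignments below are constructed.

# Constructed input: who should live where. Location codes come from the geo list linked above.
$assignments = @(
    [pscustomobject]@{ UserPrincipalName = 'jsmith@contoso.com'; Location = 'EUR' },
    [pscustomobject]@{ UserPrincipalName = 'akumar@contoso.com'; Location = 'APC' }
)

function Set-UserGeo {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$Location,
        [switch]$MoveExistingContent
    )

    # Only locations added with Set-MsolCompanyAllowedDataLocation can be assigned to users.
    $allowed = Get-MsolCompanyAllowedDataLocation | Select-Object -ExpandProperty Location -Unique
    if ($allowed -notcontains $Location) {
        throw "Location '$Location' is not an allowed data location for this tenant. Allowed: $($allowed -join ', ')"
    }

    $before = (Get-MsolUser -UserPrincipalName $UserPrincipalName).PreferredDataLocation
    if ($before -eq $Location) {
        Write-Output "$UserPrincipalName is already set to $Location; nothing to do."
        return
    }

    Set-MsolUser -UserPrincipalName $UserPrincipalName -PreferredDataLocation $Location

    # Confirm the attribute took effect before touching any content.
    $after = (Get-MsolUser -UserPrincipalName $UserPrincipalName).PreferredDataLocation
    if ($after -ne $Location) {
        throw "PreferredDataLocation for $UserPrincipalName is '$after', expected '$Location'"
    }
    Write-Output "$UserPrincipalName : PreferredDataLocation $before -> $after"

    # New users stop here; existing users also need their OneDrive moved to the new geo.
    if ($MoveExistingContent) {
        Start-SPOUserAndContentMove -UserPrincipalName $UserPrincipalName -DestinationDataLocation $Location
        # The move runs asynchronously; report its state instead of assuming it finished.
        Get-SPOUserAndContentMoveState -UserPrincipalName $UserPrincipalName
    }
}

foreach ($a in $assignments) {
    Set-UserGeo -UserPrincipalName $a.UserPrincipalName -Location $a.Location -MoveExistingContent
}
```

Checking the requested code against Get-MsolCompanyAllowedDataLocation first keeps a typo in the input list from failing halfway through, and re-reading PreferredDataLocation after the change catches the case where the attribute is being sourced from on-premises Active Directory through Azure AD Connect and the cloud-side write does not stick.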

Lastly, “To be eligible for Multi-Geo, you must have at least 5,000 seats in your Office 365 subscription.” As this is just being released, I am confident more information will be known soon.

Blank Screen at Office 365 Login Page

I am unsure what is going on with the Office 365 infrastructure, but I have been having major issues all morning getting into my portal to manage resources. I’ve tried multiple browsers without any resolution.

https://portal.office.com/adminportal/home shows only a blank page.

Down Detector is showing an increased number of users reporting incidents.

Ref: http://downdetector.com/status/office-365

Is anyone else having this same issue?

Office 365: Use Content Search to delete unwanted Emails from Organization

As an admin you can use Content search, located under Security & Compliance, to search for and delete email messages from selected mailboxes or all mailboxes in your organization. This is particularly useful to remove high-risk emails such as:

  • Messages that contain sensitive data
  • Messages that were sent in error
  • Messages that contain malware or viruses
  • Phishing messages

To start the process, we begin with creating a content search:

  1. Log into your Office 365 protection center – https://protection.office.com
  2. Click on Search & investigation, then select Content search
  3. From Content search click on the “New” Icon
  4. Enter a name for this search job
  5. Select either specific mailboxes or “all mailboxes”
  6. Select “Search all sites”, public folders are an option depending on your search criteria
  7. Click Next
  8. Enter keywords to search for, or leave blank to search all content
  9. Add Conditions – In my example I am looking for a subject (ex. Microsoft account unusual sign-in activity)
  10. Click Search

The search will start and results will be displayed in the right pane.

When it completes, you can preview the results and export them to your computer as a report.

Now that you have generated a search, you can move on to deleting the content you searched for.

To do this, we need to connect to the Security & Compliance Center using remote PowerShell:

$UserCredential = Get-Credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid -Credential $UserCredential -Authentication Basic -AllowRedirection

Import-PSSession $Session -AllowClobber -DisableNameChecking

$Host.UI.RawUI.WindowTitle = $UserCredential.UserName + " (Office 365 Security & Compliance Center)"

Once successfully authenticated and connected to the compliance center, you can create a new action to delete the items found by the previous search. This is done with a command like the following, where the search name is the one you gave the search job:

New-ComplianceSearchAction -SearchName "Phishing" -Purge -PurgeType SoftDelete

A SoftDelete purge moves the messages to the Recoverable Items folder, where the user can still recover them; use -PurgeType HardDelete to mark them for permanent removal. Note that a purge action removes at most 10 items per mailbox per run, so a heavily hit mailbox may need the action repeated.

Putting it all together in one session (here against a search job named for a different subject line):

$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session

New-ComplianceSearchAction -SearchName "RE: Account Confirmation" -Purge -PurgeType SoftDelete
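The UI steps above create the search and the PowerShell step purges its results; the two can also be driven entirely from the compliance PowerShell session opened earlier. The following is an added example, not code from the original post or from Microsoft. It adds two checks the manual flow leaves to the operator: it waits for the search to reach Completed, and it looks at the hit count before issuing a purge. The subject text is the one used in the search example above; the search name is a placeholder. New-ComplianceSearch, Start-ComplianceSearch, Get-ComplianceSearch and Get-ComplianceSearchAction are existing Security & Compliance Center cmdlets.

```powershell
# Added example (not from the original post): search all mailboxes for a subject line and
# purge the hits, with guards. Assumes the Security & Compliance remote session from the
# post is already imported. The search name is a placeholder; the subject is the one used
# in the post's search example.
function Remove-PhishingMessages {
    param(
        [Parameter(Mandatory)][string]$SearchName,
        [Parameter(Mandatory)][string]$Subject,
        [ValidateSet('SoftDelete', 'HardDelete')][string]$PurgeType = 'SoftDelete',
        [int]$TimeoutMinutes = 30
    )

    # KQL query: exact subject match, scoped to every Exchange mailbox in the tenant.
    $query = 'subject:"{0}"' -f $Subject
    $null = New-ComplianceSearch -Name $SearchName -ExchangeLocation All -ContentMatchQuery $query
    Start-ComplianceSearch -Identity $SearchName

    # Searches run asynchronously; poll until Status is Completed or the timeout passes.
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds 15
        $search = Get-ComplianceSearch -Identity $SearchName
    } until ($search.Status -eq 'Completed' -or (Get-Date) -gt $deadline)

    if ($search.Status -ne 'Completed') {
        throw "Search '$SearchName' did not complete in time (status: $($search.Status))"
    }
    if ($search.Items -eq 0) {
        Write-Output "Search '$SearchName' matched nothing; no purge issued."
        return $search
    }

    # Review the count before acting. A purge removes at most 10 items per mailbox per run,
    # so a mailbox with more hits needs the action repeated.
    Write-Output ("{0} item(s) matched by '{1}'; purging with {2}" -f $search.Items, $SearchName, $PurgeType)
    $null = New-ComplianceSearchAction -SearchName $SearchName -Purge -PurgeType $PurgeType -Confirm:$false

    # The purge action is named "<search name>_Purge"; return it so the caller can see its status.
    Get-ComplianceSearchAction -Identity "${SearchName}_Purge"
}

# Usage (placeholder search name; subject from the search example above):
# Remove-PhishingMessages -SearchName 'Phish-UnusualSignIn' -Subject 'Microsoft account unusual sign-in activity'
```

Leaving the default at SoftDelete keeps the messages recoverable if the query turns out to be broader than intended; switch to HardDelete only after the preview and the hit count confirm the search matches just the unwanted mail.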