
2024 Security BSides // Doug Hislop

BSides Cayman Islands, 45:35, published 2025-01

Transcript (English)

here thanks so much good morning everybody uh all right so we are going to talk about Microsoft 365 um so there's some thing Parts about 365 that I we feel like in our practice tend to be a little bit surprising a little bit confusing and uh and some settings that we feel like people should be aware of before we really get started I do I like to know sort of who's in the audience and who I'm talking to I know this is the technical track but I do want to get a feel for kind of who's in the audience uh for those that I can see the the old like raise your hand if feels like a real binary choice to me so

we're going to make it a little more complicated and confusing which is the theme of the talk so let's do let's do thumbs up yes and thumbs down no and then it's complicated uh oh sorry let me grab the clear so let's do let's do uh yes no and it's complicated um and so let let's see who's in the room so who was born and raised here in Cayman all right so quite quite a bit yeah I love that percentage we we've been on the island since Friday and really only run into a couple few that I've actually met and gotten to speak to her born and raised here so fantastic thanks for being here thanks for welcome

welcoming us uh here to kman it's been a real pleasure to be here all right let's let's get a feel for how the room breaks down even though this is the technical track who's who's Hands-On managing a 365 environment and is responsible like Hands-On keyboard setting settings yes no complicated haven't figured it out yet okay so some yeses NOS good mixed crowd okay who's indirect responsible for 365 security maybe you run your organization security program and someone on the team's 365 or you you have a a vendor who does it for you but who's again if you're able to show a hands here or show fingers thumbs who's indirectly responsible for that security and it's

complicated it's always complicated isn't it so that's a lot of complicated in there all right to go with the theme of surprising and complicated a quick story about this thumbs up thumbs down thing so I think the movie Gladiator maybe maybe popularize the the thumbs up this let them live kind of thing thumbs down killed the gladiator who lost in battle re researchers actually think that the thumb represents a sword and so this was Kill The Gladiator with the sword so the opposite of what you would think and they would they would hide their thumb like this to mean show Mercy spare the Gladiator so even something as simple that we take for granted of you know yes

no good bad uh has some history and some complication to it and that sort of fits in the theme Here of um complicated or maybe surprising and and less than straightforward settings in 365 all right so what we're going to do primarily is we're going to go through five configuration options in 365 they're a little bit surprising certainly counter to least privilege and may not be what you want for your organization before we get into that I do want to set the context and the scope a little bit so I I do want to hit two things I want to put what I'm going to talk about in the context of your security program where it fits into a

more holistic security program and then we'll get into sort of the size and scope of the issue that we're dealing with in terms of 365 configuration uh and then and see where we go from there first a little bit and this is not meant to pick on foret this is not meant to be a big fud slide this is just meant to point out that if you pay attention to some of the security news that's out there you will pick up on loss of data breaches compromises that happen in 365 on a fairly regular basis and cost companies significant amounts of money and so thinking that you as an organization can drop into 365 and start using the whole Suite of apps

and services without a significant amount of thought and force thought in security configuration settings is a little naive because bad things do happen uh I was not able to attend the workshop yesterday morning but for those who attended the workshop yesterday morning there was a 365 and kind of hacking and and getting access to 365 so shout out to that I heard it was fantastic um but certainly sheds more light on the fact that 365 is a common attack Vector all right before we get in the rest of this quick introduction uh and thank you for the introduction before I started to speak Doug hop worked for area we are a fullservice cyber security firm out of uh Charleston South Carolina

so I'm from the states I'm joined here by Scott Thomas who's also with sataria uh I'm primarily on the advisory vciso and Cloud security side Scott manages our offensive security team and we provide whole host Services have a table out there if you want to talk to us that'd be fantastic um I do scuba dive I've got scuba diver up there just because it seemed pretty appropriate for Grand came in so uh I was able to get I think eight or nine Dives in since we landed to to today so we're doing pretty good the weather did not prohibit what we were what we were hoping to accomplish um I tried to I'm not a normal presenter I

don't do this like for a living I don't go around I don't do business development but I was I looked up when I did my first security presentation and honestly it was so long ago I couldn't quite pin the date but it was either 2000 or 2008 and it was about uh Unix security so um I I'm I'm not a natural presenter but I do uh I do enjoy it and have done a couple all right so to put this in context I thought it might be safe to talk about nist uh since there is a bit of a nist focus in presence here on the island and so to put this in the nist security program context we're

really here on the identify and protect side this isn't like uh like vulnerability management or pen testing and that offensive security uh it's not really in that detect even though we're going to talk about logging a little bit this is a bit up front let's identify the scope in the context of what it is we're trying to protect and then let's put pieces proactively in place to protect those and so those fit in here and and straight from uh CSF there's some implementation examples that talk about hardened Baseline so not to overdo the thumb thing but let me pull the group a little bit for for baselines uh how many organizations that are represented in in the room are pretty

good about vulnerability scanning and Patch management like who's patching your stuff and keeping on top of vulnerabilities give us like a yeah where's the where we sit with that yeah hold them up so I all right so not not bad I mean that you kind of in trouble if you're not covering some of the basics there vulnerabilities and patches how about secure baselines every time you roll a piece of equipment out into service and you go from provisioning to production whether that's production on a user's lap or whether it's production in the cloud or a data center you've got a secure Baseline a configuration you're applying that you know you have thought about and configured to meet your

organizational security objectives how many you're doing Baseline configuration okay some thumbs up that's not bad I mean normally we we find that that ends up being like step four fors but that's pretty good pretty good all right that's that's really the world that we're talking about is a lot of organizations are either thinking about moving into 365 much in the states for our environment have or organizations are looking to retroactively configure and get serious about their 365 configuration and so we think about this is uh secure configurations and what we'll get to in a minute what you'll see on some of the slides when we cover the items is that we reference some CIS benchmarks so CIS is a fantastic

resource for security bench all right one more th thing who's who's heard of CIS and understand CIS benchmarks okay fantastic CIS Benchmark 4 365 most of the items we cover have a benchmark recommendation that Associates with them and so we'll take a look at them and so that's where we are in the security program context and where all this fits in all right now the size and the scope of the problem so here's this is not meant to be read this is a bit of an ey chart and it's it's on purpose this as of probably for four or five weeks ago was the list of apps and services and 365 just off the Microsoft

apps and services page and so some of the items on here the big hitters like exchange and team SharePoint one drive tons of functionality lots of configurability and then you have the entire Defender Suite of everything which is if it's security related it's called Defender now and you've got this whole world of Defender that you're trying to set up and configure if you're in the 365 space and so this is meant really just to represent that this is a large scope for organizations to try to cover if you're using these tools and you haven't thought about the security configuration uh there there's a lot to cover and a lot of ground to make up so

fairly large problem uh so now let's talk about I don't think we coin the term or anything but this pyramid of complexity where what you have here is this that Bottom Rung in the pyramid is the previous slide just the scope of what it is that we're trying to get our arms around and then for many of those like exchange online team share point1 Drive they've got a whole set of features that are built into that product you've got a bunch of feature coverage many of those configurable by the end user because Microsoft caters to five people accounting firms and global companies and they can't pre-configure everything right for everybody so you've got this whole set of configuration and

then on top of that pyramid of complexity is anything that you don't fully understand or misunderstand think you know but you don't actually know and all of these things combine into this uh fairly challenging problem of getting 365 security consistently right okay weird to stop in the middle but I want to see if there are any questions because this is the pivot point in the in the conversation where we go to the actual settings any questions any comments any feedback last chance okay here we go so uh given given the whole pyramid of complexity here we're going to step through five surprising counterintuitive maybe weird configuration choices that Microsoft is made by default what we think is wrong

with those what CIS thinks is wrong with those and then what should be configured instead so the first one here is a entra ID or what was Azure active directory tenant which I think many people who haven't been in 365 for a while think of your entra ID or Azure active directory as the thing in 365 like that's the central corner piece and there is one of those and that's my tenant uh the relationship's a little bit more complicated I'm going to go I'm going to be risky I'm going to go forward and then come back so the relationship's a little more complicated there is generally a one for one relationship between uh the ENT tenant and your

subscription and a bunch of other information uh and there is one relationship at a time but that does not mean that you can't have additional or create new Entre ID tenants and so uh back to the surprising Point here what this feature is is normal users can create these tenants so not only can you create additional Entre ID tenants but non-privileged users can create those uh and and oh wow sorry about that so so this relationship while it is true when the Microsoft documentation is correct there is actually a little bit more to it so in the ENT ID portal or in the Azure portal you can create new tenants the weird part here for us is that

non-privileged users not only have access to the portal that's kind of the weird side effect here but in the portal they can create new tenants in and of itself that's not necessarily a huge problem there's some really weird behavior that users can get involved with with exporting and importing billing information and transferring some contact stuff but it it's not like creating a new tenant automatically means that the user who created the new tenant has control over your entire environment they they don't but it is a little bit weird that normal non-privileged users can access the Azure portal and create new Entre tenants while they're there and so that's any authenticated user so an authenticated user in your environment

get in the portal create a tenant now I have one and again there's some it's not like a secret back door or anything but there's some really weird behavior that they can then invoke with uh billing and subscription exports and imports uh which can lead to eventually taking over billing um so that's weird so what should be configured because that's a little bit surprising that Sue is there I hope there's no Sue's in the room because I'll probably say sue a lot Sue in accounting can can create new tenants which is weird so what should be configured and there is a setting for this is that in your 365 configuration or in your in your entra settings you

should go in and set it up so that that is restricted that non-admin users cannot create these tenants um and so what that means is there's a tenant Creator role and there's Global admin most people are familiar with global admin most people haven't fooled with tenant Creator if you're in an organization where there are people who need to create entri tenants but they don't need to be Global admin you can assign them tenant Creator role and then they're those are the people who can create tenants once you uh flip the switch we'll see it on the next slide and so there's also something that you can configure that's a little bit too too left a field to cover in this

talk which is these Azure subscription policies so because creating new tenants can lead to weird Behavior about how subscriptions are managed and billing information is done you can create subscription policies that restrict all all that so you get a little bit of a belt and suspenders approach where you can restrict who can create tenants and you can restrict what happens with your subscriptions through policies and we obviously recommend that you do both uh so on some of these settings there's going to be we'll hit a screenshot here in a second but there's also going to be Powershell so there's some Powershell Snippets where you can run this against your tenant with the appropriate privileges and essentially set this uh

flip this configuration setting to what we would expect would be normal and expected by organization so the Powershell and the slides will show up in the Shaded area all right and so here's the setting that is uh in the entra admin Center which is restrict non-admin users from creating tenants unless you're in a really interesting situation you you do not want users creating these so you might as well flip that switch you're probably safe doing it there is an Associated benchmark um there is an Associated Benchmark here so those familiar with the CIS benchmarks uh they're essentially broken down into sections the documents are very structured so recommendation 523 here is that you want to restrict

non-admin users from creating tenants and make sure that that is set to yes so uh and then finally the impact of the change we covered it a little bit once you flip that switch then only people with global admin and only people with tenant creator that group that set of people that that's who can create these tenants and we find that's almost exclusively what you want okay there's one all right second one exchange online Powershell so another one that's a little bit surprising and and counterintuitive for least privilege is the fact that users and all users who have access to mailboxes whether it's their mailbox a mailbox they have delegated access to or audit access to have the ability to

access those mailboxes with exchange online Powershell so exch think of exchange online Powershell as a a very handy Powershell module that allows user to do pretty much anything they can do through an email client or through uh administrative panels and so uh it's it's a significant way to automate access to mailboxes whether that's configuration settings or sending sending emails for example or handling emails that are received through rules it's it's an easy way to automate that so what we find is attacker standard business email compromise you end up compromising a mailbox what do you want to do you want to move as quickly as possible most of them are Smash and grab operations and what you'd love to do is

send out thousands of emails as fast as you can and you'd like to put some rules in place to make sure that you're covering tracks a little bit and and not being quite as visible to users as you would expect and so now uh because all users have by default access to their mobbox to exchange online Powershell me the thread actor can have a nice set of scripts that I'm running through and automating all of that work and and moving through the environment very quickly all right so that is uh what's surprising here is the surprise that encountered to leas privilege is that assuming all users Sue an accounting needs Powershell access to her mailbox

which she doesn't uh certainly counter thease privilege and then it's it's the users's mailbox and any other mailbox that they have access to again through delegated rights or uh through audit capabilities so tax surface uh quick data xfill convenient it's not exchange online P shell is not the only way to perform this but it is a very convenient way a simple way and you you might as well close the door to the Microsoft provided automation for dealing with mailboxes and so uh you can do all the automated in so what should be configured there's a little bit of Powershell here for this uh there's two options one for on Prem and Cloud one for cloud only and this uh gives you the

ability per mailbox so this is uh you can see it's based on setting the user configuration but per per mailbox turning off the capability to access the mailbox through exchange online Powershell which again is just most of the time what you're going to want you can put users in groups I mean can do all the normal kind of administrative shortcut so if you've got a group of users who need that access you can segregate them in another group plow through a whole set of other users it'd be good to set this up in your user provisioning process make sure that you have all that set all right the CIS Benchmark uh if somebody knows better we did not find

one we don't have a CIS Benchmark related to this one we feel like there should be one and maybe there will be one in 3.2 but as of the 3.1 version uh we're not seeing that again this is not the only way to autom attack against BC compromised mailboxes but it's certainly a handy one that you'd want to shut down all right so when this change gets made what happens is you've you've reduced your attack surface and then uh users who only users who you have allowed it have access to their mailbox to exchange online poers shell and then uh we would say that if you're in a particularly large organization where there's some automation going on and and

you've got some integration built or something like that you're going to want to take this change through a whole change management process and not just get the wild hair one night to shut it down on on mxes because you you could certainly break something so definitely use uh your change management process which I hope everyone has maybe we're not going to do the thumb just think in your head do I have a thumbs up for my change management all right uh next one Enterprise applications so we all right we'll do the thumb thing one more time I promise last time I don't promise uh how many how many people are very familiar with ex Enterprise applications how they work in

365 what the connection here is all right so all right I'll okay I'll I'll explain a little bit of it so essentially in a cloud environment where you want to create these Integrations let's let's take something like a zoom I want to give Zoom access to my calendar the way that I'm going to do do that is I'm going to consent through a process that's probably based on some standards uh oo or other standards and I'm going to consent that application now has permissions that I've granted to read my mailbox or or read my calendar and maybe put items on my calendar so if I'm scheduling through Zoom now it can reflect it on my calendar it can see if

my calendar's busy and allow somebody to book onto my calendar it's what provides all that visibility so so uh that that essentially is it it they can be more user based so a user granting access to their calendar it certainly can be enterprise-based where administrators are granting consent to Enterprise features uh maybe like a integrating mcast or Barracuda with your exchange online and that's going to happen at an administrator level but that essentially is the way that we're giving permissions in and out of tenants so that thirdparty applications or or external applications can can speak to each other other and so uh and users can for a set of these users can can provide that

access all right so here's what happens when you're going through the consent I'm I'm reasonably sure all of us have seen these types of dialogues where I want to connect Zoom or I want to connect this be best practices demo to something in my environment or at least know who I am and I get a popup that says hey you're going to allow this access to your environment and then there's a bunch of uh kind of let me zoom in a little bit there's a bunch of little kind of points here that you would want to pay attention to when you're granting this consent I I have to be honest when I put this slide in there

it reminded me of a fishing training slide which fishing training is great and everybody should do fishing training but fishing training is not 100% right we still have a bunch of business email compromise because users click links and getting users to understand all of of the things that they want to pay attention to on a consent dialogue is maybe useful but probably a bit feudal right you just don't want users granting access into their ten into your tenant that you're trying to manage uh particularly for permissions that you're not interested in them granting so while while you can help users understand what they're doing the best practices is not to do that when users consent to

dialogues like this they end up with some you end up with something in your 360 5 configuration which is your application in your Enterprise applications list and here's a a Microsoft example from some of their documentation and so you can see that this has happened you can see who has consented to what but at that point the horse has already left the barn or whatever that saying is and that these are already configured in your environment this is a great list to review periodically just to kind of double check what's going on uh but those are certainly applications already in the environment so the surprising part is here by default users can just consent to stuff um yeah I can I can let

this application read everything I have access to and SharePoint I can let this application have access to all my team's contacts or my calendar my email box whatever that is and so users who are maybe naively PR providing that consent granting that access are potentially allowing access into your tenant that you're not interested in and then maybe this is maybe this is super loose but it's kind the cloud equivalent of letting users install software on their desktop it's just not the practice to do anymore uh and so it certainly leads to data loss certain consent can enable the attacker to have a better foothold in uh bypass MFA which you clearly don't want uh MFA providing

a significant amount of protection and coverage so Grant all right the point here Grant granting users access to consent to these applications is just a bad idea all right so what should be configured there's a couple things number one um Microsoft has created and it's been in place for quite a while now the entire admin consent workflow which essentially is I want the users to have the convenience of being able to request granting access but I want to drop it into a workflow where administrators have to review and approve or deny that and so that's all baked into 365 it's part of the ad administrator consent workflow and it gives you the ability for instead of creating tickets and

tracking a bunch of stuff out of band for users to be able to click through and then and then you're working those requests um so consenting there's there's two sides to this there's what the user capability is and that's this uh screenshot here and then next we'll pivot to what the administrator the backend consent approval process looks like on the front side what you allow users to do is instead of the default which is allow users to consent for apps which is just kind of everything uh you can go two steps you can go to a step that says allow users to only consent to applications that are requesting a subset of permissions maybe read profile

and maintain profile data which really is just I I'm going to let the the app know who I am uh or you for your organization you might configure a few other permissions uh but generally that's a kind of high depending on the org maybe a high maintenance mode to do this you've got to keep up with what permissions you allowed and then users are consenting to apps that you may or may not want but maybe they fit the permission profile so you allow it um maybe not the optimal setting I don't know why I have it picked here on the screenshot but uh the other one is do not allow users to consent which seems a

little counterintuitive you're saying don't allow them to consent but I'm going to try to set up a an admin approval process so how do those play and the admin approval process which we'll see here in just a second is that for for any applications that a user does not have permission to consent provide their own consent for which would include that top option you've essentially blocked it but allowed this back door uh then they go into the admin consent workflow so if you check the top box and say users can't consent it means they can still get the dialogue they can still press the button saying I want to consent and it all drops into the admin consent

workflow um and then there's a set a set of options or screenshot at the end what this looks like but it's all baked into 365 and uh fairly convenient and understandable uh once you get it set up and have the the consent workflow in place all right the CIS Benchmark there is a CIS Benchmark for this and ensuring that that is enabled we think there's two parts right you can enable it without restricting users and you haven't really done anything because this only kicks in when the users can't do it themselves you need to do both sides you need to implement the consent workflow you need to restrict what users can consent to and those two things work hand inand

which is kind of the onew punch we found clients that have configured one and not the other they configure one and it bothers all their users they configure the other and it actually doesn't do anything and so you want to make sure you do both even though the Cs Benchmark really just talks about the consent workflow all right so when this happens users get the dialogue they press the button it actually gives them a dialogue that says this has gone into your administrator team for some sort of approval when administrators all the communic approve it or deny it all the communication happens and Microsoft has built that out uh so it work it works pretty well and then uh so the user kept

informed as to what their request status is okay and then administrators are working that on the backside if you've got a fairly large busy Dynamic environment you've got these requests coming in and you're working them through this consent request process which is again baked in and pretty simple all right odd stop for questions again any questions comments feedback last call number three all right email forwarding rules so um users can consent to email forwarding so what this allows user to do is go in and create rules in their inbox that allows them to forward internally or externally so any emails coming in or all emails coming in can be forwarded to an external mailbox uh and by default

there's no exchange transport rules or limitations on mailboxes that prevent this from happening for users and so by default out of the box even if you have secure defaults you've got uh you've got this capability uh it can be useful so to be fair there's are some organizations that need some mailboxes affing mail and that can make sense you just want to know which ones those are and which ones those aren't um so so the interesting part here the surprising part is that there are really no restrictions in place by default this can happen at multiple levels in multiple ways uh and that standard users have the ability to do this inside and outside the

organization. It's a super common attack path. We've worked IR cases where we're the MDR provider and we'll get a BEC, we'll start to work it, and there are inbox rules that block all email, or discard or delete all email from Soteria, so if we try to email the client... and it's like, that's super weird, but obviously the attacker understands their environment, so these rules get used all the time. There's a kicker here; I think it's on this slide, the bottom link here. Maybe for time we'll speed up, but this is maybe the interesting point: not only can users set up inbox rules, but through certain techniques you can hide those rules so they're not evident when you're looking at the mailbox. So you can not only create hidden rules, you can create hidden folders. Compass Security is the group that kind of surfaced this maybe a year or so ago, two years ago, and we see this being used, so you get mailbox attackers creating mailbox rules and hiding them. We happen to have a blog post that kind of built off what Compass Security put out there and provided some information to the community on how to detect those across your environment. It's probably a good scan to be doing.

All right, so back to email forwarding. The FBI has released, and I realize we're not in FBI territory here, but the FBI has released a Private Industry Notification that essentially just tries to communicate to the entire industry: these are being used by attackers all the time, you want to shut this down, you want to prevent this everywhere you can, and not assume that Sue in accounting needs to forward all her email out to a Gmail account. So what should be configured? There is no PowerShell that I have up on the slide for this, there are no screenshots, because mail transport rules and other things can be a little bit of a knotty problem sometimes. It depends on what third-party pieces you have in place, if any. But here are three particular links to very useful resources on how to set this up in a way that gives you sort of multi-level coverage in not allowing emails to just be forwarded out of your environment. And then obviously this is another one for change management, which is, if you have users who need the ability to forward, you need to pay attention to that and not break existing features and functionality in your environment. All right, so those are the useful links. CIS Benchmark: there is a benchmark for this, 6.2.1, which is ensure all forms of email forwarding are blocked or disabled, which is maybe a little cut and dried, a little binary there. You might want to again go through your change management, make sure that you're not breaking anything. And then the impact of the change: so when a user goes into their mailbox and sets up a rule it seems to work fine, but then when an email comes in and gets forwarded they actually get a non-deliverable on it, and they get a message back from Exchange Online that says that access was denied, you can't forward. So it's at least clear to them that what they tried to do is not allowed, and so they can either contact somebody for a legitimate reason or not, and give up on forwarding all their email to a Gmail account.

All right, next one, maybe the last one. I don't think it's the last one. All right, standard logs. So Microsoft did kind of the world and 365 users a favor last fall-ish, I think it was probably somewhere in that, yeah, fall 2023, where you've got different levels of audit log capability: the level that you get for free and the level that you pay for, and the level that you pay for was way better. And so obviously Microsoft's trying to balance revenue and functionality, but given some of their recent security problems, recent in the last 20 years, but given their really recent security problems they have, sorry, I'm not picking on them, we're a partner,

I'm not trying to pick on them. So given some recent security problems in 365 and Azure in particular, they tried to do a little bit better for users, and what they did was they came out with some changes for the standard tier and the premium tier, so the free tier included with your subscription, and then the high-pay tier, and they closed that gap a little bit. They did it with retention: they went from a default or standard or maximum 90-day to 180-day retention, and then they added quite a big collection of standard log sources that are available in the free tier, the included tier, now. And so they made that change. It was really good for the community, certainly for IR responders, forensics work, trying to figure out what happened in a cloud environment. People who are not paying for that premium tier are in a much better position, and so it certainly helps customers, and then gives you... so you drop into Purview, you do a bunch of searches, you just get a bunch more information now without having to pay an arm and a leg for it and go to like E5 licenses and a bunch of other stuff.

All right, so here's what's surprising about that change: they made this long list of log sources available, but they didn't enable all of them. They enabled a lot of them, and that was great, but they didn't enable all of them. And since Microsoft is footing the bill for compute and storage and everything else that comes with this, there's really no reason not to enable them all. We feel like you'd want to enable them all. Yeah, you get some noise, but search capability is fine, and noise is everywhere and we've kind of learned to deal with it. So it is a bit surprising that they're generally available but not enabled. There are some, like mailbox items, or mail items accessed, and Exchange Send, which are now included in the free tier, and that's fantastic, but Search Query Initiated Exchange is not enabled by default. And what's one of the first things attackers do when they get a BEC? They start combing through what's in the mailbox trying to find interesting information, and they do it with a bunch of search terms that are pretty recognizable and follow a pretty good pattern that you can pick up in MDR if you're looking at your 365 logs. But if you don't have it enabled, you don't have the visibility. And then here's the last surprising part: to enable this, it is a mailbox-by-mailbox setting. You cannot go into your tenant level and just say, hey, I'm going to turn on these logs for my tenant. You have to go through mailbox by mailbox, and again, with Microsoft footing the bill on compute and storage, I'm not sure why you wouldn't.

So what should be configured there? Because this is mailbox by mailbox, and you're trying to enable standard logs by name, and there's a giant list of standard logs, the PowerShell syntax is a little bit hairy, because you're providing these arrays of log names per mailbox. So you're plowing through mailboxes and setting the setting. There is a link at the bottom, something else that we try to provide for the community. This is a GitHub link, so you can go to GitHub, we've got some PowerShell out there that allows you to do a couple of things. It allows you to tie in with your provisioning process so that as new mailboxes get provisioned a runbook is executed and these settings get applied the way you want, and then there's also a kind of "scan my tenant and find where I've got some gaps in my audit logging, and set those for me." So instead of hand-crafting a bunch of crazy PowerShell to get the setting you want across all your tenant, there's a GitHub resource there that's very handy for doing that. A GitHub screenshot: that's what it's going to look like when you go there and get the PowerShell. How about that.

All right, so the CIS Benchmark. This again is not maybe as granular as we would like; maybe they updated it in 3.2. Essentially it is: make sure this audit log search is enabled. That's a yes, you want to make sure audit log search is enabled. The flip side of that, the back side and maybe more confusing side, is you want to make sure you're getting all the material into audit logs that you want, and that's where these surprise settings come from. All right, so we make this change and you get a lot more log visibility. If you've got MDR tied into your 365 logs, you get detection capabilities and detection rules you can leverage now because of the new material in audit logs. And again, you're just riding on Microsoft compute and storage, so why wouldn't you? And then all of this is available through the normal Purview search capability.

All right, those are the last ones that I'm going to go through, based on time. So here are some resources. The CIS Benchmark for sure; it is 417 pages long, so there's a lot more surprises in there if you've had the chance to go through it. It's actually very interesting to see some of the other things that are set up by default. The book on the left there is fantastic; it's a great resource for 365 security, so we definitely recommend that. CISA, which again is another US thing, but CISA's got great resources and some tooling built around 365. And then, not a product pitch, this is free and available in GitHub: we have a GitHub project called 365Inspect which allows you to download, install, run against your tenant, and it comes back with a whole set of findings, which, a few of all of these are in there plus another hundred probably, that tell you, give you insight and advice on how to configure your environment. So that's a super handy tool, automated; you don't have to go do a bunch of ClickOps through your 365 configuration trying to figure out where you line up. Sorry, I'm trying not to misspeak. So the open-source version: those findings that are returned are now mapped to the CIS Benchmark, so you get full alignment with the CIS Benchmark and the recommendations we're providing. So you do get that in the open-source tool today, which is fantastic. All right, questions, comments? I'm trying not to do a show of thumbs again. All right, last call, questions. All right.

Yeah, she got the mic, and I got a mic for you. Make sure it shows up on the stream. All right, sir.

What is, could you name two worst-case scenarios that the tenant would be able to do, that the regular user has made the new...

Yeah, so the new tenant really, it's primarily about billing and subscriptions and where subscriptions are associated with. So when a new tenant is created, I think it was on the slide, the user that creates it becomes Global Admin in that tenant. That does not mean that they have Global Admin capability over all of your resources, but they do have the ability to transfer, export and import subscriptions and move some billing information. So that's probably worst case: it's more of a nuisance, and you're alerted to it and you find out about it, but a bit of a nuisance and problem there. I guess the other thing is, for least privilege problems, where you have something like this that doesn't have an immediate, like, disaster scenario but it's certainly not in alignment with least privilege, our concern is: what is that least privilege problem and this least privilege problem, and how do those get combined by clever attackers to become a problem we're not aware of yet? And so that's a bit of the issue on that one, is if you follow a least privilege approach rigorously, you essentially prevent a lot of things you don't know about yet, and how these things can be used in combination with each other. So that's essentially why we would include that one in there. Yeah, you bet.

Anyone else? Last call. There we go, one over here. Oh well, I'm running back that way. You guys are giving me a workout. Oh, where was it? I missed it. Oh, I'm on the wrong side completely. [Laughter] Who had the question? There was one here on the left. I'm not sure about the back; people in the back were trying to point to you and I misunderstood that.

Good morning. This is a very basic question. I lost count of how many you highlighted, but is that where, the ones that you listed, the benchmarks, is that the ones that you think that organizations should start their focus on, or do you have like a top 10, a top 20?

That's a great question. So if you're going to take a benchmark-oriented approach, I would tend to defer to how CIS sets those up. So they set those up in levels; most of their benchmarks have levels, the 365 Foundations has levels, and so they have level one, level two, and I think level three in the benchmark, in the Foundations, and some of them relate to license levels. So some things you can't configure if you don't have the right license level, but all of the level ones, I'm pretty sure, cover kind of the baseline license level, and so I would start at level one and go across the board. The five here weren't necessarily for criticality; they just tended to be the ones that were kind of surprising and interesting, novel and weird, like creating tenants and just Exchange PowerShell for Sue in accounting. But I would look at all the level ones across the benchmark first.

Thank you. And there are quite a few. Okay, last call. All right, thanks everyone. Thank you, Doug. [Applause]
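As an added example (not code from the talk, and not the Soteria GitHub scripts or 365Inspect the speaker mentions), this PowerShell does the per-mailbox audit check the talk describes: it lists user mailboxes whose owner-logon audit set is missing selected actions and, on request, adds them mailbox by mailbox with Set-Mailbox. The action names, the ExchangeOnlineManagement cmdlets and an existing Connect-ExchangeOnline session are assumptions.

```powershell
# Added example; not code from the talk or from Soteria's GitHub scripts.
# Assumes the ExchangeOnlineManagement module is installed and Connect-ExchangeOnline
# has already been run with an account allowed to change mailbox audit settings.

# Owner-logon actions we want recorded on every user mailbox. SearchQueryInitiated is
# the one the talk singles out as not on by default; which actions a license tier
# actually records is Microsoft's call, so verify this list against the mailbox auditing docs.
$RequiredOwnerActions = @('MailItemsAccessed', 'Send', 'SearchQueryInitiated',
                          'UpdateInboxRules', 'UpdateFolderPermissions')

function Get-MailboxAuditGaps {
    # Report mailboxes that have auditing off or lack any required owner action.
    # Caveat: once AuditOwner is customised, Exchange removes 'Owner' from that mailbox's
    # DefaultAuditSet, so future Microsoft default additions no longer apply automatically.
    $mailboxes = Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox `
                 -Properties AuditEnabled, AuditOwner, DefaultAuditSet
    foreach ($mbx in $mailboxes) {
        $missing = @($RequiredOwnerActions | Where-Object { $_ -notin $mbx.AuditOwner })
        if (-not $mbx.AuditEnabled -or $missing.Count -gt 0) {
            [pscustomobject]@{
                Mailbox         = $mbx.UserPrincipalName
                AuditEnabled    = $mbx.AuditEnabled
                MissingOwner    = $missing
                DefaultAuditSet = ($mbx.DefaultAuditSet -join ',')
            }
        }
    }
}

function Repair-MailboxAuditGaps {
    # Fix each gap one mailbox at a time. Dry run unless -Apply is given; the
    # @{Add=...} form appends to the existing AuditOwner array instead of replacing it.
    param([switch]$Apply)
    foreach ($gap in Get-MailboxAuditGaps) {
        $desc = "$($gap.Mailbox): enable auditing, add owner actions [$($gap.MissingOwner -join ',')]"
        if (-not $Apply) { Write-Host "WOULD $desc"; continue }
        $params = @{ Identity = $gap.Mailbox; AuditEnabled = $true }
        if ($gap.MissingOwner.Count -gt 0) { $params['AuditOwner'] = @{ Add = $gap.MissingOwner } }
        Set-Mailbox @params
        Write-Host "DONE  $desc"
    }
}

# Tenant-level check first (the "audit log search is enabled" side), then the per-mailbox report.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Write-Warning 'Unified audit log ingestion is disabled for the tenant; enable that first.'
}
Get-MailboxAuditGaps | Format-Table -AutoSize
# Repair-MailboxAuditGaps -Apply   # run only after the change has gone through change management
```

Run it unchanged to get the report; add -Apply to the commented call to write the settings, and wire the same function into your provisioning runbook so new mailboxes get the same set.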