I don’t blog about Intune nearly as much as I used to, now that I no longer work for Microsoft and have a greater focus on the Apple ecosystem (which, to be fair, Intune still plays a pretty significant role with iPad/iPhone management).
However, I like to keep across what is happening in this space and I saw a great tweet earlier this week that touched on one of the age old complaints about Intune – the perceived slowness of policy synchronisation (especially compared to other MDM such as Jamf). The tweet came from Rudy Ooms who describes himself as:
Content Creator at Patch My PC | Reverse engineering Intune and Windows internals. Sharing what actually happens under the hood.
How Windows device check-in works with Intune
Windows does not only rely on the eight-hour Maintenance sync to receive new policies. That maintenance cycle exists, but it is only one part of the process.
During enrollment, the device checks in rapidly to pull down everything it… pic.twitter.com/9s1vMZKpRD
Back in 2019 I shared a similar blog post from Oliver Kieselbach entitled New To Intune As An MDM? Read This Blog Post First! – SamuelMcNeill.com (which is still a good read), where Oliver dived into how policy syncs work. In this newer post from Rudy, he tackles similar ground but with a view 6yrs on (wow, time flies!) and as always, I encourage you to read the original post in full:
Rudy does have a video overview of this topic if you’re more into listening and watching than reading:
I’ll share a few highlights from the post that are pertinent in my view, starting with:
Microsoft hasdocumented this first enrollment sync behavior: during the Intune/MDM enrollment, devices check in more frequently to PULL down configuration profiles, certificates, and policies.
Every 3 minutes for the first 15 minutes
Then every 15 minutes for the next 2 hours
And only after that, it shifts to the ~8-hour cycle
Those first two bullet points are generally pretty well understood and most IT Pros will have seen this frequent sync and update during the first OOBE workflow (Out Of Box Experience).
Rudy correctly focuses on “Change Based Check-ins” with Intune and has even created a great diagram to help explain that:
To expand on that, he talks about the role of the Windows Notification Service (WNS) which functions in a similar fashion to Apple’s own Push Notification Service (APN – Configure devices to work with APNs – Apple Support (NZ)). As explained by Rudy:
That push message travels over the Windows Notification Service (WNS) and tells the device to check in. These are the triggers that make Intune notify devices:
Changing targeting (adding or removing a device or user group)
Editing a payload (changing/adding a new Intune policy or updating app assignment)
Entra group membership changes
Store app version updates released by the vendor
In practice, the first policy change is usually pushed down within a few minutes. From there, Intune enforces a quiet period/throttle (roughly 30 minutes per device) before sending another push. So, while it’s not instant like a remote wipe (which must always be immediate), it’s still far faster than waiting for the full 8-hour maintenance cycle. Let me zoom in on the push message itself a bit more.
The blog includes some interesting testing data showing that the WNS is somewhat of a ‘black box’ in terms of how it operates and where buffers can come into play between a push of a policy change and execution on the device (again, read the full blog on Rudy’s site).
But What About Throttling, You Say?
Something that many frustrated IT Admins have suspected and/or complained about is the preception Microsoft throttles Intune changes to reduce load (either for the Azure cloud or the endpoint). Rudy’s post goes into this in some detail, explaining how the first changes are almost immediate and then subsequent rapid changes are bundled together and throttled:
Change #1 → WNS push almost immediate
Change #2 and #3 (<30 min later) → bundled, resolved when device responds to the same notification
Change #4 (>30 min later) → new WNS push delivered
Whilst this may make a lot of sense for Microsoft, for IT Admins that are perhaps making rapid changes to configurations it can be a source of intense frustration. Of course, in a perfect world IT Admins are cool, calm and collected at all times and make all of their policy configuration changes with a single update. However, that rarely matches the often frenetic pace which busy IT Admins are required to work at and knowing that changes are being bundled and throttled is often a suboptimal experience.
It does sound like there is some work being done by Microsoft to redesign this with something called “Fast Lane” that is broken down in the blog – check it out.
Final Thoughts
It can be very hard to change perceptions and the old adage of “perception vs reality” is very real when it comes to Intune sync speed. Dealing far more regularly with Jamf and macOS/iPadOS these days than Intune and Windows, I can say that in terms of speed of policy sync and responsiveness it really does feel like Jamf is a Ferarri and Intune can be a Bambina stuck in rush hour traffic.
Ultimately, it’s a great thing if Windows and Intune become increasingly more responsive as managing endpoints from the cloud is a good thing for everyone. With that, a final graphic from Rudy’s blog to visualise timings:
I saw this post today from Scott Breen at Microsoft, a great guy that I used to work with off and on over the last six years I was at Microsoft.
In this video, he steps through the configuration of using Apple’s Platform SSO with password sync for an EntraID Join of a macOS device that will be shared by multiple users. This is of course a very common scenario in education where labs of iMacs are common, or shared devices in a library context is also prevalent.
This builds on my earlier blog post last month announcing the launch of Microsoft’s PSSO integration with EntraID and highlights the effort Microsoft is clearly making in terms of improving the macOS experience within Intune.
Given many educational organisations already own M365 A3 licenses and many corporates have M365 E3 (both of which contain Intune and EntraID licensing – see this post), it reduces the cost of ownership to securely and easily integrate Macs into an organisational fleet of devices.
Reminder: this functionality is still currently in preview (as of June 2024), but watch this space once it goes public.
It references a good article (direct link here) of a new feature coming in April 2024 called Restricted SharePoint Search – from the article:
Restricted SharePoint Search gives you time to review and audit site permissions. It is designed to help you maintain momentum with your Copilot deployment while you implement robust data security solutions from Microsoft Purview and manage content lifecycle with SharePoint Advanced Management. Combined, these two solutions offer a complete solution for data discovery, protection, and governance.Â
This seems like a sensible offering from Microsoft as one of the most frequent topics of conversations I’ve had with customers exploring Copilot adoption is concerns around data security and oversharing. I’ve written a few blogs about this already and with this new feature, Microsoft is clearly looking to encourage customers to take the first steps into Copilot usage but with some additional guardrails in place to try specifically exclude SharePoint sites that may have highly sensitive data in them or have not adopted effective file security permissions through Purview.
Organisations should note that SharePoint Restricted Search is off by default which likely makes sense from a Microsoft perspective (maximum datasets for Copilot to search and respond with), however I’d imagine many organisations may have preferred this was turned ON by default to allow a staged rollout with a more cautious approach to AI powered assistance.
Nevertheless, the fact this functionality is being added suggests to me that Microsoft is responding to feedback from customers around data privacy concerns and providing a valuable tool to be able to restrict access to data until all the necessary security permission are in place. When this functionality is turned on, users are given a visual cue that restrictions are in place:
For users with Microsoft 365 A3 and A5 licenses for faculty, the Bing Chat Enterprise service plan isn’t yet available. See the following sections for specific instructions related to these licenses
Interestingly, this is going to be turned ON by default for tenants and you can turn it off by going to https://www.aka.ms/TurnOffBCE. If you’ve already turned it off and wish to turn it back on, then you can do so at https://aka.ms/TurnOnBCE – this change may take up to 48hrs to take effect. Given the enhanced benefits of using Bing Chat Enterprise, you may wish to turn off access to the consumer Bing Chat, with instructions on how to do that listed here. Microsoft shares a few ideas on what employees may wish to do with Bing Chat Enterprise such as:
UPDATE 3rd October: Within a couple of hours of writing this blog post I’ve see Microsoft has released a series of prompts for education audiences to improve their experience interacting with generative AI such as ChatGPT and Bing Chat I’ve added a section below to include this. Click here to skip straight to it.
Like many of the large technology organisations, Microsoft has made numerous recent announcements of AI powered offerings across their popular Windows and Microsoft 365 products. The umbrella product name Microsoft is using for their generative AI solutions is Copilot. This blog has four sections:
As of September 2023, there are two primary ways this could be accessed by customers:
Windows Copilot: arriving as part of the Windows 11 23H2 update, starting September 26th 2023 via Microsoft’s rolling updates to Windows customers
Microsoft 365 Copilot: arriving as a paid SKU on 1st November 2023 that customers would need to purchase and assign to designated users.
Given the associated licensing costs for Microsoft 365 Copilot, most education customers are likely to experience the Windows Copilot features first. Outlined in detail in this blog from Microsoft, there are numerous enhancements to familiar applications in Windows that will be AI-powered. Before sharing some more details on this below, it is important for educational institutions to understand that they can delay/block these features if they wish for devices in their organisation if they are managed by Intune or other means that can deploy policy updates to Windows devices.
The Windows 11 23H2 feature update will bring over 150 updates to the OS, many of which will support Copilot and generative AI. There will be a Copilot icon on the taskbar by default, and it can be automatically activated by the pressing Win+C keyboard shortcut. Three of the feature applications that will integrate Copilot are in the area of creativity (example video here):
Paint: clever new functionality will allow for AI drawing and digital creation, along with intelligent removal of backgrounds and adding layers (something typically found in more advanced image editing applications)
Photos: enhanced image editing and powerful new searches if you’re using OneDrive Personal, where you can search for photos with natural language queries based on content inside them (e.g. ‘find photos with bikes in them’)
It’s worth understanding that for this to happen OneDrive images will be searched and indexed automatically.
Snipping Tool: Copilot will add the ability to extract text visible in images, as well as redact sensitive information such as names or email addresses. Users will also be able to add audio to images/videos created using the Snipping Tool
While undeniably convenient, keep in mind this ability is likely based on Optical Character Recognition (OCR) functionality scanning and processing images and extracting text from them automatically (something many smartphones are doing already with photos taken). Take some time to understand any potential privacy concerns this functionality may create.
Windows Copilot will also bring enhancements to Outlook for Windows with support to write emails along with intelligently attaching documents from OneDrive. As part of Microsoft’s continuing commitment to accessibility, Copilot will add further enhancements to voice commands for controlling your PC.
The Windows 11 23H2 feature update will also bring enhancements to the Bing Copilot functionality. An example provided by Microsoft to showcase how this might work included if you’ve been following the progress of a soccer team through Bing and you then plan a trip to a city it will automatically check if that team is playing in the city during the time of your visit. Users can optionally turn off the ability for Bing to leverage chat history (this needs to be done per user, per device – there does not appear to be an organisational configuration for this at this time).
Another creative feature that will be unlocked is the Bing Image Creator, leveraging the OpenAI DALLE 3 generative AI functionality for original image creation. Interestingly, Microsoft is introducing Content Credentials, an invisible watermark showing when the image was first created (example video here).
A final note on security – this feature update will introduce the ability to use Passkeys for Windows users, a more secure and arguably faster way to log into websites and apps that support these. With passkeys, a user can use Windows Hello to sign in with a PIN, facial recognition, or fingerprint instead of entering a username and password each time.
Microsoft 365 Copilot
As mentioned earlier, this will be a paid SKU and launching on November 1st 2023 and before rushing out to purchase a few licenses for earlier adopters.
It’s worth noting that Microsoft 365 Chat combs across your entire universe of data at work, including emails, meetings, chats, documents and more, plus the web. Therefore, it’s worth considering how prepared your organisation is from a data sharing and restriction perspective before simply turning this on and giving it a try.
With Copilot, Microsoft is also introducing new capabilities in Outlook, Word, Excel, Loop, OneNote, OneDrive and Bing Chat Enterprise (example video here).
The requirements for accessing this new functionality include:
Microsoft 365 E3/E5 licenses
AzureAD accounts for users
M365 Apps set to ‘Current Channel’ if users want to experience Copilot in the desktop apps (instead of just the Office Online apps)
A critical consideration for organisations is the current state of their M365 tenant sharing and permissions. If these are too lenient, Copilot will trawl and index content that will be surfaced up to users in ways the institution may not want creating challenges around oversharing and data governance. Therefore, I suggest you watch this video, and read this article to get details on how to adopt content management best practices as the full breadth of data sources Copilot will draw include the organizational content in your Microsoft 365 tenant, including users’ calendars, emails, chats, documents, meetings, contacts, and more.
Ultimately, the richness of the Microsoft 365 Copilot experience depends on the volume of data that is accessible in the tenant, so there is a balancing act between restricting access to content through appropriate sharing permissions and opening up contact to Copilot to add value and save time.
A couple of points of clarification: Copilot does not use the organisational data or user prompts to train the foundational AI model and nor does it use the public OpenAI services that power the free functionality found in Bing Chat. Instead, all processing is achieved using Azure OpenAI services.
Prompts for Education: Enhancing Productivity & Learning
I see that the Microsoft Education team have released as series of prompts to help the education community engage more effectively with generative AI such as ChatGPT and Bing Chat – you can find the link to the prompts here. If you’re wondering what these are, the GitHub repository describes them as follows:
Welcome to the Prompts for Education repository! Our mission is to transform the way students, educators, and staff in K-12 and higher education institutions interact with generative AI technology like ChatGPT and Bing Chat. By using these prompts, staff can save time and work more efficiently, and students can explore new and exciting learning opportunities.
Whether you’re a student, a third-grade teacher, a college professor, or a school administrator, this collection is designed with you in mind. No technical expertise required!
If you’re still wondering precisely what a prompt is, then here’s the definition:
Think of a prompt as a special question or statement that you can give to an artificial intelligence model like GPT. It’s designed to provide you with information, insights, or even creative ideas tailored to your needs. It’s like having a knowledgeable assistant at your fingertips!
From what I see and read, the key to using generative AI effectively is to use intelligent prompts to get the most useful answers back (the old adage of ‘garbage in, garbage out’ still applies!).
Conclusion
In conclusion, Microsoft Copilot appears to replace much of the functionality previously offered by Cortana (a service that is now discontinued) but do it in a more intelligent way by accessing an organisation’s content in the paid Microsoft 365 Copilot, and user input and OpenAI models in the free Windows Copilot version coming in the Windows 11 23H2 feature update. Educational institutes should be actively considering how this technology may impact users and take necessary steps to provide guidance if allowing these features to roll out to users, or consider pausing them until the impact is more fully evaluated.
Furthermore, seeing Microsoft release prompts to help educators and students engage more effectively with generative AI is a helpful thing and I can imagine educators will leap on this and help refine these further and share with the broader education community.
Since I’ve moved on from Microsoft, my interests and focus have expanded beyond just the realm of Microsoft365 offerings and I’m dabbling in other technologies that can add value to the education industry and beyond.
In this multi-part blog series, I’m going to explore different flavours of Azure Virtual Machines, so buckle up and enjoy:
Azure Lab Services enable you to easily set up a class, run a training lab, host a hackathon, experiment, and test your proof-of-concept ideas in the cloud.
Configuring a traditional computer lab for specific scenarios has historically been a time consuming process. This has been made easier with the advent of cloud MDM tools like Microsoft Intune which can offer a significant amount of customized experience based on the user signing into the device, however there are still many scenarios that exist where greater levels of customisation are needed (Note: it is possible to use Intune to manage your Azure Lab Services too).
Furthermore, the end users may be bringing their own device (BYOD) that is not compatible or powerful enough for the task at hand – cloud based virtual computer labs provides a very real solution to this situation. In fact, recently I was talking with a school that was in this exact situation – students were using iPad Pros but required a Windows device for a particular online test. The ability to provision virtual machines for short term usage for students for the test was one avenue the school explored.
Other scenarios that Microsoft has created specific ‘how to’ tutorials for Azure Lab Services include:
In a business context, the ability to run training for staff in a contained environment that can be easily re-deployed for different groups of staff is very appealing. Likewise, if you’re conducting UX/UI testing with control groups, having the ability to run repeatable testing in a pre-configured environment is helpful.
Creating An Azure Lab Service
Rather than reinvent the wheel, I’ve embedded a good 3minute video from Microsoft showing the basics for setting up an Azure Lab. Note that the video is 2yrs old and there are some subtle differences to the Azure Portal now, but fundamentally the process is the same.
If you’re more of a ‘step by step’ learner, then the overarching process is as follows:
The Lab Plan is basically a collection of configurations and settings that apply to any labs created inside it. This includes linking it to an active Azure subscription, resource group for management and also the Azure region where the lab VM’s will be deployed.
This is where you configure and create the actual VMs. It differs from the Lab Plan (high level configurations and settings) as it focuses much more on the type of VM you’re wanting in your Lab (OS, RAM, CPU, policies etc)
Note: initially you create a generic username/password to log into the VM. You have a choice to lock the password or allow the end users to reset the password on first login.
Customise the VM: You have a choice of running a standard OS template (choices around Linux, Windows 11, Windows Server etc) or choosing to customise a template with your specific needs.
Essentially, you start the custom template VM, make changes (install required software, make settings changes etc), stop the VM, then publish the custom VM template to the Lab. Details are here.
This process allows you to choose/define the maximum number of VM that will be available to your end users. It’s super easy and the time to access the VMs depends on the number you’re creating.
Note: due to Azure region capacities, I have found the ability to create VMs is limited at times – the Azure Lab Services wizard advises how many VMs you can create in the current region during the Publish Lab process.
It really is that simple of a process and with the Lab created, the dashboard does give you an indicative cost associated with the lab. For experimentation purposes, I created a Lab with 5 VM that had a maximum of 10hrs per VM (so 50hrs total) and the indicative cost was USD$10 if all hours were used:
Shortly, I’ll share some tips on how to manage billing by implementing some guardrails around usage and avoiding cost blowouts.
Connect To A Lab
Once a lab is created and published, the ability to connect to each of the individual VM can be managed in a few ways, either by assigning VM to a specific student (AzureAD group sync or CSV upload), sharing a self-registration link, or emailing an invite to users. Once received, they can start the VM and connect to it using the RDP client of their choice. Either the Lab owner or the student can start the VM and then the remote desktop connection file can be downloaded and used to launch the remote desktop client to connect:
The student would need to sign in at the Azure Labs Portal with their organisational AzureAD credentials and they need to know the initial VM username/password created above (and, if configured, may be prompted to reset the password on first sign in).
Alternatively, if comfortable, a host and port number can be shared with an end user directly from the Lab VM pool page e.g.
Here is the same VM connected to using the Microsoft RDP client on my MacBook:
The Azure Lab Services dashboard allows you to see at a glance which machines are on, and how many hours of their assigned quota have been used:
With the appropriate permissions, a Lab Creator can start, stop or reset any of the VM in the lab. An individual student can turn on/off any VM in a lab that has been assigned to them through the portal.
One of the biggest considerations and concerns from organisations new to Azure Virtual Machines is the issue of cost and more specifically, how to avoid unpleasant bills for un-budgeted consumption! There is detailed guidance that you can read here
The good news is that Azure Lab Services offers three main ways to manage costs.
Quota Hours
The simplest way to have as close to a ‘fixed’ maximum cost as possible is the requirement to define the number of hours quota to the VM at the time of the lab creation. In my example above, I created 5 VM for a maximum of 10hrs per VM, that would have a total approximate budget of USD$10.
There are two variables that affect this cost: if students use less than the maximum quota of hours and the VM is turned off then the cost will be lower. More importantly, if the Lab Creator (professor, assistant, trainer etc) go into the VM to assess student work, then there is a charge for the consumed resources during these activities above and beyond any student consumption (and also above the quota hours)
Quotas are a good way to allow students to work on the VM for homework outside of scheduled class hours.
Note: scheduled hours and quota hours can operate separately or together. From the Microsoft Docs:
The use of schedules for a lab is optional and you might specify user quota instead, or use a combination of both. User quota is the time that lab users can run their lab VM outside of scheduled time. For example, to complete assignments or homework. Any scheduled time doesn’t count against extra time that lab users have. A lab can use quota time, scheduled time, or a combination of both.
You can set a schedule to implement a hard stop on usage of VMs (e.g. end of the school/business day) that helps with ensuring no VM is left on accidentally creating wasted expense.
Settings
Put simply, these are ways to automatically shut down the VM if there is no active usage or no user connects to the VM once it starts. The options are as follows:
Whilst turning off a VM based on idle time makes a lot of sense to avoid unnecessary costs, getting this setting right may depend on your scenarios – some forethought into an appropriate ‘timeout’ period would be beneficial to avoid frustration of a user getting logged out and having to restart their VM.
A key takeaway for me is that there are various mechanisms that can be put in place to provide assurance around costs and prevent unexpected bills for the use of Azure Lab Services
Final Thoughts
Azure Lab Services offers affordable, flexible virtual machines in a lab context for a variety of services. It’s quick and easy to deploy and, if desired, the VM can even be managed by your Intune MDM licensing.
Given many educational institutions use iPads or ChromeBooks, Azure Lab Services can provide an ‘on demand’ virtual Windows lab that can be easily connected to from any OS. This can go some way towards delivering a more equitable device experience by removing the limitations of the host device a student may use by supplementing it with a virtual desktop that has comparable specifications for all students in a class.
I certainly look forward to having more conversations with customers about scenarios were Azure Lab Services would be of benefit to them.
Well, not exactly. It is Friday, but I’ve not gone fishing or phishing, but have certainly been brushing up my skills on the latter. I’ve shared previously one of my favourite IT posters on phishing and last week shared some infographics on how to have discussions with students and educators on spotting phishing attacks and after some recent conversations with customers around phishing protections in M365 I wanted to share a few things today for others to benefit from.
As this post has grown in length, you can jump to the various sections of interest by clicking below:
Phishing is a type of email scam. The sender pretends to be a trustworthy organisation — like a bank or government agency — in an attempt to get you to provide them with personal information, particularly financial details.
Interestingly, and pleasingly, LastPass were implementing stronger MFA technologies from MSFT in the wake of this attack:
LastPass has upgraded its multi-factor authentication (MFA) by applying Microsoft’s conditional access PIN-matching MFA, and the company is now rotating critical and high-privilege passwords that were known to the attackers, to reduce the chance of an additional breach.
The reality is, no organisation is immune from attacks and we should all adopt a stance of humility and learning as there are many educational benefits of studying the misfortune of others who have been fooled by a phishing or malware attack. In particular, the education industry is by far and away the biggest target/victim as shown by Microsoft’s global threat tracker, consistently showing 80% or higher of the malware encounters in the last 30 days:
Microsoft does provide a range of malware, spam and phishing protections for Exchange Online users through both Exchange Online Protection (basic) and more advanced features in Defender for Office365. SE Labs also recently named Defender for Office365 the best email security service for 2023: Microsoft named Best Email Security Service of 2023 by SE Labs – Microsoft Security Blog
It’s also worth noting that the configurations for all of these settings have been moved into the Microsoft Defender security administration portal and out of the Exchange Online administration portal:
Mail protection policies are no longer in EXO admin centre
It’s at the content filtering stage that phishing and spam detection kicks in.
To configure the anti-phishing policies, head to the Security Admin dashboard and navigate to: Email & Collaboration –> Policies & Rules –> Threat Policies –> Anti Phishing. For the more visual:
One thing worth being aware of (as I missed it on the first run through) is that there are actually some preset security baseline policies that are worth enabling as a starting point and I suspect many organisations don’t have this on by default:
You have two baselines to choose from in the EOP licensing:
I’d recommend organisations turning on this preset security policy as a starting point to improve their defenses against phishing attacks.
Now, back to the main anti-phishing policies, like any policy in M365 you set the policy and then decide which users/groups this will apply to. By default, there is a policy already created for your tenant by Microsoft:
By clicking on it, the configuration pane opens on the right hand side showing your current settings and you have a choice to edit the protection settings and the actions:
It’s worth noting that with EOP licensing you only have the Spoof Intelligence option to turn on/off – learn more about what this is here. It is under the “edit actions” that you have a few more options and I’d recommend turning all of these on:
The First Contact Tip is actually one of my favourites and shows up when a recipient receives a message from someone for the first time or on an irregular basis and is a visual cue warning to pay extra attention to whether the message appears legitimate or not. The tip bar looks like this:
The “Show via tag” is also a helpful one, although perhaps requires a bit more understanding from the recipient as to why this matters. As per the settings tip it states:
Choose if you want to apply a “via” tag in Outlook (chris@contoso.com via fabrikham.com).
The warning here is that someone may be trying to spoof your company’s domain name to appear to be an internal employee when in fact they’re sending from an external domain provider. There are some legitimate reasons for this behaviour:
Legitimate scenarios for spoofing internal domains:
Third-party senders use your domain to send bulk mail to your own employees for company polls.
An external company generates and sends advertising or product updates on your behalf.
An assistant regularly needs to send email for another person within your organization.
An internal application sends email notifications.
Legitimate scenarios for spoofing external domains:
The sender is on a mailing list (also known as a discussion list), and the mailing list relays email from the original sender to all the participants on the mailing list.
An external company sends email on behalf of another company (for example, an automated report or a software-as-a-service company).
Note: The default rule is always on – you can not choose which users/groups it can apply to, however if you want a custom policy to apply to only some users or groups, then you can do this at the time of creation:
So you can see that Exchange Online Protection anti-phishing settings are pretty quick to configure – simply because there are not many of them! Which brings us to Defender for Office365 and the more advanced features:
Defender for Office365
Requires additional licensing such as Office365 A5 or M365 A5, or Defender of Office365 P1/P2. Want a free 90 day trial license? Obtain these by clicking here.
A helpful way to understand what is included in the Defender for Office365 P1/P2 plans is contained in the awesome m365maps.com, a great website that I’ve blogged about before. The key components are:
User impersonation is the combination of the user’s display name and email address. For example, Valeria Barrios (vbarrios@contoso.com) might be impersonated as Valeria Barrios, but with a completely different email address.
Domain impersonation is where the sender’s domain is visually close to the organisations: e.g. microsoft.com is impersonated as micr0soft.com.
Allows you to configure the aggression level of detection based on the confidence of the phishing detection through four stages from standard through to most aggressive.
One of the other differences is a third option around Security Presets – reminder that with EOP you only had two, neither of which were on by default. With Defender for Office365 there is a third option of “built in protection” only for licensed users:
To configure these additional settings, go to the Anti-Phishing settings as above and this time when you edit Protection Settings there are many more choices, with the first choice being the aggression level with a simple slider:
After that, you can configure the impersonation settings (including both users and domains):
When you add internal or external email addresses to the Users to protect list, messages from those senders are subject to impersonation protection checks. The message is checked for impersonation if the message is sent to a recipient that the policy applies to (all recipients for the default policy; Users, groups, and domains recipients in custom policies). If impersonation is detected in the sender’s email address, the action for impersonated users is applied to the message.
The idea with impersonation settings is that you would apply them to authority figures in the organisation that most people would respond to any request from without thinking. For instance, if the CFO emailed asking for financial information most people would comply and provide the details. Therefore, adding the impersonation rules to CFO’s account (there is a limit of 350 per organisation) makes complete sense. That way, any inbound email that has an approximation of CFO’s name/email address will have warning tips applied through the actions if there is a match:
Impersonation safety tips
Impersonation safety tips appear to users when messages are identified as impersonation attempts. The following safety tips are available:
Show user impersonation safety tip: The From address contains a user specified in user impersonation protection. Available only if Enable users to protect is turned on and configured.
Show domain impersonation safety tip: The From address contains a domain specified in domain impersonation protection. Available only if Enable domains to protect is turned on and configured.
Show user impersonation unusual characters safety tip: The From address contains unusual character sets (for example, mathematical symbols and text or a mix of uppercase and lowercase letters) in an sender specified in user impersonation protection. Available only if Enable users to protect is turned on and configured.
With more protection settings comes more actions in terms of handling identified phishing attempts, based on spoof protection or impersonation attempts:
Options include routing to junk/quarantine, re-routing the email to a dedicated safety email address, delete the message or add a Bcc address. Additionally, of course, there are the extra safety tips and indicators for user/domain impersonation based off this licensing.
A final reminder: you can have granular policies based on users/groups and customise the levels of protection/aggression of filtering as well as custom actions based on who the intended recipients are. One instance might be if you’re getting a user who consistently “falls” for phishing attempts despite all tips/education, you might choose a more aggressive action for that user and simply delete those emails before they ever see them!
The other major benefit with Defender for Office365 to protect against phishing attacks is Safe Links and Safe Attachments.
Safe Links & Safe Attachments in Defender for Office365
Safe Links is a super helpful feature and is described in documentation as follows:
Safe Links is a feature in Defender for Office 365 that provides URL scanning and rewriting of inbound email messages in mail flow, and time-of-click verification of URLs and links in email messages, Teams messages and other locations.
Safe Links will protect users for any links they click in email, Microsoft Teams and Office documents. Configuration is very similar to the anti-phishing policies above, starting at Threats & Policies in the Security Admin centre
The pane on the right should be starting to become familiar to users now, with the usual “edit protection settings” button required to get access:
Here you can turn on/off the different applications for Safe Links, and note that you can also choose to apply real time URL scanning (recommended) and you can optionally choose to wait for scanning before delivering an email if you wish. There are also configuration options in terms of what happens when a link is clicked:
Instead of “edit actions” for this, you have the option to edit notifications – the message that the end user sees when they click on a link. You can customise this which I recommend because you want to provide as much reassurance to your users that alerts and warnings around phishing are coming from your organisation and not simply random “pop ups”:
Safe Attachments in Microsoft Defender for Office 365 provides an additional layer of protection for email attachments that have already been scanned by anti-malware protection in Exchange Online Protection (EOP). Specifically, Safe Attachments uses a virtual environment to check attachments in email messages before they’re delivered to recipients (a process known as detonation).
Configuration is in the same area of the Security Centre and applies the same general formula of settings: create a policy, assign it to users/groups.
Known malware is going to already be addressed by EOP filtering/scanning, so what you’re really needing to make decisions on here is how to manage unknown potential malware and you have a range of options. Again, keep in mind the ‘value’ of the target i.e. you may have more aggressive filtering on higher priority targets in your organisation (Vice-Chancellors, Provosts, Principals, Financial, Pastoral Care staff etc) to reduce the chance of a successful attack (whilst increasing the risk of a potential false positive).
Note: the recommended option is “Block”, however if you’re wanting to not delay any incoming email you may choose Dynamic Delivery which I prefer.
Attack Simulation Training – Last But Not Least
Saving the ‘best’ for last, I want to touch on Attack Simulation Training which is a super cool feature I really like as it focuses on the education of end users inside your organisation which is critical to build a robust defense against phishing attacks. All the ‘smarts’ in the world from a technology perspective can still fail, so training your users to be vigilant in spotting a phishing attack is best practice in my mind. My strongest recommendation is that you advise your users in advance of any attack simulations so they are at least aware this may happen. No employee likes to learn unexpectedly that their employer is running tests against them to look for ‘weak links’ in cyber security. Again, education is meant to be a positive experience and not a punitive one! I suggest you watch the guide video here first:
With Attack simulation training in the Microsoft 365 Defender portal you can run realistic attack scenarios in your organization. These simulated attacks can help you identify and find vulnerable users before a real attack impacts your bottom line.
I am not going to cover this in too much detail, but there are various types of simulated attacks you can run against your users:
In Attack simulation training, multiple types of social engineering techniques are available:
Credential harvest: An attacker sends the recipient a message that contains a URL. When the recipient clicks on the URL, they’re taken to a website that typically shows a dialog box that asks the user for their username and password. Typically, the destination page is themed to represent a well-known website in order to build trust in the user.
Malware attachment: An attacker sends the recipient a message that contains an attachment. When the recipient opens the attachment, arbitrary code (for example, a macro) is run on the user’s device to help the attacker install additional code or further entrench themselves.
Link in attachment: This is a hybrid of a credential harvest. An attacker sends the recipient a message that contains a URL inside of an attachment. When the recipient opens the attachment and clicks on the URL, they’re taken to a website that typically shows a dialog box that asks the user for their username and password. Typically, the destination page is themed to represent a well-known website in order to build trust in the user.
Link to malware: An attacker sends the recipient a message that contains a link to an attachment on a well-known file sharing site (for example, SharePoint Online or Dropbox). When the recipient clicks on the URL, the attachment opens and arbitrary code (for example, a macro) is run on the user’s device to help the attacker install additional code or further entrench themselves.
Drive-by-url: An attacker sends the recipient a messages that contains a URL. When the recipient clicks on the URL, they’re taken to a website that tries to run background code. This background code attempts to gather information about the recipient or deploy arbitrary code on their device. Typically, the destination website is a well-known website that has been compromised or a clone of a well-known website. Familiarity with the website helps convince the user that the link is safe to click. This technique is also known as a watering hole attack.
OAuth Consent Grant: An attacker creates a malicious Azure Application that seeks to gain access to data. The application sends an email request that contains a URL. When the recipient clicks on the URL, the consent grant mechanism of the application asks for access to the data (for example, the user’s Inbox).
Remember, when you “catch” an employee who is fooled by your attack simulation, be gentle, avoid making them feel foolish and use the process as an educational learning experience.
Final Thoughts
Security patching of devices, spam filtering and other real time protections have become so good that the previous attack vectors to exploit devices are far harder to compromise these days. For this reason, bad actors are turning to human manipulation through ever increasingly sophisticated phishing scams that can fool even the most vigilant users.
Microsoft 365 has some excellent tools to increase your security posture through Exchange Online Protection and Defender for Office365 and I trust that this post has brought some of these to your attention and consideration. There are other healthy things to do around email routing and integrity that I have not covered, such as DMARC configuration (Use DMARC to validate email, setup steps – Office 365 | Microsoft Learn) and it’s important to explore setting these up as well.
I can’t stress enough that regular education of your end users is critical in the fight against phishing attacks. Using the Attack Simulator is a helpful tool, but always do so gently and with an educative approach aimed at helping your users become more effective in spotting attacks.
Good luck!
Useful Links From Microsoft Documentation
In no particular order, some documentation that I reviewed/referenced in this blog post: