Creating and Managing Security and Compliance Filters in the Real World [Part 2]

Picking up where I left off on part 1 of this post, I wanted to go into what it would take to refine some roles for managing eDiscovery for larger organizations. In this scenario, we’re going to: remove users from any existing eDiscovery roles or groups; create a security group to hold users that will perform…

Creating and Managing Security and Compliance Filters in the Real World [Part 1]

Diving deeper into the Security & Compliance Center, I decided to embark on trying to scope eDiscovery permissions to meet a certain set of requirements that we see when multiple business units want or need to maintain independence from a content search and discovery perspective. Here is the scenario and requirements that we’re going to…

Office 365 Groups and Anonymous External Senders

Office 365 Groups are glorious creations. There are, however, some instances where they don’t work as you anticipate (or hope). One of those scenarios is when you are configured in hybrid coexistence with the following scenario: Office 365 Group Writeback is enabled (for configuring permissions, see this script); RequireSenderAuthenticationEnabled is set to False for an…

Office 365 Administration Inside Out

Hey! It’s finally here! After months of hard work (almost a year from when we started until a copy arrived at my doorstep), we’ve finally made it to the finish line! Also, pay no mind to my poor cuticles! You can read the press release here: https://blogs.msdn.microsoft.com/microsoft_press/2017/11/27/new-book-microsoft-office-365-administration-inside-out-includes-current-book-service-2nd-edition Or jump straight to Amazon and order it: http://aka.ms/o365adminio…

Block direct delivery to @onmicrosoft.com addresses

We’re all familiar with how Office 365 tenants work–when you spin up a new Office 365 tenant, you get a managed domain (tenant.onmicrosoft.com).  Then, maybe you configure a hybrid environment, and now your tenant has your domain, as well as your original tenant.onmicrosoft.com domain, and a new tenant.mail.onmicrosoft.com.  The two managed domains–tenant.onmicrosoft.com and tenant.mail.onmicrosoft.com both…

Disable Skype SKUs across all users

This week, I was presented with a question from a partner who was in the middle of the Skype for Business portion of a larger merger and acquisition migration project. The customer had enabled the Skype for Business license for all users in the tenant (including users who hadn’t migrated for other domains and forests),…

Detecting Outlook / Exchange data exfiltration

While I was working on a script to configure Office 365 Secure Score settings, I came up with a few scripts that I thought would be helpful in monitoring your messaging environments.  Many organizations have policies against data exfiltration, but detecting and enforcing are totally different animals.  One method that an attacker can set up…

Display or Export All User Mailbox Holds

Last week, I was asked by a few people for information on displaying holds applied to mailboxes. Holds come in several varieties: In-Place Holds created via the Exchange Admin Center or eDiscovery case; Retention Policies (either as Retention or Label policies); Litigation Hold set as a mailbox property; Legacy Exchange MRM policies. When viewed programmatically…

Backup and Restore Office 365 Groups

While working with a partner this weekend on a tenant to tenant migration, we had the need to migrate Office 365 groups.  There’s not really a lot of information around on recreating groups and memberships, so I decided to put together a tool to help the effort. The first thing to understand about Office 365…

Update to Wipe Exchange Online Mailbox script

Earlier today, I was asked to make an update to my script to wipe Exchange Online mailboxes to include Archive Mailboxes. Fortunately, it ended up being much easier than I anticipated. When I enumerated the mailbox originally, I used:

    $Root = [Microsoft.Exchange.WebServices.Data.Folder]::Bind($service, [Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Root)

In order to access the Archive folder, I just had to change…
