The Microsoft Whiteboard just got better

What’s Microsoft Whiteboard?

Microsoft Whiteboard lets users on Windows, Surface Hub and iOS (Android coming soon) create freely and work naturally, giving ideas room to grow. Transform your work into professional-looking charts and shapes on an infinite canvas with an interface designed for pen, touch, and keyboard.

The Whiteboard app is also built into Microsoft Teams and can be used in video calls to help teams work collaboratively in a virtual whiteboard space.

What’s Changed?


Yesterday Microsoft updated its whiteboarding app, “Microsoft Whiteboard”, for Windows (including Surface Hub) and iOS, adding a hugely requested feature which they have called “templates”.

What Templates are available?

The templates help to quick-start meetings and get everyone on the same page. They have been added to help with common tasks and Team sessions around SWOT analysis, project planning, learning, and more. Microsoft have created layouts that provide an immediate structure with helpful tips for running activities, and that can be easily expanded to fit any and all content.

Microsoft have said that more templates and capabilities will be made available continuously in the coming months.

If you can’t see the feature yet, head to the store and check for updates!

If you don’t have Whiteboard yet – you can get it here:

Another critical step to preventing Identity and Information Theft…

One of my earlier posts talked about how enabling Multi-Factor Authentication across your organisation can dramatically reduce your risk of attack, breach or data theft by identity compromise. However, after reading some of the comments and talking to some other IT admins and CSOs, I felt this needed a Part #2.

According to Symantec, 91% of all Cyber Attacks start with a spear phishing email  

Protecting Corporate Email

It’s fair to say that “most” organisations who use Microsoft Exchange Online for their corporate email services use some form of additional security or protection.

Exchange Online Protection

Microsoft provides Exchange Online Protection (EOP) as a standard service with Exchange, which is essentially an anti-spam and antivirus service.

Each and every mail security company (Symantec, Proofpoint, Mimecast, you name it) will heavily criticise Microsoft for its “lack” of protection against modern and zero-day threats, and to be honest they are quite right too. What many people aren’t aware of (and I don’t think Microsoft shout about it loudly enough) is that Microsoft have some pretty good advanced services you can enable (or buy). Any security officer will tell you that the key to security is defence in depth, and there isn’t a single “master of all” platform or vendor out there that can protect an organisation from attack, regardless of what form it comes in.

Having multiple defences (not necessarily multiple vendors) in place helps because if spam sneaks by the first line, it might be stopped by the second. 

As you’d expect, there are many 3rd party products and services available that complement the standard Exchange Online Protection services, including Proofpoint, Symantec, Mimecast etc. But if your organisation uses Microsoft Exchange Online then, depending on your licensing level, you have some pretty impressive advanced security features which, to be honest, you should be using, especially if you don’t use any 3rd party bolt-ons. This is Office 365 ATP (note, it’s not specifically focused on Exchange).

Hello Office 365 ATP

Microsoft Office Advanced Threat Protection (ATP), which is part of Office 365 E5 (or an add-on), builds on Microsoft EOP and provides two key features aimed at protecting users from phishing attacks, malicious attachments and other advanced threat vectors which typically target users by getting them to click something, fill something in or download something. Again, according to Symantec, 1 in 4 people will click a link in an email without checking the message header or checking it is from who they think it is.

Of course Microsoft claim Office ATP is the best line of defence for their Office 365 customers. As you’d expect, third-party mail hygiene services beg to differ and say that their solutions offer better protection. Either way, you’re better protected when EOP is not the only line of defence.

So what does Office ATP include?

Office ATP delivers two key security enhancements for Exchange (and Office 365 in general): ATP Safe Attachments and ATP Safe Links. Both features are designed to stop malicious content arriving in user mailboxes and across the other key Office 365 services.

ATP Safe Attachments

The concept behind ATP Safe Attachments is fairly simple: it is designed to protect users against emails that may contain malicious attachments. ATP Safe Attachments intercepts all emails before they hit the user’s inbox and essentially detonates the attachment to make sure it’s safe. ATP Safe Attachments also stops infections caused by malware being uploaded to SharePoint Online and OneDrive for Business sites, including the SharePoint Online sites used by Microsoft Teams (which is enough for Microsoft to claim ATP support for Teams).

There are a couple of configuration options around how Safe Attachments works which are mainly designed to control how attachments get delivered to users.

The options are relatively self-explanatory. For avoidance of doubt, I’d strongly recommend using Dynamic Delivery, which means all users receive their email messages (at first) without the attachments (well, they get a placeholder) while those attachments are being scanned by Microsoft to check they are safe.

Safe Attachments doesn’t generally take long to process attachments and in my experience the delay is usually less than 30 seconds (though that can feel like ages if you are waiting for the scan to complete in order to open your attachment – especially if it’s a sales PO!).

ATP Safe Links

ATP Safe Links, as the name implies, provides “click-time” URL protection. It blocks malicious links by analyzing them at arrival time and again each and every time the user clicks on the link, to protect against spear phishing attacks that weaponize a link after an email is delivered.

While links are being checked, users are prevented from getting to the sites. Yes, this can delay mail recipients from being able to get to information, but given the amount of bad sites that exist on the internet (and that more than 91% of phishing attacks originate from email), this is a fair compromise, even if users are sometimes frustrated when they can’t immediately reach a site because of a blocked link.

A newish feature in the ATP Safe Links policy allows Office 365 administrators to “delay message delivery” until all links in an email message are scanned (see below). This seems to be “off” by default but is definitely one I think should be enabled. 

Figure: Configuring Wait for URL Scanning in an ATP Safe Links policy
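The Safe Attachments and Safe Links settings recommended above can be checked and applied from Exchange Online PowerShell. This is an added example, not from the original post; the policy names and the domain `contoso.example` are placeholders, and the parameter names are those of the current ExchangeOnlineManagement module, so older module versions may differ.

```powershell
# Added example. Requires the ExchangeOnlineManagement module and a tenant
# licensed for Office 365 ATP. Names and the domain below are placeholders.
Connect-ExchangeOnline

# --- Audit ------------------------------------------------------------------
# Safe Attachments policies that are switched off or not using Dynamic Delivery.
$weakAttachmentPolicies = Get-SafeAttachmentPolicy |
    Where-Object { -not $_.Enable -or $_.Action -ne 'DynamicDelivery' }

# Safe Links policies that do not scan URLs, or that deliver the message
# before URL scanning has finished ("wait for URL scanning" is off).
$weakLinkPolicies = Get-SafeLinksPolicy |
    Where-Object { -not $_.ScanUrls -or -not $_.DeliverMessageAfterScan }

$weakAttachmentPolicies | Format-Table Name, Enable, Action
$weakLinkPolicies       | Format-Table Name, ScanUrls, DeliverMessageAfterScan

# Is file scanning enabled for SharePoint Online, OneDrive for Business and Teams?
Get-AtpPolicyForO365 | Format-List EnableATPForSPOTeamsODB

# --- Remediate --------------------------------------------------------------
$domain = 'contoso.example'   # placeholder: an accepted domain in your tenant

# Dynamic Delivery: the message arrives with a placeholder while the
# attachment is scanned. It applies to mailboxes hosted in Exchange Online.
New-SafeAttachmentPolicy -Name 'SafeAttachments-DynamicDelivery' `
    -Enable $true -Action DynamicDelivery
New-SafeAttachmentRule -Name 'SafeAttachments-DynamicDelivery' `
    -SafeAttachmentPolicy 'SafeAttachments-DynamicDelivery' `
    -RecipientDomainIs $domain

# Safe Links: scan URLs and hold the message until scanning completes.
New-SafeLinksPolicy -Name 'SafeLinks-WaitForScan' `
    -EnableSafeLinksForEmail $true -ScanUrls $true -DeliverMessageAfterScan $true
New-SafeLinksRule -Name 'SafeLinks-WaitForScan' `
    -SafeLinksPolicy 'SafeLinks-WaitForScan' `
    -RecipientDomainIs $domain

# Extend Safe Attachments to SharePoint Online, OneDrive for Business and Teams.
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true
```

A policy has no effect until a rule scopes it to recipients, which is why each `New-*Policy` call is paired with a `New-*Rule` call.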

What are my other Options?

I’m not going to go into the pros and cons of the other services in this blog (the 3rd party vendors will do this), but depending on your licensing level, or your need or desire to use multiple vendors for security or to standardise your security products across other key strategic vendors, you may choose to explore them. Which is best? It’s hard to say, but if you have nothing, I’d start with Office ATP as it’s most likely included within your licensing plan (and if not, it’s easy to set up a trial with your partner).


Microsoft and also many 3rd parties provide Advanced Threat Protection services across Exchange Online. At time of writing, however, Microsoft are the only vendor that extend these services across other Office 365 services including SharePoint Online, OneDrive for Business and therefore Teams.

New AI capabilities promise to transform the physical retail space

OK so a short blog this time and about something I don’t usually write much about… Dynamics

Microsoft have announced 2 major and significant new features coming to its #Dynamics 365 platform which will essentially bring Dynamics 365 AI into real stores, which is actually really, really cool.

Aimed at bringing AI driven insights to physical retail stores

These two new retail-focused apps are called “Dynamics 365 Commerce” and “Dynamics 365 Connected Store”.

  • Dynamics 365 Commerce is a solution that will unify back office, in-store, call center and digital experiences all within a single interface with “intelligent” features.
  • Dynamics 365 Connected Store will help companies improve the physical retail experience by analysing data from video cameras and IoT sensors to help show traffic flow, dwell zones, dead areas etc allowing retail spaces to better visualise and plan their store front layouts and adjust based on where people foot fall and grouping occurs.


This could add real competitive edge to Dynamics retail customers

This release wave will also see a new Dynamics 365 Product Insights, a new application with Dynamics 365 which will use product telemetry to help companies “build richer relationships and improve engagement.”

Learn More – There is a free Microsoft Business Applications Virtual Launch Event on the 10th October in which the world will learn more.

How to quickly prevent 99.9% of attacks on your users’ accounts

Cyber-attacks aren’t slowing down, and it’s worth noting that many attacks have been successful without the use of advanced technology.

For even the largest, most security averse company, all it takes is one compromised credential or one legacy application to cause a data breach.

This underscores how critical it is to ensure password security and strong authentication across your organisation. Whilst there are many, many solutions out there that can protect networks, applications and data, there is one simple thing that organisations can do, regardless of size and sector, that can have a significant impact on protecting against cyber-attacks and breach through compromised credentials.

Where are organisations most vulnerable?

According to a recent report from the SANS Software Security Institute, the most common vulnerabilities include:

  • Corporate email compromise: Where an attacker (often called bad-actor) gains access to a corporate email account, such as through a phishing or spoofing attack (emails that look like they are from IT or a trusted source that get users to “handover” their log on credentials), and uses it to exploit the system, and steal data or compromise your business. Accounts that are protected with only a user id and password are easy targets.
  • Legacy protocols: Old email clients and many “stock smartphone email clients” can create a major vulnerability since applications that use these old basic protocols, such as SMTP, were not designed to leverage or use modern security technologies such as Multi-Factor Authentication (MFA). So even if you require MFA for most use cases, if legacy protocols are enabled, attackers will search for opportunities to use outdated browsers or email applications to force the use of less secure protocols.
  • Password reuse: This is where attacks such as “password spray” and “credential stuffing attacks” come into play. Common passwords and credentials compromised by attackers in public breaches are used against corporate accounts to try to gain access. It is considered that more than 70% of passwords are duplicates and used on other public sites such as shopping or consumer sites. This has been a successful strategy for many attackers for years and it’s easy to do. Most users re-use passwords because many believe that complex passwords (a mix of letters, numbers and symbols) make passwords and accounts secure – but it can actually have a counter effect, since passwords are more likely to be re-used.

What you can do to protect your company

There are loads of simple steps that can and should be undertaken to provide some basic account and security hygiene.

Administrators can quickly help prevent many of these attacks by banning the use of bad passwords (Azure AD can do this natively), blocking legacy authentication, and through basic awareness and training to staff on how to spot common phishing attacks.

Whilst all this will help – by far the most effective step you can take as a business is to turn on and require Multi Factor Authentication (MFA). This extra layer of user account protection creates a very effective barrier that makes it incredibly difficult for attackers to log on or use stolen/compromised credentials, even if a user “hands them over” as a result of a successful phishing attack.

Simply put, MFA can block over 99.9% of account compromise attacks. With MFA, knowing or cracking the password isn’t enough to gain access, since the user will be challenged to enter a code, respond to a text sent to their phone or approve logon via an app on a device that they have in their possession. To learn more, read Your Pa$$word doesn’t matter.

MFA is easy to enable and use

According to the SANS Software Security Institute there are two primary obstacles to adopting MFA implementations today:

  • Misconception that MFA requires external hardware devices.
  • Concern about potential user disruption or concern over what may break.

When we have these kinds of conversations with customers, the 2nd point is usually the most common – “the owner won’t like it” or “what if it stops person x from logging on and they can’t talk to IT?”

No banking app allows their customers to access their services these days without some form of MFA and we all (as we have to) simply accept this so why should accessing your company’s data be any different?

Depending on your organisation’s choice of MFA technology and the level of licensing it has in place, services such as MFA can be used in conjunction with Risk Based Conditional Access – which is a feature included within Azure Active Directory.

Risk Based Conditional Access

Risk Based Conditional Access is essentially adaptive authentication which looks at a number of different risk factors to determine whether and how to allow a user to gain access to resources. In the MFA example, RBCA can be configured to not need MFA when a user is on a corporate device in the office, but to enforce it whenever users are remote or on a non-corporate or non-encrypted device.
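The steps described in this post (blocking legacy authentication, and requiring MFA unless the user is on a corporate device in the office) can be expressed as Conditional Access policies through Microsoft Graph PowerShell. This is an added example, not from the original post; the display names and the group ID are placeholders, "corporate device" is assumed here to mean a device marked compliant, and "in the office" is assumed to mean a named location marked as trusted.

```powershell
# Added example. Requires the Microsoft.Graph PowerShell module and
# Azure AD Premium licensing for Conditional Access.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess',
                        'Policy.Read.All', 'Application.Read.All'

# Placeholder: object ID of a group holding emergency-access accounts, excluded
# so that a misconfigured policy cannot lock every administrator out.
$breakGlassGroupId = '00000000-0000-0000-0000-000000000000'

# Report-only mode: sign-in logs show what each policy would have done without
# blocking anyone, which addresses the "what may break" concern before enforcing.
$state = 'enabledForReportingButNotEnforced'
$users = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
$apps  = @{ includeApplications = @('All') }
$mfa   = @{ operator = 'OR'; builtInControls = @('mfa') }

$policies = @(
    # 1. Block clients that use legacy protocols and therefore cannot do MFA.
    @{
        displayName   = 'Block legacy authentication'
        state         = $state
        conditions    = @{
            users          = $users
            applications   = $apps
            clientAppTypes = @('exchangeActiveSync', 'other')
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    },
    # 2. Require MFA for any sign-in from outside trusted named locations.
    @{
        displayName   = 'Require MFA outside trusted locations'
        state         = $state
        conditions    = @{
            users          = $users
            applications   = $apps
            clientAppTypes = @('all')
            locations      = @{
                includeLocations = @('All')
                excludeLocations = @('AllTrusted')
            }
        }
        grantControls = $mfa
    },
    # 3. Require MFA on any device that is not marked compliant.
    @{
        displayName   = 'Require MFA on non-compliant devices'
        state         = $state
        conditions    = @{
            users          = $users
            applications   = $apps
            clientAppTypes = @('all')
            devices        = @{
                deviceFilter = @{ mode = 'exclude'; rule = 'device.isCompliant -eq True' }
            }
        }
        grantControls = $mfa
    }
)

foreach ($policy in $policies) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
}
```

Policies 2 and 3 together skip the MFA prompt only when the sign-in comes from a trusted location and a compliant device; once the report-only results look right, set `state` to `enabled`.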

Need some help – the organisation I work for @cisilion can help – get in touch via twitter or visit our website. For more click here: 


Note: Aspects of this information are taken from a blog by Melanie Maynes | Senior Product Marketing Manager | Microsoft Security



What are organisation-wide Teams in Teams?

Organisation-wide teams provide an automatic way for everyone in a small to medium-sized organisation (up to 5,000 users) to be a part of a single team for collaboration and notifications.

With org-wide teams, an organisation can easily have a public team (well, actually up to 5) that pulls in every user in the organisation and keeps the membership up-to-date with Active Directory as users join and leave the organisation (assuming your AD is well managed of course).

As your organisation’s directory is updated to include new active users, or if users no longer work at your company and their Teams license is disabled, changes are automatically synced and the users are added or removed from the team.

Team members can’t leave an org-wide team.

As a team owner, you can manually add or remove users if needed.

Best practices for organisation-wide teams

To get the most benefit out of using an org-wide team, there’s some best practice Microsoft has published based on its research with customers:

  • Allow only team owners to post to the General channel, to reduce channel “noise.”
  • Turn off @team and @[team name] mentions to prevent overloading the entire organisation.
  • Automatically mark important channels as favorites to ensure that everyone in your organization engages in specific conversations.
  • Set up channel moderation so that moderators can control who can start a new post in a channel, as well as who can reply. You may want it as an announcement-only channel, for example.
  • Remove accounts that might not belong, such as test accounts etc.

I also discovered you can convert an existing Team to an org-wide team if you want to. Again, this is an admin-required task.

Private Channels in org-wide Teams?

There is of course Private Channels also coming very shortly to Teams which can also be used to segregate aspects of your org-wide Team to, well, less than all the organisation… I’d probably suggest not using this function inside these kind of Teams (assuming it’s permitted).

Thanks for Reading.

Private channels for Teams are finally here.

What are Private Channels In Teams?

Updated: 4th Nov 19

Private Channels (which are being released this week) will allow team owners to limit which team members can see the conversation and content within a particular channel within a Team (kind of a private space between a wider Team). This allows team admins to right-size channel participation and exposure without having to create discrete teams to limit visibility. This can help with reducing team sprawl and can help with internal and B2B communications.

Private channels will be indicated by a small lock / padlock icon next to the channel within a Team.

  • Team owners will be able to see all channels and private channels
  • Team members will only be able to see and participate in private channels they have been added to.
  • Any member of a Team can create a private channel and they then become the owner of that private channel even if they aren’t the owner of the Team.
  • Private Channel owners can add and remove members just like with a Team but to be a member of the Private Channel, the user must be (at least) a member of the Team first.
  • External users/guests can be added to a Private Channel just like with a Team but again the guest must also be a member of the Team first.
  • Related to the above… YOU CANNOT USE A PRIVATE CHANNEL to invite guests and then only share certain information with them and not the rest of the Team.

But it’s not been an easy journey!

  • Private channels have been the most requested feature on User Voice
  • The feature has been in development for over two years now
  • On March 19th this year Microsoft announced that private channels will be coming out later this year
  • This week the upcoming change started appearing in customers’ Office 365 Message Centre
  • They start rolling out this week (Nov 4th)

Why do we need Private Channels in Teams?

Pretty much ever since Teams was released users have been asking (shouting) for Private Channels. The concept sounds straightforward enough; private channels would only be seen and accessible by the creator and whoever he/she invites. In practice, however, the feature has been a major development challenge.

According to the user requests and comments in Teams User Voice, people generally want more options when it comes to creating channels in Microsoft Teams. Specifically, they want channels that are:

  • Public-Open (Visible anywhere including outside the organisation that anyone can join)
  • Public-Invitation (Visible anywhere including outside the organisation; must be invited)
  • Company-Open (Only visible inside the organisation and anyone inside can join; those outside the organisation must be invited)
  • Company-Invitation (Only visible inside the organisation, must be invited)
  • Secret (Invisible to everyone except existing members, must be invited)

The need has raised quite a debate

What might seem a simple request has created lots of friction and almost Brexit-like opinion polls over the last couple of years.

The “pro” private channels camp want it because:

  • Private channels enable admins to have more granular control over who can and can’t access certain content.
  • Sensitive material can be more easily gated.
  • Having private channels would also make something like a manager/executive-only chat within a Team possible or make a customer focused team have an internal “private” area

The “anti” private channels camp don’t like the concept of private channels because:

  • Teams is all about open collaboration. It was designed to make working with others as seamless as possible. Once you’re in a Team you have access to everything in there so the concept of a private channel goes against the grain.
  • By implementing more controls and requiring the team owner to manage permissions for every private team that gets created, it can quickly become counter productive and ‘anti’ to the purpose of the platform.
  • Private channels can be seen as unnecessary. You can arguably create a new separate team if you want privacy.
  • If you want a private chat between two or more managers/execs, you could simply create and use a regular group chat.

These are all workable (though not necessarily as convenient) options.

Why has it taken so long to develop?

Outside of the long and extensive debates above, and Microsoft having to try to make sense of it, consult with large enterprises and even run early alpha tests with clients to test and confirm the pros and cons, the design and implementation of this feature has been complex.

In simple terms, Channels in Teams were not originally designed or created to be “blocked off” or isolated. Because of this, the architecture of channels doesn’t lend itself to being private and has had to be majorly modified to accommodate this feature.

There’s more to it than this though…

Every Team that’s created is enabled by other components of Office 365. For example, Teams need Planner for task management and SharePoint (that includes OneDrive) for file storage. If a certain channel in a Team became private…

  • SharePoint permissions would be broken.
  • Planner permissions would be broken.
  • Stream permissions would be broken.
  • Tab level permissions would be broken.

The engineering team at Redmond have had to overcome a whole load of technical and process integration obstacles to provide options for organisations who wish to make part of their open collaboration platform… not open!

I already use Teams? What do I need to do?

You don’t have to do anything. Private channels can be used, or disabled should IT not want this feature being used. Whilst not released yet, the options to control it are available now in the Teams policies settings in the Teams Admin Centre.

There isn’t a process to convert a Team into a channel within another team, so this is something you’ll need to think about, and there will be use cases for it that you’ll want to consider. A personal example for our organisation is where we have Team sites for customer project work which is internal and another customer Team site we use for sharing and collaborating with a customer.

We in effect have duplicate Teams today for this reason. I expect we will look to consolidate these down to one and use private channels within a wider channel that we will use for internal / company confidential communications and docs.

Of course… This also is a great time to look at house cleaning Teams across the estate…Time will tell on that one!

When is it available?

Private Channels is rolling out this week… so now (almost). Like all new features, they take a few days to roll out depending on your Office 365 release schedule.