Monthly Archives: December 2020

Microsoft Teams Storage Location

Microsoft Teams chats are persistent, which means a chat is always available unless a retention policy for Teams chat and channel messages, created in the Security & Compliance Center, retains or deletes the chat data.

But where are the chat data and the files shared in chat stored?

Teams stores chat data in a primary storage location and in a secondary location for compliance. Below are brief details of the Teams storage locations.

| Data | Primary Storage | Secondary Storage |
|---|---|---|
| Messages | The Chat service stores its messages in Azure Cosmos DB. | Compliance records for messages are stored in group and personal Exchange Online mailboxes (under a hidden folder in the mailbox). |
| Images | Media service (Azure) using blob storage. | Any images referenced in messages are also copied into compliance records and stored in Exchange Online. |
| Files | Personal files are in users' OneDrive for Business accounts. Files shared in channels are in the team's SharePoint document library. | – |
| Voicemail | Personal Exchange mailboxes. | – |
| Recordings | Meeting recordings are captured in a media service in Azure (blob storage). | Within 24 hours, the recordings are ingested by Stream and available as video/audio files there. |
| Calendars | Group and personal Exchange mailboxes. | – |
| Contacts | Personal Exchange mailboxes. | – |

Get Multi-factor authentication details for Microsoft 365 Users

Multi-factor authentication is a process where a user is prompted during sign-in for an additional form of identification, such as entering a code sent to their cellphone or providing a fingerprint scan.

In Azure AD, users can register for MFA using the link below. We can also use a conditional access policy to force users to register for MFA before we enforce MFA, to avoid any inconvenience.

https://aka.ms/mfasetup

Using the script below, we can get details of MFA-registered users and the methods they are using for MFA.

The script takes three parameters.

-UPN – Pass a single user's UPN to get that user's MFA details.

-UserList – Pass a list of users as a txt file, one UPN per line.

-All – Pass the All switch to get details of all MFA-registered users in your Microsoft 365 environment.

EXAMPLE 1 – This example will give MFA details of supplied UPN “User@domain.com”

Get-MFAUserDetails -UPN User@domain.com

EXAMPLE 2 – This example will give MFA details of users supplied in “MFAUPN.txt” file, one UPN per line, without any header.

Get-MFAUserDetails -UserList C:\temp\MFAUPN.txt

EXAMPLE 3 – This example will give MFA details of ALL Users enabled for MFA in your Microsoft 365 environment.

Get-MFAUserDetails -All

Download the script from here.

<#
.SYNOPSIS
  Script to get details of MFA enabled users.

.DESCRIPTION
  This script can be used to get details of MFA enabled users.

.NOTES
  Author Subodh Uniyal <TechCognizance@outlook.com>

  Disclaimer: Author holds no responsibility to damages caused due to incorrect use of this script.
  It is recommended that you run this script in your lab before using in production.

.EXAMPLE
  This example will give MFA details of supplied UPN "User@domain.com"

  Get-MFAUserDetails -UPN User@domain.com

.EXAMPLE
  This example will give MFA details of users supplied in "MFAUPN.txt" file, one UPN per line, without any header.

  Get-MFAUserDetails -UserList C:\temp\MFAUPN.txt

.EXAMPLE
  This example will give MFA details of ALL Users enabled for MFA in your Microsoft 365 environment.

  Get-MFAUserDetails -All
#>

Param
(
    # Path to a text file containing one UPN per line
    [Parameter(ValueFromPipeline=$true)]
    [String]$UserList,
    # A single user's UPN
    [String]$UPN,
    # Report on every user that has registered at least one MFA method
    [Switch]$All
)

# Connect to MSOL only if there is no current session
Write-Host "Checking Current MsolService Session"
try {
    Get-MsolDomain -ErrorAction Stop | Out-Null
} catch {
    Write-Host "No current session detected. Please supply credentials to connect to Microsoft Online Service"
    Connect-MsolService
}

$ReportPath = ".\"
$ReportName = "MFAReport_$(Get-Date -Format dd-MM-yyyy_hh-mm-ss).CSV"
$MFAReport  = $ReportPath + $ReportName

Function Get-MFAUserDetails
{
    Param
    (
        # MsolUser objects to report on
        [Object[]]$List
    )

    $Results = @()
    Foreach ($User in $List)
    {
        Write-Host "Processing user $($User.DisplayName)"
        $StrongAuthenticationRequirements = $User | Select-Object -ExpandProperty StrongAuthenticationRequirements
        $StrongAuthenticationUserDetails  = $User | Select-Object -ExpandProperty StrongAuthenticationUserDetails
        $StrongAuthenticationMethods      = $User | Select-Object -ExpandProperty StrongAuthenticationMethods

        # One row per user: licence state, registered phone/e-mail and the default method
        $Result = [PSCustomObject]@{
            DisplayName                                = $User.DisplayName
            UPN                                        = $User.UserPrincipalName
            IsLicensed                                 = $User.IsLicensed
            RememberDevicesNotIssuedBefore             = $StrongAuthenticationRequirements.RememberDevicesNotIssuedBefore
            StrongAuthenticationUserDetailsPhoneNumber = $StrongAuthenticationUserDetails.PhoneNumber
            StrongAuthenticationUserDetailsEmail       = $StrongAuthenticationUserDetails.Email
            DefaultStrongAuthenticationMethodType      = ($StrongAuthenticationMethods | Where-Object { $_.IsDefault -eq $True }).MethodType
        }
        $Results += $Result
    }
    $Results | Format-Table
    $Results | Export-Csv $MFAReport -NoTypeInformation
    $Location = (Get-Location).Path + "\" + $ReportName
    Write-Host "Results are saved in File $Location" -ForegroundColor Yellow
}

If ($UserList)
{
    $List = Get-Content -Path $UserList | ForEach-Object { Get-MsolUser -UserPrincipalName $_ }
    Write-Host "Processing with UserList provided, there are $(($List).Count) users to process."
    Get-MFAUserDetails -List $List
}
ElseIf ($UPN)
{
    $List = Get-MsolUser -UserPrincipalName $UPN
    Get-MFAUserDetails -List $List
}
ElseIf ($All)
{
    # Only users that have at least one strong authentication method registered
    $List = Get-MsolUser -All | Where-Object { $_.StrongAuthenticationMethods.Count -gt 0 }
    Write-Host "Processing with all users enabled for MFA"
    Get-MFAUserDetails -List $List
}
Else
{
    Write-Host "Please input at least one parameter, check help for details."
}
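The -All switch above only reports users who have already registered a method. The complement, enabled users with no MFA method registered at all, is the list an admin usually needs to chase. This is an added example, not part of the author's script; it assumes an existing MsolService session and writes its own CSV next to the script.

```powershell
# Added example (not part of the author's script): list enabled users that have
# NOT registered any MFA method, so the gap left by -All can be followed up.
# Assumes an MsolService session is already connected.

$Unregistered = Get-MsolUser -All -EnabledFilter EnabledOnly |
    Where-Object { $_.StrongAuthenticationMethods.Count -eq 0 } |
    Select-Object DisplayName, UserPrincipalName, IsLicensed,
        @{ Name = 'PerUserMFAState'; Expression = {
            # Enabled/Enforced for per-user MFA; empty when neither is set
            ($_.StrongAuthenticationRequirements | Select-Object -First 1).State
        } }

$Unregistered | Format-Table -AutoSize

$ReportName = "MFA_NotRegistered_$(Get-Date -Format dd-MM-yyyy_hh-mm-ss).csv"
$Unregistered | Export-Csv -Path ".\$ReportName" -NoTypeInformation
Write-Host "$(@($Unregistered).Count) enabled users have no MFA method registered. Report: $ReportName" -ForegroundColor Yellow
```

Licensed users in this list who are Enforced for per-user MFA will be prompted to register at next sign-in; licensed users with an empty state are the ones a conditional access registration policy is meant to catch.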

Recover Deleted Emails in Microsoft 365

In the previous article we learnt how to find the cause of emails deleted from a user's mailbox.

In a similar way, we can also recover selected deleted emails back to their original folder in the user's mailbox, without any import or export process.

Search items for a particular time frame:

Get-RecoverableItems -Identity User@domain.com -SourceFolder RecoverableItems -FilterStartTime "12/04/2020 00:00:00" -FilterEndTime "12/05/2020 23:00:00"

To restore these items, we can simply pipe the result to Restore-RecoverableItems and save the output. Once the command completes, examine RestoreLogs.csv for the items restored.

Get-RecoverableItems -Identity User@domain.com -SourceFolder RecoverableItems -FilterStartTime "12/04/2020 00:00:00" -FilterEndTime "12/05/2020 23:00:00"  | Restore-RecoverableItems | Export-Csv C:\Temp\RestoreLogs.csv -Append -NoType

If we want to restore only actual email items, we can use FilterItemType:

Get-RecoverableItems -Identity User@domain.com -SourceFolder RecoverableItems -FilterStartTime "12/04/2020 00:00:00" -FilterEndTime "12/05/2020 23:00:00"  -FilterItemType Ipm.Note | Restore-RecoverableItems | Export-Csv C:\Temp\RestoreLogs.csv -Append -NoType

If we want to restore only emails deleted from "Sent Items", we can filter on LastParentPath:

Get-RecoverableItems -Identity User@domain.com -FilterItemType Ipm.Note -SourceFolder RecoverableItems | where {$_.LastParentPath -eq "Sent Items"} | Restore-RecoverableItems | Export-Csv C:\Temp\RestoreLogfile.csv -Append -NoType

You cannot search folders in the archive mailbox. To search for deleted items across all locations, don’t pass a SourceFolder parameter to Get-RecoverableItems. For example, this search finds all deleted items for the specified mailbox:

$Items = Get-RecoverableItems -Identity User@domain.com

We can then filter the $Items variable and restore only the selected emails.
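The filter-then-restore step just described, carried through end to end: search all deletion locations, keep only email items that match a subject and were deleted from a chosen folder, review the selection, then restore and log it. This is an added example, not from the original post; it assumes a connected Exchange Online PowerShell session, and the subject and folder values are constructed samples.

```powershell
# Added example, not from the original post: search every deletion location of
# the mailbox (no -SourceFolder), keep only email items whose subject matches and
# that were deleted from a chosen folder, review them, then restore and log them.
# Assumes a connected Exchange Online PowerShell session; filter values are samples.
$Mailbox      = "User@domain.com"
$SubjectMatch = "Invoice"       # constructed sample subject fragment
$OriginalPath = "Sent Items"    # folder the items were deleted from
$LogFile      = "C:\Temp\RestoreLogs.csv"

# Without -SourceFolder, DeletedItems, RecoverableItems and PurgedItems are all searched
$Items = Get-RecoverableItems -Identity $Mailbox -FilterItemType IPM.Note -SubjectContains $SubjectMatch

# Narrow the hits to the folder they were deleted from
$Selected = $Items | Where-Object { $_.LastParentPath -eq $OriginalPath }

if (-not $Selected) {
    Write-Host "No recoverable items matching '$SubjectMatch' in '$OriginalPath' for $Mailbox"
    return
}

# Show what is about to be restored so the selection can be checked first
$Selected | Select-Object Subject, LastParentPath, LastModifiedTime | Format-Table -AutoSize
Write-Host "$(@($Selected).Count) item(s) selected for restore" -ForegroundColor Yellow

# Restore to the original folder and append the outcome to the log file
$Selected | Restore-RecoverableItems | Export-Csv -Path $LogFile -Append -NoTypeInformation
Write-Host "Restore log written to $LogFile"
```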

Location of Deleted Items –

  • DeletedItems: The Deleted Items folder in the user’s mailbox.
  • RecoverableItems: The Deletions sub-folder in the Recoverable Items folder of the user’s mailbox. This is where items go after they are removed from the Deleted Items folder. Exchange’s Single Item Recovery (SIR) feature holds items deleted from the Deleted Items folder in the Deletions folder until the deleted items retention period defined for the mailbox expires (typically 14 days with a maximum of 30 days). SIR exists to ensure that users have a reasonable chance of recovering deleted items if they make a mistake.
  • PurgedItems: The Purges sub-folder in the Recoverable Items folder. Deleted items kept due to a retention policy are stored here until the retention period set in the policy expires.

Searching for Specific Types of Deleted Items:-

  • IPM.Note: A standard email message item.
  • IPM.Appointment: A calendar meeting or appointment.
  • IPM.Task: A task.
  • IPM.Contact: A contact.
  • IPM.File: A file stored in the mailbox. These include files created by Office 365 as the result of some processing.

Search Mailbox Audit Logs in Office 365

There may be situations when end users report emails missing from their mailbox. They may have inadvertently deleted the emails themselves, but want to know the cause.

If mailbox auditing is enabled, we can find out the cause. Mailbox auditing is enabled by default in Microsoft 365.

The first step is to trace the emails and see whether they were delivered to or sent from the user's mailbox. We can use message trace for this.

To check the emails received –

Get-MessageTrace -RecipientAddress User@domain.com -StartDate 12/10/2020 -EndDate 12/18/2020 -Status Delivered

To check all emails addressed to the user, regardless of delivery status –

Get-MessageTrace -RecipientAddress User@domain.com -StartDate 12/10/2020 -EndDate 12/18/2020

If the emails appear in the trace results but are not in the user's mailbox, we need to investigate further.

Check whether mailbox audit logging is enabled for the user:

Get-Mailbox User@domain.com | ft PrimarySMTPAddress, AuditEnabled

Get the mailbox folder statistics to check whether there are deleted emails in the Recoverable Items folders:

Get-MailboxFolderStatistics "User@domain.com" -FolderScope RecoverableItems -IncludeOldestAndNewestItems | Format-List Name,FolderAndSubfolderSize

If auditing is enabled, we can check the mailbox audit logs and find the delete cause.

Search the Audit Logs for the user:-

Search-MailboxAuditLog User@domain.com -ShowDetails -StartDate 12/10/2020 -EndDate 12/18/2020 -ResultSize 250000 | Export-Csv -Path C:\Temp\Mailbox_Audit_Logs.csv -Notype

Open the audit logs in Excel and filter the Operation column for delete events.

Here, we can see that the mailbox owner deleted the emails from the "Sent Items" folder.
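The same question answered in PowerShell rather than by filtering the CSV in Excel: keep only the delete operations and summarise who performed them (Owner, Delegate or Admin), from which folder and with which client, then export the non-owner deletions for closer review. This is an added example, not from the original post; it assumes a connected Exchange Online PowerShell session and uses the sample mailbox and dates from above.

```powershell
# Added example, not from the original post: pull only the delete operations from
# the mailbox audit log and summarise who performed them, from which folder and
# with which client. Assumes a connected Exchange Online PowerShell session.
$Mailbox   = "User@domain.com"
$StartDate = "12/10/2020"
$EndDate   = "12/18/2020"
$DeleteOps = @("MoveToDeletedItems", "SoftDelete", "HardDelete")

$Entries = Search-MailboxAuditLog -Identity $Mailbox -ShowDetails `
    -StartDate $StartDate -EndDate $EndDate -ResultSize 250000 |
    Where-Object { $DeleteOps -contains "$($_.Operation)" }

# One row per actor type / user / folder / operation, most frequent first
$Entries |
    Group-Object LogonType, LogonUserDisplayName, FolderPathName, Operation |
    Select-Object Count, @{ Name = 'Actor, User, Folder, Operation'; Expression = { $_.Name } } |
    Sort-Object Count -Descending |
    Format-Table -AutoSize

# Deletions by anyone other than the mailbox owner deserve a closer look
$Entries | Where-Object { $_.LogonType -ne "Owner" } |
    Select-Object LastAccessed, LogonType, LogonUserDisplayName, Operation,
        FolderPathName, ClientIPAddress, ClientInfoString, ItemSubject |
    Export-Csv -Path "C:\Temp\NonOwner_Deletes.csv" -NoTypeInformation
```

If the summary shows only Owner entries against "\Sent Items", the user deleted the mail themselves; Delegate or Admin rows, or an unexpected ClientInfoString, are what to follow up.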

We can also use the script at the link below to search the audit logs –

https://docs.microsoft.com/en-us/office365/troubleshoot/audit-logs/mailbox-audit-logs

In the next article, we will learn how to restore deleted emails back to the user's mailbox.

Okta – You do not have permissions to perform the requested action

Issue – A user is not able to log in to Okta and gets the error below at the login screen.

Error – You do not have permissions to perform the requested action.

Search for the user in the Okta console and click "View Logs".

In the logs, we will see the following for the user's IP – "Request from suspicious actor" and "deny security.threat.detected".

If the user's IP is flagged, we can whitelist the IP after making sure that there is no bad actor behind it.

Create a zone for the IP –

Navigate to Security Tab -> Networks -> Add Zone -> Dynamic Zone -> Add the IP address that you need to whitelist

In some cases you will not see the "Dynamic Zone" option, so just click "Add Zone".

  • Zone name – Provide a name for the Zone, like "IndividualIPWhitelist".
  • Gateway IPs – Provide the IP you want to whitelist.
  • Proxy IP – If the IP that got blacklisted is a proxy IP, add it here; if you are not sure, add the IP here as well.
  • Click Save

Navigate to Security Tab -> General -> Scroll to the end of the page -> Edit the ThreatInsight Section -> Add the Zone you created earlier, e.g. "IndividualIPWhitelist".

Bypassing Focused Inbox

In Microsoft 365 and Outlook.com, Focused Inbox separates your inbox into two tabs – Focused and Other.

Important emails land on the Focused tab, while promotional, bulk and auto-generated emails land on the Other tab.

Outlook uses machine learning to separate emails between the Focused and Other tabs.

We can control this setting from Outlook on the web or using Microsoft 365 PowerShell.

1. Disable Focused Inbox on Outlook on the Web :-

Log in to Outlook on the web -> Mail -> Layout -> Don't sort my messages.

2. Disable Focused Inbox on Outlook :-

Users can also adjust the Focused Inbox settings in Outlook.

On the View tab, click "Show Focused Inbox".

3. To change settings for some emails :-

From your inbox, select the Focused or Other tab, and then right-click the message you want to move.

Move to Focused – If you want only the selected message moved.

Always Move to Focused – If you want all future messages from the sender to be delivered to the Focused tab.

4. To disable Focused Inbox using Microsoft 365 PowerShell :-

Connect to Microsoft 365 PowerShell.

To view Focused Inbox Setting –

Get-FocusedInbox -Identity User@domain.com

To disable focused Inbox –

Set-FocusedInbox -Identity User@domain.com -FocusedInboxOn $false

To enable focused Inbox –

Set-FocusedInbox -Identity User@domain.com -FocusedInboxOn $true

5. Disable/Enable Focused Inbox at the organization level :-

To view the settings –

Get-OrganizationConfig | fl Focused*

To disable the Focused Inbox at organization level –

Set-OrganizationConfig -FocusedInboxOn $false

To enable the Focused Inbox at Organization level –

Set-OrganizationConfig -FocusedInboxOn $true

6. Force an email to show in Focused Inbox –

There may sometimes be a requirement to show an important email in users' Focused Inbox, such as an HR or Payroll communication.

We can create a transport rule that forces this by setting the header "X-MS-Exchange-Organization-BypassFocusedInbox" to true.

Create using UI :-

Create using PowerShell –

New-TransportRule -Name "Bypass Focused Inbox" -From "Payroll@domain.com" -SetHeaderName "X-MS-Exchange-Organization-BypassFocusedInbox" -SetHeaderValue "true"