Every Question Tells a Story – Mitigating Ransomware Using the Rapid Cyberattack Assessment Tool: Part 1

They say that a picture is worth 1,000 words.

But in some cases, the questions that you ask can also help tell a very interesting story.

Let me explain.

All of us are familiar with the devastating effects of ransomware that we saw last year in the WannaCry, Petya, NotPetya, Locky and SamSam ransomware attacks. We read the stories of the massive financial impact these attacks had on their victims, and we can only imagine the stress that the individuals in the IT departments of the impacted organizations went through trying to recover.

You may know that Microsoft has created a tool called the Rapid Cyberattack Assessment. The intent of the tool is to help an organization understand the potential vulnerabilities and exposures they have to ransomware attacks so that they can take steps to keep from being the next victim.

But like I said – every question tells a story – and in this tool there are many questions that an IT admin needs to ask himself or herself, and there’s a story behind each of these questions that helps make the tool’s value evident.

Let’s take a look at the tool and as we go through the tool I’ll try to give you the story behind each question.

Preparing the Environment

First, let’s download the tool itself.

It’s a free download from Microsoft, located here:

https://www.microsoft.com/en-us/download/details.aspx?id=56034

It’s important to download both the executable (RCA.exe) and the requirements document. The requirements document is also important, because if you don’t set up the tool correctly as well as the target machines, you likely won’t get some information that’s very valuable.

Conditions

First of all, you need to be aware that the Rapid Cyberattack Assessment tool runs in an Active Directory environment, and against Windows machines only. Any machines that you target with the tool must be part of an Active Directory domain. Additionally, the tool is limited in scope to 500 machines.

What should you do if your environment is larger than that?

There are really two simple options:

  1. Assess your entire environment in 500 machine chunks. Run the tool against a specific OU or group of OU’s that total no more than 500 machines. You can also just create lists (maybe exported from a spreadsheet) and use that as input for the tool. This method will definitely take a little bit of time and it won’t give you a single, comprehensive report view, either.
  2. Take sample machines from a number of different departments and run the tool against them. With this method, you would take (as an example) 50 machines from HR, 50 machines from Finance, 50 machines from Sales, etc…and run the tool against them. It doesn’t capture data on every single machine in the environment, but the tool is designed to give you an idea of where your exposures lie, and that would most likely be revealed in even a random sampling of machines. You can reasonably assume that any vulnerabilities identified in that subset of machines likely exists elsewhere in the environment as well.

Personally, if I was running the tool in my own environment and we had more than 500 machines, I would choose the second option. It gives me a rough idea of the issues I have to resolve and helps me prioritize them. If my environment has more than 500 machines, I’m probably managing them with some sort of automation tool anyway (like System Center Configuration Manager), so I don’t have to know exactly how each machine is configured. I’ll just define what the standard should be and push out that configuration.

Hardware and Software

Installing the Rapid Cyberattack Assessment tool itself isn’t hard at all. You simply run the RCA.exe executable. There aren’t any options or choices to make other than agreeing to the license terms. Likewise, the machine you run the tool from doesn’t have a lot of requirements. It should be:

  1. Server-class or high-end workstation running Windows 7/8/10 or Windows Server 2008 R2/2012/2012 R2/2016.
  2. It’s preferable to have a machine with 16 GB+ of RAM, a 2 GHz+ processor and at least 5 GB disk space.
  3. The machine should be joined to the Active Directory domain you will be assessing.
  4. Microsoft .NET Framework 4.0 must be installed
  5. Optionally, you may want Word, PowerPoint and Excel installed to view the reports. But you can also just export the reports and view them on a machine that has Office installed already.

Account Rights

The service account you use to run the tool needs to be a domain user who has local administrator permissions to all the machines within the scope of the assessment. The account should also have read access to the Active Directory forest that the in-scope computers are joined to.

Network Access

The machines you are trying to assess obviously must be reachable by the assessing machine. Therefore, there must be unrestricted access from the tools machine to any of the in-scope domain joined machines. By “unrestricted access” we mean you should make sure there are no firewall rules or router ACLs that would block access to any of the following protocols and services:

  • Remote Registry
  • Windows Management Instrumentation (WMI)
  • Default admin shares (C$, D$, IPC$)

If you are using Windows Advanced Firewall on the in-scope machines, you may need to adjust the firewall to allow the assessment tool to run.

You can configure this using a Group Policy targeted at the in-scope machines. To do this, follow these steps.

  1. Use an existing Group Policy object or create a new one using the Group Policy Management Tool.
  2. Expand the Computer Configuration/Policies/Windows Settings/Security Settings/Windows Firewall with Advanced Security/Windows Firewall with Advanced Security/Inbound Rules
  3. Check the Predefined:radio button and select Windows Management Instrumentation from the drop-down list. Click 
  4. Check the WMI rules for the Domain Profile. Click Next
  5. Check the Allow the Connectionradio button and click Finish to exit and save the new rule.
  6. Make sure the Group Policy Object is applied to the relevant computers using the Group Policy Management Tool

You would then do the same thing for: Allow file and Print sharing exceptions

For the Remote Registry Service, you want to set the service to Automatic startup for the duration of the assessment.

  1. Open the Group Policy editor and the GPO you want to edit.
  2. Expand Computer Configuration > Policies > Windows Settings > Security Settings > System Services
  3. Find the Remote Registry item and change the Service startup mode to Automatic
  4. Reboot the clients to apply the policy

That should be enough to get you started.

In the next post, I’ll walk you through the survey questions in the Rapid Cyberattack Assessment tool.

https://blogs.technet.microsoft.com/cloudyhappypeople/2018/09/10/every-question-tells-a-story-mitigating-ransomware-using-the-rapid-cyberattack-assessment-tool-part-2/

I think you’ll find the stories revealed by the questions to be quite interesting.

Are You Following Teams Tuesdays?

Microsoft Teams has proven to be one of the biggest product releases of FY18 for Microsoft, with over 200,000 customers rolling it out within just a year!

If your organization hasn’t yet rolled out Teams, or if you are in the middle of planning your deployment, be sure to check out the Microsoft Teams webinar series, being delivered by the One Commercial Partner Modern Workplace team of architects.

This is what’s on the agenda for the Teams Tuesday webinars for the next few months!

 

August 21, 2018

Using Automation to Provision Teams, Groups and Modern Communication Sites

In this webinar, we’ll provide you with guidance on how you can leverage automation to standardize, secure and simplify your Microsoft Teams rollout.

 

August 28, 2018

Understanding the Microsoft Teams Free Version

The new free version of Microsoft Teams raises a lot of questions for partners and customers alike. In this session, we’ll walk you through the limitations and use case scenarios for the freemium version of Teams and help you articulate the value of the full version.

 

September 4, 2018

Quality Management for Microsoft Teams

How do you prepare you network for the increased audio and video traffic that comes along with a Microsoft Teams deployment? And then once you have it deployed, how do you validate the quality on an ongoing basis? Join Andy McLaughlin in this session to learn the tricks of the trade!

 

September 18, 2018

Upgrade and Interop with SfB

There is a lot of confusion around the upgrade and interop story with Skype for Business Online and Microsoft Teams? How will it work? What are the caveats? What will partners need to do to transition customers? JoAnn Boxrud will help clear up the cobwebs in this webinar.

 

October 2, 2018

Managing Microsoft Teams Effectively

One of the great things about Microsoft Teams is that, once it takes hold in an environment, it spreads virally. As a partner, you may be asked to help manage this growth in a way that allows an organization to maintain control over data leakage, limit the use of guest access, standardize the way Teams are deployed, and so on. Robert Gates will provide tips form the pros in this webcast.

 

October 9, 2018

Planning for User adoption and Customer Success with Microsoft Teams

There’s much to consider when deploying Microsoft Teams. Join us for a discussion about what you can do today to help customer Teams deployments go smoothly. We provide the latest in guidance and outline the building blocks required to help make all of your Microsoft Teams customer deployments a success.

 

October 16, 2018

Deep Dive into Direct Routing

Direct Routing is one of the new capabilities in Teams to support Voice. What implementation options exist for Direct Routing? How do you configure Direct Routing? What are the requirements? Find out in this session.

 

October 23, 2018

Understanding Guest Access in Microsoft Teams

Guest Access in Microsoft Teams is one of the most important features in enabling collaboration between an organization and its partners, vendors and affiliates. What needs to be done to enable Guest Access? What are the limitations on what a guest can do? How do i audit guest access? These are some of the questions that will be covered in this webinar with Kevin Martins.

 

Look interesting? Then sign up here!

https://msuspartner.eventbuilder.com/?landingpageid=dst1ny

There are also lots of recorded webcasts that you can go back and review at your leisure.

Hope to see you on the next Teams Tuesday!

 

 

Leverage the Microsoft Graph with Azure Active Directory Identity Protection to Identify Network Threats

What is Azure Active Directory Identity Protection?

Azure Active Directory Identity Protection is a feature built into the Azure AD Premium P2 license. The P2 SKU is important if you want to configure SharePoint Limited Access, CAS Proxy, or perform actions related to identity protection or control of privileged identities. The Azure AD Premium P2 (AADP P2) licensing is included with the Enterprise Mobility & Security E5 license, but can be added on to other licensing, such as the EM&S E3 license.

What’s great about it is that it also allows you to use the Microsoft Graph to query your Azure AD tenant and identify potential threats to your organization and even configure an automated response to them. This post will show you how to find these sorts of events in your organization, with a very simple script.

It only takes about 5 minutes to set up, so let’s get started!

What Do I Need to Do This?

For the steps below, I’m using a trial tenant with Office 365 E5 and EM&S E5 licensing (which as mentioned above, includes the Azure AD Premium P2 licensing). This means I don’t have a fully-functioning Azure tenant, where I can set up virtual machines, web apps, containers and so on – but I have enough to do the steps below.

First, I log in to my Office 365 tenant and go to the Admin Centers and click on my Azure Active Directory admin center. I can, of course, just go to http://portal.azure.com and log in there, but this just helps illustrate the connection between the Office 365 tenant and Azure AD.

 

Click on the Azure Active Directory icon and see all the properties of the Azure Active Directory instance that underpins my Office 365 and EM&S tenant.

 

I click on App registrations, as shown below:

 

 

Click on New application registration

 

 

 

 

 

 

Now I fill in the properties for the new application registration.

The values below will work as shown.

 

Click Create when finished.

Click on the Settings gear as shown below:

 

 

One of the settings is Required permissions .

Click on the arrow to expand this property.

Next, click on Add to set up permissions for connecting to the Graph API.

You have the option of selecting which API you want to grant access to.

Click on the Select an API arrow.

 

You’ll now see a bunch of API’s that you can connect to.

For our purposes, we’ll choose the Microsoft Graph, which contains security event information.

 

Click Select at the bottom of that pane.

Now click on Select permissions.

 

In the Enable access page, scroll down till you see the Read all identity risk event information line.

Click the checkbox next to that line and then click Done.

You should see the Windows Graph in your Required permissions page.

Click on Grant permissions to apply the permissions you just selected.

 

When you click on Grant permissions, you’ll be asked for confirmation, so click Yes if you agree.

 

Back in the Settings page of your Application, click on Keys.

 

Configure an access key as shown below and click Save.

 

You should see the access key value in the field below.

Copy this key and save it somewhere. You’ll use it in the script as the $ClientSecret variable.

 

Back on the Properties of the application itself, you will also see the Application ID value.

Copy this value somewhere as well. This will be used in the script as the $ClientID variable.

Use a PowerShell script to connect to Microsoft Graph and Look for Identity Risk Events

The script below can be used to query the Microsoft Graph for identity risk events. You’ll need to fill in the following values:

  • $ClientID
  • $ClientSecret
  • $tenantdomain

For my script, it looked like the screen capture below.

 

 

 

I deleted the application after running the script so these credentials aren’t valid anymore.

Shown below is the sample script for querying the Microsoft Graph to capture identity risk events.

$ClientID       = "Application ID value from the Registered App properties page "       # Should be a ~36 hex character string; insert your info here
$ClientSecret   = "Password value from the Keys page" # Should be a ~44 character string; insert your info here
$tenantdomain   = "Tenant name"   # For example, contoso.onmicrosoft.com

$loginURL       = "https://login.microsoft.com"
$resource       = "https://graph.microsoft.com"
$body      = @{grant_type="client_credentials";resource=$resource;client_id=$ClientID;client_secret=$ClientSecret}
$oauth     = Invoke-RestMethod -Method Post -Uri $loginURL/$tenantdomain/oauth2/token?api-version=1.0 -Body $body
Write-Output $oauth
if ($oauth.access_token -ne $null) {
   $headerParams = @{'Authorization'="$($oauth.token_type) $($oauth.access_token)"}
   $url = "https://graph.microsoft.com/beta/identityRiskEvents"
   Write-Output $url
   $myReport = (Invoke-WebRequest -UseBasicParsing -Headers $headerParams -Uri $url)
   foreach ($event in ($myReport.Content | ConvertFrom-Json).value) {
       Write-Output $event
   }
} else {
   Write-Host "ERROR: No Access Token"
}

 

Once you fill in the appropriate values for your environment, you can run the script in PowerShell and it will find any identity risk events associated with your tenant.

What Information Does It Provide?

In my tenant, it found one identity risk event, as shown below:



What this tells me is that on February 26, 2018 there was an AnonymousIPRiskEvent that took place using Allan DeYoung’s user account.

It looks like someone logged in with his credentials using a TOR browser, and it was classified as a medium risk event.

Additionally, I am able to see the location where this event took place and the IP address associated with it.

From there, I am able to start tracking down what happened and see if it poses any risk to my network or Allan’s account.

What other types of events would we be able to identify? Microsoft Graph contains identify events such as:

  • Impossible travel to atypical locations (Did you log in from New York and then 5 minutes later try to log in from an IP address in Indonesia?)
  • Sign-in events from unfamiliar locations (Is the location you are signing in from outside of your typical login patterns?)
  • Sign-ins from an infected device (Is the device where the login was attempted communicating with a botnet server?)
  • Sign-ins from IP addresses with suspicious activity (Maybe an IP address where a number of login attempts are taking place for lots of different accounts, which could indicate a brute force password attack)

We can categorize the risk events because the Microsoft Graph maintains information related to billions of login events each month. That means we can detect anomalies and determine whether they are just a user who forgot their password three times, or some sort of automated attack against that user’s account.

This is a very simple example, but you could configure something like this to run periodically and dump the events to a SIEM, allowing you to collect all your security related events in a single place and have them reviewed by your security team.

There are LOTS of other event types you can query on using the Microsoft Graph API (and the other application-specific API’s). I encourage anyone who manages the security for a network to take advantage of these API’s and create automated scripts that can capture risk events on your network.

Have fun with Microsoft Graph!

Secure Your Office 365 Tenant – By Attacking It (Part 2)

By David Branscome

 

In my previous post (https://blogs.technet.microsoft.com/cloudyhappypeople/2018/04/04/secure-your-office-365-tenant-by-attacking-it ), I showed you how to use the Office 365 Attack Simulator to set up the Password Spray and Brute Force Password (Dictionary) Attacks.

What we often find, though, is that spear phishing campaigns are extremely successful in organizations and are often the very first point of entry for the bad guys.

Just for clarity, there are “phishing” campaigns and there are “spear phishing” campaigns.

A phishing campaign is typically an email sent out to a wide number of organizations, with no specific target in mind. They are usually generic in nature and are taking the approach of “spreading a wide net” in hopes of getting one of the recipients to click on a URL or open an attachment in the email. Think of the email campaigns you’ve likely seen where a prince from a foreign country promises you $30 million if you’ll click on this link and give him your bank account information. The sender doesn’t particularly care WHO gets the email, as long as SOMEBODY clicks on the links.

On the other hand, a spear phishing campaign is much more targeted. In a spear phishing campaign, the attacker has a specific organization they are trying to compromise – perhaps even a specific individual. Maybe they want to compromise the CFO’s account so that they can fraudulently authorize money transfers from the organization by sending an email that appears to be coming from the CFO. Or maybe they want to compromise a highly-privileged IT admin’s email account so that the attacker can send an email asking users to browse to a fake password reset page and harvest user passwords. The intent with a spear phishing campaign is to make the email look very legitimate so that the recipients aren’t suspicious – or perhaps they even feel obligated to do as instructed.

What Do I Need?

As you can imagine, setting up a spear-phishing campaign takes a little more finesse than a brute force password attack.

First, decide WHO the sender of the spear phishing email will be. Maybe it’s HR requesting that you log in and update your benefits information. Or perhaps it’s the IT group asking everyone to confirm their credentials on a portal they recently set up.

Next, decide WHO you want to target with the campaign. It may be the entire organization, but keeping a low profile as an attacker also has its advantages.

You’ll probably want to use a realistic HTML email format so that it looks legitimate. The Attack Simulator actually provides two sample templates for you, as we’ll see below. Using the sample templates makes the campaign very easy to set up, but as you get more comfortable using the Attack Simulator, you will likely want to craft your own email to look more like it’s coming from your organization.

That should be enough to get us started.

Launching a Spear Phishing Attack

In the Attack Simulator console, click on “Launch Attack”.

 

At the Provide a name to the campaign page, choose your own name, or click on “Use template”. If you click on “Use template” you will see two template options to choose from. I’ve chosen “Prize Giveaway” below:

 

Next, select the users you want to “phish”. You can select individual users or groups.

 

 

On the next page, if you’ve selected a template, all the details will be filled in for you. One important value to note here is the Phishing Login server URL. Select one of the phishing login servers from the drop down. This is the way the attack simulator is able to track who has clicked on the URL in the email and provides reporting.

Note that the URL’s for the phishing login servers are NOT actually bad sites. They are sites set up specifically for the purposes of this tool’s functioning.

 

 

In the Email body form, you can customize the default email. Make sure that you have a variable ${username} so that the email looks like it was sent directly to the end user.

 

 

Click Confirm, and the Attack Simulator will send the email out to the end users you specified.

Next, I opened the Administrator email account that I targeted and saw this:

 

 

Notice that it customized the email to the MOD Administrator account in the body of the email.

If I click on the URL (which points to the http://portal.prizesforall.com URL we highlighted earlier) I get sent to a website that looks like this.

 

Finally, if I click on the reporting area of the Attack Simulator, I can see who has clicked on the link and when.

 

 

Okay. But seriously…would you really have clicked on that URL?

Probably not.

So how do you make it a little more sophisticated?

Let’s create a more realistic attack.

In this attack we will use the Payroll Update template, which is very similar to what you might actually see in many corporate environments.  You can also create your own HTML email using your organization’s branding and formatting.

 

 

I’ll again target the MOD Administrator because he seems like a good target, since he’s the O365 global admin (and seems to be somewhat gullible).

In this situation though, instead of sending from what appears to be an external email address (prizes@prizesforall.com, used in the previous attack) I’m going to pose as someone the user might actually know. It could be the head of HR or Finance or the CEO. I’ll use the actual email address of that person so that it resolves correctly.

Notice that this templates uses a different phishing login server URL from the drop down. You’ll see why in a second.

In the Email body page, we’ve got a much more realistic looking email.

It should be noted, though, that if you make the email look ABSOLUTELY PERFECT and people click on the URL, what have they learned? It’s best to provide a clue in the email that a careful user would notice and recognize as a problem. Maybe send the official HR email from someone who isn’t actually in HR, or leave off a footer in the email that identifies it as an official HR email. Whatever it is, there should be something that you can use to train users to look out for.

So if you read the email template below carefully, you’ll see some grammatical errors and misspellings that should be a “red flag” to a careful user.

 

 

Again, you Confirm the settings for the attack and the attack launches.

Going to the MOD Administrator’s mailbox….that’s much more realistic, wouldn’t you say?

 

 

When I click on the “Update Your Account Details” link, I get sent to this page, where I’m asked to provide a username and password, which of course, I dutifully provide:

 

 

Notice, however, that the URL at the top of the page is the portal.payrolltooling.com website – even thought the page itself looks like a Microsoft login page. Many attacks will mimic a “trusted site” to harvest credentials in this manner. When you’re testing you can use any email address (legitimate or not) and any password for testing – it isn’t actually authenticating anything.

Once I enter some credentials, I am directed to the page below, which lets me know I’ve been “spear phished” and provides some hints about identifying these kind of attacks in the future:

 

 

And finally, in the reporting, I see that my administrator was successfully spear phished.

 

The Value of Attack Simulations

This is all interesting (and a little bit fun) but what does it really teach us? The objective is that once we know what sort of attacks our users are vulnerable to (password or phishing are the two highlighted by this tool), then we can provide training to help enhance our security posture. Many of the ransomware attacks that are blanketing the news lately started as phishing campaigns.

If we can take steps to ensure that our users are better equipped to identify suspicious email, and help them select passwords that aren’t easily compromised, we help improve the organization’s security posture.

 

 

 

 

 

Secure Your Office 365 Tenant – By Attacking It (Part 1)

By David Branscome

I’ve been waiting several months for this day to arrive. The Office 365 Attack Simulator is LIVE!

If you log into your Office 365 E5 tenant with the Threat Intelligence licensing, it shows up here in the Security & Compliance portal.

When you click on it, the first thing it will tell you is that there are some things you need to set up before you can run an actual attack. There’s a link that says, “Set up now” (in the yellow box shown below). After you click that link, it says the setup is complete, but you’ll have to wait a little while before running an attack. (I only had to wait about 10 minutes when I set it up)

 

It also reminds you that you need to have MFA (multi-factor authentication) set up on your tenant in order to run an attack. This makes a lot of sense, since you want to ensure that anyone who runs the attack is a “good guy” on your network.

To set up MFA, follow the steps here:

Go to the Office 365 Admin Center

Go to UsersActive users.

Choose MoreSetup Azure multi-factor auth

 

Find the people who you want to enable for MFA. In this case, I’m only enabling the admin account on my demo tenant.

Select the check box next to the people you want to enable for MFA.

On the right, under quick steps, you’ll see Enable and Manage user settings.

Choose Enable.

 

 

 

In the dialog box that opens, choose enable multi-factor auth.

The Attacks

Spear Phishing

With a spear phishing attack, I’m sending an email to group of “high-value” users – maybe my IT admins, the CEO/CFO, the accounting office, or some other user group whose credentials I want to capture. The email I send contains a URL that will allow me to capture user credentials or some other sensitive data as part of the attack. When I set up this attack, it needs to look like it’s coming from a trusted entity in the organization. Maybe I’ll set it up to make it appear as though it’s coming from the IT Security group asking them to verify their credentials.

Brute Force Password (a.k.a., Dictionary Attack)

In this attack, I’m running an automated attack that just runs through a list of dictionary-type words that could be used as a password. It is going to use lots of well-known variations, such as using “$” for “s” and the number 0 for the letter O. If you thought Pa$$w0rd123 was going to cut it as a secure password on your Office 365 account, this attack will show you the error of your ways.

This type of attack is pretty lengthy in nature because there are thousands of potential guesses being made against each user account. The attack can be set up to vary in frequency (time between password guesses) and number of attempts.

It’s important to note that if a password is actually found to be successful, that password is NOT exposed to anyone – even the admin running the attack. The reporting simply indicates that the attack was successful against Bob@contoso.com, for example.

Password Spray Attack

A password spray attack is a little different from the brute force password attack, in that it allows the admin/attacker to define a password to use in the attack. These would typically be passwords that are meaningful in some way – not simply an attempt using hundreds, or thousands of guesses. The password you use could be something like the name of a football team mascot and the year they won a championship, or the name of a project that people in one department are working on. Whatever criteria you select, you define what password or passwords should be attempted and the frequency of the attempts.

Ready? Let’s go hunting…

Launching a Password Spray Attack

First, I’ll try the password spray attack. I’ve set up several accounts in my test tenant with passwords that are similar to the one I’ll attempt to exploit – which is Eagles2018!. Notice that, by most criteria, that’s a complex password – upper and lower case, alphanumeric and it includes a special character, but it’s also a fairly easily-guessed password, since the Philadelphia Eagles won the Super Bowl in 2018 (though it pains me to say that).

I’ve set up a couple users with that password to ensure I get some results.

I go to my Attack simulator and click on Launch Attack.

The first screen is where I name the attack.

 

 

Next, I select the users I want to target. Notice that I can select groups of users as well.

 

 

Now I manually enter the passwords I want to use in the attack.

 

 

Confirm the settings, click Finish and the attack will begin immediately.

If I go back to my Attack Simulator console, I can see the attack running.

 

 

After the attack completes, I see the users who have been compromised using the password.

(Yes, I’ve reset their passwords now, so don’t try and get clever.) 😊

Now I politely encourage ChristieC and IrvinS to change their password to help ensure their account security.

Launching a Brute Force Password (Dictionary Attack)

Again, I’ve set up a couple accounts with some pretty common password combinations (P@ssword123, P@ssw0rd!, etc..)

I walk through the configuration of the attack, which is very similar to the Password Spray attack setup.

 

I set up my target users as before, and then I choose the attack settings.

In this case, I uploaded a text file containing hundreds of dictionary passwords, but you can create a sampling of several passwords by entering them manually one at a time in the field above the Upload button.

 

As the attack runs, you’ll see something like the screenshot below. Remember, if you have a large number of users and a very large wordlist for the dictionary attack, this attack will run for quite some time as the simulator cycles through all the possible variations for each user.

 

And again, when the simulation is complete, you’ll want to caution DiegoS on his lack of good password hygiene.

In my second blog post, I’ll show you how to do a Spear Phishing Attack. These are the REALLY sneaky ones….

Stay tuned!

 

“Argh…My Skype for Business Recording Failed!!”

By David Branscome

 

I recently received a call from a colleague who had been working on a two-hour Skype for Business meeting.

At the end of the call, she went into her Recording Manager to get the recorded meeting but saw that the recording for the meeting had failed. It was showing up as “0 bytes” in size.

When we browsed to C:Users%USERNAME%AppDataLocalMicrosoftCommunicatorRecording ManagerTemporary Recording Files we saw this:

So, we were pretty sure that the files were available, they just hadn’t been finalized at the end of the meeting into a single file. But how do you fix it?

Actually, the fix was pretty easy.

First, start a new Skype for Business meeting. It can be a meeting with just one person.

Once the meeting is started, share out your desktop.

Now start the recording.

 

Immediately afterward, pause the recording as shown below:

 

Go to the temporary recording files path:

C:Users%USERNAME%AppDataLocalMicrosoftCommunicatorRecording ManagerTemporary Recording Files and locate the folder with the temporary files for the RECORDING YOU JUST PAUSED. It should be easy to locate based on the time stamp.

Open that folder and delete all the files EXCEPT the file named lock.lock.

Next, go back to the C:UsersdabranAppDataLocalMicrosoftCommunicatorRecording ManagerTemporary Recording Files path and locate the folder for the FAILED recording. Again, you can use the timestamps on the files to ensure you have the right files. Select all the files in this folder and copy them using either CTRL-C or the Copy command

At this point, you should have all the files from the folder of the original FAILED Recording copied over into the folder for the NEW, paused recording.

Now, from your Skype for Business client, STOP the recording for the meeting you initiated earlier. This will start the process of combining all the files from the FAILED recording into a single, functional recording.

 

 

Go into your System Tray in the lower right corner and click on the Recording Manager icon and select “Open”

 

Ensure that the New recording is being compiled, as shown by the green progress bar.

 

 

In a few minutes (depending upon the length of the original meeting), your file should be completely recovered and ready to use!

The End of Support for Older TLS Versions in Office 365

by David Branscome, with a callout to Joe Stocker at Patriot Consulting for the heads-up!

The SSL/POODLE Attack Explained

UPDATE: As per the support article listed here (https://support.microsoft.com/en-us/help/4057306/preparing-for-tls-1-2-in-office-365) We will be extending support for TLS 1.0/1.1 through October 31, 2018 in order to help ensure our customers are adequately prepared for the changes.

 

As most of you know, there was a significant vulnerability identified in the SSL 3.0 protocol back in 2014, named POODLE (Padded Oracle On Downgraded Legacy Encryption).

The problem was this: SSL 3.0 is basically an obsolete and insecure protocol. As a result, it has been, for the most part, replaced by its successors, TLS 1.0 and TLS 1.2. The way a client-server encryption negotiation sequence would typically work is that the client would contact a server, and through a handshake process, agree on the highest level of security over which they both can communicate. So, for example, a client makes a request to a server and says, “I’d like to use TLS 1.2 for our communication, but I can also use TLS 1.0, if you need to.” The server responds with, “I don’t speak TLS 1.2, but I do speak TLS 1.0, so let’s agree to use that.” They then use that downgraded protocol as their preferred encryption method. The downgrade sequence could ALSO downgrade the encryption to use SSL 3.0, if necessary.

However, even in situations where client and server both support the use of the newer security protocols, an attacker with access to some portion of the client-side communication could disrupt the network and force a downgrade to the SSL 3.0 encryption. This is typically referred to as a man-in-the-middle attack, because the attacker sits on the network between two parties and captures their communication stream. This is an altogether separate type of attack, unrelated to the POODLE vulnerability itself, and must be defended against using other methods.

Anyway, now that the attacker has successfully forced SSL 3.0 encryption to be used, and the attacker has access to the communication stream, the attacker can attempt the POODLE attack and get access to decrypted information between the client and the server.

When this vulnerability came out, there was a significant amount of work done worldwide to mitigate the impact and scope of the issue. The vulnerability in SSL 3.0 itself couldn’t be remediated because the issue was fundamental to the protocol itself. Because of this, the best solution for organizations was simply to disable support for SSL 3.0 in their applications and systems.

So That Was 3 Years Ago….

As described in the links at the bottom of this article, Microsoft still supports the use of TLS 1.0 and 1.1 for clients connecting to the Office 365 service. However, due to the potential for future downgrade attacks similar to the POODLE attack, Microsoft is recommending that dependencies on all security protocols older than TLS 1.2 be removed, wherever possible. This would include TLS 1.1/1.0 and SSL v3 and V2.

The problem here is that many operating systems and applications have a hardcoded protocol version to ensure interoperability or supportability. In Windows 8 and Windows Server 2012 and higher, the default protocol that is used is TLS 1.2 – which is good.

However, in Windows 7 and Windows 2008 R2, TLS 1.0 was the default protocol. In fact, TLS 1.1. and 1.2 were actually configured as “disabled”. See the table below:

 

 

As outlined in the article “Preparing for the mandatory use of TLS 1.2 in Office 365”, this is going to present a problem if your organization is still using Windows 7/Vista clients. Why?

Because on October 31, 2018, Microsoft Office 365 will be disabling support for TLS 1.0 and 1.1. This means that, starting on October 31, 2018, all client-server and browser-server combinations must use TLS 1.2 or later protocol versions to be able to connect without issues to Office 365 services. This may require certain client-server and browser-server combinations to be updated.

Our internal telemetry of client connections indicates that this shouldn’t be a problem for most organizations, since the majority are not using TLS 1.0 or 1.1, anyway. However, for the network you manage it’s probably a good idea not to simply assume everything will be great. 😊

As an example, if you’re using any on-premises infrastructure for hybrid scenarios or Active Directory Federation Services, make sure that these infrastructures can support both inbound and outbound connections that use TLS 1.2.

How Do I Know if I Need to Take Action?

A new IIS functionality makes it easier to find clients on Windows Server 2012 R2 and Windows Server 2016 that connect to the service by using weak security protocols.

https://cloudblogs.microsoft.com/microsoftsecure/2017/09/07/new-iis-functionality-to-help-identify-weak-tls-usage/

There are also some simple checks available from Qualys Labs to check browser compatibility – https://www.ssllabs.com/ssltest/viewMyClient.html as well as the certificate and encryption configuration on your servers with SSL certificates – https://www.ssllabs.com/ssltest/ .

Hopefully these checks will help you to ensure that your organization is ready when the change is made to the Office 365 services early next year.

Additional Resources

Preparing for the mandatory use of TLS 1.2 in Office 365

https://support.microsoft.com/en-us/help/4057306/preparing-for-tls-1-2-in-office-365

Solving the TLS 1.0 Problem

https://www.microsoft.com/en-us/download/confirmation.aspx?id=55266 

Disabling TLS 1.0/1.1 in Skype for Business Server 2015 – Part 1 and 2

https://blogs.technet.microsoft.com/nexthop/2018/04/18/disabling-tls-1-01-1-in-skype-for-business-server-2015-part-1/

https://blogs.technet.microsoft.com/nexthop/2018/04/18/disabling-tls-1-01-1-in-skype-for-business-server-2015-part-2/

Implementing TLS 1.2 Enforcement with SCOM

https://blogs.technet.microsoft.com/kevinholman/2018/05/06/implementing-tls-1-2-enforcement-with-scom/

Exchange Server TLS Guidance

https://blogs.technet.microsoft.com/exchange/2018/01/26/exchange-server-tls-guidance-part-1-getting-ready-for-tls-1-2/

https://blogs.technet.microsoft.com/exchange/2018/04/02/exchange-server-tls-guidance-part-2-enabling-tls-1-2-and-identifying-clients-not-using-it/

https://blogs.technet.microsoft.com/exchange/2018/05/23/exchange-server-tls-guidance-part-3-turning-off-tls-1-01-1/

Intune TLS Guidance

https://blogs.technet.microsoft.com/intunesupport/2018/06/05/intune-moving-to-tls-1-2-for-encryption/

Preparing for TLS 1.0/1.1 Deprecation – O365 Skype for Business

https://techcommunity.microsoft.com/t5/Skype-for-Business-Blog/Preparing-for-TLS-1-0-1-1-Deprecation-O365-Skype-for-Business/bc-p/223608

Moving Your Office 365 Groups to Microsoft Teams – Getting Past the Gotchas

By now, most of us know that Microsoft Teams is built on Office 365 Groups. Additionally, many customers had been using Office 365 Groups for some of their collaboration before Microsoft Teams was released. That means that there are a number of Office 365 Groups out there, that may need to be converted to Microsoft Teams. The general process for using an Office 365 Group as the foundation for a Microsoft Team is well documented, and it would seem to be fairly straightforward. However, as anyone who has actually done this knows, it isn’t quite that simple.

The purpose of this article is to help you move the data that may exist in your Office 365 Group – such as email, OneNote, Planner, etc…over to a newly created Microsoft Team.

We’ll start with a brand-new Office 365 Group, create some content and then convert everything over to a new Team.

Let’s get started…

 

Creating the Office 365 Group and Populating it with “Stuff”

Let’s start by creating a new Office 365 Group so we know exactly what happens.

Here, I am creating an Office 365 Group named O365-TeamsUpgrade. Notice that it has been created with the default Privacy setting of “Private”.

 

 

 

 

 

 

 

 

 

 

 

 

Next, I add some of my team members to the Group.

 

 

 

 

 

 

 

 

 

 

 

 

Now my Office 365 Group is ready to go, and I have all the usual things in my configuration.

 

 

 

 

 

 

 

 

I can send email to the group, because every Office 365 Group has an associated email address. As expected, the email and meeting invites show up in the Office 365 Group mailbox, which exists in Exchange Online.

 

 

 

 

 

 

 

 

 

 

I go to Files and create a Word document.

 

 

 

 

 

 

 

 

 

 

 

 

Next, I go into my Notebook and create some content in the Office 365 Groups OneNote

 

 

 

 

 

 

I can go into Planner next and create some content there….

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Lastly, I click on the Site link and I see the SharePoint Site.

 

 

 

 

 

 

 

If I go to the Documents library I see the Word document that I created just a few minutes ago.

So, we all agree I have legitimate content in my Office 365 Group, right? Right.

Okay, now comes the fun part –converting it to Microsoft Teams.

 

Upgrading to a Microsoft Team

In my Microsoft Teams client, I click “Add team”.

 

 

 

 

 

 

 

Next, I click on Create team.

 

 

 

 

 

 

 

 

 

 

 

 

In the next dialog box, I can create a brand-new Team, or as shown below, I can create one from an existing Office 365 Group. That’s what I want to do, so I click on that link.

 

 

 

 

 

 

 

 

 

 

 

 

 

It now provides me with a list of the Office 365 Groups for which I am the Owner, and which are set to Private visibility.

 

 

 

 

 

 

 

I click the radio button and click Create team.

NOTE:

When upgrading an Office 365 Group to a Microsoft Team, there are several points that you must keep in mind:

You must be the Owner of the Office 365 Group

The Office 365 Group visibility must be set to Private. If it is not set to Private, you can set it to Private long enough to do the switch and then turn it back to Public once you’ve switched it over to a Microsoft Team.

There cannot be a Team that already exists with the name of the Office 365 Group you intend to convert. If it exists already, you’ll end up with two disconnected objects. For example, I created a brand-new Team with the same name as my Office 365 Group.

 

 

 

 

 

 

 

 

 

It lets me create the Team with that name, but it doesn’t bring over any of the content from the Office 365 Group with the same name.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Lastly, Teams doesn’t support these characters: ~#%&*{}+/:<>?|'”.. This, if any of your Office 365 Groups are named using those characters, you won’t be able to convert them to a Microsoft Team without renaming them.

Not cool, man…not cool

So far, everything is going just swimmingly, wouldn’t you say? Now I just open up my brand-spanking-new Microsoft Team and I see all the stuff from my old Office 365 Group, which has been converted over, just like magi……..wait….what happened? It only moved over the group membership? Where’s my super important Word document???? Where’s my Planner? Where’s the OneNote?

 

 

 

 

 

 

 

 

 

Let’s investigate…

Files

If we go back to our Office 365 Group (it still exists), we see our Word document still sitting in the Files area. On the far-right side, click on “Browse Library”.

 

 

 

 

 

 

Microsoft Teams stores documents and files in a folder in the SharePoint Document Library which is named for the Channel.  By default, the only channel that exists in a new Microsoft Team is named “General”. Therefore, the SharePoint library shows me that my Word document is sitting outside of the General channel, as you see below.

 

 

 

 

 

 

 

 

 

If I select my Word document and click on the ellipsis, I can choose to move the document.

 

 

 

 

 

 

 

 

 

Let’s move it to the General folder. You can move all of your documents to the General folder, or if you have more channels in your Team, you can move them to any channel you like.

 

 

 

 

 

 

 

 

 

 

 

 

I now go to my Team and there’s my Word document in the General folder!

 

 

 

 

 

 

 

 

 

 

OneNote

But wait, I also had some business-critical information in OneNote. Where did that go?

Well, unfortunately there aren’t any really great options for moving your OneNote from an Office 365 Group over to a OneNote in Teams.

Here’s one way to do it:

In your Teams client, go to the channel of your preference, and click on the “+” sign to add a tab to that channel. In this case, I’m adding a tab to the General channel.

 

 

 

 

 

 

 

You’ll be presented with a number of options. Select the one that says OneNote.

 

 

 

 

 

 

 

 

 

 

 

Create a new OneNote notebook, and name it whatever you like. For my example, I’ll name it O365-TeamsUpgrade01

 

 

 

 

 

 

 

 

 

If I go back now to my Office 365 Group, I see the newly created OneNote notebook, and it exists beneath the notebook that existed already.

 

 

 

 

 

 

 

 

Now I can copy the individual pages from one notebook to the other. I right-click on the page and select “Copy”.

 

 

 

 

 

 

 

I switch over to the new notebook, right-click and select “Paste”.

 

 

 

 

 

 

 

For my example, I deleted the “Untitled Page” and I’m left with only the page from my original OneNote.

 

 

 

 

 

 

 

And back in my Microsoft Teams client, everything looks good as well.

 

 

 

 

 

 

 

 

Planner

Mercifully, moving your Planner files over is relatively easy.

First you go into the new Microsoft Team and select the “+” sign to add another tab to the appropriate channel. Click on the Planner icon.

 

 

 

 

 

 

 

In the next dialog window, select “Use an existing plan”, and from the drop-down menu, select the name of the appropriate Office 365 Group.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

And just like that, all your Planner information is switched over to Microsoft Teams.

 

 

 

 

 

 

 

 

 

 

 

Email

The last thing that needs to be converted over is email.

Again, there unfortunately isn’t a great story there yet. Here’s one idea that you can use.

As we have seen, each Team channel has its own email address. You can get that email address by going to the channel (such as General), clicking the ellipsis and selecting “Get email address”.

 

 

 

 

 

 

 

Copy the SMTP address, which is the section that’s highlighted below – 62057b2c.microsoft.com@amer.teams.ms (Yours will be different).

 

 

 

 

 

 

 

 

Now, go back to your Office 365 Group, select the email you want to move and click on “Forward”. In the new email window, copy the email address for the Teams channel into the “To” field in the email and click “Send”.

 

 

 

 

 

 

 

 

Go back to your Teams – General channel and you’ll see the email that has been forwarded from the Office 365 Group email inbox.

 

 

 

 

 

 

 

 

This is definitely not the easiest process in the world, and it tends to be error-prone if you have lots of email, but it will get the email conversations moved over.

Now, there may still be some people who will accidentally use the Office 365 Group email address. How do you account for that? One way is to add the new Microsoft Team as a member of the Office 365 Group.

Go in to the membership of the Office365 Group and click “Add members”.

 

 

 

 

 

 

 

 

 

 

In the dialog window, select the email address of the Microsoft Teams channel where you want the new emails to be delivered.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

In my case, I select the email address beginning with “62057b2….” and click “Save”.

Next, go into the Group settings and select “Manage group email”.

 

 

 

 

 

 

 

 

 

 

 

 

In the dialog box, select “Follow in inbox” and click “Save”.

 

 

 

 

 

 

 

 

 

 

 

Now, when an email is sent to the address of the Office 365 Group, it is also sent to the email address of the Microsoft Teams channel that I have designated, as you can see below.

 

 

 

 

 

 

 

 

 

 

 

Well, that was easy, wasn’t it?

Obviously, I’m being a little sarcastic…this isn’t the easiest process, and there are certainly ways that much of it can be scripted, but for a quick and dirty way to move a few Office 365 Groups over to Microsoft Teams, it should be sufficient for your needs.

 

 

 

 

 

 

Killing Sessions to a Compromised Office 365 Account

David Branscome
Partner Technical Architect

We live in a world full of nasty threats to our online environments. One of your end users might click on a link that they shouldn’t and they get sent to a location where a piece of malware is installed on their machine and it captures their user credentials. In many cases, the goal of the attacker is to compromise a user account – ANY user account – and then move forward from there. Maybe their goal is to use that email account to send spam email or access organizational data for exfiltration. Or maybe the bad guy wants to have access to the environment so that he can gather confidential information and misuse it.

If an account in your Office 365 environment is compromised in this way, what can you do?

We have to recognize that there are two basic approaches to the problem:

Watch what the bad guy does so that you can take legal action against them

In this case, the actions we take will be done on the advice of the customer’s legal team and will be designed to establish a legal framework for prosecution. For example, there may be a scenario where an employee has been fired, but he knows the CEO’s password – maybe because the CEO left it on a sticky note on his monitor? Nah. That NEVER happens. The fired employee then decides to access the CEO’s mailbox for some nefarious purpose.

What can we do in this situation? Again, on the advice of the customer’s legal team, you may want to take steps such as the following:

  1. Put the CEO’s mailbox on Litigation Hold so that the data in the mailbox is preserved in its entirety. https://technet.microsoft.com/en-us/library/dn743673(v=exchg.150).aspx
  2. Configure Exchange Transport Rules so that all incoming as well as outgoing email is also forwarded to a second mailbox for preservation. https://technet.microsoft.com/en-us/library/jj919238(v=exchg.150).aspx
  3. If the compromise is severe enough, it may be advisable to set up a new, temporary Office 365 tenant so that communications related to the legal case are handled out-of-band and cannot be seen by the bad actor. This tenant would be where the legal team, IT and the users whose accounts have been compromised can communicate without the risk of their email being read by the bad guy.

Kill the session to block access to all Office 365 resources

The thing to remember about this effort is that we have to do more than simply block access to the mailbox. The user’s identity can be leveraged across multiple Office 365 services, so we have to block access to all those additional services as well. The challenge is that, in order to improve performance, the services often will cache the credentials of the user for a period of time, which means that EVEN IF you change the user’s password, there will be a period of time when the bad actor can remain authenticated and do damage.

That means that we have to break the sessions that allow them to connect to any of the services. There are three ways we can accomplish this:

For the first method, we need to sign in to the Office 365 Admin portal. Then go to Users –> Active Users, and then select the account of the compromised user. Expand OneDrive Settings, go to the Sign-out area, and click on the Initiate link. Notice that this will sign out users from all Office 365 sessions across all devices, but it will still allow the user to sign in. That means the bad actor can immediately sign back in and go about his day. We’ll address password change in a moment.

When you click Initiate, the service begins killing the sessions for the user on all their devices.

At this point, it’s a good idea to also block further sign-ins for the user. Granted, it’s impactful, but so is having a compromised account.

To block sign in, from the properties of the compromised user account, go up to Sign-in status and edit the status.

 

Change the status of the account to “Sign In Blocked

With the sign-in blocked, nobody (good or bad) can re-authenticate using that account until an administrator unblocks the account. When you click Save, notice the recommendation given.

This reminds us that another good idea is to change the user’s password.

 

The second method is specific to SharePoint and uses the SharePoint Online PowerShell Module, which can be downloaded here: https://www.microsoft.com/en-us/download/details.aspx?id=35588 . Once you have it installed and have connected to your tenant (Steps are here https://technet.microsoft.com/en-us/library/fp161372.aspx) run the Revoke-SPOUserSession cmdlet, as shown below.

The third method actually goes beyond just the Office 365 services and kills all active user sessions in any Azure AD application. To use this method, download the Azure AD PowerShell Module here (https://docs.microsoft.com/en-us/powershell/azure/active-directory/install-adv2?view=azureadps-2.0).

Once installed, connect to your Azure AD tenant and kill all sessions by using the Revoke-AzureADUserAllRefreshToken cmdlet, as shown below.

Changing the Password

All of this is great, but as we mentioned earlier, if we don’t change the user password, then all we’ve done is make the bad guy sign in again. This is where it can get kind of tricky, especially in a scenario where we have directory synchronization taking place between an on-premises environment and Azure AD.

Remember, it doesn’t do any good to just configure the user properties to have the user change their password at the next logon. The bad guy can try to login, get the prompt to change the password, and change it to whatever he or she wants to use!

If the password is being synchronized to Azure AD, you’ll need to use the Get-MSOLUser cmdlet to identify the LastDirSyncTime and LastPasswordChangeTimestamp value to ensure that the password change has also been synchronized to Azure AD. Make sure that, if the user changed their password in the on-premises directory, the password synchronization has taken place.

 

What Else Can I Do?

If none of these seem to have blocked access to the mailbox of the compromised user by the bad actor, one more thing you can do is perform a mailbox move. This would effectively break any current sessions the bad actor had open. If the password was changed and synchronized correctly, then the bad actor should not be able to log in again with the old credentials.

To move a mailbox in Office 365, use PowerShell to connect to Exchange Online using these steps: https://technet.microsoft.com/en-us/library/jj984289(v=exchg.160).aspx

Once you are connected, just run New-MoveRequest compromisedUser@contoso.com -PrimaryOnly.

Depending on the size of the mailbox, this could be fairly quick, but for very large mailboxes, it could take a couple hours to move.

One more thing! Don’t forget about mailbox delegates. If a bad actor granted Full Mailbox delegate access to another user, and the delegate user account was also compromised, then the bad actor would retain access to the original mailbox anyway! Therefore, make sure you check the mailboxes and accounts of any delegates of the compromised user so that you are removing all unwanted access to the original mailbox.

Conclusion

There aren’t many things as unnerving and disheartening to an IT admin as finding compromised accounts in your environment. When you find them, don’t panic!

Following a logical set of steps can help you clean up your environment and get things back to their natural order, where you sit back and collect accolades for a job well done, all day long!

 

 

 

 

 

“NOW it makes sense!” – Microsoft’s Collaboration Story in a Single Slide

By David Branscome

Partner Technical Architect

 

Who knew PowerPoint would make my day today?

One simple, elegant, PowerPoint slide.

And just like that, the picture of Microsoft’s collaboration strategy became clear and explainable.

This is the slide I’m talking about.

The slide was part of the presentation given by Microsoft’s Office 365 Marketing Chief, Ron Markezich at Ignite this week, and it answered visually what has often been a very challenging question to answer from partners and customers – namely, “What Microsoft collaboration tool should I use for scenario X?”

The reason for the question is obvious. There’s an abundance of tools available for communicating with people inside and outside your organization – Yammer, Teams, Skype for Business, Outlook, Office365 Groups, SharePoint – never mind all the other options like public folders, email distribution lists, OneDrive, and so on. The problem has never been “Is there a tool that will allow me to share this content with somebody?”. Rather, the problem has been “How do I explain to my end users or my customers which tool is best suited for a particular task?”

There is a very well written, detailed whitepaper named ““When To Use What” in Office 365” that you can download here. http://www.2tolead.com/whitepaper-when-to-use-what-in-office-365/ It does a great job of laying out the many options and the specific scenarios where a given tool would be the optimal solution. But here’s the problem: it’s more than 60 pages long.

Anybody in IT knows that you will never be able to get an end user to read a 60-page whitepaper – no matter how well written – and synthesize the information from it. It just won’t happen. To be honest, most of us would be lucky to get the end users to read the email pointing them to the whitepaper.

But Ron Markezich’s slide is digestible. It’s something you could show to an end user and they would “get it”. They would understand when to use a given tool and know how to use it.

Breaking Down the Slide

The principles are simple:

Microsoft Teams is best suited for scenarios where you are working with a group of people on a given project. These are the people in your “Inner Loop” (or “Circle of Trust” as I prefer to call them). Because Microsoft Teams is built on Office 365 Groups, this group of people will have access to the SharePoint site created by default for each Team. That’s where I can share documents and files with the Team. If you’re a member of that Team – you have access. Since an Office 365 Group is also mail-enabled, I can send email to the Team channel so that everyone has access to the information in the email. Teams also incorporates all the features you love from Skype for Business – Instant Messaging, Presence, Conferencing, calling capabilities, etc… Teams keeps the conversations in a persistent, threaded format, so we can always go back and review questions that came up or decisions that were made. And with the recently announced Guest Access capabilities for Teams, you can extend the reach of your Team outside your organization. In effect, Microsoft Teams is a portal into Office 365.

Yammer expands the scope of who has access to a given set of content and the conversations. The people in your Yammer group are the “Outer Loop”. Sure, you still like and trust the people in your Outer Loop, but it’s a different type of interaction. Information and conversations flow much more organically and is likely not going to be project -specific. At Microsoft, our Yammer groups are more likely to be centered around certain technologies (such as Skype for Business Voice) or areas of expertise (“Security” or “Education”) than to be focused on a project (“Contoso Azure Deployment”). This allows for people to jump into Yammer groups at any time and still benefit from the historical knowledge of the Yammer group. And just like with Teams, new Yammer groups are built on Office 365 Groups, so the Yammer group has access to OneNote, a Planner for managing tasks, a SharePoint team site and document library.

And then there’s Outlook. Good old, reliable, “I know how to use this”, Outlook. We all know that Outlook is often the easiest tool for sharing a file….one time. But things start to get sticky when you have to ask multiple people to edit the document or comment on it. Then we run into versioning issues, and you have to find the right copy of the file in your email thread…it’s just not the best tool for really collaborative work on a large team. Rather, Outlook is good for targeted communications – confirming an appointment with a customer, verifying information in a proposal, asking your boss for days off (which is personally my favorite email to write). Now the neat thing is that Outlook also allows you to connect to the mailboxes for Office 365 Groups. This allows you to view and reply to email messages that land in the mailbox of the Office365 Groups you are a member of directly from your Outlook client.

Back to Reality

Now let’s be honest for a moment, shall we?

Even with a single PowerPoint slide, some of your end users are going to get confused about when to use which tool. There will be questions that still come up:

  • How many users can be in a Team vs a Yammer group?
  • Can I restrict channels within a Team to only certain members of the Team?
  • What’s the right way to remove someone from a Team or a Yammer group?
  • How do I manage compliance concerns with Yammer or Teams?
  • How do I manage communications over SO MANY individual Teams and Yammer feeds?

…and the list goes on.

Those are all valid questions and they’ll require some end user training and guidance. But the basic framework of how to select the right tool for the job is still the same. My suggestion would be to take that one slide and use it when training your end users. It gives them something that is simple enough to understand in just a few moments and points them in the right direction. They will always have questions – and that’s why a great adoption planning and training program is so important or any rollout of new technology. But with the right planning and the right tools at your disposal, you’ll be successful.

Who would have thought one PowerPoint slide could help you do all that?