Exchange Online mailbox defaults to Pacific Time
Mailboxes in Exchange Online have two timezones; one in regional settings and the other in working hours. These are both set to Pacific Standard Time by default, regardless of where in the world the mailbox is created or what tenant or Exchange regional settings are in place. This behaviour is by design, according to Microsoft support. The first time a mailbox is accessed by a user, these settings are determined based on their location and the defaults are changed automatically (most of the time)....
FIDO? Schmido!
In my last post I looked at the state of authentication for non-technical folk, pointing out that there are too many barriers and an insufficient amount of scaffolding to lift them off the ground floor. The answer that’s come back from Microsoft and others is ‘just use FIDO2’ – but this apex method isn’t without its own issues. No phone, no problem! If you’re not familiar with what FIDO2 involves, have a look at this session from last year’s Microsoft Ignite; it’s one of the clearest explanations I have seen....
Dropping the ball on MFA
At the February Microsoft 365 Security & Compliance user group, Eric Woodruff (@msft_hiker), author of Eric On Identity, gave an excellent presentation on the topic of passwordless authentication. This struck a chord with my recent experience in the field, particularly in terms of the new Authentication Strengths feature in Azure AD. This post is based on my Q&A with Eric and feedback I submitted to the Azure AD team (thanks to the brilliant @merill for that) and sets it in a wider picture, namely that we’re making better technology than we’re using; there seems to be a gap in terms of getting the security we know we need into widespread practice....
Microsoft Connected Cache (standalone) private preview
I’ve put this post together as an update for a number of schools who have asked me how we’re going on our Private Preview of MCC and will try to keep it generally updated on our progress. I’ll start with a bit of background though, for anyone new to this. You had me at DOINC The best product acronym Microsoft ever devised was DOINC, for the Delivery Optimisation In-Network Cache. This was a service that would store local copies of Windows and Office apps and updates so that client devices could access a fast, consistently-connected local copy rather than downloading from peers or over the Internet....
NPS RADIUS with AADJ – Part 2
Microsoft made a decision to force what they consider to be insecure certificate bindings out of use, placing my great little workaround for modernising NPS onto life support. When their planned changes kick in, my own fleet of Azure AD-joined devices will be kicked out. Third-party products exist which solve this problem by operating independently of AD, however in a cash-strapped education context they aren’t financially viable against the negligible cost of running NPS....
SC-200 Notes
I’ve been tacking in the direction of cybersecurity in recent years and specifically within the Microsoft 365 suite. I took the Security Administrator track on my Enterprise Admin certification and didn’t find that too difficult as it was grounded in my day-to-day. This one was pushing the boat out as it’s more Azure-based and honestly I wasn’t expecting to pass first time, but it fairly soaked up these dull days between Christmas and New Year!...
The end of an era
In a couple of weeks I’m leaving this vast, beautiful island and my home for the last decade to return to the substantially smaller, wetter and greener one of my birth. This is for family reasons (lots of missed time over the covid years) and is thankfully not goodbye; my role has changed to accommodate remote work until next year and I’ll hopefully retain a stake thereafter pending my eventual return down the track....
Code debt and custom sandboxes
Schools can hardly be the only organisations with legacy applications in regular use for vital ’line-of-business’ functions. Hopefully for the most part these are visible to IT, securely contained and have an end-of-life date with a succession plan rather than being adopted through choice into a modern desktop environment. A while ago I encountered a nasty and unavoidable case of the latter and had to figure out a solution. The application I was tasked to deploy was for processing sensitive financial data on our most heavily-secured devices and relied on Internet Explorer and Java....
User bypass of policy-enforced browser extensions
By most estimates, Chromium browsers have a 70-80% market share and are deployed in academic and enterprise environments across the globe. Policy-based management is vital to ensure a uniform user experience and enforce security controls, yet on Windows bypassing some aspects of this as a restricted, non-admin user is trivial. This is concerning because schools may rely on these settings for duty of care and student protection. Enter Extensions In recent posts I’ve outlined why Internet security is important for schools and how network-based monitoring and filtering solutions are no longer sufficiently comprehensive to be viable in isolation....
HTTPS inspection: a lost cause
HTTPS inspection is a function provided by many Internet security vendors marketed at schools and businesses since it promises to remove encryption from web traffic and ensure that everything is visible to the filtering system where it can be checked for malware or flagged for inappropriate content. This worked fairly well a decade ago but in the post-Snowden era of pervasive encryption and advancing Internet security standards, this cannot deliver what it once promised and instead puts us and our networks at risk....