Sam Buccieri-Gillett

My feedback

  1. 287 votes
    11 comments  ·  Office 365 Security & Compliance » Auditing
    Sam Buccieri-Gillett commented  · 

    I see it's possible to get the full, not truncated audit log string for 'updated user' events in the unified audit log via the Azure portal, as detailed in a comment here:

    https://answers.microsoft.com/en-us/msoffice/forum/msoffice_o365admin-mso_dep365-mso_o365b/how-to-get-full-details-from-office-365-audit-log/a4e8767e-7095-412c-b1a2-f48f76d2eb6e

    That thread is now inexplicably locked, and I've found that exporting the CSV from the Azure Portal provides a malformatted file; there are commas within some fields, so parsing it as a comma-separated CSV is impossible, and it would take some crazy regex to make it readable. Even after you've done that you'd have to write some custom parser for the actual data, since it's not in any standard format.

    I'm guessing there are some 3rd party solutions out there for £££?

    Sam Buccieri-Gillett supported this idea  · 
  2. 137 votes
    6 comments  ·  Office 365 Security & Compliance
    Sam Buccieri-Gillett commented  · 

    Client Access Rules feature promised to resolve this, but now it's released it seems that it does not, as it is impossible to block EWS and MAPI (OutlookAnywhere) clients from using Basic Authentication.

    Sam Buccieri-Gillett supported this idea  · 
  3. 390 votes

    Thanks for taking the time to provide this feedback. We’ve updated the TechNet documentation (https://technet.microsoft.com/library/mt842508(v=exchg.150).aspx) to clear up confusion around which authentication type and protocol combinations are supported in CARs. Expanding support for more combinations could prevent bad actors with valid credentials from accessing mailbox content, but it wouldn’t help with scenarios like password spray attacks or malicious lockout attempts because CARs are evaluated post-authentication. There’s work underway on a solution that covers a broader array of basic authentication scenarios – we’ll share more details as soon as possible. In the interim, this blogpost (https://cloudblogs.microsoft.com/enterprisemobility/2018/03/05/azure-ad-and-adfs-best-practices-defending-against-password-spray-attacks/) outlines the recommended approach for forcing multi-factor authentication when using AAD and ADFS.

    Sam Buccieri-Gillett shared this idea  · 
  4. 1,747 votes
    85 comments  ·  Office 365 Admin
    Sam Buccieri-Gillett supported this idea  · 
