Teams Real Simple with Pictures: Configuring Zero Hour Auto Purge (ZAP) for Teams through PowerShell now in Preview

Ok, first things first - congratulations to all the Microsoft MVPs who were renewed this week! It was awesome to see so many friends, and so many passionate community members, earn the award after their incredible efforts last year. Blogging. Speaking. Feeding back to product teams. Sharing code. Running events. Staffing events. Writing books. Even social media. You name it. Jeff Teper - CVP of Microsoft SharePoint and Microsoft Teams - often refers to them at events and on social as being part of 'The Best Community in Tech'. It's something I would have to agree upon, having known many of them now for some time. So congrats again MVPs! And with that out of the way for another year, let's move on to the blog, which is a shorter one this week and a direct follow-up to a recent blog on ZAP within the new Collaborative Security for Microsoft Teams. Now, only last month I recommended sticking with the security presets, given that since it came out in March there didn't appear to be a separate ZAP policy for Teams and that the settings for Exchange Online and Teams appeared to be bound together. But in a message issued through the Message Centre this week, it was announced that Microsoft is 'adding new Teams Protection cmdlets to control ZAP for Teams'. More so, 'Going forward, please utilise the new cmdlets to control ZAP and quarantine policies for Microsoft Teams'. So the good news all up is that management starts becoming more granular, and you can have different ZAP policies for Exchange Online and Teams if and when you need them. On the other hand, it's likely going to raise a few questions, such as: if the policies are set in PowerShell moving forward, will they then surface in the Microsoft 365 Defender Portal and the security presets? And if they are set in PowerShell, will changes made in the Microsoft 365 Defender Portal overwrite them?
Whilst this blog is an awareness piece regarding the cmdlets and serves as an addendum to the previous blog based on personal testing, I would actively encourage admins to go on and test further. Being in preview, and with so much evolving so quickly, it's fair to state that we don't ultimately know the destination or the final intended behaviours and user experience, as nothing is confirmed beyond these cmdlets. Whilst I would wager that there will be a change in the GUI so that ZAP policies for Exchange Online and Teams are distinct and explicit, that you will see the specific Teams Protection policies on quarantined items, and that everything will fit flush within the presets, well, you just never know, or when that's going to land. So let's look at something that comes with a load of caveats but at the same time will be central to how ZAP for Teams is managed moving forward.

Teams Real Simple with Pictures: Collaboration Security for Microsoft Teams – Zero-Hour Auto Purge (ZAP)

Over the last month we've gotten into it on two of the four components of Collaboration Security for Microsoft Teams which were announced back at Secure in March - Attack Simulation and End User Reporting. Both seem really solid adds. I personally think that both are worth the price of the P2 in order to bring this XDR functionality into Teams. So let's push on and investigate the third component - one which has been part of Exchange Online for some time - which is Zero-Hour Auto Purge. Typically known by its acronym ZAP, in the context of Teams it 'protects end-users by analyzing messages post-delivery and automatically quarantines messages that contain malicious content to stop the actor from compromising the account'. So it is a retroactive automated protection feature which goes after malware, spam and phishing messages. Furthermore, 'once a malicious message is identified, the entire Teams environment will be scanned for that same indicator of compromise and quarantine relevant messages at scale for more effective protection'. Sounds good. Sounds like it's going to be a real big help to admins who cannot be on hand - or are expected to be on hand - to continuously monitor their users' chats in Teams 24/7. So let's see ZAP in action. It is currently in preview like the other components, and on by default if a P2 licence is assigned and CSMT is lit up via the shell. Of all the components within CSMT this is the one I see changing the least by the time GA comes around, since it just works. But having tested over the past few days, there appear to be some hefty limitations at the time of writing - and ones that as Microsoft 365 admins we need to know upfront, even though we know it's only at the preview stage. One. ZAP only works on private chat and private group chat currently. Channel conversations aren't supported today. Given that channel messages are housed in shared mailboxes within the Microsoft 365 group construct, that's surprising.
But hey, that's exactly what happened with loop components, so I am pretty sure that will arrive at some point. Two. On the testing I did this weekend it only seems to work for messages within the organisation currently. In other words, no federated chat support for messages sent to or received from others outside the organisation. That's probably the biggest limitation here in terms of day-to-day use, or the likelihood of something malicious getting in. Three. During testing I noticed it doesn't seem to cover meeting chat, which is also important, especially if the org allows anonymous users to join meetings. Now, these could be blockers for many organisations. Or they may not be, given that these orgs could be adding CSMT in preview primarily for the other components. It'll be important to support all three moving forward, but looking past this, the preview does a good job of showing you how ZAP works if you have something to test it with.

Teams Real Simple with Pictures: Collaboration Security for Microsoft Teams – End User Reporting

My memory is a little hazy as I approach my 40th year on this earth next week, but it doesn't seem too long ago that Teams was added into Defender for Office 365. And when I think of the two together, I typically think about Safe Attachments and Safe Links, and their application via built-in security policies, or through custom policies within the Microsoft 365 Defender Portal. But now - after Microsoft Secure a few months back - we have seen the introduction of 'Collaboration Security for Microsoft Teams'. Sounds awesome. And I almost had to crack a smile whilst I was sitting there in that hotel room in Paris doing Secure, since I actually worked on parts of it over recent months through inner ring testing without ever knowing what it was meant to be, or what the totality of it was. By definition CSMT is 'the full feature set that customers use to protect their email environments across prevention, detection, and response to Microsoft Teams'. In other words, it's bringing Teams fully into its Extended Detection and Response (XDR) solution, which is Microsoft 365 Defender, which correlates signals and alerts across other domains such as identities and endpoints. Why is this important? In the words of Microsoft, 'Attacks like phishing and ransomware that for decades have primarily used email as an entry point, are now also targeting users on collaboration tools with growing frequency', which makes sense given that Teams is now used by over 300 million users worldwide - many of whom, it is fair to say, are not protected to the extent they could be. So who can use CSMT? 'If you are a customer of Microsoft E5, Microsoft E5 Security, or Microsoft Defender for Office 365 (here meaning Plan 2, not Plan 1) you can take advantage of [this set of new capabilities] immediately and improve the security of your Microsoft Teams'. Very exciting then.
Now, this blog post was in fact meant to come out a month ago and was meant to be the lead-off to a whole CSMT series, but a bug in my Ring 4 test environment meant I had to do attack simulation first. C'est la vie. We are going to enable CSMT and report a suspicious message for our security admins.

Teams Real Simple with Pictures: Launching an Attack Simulation in Teams with Collaborative Security

It's done. Vuzion is now Infinigate Cloud. And from my own practice perspective the Teams and the SharePoint sites have been rebuilt. The lists, and the flows, and the loops, and the Power BI reports. And all has been migrated. There has been legal to do. There has been some architectural to do. There has - truly - been an obscene amount of DevOps tasks. And there have been burndowns the like of which could very much be considered ones for the ages. But it's done. And I never intended to go six weeks off the blog, but neither did I anticipate having to practically suspend my community and MVP inputs whilst I had to focus and home in on what needed to be done on the business end. Now, I am very much looking forward to the next few years at Infinigate Cloud. In the immediate future, whilst I am holidaying out on the Isle of Wight with the family, I am looking forward to simply writing this blog. It's going to be about launching attack simulations within Microsoft Teams, which is part of the new Collaborative Security functionality announced at Secure and which is currently in preview. This'll need Microsoft Defender for Office 365 Plan 2, of which Attack Simulation Training (AST) is a part, and whilst I'll only run through a straightforward credential harvest, I hope that it will whet the appetite enough for you to go on and test it and explore more. One note right off the bat - in the context of Teams, messages are defined strictly as private 1:1 chat messages. No group chat. No channels. No guests. For now.