Teams Real Simple with Pictures: Configuring Zero Hour Auto Purge (ZAP) for Teams through PowerShell now in Preview

Ok, first things first - congratulations to all the Microsoft MVPs who were renewed this week! It was awesome to see so many friends, and so many passionate community members, earn the award after their incredible efforts last year. Blogging. Speaking. Feeding back to product teams. Sharing code. Running events. Staffing events. Writing books. Even social media. You name it. Jeff Teper - CVP of Microsoft SharePoint and Microsoft Teams - often refers to them at events and on social as being part of 'The Best Community in Tech'. It's something I would have to agree with, having known many of them now for some time. So congrats again MVPs!

And with that out of the way for another year, let's move on to the blog, which is a shorter one this week and a direct follow-up to a recent blog on ZAP within the new Collaborative Security for Microsoft Teams. Only last month I recommended sticking with the security presets, given that since it came out in March there didn't appear to be a separate ZAP policy for Teams, and the settings for Exchange Online and Teams appeared to be bound together. But in a message issued through the Message Centre this week, it was announced that Microsoft is 'adding new Teams Protection cmdlets to control ZAP for Teams'. More so: 'Going forward, please utilise the new cmdlets to control ZAP and quarantine policies for Microsoft Teams'. So the good news, all up, is that management starts becoming more granular, and you can have different ZAP policies for Exchange Online and Teams if you need them. On the other hand it's likely going to raise a few questions, such as: if the policies are set in PowerShell moving forward, will they then surface in the Microsoft 365 Defender Portal and the security presets? And if they are set in PowerShell, will changes in the Microsoft 365 Defender Portal overwrite them?
Whilst this blog is an awareness piece regarding the cmdlets and serves as an addendum to the previous blog based on personal testing, I would actively encourage admins to go on and test further. Being in preview, and with so much evolving so quickly, it's fair to state that we don't ultimately know the destination or the final intended behaviours and user experience, as nothing is confirmed beyond these cmdlets. I would wager that there will be a change in the GUI so that ZAP policies for Exchange Online and Teams are distinct and explicit, that you will see the specific Teams Protection policies on quarantined items, and that everything will fit flush within the presets - but you just never know, nor when that's going to land. So let's look at something that comes with a load of caveats, but at the same time will be central to how ZAP for Teams is managed moving forward.
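The Message Centre note quoted above doesn't list the cmdlets themselves, and neither does this post, so here is an added example (not code from the post, and not Microsoft's own sample) of what the change looks like in practice using the Teams Protection cmdlets that ship in the Exchange Online PowerShell module: Get-TeamsProtectionPolicy, Set-TeamsProtectionPolicy and Get-/New-/Set-TeamsProtectionPolicyRule. The parameter names follow Microsoft's cmdlet reference, but as these cmdlets were in preview at the time of writing, check them with `Get-Command *TeamsProtection*` after connecting before relying on the script. The admin UPN, the exclusion group and the quarantine policy names are placeholders, not values from this post.

```powershell
#Requires -Modules ExchangeOnlineManagement
# Added example, not from the original post: enable ZAP for Teams, bind the quarantine
# policies it uses, and scope an exclusion on the policy rule. Assumes the Exchange Online
# PowerShell module v3.x, a Security Administrator account and a Defender for Office 365
# Plan 2 tenant. Every value in the param block is a placeholder.

param(
    [string]$AdminUpn      = 'admin@contoso.onmicrosoft.com',   # placeholder
    [string]$ExclusionGroup = 'zap-exclusions@contoso.com',     # placeholder mail-enabled group (e.g. a phish-testing team)
    [string]$PhishTag      = 'AdminOnlyAccessPolicy',           # built-in quarantine policy name
    [string]$MalwareTag    = 'AdminOnlyAccessPolicy'            # built-in quarantine policy name
)

Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

# 1. Capture the current state first so the change can be reviewed and rolled back.
$before = Get-TeamsProtectionPolicy
$before | Format-List Name, ZapEnabled, HighConfidencePhishQuarantineTag, MalwareQuarantineTag

# 2. Turn ZAP for Teams on and say which quarantine policies apply to what it catches.
#    There is one policy per tenant and its Identity is 'Teams Protection Policy'.
Set-TeamsProtectionPolicy -Identity 'Teams Protection Policy' `
    -ZapEnabled $true `
    -HighConfidencePhishQuarantineTag $PhishTag `
    -MalwareQuarantineTag $MalwareTag

# 3. Exclusions live on the policy rule, not the policy. Create the rule if it does not
#    exist yet, otherwise update it, so the script is safe to run more than once.
$rule = Get-TeamsProtectionPolicyRule -ErrorAction SilentlyContinue
if (-not $rule) {
    New-TeamsProtectionPolicyRule -Name 'Teams Protection Policy Rule' `
        -TeamsProtectionPolicy 'Teams Protection Policy' `
        -ExceptIfSentToMemberOf $ExclusionGroup
} else {
    Set-TeamsProtectionPolicyRule -Identity $rule.Identity `
        -ExceptIfSentToMemberOf $ExclusionGroup
}

# 4. Verify rather than trust: fail loudly if ZAP is still off after the Set call.
$after = Get-TeamsProtectionPolicy
if (-not $after.ZapEnabled) {
    throw 'ZAP for Teams is still disabled after Set-TeamsProtectionPolicy; check role assignment and licensing.'
}
$after | Format-List Name, ZapEnabled, HighConfidencePhishQuarantineTag, MalwareQuarantineTag
Get-TeamsProtectionPolicyRule |
    Format-List Name, TeamsProtectionPolicy, ExceptIfSentTo, ExceptIfSentToMemberOf, ExceptIfRecipientDomainIs

Disconnect-ExchangeOnline -Confirm:$false
```

Two things worth noting from a security point of view. Setting -ZapEnabled on the Teams policy is what makes the Teams and Exchange Online settings independent; the mail-side ZAP controls stay in the anti-malware and anti-spam policies and are untouched by this script. And the exclusion is the sharp edge: anyone in the excluded group gets no post-delivery purge at all, so keep that group small and audited, which is exactly the kind of scoping you could not express while Teams rode along with the Exchange Online presets.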

Teams Real Simple with Pictures: Collaboration Security for Microsoft Teams – Zero-Hour Auto Purge (ZAP)

Over the last month we've gotten into two of the four components of Collaboration Security for Microsoft Teams (CSMT) which were announced back at Secure in March - Attack Simulation and End User Reporting. Both seem really solid adds. I personally think that both are worth the price of the P2 in order to bring this XDR functionality into Teams. So let's push on and investigate the third component, one which has been part of Exchange Online for some time: Zero-Hour Auto Purge. Typically known by its acronym ZAP, in the context of Teams it 'protects end-users by analyzing messages post-delivery and automatically quarantines messages that contain malicious content to stop the actor from compromising the account'. So it is a retroactive, automated protection feature which goes after malware, spam and phishing messages that have already been delivered. Furthermore, 'once a malicious message is identified, the entire Teams environment will be scanned for that same indicator of compromise and quarantine relevant messages at scale for more effective protection'. Sounds good. Sounds like it's going to be a real big help to admins who cannot be on hand - or are expected to be on hand - to continuously monitor their users' chats in Teams 24/7.

So let's see ZAP in action. It is currently in preview like the other components, and on by default if a P2 licence is assigned and CSMT is lit up via the shell. Of all the components within CSMT this is the one I see changing the least by the time GA comes around, since it just works. But having tested over the past few days, there appear to be some hefty limitations at the time of writing - and ones that, as Microsoft 365 admins, we need to know upfront even though we know it's only at the preview stage.

One. ZAP only works on private chat and private group chat currently. Channel conversations aren't supported today. Given that channel messages are housed in the group mailbox within the Microsoft 365 group construct, that's surprising. But hey, that's exactly what happened with Loop components, so I am pretty sure that will arrive at some point.

Two. On the testing I did this weekend it only seems to work for messages within the organisation currently. In other words, no federated chat support for messages sent and received to/from others outside the organisation. That's probably the biggest limitation here in terms of day-to-day use, or the likelihood of something malicious getting in.

Three. During testing I noticed it doesn't seem to cover meeting chat, which is also important, especially if the org allows anonymous users to join meetings.

Now, these could be blockers for many organisations. Or they may not be, given that these orgs could be adding CSMT in preview primarily for the other components. It'll be important to support all three moving forward, but looking past this, the preview does a good job of showing you how ZAP works if you have something to test it with.