security
44 Topics

Unable to find the security alert in M365 Defender referenced in an email alert.
This happens a lot. I get these emails from Office365Alerts notifying our team that "A medium-severity alert has been triggered". At the bottom of the email is a link to "View alert details". When I click that, the site shows an error: "Can't find it. Either what you are looking for doesn't exist or you need to use a different search string." So, then I go to the Alerts view and filter to show everything (at least I think I am) but there's nothing related to this particular alert (unusual volume of file sharing). Where did it go?

EDIT: Including a screenshot of another email I got today. The result of clicking the 'View alert details' is again the same.

19K Views, 3 likes, 22 Comments

Security Admin Center Tenant Allow/Block List Not Able to Block IPv4?
While using the Security Admin Center Tenant Allow/Block List we have been able to block specific email addresses and IPv6 IP addresses but are unable to block IPv4 IP addresses. We have tried both using the console and the CLI but have turned up unsuccessful both times when it comes to IPv4. A large majority of the phishing attempts that we encounter come from IPv4 addresses but we have been unable to block any of these. Will there ever be functionality for IPv4 within the Tenant Allow/Block list or is the only option to use conditional access policies? Also why is this enterprise tool only functional with IPv6 and without documentation stating that it does not work for IPv4?

382 Views, 2 likes, 2 Comments

MFA alerts for when an alternative phone number is added
Hi, I need to be able to find a way so that when someone adds an alternative phone number to MFA, it sends an alert via email that would go into a shared mailbox, but I haven't been able to find a way to get the MFA alerts for alternative phone numbers. Can someone help please?

362 Views, 2 likes, 0 Comments

Threat Management - Messages submitted for review still considered Phishing after review?
Hi,

I have two legitimate messages from a sender at the largest Swiss ISP, bluewin.ch, that are considered "High Confidence Phish" and were thus quarantined. I reported them as wrongly quarantined but the status is "Should have been blocked. Use your organizational settings to allow similar messages in the future." After manually checking the messages I couldn't find any reason why those messages should be considered phishing. (Looking at one message I see: SPF pass, conversation between a group of people (multiple previous messages), no links where URL and text would contradict - the only issue is some embedded pictures (cid:image...@...) not being shown because one email client in the "chain" probably wasn't Outlook-compatible.) This creates a real problem for our organization because users have no option to realize that they have missed messages. I want to avoid modifying filters and wonder what steps you recommend.

Thank you

Solved, 4.8K Views, 2 likes, 3 Comments

USB security key MFA prompt does not work on any app like Teams or Outlook, only via web browser
I have this issue on every computer or device I use. I use MFA and I'm a Global Admin. I ONLY have USB keys as my security method and have 3 added. If I'm using Chrome, Edge, any browser and get prompted for MFA, I simply insert the key, tap it, enter my PIN, tap the key again and it works. However, for any desktop application, such as Teams, Outlook, etc., whenever it prompts me to log in, if I pick USB Security Key it just freezes and displays the loading progress bar at the top over and over. It does this on every computer I try, Mac, Windows, etc. The only option to ever authenticate is to go in, add the Microsoft Authenticator app as an MFA option, and then use that, then remove it as an option, which is obviously not ideal. I have never been able to get USB security to work outside of a browser. If I access the same Teams, Outlook, etc. from ANY web browser and get prompted, it works every single time.

Please see screenshot above for what I'm referring to. The moment I click "Windows Hello or USB Security key" those blue dots just bounce across the top of the screen forever, it never proceeds past here. This is Teams when I'm trying to log in that's doing this. If I manually go to Teams on the web it will work fine. I can come back 4 hours from now and this screen will still be showing the same thing. As mentioned, ALL devices have this issue, it does not work on any computer, PC or Mac, so it must be something with Microsoft 365. If it helps at all, I use Conditional Access and not security defaults.

4.2K Views, 1 like, 10 Comments

Safe Links policy for ONLY internal email
Is it possible to define a Safe Links policy that ONLY applies to internal email (i.e., not inbound email)? We have a 3rd party email gateway platform with its own URL protection capabilities to re-write and scan URLs on inbound mail, but this doesn't apply to internal-internal email - can 365 instead control just this function, without double-scanning (if that'd even work on an already re-written URL) and in turn then re-writing an already re-written URL?

801 Views, 1 like, 0 Comments

Delist Portal not working
Greetings,

I'm trying to delist my server's IP address using this form, but all I get is the following error when I try to submit the form:

Step 1: Our messaging service has experienced a temporary issue, please resubmit your information below.

See screenshot

I've been trying to resubmit, but it never works. Don't know where to issue a bug report.

Best regards,
Douglas

8.7K Views, 1 like, 26 Comments

Message trace: Quarantined message: Missing instructions
Hi,

Please look at the screenshot: The "How to fix it" instructions are incomplete. I tried multiple browsers and checked the HTML source code. There is just text missing! Thank you for reporting this to the appropriate parties.

Best regards

[EDIT] I see the same for filtered messages:

1.5K Views, 1 like, 4 Comments

Enabled Enhanced Filtering, but EOP still uses my on-prem IP as the source when checking SPF
Last week, I enabled the Enhanced Filtering option in the Security Center, giving it 2 IP addresses that are the public addresses of my on-prem Exchange server and spam filter. My understanding is that it should ignore those IPs when determining the source of external mail, and use the next external hop up the chain as the source for mail filtering purposes. When I send a test message from an external address, I do see the header added by Enhanced Filtering, indicating that it detected the real source server:

X-MS-Exchange-SkipListedInternetSender: ip=[209.85.166.170];domain=mail-il1-f170.google.com

But the header showing the SPF check shows a failure, because it's using my on-prem IP instead of the IP listed in that SkipListedInternetSender header:

Received-SPF: Fail (protection.outlook.com: domain of OTHERDOMAIN.XYZ does not designate MYON.PREM.SERVER.IP as permitted sender)

Has anyone else here enabled Enhanced Filtering successfully? Does EOP use the skiplist sender as the source IP for DKIM and SPF checks for you? What would cause the behavior I'm seeing?

4.9K Views, 1 like, 1 Comment

Customer Lockbox access revocation
Hi,

I understand that Customer Lockbox access is granted for up to 4 hours, after which access is revoked. Can you explain what exactly happens after 4 hours? Is the Microsoft Engineer automatically logged off or will access be revoked on next logout? If the former, will they lose their work? Is there some sort of timer that shows them how much time they have left?

1.2K Views, 1 like, 2 Comments