
Sysadmin Magazine April 2020

SysAdmin Magazine's April 2020 issue provides insights and tips for IT professionals on remote work challenges, focusing on Microsoft Teams and Office 365 security. It includes guides on syncing Active Directory to Office 365, hardening Teams security, and configuring audit logs. The magazine emphasizes the importance of data governance and security measures to protect sensitive information in collaborative environments.

Uploaded by

richardgamarra

SysAdmin MAGAZINE

No Place like Home: Helpful Tips for Remote Work Challenges
Contents SysAdmin Magazine April 2020

58 April ‘20

SysAdmin Magazine is a free source of knowledge for IT Pros who are eager to keep a tight grip on network security and do the job faster.

Contents

Quick Guide: How to sync your Active Directory to Office 365
5 tips for hardening Microsoft Teams security
How to configure the Office 365 audit log
Office 365 file sharing security: OneDrive for Business, SharePoint and MS Teams
How to track irregular app activity in Azure AD
Tool of the month: Free Netwrix Auditor for SharePoint

The Sysadmin Magazine team

Quick Guide: How to Sync Your Active Directory to Office 365

Jonathan Hassell
Exchange Expert, IT Consultant

Many organizations that use Office 365 have a hybrid deployment — that is, they also have an on-premises Active Directory, which is the primary storage for identity information.

Learn how to enable integration of local AD data with your Office 365 environment using native Microsoft tools in this guide to Active Directory sync to Office 365.

To enable you to synchronize identity data from your on-prem Active Directory to Microsoft Azure AD, Microsoft provides Azure Active Directory Connect, a fairly lightweight service that runs on a server in your office or datacenter. You can select which objects to sync and which objects to leave on your local Windows Server.

When you use Azure AD Connect to sync directories, you are creating what amounts to an irrevocable relationship between your Office 365 tenant and your local directory. While there are various hacks and unsupported ways of breaking a sync relationship between an on-premises directory and Office 365 directory, you won’t be able to call for help if things go wrong. Expect that your tenant will be forever bound to a local domain controller and that you will always have to have that domain controller unless you migrate to a brand new tenant. Once the sync is in place, you must create new users and make changes to your existing users in your on-premises directory; you won’t be able to use the Office 365 GUI or PowerShell to do it.

To use Azure AD Connect, take the following steps:

1. Download the Azure AD Connect installer from http://go.microsoft.com/fwlink/?LinkId=615771.
2. Copy the installer to the server that you want to designate as the sync server and run the installer.
3. Agree to the license terms and click Continue.
4. The Express Settings screen appears. Read the details of what the wizard will do. For the purposes of our walkthrough, click Use express settings.

Figure 1. The Azure AD Connect Express Settings screen

Creating a new Group Policy Object

1. The Connect screen appears. Enter your Office 365 administrator’s username and password and then click Next.
2. The wizard will do some computations and then show the Ready to Configure screen. On this screen:

5 Tips for Hardening Microsoft Teams Security

Jeff Melnick
IT Security Expert, Blogger

Overview of Microsoft Teams

Microsoft Teams is an online collaboration platform that empowers team members to work together seamlessly and productively. A part of the Office 365 suite, Microsoft Teams runs on Windows, Mac, Linux, iOS and Android, enabling remote communication across virtually every desktop and mobile device.

Teams offers the following main features and services:

▪ Chat — This function allows users to send private messages to each other and attach files to messaging threads. OneDrive for Business serves as the underlying mechanism for file sharing in chats.

▪ Teams — This tab lets users create teams or join existing teams to start group collaboration and conversations in team channels. When a user creates a team, they essentially create an Office 365 Group on the backend.

▪ Calendar — This service syncs with users’ Outlook calendars so they can schedule meetings and plan out projects.

▪ Calls — This tab lets users initiate and receive peer-to-peer voice and video communications. Calls is built on the Skype framework, and in fact, many companies are replacing Skype for Business with Microsoft Teams as their enterprise communications platform.

Concerns About Microsoft Teams Security

Microsoft Teams is a powerful tool for supporting cross-functional and even cross-organizational collaboration, but its openness introduces concerns about unfettered file and data sharing between an unlimited number of users. In particular, the following features and concerns present security challenges for IT professionals.

▪ Guest access — The guest access feature enables team owners to invite parties from outside the organization to participate in team activities. Guests have full access to team channels, chats, shared files and meetings. Beyond the requirement that guests have a business or consumer email account, there are no restrictions or vetting procedures to govern who can or cannot receive guest access privileges. This raises obvious concerns about how easily sensitive or proprietary data can be exposed to entities outside the organization.

▪ Permissions model — To promote agile, self-organizing collaboration between individuals from different functional groups, Microsoft intentionally designed Teams with an open permissions model:

    ▪ Any user can become a team owner by creating a team and inviting other users to join it.
    ▪ Every team member has full access to all the data on the team’s public channels, including chat messages, meeting content and shared files. They can share files and create new channels.
    ▪ Any guest from outside the organization can share files and even create new channels within the team.

It’s easy to see how quickly this permissions model can lead to a data-sharing environment that’s great for collaboration but a headache for IT to track and control.

▪ App management — Users can extend the capabilities of team channels by adding apps, which can take the form of custom tabs, bots or connectors. An app lets users in a channel get content and updates directly from their favorite third-party services, such as Trello and GitHub. However, these apps often request (or even require) users to allow them to access their data, which opens the door to improper transfer of company information to external third parties. With so many partners eager to publish their productivity apps in the Teams store, IT now has an additional security concern to monitor and manage.

▪ Data lifecycle management — The Teams ethos of open communications and file sharing runs counter to the practices of secure data governance, which has strict protocols for the collection, usage, retention and removal of sensitive information. In addition, security and compliance standards like HIPAA and PCI DSS mandate data governance measures such as enterprise-wide labeling, oversight and tracking of content, as well as appropriate handling of data that has expired or changed classification. It’s challenging to impose this level of control on the dispersed ecosystem of chat messages and data files circulating through Teams.

▪ Data leakage — Without adequate security enforcement, a Teams user can deliberately or accidentally share confidential information with unauthorized recipients, which can put the company’s intellectual property, compliance status and reputation at risk. In addition, because Teams is a SaaS platform that sends and receives packets through the cloud, there is a risk that malware or bad actors will intercept files in transit and use them for malicious ends.

Security Basics of Microsoft Teams

Fortunately, Teams benefits from its integration with key elements of the Microsoft security framework:

▪ The file-sharing experience is powered by SharePoint.
▪ Team conversations are stored in a dedicated group mailbox in Exchange Online.
▪ Azure Active Directory (Azure AD) stores and manages team data and membership. It also manages user authentication for the Teams platform as a whole.

Before you make Teams generally available to your organization, be sure to review and configure the following:

▪ Authentication setup in Azure AD for user logins to Teams
▪ Global security settings in Office 365 — many settings carry over to Teams or to SharePoint, OneDrive and Exchange, which work in tandem with Teams

Security Tips for Microsoft Teams

In addition, you can bolster Microsoft Teams security by using a combination of built-in features and third-party tools. Here are five best practices that will help you roll out a secure deployment of Teams to your organization.

1. SET UP APP MANAGEMENT.

Apps in the Teams store fall under one of three categories:

• Built-in apps provided by Microsoft
• Apps built by third parties
• Custom-built internal apps

Consider restricting the use of certain apps based on their source and how they handle data:

• To control which apps to block or make available to your organization, use the settings on the Manage apps page in the Teams admin center.
• You can also use app permission policies to block or make certain apps available to specific sets of users.

2. ESTABLISH GLOBAL TEAMS MANAGEMENT.

By default, any user with a mailbox in Exchange Online can create a team and become a team owner. If you want to limit the number of users with this privilege, consider creating an Office 365 group whose users have exclusive permissions to create new groups and, by extension, new teams.

Also configure the global Teams settings for your organization — you can specify organization-wide preferences such as:

▪ Whether users can communicate with individuals outside the organization
▪ Whether to enable file sharing and cloud storage capabilities
▪ Authentication requirements for accessing meeting content

As part of employee training, educate your users about the capability to create private channels, which are restricted to a selected subset of team members. If some team members want to collaborate on confidential content, they should create a private channel instead of a standard channel that all members and guests can access. However, keep in mind that at the time of this writing, Microsoft does not yet offer full security and compliance support for content in private channels.

3. SET UP SECURE GUEST ACCESS.

You can use the Guest access settings in the Teams admin center to configure the level of access granted to guest users. For maximum security, you can leave guest access disabled by default. Or you can turn on guest access but disable certain privileges like screen sharing or peer-to-peer calls.

4. BUILD AN INFORMATION PROTECTION ARCHITECTURE.

Setting up an information protection architecture is critical not only for preventing data leakage but also for meeting compliance and litigation requirements.

Your Teams data resides in an assigned geographic region of the Azure cloud infrastructure, depending on your organization’s Office 365 tenant. Since different regions may follow different data security standards, it’s a good idea to make sure that the location of your Teams data is appropriate for your business requirements.

Use the following out-of-the-box and third-party tools to establish information management in Teams so that your data stays trackable, protected, and compliant.

▪ Electronic Discovery and legal hold — Electronic Discovery (eDiscovery) is an Office 365 tool that lets you create and manage eDiscovery cases to comply with legal
You can assign members with specialized permissions to an eDiscovery case and define the parameters of a search query for content relevant to an investigation.

To preserve crucial evidence, you can place the contents of a user mailbox or team mailbox on a legal hold. The hold ensures that immutable copies of the content will remain available through eDiscovery search even if the original content is altered in Teams.

▪ Content search — Office 365 provides content search capabilities with rich filters to search through all your Teams data for target content. For example, you can use the search tool to find content associated with a compliance standard. Or you can perform a content search as part of an eDiscovery workflow to gather legal evidence.

▪ Data retention policies — You can create retention policies that specify when to keep Teams data to stay compliant with business, regulatory or litigation requirements. You can also use retention policies to direct the removal of data that no longer needs to be retained.

▪ Advanced Threat Protection (ATP) — This feature detects and blocks user access to malicious content in Teams. ATP also wards off malicious files in SharePoint and OneDrive for Business, the platforms that power the file-storage and file-sharing services in Teams. Make sure that you turn on ATP for SharePoint, OneDrive and Teams.

▪ Data loss prevention (DLP) — You can set up DLP policies that automatically block unauthorized users from sharing sensitive data in a Teams channel or private chat. Use DLP policies to enforce secure user behavior in Teams and prevent data breaches.

▪ Backups — Configure automatic backups of all your Office 365 data to OneDrive or an on-premises storage drive.

▪ Automated information labeling — To ensure that your DLP policy actions are applied correctly, you need to accurately classify and label the data shared in Teams, which requires an automated data discovery and classification solution that ensures high precision in classification.

Netwrix Data Classification offers robust data classification technology to ensure that sensitive information in Teams is accurately and systematically tagged. Netwrix Data Classification lets you control the use of tags so that sensitive files receive the correct classification. You can also apply workflows to remove tags from files whose sensitivity level has expired so that Teams users can access the files again without business disruption.

5. AUDIT USER ACTIVITY.

You can use Microsoft’s Supervision policies to monitor chats and team channels. You can also monitor usage through various built-in reports and functionality:

▪ Go to Analytics & reports in the Microsoft Teams admin center.
▪ Go to Reports > Usage in the Microsoft 365 admin center.
▪ Use Microsoft 365 usage analytics in Power BI.

To get even more insight into activity in Teams, use a solution like Netwrix Auditor. Netwrix Auditor provides comprehensive and detailed monitoring of events and activities, including:

▪ User logins to Teams
▪ Membership and changes to teams
▪ All data manipulations around the data exchanged in both regular and private conversations in Teams
▪ Permissions to data and changes to those permissions
▪ Installation of applications in Teams

How to Configure the Office 365 Audit Log

Adam Stetson
Systems Engineer, Security Expert

Microsoft Office 365 is a robust and diverse ecosystem that involves multiple services, such as Microsoft Teams, Exchange Online, Azure AD, SharePoint Online and OneDrive for Business. It’s a lot to keep tabs on, and global admins often need to oversee multiple sub-admins and sometimes thousands of users.

Office 365 audit logs help you track admin and user activity, including who’s accessing, viewing or moving specific documents and how resources are being used. These logs are essential for investigating security incidents and demonstrating compliance. However, the native logs have multiple limitations, so additional services are usually needed to effectively monitor activity, keep systems secure and ensure regulatory compliance.

How to Set up Office 365 Audit Logging

Native log auditing is not enabled by default. To enable native log auditing:

1. Head to the Office 365 Security & Compliance Center.
2. Go to "Search" and then "Audit log search."
3. Click "Turn on auditing."

Alternatively, you can enable log auditing using this PowerShell command:

    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

Audit logging for Power BI and other auxiliary applications is also not enabled by default; you’ll have to enable it in the separate admin portals to get those audit records.

Check your licensing requirements to see how long your log data can be stored. For instance, the cap is currently 90 days for an Office 365 E3 license and one year for an Office 365 E5 license.

How to Run an Audit Log Search

Prerequisites

Before you can run an audit log search, an admin must assign permissions to your account, either "View-Only Audit Logs" or "Audit Logs".

You may have to wait several hours from the time you enable log auditing before you can run an audit log search. Note that a unified audit log search consolidates analytics from multiple Office 365 services into a single log report, which requires anywhere from 30 minutes to 24 hours to complete.

Procedure

To run an audit log search, take the following steps:

1. LOG IN.

Sign in at https://protection.office.com.

Tip: To prevent your current credentials from being used automatically, open a private browsing session:

▪ In Internet Explorer or Edge, press CTRL+SHIFT+P.
▪ For most other browsers, press CTRL+SHIFT+N.

2. START A NEW SEARCH.

In the Security & Compliance Center, click "Search" on the left pane. Then select "Audit log search."

3. CONFIGURE YOUR SEARCH CRITERIA.

The main criteria to specify are:

Activities — See Microsoft's list of audited activities. There are over 100, so Microsoft has grouped them into related activities. If you don't narrow this down, your audit report will include all activities performed during the time frame specified.

Dates — The default time frame is the last seven days, but you can configure your search for any period within the last 90 days.

Users — Specify which user or group of users you want to include in your report.

Location — If you want to limit the search to a particular file, folder or site, enter a location or keyword.

Other search criteria include:

Activities related to a website — Add an asterisk after the URL to return all entries for that site. For example, "https://contoso-my.sharepoint.com/personal/*".

Activities related to a given file — Add an asterisk before the file name to return all entries for that file. For example, "*Customer_Profitability_Sample.csv".

4. FILTER THE SEARCH RESULTS.

The search criteria options are helpful for an overview, but filtering the search results will help you comb through the data more effectively. You can enter keywords, specific dates, users, items or other details.

In addition, note that the search is capped at the 5,000 most recent events. If your search returns exactly 5,000 items, you’ve likely maxed out the search results. Refine your search further to ensure that you see all relevant data within your date and time range without missing crucial information.

Alternatively, you can generate a report of raw data that meets your search criteria by pulling the data into csv. This lets you download up to 50,000 events instead of 5,000. To generate even more than 50,000 events, work in batches of smaller date ranges and combine the results manually.

5. SAVE YOUR RESULTS.

To save your results, click “Export results” and choose “Save loaded results” to generate a CSV file with your data. You can use Microsoft Excel to access the file or share the results as a report.

You will see a column called “AuditData”, which consists of a JSON object that contains multiple properties from the audit log record. To enable sorting and filtering on those properties, use the JSON transform tool in Excel’s Power Query Editor to split the “AuditData” column and give each property its own column.

See Export, configure, and view audit log records for more information.

Limitations of Native Audit Log Searches in Office 365

Manually digging into the audit logs in Office 365 is often difficult and time-consuming. The search tools are helpful, but consider the following drawbacks when deciding how to handle auditing in your organization:

▪ It’s difficult to spot aberrant activity — It takes a trained eye to interpret data, especially if you're not already aware of a problem with a specific user or file.

▪ It’s hard to keep your audit data secure — Detailed data on every event within your system is highly sensitive information. While the default export options are convenient, they make your files more vulnerable.

▪ Putting together human-readable reports is very difficult — To get a report, you need to export specific audit data into a CSV file, which then needs to be sorted and interpreted before it becomes actionable.

▪ You have limited filtering options — The native audit log search does not provide comprehensive filtering options, making it harder to glean insights and find what you’re looking for.

▪ There are only a few predefined log reports available — If you want other reports, you have to create them manually. Also, there’s no report subscription option or native feature to save customized searches.

▪ Most properties are lumped into one JSON — The AuditData JSON can contain different properties depending on the auditing event. This produces a lot of unnecessary noise between you and the important details you’re trying to get from your audit data.

▪ Audit data is stored for a limited time — Since Microsoft’s standard subscription allows only a 90-day data retention period for audit logs, you’ll have to download and save your audit logs on a regular basis, and then try to merge them together to see the longer term picture of activity. If you forget to save the logs, you’ll have gaps in your record.

Other Ways to Access Audit Log

Office 365 Management Activity API

The Office 365 Management Activity API allows you to view data about admin system, user and policy events from Office 365 and Azure AD activity logs. The tool helps you monitor, analyze and visualize audit data.

Netwrix Auditor

Netwrix Auditor dramatically simplifies the task of staying on top of activity in your IT environment, as well as enabling you to proactively prevent issues and keep data organized. The solution provides increased visibility into activity and configurations in your OneDrive for Business, SharePoint Online and Exchange Online environments, as well as Azure AD.
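The article's export step (batches of smaller date ranges, combined manually) and its point that most properties sit in one AuditData JSON column can be handled with a short script. This is an added example, not code from the magazine or from Microsoft; it assumes the export has the columns CreationDate, UserIds, Operations and AuditData, and the sample records are constructed.

```python
import csv
import io
import json

UI_CAP = 5_000        # on-screen search cap given in the article
EXPORT_CAP = 50_000   # CSV export cap given in the article


def flatten_export(csv_text):
    """Give every AuditData property its own 'AuditData.<name>' column."""
    rows = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        flat = {k: v for k, v in rec.items() if k not in ("AuditData", None)}
        raw = rec.get("AuditData") or ""
        try:
            audit = json.loads(raw)
        except json.JSONDecodeError:
            audit = None
        if not isinstance(audit, dict):
            # Keep a damaged record visible instead of silently dropping it.
            flat["AuditData._raw"] = raw
            audit = {}
        for key, value in audit.items():
            # Nested values stay compact JSON so each property fits one cell.
            if isinstance(value, (dict, list)):
                value = json.dumps(value, sort_keys=True)
            flat["AuditData." + key] = value
        rows.append(flat)
    return rows


def merge_batches(batches, cap=EXPORT_CAP):
    """Combine per-date-range exports into one de-duplicated, sorted data set.

    Returns (rows, columns, capped). 'columns' is the union of all property
    names seen, because different events carry different properties. 'capped'
    lists batches that reached the cap, which are probably truncated and
    should be re-run with a narrower date range.
    """
    merged, seen, capped = [], set(), []
    for name, csv_text in batches.items():
        rows = flatten_export(csv_text)
        if len(rows) >= cap:
            capped.append(name)
        for row in rows:
            # Overlapping date ranges return the same record twice.
            key = row.get("AuditData.Id") or tuple(sorted(row.items()))
            if key in seen:
                continue
            seen.add(key)
            merged.append(row)
    merged.sort(key=lambda r: r.get("CreationDate") or "")
    columns = sorted({col for row in merged for col in row})
    return merged, columns, capped


def build_sample(records):
    """Render constructed records as an export-style CSV (assumed column names)."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["CreationDate", "UserIds", "Operations", "AuditData"])
    for r in records:
        writer.writerow([r["CreationTime"], r["UserId"], r["Operation"], json.dumps(r)])
    return buf.getvalue()


# Constructed sample records, not real tenant data.
SAMPLE_A = [
    {"Id": "a1", "CreationTime": "2020-04-06T09:00:00", "Operation": "FileAccessed",
     "UserId": "j.carter@example.com", "Workload": "OneDrive",
     "ObjectId": "https://contoso-my.sharepoint.com/personal/j_carter/Customer_Profitability_Sample.csv"},
    {"Id": "a2", "CreationTime": "2020-04-07T10:30:00", "Operation": "MemberAdded",
     "UserId": "admin@example.com", "Workload": "MicrosoftTeams",
     "Members": [{"UPN": "guest@example.org", "Role": "Member"}]},
]
SAMPLE_B = [
    SAMPLE_A[1],  # same record again: the two date ranges overlap
    {"Id": "a3", "CreationTime": "2020-04-08T14:15:00", "Operation": "FileDownloaded",
     "UserId": "guest@example.org", "Workload": "SharePoint", "ClientIP": "203.0.113.7"},
]


def demo(cap=EXPORT_CAP):
    batches = {"2020-04-06..07": build_sample(SAMPLE_A),
               "2020-04-07..08": build_sample(SAMPLE_B)}
    return merge_batches(batches, cap=cap)


if __name__ == "__main__":
    rows, columns, capped = demo()
    print(len(rows), "unique events;", len(columns), "columns; capped:", capped)
```

Write the merged rows back out with `csv.DictWriter(fieldnames=columns, restval="")` to get one sortable sheet, and store that file with the same access restrictions as the audit log itself.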

Office 365 File Sharing Security: OneDrive for Business, SharePoint and MS Teams

Jeff Melnick
IT Security Expert, Blogger

Office 365 is optimized for collaboration. It is a powerful tool for your organization’s teams, especially now that so many folks work together virtually, meet online remotely and share digital files.

Office 365 file sharing involves two systems:

▪ SharePoint Online, an advanced collaboration tool built for working on files with others and publishing files for everyone to see.

▪ OneDrive, a cloud storage platform that is meant primarily for personal files. An individual’s OneDrive files are private unless they are explicitly shared with others. Underneath the covers, OneDrive is actually just a document library in a SharePoint site collection.

Office 365 allows sharing of both files and folders. When you share a file, you grant access to a single file only; users that have access to the file will not have access to other files, even those located in the same folder, unless you share those files too. When you share a folder, you grant access to the folder and every file and subfolder within it, including any new ones you later create in the shared folder.

Sharing raises some important challenges for system admins who shepherd sensitive data. Here, we’ll cover the basics of how to share files and folders internally and externally. Then we’ll discuss methods admins can use to ensure sharing happens securely.

Internal and External Sharing

Sharing can be internal or external. Internal sharing is limited to the network of users in your Azure Active Directory (AD) domain. External sharing involves sending documents outside of your organization,

Methods for Sharing

You can share files from OneDrive for Business or add them to your SharePoint team site:

▪ OneDrive folder — One way to share a file is to send a link from OneDrive. Generating a file sharing link is easy and enables the user to specify exactly who they want to share the file with and to allow or deny editing and downloading of the file.

▪ SharePoint — SharePoint folders make sharing extremely simple. SharePoint team sites are automatically created when you create a group in your admin center. Once a file is in the SharePoint folder, it can be accessed by anyone in the group.

Restricting Sharing

Administrators can allow or block file sharing in the following applications:

▪ SharePoint Online
▪ OneDrive for Business
▪ Microsoft Teams
▪ Office 365 Groups

When users need to send documents outside of your organization (external sharing), more care is needed to ensure that access is granted appropriately. Guest users have the same access rights to files as team members unless specific parameters are set up on the front end. Guest users become actual users in your Azure AD, and admins can grant access to guests for Microsoft Teams conversations, SharePoint Online sites or data on OneDrive.

Security Tips for File and Folder Sharing

The following best practices will help you reduce the risks that come with sharing files and folders:

▪ Disable third-party storage services. You can prevent files from being shared via Dropbox or other services outside of your purview. Log on to the admin center and go to the Settings page. Then select “Office on the web” from the Services tab, deselect “third-party storage” and save your changes.

▪ Require multi-factor authentication. You have protocols for your own team members to ensure their accounts aren’t compromised, but guest users may not live up to your standards. Requiring multi-factor authentication for guest accounts improves security.

▪ Enable data classification. Classifying data enables you to set up security controls and policies based on how sensitive your data is. The Microsoft Compliance Center also offers a variety of options for customizing controls for guest access based on data labels. In particular, set up policies for which types of content can be shared with external users.

▪ Create a separate SharePoint team for files intended to be shared externally. You can create a new team for each customer or partner, for example. This way, customers and partners have access to only the SharePoint shared documents specifically meant for them.

▪ Protect against uploading of malicious files. When a guest user is given access to your Office 365 shared folder, they are allowed to upload files as well. In the Microsoft 365 Security admin center, you can set up Advanced Threat Protection (ATP) for SharePoint, OneDrive and Microsoft Teams; ATP scans uploaded documents for malicious content.

▪ Set expiration dates on links — Sharing of files should be limited to the period of collaboration. This option is available in the Advanced Settings when you set up file sharing.

▪ Follow the principle of least privilege — Granting each user only the bare minimum permissions they need to complete their work goes a long way towards mitigating the risks of OneDrive and SharePoint file sharing.

Monitoring Best Practices

No matter how carefully you design your environment, procedures and policies, you also need insight into what is happening in order to protect your sensitive and regulated data properly. In particular, be sure to audit the following:

▪ Data access attempts — This is especially critical when users are allowed to share files and folders with external guests.

▪ Group membership changes — To adhere to the least-privilege principle, you need to know when users are added to groups, especially any group that allows them access to more data or confers admin-level privileges.

▪ Activity around Office 365 applications — You also need insight into application activity. Microsoft offers several native monitoring options, but they have important limitations. In particular, reports must be run individually and have only a handful of predefined options.

Getting Help

Netwrix solutions deliver the deep visibility you need into your SharePoint and OneDrive for Business environments. Netwrix Auditor provides insight into permissions, changes and access activity so you know who has access to your organization’s files and what they’re doing with their access. It also sends alerts when potential threats arise so you can take action before it’s too late.

Meanwhile, Netwrix Data Classification automatically classifies and tags data across your various repositories, making it easier to implement appropriate controls and policies, and improving the effectiveness of both native tools like Microsoft Information Protection (MIP) and third-party security solutions.
Contents SysAdmin Magazine April 2020

How-to for IT Pro


HOW TO FIND ILLICIT APPLICATIONS IN AZURE AD

1. From the Azure portal menu, select Monitoring, or search for and select Monitoring from any page.
2. Select Audit Logs.
3. Filter the report to show only application-related events by picking ApplicationManagement in the Category column’s search section. The Target(s) column shows the application name.
4. Review the event details in the Details tab at the bottom of the page.

Note: If you want to filter out whitelisted applications, you will have to pull the log data into a CSV file and analyze it manually, since the native event log filters don’t have an exclude function.

| Date | Service | Category | Activity | Status | Target(s) | Initiated by (actor) |
|---|---|---|---|---|---|---|
| 04/08/2020, 6:27:24 PM | Core Directory | ApplicationManagement | Consent to application | Success | Enterprise Actions | J.Carter@company.onmicrosoft.com |
| 04/08/2020, 6:23:24 PM | Core Directory | ApplicationManagement | Consent to application | Success | Enterprise Forms | AzureAdm@company.onmicrosoft.com |
| 04/08/2020, 5:24:09 PM | Core Directory | UserManagement | Update user | Success | J.Smith@company.onmicrosoft.com | AzureAdm@company.onmicrosoft.com |
| 04/08/2020, 5:24:09 PM | Core Directory | UserManagement | Enable account | Success | J.Smith@company.onmicrosoft.com | AzureAdm@company.onmicrosoft.com |
| 04/07/2020, 08:30:26 PM | Core Directory | UserManagement | Add member to group | Success | Internal Users | jack.smith@enterprise.onmicrosoft.com |
| 04/06/2020, 07:03:13 PM | Core Directory | ApplicationManagement | Consent to application | Success | Azure App | azureAdm@enterprise.onmicrosoft.com |
| 04/03/2020, 5:44:05 PM | Core Directory | ApplicationManagement | Consent to application | Success | Netwrix Auditor for Azure AD | AzureAdm@company.onmicrosoft.com |
| 04/03/2020, 5:42:04 PM | Core Directory | UserManagement | Add app role assignment grant to user | Success | Netwrix Auditor for Azure AD, AzureAdm@company.onmicrosoft.com | AzureAdm@company.onmicrosoft.com |
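
The exclusion that the note says the portal filter cannot do can be scripted once the audit log is exported to CSV. The following Python is an added example, not part of the original article: it assumes the CSV headers match the portal columns shown above (adjust them to your export), and the sample rows and the `ALLOWLIST` contents are constructed for illustration.

```python
import csv
import io

# Constructed sample export; headers are assumed to match the portal columns.
SAMPLE_CSV = '''Date,Service,Category,Activity,Status,Target(s),Initiated by (actor)
"04/08/2020, 6:27:24 PM",Core Directory,ApplicationManagement,Consent to application,Success,Enterprise Actions,J.Carter@company.onmicrosoft.com
"04/08/2020, 6:23:24 PM",Core Directory,ApplicationManagement,Consent to application,Success,Enterprise Forms,AzureAdm@company.onmicrosoft.com
"04/08/2020, 5:24:09 PM",Core Directory,UserManagement,Update user,Success,J.Smith@company.onmicrosoft.com,AzureAdm@company.onmicrosoft.com
"04/06/2020, 07:03:13 PM",Core Directory,ApplicationManagement,Consent to application,Success,Azure App,azureAdm@enterprise.onmicrosoft.com
"04/03/2020, 5:44:05 PM",Core Directory,ApplicationManagement,Consent to application,Success,Netwrix Auditor for Azure AD,AzureAdm@company.onmicrosoft.com
'''

# Hypothetical allowlist of approved application display names.
ALLOWLIST = {"Netwrix Auditor for Azure AD"}


def _norm(text):
    """Collapse whitespace and case so 'Azure  App ' matches 'azure app'."""
    return " ".join((text or "").split()).casefold()


def unapproved_app_events(csv_text, allowlist):
    """Return ApplicationManagement events whose target is not allowlisted."""
    approved = {_norm(name) for name in allowlist}
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if _norm(row.get("Category")) != "applicationmanagement":
            continue  # same filter as step 3 of the procedure
        if _norm(row.get("Target(s)")) in approved:
            continue  # the exclusion the native filter lacks
        # An empty or missing target is kept: it cannot be shown to be approved.
        findings.append({
            "date": (row.get("Date") or "").strip(),
            "activity": (row.get("Activity") or "").strip(),
            "status": (row.get("Status") or "").strip(),
            "app": (row.get("Target(s)") or "").strip(),
            "actor": (row.get("Initiated by (actor)") or "").strip(),
        })
    return findings


if __name__ == "__main__":
    for f in unapproved_app_events(SAMPLE_CSV, ALLOWLIST):
        print(f'{f["date"]}  {f["app"]!r:22} {f["activity"]} by {f["actor"]}')
```

Each remaining row is an application event that still needs review in the Details tab, as in step 4.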


FREE COMMUNITY EDITION

Netwrix Auditor for SharePoint

Free SharePoint monitoring to stay aware of changes and data access events in your SharePoint Online and on-premises SharePoint environment

Netwrix Auditor for SharePoint: Activity Summary

Added: 1
Removed: 1
Modified: 1

| Action | Object type | What | Item | Where | When | Workstation |
|---|---|---|---|---|---|---|
| Added | File | http://sp.enterprise.com/sites/Management/2018/Release Plan.docx | http://sp.enterprise.com/sites | http://sp.enterprise.com:4755 | 4/17/2018 3:02:44 AM | 81.89.03.122 |
| Removed | Folder | http://sp.enterprise.com/sites/Management/Contact Info | http://sp.enterprise.com/sites | http://sp.enterprise.com:4755 | 4/17/2018 3:04:56 AM | 81.89.03.122 |
| Modified | Site Collection | http://sp.enterprise.com/sites/Management/ | http://sp.enterprise.com/sites | http://sp.enterprise.com:4755 | 4/17/2018 3:05:14 AM | 81.89.03.122 |

Site Collection Administrators: Added: “[email protected]”

This message was sent by Netwrix Auditor from au-srv-fin.enterprise.com.


[On-Demand Webinar]

Remote Workers 101: Top 10 Things to Keep Track of

Ilia Sotnikov, Vice President, Product Management
Bradford Eadie, Systems Engineer

While we’re all trying to adapt to the new “work from home” reality, hackers are eagerly seizing the opportunity to get into your network through your expanded attack surface. The key to protecting your valuable assets is knowing exactly what types of attacks to look for.

Watch the series, where cybersecurity experts share tips on how to prevent data leakage and detect suspicious activity in cloud applications:

• Ways to identify covert attacks by monitoring VPN logon attempts in cloud apps
• Common techniques that exploit the weaknesses of remote employees, including credential phishing, malicious links in emails, and websites infected with malware
• 5 things you need to closely monitor to prevent data breaches

About Netwrix

Netwrix is a software company that enables information security and governance professionals to reclaim control over sensitive, regulated and business-critical data, regardless of where it resides.

Over 10,000 organizations worldwide rely on Netwrix solutions to secure sensitive data, realize the full business value of enterprise content, pass compliance audits with less effort and expense, and increase the productivity of IT teams and knowledge workers.

For more information visit www.netwrix.com

CORPORATE HEADQUARTER:
300 Spectrum Center Drive, Suite 200, Irvine, CA 92618
PHONES: 1-949-407-5125, Toll-free (USA): 888-638-9749

565 Metro Place S, Suite 400, Dublin, OH 43017
PHONE: 1-201-490-8840

5 New Street Square, London EC4A 3TW
PHONE: +44 (0) 203 588 3023

OTHER LOCATIONS:
Spain: +34 911 982608
Netherlands: +31 858 887 804
Sweden: +46 8 525 03487
Switzerland: +41 43 508 3472
Italy: +39 02 947 53539
France: +33 9 75 18 11 19
Germany: +49 711 899 89 187
Hong Kong: +852 5808 1306

SOCIAL: netwrix.com/social