Thursday 5 December 2019

Extending corporate network to untrusted device using Windows 10 and how to prevent it

At a customer site I discovered patterns of unexpected network traffic to various Google and Apple sites. The policy doesn't allow unmanaged devices (BYOD mobile phones etc.) to access the WiFi network, and this traffic pattern looked like mobile devices, but there weren't any mobile devices associated on the WiFi.

What actually happened is that dual-radio Windows 10 devices are able to run a Mobile Hotspot where mobile phones connect on 5GHz while the laptop keeps its own WiFi connection on 2.4GHz. This allows unmanaged devices to access the corporate network through the managed laptop.

To prevent this "feature", we decided to disable Mobile Hotspot sharing on the Windows 10 devices, using an Intune device configuration profile with this setting:

Setting the OMA-URI ./Vendor/MSFT/Policy/Config/WiFi/AllowInternetSharing to 0 disables the Mobile Hotspot button on Windows 10 devices.
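As an added example (not from the original post), this PowerShell function audits a single Windows 10 device for the exposure described above: whether a Mobile Hotspot is active right now and whether the sharing policy is actually enforced locally. It assumes two things from Windows defaults rather than from the post: Mobile Hotspot runs on the "Microsoft Wi-Fi Direct Virtual Adapter" and puts the host on the Internet Connection Sharing address 192.168.137.1, and the Policy CSP's AllowInternetSharing setting maps to the Group Policy registry value NC_ShowSharedAccessUI. Useful for confirming that the Intune profile reached the device, or for a quick fleet sweep via remoting.

```powershell
# Added example: audit a Windows 10 device for Mobile Hotspot exposure.
# Check 1: is a hotspot active? (assumption: hotspot uses the Wi-Fi Direct virtual
#          adapter and the ICS host address 192.168.137.1)
# Check 2: is sharing prohibited by policy? (assumption: AllowInternetSharing maps
#          to NC_ShowSharedAccessUI, 0 = sharing UI prohibited)
function Get-MobileHotspotExposure {
    [CmdletBinding()]
    param()

    # Check 1: both the adapter state and the ICS address are evaluated, so a
    # renamed adapter alone does not hide an active hotspot.
    $hotspotAdapters = Get-NetAdapter -IncludeHidden -ErrorAction SilentlyContinue |
        Where-Object {
            $_.InterfaceDescription -like 'Microsoft Wi-Fi Direct Virtual Adapter*' -and
            $_.Status -eq 'Up'
        }
    $icsAddress = Get-NetIPAddress -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Where-Object { $_.IPAddress -eq '192.168.137.1' }

    # Check 2: a missing value means no policy is enforced on this device.
    $policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections'
    $policyValue = (Get-ItemProperty -Path $policyKey -Name 'NC_ShowSharedAccessUI' `
                        -ErrorAction SilentlyContinue).NC_ShowSharedAccessUI

    # Physical adapters that are up: the uplink a hotspot would bridge into.
    $uplinks = Get-NetAdapter -Physical -ErrorAction SilentlyContinue |
        Where-Object { $_.Status -eq 'Up' } |
        Select-Object -ExpandProperty Name

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        HotspotActive  = [bool]($hotspotAdapters -or $icsAddress)
        SharingBlocked = ($policyValue -eq 0)
        PolicyValue    = $policyValue
        UplinkAdapters = ($uplinks -join ', ')
    }
}

Get-MobileHotspotExposure | Format-List
```

A device reporting HotspotActive = True together with SharingBlocked = False is exactly the condition the traffic pattern above pointed at; once the Intune setting applies, SharingBlocked should flip to True on the next sync.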

Wednesday 9 October 2019

Azure ATP sensor not starting

In the Azure ATP dashboard of one of my customers this health error appeared:

On the domain controller in question, the Azure ATP Sensor (aatpsensor) service was stuck in a starting loop and event 7031 was flooding the System event log.

Having a look at the Microsoft.Tri.Sensor-Errors.log file (in %programfiles%\Azure Advanced Threat Protection Sensor\<version>\Logs\), the problem is indicated:

Error WinPcapDeviceList SharpPcap.PcapException: No interfaces found! Make sure libpcap/WinPcap is properly installed on the local machine.

WinPcap... as the one from Wireshark?? Indeed. 

Wireshark was installed on the domain controller with the sensor problem and was no longer needed, so I uninstalled all Wireshark components and the Azure ATP Sensor, and then reinstalled the Azure ATP Sensor.

Now the sensor works again.

There is an issue with running Wireshark on a domain controller where the Azure ATP Sensor is installed, as both applications use the WinPcap component.
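As an added example (not part of the original post), this PowerShell function gathers the three symptoms described above on the local domain controller in one go: the service state, the count of recent event 7031 crashes for the sensor, and the "No interfaces found" lines in the newest Microsoft.Tri.Sensor-Errors log, plus whether Wireshark or WinPcap is registered in the installed-programs list. The service name and log path come from the post; the 7031 message text being matched on the sensor's display name, and the versioned folder being the newest numeric one, are assumptions.

```powershell
# Added example: triage the Azure ATP sensor starting loop described in the post.
function Test-AatpSensorHealth {
    [CmdletBinding()]
    param(
        [int]$LookbackHours = 24
    )

    $service = Get-Service -Name 'aatpsensor' -ErrorAction SilentlyContinue

    # Event 7031 is written by Service Control Manager when a service terminates
    # unexpectedly; keep only those naming the sensor (assumed display name).
    $since = (Get-Date).AddHours(-$LookbackHours)
    $crashEvents = @(Get-WinEvent -FilterHashtable @{
            LogName      = 'System'
            ProviderName = 'Service Control Manager'
            Id           = 7031
            StartTime    = $since
        } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*Azure Advanced Threat Protection Sensor*' })

    # Resolve <version>\Logs: pick the highest numeric version folder present.
    $sensorRoot = Join-Path $env:ProgramFiles 'Azure Advanced Threat Protection Sensor'
    $logDir = Get-ChildItem -Path $sensorRoot -Directory -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^\d+(\.\d+)+$' } |
        Sort-Object { [version]$_.Name } -Descending |
        Select-Object -First 1 |
        ForEach-Object { Join-Path $_.FullName 'Logs' }

    $pcapErrors = @()
    if ($logDir -and (Test-Path $logDir)) {
        $pcapErrors = @(Get-ChildItem -Path $logDir -Filter 'Microsoft.Tri.Sensor-Errors*.log' |
            Select-String -Pattern 'No interfaces found' -SimpleMatch)
    }

    # A second consumer of the capture driver is the conflict the post describes.
    $captureSoftware = @(Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' `
            -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Wireshark*' -or $_.DisplayName -like 'WinPcap*' })

    [pscustomobject]@{
        ServiceStatus      = if ($service) { $service.Status.ToString() } else { 'NotInstalled' }
        Crashes7031        = $crashEvents.Count
        PcapErrorLines     = $pcapErrors.Count
        CaptureSoftware    = (($captureSoftware.DisplayName | Sort-Object -Unique) -join ', ')
        LikelyPcapConflict = ($pcapErrors.Count -gt 0 -and $captureSoftware.Count -gt 0)
    }
}

Test-AatpSensorHealth | Format-List
```

LikelyPcapConflict = True reproduces the situation in the post: the sensor cannot enumerate capture interfaces while another WinPcap consumer is present on the domain controller.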

Thursday 25 April 2019

Teams naming policy

I have come across a few organizations where the creation of new teams in Microsoft Teams is limited to a few administrators. This is of course a method to make sure the administrators still have work to do, but a rather ineffective way to control the names being used.

As you might know, when creating a Teams team an Office 365 Group, a SharePoint site, and a mailbox are created as well.

In this case we want to make sure any Teams team created is following this naming policy:
"Team [GroupName] [Company] [Department]", so if a user from Engineering in Contoso creates a team called ProjectX, the name of the Teams team will be: "Team ProjectX Contoso Engineering".

Supported Azure AD attributes are [Department], [Company], [Office], [StateOrProvince], [CountryOrRegion] and [Title]. [GroupName] is a mandatory entry in the policy.

1. Make sure you have the newest AzureADPreview PowerShell module installed.
Uninstall-Module AzureADPreview
Install-Module AzureADPreview

2. Import the module and connect to Azure AD.
Import-Module AzureADPreview
Connect-AzureAD
Sign in to your account.

3. Fetch the current settings
$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id
$Setting.Values
If $Setting.Values returns an entry, proceed to step 5.

4. Get the settings template (the template carries the same DisplayName as the setting it creates).
$Template = Get-AzureADDirectorySettingTemplate | where -Property DisplayName -Value "Group.Unified" -EQ
Create a new settings object based on the template
$Setting = $Template.CreateDirectorySetting()
New-AzureADDirectorySetting -DirectorySetting $Setting

5. Save the setting for the team naming policy
$Setting["PrefixSuffixNamingRequirement"] = "Team [GroupName] [Company] [Department]"
Set-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id -DirectorySetting $Setting
That's it.
Now we can see the new PrefixSuffixNamingRequirement is in place

(Get-azureADDirectorySetting | Where-Object {$_.displayname -eq "Group.Unified"}).values

Our next problem is that no one is allowed to use the word ProjectX in our Teams. Also words such as CEO, NextLevel and payroll are not accepted.

Fetch the settings again.
$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id
Set the blocked words list. The words are case insensitive. Note that substrings are not checked, so Class will be permitted even if Lass is blocked.
$Setting["CustomBlockedWordsList"] = "ProjectX,CEO,NextLevel,payroll"
And save the settings again
Set-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id -DirectorySetting $Setting
Now also the BlockedWords list is updated.
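The whole procedure above, written as one script so it can be rerun safely, is added here as an example and is not from the original post. It uses the same AzureADPreview cmdlets, creates the Group.Unified setting from its template only when the tenant has none yet (the case step 4 covers), validates that [GroupName] is present, applies both the naming policy and the blocked words, and then reads the values back from the tenant for verification. The function names, parameter names and the comma check are my additions; Connect-AzureAD must have been run beforehand.

```powershell
# Added example: idempotent version of the Teams naming policy procedure above.
param(
    [string]$NamingRequirement = 'Team [GroupName] [Company] [Department]',
    [string[]]$BlockedWords    = @('ProjectX', 'CEO', 'NextLevel', 'payroll')
)

function Get-OrCreateGroupUnifiedSetting {
    $setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }
    if (-not $setting) {
        # No tenant-wide setting yet: instantiate it from the template of the same name
        # (the template, not an existing setting, is what must be looked up here).
        $template = Get-AzureADDirectorySettingTemplate |
            Where-Object { $_.DisplayName -eq 'Group.Unified' }
        $new = $template.CreateDirectorySetting()
        New-AzureADDirectorySetting -DirectorySetting $new | Out-Null
        $setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }
    }
    return $setting
}

function Set-TeamsNamingPolicy {
    param(
        [Parameter(Mandatory)][string]$Requirement,
        [Parameter(Mandatory)][string[]]$Words
    )
    # [GroupName] is the one mandatory token in PrefixSuffixNamingRequirement.
    if ($Requirement -notmatch '\[GroupName\]') {
        throw '[GroupName] is mandatory in PrefixSuffixNamingRequirement.'
    }
    # CustomBlockedWordsList is stored as one comma-separated string, so a word
    # containing a comma would silently split into two.
    if ($Words | Where-Object { $_ -match ',' }) {
        throw 'Blocked words must not contain commas.'
    }

    $setting = Get-OrCreateGroupUnifiedSetting
    $setting['PrefixSuffixNamingRequirement'] = $Requirement
    $setting['CustomBlockedWordsList']        = ($Words -join ',')
    Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting

    # Read back what the tenant reports rather than trusting the local object.
    (Get-AzureADDirectorySetting -Id $setting.Id).Values |
        Where-Object { $_.Name -in 'PrefixSuffixNamingRequirement', 'CustomBlockedWordsList' }
}

Set-TeamsNamingPolicy -Requirement $NamingRequirement -Words $BlockedWords
```

Running it a second time changes nothing in the tenant except overwriting the two values with the same content, which makes it suitable for a scheduled configuration-drift check.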

All these settings are also available in the Azure portal now.

When a user creates a new team, this is the user experience in Teams.

And this is what the user sees when trying to create a new team with a blocked word, like ProjectX.