QNAP Warns of OpenSSL Infinite Loop Vulnerability Affecting NAS Devices

Taiwanese company QNAP this week revealed that a selected number of its network-attached storage (NAS) appliances are affected by a recently-disclosed bug in the open-source OpenSSL cryptographic library.

“An infinite loop vulnerability in OpenSSL has been reported to affect certain QNAP NAS,” the company said in an advisory published on March 29, 2022. “If exploited, the vulnerability allows attackers to conduct denial-of-service attacks.”

Tracked as CVE-2022-0778 (CVSS score: 7.5), the issue relates to a bug that arises when parsing security certificates to trigger a denial-of-service condition and remotely crash unpatched devices.

QNAP, which is currently investigating its line-up, said it affects the following operating system versions –

  • QTS 5.0.x and later
  • QTS 4.5.4 and later
  • QTS 4.3.6 and later
  • QTS 4.3.4 and later
  • QTS 4.3.3 and later
  • QTS 4.2.6 and later
  • QuTS hero h5.0.x and later
  • QuTS hero h4.5.4 and later, and
  • QuTScloud c5.0.x

To date, there is no evidence that the vulnerability has been exploited in the wild. Although Italy’s Computer Security Incident Response Team (CSIRT) released an advisory to the contrary on March 16, the agency clarified to The Hacker News that it has “updated the alert with an errata corrige.”

The advisory comes a week after QNAP released security updates for QuTS hero (version h5.0.0.1949 build 20220215 and later) to address the “Dirty Pipe” local privilege escalation flaw impacting its devices. Patches for QTS and QuTScloud operating systems are expected to be released soon.

Source :

Is there such a thing as Spring4Shell?

Very early in the morning on March 30th (for me), my colleague DeveloperSteve posted a “Hey, have you seen this?” message in our slack channel. It was an “advance warning” of a “probable” remote code execution (RCE) in the massively popular Java Spring framework. I would come to find out that even earlier than that, the Snyk Security team started investigation a potential RCE in Spring after seeing a tweet that has since been deleted.

Details seemed sketchy at best at this point (about 1:20am EDT). There was a tweet with screenshots that had been deleted. There were references to a pull request (PR) that, as it turns out, was first put up on February 18th, but only merged on March 29th.

Various parties were trying to make the nickname “Spring4Shell” stick (or, sometimes just SpringShell), while Spring Core maintainers were adding comments to the PR saying there was no known RCE.

So, just what the heck was going on and what is going on now?

What’s the bottom line (for now)?

There’s a credible RCE vulnerability in spring-beans package, which is part of Spring Core. This is a key enabler of the inversion of control (IoC) capabilities of Spring. This is often referred to as dependency injection.

If you’ve used the @Autowired annotation or utilized the magic of constructor injection, you’ve encountered dependency injection in the Spring ecosystem.

In affected versions, an RCE is achievable by manipulating the ClassLoader via a carefully composed HTTP POST request.

At this time, the exploit is only known to be possible with a Java Runtime Environment (JRE) version 9 or greater AND Tomcat version 9 or greater.

The best immediate remediation is to deploy your application in an older version of the JRE and/or an older version of Tomcat.

We’ll continue to provide updates through our vulnerability database as the situation evolves.

Where is all the confusion coming from?

One of the first blog posts our team was alerted to in the wee hours of March 30th has since been deleted. This post referenced a tweet that was also deleted. Despite the double-delete, there was a verifiable reference to a commit to Spring Core related that is related to deserialization (a Java feature that has led to RCEs before – Log4Shell, anyone?).

The comment on this commit says:

Since SerializationUtils#deserialize is based on Java's serialization
mechanism, it can be the source of Remote Code Execution (RCE)

As the day progressed, there was more buzz (with very little verifiable fact to back it up) that we might be dealing with an RCE in Spring Core.

Further down in the comments, a Spring Core committer validated another comment stating that this commit had nothing to do with any known RCE.

And, in fact, if you look at the PR the commit resolves, it was first opened on February 18th.

Now, here’s the kicker: while all this was going on, the Interwebs was busy conflating this evolving issue with another known issue in a completely different project: Spring Cloud Function. So as to not further this confusion, I won’t go into the details of this vulnerability. Suffice it to say that if you’re reading something on vulnerabilities in Spring Cloud, you’re barking up the wrong tree for information on Spring4Shell (please, can we give it a different name?)

So, what is Spring4Shell after all?

Stay tuned

We’ll be updating this blog as we learn more about Spring4Shell (last update: March 31, 2022)

Out of an abundance of caution and not wanting to act on incomplete information, security researchers at Snyk spent time reviewing the situation over the course of the day on March 30th.

At this time, our conclusion is that there’s a credible RCE threat in the Spring Core spring-beans package. For better or worse, Spring4Shell is sticking. It makes sense as there’s already a legitimate Spring Shell project in the Spring ecosystem.

Spring4Shell remediation

A new version of the Spring Framework has been released that the current exploit does not work on. It’s version 5.2.20.

And, if you work with Spring Boot, just today version 2.5.12 was released which integrates the changes to the Spring framework and spring-beans. Note: The latest Spring Boot release, 2.6.5, does NOT have these fixes in place. The Spring Boot team is working on release 2.6.6 which will include these updates as well. We’ll keep you posted when that becomes available.

Here’s a list of remediation steps you can take in order of preference:

  • If you use Spring Framework directly, upgrade to version 5.2.20
  • If you use Spring Boot, use version 2.15.12Note: This may represent a downgrade if you are already on 2.6.x as that version has not yet been updated to integrate these fixes
  • If you can’t upgrade your version of Spring at this time, use a version 8 JRE and/or Tomcat container to mitigate the issue

It’s worth noting that there will likely be additional updates to Spring as more (and potentially different) vulnerabilities are discovered. This is often the trajectory when a high degree of focus is put on a high severity issue like this (Log4Shell, anyone?).

Snyk’s tools have already been updated to notify you if you’re project is vulnerable!

Head on over to Snyk to sign up for a free account. From there (or on the command line) you can test your project to see if it’s vulnerable to Spring4Shell.

We expect to update this post and to produce a PoC code repository to demonstrate the RCE in version 9 and greater of the JRE and Tomcat. Tune in here for updates.

Source :

New Data Centers Show Cisco’s Investment in a Global Cloud Architecture

You want a cybersecurity solution that safeguards your enterprise, not one that slows it down. So, finding a security partner that maintains a global data center network is crucial – this reduces latency and improves reliability. Fortunately, the Cisco Umbrella team backs an award-winning solution with an ever-expanding data center network that spans the globe.

Our data centers – located at key Internet Exchange Points (IXPs) around the world – improve Software-as-a-Service (SaaS) performance by up to 33% over direct internet access (DIA). And our engineers continue to build out this network to support global enterprise customers. We supplement this growing data center network with Anycast routing and a robust assortment of peering relationships, enabling Cisco Umbrella customers to experience the best of both worlds when it comes to security and performance.     

Expanding Cisco Umbrella’s Data Center Network

The Cisco Umbrella data center network allows our customers to utilize cybersecurity functionality that includes – but isn’t limited to – DNS-layer security, Secure Web Gateway (SGW), and Cloud Access Security Broker (CASB). A security efficacy test performed by AV-TEST found that Cisco Umbrella had the highest threat detection rate in the industry at 96.39%. And thanks in part to the network of data centers backing Umbrella, this security doesn’t come at the expense of performance.

The most recent additions to the Cisco Umbrella data center network include both brand-new locations and upgrades to existing facilities in:

Our team chooses new locations for their proximity to IXPs, allowing customers to take advantage of faster service. We also prioritize carrier-neutral data centers and heavily utilize colocation facilities. This gives users peace of mind, since Cisco Umbrella is fortified against downtime caused by carrier outages.

How Anycast Routing Makes a Difference

Anycast augmented routing allows our team to maximize performance for our customers. Anycast routing automatically selects the best path to a Cisco Umbrella data center, evaluating things like availability and connection quality.

Not only does Anycast routing reduce latency, but it also helps shield Cisco Umbrella users from outages. If one of the data centers in our network goes down, traffic will automatically fail over to the best available data center. Alternately, users can manually configure tunnels to a Cisco Umbrella data center of their choice to ensure ongoing availability and redundancy.  

Reducing Latency With Peering Partners

Of course, a robust data center network isn’t the only factor affecting latency within a cybersecurity solution. That’s why Cisco Umbrella maintains peering partnerships with 1,000+ internet service providers (ISPs), Content Delivery Networks (CDNs), and Software-as-a-Service (SaaS) providers. These partnerships result in more than 6,000 peering sessions with our premier partners.

Text reading "Some of our peering partners." Underneath the text are logos for AT&T, BT Media & Broadcast, GoogleFiber, Verizon, Amazon, Netflix, Dell Services, Huawei, Microsoft, Alibaba.com, SalesForce, Google, Facebook, Box, Baidu, and Cisco Webex.

Peering partnerships serve as a valuable shortcut between customer networks, ISPs, CDNs, and SaaS solutions. This reduces routing hops and shrinks latency, allowing customers to enjoy enhanced performance without ever sacrificing Cisco Umbrella’s world-class security.

Ready to See the Cisco Umbrella Data Center Network In Action?

Explore the full potential of Cisco Umbrella when you sign up for a free, personalized demo today!

Source :

Google Issues Urgent Chrome Update to Patch Actively Exploited Zero-Day Vulnerability

Google on Friday shipped an out-of-band security update to address a high severity vulnerability in its Chrome browser that it said is being actively exploited in the wild.

Tracked as CVE-2022-1096, the zero-day flaw relates to a type confusion vulnerability in the V8 JavaScript engine. An anonymous researcher has been credited with reporting the bug on March 23, 2022.

Type confusion errors, which arise when a resource (e.g., a variable or an object) is accessed using a type that’s incompatible to what was originally initialized, could have serious consequences in languages that are not memory safe like C and C++, enabling a malicious actor to perform out-of-bounds memory access.

“When a memory buffer is accessed using the wrong type, it could read or write memory out of the bounds of the buffer, if the allocated buffer is smaller than the type that the code is attempting to access, leading to a crash and possibly code execution,” MITRE’s Common Weakness Enumeration (CWE) explains.

The tech giant acknowledged it’s “aware that an exploit for CVE-2022-1096 exists in the wild,” but stopped short of sharing additional specifics so as to prevent further exploitation and until a majority of users are updated with a fix.

CVE-2022-1096 is the second zero-day vulnerability addressed by Google in Chrome since the start of the year, the first being CVE-2022-0609, a use-after-free vulnerability in the Animation component that was patched on February 14, 2022.

Earlier this week, Google’s Threat Analysis Group (TAG) disclosed details of a twin campaign staged by North Korean nation-state groups that weaponized the flaw to strike U.S. based organizations spanning news media, IT, cryptocurrency, and fintech industries.

Google Chrome users are highly recommended to update to the latest version 99.0.4844.84 for Windows, Mac, and Linux to mitigate any potential threats. Users of Chromium-based browsers such as Microsoft Edge, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.

Source :

What’s New in System Center 2022?

Launched in “early preview” in November 2021 the next version of System Center is going to be released in the first quarter of 2022.

In this article, we’ll look at what’s new in each of the main components, Virtual Machine Manager, Operations Manager and Data Protection Manager and make some predictions around the finished product.

Virtual Machine Manager 2022

If you have a medium to large deployment of Hyper-V clusters, VMM is a must for management. Somewhat equivalent to vCenter in the VMware world this is the server product that lets you manage templates for VMs, including templates with multiple VMs (called a service) and other artefacts as well as automated deployments. VMM also manages your Software Defined Networking (SDN) stack and your backend storage (SANs and S2D). Notably, it also manages VMware virtualization hosts and clusters and can also integrate with Azure for light VM management.

SC Virtual Machine Manager 2022 Installation

SC Virtual Machine Manager 2022 Installation

There are a few new features in this version but the running theme throughout System Center 2022 (unless there’s a surprise reveal at GA) is that this is mostly about finishing little details and ensuring compatibility with current platforms. VMM 2022 runs on Windows Server 2022 and can manage Windows Server 2022 hosts.

On the networking side, the SDN stack gets support for dual-stack IPv4 and IPv6. You’ll need to be using the SDN v2 stack but that’s been where any new features have appeared since System Center 2016. In case you’re not familiar, up to System Center 2012R2 / Windows Server 2012R2 Microsoft built their own network virtualization stack and protocol but in 2016 they offered VXLan from VMware as an alternative. They also switched to an Azure inspired architecture where there’s a set of Network Controller VMs running on your cluster, managing all the virtualized networks. There are also Software Load Balancer VMs managing incoming network traffic, plus a Gateway providing connectivity from a virtualized network to the wider world. The dual-stack support covers all of these components, including site to site VPN (IPSec, GRE tunnel and L3 tunnels) so if your datacenter is adopting IPv6 – VMM is all ready to go. Note that you’ll need to provide both IPv4 and IPv6 address pools when setting this up.

VMM Logical Network with IPv4 and IPv6 subnets

VMM Logical Network with IPv4 and IPv6 subnets

The other big-ticket item is support for Azure Stack HCI (version 20H2 and 21H2) and Windows Server 2022. Note that VMM 2019 Update Release 3 (UR3) does provide support for Azure Stack HCI 20H2. If you missed our Windows Server 2022 webinar and haven’t heard of Azure Stack HCI realize that it’s got very little to do with Azure. This is a special version of Windows Server and Hyper-V that you cluster on top of Storage Spaces Direct (S2D) which you can then manage from Azure. The benefit of Azure Stack HCI is that all the latest features in Windows Server (and Hyper-V) are released for it (unlike “normal” Windows Server) and the downside is that you pay a subscription fee per core, per month, for it.

You can add existing Azure Stack HCI clusters, and you can also create new ones from within VMM. You can manage the entire VM lifecycle, set up VLAN based networks, deploy/manage the SDN controller and manage storage, creation of virtual disks and cluster shared volumes (CSVs) and application of storage QoS. There are new PowerShell cmdlets to handle Azure Stack HCI (Register-SCAzStackHCI).

Note that disaggregated Azure Stack HCI clusters (for Scale Out File Server, SOFS) aren’t supported, nor is Live Migration from an Azure Stack HCI cluster to a Windows Server cluster (although quick migration should work).

I installed the “early preview” on a Windows Server 2022 VM, and it works as advertised, with no visual differences from VMM 2019.

Operations Manager

Apart from VMM, I think SCOM is probably the strongest part of System Center. This venerable product keeps an eye on everything in your virtualized datacenter. Using Dell/HP/Lenovo servers? Just install the free management pack and you’ll get hardware monitoring, down to individual fans in your servers. The same goes for your networking and storage gear. Properly configured, SCOM provides visibility into your entire datacenter stack, from physical hardware to user-facing application code.

There are two new RBAC roles: Read-only Administrator which does what it says on the tin, including reporting. The Delegated Administrator profile doesn’t include report viewing but you can customize exactly what it should be able to do by adding one or more of:

  • Agent management
  • Account management
  • Connector Management
  • Global settings
  • Management pack authoring
  • Notification management
  • Operator permissions
  • Reporting permissions

If you have disabled NTLM in your organization, SCOM 2016/2019 reporting services are impacted, 2022 has a new authentication type (Windows Negotiate) that fixes this issue.

An interesting twist is the ability to choose the alert closure behavior, in 2019 you can’t close an alert when the underlying monitor is unhealthy, now you can choose to be able to close the alert and reset the monitor health, which will let you bulk close alerts. This brings back the behavior from earlier versions of SCOM. Alternatively, you can choose to stay with the 2019 behavior.

There are improvements to the upgrade process where registry key settings and custom install location of the Monitoring Agent is maintained when going from SCOM 2019 to 2022.

Alerts can now be sent to Teams channels, instead of Skype for Business.

SCOM can also monitor Azure Stack HCI deployments, using a new MP, which is actually a grouping of current Management Packs (BaseOS, Cluster, Hyper-V, SDN and Storage).

There are also some other minor fixes such as running the SCOM database on SQL Always On (no post configuration changes required), SHA256 encryption for certificates for the Linux agent, the FQDN source of alerts is now shown when tuning Management Packs and you can view the alert source for active alerts. Newer Linux distros such as Ubuntu20, Debian 10 and Oracle Linux 8 are also now supported for monitoring.

The dependency on the LocalSystem account on Management Servers has been removed and just like the other System Center components, SCOM 2022 runs on Windows Server 2022.

Data Protection Manager

Apart from running on Windows Server 2022, there are a few improvements in DPM. The main one (depending on your restore scenarios) is removing the requirement of file catalogue metadata for individual file and folder restores and instead uses an iSCSI based approach which improves backup times and restores.

If you’re using DPM to protect VMware vCenter you can now restore VMs in parallel, the default value is up to 8 VM simultaneously but you can up that limit with a simple registry change. Speaking of vCenter, VMware 7.0, 6.7 and 6.5 are supported and you can now separate the VDDK logs that relate to VMware operations from the rest of the DPM logs and store them in a user-defined file.

Another “big” improvement is the change of the maximum data storage for a DPM server from 120 TB to 300 TB. As before, it’s recommended to have tiered storage with a small amount of SSD cache and the rest hard-drive-based and use the ReFS file system.

Should you be Excited?

It seems that System Center Orchestrator will come in a 64-bit version although the bits weren’t part of the Early Preview, nor were System Center Service Manager 2022.

Overall, for me there’s nothing that we’ve covered in this article that’s a “must-have” to entice me to upgrade but if I’m upgrading to Windows Server 2022 anyway, or considering Azure Stack HCI, it’s a natural step.

I often express it like this – System Center is on life support. Microsoft isn’t looking to gain more market share against other datacenter management suites, they’re simply keeping System Center up to date and able to manage the latest OSs so that if you’re already a customer – you have a comfortable upgrade path. All System Center products also incorporate various levels of Azure/Microsoft 365 integration to tick the box of being “hybrid” and helping enterprises in their journey to the cloud.

Source :

Deep Dive on Microsoft 365 Defender

The best way to protect a business of any size today against cyber risks is with an integrated suite of tools. Microsoft 365 Defender is one such service that we’ll look at in this article.

For many years the conventional wisdom, especially in larger organizations, was to buy best of breed solutions for each area. So, you ended up with the “best” (defining the “best” solution is hard, and changes quite quickly) email hygiene solution, the best anti-malware solution, the best firewall etc. And because none of them natively integrated with each other, and manual integration is hard and time-consuming, you ended up with multiple consoles and multiple data silos where low fidelity signals were ignored, while they could actually have told you about a breach in progress if you’d been able to correlate those individual low severity signals between each of the systems. A way to solve this issue is via Security Orchestration and Automation Response (SOAR) solutions that act as a “glue” between each product. Another is to buy an already integrated suite of tools such as Microsoft 365 Defender. The promise is eXtended Detection and Response (XDR), which is an extension of Endpoint Detection and Response (EDR) to indicate that not only endpoints but all systems are included in the protection and response.

Microsoft 365 Defender Main Dashboard

Microsoft 365 Defender Main Dashboard

Name changes

In late 2020, Microsoft changed the names of nearly all of their security products so if you’re used to hearing about Advanced Threat Protection (ATP) or Microsoft Threat Protection (MTP), those have all been replaced. There’s now Microsoft 365 Defender which is the umbrella term for the Defenders in M365, as well as a unified console. There’s also Microsoft Defender for Identity (formerly Azure ATP), Microsoft Defender for Office 365 (formerly Office 365 Advanced Threat Protection), Defender for Endpoint (formerly Microsoft Windows Defender, then Microsoft Defender).

These products all tie into Microsoft 365 Defender (M365D) and are commonly abbreviated MDI, MDO and MDE. Microsoft’s Cloud App Security Broker (CASB) was renamed to Defender for Cloud Apps (MDCA?) at the Ignite conference in November 2021, it was previously known as Cloud App Security (MCAS). This makes a whole lot of sense as it’s part of the Defender family and can feed logs into the unified console.

Whilst not strictly a security product, and not bearing the Defender moniker, Azure Active Directory (AAD) and its security features also tie strongly into Microsoft 365 Defender.

There’s also Azure Defender for your IaaS and PaaS workloads in Azure, which also changed its name at Ignite in November 2021 to Microsoft Defender for Cloud. Also, separate from all of these security products but eminently capable of working with all of them is Azure Sentinel – a cloud-based Security Information and Event Management (SIEM).

Meet the Defenders

We have deep-dive articles on MDI, MDO and MDE here in the M365 Dojo but understanding what each of them does is crucial to understanding how Microsoft 365 Defender ties them all together.

MDI is a cloud-based service that monitors your on-premises Active Directory for specific indicators of compromised identities and attacker operations. Anytime an attacker gains a foothold in your organization, one of their first goals is to move laterally and elevate privileges, preferably reaching Domain Dominance. This last stage, where your entire on-premises identity infrastructure is completely under the criminal’s control, takes on average 48 hours. MDI relies on agents on your Domain Controllers (DCs) or if your security team can’t stomach that, a member server that receives forwarded event log data from each DC and catches network traffic using port mirroring. MDI will catch attacker activity during five phases: ReconnaissanceCompromised credentialsLateral movementDomain dominance and Exfiltration. Because MDI is laser-focused on AD (and AD Federation Services ADFS, after the Solarwinds attacks), it produces high fidelity alerts with very specific data to catch and contain miscreants on your network. Examples of attacks detected include Account enumeration reconnaissance, AS-REP Roasting, Identity theft (pass-the-hash), Skeleton Key attack and Data exfiltration over SMB and many, many others.

Threat and Vulnerability Management dashboard

MDO is all about providing advanced protection for your Office Online workloads. So, after incoming emails and attachments have been scanned by Exchange Online Protection (EOP) which includes three AV engines to provide a base level of protection if an attachment has never been seen before it’ll be opened in a VM and automatically inspected for malicious behaviour to catch zero-day attacks. MDO also looks at every URL in emails to see if they lead to compromised sites. It also provides time-of-click scanning as attackers will frequently compromise a benign website, send out their emails with links that won’t raise flags as they’re delivered (since the site isn’t displaying malicious indications at this point), then activate the malicious payload on the website. By checking the link atthe time of actually clicking on it, MDO provides stronger protection for your end-users. MDO comes in two flavours, plan 1 covers the above features, whereas plan 2 adds Threat Trackers (intelligence on current attacks in the wild), Threat Explorer (also known as Explorer, shows you recent threats in your tenant), Automated Investigation and Response (AIR) and Attack simulation training (to train your users to recognize dangerous phishing emails).

MDE on the other hand is a full-fledged EDR and anti-malware solution for your endpoints, including Windows, MacOS, Android, iOS and Linux. On Windows there’s no agent to deploy, it’s simply a matter of activating the bits already in the OS through onboarding, either with a script or Configuration Manager, Intune, or Group Policy at scale. Apart from local and cloud-based Machine Learning (ML) models to identify new threats, MDE also offers AIR and a complete Threat and Vulnerability Management (TVM) solution.

Threat and Vulnerability Management dashboard

TVM inventories all software installed on your endpoints (Windows 8.1, 10 (1709+), 11 and Windows Server 2008R2+, MacOS and Linux) and compares against known software vulnerabilities. Using signals such as the risk of the vulnerability being exploited, the number of devices in your organization where it’s installed and the usage of the application it’ll give you a prioritized list of programs to upgrade. As this is often a task for the endpoint/desktop team rather than the security team, there’s built-in functionality to create a task in Intune with links to the relevant upgrades etc.

Until recently there was only one version of MDE, but in August 2021 Microsoft announced a new version called Plan 1, while the full-featured version became Plan 2. Plan 1 is in preview and brings Next-generation protection (anti-malware/virus), Attack surface reduction, Manual response actions, Centralized management, Security reports and API access. Plan 2 adds Device discovery, TVM as above, AIR, Advanced hunting, full EDR and Microsoft Threat Experts (MTE). This last one is a managed SOC service by Microsoft which gives you two services, targeted attack notifications where analysts have identified an ongoing attack in your environment and access to experts on-demand to help your SOC if you need them.

At the Ignite 2021 conference, these two siblings (Plan 1 & Plan 2) were joined by a cousin, Microsoft Defender for Business which will (it’s “coming to preview soon”) protect your Windows, macOS, iOS, and Android endpoints for up to 300 users in a business. Unlike Plan 1, it comes with TVM, and AIR and full EDR so the only things that are missing are Linux support, MTE and advanced hunting. It’ll be available as part of Microsoft 365 Business Premium or as a standalone license at $3 per user per month. It’ll also integrate with Microsoft 365 Lighthouse.

A common misunderstanding is between MDE and the built-in security features that every Windows 10 user can take advantage of Microsoft Defender Security Center and Microsoft Defender Antivirus. These basic protection features are used by MDE, but it adds many advanced features on top as outlined above.

There are good alternatives to Microsoft’s services, if you’re looking for email hygiene, archiving / journaling, zero-day protection and email continuity even if Exchange Online is unavailable, plus optional backup, 365 Total Protection is excellent.

Microsoft 365 Defender

MDE used to have its own portal, separate from other security products (securitycenter.windows.com) and while it’s still there it comes with a banner strongly suggesting redirecting users to the main M365 Defender portal (security.microsoft.com). MDI’s previous portal is completely retired and its functionality was moved into the Defender for Cloud Apps portal quite some time ago and MDO is already housed in the M365 Defender portal. The work to integrate MDI into the main Microsoft 365 Defender portal is extensive and is likely to take some time. There’s more to the integration than just a single portal, although that’s a good start.

If you are using MCAS, you can integrate its telemetry into Microsoft 365 Defender.

First, there’s a unified alerts queue, so you’re not looking in one place for an email threat that might have snuck past your mail filtering, and in another place for endpoints where that same email attachment might have been opened, it’s all in the same place. The same goes for the unified user page, a user account is an object in MDI (AD) but also an entity in MDO (has a mailbox, OneDrive for Business storage etc.) and of course an object in MDE on whatever devices they’re logged in to.

The unified investigation page is my favourite, the ability to see details of automated actions (AIR) along with options to further investigate myself is very powerful, especially as it spans all the different Defenders. By popular demand, there’s also an email entity page that lets you investigate suspicious emails, including previewing them if they’re stored in an Exchange online mailbox.

Email entity page

Email entity page

There are two ways of controlling access to M365 Defender data using RBAC, either using built-in Azure AD roles or if you want to control access very granularly in a large environment, using Custom role access.

You don’t need to have all the different Defenders enabled to take advantage of M365 Defender, as soon as you enable one workload it works, as you add more services, more of the portal will light up.

Do you like to Hunt?

The coolest benefit of the integration however is the ability to do advanced hunting across all the data flowing into Microsoft 365 Defender. This is a sign of a mature security organization where it’s not all about dealing with alerts and incidents raised by the security systems but where there’s also time for an analyst to say, “I wonder if that attack against a company similar to us last week could have hit us too – let me grab the Indicators of Compromise (IOCs) and look through our logs”. All Microsoft security products rely on Kusto Query Language (KQL) with a similar syntax to SQL for searching through large amounts of security log data and the ability to look in one query over email data (MDO), identity data (MDI), endpoint processes and actions (MDE) as well as third party cloud service logs (MCAS) is incredibly powerful.

There’s a new Advanced Hunting UI, recently released, which offers tabs for each query you’re working with and feedback on the performance of each query run.

Here I’m looking to see if any suspicious PowerShell activity was launched within 30 minutes of a known malicious email being received in the last 7 days.

Advanced Hunting in Microsoft 365 Defender

Advanced Hunting in Microsoft 365 Defender

If you find events of interest during hunting, you can now use them to create an incident or add them as alerts to an existing incident. You can also bring in external data into hunting queries from lists of IP addresses, accounts etc.

Microsoft 365 Defender also offers a Secure Score across identities, devices and apps, giving you an overview of where you have strong controls in place and areas where you can improve your tenant’s overall security posture.

Microsoft 365 Defender Secure Score

Microsoft 365 Defender Secure Score

There’s also a unified view of Alerts and Incidents, actions taken by AIR and reports for endpoints, emails, identity, and overall security.

Alternative Solutions

While Microsoft 365 Defender is a comprehensive security solution it’s not the only game in town. There are many other providers that offer various solutions for email hygiene that integrate neatly with Exchange Online and provide features Microsoft doesn’t. There are also services for email continuity (when Exchange Online is down), encryption of sensitive data, long term archiving of emails for compliance, signature services, backup of Office 365 data and many other EDR and XDR solutions on the market. One reason for choosing a different provider is the perceived conflict of interest when Microsoft is both providing the collaboration platform and the security services on top. Another reason could be to pick a best of breed solution for a particular threat – just make sure the integration to the rest of the security stack you need is available.


The power of an integrated suite that looks for malicious activity across email, identity and endpoints cannot be underestimated. There are a few things to keep in mind, however: Microsoft 365 Defender is focused on Microsoft 365 (it’s in the name) but most organizations have many other platforms and services to secure and monitor which is where a SIEM like Azure Sentinel comes into play. It can ingest data from Microsoft 365 Defender and many other Microsoft services, along with 100+ third-party data sources for a true single view of your digital estate. There’s also bi-directional synchronization between them so if you close an incident in Microsoft 365 Defender, it closes in Azure Sentinel and vice versa. Log retention is only 30 days in Microsoft 365 Defender whereas Azure Sentinel gives you 90 days for free, with several different options for storing security log data for longer.

Secondly, most features in the Defender family require Microsoft 365 E5 licensing (or M365 E3 plus add-ons) which isn’t cheap, especially in medium to large organizations. There’s definitely a conversation to be had about the role of Microsoft providing the platforms and then charging extra on top for the advanced security features, rather than just ensuring that the platform itself has the required security in place. An alternative is a trusted third-party solution such as Hornet Security’s 365 Total Protection which is also considerably more cost-effective.

Source :

OneDrive for Business: Tips and Tricks for High-Performing Admins

This article focuses on administration and management exclusively for OneDrive for Business. We will cover advice and best practices from my extensive experience working with service ideal for system admins and those actively working with it on a daily basis.

What is Microsoft OneDrive?

Microsoft has two different, but similar services called OneDrive, both of which offer cloud file storage for users. A free version of OneDrive is available to everyone and is often called the “consumer” version. The business version is “OneDrive for Business” and requires a subscription to Microsoft 365 or Office 365. Both look a lot alike but are managed very differently. To add to the mix, Microsoft often refers to OneDrive for Business as simply “OneDrive” in their documentation and even in the UI.
Note: I may refer to OneDrive instead of OneDrive for Business from time to time in this article for the sake of brevity, but I always mean OneDrive for Business unless otherwise stated.

OneDrive for Business has company-wide administration in mind. A service administrator can control the deployment of the synchronization app, network performance, and many other settings. With OneDrive (consumer), there is no management framework. The individual using the service controls their settings.

Where Should Users Save Files?

OneDrive for Business makes it very easy to share files with others, but if you find yourself sharing lots of files, it is recommended to use Teams or SharePoint instead. Teams and SharePoint are simply better for collaboration. For example, with OneDrive, you can’t check-in and check-out a document. Also, in Teams, any document you upload to Teams is available to the entire Team by default, whereas documents you upload to OneDrive are private by default. Also, in Teams, a conversation about a document is shared in a Teams channel rather than via email. The general guidance is if you are working on a file without others involved use OneDrive for Business. If you need others involved, use a more collaborative service – Teams or SharePoint.

OneDrive for Business uses SharePoint Online as Service

As the service administrator, one of the most important concepts to master is that OneDrive for Business is a special purpose SharePoint document library created automatically for every user in your company. When a user is assigned an Office 365 or Microsoft 365 license, the services automatically create a personal OneDrive for Business document library.

The URL for OneDrive for Business is formatted as follows:

https://<company base name>-my.sharpoint.com/personal/<user-id>

OneDrive For Business SharePoint Library

The landing page (shown above) for OneDrive for Business shows “My Files” which are your files. You can also navigate from here to any SharePoint asset, including SharePoint Document Libraries, files hosted for Teams, or other SharePoint content.

Now that you know OneDrive for Business is using SharePoint under the hood, the following guidance makes sense:

To manage the OneDrive sharing settings for your organization, use the Sharing page of the new SharePoint admin center, instead of the Sharing page in the OneDrive admin center. It lets you manage all the settings and latest features in one place.

In this way, settings related to file sharing on SharePoint are aligned with those for OneDrive for Business (and Teams, which also uses SharePoint as a file store). OneDrive picks up many features from SharePoint, such as the ability to do File RestoresRestore a previous version of file, and synchronize files to your desktop.

Easy Anonymous Access

One main reason OneDrive for Business is well-liked is that it’s so easy to share a document with anyone. You can send someone a URL to a document and relax. It just works, and you won’t hear the dreaded “I can’t open the document” (which is all too common and a huge productivity sink).

The screenshot below exemplifies my point. What’s being shown is the side-by-side sharing experience in Teams vs. OneDrive. Take note! There is no Share option in Teams. You can copy the link to the file, but you must know if the user you send it to has rights to view the document in the Teams library. In OneDrive for Business, however, there is a Share option that allows you to send a URL to anyone. This is called Anonymous Access and is one of the primary reasons users share from OneDrive rather than Teams.

OneDrive For Business, Microsoft Teams

Also, in OneDrive, if you click on Anyone with the link can edit, you can further refine the Sharing options.

OneDrive For Business Sharing Options

As a side note, users frustrated by Teams’ lack of sharing controls can easily open a document or folder in SharePoint instead of Teams (as shown below). In SharePoint, you can share the file with anyone just like in OneDrive. There’s no need to copy a file in Teams to OneDrive to share anonymously. Just open it in SharePoint instead!

SharePoint Document Sharing

<>Controlling Default Permissions

Many businesses prefer to control who can open company documents. You can change the default settings in the OneDrive administration center, but let’s follow Microsoft’s advice to use SharePoint administration instead.

OneDrive SharePoint Admin Center

There are separate controls for External Sharing for SharePoint and OneDrive, ranging from Only people in your Organization to Anyone. However, what a static snapshot does not reveal is that the OneDrive settings cannot be more permissive than SharePoint. If you lower the permission on SharePoint, the permission also lowers on OneDrive. OneDrive can be more restrictive than SharePoint but never less restrictive. Since SharePoint hosts OneDrive files, this makes sense.

These settings are company-wide. Let users know before you make changes to global settings that cause changes in expected behavior. You WILL hear from them, and it generally won’t be a happy face emoji.

When guest users are needed, as they frequently are, consider securing the environment with the guidance provided by Microsoft in the documentation page titled Create a secure guest sharing environment.

Savvy admins can control sharing using options available when you click on More external sharing settings on the same screen shown above:

OneDrive SharePoint External Sharing Settings

The option Limit external sharing by domain lets you allow or deny sharing to a particular domain. This can be a great way to go when you want to constrain sharing to a specific set of partners or external resources.

Allow only users in specific security groups to share externally lets you control who can share files with people outside your organization. A security group is an Azure AD object that is generally a collection of users and other groups. After populating the security group with users, you can assign permissions and policies to the group, such as granting the group access to a SharePoint site, a mailbox, or forcing members of the group to use 2-factor authentication.

Consider the following scenario. Marketing is involved with a lot of external sharing, so we want to enable sharing for members of Marketing but deny everyone else, AND we don’t want to have to make adjustments every time someone moves into or out of marketing.

To illustrate how this can be achieved with security groups, I created a security group in Azure AD named Marketing-Org and added four users. As employees come and go, members of marketing are added to and removed from this group. (If you haven’t created security groups in Azure AD, it’s straightforward.)

Next, (shown below) I created another security group called External-Sharing.

Azure AD External Sharing

Security groups can have other security groups as members! By adding Marketing-Org to External-Sharing, the users in Marketing-Org automatically inherit External-Org permissions and policies

After that, I assigned the sharing permissions to the External-Org group. Returning to the SharePoint admin center Policies->Sharing->More external sharing settings-> Allow only users in specific security groups to share externally. Then, by clicking on Manage Security Groups (shown below)I added the External-Sharing group and set them so they can share with Anyone. To limit the ability of everyone else, I added the built-in security group Everyone except external users and set them to share with Authenticated guests only.

SharePoint Admin Center Manage Security Groups

In this way, everyone in the company can only share with authenticated guests, whereas only the members of External-Sharing can share with anyone.

The screenshot below shows the result. The user on the left is not a member of the External-Sharing group (the Anyone option is grey and cannot be selected). However, the user on the right can.

OneDrive For Business External Sharing

Once configured, effective administrators can manage membership of the security groups using PowerShell with the Add-AzureADGroupMember and associated cmdlets.

Storage space per user

Most Microsoft 365 and Office 365 plans come with 1TB of storage per user for OneDrive. If there are more than 5 users on a plan, 1TB can be increased by administrators to 5TB. You can even go to 25TB on a user-by-user basis by filing a support ticket with Microsoft.

To increase the storage limit for all users, browse to the OneDrive administration console, and select Storage. Change the setting from 1024 to the new limit. Shown below is updating the limit to 5TB. There are no additional charges for the increase in capacity.

OneDrive For Business Storage Limit

A global or SharePoint admin can change storage quotas with PowerShell after you connect to SharePoint using the SharePoint Online Management Shell and run the following command:

Set-SPOSite -Identity <user’s OneDrive URL> -StorageQuota <quota>.

You have to construct the OneDrive URL from the company name and user name, as mentioned earlier. Then, find the user name from the list of active users in the Office or Microsoft 365 admin center.

For <Quota>, enter a number between 1024 (1MB is the minimum) and 5242880 (for 5 TB). Values are rounded up. 1TB is 1048576.

As of this writing, OneDrive allows files up to 100GB.

Request Files

In some scenarios, you may want to collect files from others, rather than send files to others. OneDrive for Business makes this easy with the Request Files feature. With this feature, users can send an email asking others to upload content to a specific folder.

To set up a request files email, in the OneDrive UI, select a folder, click on the ellipses (…), and click Request files. You will see a window similar to the one shown below.

OneDrive For Business Request Files

After clicking Next, you will see the Send file request window:

OneDrive For Business Send File Request

The email sent by this form provides a URL for uploading content to the OneDrive for Business folder. Request files is a great way to collect and concentrate needed files into a single location for processing. That said, you need to make sure to enable uploads for the folder locations in the request.

Of course, a savvy administrator is thinking, “Hmm, does this provide a way for these users to upload content forever to this location?”

Shown below is the SharePoint admin center for Policies, Sharing.

SharePoint Admin Center Policies Sharing

With these settings, you can put some boundaries around the ability to upload files to location access given in the Request files invitation. These settings apply to anonymous links sent from OneDrive and SharePoint as well. As a best practice, if you permit users to send links to Anyone, which is enabled by default, you should expire those links. Otherwise, over a period of years, there can be hundreds or thousands of URLs that provide access to your content making access control distressingly challenging or impossible without disabling anonymous access altogether.

Folders must be set to View, edit, and upload as shown above to allow users to upload files in response to a file request.


One of the main features of OneDrive for Business is the ability to synchronize files from a user’s PC or laptop with OneDrive. With the synch service running, users can work on files locally, and the changes are sent to the cloud. Also, well-known folder locations such as Documents can be synchronized, ensuring essential documents are both local and in the cloud. You can easily sync Teams File Repositories as well as SharePoint Document Libraries.

The synchronization service is part of Windows 10, so you do not generally need to download it individually. Users can install the service by clicking Start and typing OneDrive.

One Drive For Business App Windows 10
OneDrive For Business Sign In

Click on the OneDrive app to launch the setup. OneDrive is then accessible in the taskbar as the cloud icon (shown before logging in, below).

Alternatively, users can enable the client by logging into onedrive.microsoft.com and clicking Sync.

When installed, users can enjoy the integration of OneDrive with Windows File Explorer. A OneDrive location is visible in the File listing. The OneDrive file listing is unique as you can see if a file is in the cloud (cloud icon), local and in the cloud (checkmark), or synchronizing (arrows). Also, when you right-click on a file in the OneDrive folder, you can Share a file, View online, and check the version history.

OneDrive Windows File Explorer

Pay particular attention to the following icons. Shown below is a screenshot from one that appears during the installation of the OneDrive client.

OneDrive Client Installation

TAKE NOTE – File on demand enabled by default!

Imagine this scenario. You are working on an important project with several others. A Teams site is used for collaboration. You’re headed out for an important meeting with your clients, and a colleague posts several important files to Teams. You’ve installed the sync client, and you’re headed off to the airport, so you think “no worries, I’ve got them synced to my laptop, and I can view them in flight.” Aloft, you open your laptop and see there is a cloud icon next to files. Clicking on a file, it’s not accessible. What happened?

What happened is the Files On-Demand is enabled by default.

Files On-Demand marks content that appears in the cloud as cloud-only. A file added to a Teams File Repository will not automatically sync locally. It’s not available offline until you open the file, or set the file or folder to Always keep on this device. Optionally, you could also disable Files On-Demand, which we’ll get to in a minute.

For an important file or folder, right-click in Windows Explorer and select Always keep on this device. Users can also disable Files On-Demand in the OneDrive client by opening the client and clicking More->Settings->Settings, then clear the checkbox that reads Files On-Demand.

Microsoft OneDrive Files On-Demand

When you clear the checkbox, a pop-up message says that, indeed, the files will download to your PC instead of being cloud-only.

Microsoft OneDrive Disable Files On-Demand

Be advised that as the message above states, if your files in OneDrive for Business take up, say, 1TB, then that 1TB will be downloaded to your PC. Local storage needs to allow for this. Also, administrators need to consider the impact on bandwidth should you disable Files On-Demand for many users at the same time.

As an alternative, consider instructing users to mark files and folders they want to always be available offline “Always available on this device” using Windows File Explorer as previously discussed. Then you can keep Files On-Demand enabled to preserve bandwidth as only the designated files and folder will be permanently synched, while those you open, will be temporarily synched. All others will reside in the cloud.

Using Policy

For small businesses, administrators can manage OneDrive for Business effectively with the OneDrive for Business administration console. Larger organizations will be interested in using policy. The policy system for Microsoft and Office 365 is considered the most efficient way to manage many settings including those for OneDrive for Business. Policy-based administration provides administrators control, scale, repeatability, and flexibility.

Policy automation can be a complicated topic and breaks into different scenarios depending on your network architecture and configuration. For those with on-premise Active Directory environments, you manage policy via SCCM or Azure AD Domain Services.

If your environment is cloud-only (meaning, you are not using domain controllers locally), using Microsoft’s InTune service lets you deploy the OneDrive sync service to desktops using the Microsoft Endpoint Manager admin center.

Microsoft Endpoint Manager admin center.

You can also create and apply profiles to users that control OneDrive behavior. Shown below is a policy profile limiting the client upload rate to a percentage of available bandwidth. This one of many possible settings to control OneDrive policies in Microsoft Endpoint Manager.

OneDrive policies in Microsoft Endpoint Manager

Previously, you saw how you can limit sharing with anonymous users to members of a specific security group. Similarly, you can apply different policy profiles to different security groups.

Microsoft EndPoint Manager Security Groups

In this way, you manage the behavior of OneDrive and many other aspects of your cloud service by membership in security groups. It’s easy to imagine uses for this practice with a group for New Hires, Legal-Review-Team, Alliance Partners, Vendors, or other typical roles with differing needs in a busy organization.

Network Impact

In regards to OneDrive, you want to be thoughtful about bandwidth consumption in your company, especially on the initial deployment of OneDrive for Business. More than one company has had issues with essential business services becoming sluggish when hundreds or even thousands of newly deployed OneDrive for Business sync clients start downloading content at the same time. Files On-Demand, as discussed earlier, helps significantly to reduce the initial bandwidth hit as files located in the cloud are not automatically downloaded to clients when enabled.

Known folder moves (discussed next) can also impact network performance by automatically uploading users’ local folders to the cloud when the client is deployed.

To help manage network impacts, the OneDrive sync client has bandwidth controls built-in. For a small business, you may want to adjust these settings on each users’ system. Right-click on the OneDrive for Business sync client, then click Settings->Network to see the settings.

Microsoft OneDrive Sync Client

In a larger business, you can use policy to push the desired settings, including the ability to mark OneDrive network traffic with QoS settings.

Known Folder Moves

Finally, a feature called Known Folder Moves is of keen interest to administrators as it can help reduce support desk calls and ease users’ transitions to new computers when replaced or upgraded.

As you probably know, specific folders in Windows, such as Documents, Desktop, and Pictures, and others are unique. These are “known folders” as they are in the same location in the file system on every Windows operating system.

OneDrive includes a feature where known folder locations are synced to OneDrive for Business. When a user needs a file in one of these locations and their PC is not available, they can access it from any device, including a mobile device that has an internet connection. Also, when a user moves to a new PC or laptop, all the previous documents, images, and important files are online and can easily be synched back to the new device.

Known Folder Moves can be enabled in the sync client by clicking on Setting->Backup->Manage Backup.

Microsoft OneDrive Known Folder Moves

Of course, you can also use policy with the methods previously discussed. Should you decide to roll this out, be mindful of bandwidth impacts and network performance,all that content will be uploaded to the cloud.


OneDrive for Business is an exceptionally useful service. In this article, we’ve discussed many of the key considerations, benefits, best practices, and capabilities of OneDrive for Business so you can effectively manage the service for users. A capable administrator will understand the business use cases for sharing as well as the network impact of OneDrive for Business, and be familiar with how to administer the service including using policy to enforce the desired settings for your Business.

When set up, users will enjoy cloud access to essential files, including their Desktop, Document, Pictures, Team sites, and other files of importance, allowing them to share content quickly and work locally or collaboratively.

Of course, Microsoft is continuously updating OneDrive for Business, so as a last tip, bookmark the Microsoft official OneDrive blog to keep up-to-date.

Source :

The Real Cost of Microsoft 365 Revealed

Estimating the real cost of a technology solution for a business can be challenging. There are obvious costs as well as many intangible costs that should be taken into account.

For on-premises solutions, people tend to include licensing and support maintenance contract costs, plus server hardware and virtualization licensing costs. For Software as a Service (SaaS) cloud solutions, it seems like it should be easier since there’s no hardware component, just the monthly cost per licensed user but this simplification can be misleading.

In this article we’re going to look at the complete picture of the cost of Microsoft 365 (formerly Office 365), how choices you as an administrator make can directly influence costs, and how you can help your business maximize the investment in OneDrive, SharePoint, Exchange Online and other services.

The Differences Between Office 365 & Microsoft 365

As covered in our article about the death of Office 2019 there are naming changes afoot in the Office ecosystem. The personal Office 365 subscriptions have changed and are now called Microsoft 365 Family (up to six people) and Personal along with the Office 365 Business SKUs, that top out at 300 users, has also been renamed. The new SKUs are Microsoft 365 Business Basic, Apps, Standard, and Premium.

There’s no reason to believe that this name change won’t eventually extend to the Enterprise SKUs but until it does, from a licensing cost perspective it’s important to separate the two. Office 365 E1, E3 and E5 gives you the well-known “Office” applications, either web-based or on your device, along with SharePoint Online, Exchange Online and OneDrive for Business in the cloud backend.

Microsoft 365 F3, E3 and E5, on the other hand, includes everything from Microsoft 365 plus Azure Active Directory Premium features (identity security), Enterprise Mobility & Security (EMS) / Intune for Mobile Device Management (MDM) and Mobile Application Management (MAM) along with Windows 10 Enterprise.

Comparing M365 plans

Comparing M365 plans

So, a decision that needs to be looked at early when you’re looking to optimize your cloud spend is whether your business is under 300 users and likely to stay that way for the next few years. If that’s the case you should definitely look at the M365 Business SKUs as they may fulfil your business needs, especially as Microsoft recently added several security features from AAD Premium P1 to M365 Business.

If you’re close to 300, expecting to grow or already larger, you’re going to have to pick from the Enterprise offerings. The next question is then, what’s the business need – do you just need to replace your on-premises Exchange and SharePoint servers with the equivalent cloud-based offerings? Or is your business looking to manage corporate-issued mobile devices (smartphones and tablets) with MDM or protect data on employee-owned devices? The latter is known as Bring Your Own Device (BYOD), sometimes called Bring Your Own Disaster. If you have those needs (and no other MDM in place today), the inclusion of Intune in M365 might be the clincher. If on the other hand, you need to protect your on-premises Active Directory (AD) against attacks using Azure Advanced Threat Protection (AATP) or inspect, understand and manage your users’ cloud usage through Microsoft Cloud App Security (MCAS) you’ll also need M365 E5, rather than just O365.

Microsoft 365 Cloud app security dashboard

Cloud app security dashboard

The difference is substantial, outfitting 1000 users with O365 E3 will cost you $ 240,000 per year, whereas moving up to M365 E3 will cost you $ 384,000. And springing for the whole enchilada with every security feature available in M365 E5 will cost you $ 684,000, nearly 3X the cost of O365 E3. Thus, you need to know what your business needs and tailor the subscriptions accordingly (see below for picking individual services to match business requirements).

Note that if you’re in the education sector you have different options (O365 A1, A3, and A5 along with M365 A1, A3, and A5) that are roughly equivalent to the corresponding Enterprise offerings but less costly. And charities/not-for-profits have options as well for both O365 and M365M365 Business Premium is free for up to 10 users for charities and $ 5 per month for additional users.

A la carte Instead of Bundles

There are two ways to optimize your subscription spend in O365 / M365. Firstly, you can mix licenses to suit the different roles of workers in your business. For instance, the sales staff in your retail chain stores are assigned O365 E1 licenses ($8 / month) because they only need web access to email and documents, the administrative staff in head office use O365 E3 ($20 / month) and the executive suite and other high-value personnel use the full security features in E5 ($35 / month). Substitute M365 F3, E3, and E5 in that example if you need the additional features in M365.

Secondly, you don’t have to use the bundles that are encapsulated in the E3, E5, etc. SKUs, and you can instead pick exactly the standalone services you need to meet your business needs. Maybe some users only need Exchange Online whereas other users only need Project Online. The breakdown of exactly what features are available across all the different plans and standalone services is beyond the scope of this article but the O365 and M365 service descriptions are the best places to start investigating.

Excerpt from the O365 Service Description

Excerpt from the O365 Service Description

And if you’re a larger business (500 users+) you’re not going to pay list prices and instead these licenses will probably be part of a larger, multi-year, enterprise agreement with substantial discounts.

If You Hate Change

If you want to stay on-premises Exchange Server 2019 is available (only runs on Windows Server 2019), as is SharePoint Server 2019 and you can even buy the “boxed” version of Office 2019 with Word, Excel, etc. with no links to the cloud whatsoever. This is an option that moves away from the monthly subscription cost of M365 (there’s no way to “buy” M365 outright) and back to the traditional way of buying software packages every 2-5 years. Be aware that these on-premises products do NOT offer the same rich features that O365 / M365 provides, whether it’s the super-tight integration between Exchange Online and SharePoint Online, cloud-only services like Microsoft Teams that build on top of the overall O365 fabric or AI-powered design suggestions in the O365 versions of Word or PowerPoint. There’s no doubt that Microsoft’s focus is on cloud services, these are updated with new features on a daily basis, instead of every few years. If your business is looking to digitally transform, towards tech intensity (two recent buzzwords in IT with a kernel of truth in them) using on-premises servers and boxed software licensing is NOT going to get you there. But if you want to keep going like you always have, it’s an option.

And if you’re looking at this from a personal point of view, a free Microsoft account through Outlook.com does give you access to Office Online: Word, Excel, and PowerPoint in a browser. There’s even a free version of Microsoft Teams available.

Transforming your Business

There’s a joke going around at the moment about the Covid-19 pandemic bringing digital transformation to many businesses in weeks that would have taken years to achieve without it. There’s no doubt that adopting the power of cloud services has the power to truly change how you run your business for the better. A good example is moving internal communication from email to Teams, including voice and video calls and perhaps even replacing a phone system with cloud-based phone plans.

But these business improvements depend on the actual adoption of these new tools. And that requires a mindset shift for everyone. Start with your IT department, if they still see M365 as just cloud-hosted versions of their old on-premises servers they’re missing the much bigger picture of the integrated platform that O365 has become. Examples include services such as Data Loss Prevention (DLP), unified labeling and automatic encryption/protection of documents and data, and unified audit logging that spans ALL the workloads. So, make sure you get them on board with seeing O365 as a technology tool to transform the business, not just a place to store emails and documents in OneDrive. And adding M365 unlocks massive security benefits, enabling zero-trust (incredibly important as everyone is working from home), identity-based perimeters, and cloud usage controls. But if your IT or security folks aren’t on board with truly adopting these tools, they’re not going to make you any more secure. Here’s free IT administrator training for them.

Finally, you’re going to have to bring all the end-users on board with a good Adoption and Change Management (ACM) program, helping everyone understand these new services and what they can do to make their working lives better. This includes training but make sure you look to short, interactive, video-based modules that can be applied just when the user needs coaching on a particular tool, not long classroom-based sessions.

And all of that, for all the different departments, isn’t a once-off when you migrate to O365, it’s an ongoing process because the other superpower of the cloud is that it changes and improves ALL the time. This means you’ll need to assign someone to track the changes that are coming/in preview and ensure that the ones that really matter to your business are understood and adopted. The first place to look is the Microsoft 365 Message Center in the portal where you can also sign up for regular emails with summaries of what’s coming. Another good source is the Office 365 Weekly Blog.

M365 portal Message Center

M365 portal Message Center

To help you track your usage and adoption of the different services in O365 there is a usage analytics integration with PowerBI. Use this information to firstly see where adoption can be improved and take steps to help users with those services and secondly to identify services and tools that your business isn’t using and perhaps don’t need, giving you options for changing license levels to optimize your subscription spend.

PowerBI Offie 365 Usage Analytics

PowerBI O365 Usage Analytics (courtesy of Microsoft)

Closing Notes

There’s another factor to consider as you’re moving from on-premises servers to Microsoft 365 and that’s the changing tasks of your IT staff. Instead of swapping broken hard drives in servers these people now need to be able to manage cloud services and automation with PowerShell and most importantly, see how these cloud services can be adopted to improve business outcomes.

A further potential cost to take into account is backup. Microsoft keeps four copies of your data, in at least two datacentres so they’re not going to lose it but if you need the ability to “go back in time” and see what a mailbox or SharePoint library looked like nine months ago, for instance, you’ll need a third-party backup service, further adding to your monthly cost.

And that’s part of the overall cost of using O365 or M365, training staff, adopting new features, different tasks for administrators and managing change requires people and resources, in other words, money. And that’s got to be factored into the overall cost using Microsoft 365, it’s not just the monthly license cost.

The final question is of course – is it worth it? Speaking as an IT consultant with clients (including a K-12 school with 100 students) who recently moved EVERYONE to work and study from home, supported by O365, Teams, and other cloud services, the answer is a resounding yes! There’s no way we could have managed that transition with only on-premises infrastructure to fall back on.

Source :

UniFi – USW: Which SFP Modules Can be Used

The Ubiquiti UFiber modules are officially supported and compatible with all EdgeSwitch, EdgeRouter, UniFi Switch, UniFi Dream Machine Pro and UniFi Security Gateway models that have SFP or SFP+ ports. Multi-mode and single-mode SFP and SFP+ models are available, including single-mode BiDi models.

SKU (Model)1G (SFP)10G (SFP+)25G
UDC-1 (1m)UDC-2 (2m)UDC-3 (3m)* 
UC-DAC-SFP+ (0.5m)* 
UC-DAC-SFP28 (0.5m)  **

*Ports can be set manually to 1000mbps for compatibility between SFP+ and SFP ports. |  ***SFP28 to SFP28 (max data rate 25Gbps)

The list below includes third-party SFP/SFP+ transceivers that have been tested by community members. Please note that these should work, but we cannot assure that they will. Some modules will have multiple hardware revisions, and while one revision may work (i.e. 1.0), it’s possible that a newer revision (i.e. 1.1, 1.2, etc.) of the same module may not work.

We do, however, offer direct support for our own modules.

  • Addon 1000BASE-LX SFP MMF
  • Addon 1000BASE-SX SFP MMF
  • Brocade  10G-SFPP-TWX-0101
  • Cisco GLC-LH-SM 30-1299-01 SFP
  • Cisco GLC-SX-MM
  • Cisco GLC-SX-MM 1000BASE-SX SFP
  • Cisco SFP-H10GB-CU1M
  • Dell FTLF1318P3BTL
  • Dell FTLF8519P2BNL
  • Dell FTLX1371D3BCL
  • Dell FTLX8571D3BCL
  • FCI 10110818-2030LF
  • Finisar FTLF8524P2BNL
  • HP J4858C
  • MaxxWave MX-SX-MM-US 10G + 1.25G
  • MGB-SX 1000Base-SX
  • Mikrotik S-3553LC0D
  • Mikrotik S+31DLC10D
  • Mikrotik S+85DLC03D
  • Solid-Optics ‘SFP-GE-L-SO’ 1000Mbps
  • SourceLight SLS-1285-S5-D


  • FiberStore SFP1G-LX-31 1310nm (Single-mode SFPs): with the 8-Port switch set the Negotiation to 1G fixed. On the 24-port autonegotiation works fine.
  • Finisar FTLX1471D3BCV (dual rate – single-mode)
  • HP J4859B – (Finisar FTRJ1319P1BTL-PT Rev A)
  • HP J4859C – (Intel TXN221200000005) – no OTDR output (show fiber-ports optical-transceiver all)


  • Cisco MGBSX1 Gigabit SX Mini-GBIC SFP Transceiver
  • Fiberstore SFP-1G85-5M (multi-mode)
  • Finisar FTLF8524P3BNL (multi-mode)
  • HP J4858A (3rd party) – (FINISAR FTRJ-8519-7D) – no OTDR output


  • Cisco GLC-T – (CISCO-FINISAR FCMJ-8521-3-CSC Rev 4)
  • Delta LCP-1250RJ3SR – (DELTA LCP-1250RJ3SR Rev 0000) 
  • Fiberstore SFP-GB-GE-T Module
  • Mikrotik S-RJ01 (not compatible)


  • Finisar FTLX1471D3BCV (dual rate – single-mode)


  • Cisco SFP-10G-SR
  • Fiberstore SFP-10G85-3M (multi-mode)
  • Finisar FTLX8571D3BCL (multi-mode)


  • Addon SFP-10G-PDAC1M-AO
  • Juniper ex-sfp-10ge-dac-1m – (Amphenol 584990001 Rev A)
    • This is a 10g DAC that appears to link up at 1g when both ends are plugged into the two SFP slots of the ES-24-250W
    • I haven’t tested sending traffic over this cable, as I only have one ES-24-250W, and Juniper equipment wants to link up at 10g when using this DAC
  • MikroTik S+DA0001
  • Molex 74742-0001
  • Fibrestore 10G DAC cables

The following SFP/SFP+ transceivers have been tested by community members, but may not work reliably. They are not recommended for use with UniFi switch.

  • TP-LINK TL-SM311LS ** may not work on newer firmware, may also depend on module version
  • TP-LINK TL-SM311LM ** may not work on newer firmware, may also depend on module version

    Source :

UniFi – Supported PoE Output and Input Modes


This article provides tables with information on the supported Power over Ethernet (PoE) output and input modes for Ubiquiti UniFi Switches, Access Points, Cloud Keys and Cameras.NOTES & REQUIREMENTS:

  • See each device’s Datasheet, available in their store product page or in the Downloads section, for more information on the supported PoE modes.
  • See our PoE Adapters page for more information on Ubiquiti PoE adapters/injectors that can be used to power on devices.
  • There is more information on PoE in the Power Over Ethernet (PoE) article.

Table of Contents

  1. Introduction
  2. UniFi Switches – Supported PoE Output Modes
  3. UniFi Access Points – Supported PoE Input Modes
  4. UniFi Cloud Key – Supported PoE Input Modes
  5. UniFi Cameras – Supported PoE Input Modes
  6. UniFi Switches – Supported PoE Input Modes
  7. Related Articles


One of the challenges with large PoE deployments is figuring out how to provide power to your UniFi Access Points. When you have many access points it becomes less viable to power devices using AC PoE injectors. With non-PoE capable switches, you can add a Midspan device which acts as a collection of individual PoE injectors by receiving Ethernet from the switch with only data being transmitted and adding power out over Ethernet through the connection. Such a piece of equipment takes up additional space on your rack, while also costing you a lot of money.

To help with such deployments, UniFi Switches come in a few different models with varying numbers of ports from 8, 16, 24 and 48. These switches are endspan devices as they act as both the switch and provide PoE to devices. UniFi switches give you greater functionality when used with the different UniFi Access Point (UAP), UniFi Dream Machine (UDM), and UniFi Security Gateway (USG) models, and cost well under the amount of the midspan device alone.

UniFi Switches – Supported PoE Output Modes

Ubiquiti devices use Active PoE output. This means that the voltage the Powered Device (PD) needs is negotiated. There are three output modes:

  • PoE: Uses IEEE 802.3af standard to deliver up to 15.4W.
  • PoE+: Uses IEEE 802.3at standard to deliver up to 30W.
  • PoE++: Uses IEEE 802.3bt standard to deliver up to 60W.

Different switches provide different output methods, so it’s important to learn what power method the UniFi switches support and compare it with the power method needed to power the different UniFi devices: eg. UniFi access points, cameras or Cloud Keys.

It’s important to note that each switch has a maximum power consumption which should be considered when powering multiple UniFi devices via PoE. For example, a US-16-150W has a 150W maximum power consumption, even though it has 16 ports. The UAP-HD has a maximum power consumption of 17W. Therefore, if you were to power 16 UAP-HD on a US-16-150W, there is a possibility that the wattage could exceed what the switch is capable of supplying in certain conditions. Find each device’s power consumption in their Datasheets, found in the Downloads page, within each product’s Documentation section.

USW-Pro-48-PoE(Ports 41-48)
USW-48-PoE(Ports 1-32)(Ports 1-32)
USW-Pro-24-PoE(Ports 17-24)
USW-24-PoE(Ports 1-16)(Ports 1-16)
USW-16-PoE(Ports 1-8)(Ports 1-8)
USW-Lite-16-PoE(Ports 1-8)(Ports 1-8)
USW-Lite-8-PoE(Ports 1-4)– 
USW‑Industrial(Ports 1-8)(Ports 1-8)(Ports 1-8)
US-8(Port 8)– – 
US-8-60W(Ports 4-8) –– 
US-8-150W –
USW-Flex – – 

UniFi Access Points – Supported PoE Input Modes

UAP-AC-LR** (Mode A)–  –
UAP-AC-LITE*** (Mode A) –– 
UAP-AC-M (Mode A) –– 
UAP-nanoHD– – 
UAP-XG–  –

NOTES: * The IW models only support PoE Pass-Through when powered by 802.3at.** UAP-AC-LRs with a date code prior to 1634 or board revision before 17 only support 24V passive PoE.
*** UAP-AC-LITEs with a date code prior of 1634 or board revision before 33 only support 24V passive PoE.


Legacy Devices – Power Methods

UAP– – – 
UAP-LR – –– 
UAP-AC– – 
UAP-AC-Outdoor– – 
UAP-Outdoor –– – 
UAP-Outdoor5– –  –
UAP-IW** –

NOTE: * The UAP-IW only supports PoE Pass-Through when powered by 802.3at.

UniFi Cloud Key – Supported PoE Input Modes

UC‑CK–  –
UCK-G2 –– 

UniFi Cameras – Supported PoE Input Modes

UVC-G3–  –
UVC-G3-AF–  –

NOTE: * Supported when using the included 802.3af Instant PoE Adapter. See the QSG for more information. 

UniFi Switches – Supported PoE Input Modes

US-8 – 
USW-Flex-Mini – 

Source :