Select Page

Enabling DKIM and DMARC in Office365

This turned out to be really simple; and there are some really good tools and docs at https://dmarcian.com/

  • set up DKIM DNS records
    • CNAME selector1._domainkey –> selector1-{domain}._domainkey.{office365domain}.onmicrosoft.com
    • CNAME selector2._domainkey –> selector2-{domain}._domainkey.{office365domain}.onmicrosoft.com
  • set up DMARC DNS records
    • TXT _dmarc –> correct DMARC policy

Then enable DKIM signing in the Defender portal https://security.microsoft.com

Email and Collaboration –> Policies and Rules –> Threat Policies –> Email Authentication settings

  • select the domain, click on “sign messages for this domain with DKIM signatures”

It might take a while for the DNS records to propagate.

Finally test the DMARC and DKIM settings, I used the DMARC Record Checker https://dmarcian.com/domain-checker

If you end up looking to use DMARC reporting, and sending to a third party/alternate domain – you also need to set up DNS records in the receiving domain:

  • set up External Domain Verification (EDV) records in DNS
    • TXT {domain}._report._dmarc –> v=DMARC1

Azure, Log Analytics Workspace, Kusto

If you’ve worked with Azure for any real length of time, there are limitations to what is stored in the Azure Activity Log – both in terms of content and retention.

The solution is to send Azure logs to a Log Analytics Workspace, and retain that for as long as you needed.

Today I needed to dig into an event that occured back in the summer, featuring Bastion. A simple Kusto query with the date range and searchable text got me results in a few moments. Some display filtering of the correct columns got me to a happy place.

// Log Analyics query
search “BastionHost” // search is case-insensitive
| where TimeGenerated between (datetime(2023-06-01) .. datetime(2023-06-15)) // date ranges
| project TimeGenerated, Caller, CorrelationId, SubscriptionId, ResourceGroup, OperationNameValue, Properties_d.resource, ActivityStatusValue
// just show the columns we care about (comment the entire line if you want all)

PSZoom revisited

Zoom have deprecated their JWT authentication against the backend API, and moved to OAuth.

Happily – Joseph McEvoy has updated the PSZoom module for PowerShell – and it’s working just great.

Create a new Server-to-Server OAuth through the Zoom App Marketplace, and you’re set:

image

Your usage will vary, but there is a really nice role based model (or “Scope”) for the API – I gave this just read access to meetings – and it’s been fine.

import-module PSZoom

# get the values from the Zoom Marketplace
#   Develop –> Build App –> Server-to-Server OAuth

$AccID = ‘from Zoom’
$ClientID = ‘from Zoom’
$ClientSecret = ‘from Zoom’

Connect-PSZoom -AccountID $AccID -ClientID $ClientID -ClientSecret $ClientSecret

$MeetingID = ‘meetingID’

$ZoomRegistrants = Get-ZoomMeetingRegistrants $MeetingID -pagesize 300

$reghashtable = $zoomregistrants.registrants

write-host $reghashtable.count

$outputs = $reghashtable |foreach-object {
return [pscustomobject]@{
     fname = “$($_.first_name)”
     lname = “$($_.last_name)”
     email = “$($_.email)”
     regtime = “$($_.create_time)”

    }
     }
$outputs | sort-object regtime | export-csv “zoom-meeting.csv” -notypeinformation