Category Archives: Uncategorized

Anonymous Relay when transitioning from 2010 to 2016

Posted on by
Reply

I recently worked on a project where my customer had a load balanced vip for SMTP. There were two Exchange 2010 cas-hub servers included in the vip. And the 2010 servers had a relay connector for anonymous access configured for applications like scan to email and HR applications. So how do we move this service to our lovely new Exchange 2016 servers.

  1. Create the fronted transport service relay connectors on both Exchange 2016 servers called ‘Relay’
  2. Then run this script to copy all of the relay ips to the new Exchange 2016 relay connectors
    Credit:https://gallery.technet.microsoft.com/office/Copy-a-receive-connector-b20b9bef
  3. Then on Exchange 2016 server 1 we run these commands
    Servers are contso1 & contoso2
    Set-ReceiveConnector “contso1\Relay” -PermissionGroups AnonymousUsers,Exchangeservers -DomainController FSMO DCGet-ReceiveConnector “contso1\Relay” | Add-ADPermission -User ‘NT AUTHORITY\Anonymous Logon’ -ExtendedRights MS-Exch-SMTP-Accept-Any-Recipient -DomainController FSMO DCSet-ReceiveConnector “contso2\Relay” -PermissionGroups AnonymousUsers,Exchangeservers -DomainController FSMO DCGet-ReceiveConnector “contso2\Relay” | Add-ADPermission -User ‘NT AUTHORITY\Anonymous Logon’ -ExtendedRights MS-Exch-SMTP-Accept-Any-Recipient -DomainController FSMO DC
  4. Add a server IP like the ad connect server into the relay connector scope on both contoso1 and contoso2
  5. Then run this command from the AD Connect server to each of the Contoso servers
    telnet SMTP VIP 25
    Helo
    mail from:sean@contoso.com
    rcpt to:sean.ofarrell@yahoooooo.com
    data
    Test from Sean.
  6. Once the email comes through we can then remove the Exchange 2010 server from the SMTP VIP and disable the relay connector on the Exchange 2010 servers.

Finally a lot of my customers do not trust Exchange Online Protection and use services like Mimecast , Proofpoint, Cisco Cloud Email Security and once the SPF records for the domains matches the service it can normally be much easier to set up smtp relay via these saas services.

AD Connect – Sync-rule-error-function-triggered

Posted on by
Reply

I recently worked on a project that had the following scope.

  • Migrate 6 Office365 tenants into a new single Office365 tenant
  • Migrate all users, sidhistory and computer accounts into a new AD Forest using Quest Migration Manager for Active Directory from 10 source Active Directory Forests to a new Windows Server 2019 Active Directory Forest.

14 user objects could not sync changes like adding aliases. If I extract the affected user’s immutable from the source office365 tenant it was different to the corresponding users immutableid in the new tenant.

So where is the problem? Why wont the changes sync?

When further analyzing the errors in AD Connect, I could see that the cloudanchor attribute in my new tenant had the same immutable ID as the source tenant.

So how do we fix this?

  1. Exclude the following two attributes from Quest Migration Manager for Active Directory migrations and synchronization tasks ‘mS-DS-ConsistencyGuid’ & ‘msDS-ExternalDirectoryObjectId’
  2. Then run this powershell command to export all destination  site immutable IDs

    get-aduser -filter * -SearchBase “OU=Contoso” | select samaccountname,mail,userprincipalname,objectguid,@{label=”ImmutableID”;expression={[System.Convert]::ToBase64String($_.objectguid.ToByteArray())}} | export-csv CSV LOCATION

  3. Then run the following command and replace the immutable id from the exported csv in step3 in the bold text below to convert the immuttableid to HEX format
    [system.convert]::FromBase64String(“rk4ZgeI/l0OpdRr5PiwU1g==“) | %{$a += [System.String]::Format(“{0:X}”, $_) + ” “};$result = $null;$result = $a.trimend();$result
  4. The output of this command will convert the immutable ID from the CSV to a Hex value like AE 4E 19 81 E2 3F 97 43 A9 75 1A F9 3E 2C 14 D6
  5. Next step is to populate the ‘mS-DS-ConsistencyGuid’ attribute with the hex value from step 4 and replicate domain controllers.
  6. Run a delta or initial sync on AD Connect and the issue will be resolved.

Reference Article: https://docs.microsoft.com/en-us/archive/blogs/latam/using-the-consistencyguid

 

SPF,DKIM & DMARC for Message Hygiene Services

Posted on by
Reply

This article is about securing email transmission and I mention multiple vendors. Proofpoint recently acquired Wombat Security Technologies that provide security awareness training for end users. knowbe4 is another excellent security awareness training provider and the Gartner leader in security awareness training.

None of the vendors I mention in this article can provide zero day vulnerabilities protection and I still think one of the best line of defences for any organisation is security awareness training for end users.

SPF The Sender Policy Framework (SPF) is an email-authentication technique which is used to prevent spammers from sending messages on behalf of your domain. With SPF an organisation can publish authorized mail servers.
Ref: https://www.dmarcanalyzer.com/spf/

DKIM (Domain Keys Identified Mail) is an email authentication technique that allows the receiver to check that an email was indeed sent and authorized by the owner of that domain. This is done by giving the email a digital signature. This DKIM signature is a header that is added to the message and is secured with encryption.
Ref: https://www.dmarcanalyzer.com/dkim/

DMARC : DMARC, which stands for “Domain-based Message Authentication, Reporting & Conformance”, is an email authentication, policy, and reporting protocol. It builds on the widely deployed SPF and DKIM protocols, adding linkage to the author (“From:”) domain name, published policies for recipient handling of authentication failures, and reporting from receivers to senders, to improve and monitor protection of the domain from fraudulent email.
Ref: https://dmarc.org/

With the combination of SPF,DKIM and DMARC , these standards improve the reputation of an email like contoso.com. But most importantly they can help an organisation like contoso.com from being a victim of a phishing or an email spoofing campaign.

A lot of my enterprise customers and early adopters of Exchange Online chose not to use Exchange Online Protection because it quite simply wasn’t good enough at the time they moved to Exchange Online. Exchange Online Protection has really matured in the last number of years with some excellent features like:

  • Office365 ATP
  • Zero Hour Purge
  • Automated Investigation and Response (AIR)

In my view the two best locations for technical guidance on configuring Exchange Online Protection

  1. https://office365itpros.com/
  2. https://www-undocumented–features-com.cdn.ampproject.org/c/s/www.undocumented-features.com/2019/08/13/exchange-online-protection-eop-best-practices-and-recommendations/?amp

DKIM and DMARC should be configured on the last hop of email messages transmission.

Microsoft have documented how to configure DKIM for Exchange Online HERE
Microsoft have documented how to configure DMARC for Exchange Online HERE

Symantec Email Security Cloud DKIM
Symantec Email Security Cloud DMARC

Mimecast DKIM
Mimecast DMARC

Proofpoint DKIM
Proofpoint DMARC
Note: DMARC Not supported on ProofPoint Essentials

Cisco Cloud Email Security DKIM
Cisco Cloud Email Security DMARC

ForcePoint Email Security DKIM
ForcePoint Email Security DMARC

Switch from SCCM Co-Management Hybrid to Intune

Posted on by
1

I recently had to break co-management of SCCM & Intune Co-Management Hybrid and migrate to Intune for mobile devices that were managed by SCCM\Intune.

I followed Gerry Hampson’s blog POST on how to do this. Gerry is a Microsoft MVP in Enterprise Client Management.

I faced a problem. How do I translate an SCCM device collection that has no information on users, to a security group that I can assign an Intune Application Protection Policy to. In my particular instance there was only two policies required.

  1. Intune_Exec_AppProtection_Policy
  2. All users except the Exec users

Azure Active Directory has the ability to create complex dynamic user or device security groups. So in my instance I created two Intune Application Protection Policies that are listed above.

I created one on-premise synced AD Security group that contained the Exec users, this group would be assigned to Intune Application Protection Policy 1. I then wanted to create a security group that I could assign to all non exec users and any new users. So I created an Azure dynamic user security group that queried Azure AD for any user that has an Intune license. The query for the Azure dynamic security group is listed below.

user.assignedPlans -any (assignedPlan.servicePlanId -eq “c1ec4a95-1f05-45b3-a911-aa3fa01094f5” -and assignedPlan.capabilityStatus -eq “Enabled”)

This type of dynamic security group can be applied to any Microsoft cloud service. The list of all Microsoft servicePlanId’s is available HERE

 

 

Conditional Access and Azure Active Directory License Management

Posted on by
Reply

Azure AD group based license assignment was made generally available in Feb 2018. It really is a superb way of managing and assigning licenses for services like Office365.

Quite often on projects that I deliver ,  I will work with my customer to build a profile which could be for example standard user, power user , exec user and these groups can assign some or all of the M365 suite of services.

So this means we would have 3 security groups to match each user profile and each organisation can modify their new starter process to add new users into their relevant security group or use Identity Management tools like Microsoft Identity Manager 2016 SP1 to manage the user life cycle.

One of the quickest and most powerful conditional access policy is as follows

  • Assignment : All users , except license groups and break glass admin account
  • Cloud Apps :  All Apps
  • Conditions : Default , NO CHANGE
  • Access Controls \ Grant : BLOCK

So the assignment to all users is the key , If a new user is not setup properly and follows the new user creation process then they cannot access the organisation’s cloud apps that are integrated with Azure AD.

This is a policy to block all unlicensed users.

All licensed users would expect to have the following items configured as a minimum requirement.

  • MFA
  • SSPR
  • Combined SSPR & MFA registration
  • Azure Password Protection Service
  • Microsoft Advanced Threat Protection integration with CASB
  • Azure AD P2 license , Identity Protection policies enabled
  • Azure AD Hybrid joined machines
  • Intune managed bitlocker encrypted devices
  • Intune managed devices with security baselines

Block sending of messages based on real-time content inspection in SASS with Cloud APP Security

Posted on by
Reply

This post demonstrates how to integrate Facebook Workplace with Azure AD and enable single sign on, and CASB protection for keywords that users post in a Facebook Workplace site.

The process would be exactly the same for any SAAS application and this post demonstrates the power of CASB integration with SAAS applications. For example , when using CASB to protect SAAS applications like GMAIL, Salesforce, Service Now, CASB can block real time key words and inspect files for sensitive information types defined by an organisation and integrate with Azure Information Protection.

There is a Microsoft tutorial on how to integrate Azure AD with Facebook workplace but I found the guide difficult to follow.

So I will try and structure this post in order to block a keyword from being posted to Facebook Workplace.

  1. Sign up for a Facebook Workplace account and sign in. Then click on the admin panel , security and authentication settings.
  2. Click on the Add new SSO Provider
  3. After you click on the link displayed above , scroll down and copy the audience URL which is the unique identifier.
  4. Next we add a new tab in the browser and go to Azure Active Directory , Enterprise Applications and add Facebook Workplace from the gallery.
  5. Add the users or security group that will have access to this published application within Azure AD
  6. Create a conditional access policy and do the following
    Select Facebook Workplace as the app
    Select the users in scope for testing
    Select session control and select the settings displayed in the image below
    There is obviously a lot more protection that can be applied with this conditional access policy, like location protection , azure hybrid joined machines etc..  For the purpose of this blog we are simply demonstrating the interaction with CASB and conditional access session policies.
  7. As I always use Chrome until Edge Chromium is GA , the next step is to to open a new tab and install the My Apps Secure Sign-in Extension for Chrome and sign in with the credentials that you are signed into the Azure Portal with.
  8. Within Azure AD , Select Facebook Workplace and select single sign on and select SAML
  9. Edit basic saml configuration and paste in the following urls
    A:Identifier (Entity ID) :  The audience url captured in step 3
    B:Reply URL (Assertion Consumer Service URL) : https://my.workplace.com/work/saml.php
    C:Sign On Url : https://my.workplace.com/work/saml.php
  10. Exit the SAML basic configuration and then move to step 5 in the SAML configuration and click on ‘Setup WorkPlace for Facebook’
  11. When we click on ‘Setup WorkPlace by Facebook’ , The browser will redirect the session to the Facebook WorkPlace authentication settings and click on the ‘Single Sign On  (SSO) button
  12. Wait a few seconds and the Chrome add in we discussed in step 7 will display the following screen which will auto populate the Azure SAML configuration automatically into Facebook WorkPlace.
  13. The next pop up requests the admin to test SSO and then save the changes.
  14. The next window will re-direct the Facebook Workplace login url through CASB
  15. Click on close on the next page
  16. Next really important step , Go back to the Facebook Workplace tab and select save changes
  17. Next steps are to create the Cloud App Security Policy to block a key word using this template :Block sending of messages based on real-time content inspection
  18. The activities in the policy are displayed below
  19. The content inspection config of the policy uses contoso as the keyword
  20. The action is to block and notify the user with the organisation’s terms and conditions for usage of cloud apps or a custom response
  21. Finally , Facebook WorkPlace will be available for the users in scope to use the application in the https://myapps.microsoft.com portal

Final note , SAAS applications that support SCIM will be much easier to on-board into Azure Active Directory and CASB. I hope this blog post shows how easy it is to on-board SAAS apps into Azure AD and CASB.

 

Remove a public domain name from an Office365 Tenant – The QUICK WAY

Posted on by
Reply

I have worked recently on a lot of Office365 tenant to tenant migrations and the biggest challenge in all of these migrations is where the same domain name eg. contoso.com cannot exist in two tenants at once.

I always use the Migration Wiz Bundle which can migrate primary mailbox, archive mailbox , ODFB sites and Deployment Pro which manages the Outlook Profile transition to the new tenant.

Migration Wiz have an interesting co-existence solution which you can review HERE

If using a migration tool like Migration Wiz and all data has been migrated a really quick way of removing all traces from contoso.com from the legacy tenant is to run through the following process

WARNING ALL DATA MUST BE MIGRATED BEFORE ATTEMPTING TO USE THIS PROCESS. This process does not delete any data. It removes all references to the public domain that is required in the target tenant in this example that domain name is CONTOSO.COM. If users still need to access data in a Sharepoint Site in the legacy tenant the user me informed on what their new UPN is.

  1. Connect to Azure AD Connect server
  2. Disable-ADSyncExportDeletionThreshold  and then enter Office365 Global Admin Credentials
  3. Next steps are to de-select all the OUs that were previously in scope for synchronization
  4. Then run this command on the Start-ADSyncSyncCycle -PolicyType Initial
    (Run the command twice)
  5. This will place all objects that were synced to Office365 in the recycle bin.
  6. Change UPN for any cloud identity objects that remain
    Get-MsolUser -All | ? {$_.UserPrincipalName -match “contoso.com” -and $_.UserPrincipalName -notmatch “admin”} | % {Set-MsolUserPrincipalName -ObjectId $_.objectId -NewUserPrincipalName ($_.UserPrincipalName.Split(“@”)[0] + “@contoso.onmicrosoft.com”); $dataout += “$($_.UserPrincipalName)” ; $_.UserPrincipalName };$dataout | out-file “CSV FILE NAME AND PATH”}}
  7. Set the primary smtp address for all remaining mail enabled objects to contoso.onmicrosoft.com
    $AllMailboxes = Get-Mailbox -ResultSize Unlimited
    Foreach ($Mailbox in $AllMailboxes){
    # Creating NEW E-mail address that concatenate in the following way: Take the existing recipient Alias name + use the NEW Domain name as a domain suffix + “Bind” the Alias name + the NEW Domain name suffix.$NewAddress = $Mailbox.Alias + “@contoso.onmicrosoft.com”Set-Mailbox -Identity $Mailbox.Alias -WindowsEmailAddress $NewAddress 
    }
  8. Remove all contoso.com aliases
    $Records = Get-mailbox -ResultSize Unlimited| where {$_.emailaddresses -like “smtp:*@contoso.com”} | Select-Object DisplayName,@{Name=“EmailAddresses”;Expression={$_.EmailAddresses |Where-Object {$_ -like “smtp:*contos.com”}}}foreach ($record in $Records){    write-host “Removing Alias” $record.EmailAddresses “for” $record.DisplayName

        Set-Mailbox $record.DisplayName -EmailAddresses @{Remove=$record.EmailAddresses}

    }

  9. Remove Contoso.com from any groups
    Get-Msolgroup -All | where {$_.emailaddress -match “contoso.com”} | Remove-MsolGroup –Force
  10. Change the default domain in the Admin.Microsoft.com portal to contoso.onmicrosoft.com
  11. Remove Contoso.com
    Remove-MsolDomain -DomainName “contoso.com” –Force
  12. Next we can add Contoso.com into the new Office365 tenant and update the mx records for Contoso.com
  13. Last but not least , We modify AD Connect configuration and re-enable the sync of all the objects that were previously synced and are now in the Office365 recycle bin ,they will all be restored and have the ability to access their data via a contoso.onmicrosoft.com UPN.

We forgot to mention Public Folders. Migration Wiz have a separate tool for public folder migrations which is very simple to use. I always prefer to convert public folders into resource mailboxes.

Credit: The domain removal powershell migration scripts are publicly available in Migration  Wiz Knowledge Base articles.

Exchange 2010 – 2016 Hyrid – Outlook not connecting

Posted on by
Reply

I have wrote many articles  about the Exchange Hybrid process. There are lots of excellent articles on line about this process. This blog post is aimed it simplifying the whole process and ensuring 2010 clients can still connect when using Exchange 2016 servers for autodiscover.

The Exchange Online Hybrid wizard has greatly improved over the years and the Exchange Hybrid Modern Agent is an amazing step forward and provides a mechanism to quickly migrate mailboxes to Exchange Online.

Exchange 2010  support will Expire in October 2020. I have recently been performing a lot of Hybrid migrations using Exchange 2010 and Exchange 2016 as the hybrid server

I always use this powershell SCRIPT to install the pre-requisites for each new Exchange server.

Autodiscover services are typically  transferred from the Exchange 2010 servers to Exchange 2016 servers.

Simply updating the autodiscover.consto.com A record to point at the new Hybrid server and expecting clients to connect without any issues is a big mistake.

If the Exchange 2010 organisation has a load balanced virtual ip , this IP cannot be simply reused for the Exchange 2016 server. The main reason for this is that,mapi has transitioned to mapi over http from Exchange 2013 versions and higher.

Exchange 2016 has different virtual directories and also has health check urls per Exchange virtual directory.

  • Kemp – Kemp have templates for Exchange 2016
  • F5 – Have templates for Exchange 2016
  • Netscaler – Follow this article to load balance Exchange 2016 via Netscaler HERE

When the Exchange Hybrid has been installed and configured , Run this SCRIPT
And set all of the virtual directories to your corporate domain eg. autodiscover.contoso.com

On the Exchange 2010 server , get an inventory of databases hosted on the Exchange 2010 servers. And then run this command to set the rpc client access server per Exchange 2010 database,

Set-MailboxDatabase –Identity “<Database Name>” –RPCClientAccessServer “exch2010-01.contoso.local”

This is the most important task, Exchange 2016 receives autodiscover requests and proxies them to the Exchange 2010 client access servers for mailboxes that are still hosted on Exchange 2010.

Now is the time to update the two DNS records autodiscover.contoso.com and mail.contoso.com to point to the new Hybrid server.

Exchange Online users that have been migrated and are working outside of their company offices will query the public autodiscover.contoso.com record which will point to the hybrid server, the hybrid server will respond with the correct autodiscover xml via http redirect to Exchange Online.

Intune Endpoints Through Proxies or Corporate Firewalls

Posted on by
Reply

Microsoft previously submitted all the urls  and ip ranges for the Office365 platform on docs.microsoft.com. Now there is a new Office365 IP Web Service , HERE 

It would be great if this dynamic ip services covered all services in Office365  that can be updated in firewalls and proxies. Unfortunately it does not.

Intune is an amazing service from Microsoft but if you do not white-list the endpoints listed HERE

Features like Bitlocker, x86 custom app deployments, Windows 10 Security Baselines will fail.

Microsoft Cloud Service for Global Enterprise Organisation

Posted on by
Reply

Even I get confused when it comes to all the different options available with Microsoft cloud services.Some of my global customers have engaged with business analyst to perform the task of user profiling to try and establish what licenses end user really need per division.

One of my customers refused to buy AD premium for all users because they could lock down access by IP-range with ADFS and don’t need to license 23k users for AD premium. This is a very valid use case when you do the numbers and saves a lot of money.

Some of my customers want conditional access but do not have a compatible version of Office or OS and when the cost associated with bringing the desktop to a suitable level for conditional access for 10, 20k user sites, they are most often binned.

For global roll outs of Office365 , I aways recommend the use of a business analyst for user profiling to get the best value for your client or customer.

Microsoft always get their money!!!