Conditional Access Insights and Reporting

Posted on January 6, 2021 by Sean O'Farrell

Conditional Access Schematic

One of the most desirable Conditional Access policy controls is to only grant access to cloud applications if the Windows 10 devices are Azure AD Hybrid joined.

To ensure all Windows 10 devices are Azure AD Hybrid joined can be quite tricky , It is not as simple as enabling Azure AD Hybrid join in the AD connect wizard and simply synching an organizational unit that contains all of the Window 10 machines

The Windows 10 devices must be able to communicate with the Microsoft Office365 and Intune endpoints.

Microsoft Azure AD Conditional Access Policy – Report Mode only has been available for some time, however trying to demonstrate and analyze the impact of enabling the new conditional access policy was quite difficult when trying to review the activity for the new policy in the Azure AD sign in logs or even via a csv export of the policy activity.

Microsoft released Conditional Access Insights and Reporting : Overview and setup available HERE Power BI can also connect to the Log Analytics workspace to create custom dashboards if required.

Now when attempting to review conditional access policies in report mode only and in this example the policy is a report mode only if devices were blocked from signing in unless they were Azure AD Hybrid joined.

The impact summary is simple to read and break down

The next page summarizes user sign in details and which users would be impacted most by enabling the policy and then allow IT administrators to take action and get the users \ devices compliant before enabling the policy.

How to migrate Teams Sites from Office365 tenant to another Office365 Tenant using Migration Wiz

Posted on November 18, 2020 by Sean O'Farrell

This image has an empty alt attribute; its file name is image.png

I have been working very closely with BitTitan for a number of years and BitTitan have been working very closely with Microsoft with the development of their Teams migration service.

The service was updated towards the end of August and this update brought a large number of enhancements which can be reviewed HERE

For years I have been migrating Office365 Tenants to other Office365 tenants and the problem still remains whereby a custom domain like contoso.com cannot exist in two Office365 tenants at once. So during acquisition or merger migration projects at what point do you migrate the Microsoft Teams sites. My recommendation is to take care of the following data sources first with the Migration Wiz user migration bundle.

Primary Mailbox
Archive Mailbox
OneDrive for Business
Outlook switch over via deployment pro.

Once the data sources above have been migrated , I would recommend that Outlook Web App access to the legacy source tenant mailboxes is blocked via running the following command

Get-Mailbox -resultsize unlimited | Set-CASMailbox -OWAEnabled $false
Get-Mailbox -resultsize unlimited | Set-CasMailbox -ActiveSyncEnabled $False

The official MigrationWiz migration guide is available HERE
Also follow this ARTICLE and setup the Teams-FullControlApp in each source tenant.
I recommend that you use the autodiscover method to populate the project as this will also identify any incompatible items in Teams sites or channels

First step is to create the teams site in the target tenant , and do this 24 hours in advance

Next Step is to do the data migration

Validate the data and then remove the Teams licenses from the users in the source tenants with the following powershell commands. Create a new variable for each Offfice365 licensing sku that contains Teams.

Get-MsolAccountSku

$acctSKU=”contoso:O365_BUSINESS_PREMIUM”
$x = New-MsolLicenseOptions -AccountSkuId $acctSKU -DisabledPlans “TEAMS1”

$acctSKU2=”contoso:TEAMS_EXPLORATORY”
$x = New-MsolLicenseOptions -AccountSkuId $acctSKU -DisabledPlans “TEAMS1”

$acctSKU3=”contoso:O365_BUSINESS_ESSETIALS”
$x = New-MsolLicenseOptions -AccountSkuId $acctSKU -DisabledPlans “TEAMS1”

$acctSKU4=”contoso:O365_BUSINESS_ESSENTIALS”
$x = New-MsolLicenseOptions -AccountSkuId $acctSKU -DisabledPlans “TEAMS1”

Get-MsolUser | Where-Object {$_.licenses[0].AccountSku.SkuPartNumber -eq ($acctSKU).Substring($acctSKU.IndexOf(“:”)+1, $acctSKU.Length-$acctSKU.IndexOf(“:”)-1) -and $_.IsLicensed -eq $True} | Set-MsolUserLicense -LicenseOptions $x

And now all the Teams sites have been migrated and there is no chance of split brain because the Teams license has been removed from the source tenanat.

One really important point to note: MigrationWiz match users from the source to the destination based on the user prefix which is so useful when you are moving one domain from an Office365 tenant to another for example in a merger or aquistion.

How to delete Teams Chats and Meeting Chat Moderation Settings

Posted on October 18, 2020 by Sean O'Farrell

A customer recently asked me how can we delete chat history in Microsoft Teams and the answer was really simple. Provided the tenant has the correct Office365 licensing. The solution was to create a retention policy and delete all chat history older than 1 day.

How to delete Teams Chats and Meeting Chat Moderation Settings

https://www.microsoft.com/en-us/microsoft-365/roadmap?filters=&searchterms=67175

Exchange Online to Exchange On-Prem Free \ Busy Not Working

Posted on September 5, 2020 by Sean O'Farrell

Free busy not working in an Exchange 2016 CU17 Hybrid environment.

When a customer forgets to tell you that they previously configured Exchange Hybrid using the Modern hybrid agent, The modern hybrid agent leaves behind some configuration settings that prevent free-busy working from EOL to EOP.

I always use the classic hybrid wizard for organisations that require long term rich co-existence.

The frustrating this with this issue is that the Exchange Remote Connectivity analyzer tests WORK, which would lead you to believe everything is ok and configured correctly. But when you attempt to query availability requests for a user or resource from OWA or Outlook , the look up fails.

What does the Hybrid Agent leave behind in Exchange Online?

Two values are populated that will prevent free \ busy from EOL to EOP working.

OrganizationRelationship -targetsharingepr
Intraorgconnector -targetsharingepr

When you query these values , You may see a value like https://a75aa21a-2f8d-4b2e-85fe-1234.resource.mailboxmigration.his.msappproxy.net/EWS/E
xchange.asmx

To resolve the issue run the following commands

set-intraorgconnector -TargetSharingEpr $null
set-OrganizationRelationship “Name of Org Relationship” -TargetSharingEpr $null

Teams Calendar Integration with on-premise Exchange calendars

Posted on August 21, 2020 by Sean O'Farrell

One of the pre-requisites for Teams (online) integration with Exchange on-premise calendars is oauth authentication.

Sometimes solution providers just install a single or multiple Exchange 2016 servers to ensure the oauth pre-requisite is delivered. However if the project scenario requires Exchange on-premise mailboxes to be migrated as quickly as possible to Exchange Online then it may seem overkill to implement Exchange 2016 servers during this transition period.

Exchange 2013 CU24 and above does not complete the oauth authentication part of the Hybrid wizard, however Microsoft do have an article on how to configure OAUTH for Exchange 2013.

Configure OAUTH for Exchange 2013 :
https://docs.microsoft.com/en-us/exchange/configure-oauth-authentication-between-exchange-and-exchange-online-organizations-exchange-2013-help

This solution works perfectly and allows an organization to transition from Exchange 2013 to Exchange Online without the requirement for Exchange 2016 servers and enables Teams to interact with Exchange 2013 on-premise calendars.

Azure AD Conditional Access Policies Best Practices

Posted on July 12, 2020 by Sean O'Farrell

Every organisation is different and has different requirements. I have been working with conditional access for quite some time and have settled on the following policies for every organisation.

Create a security group that contains users that are permitted to access the organisations cloud services when outside of trusted locations.

Blocked Countries Conditional Access Policy

All Users
Exclude Break Glass Admin account
All Cloud Apps
Location : Blocked Countries that have been setup in the named locations section of Azure Conditional Access.
Access Control : Block Access

Blocked External Access

All users , except Break Glass Admin account and security group that contains users that are permitted access.
All Cloud Apps
Locations : Any location except trusted locations
Access Control : Block Access

Permit External Access

Users : security group that contains users that are permitted access.
All Cloud Apps
Locations : Any location except trusted locations
Client Apps
Browser
Mobile apps and desktop clients
Modern authentication clients
Grant Access : Require all of these controls
Require Multi factor Authentication
Require Hybrid Azure AD joined device
Require approved client app
Terms of Use

Mobile Device Access

Users : security group that contains users that are permitted access.
Exchange Online
Locations : Any location except trusted locations
Device Platforms : Android & IOS
Client Apps
Browser
Mobile apps and desktop clients
Modern authentication clients
Grant Access : Require all of these controls
Require Multi factor Authentication
Require device to be marked as compliant (Enrolled in Intune)
Require approved client app

Terms of Use

Why still enable MFA for the mobile device access policy. When the Microsoft Authenticator application is installed on an Android or IOS device. It acts like an SSO broker and can communicate with the modern authentication Microsoft Outlook client.

Block Legacy Protocols

Simply replicate the legacy : Baseline policy: Block legacy authentication (Preview)

Azure Privileged Identity Management to lock down provision of Virtual Machines in Azure

Posted on July 4, 2020 by Sean O'Farrell

In my previous post on how to secure Office 365 Roles and this post is about how to secure Azure Resources.

Office365 and Azure Active Directory have a number of roles that are familiar like global administrator , compliance administrator etc. One of the most common use cases for Azure PIM it to request just in time access to the global administrator role

As organisations extend their networks into Azure , Azure subscription’s costs can sometimes spiral out of control. And this post will demonstrate the technical steps required to lock down the ‘virtual machine contributor’ role with Azure Privileged Identity Management, so that it requires finance department or senior it approval to create virtual machines in Azure, and the process around making technical admin staff eligible for the ‘virtual machine contributor role’

An example of how Azure costs could spiral , An Azure Admin , provisions the most expensive high performance virtual machine available in Azure, makes the VM geo-redundant, adds in a few ultra disks and a few Terra Bytes of Azure Blob Strage.

If there are multiple Azure subscriptions, The eligible users and app-rovers will need to be configured per subscription.In the image below we want to manage Azure Resources.

We click on Azure Resources and then click on settings.

Add the app-rovers for the role and ensure the app-rovers have mailboxes so that they receive the email notification
Next step is to add eligible users for the virtual machine contributor role.
Now any admin that needs to provision a virtual machine in Azure has to follow a workflow and can only do so when senior IT resources or finance department users have approved the provision of the virtual machine

SAML Single Sign On SSO WordPress Using Azure AD

Posted on June 11, 2020 by Sean O'Farrell

Mini Orange is a great plugin for SAML SSO integration into Azure AD.
Their documentation is located HERE

The documentation misses a few key points.

The SP-EntityID / Issuer url must be: https://wordpresssite.com/wp-content/plugins/miniorange-saml-20-single-sign-on and not https://wordpresssite.com/wp-content/plugins/miniorange-saml-20-single-sign-on/
Attribute Mapping
User Name: Email Address
Email: Email Address
First Name: Given Name
Last Name: Surname

Microsoft Authentication Prompts

Posted on April 29, 2020 by Sean O'Farrell

When securing cloud services like Office365 with Azure MFA , End User education and adoption is absolutely critical. Not all organisations’ can afford Azure Active Directory Premium Edition Plan 2 or M365 E5 subscriptions.

Azure Identity Protection provides dynamic protection against the following scenarios.

Atypical travel
Anonymous IP address
Unfamiliar sign-in properties
Malware linked IP address
Leaked Credentials
Azure AD threat intelligence

In the event of credentials being compromised the bad actor must get past the next level of authentication which will normally be the Microsoft Authenticator App or a text message.

It is critical to educate end users : DO NOT APPROVE random authentication requests. If an end user is on leave and not attempting to access their cloud resources there should be no reason to approve multi factor authentication challenges.

Locking down Azure Active Directory

Posted on April 16, 2020 by Sean O'Farrell

Azure Active Directory has excellent security with conditional access being one of the most widely used tool to protect Azure Active Active Directory.

The sceen shot below shows the default settings for an Azure AD Premium Plan 2 tenant.

The information tab on the user consent to apps accessing company data on their behalf reads like this:

If this option is set to yes, then users may consent to allow applications which are not published by Microsoft to access your organization’s data, if the user also has access to the data. This also means that the users will see these apps on their Access Panels.
If this option is set to no, then admins must consent to these applications before users may use them.

So in the scenario where a phishing email slipped through the cracks and an end user grants access to a non Microsoft application to their organizations’s data. We do not want that to happen!!!!

The correct setting is listed below
Application administrators should be granted the application administrator role in Azure Active Directory , Then the next time an and user wants to add an application, the application administrator will receive an email and can approve from his\her Outlook client.

The next time an end user or IT staff member wants to add an application to Azure AD, Do not just simply grant the global administrator role.

User Azure Privileged Identity Management and Application Administrator Roles!

Cloud-Secure.ai

Boost your security posture with the power of ai