<b>Wave16.com</b> | Microsoft 365, Teams, Intune, and other Office 365 services. Blog by Oliver Moazzezi (feed updated 2024-03-14T18:51:26.596+00:00).<br />
<br />
<b>Working from home with Microsoft Teams: Managing private viewing of PowerPoint presentations in meetings</b> (published 2020-04-03T11:01:00.003+01:00, updated 2020-04-21T14:34:55.902+01:00)<br />
Hi<br />
<br />
Welcome to another working from home with Microsoft Teams vlog. In this circa thirty second snippet I show you how to manage private viewing of your PowerPoint presentations, so that you keep delivery impactful and stop participants from skipping ahead.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/aX26gDZw3Ag/0.jpg" frameborder="0" height="600" src="https://www.youtube.com/embed/aX26gDZw3Ag?feature=player_embedded" width="800"></iframe></div>
<br />
<br />
<div style="font-family: "times new roman"; font-size: 16px; margin: 0px;">
Stay safe</div>
<div style="font-family: "times new roman"; font-size: 16px; margin: 0px;">
<a href="https://twitter.com/OliverMoazzezi" style="color: #0066cc; margin: 0px;">@OliverMoazzezi</a></div>
<br />Oliver Moazzezi<br />
<br />
<b>Working from home with Microsoft Teams: Help, I'm new to Teams and need to understand the client!</b> (published 2020-03-30T18:42:00.004+01:00, updated 2020-04-21T14:35:10.894+01:00)<br />
Hey all<br />
<br />
So Microsoft have continued to announce more companies and users adopting Microsoft Teams, and we now have even more daily users than last week's announcement of 44 million daily Teams users!<br />
<br />
I have just helped migrate a 500-seat customer to Office 365 specifically to use Microsoft Teams, and I have another in the planning stages with a view to an aggressive adoption schedule.<br />
<br />
So for all you new Microsoft Teams users! Check out the below video!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/SLO0HpMCRW8/0.jpg" frameborder="0" height="600" src="https://www.youtube.com/embed/SLO0HpMCRW8?feature=player_embedded" width="800"></iframe></div>
<br />
<br />
<div style="font-family: "times new roman"; font-size: 16px; margin: 0px;">
Stay safe</div>
<div style="font-family: "times new roman"; font-size: 16px; margin: 0px;">
<a href="https://twitter.com/OliverMoazzezi" style="color: #0066cc; margin: 0px;">@OliverMoazzezi</a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
Oliver Moazzezi<br />
<br />
<b>Working from home with Microsoft Teams: Managing notifications</b> (published 2020-03-27T14:34:00.001+00:00, updated 2020-04-21T14:35:25.333+01:00)<br />
Hey all,<br />
<br />
Microsoft Teams provides a variety of noteworthy notification settings. We can have them muted, or specify whether we want them via email, banner or both. So how do we do this and what notifications can we control?<br />
<br />
Take a look in the following video.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/RhVwDKNIQWs/0.jpg" frameborder="0" height="600" src="https://www.youtube.com/embed/RhVwDKNIQWs?feature=player_embedded" width="800"></iframe></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div style="font-family: "times new roman"; font-size: 16px; margin: 0px;">
Stay safe</div>
<div style="font-family: "times new roman"; font-size: 16px; margin: 0px;">
<a href="https://twitter.com/OliverMoazzezi" style="color: #0066cc; margin: 0px;">@OliverMoazzezi</a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />Oliver Moazzezi<br />
<br />
<b>Working from home with Microsoft Teams: adding Apps to Channels</b> (published 2020-03-26T09:44:00.001+00:00, updated 2020-04-21T14:35:46.324+01:00)<br />
The weather is really nice today; it makes a change to look out of the window and see some sun. It puts a brighter perspective on things.<br />
<br />
Today we will see how easy it is to add apps to your channels. If you can't see Apps, don't worry - it just means your employer has locked it down for now.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/1E55O2J2UnQ/0.jpg" frameborder="0" height="600" src="https://www.youtube.com/embed/1E55O2J2UnQ?feature=player_embedded" width="800"></iframe></div>
<br />
<br />
<div style="font-family: "times new roman"; font-size: 16px; margin: 0px;">
Stay safe</div>
<div style="font-family: "times new roman"; font-size: 16px; margin: 0px;">
<a href="https://twitter.com/OliverMoazzezi" style="color: #0066cc; margin: 0px;">@OliverMoazzezi</a></div>
Oliver Moazzezi<br />
<br />
<b>Working from home with Microsoft Teams: Taking Meeting Notes</b> (published 2020-03-25T18:47:00.004+00:00, updated 2020-04-21T14:36:00.487+01:00)<br />
Hi all,<br />
<br />
Welcome back to my working from home with Microsoft Teams 30 second video series to help people that find themselves working from home for the first time with new technology.<br />
<br />
So you've worked out how to have a meeting? How do we take meeting notes? Let's check it out in Microsoft Teams!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/03lBTIwJqv0/0.jpg" frameborder="0" height="600" src="https://www.youtube.com/embed/03lBTIwJqv0?feature=player_embedded" width="800"></iframe></div>
<br />
<div style="font-family: "times new roman"; font-size: 16px; margin: 0px;">
Stay safe</div>
<div style="font-family: "times new roman"; font-size: 16px; margin: 0px;">
<a href="https://twitter.com/OliverMoazzezi" style="color: #0066cc; margin: 0px;">@OliverMoazzezi</a></div>
<br />Oliver Moazzezi<br />
<br />
<b>Working from home with Microsoft Teams: Adding additional participants to 1:1 chat</b> (published 2020-03-23T15:19:00.000+00:00, updated 2020-04-21T14:36:16.200+01:00)<br />
Hey everyone,<br />
<br />
Today we'll talk about simply adding another user to 1:1 chat. New users will occasionally go to the extra effort of creating a new conversation, but in this video we show how Microsoft Teams takes care of that for you to streamline the experience whilst preserving the previous conversation.
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/HRevB-MJMJs/0.jpg" frameborder="0" height="600" src="https://www.youtube.com/embed/HRevB-MJMJs?feature=player_embedded" width="800"></iframe></div>
<br />
<br />
<div style="font-family: "times new roman"; font-size: 16px; margin: 0px;">
Stay safe</div>
<div style="font-family: "times new roman"; font-size: 16px; margin: 0px;">
<a href="https://twitter.com/OliverMoazzezi" style="color: #0066cc; margin: 0px;">@OliverMoazzezi</a></div>
Oliver Moazzezi<br />
<br />
<b>Working from home with Microsoft Teams: How do I record a meeting?</b> (published 2020-03-20T12:27:00.001+00:00, updated 2020-03-20T14:21:43.640+00:00)<br />
Welcome to day three. It's been an experience, three consecutive days working from my temporary office at home - I advise taking two 30-minute breaks each day to get some fresh air. I find that helps enormously. Anyhow, how do I record a meeting in Microsoft Teams?<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/lNNvHSd8_yk/0.jpg" frameborder="0" height="600" src="https://www.youtube.com/embed/lNNvHSd8_yk?feature=player_embedded" width="800"></iframe></div>
<br />
<br />
<br />
<br />
<div style="font-family: "times new roman"; font-size: 16px; margin: 0px;">
Stay safe</div>
<div style="font-family: "times new roman"; font-size: 16px; margin: 0px;">
<a href="https://twitter.com/OliverMoazzezi" style="color: #0066cc; margin: 0px;">@OliverMoazzezi</a></div>
Oliver Moazzezi<br />
<br />
<b>Working from home with Microsoft Teams in 30 seconds: checking my audio device settings in a call</b> (published 2020-03-19T09:57:00.001+00:00, updated 2020-03-20T14:22:16.767+00:00)<br />
Hi all,<br />
<br />
Day two and today we're checking our audio device settings once we have joined a call. Take a look in the video below.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/TyxfzO3ocSI/0.jpg" frameborder="0" height="600" src="https://www.youtube.com/embed/TyxfzO3ocSI?feature=player_embedded" width="800"></iframe></div>
<br />
<br />
<br />
<div style="font-family: "times new roman"; font-size: 16px; margin: 0px;">
Stay safe</div>
<div style="font-family: "times new roman"; font-size: 16px; margin: 0px;">
<a href="https://twitter.com/OliverMoazzezi" style="color: #0066cc; margin: 0px;">@OliverMoazzezi</a></div>
Oliver Moazzezi<br />
<br />
<b>Working from home with Microsoft Teams in 30 seconds: Pinning contacts and notify when available!</b> (published 2020-03-18T16:01:00.000+00:00, updated 2020-03-20T14:22:30.315+00:00)<br />
As we are going through a pretty unprecedented time right now, I thought I would try to put some 'Microsoft Teams in 30 seconds' videos online with some top tips every week.<br />
<br />
Here's day zero!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/N-_QlL8D6wE/0.jpg" frameborder="0" height="600" src="https://www.youtube.com/embed/N-_QlL8D6wE?feature=player_embedded" width="800"></iframe></div>
<br />
<br />
<div style="font-family: "times new roman"; font-size: 16px; font-variant-east-asian: normal; font-variant-numeric: normal; margin: 0px;">
Stay safe!</div>
<div style="font-family: "times new roman"; font-size: 16px; font-variant-east-asian: normal; font-variant-numeric: normal; margin: 0px;">
<a href="https://twitter.com/OliverMoazzezi" style="color: #0066cc; margin: 0px;">@OliverMoazzezi</a><br />
<div>
<br /></div>
</div>
<br />Oliver Moazzezi<br />
<br />
<b>Enable Microsoft Information Protection (MIP) Label Preview for SharePoint Online and Microsoft Teams</b> (published 2020-02-24T12:55:00.001+00:00, updated 2020-02-24T13:04:09.656+00:00)<br />
<br />
Microsoft have announced the ability to classify an Office 365 Group via the creation of a SharePoint Online Team Site, or Microsoft Team with Unified Labelling.<br />
<br />
This is a great feature to have, and it effectively starts to drive adoption of classification for these services, although the feature is in preview and still needs additional work to be feature complete.<br />
<br />
So how do you enable it for your tenancy? Let's take a look!<br />
<br />
First of all ensure you have the latest preview version of the AzureAD PowerShell module. You can grab it <a href="https://docs.microsoft.com/powershell/azure/active-directory/overview?view=azureadps-2.0">here</a>. For help on installing the module, see <a href="https://docs.microsoft.com/powershell/azure/active-directory/install-adv2?view=azureadps-2.0-preview#installing-the-azure-ad-module">here</a>.<br />
<br />
Once you have the latest preview version of the AzureAD module we're all set to start making some configuration changes. We need to configure and enable 'EnableMIPLabels' in the Azure AD directory settings for the tenancy we're performing this work on. You can grab the below script from Microsoft <a href="https://docs.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels-teams-groups-sites">here</a>. Save this to a PowerShell file.<br />
<br />
<span style="direction: ltr; font-family: , "consolas" , "liberation mono" , "menlo" , "courier" , monospace; font-size: 13.93px; line-height: 19px; white-space: pre;"><b><span style="color: orange;">$setting=(Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ)
if ($setting -eq $null)
{
$template = Get-AzureADDirectorySettingTemplate -Id 62375ab9-6b52-47ed-826b-58e47e0e304b
$setting = $template.CreateDirectorySetting()
$setting["EnableMIPLabels"] = "True"
New-AzureADDirectorySetting -DirectorySetting $setting
}
else
{
$setting["EnableMIPLabels"] = "True"
Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting
}</span></b><span style="color: #171717;">
</span></span><br />
<br />
<b style="color: #171717; font-family: SFMono-Regular, Consolas, "Liberation Mono", Menlo, Courier, monospace; font-size: 13.93px; white-space: pre;"><br /></b>
To check for the change, see the directory setting 'EnableMIPLabels' by running this command i <span style="color: orange;"><b>Get-AzureADDirectorySetting -Id "<span style="font-family: , "consolas" , "liberation mono" , "menlo" , "courier" , monospace; font-size: 13.93px; white-space: pre;">62375ab9-6b52-47ed-826b-58e47e0e304b</span>" | select -ExpandProp</b><b>erty values</b></span><br />
<b><br /></b>
You should see 'EnableMIPLabels' is now set to 'True'.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9a8wTSChWa_BORh16kIGI7O6qSv_I09omze_KrzakRBaUvHWmkScH47RaaV9RZSzHmuUhAmIeygA-G4w7-r5HBZNAprYEchdMhCzNvrAu3l1lRiXbJXOmA7ioFI_w0R7R574k2SWyhEs/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="732" data-original-width="859" height="544" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9a8wTSChWa_BORh16kIGI7O6qSv_I09omze_KrzakRBaUvHWmkScH47RaaV9RZSzHmuUhAmIeygA-G4w7-r5HBZNAprYEchdMhCzNvrAu3l1lRiXbJXOmA7ioFI_w0R7R574k2SWyhEs/s640/1.png" width="640" /></a></div>
<br />
So what now? Well the truth of the matter is this change does take a little while to propagate across your tenant. I waited a few hours before I saw it working when creating SharePoint Online Team sites and Microsoft Teams.<br />
<br />
So what's next? Well, let's create a Unified Label specifically for this test. Go to the Security &amp; Compliance Center and create a new sensitivity label.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgeIBYG17PBaKkhXbbLkgr3yMHoWbzrFW5NhenBo0-cjBaCrhq_WxUSKC5CkQy9xO4g-3IdsgtQ-HPbY7YpT6SE9FiqnGYNhVhmYe_L7HJUnlrLj0qznkgEynxnpjiZ7XWsXZAY9RNnihU/s1600/SIC1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="867" data-original-width="1600" height="346" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgeIBYG17PBaKkhXbbLkgr3yMHoWbzrFW5NhenBo0-cjBaCrhq_WxUSKC5CkQy9xO4g-3IdsgtQ-HPbY7YpT6SE9FiqnGYNhVhmYe_L7HJUnlrLj0qznkgEynxnpjiZ7XWsXZAY9RNnihU/s640/SIC1.png" width="640" /></a></div>
<br />
You will see there's a new option to configure 'Site and group settings'.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmoZJjO-f6-TldDTV7i9Zj2zUHk2Y58R4Unx71vwDlvAdd3v-tdFyceqHogFEzCgGVkVcRqNDC4XJOV3pNdMi-qRt_QIQeIOYlfPYeq-zmo8Px9_QgIr4CSHmSkGFDQTdYhycN6CVkM9o/s1600/SIC2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="867" data-original-width="1600" height="346" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmoZJjO-f6-TldDTV7i9Zj2zUHk2Y58R4Unx71vwDlvAdd3v-tdFyceqHogFEzCgGVkVcRqNDC4XJOV3pNdMi-qRt_QIQeIOYlfPYeq-zmo8Px9_QgIr4CSHmSkGFDQTdYhycN6CVkM9o/s640/SIC2.png" width="640" /></a></div>
<br />
<br />
I have changed the defaults here to change the privacy to 'Private - only members can access the site', and I have disallowed external user access. I then save the label and push it to a label policy.<br />
<br />
<br />
The label may take a while to show up. However, once it does and the Azure AD directory setting has also taken effect, you should see the following in Microsoft Teams when creating a new Team.<br />
<br />
First of all you'll notice that I am able to select either a public or a private team while the sensitivity label is set to 'None'.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3Lb1OMN8TQSExfsPEiq_1EYzcq0RvEno8hyphenhyphenYnqhmdfEiEH3xgpU_Nry9IJ4J5qnBX6Zouh4PXA8nEwqS99wbGVMQ8x_5M8qec2Tc7blQ6ao2a_Dbxa5n7P0YQUDPEiYqKArR4eRyofsQ/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="693" data-original-width="1280" height="346" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3Lb1OMN8TQSExfsPEiq_1EYzcq0RvEno8hyphenhyphenYnqhmdfEiEH3xgpU_Nry9IJ4J5qnBX6Zouh4PXA8nEwqS99wbGVMQ8x_5M8qec2Tc7blQ6ao2a_Dbxa5n7P0YQUDPEiYqKArR4eRyofsQ/s640/2.png" width="640" /></a></div>
<br />
Now see what happens if I select the label I created.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4vsICSlzzL6sVNYVnUaM6gOhUTpdU2WPtytsYgcl5AqrlCf_Z0NgSguDftcMupJQQ8dPH1JImf1lFOGCH-DaKQf86c1izIArxUlXOimv4c4Tx6u2eAzMPH8huM1nac3ze-Knj7bqTbtQ/s1600/2.5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="693" data-original-width="1280" height="346" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4vsICSlzzL6sVNYVnUaM6gOhUTpdU2WPtytsYgcl5AqrlCf_Z0NgSguDftcMupJQQ8dPH1JImf1lFOGCH-DaKQf86c1izIArxUlXOimv4c4Tx6u2eAzMPH8huM1nac3ze-Knj7bqTbtQ/s640/2.5.png" width="640" /></a></div>
<br />
You can see Microsoft Teams immediately removes the ability for it to be Public based on the privacy settings applied to the unified label.<br />
<br />
OK so if I go ahead and create the Team how can I easily see if there's a label applied? Well you'll see it applied in the top right hand corner of the client.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLr5ux6qQlkR07wdcNowyyvgyZdty_BML_zQwcSizgIxPtqkou8Vy2HTZKehQniNNpJofAEOwx4H6MMnqzxrx63PCz3Uege19wgR605Rp1KnqxUHiLXrdsH7ge_6xgo_B8dpcHi07LQVY/s1600/4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="693" data-original-width="1280" height="346" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLr5ux6qQlkR07wdcNowyyvgyZdty_BML_zQwcSizgIxPtqkou8Vy2HTZKehQniNNpJofAEOwx4H6MMnqzxrx63PCz3Uege19wgR605Rp1KnqxUHiLXrdsH7ge_6xgo_B8dpcHi07LQVY/s640/4.png" width="640" /></a></div>
<br />
Can I add external users? If you remember I explicitly disallowed this in the unified label I created. Let's take a look.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhH9Cxyw3vqlen-BepX5i7zOk2KolBwppdqtYcgrPYZB6_TUoFmsm5pRNo-wvzeBu3wLtA0TiBLGfiZElumvx24tR595lMcD1RcCWDbwkP-CbrN6laEIG6vhrrfsIGKOIigRYlgkFNHZzs/s1600/MIPLabelDenyExt.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="867" data-original-width="1600" height="346" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhH9Cxyw3vqlen-BepX5i7zOk2KolBwppdqtYcgrPYZB6_TUoFmsm5pRNo-wvzeBu3wLtA0TiBLGfiZElumvx24tR595lMcD1RcCWDbwkP-CbrN6laEIG6vhrrfsIGKOIigRYlgkFNHZzs/s640/MIPLabelDenyExt.png" width="640" /></a></div>
<br />
You can see I get the same experience as if Azure AD guest access isn't enabled. But it is. Let's take a look at another Team and try to add the same external user.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkO_odzWAMzdz1YJxGhQUelsnlDwlbRD1eAJesokqnL6PoXieWDgC-V8ma59p8uidV7zUjpXZbAFpWJ6ERU7-T5ogBUYuB4-CY-Ovk45cm9qflr0I4f-mH770kcNKog2IOaUMreNfMSJ4/s1600/demoTeamExt.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="867" data-original-width="1600" height="346" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkO_odzWAMzdz1YJxGhQUelsnlDwlbRD1eAJesokqnL6PoXieWDgC-V8ma59p8uidV7zUjpXZbAFpWJ6ERU7-T5ogBUYuB4-CY-Ovk45cm9qflr0I4f-mH770kcNKog2IOaUMreNfMSJ4/s640/demoTeamExt.png" width="640" /></a></div>
<br />
You can see it works just fine.<br />
<br />
Similarly, if I try to edit the Team's settings from its current private setting to public, you'll see the label continues to enforce your compliance on the Team.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjU5t8J9HEkEyRYEFU3IVqCdXMchqtavw4hkwXiXx2MPTMgNAcTSDK1-o9iByvxqL-YgFNub3VBvPGI3glXOBlRPbBa4ZE513DKSM7rhyphenhyphen-h8NLmAMrP-5gV07Gi3onG0esFBCZRqMylvEk/s1600/MIPLabelDenyPublic.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="867" data-original-width="1600" height="346" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjU5t8J9HEkEyRYEFU3IVqCdXMchqtavw4hkwXiXx2MPTMgNAcTSDK1-o9iByvxqL-YgFNub3VBvPGI3glXOBlRPbBa4ZE513DKSM7rhyphenhyphen-h8NLmAMrP-5gV07Gi3onG0esFBCZRqMylvEk/s640/MIPLabelDenyPublic.png" width="640" /></a></div>
<br />
<br />
So what does SharePoint Online look like? Currently the sensitivity label support is only present in the SharePoint Admin Center when you create a new Team site, rather than directly in SharePoint Online for end users to take advantage of, unlike the current Microsoft Teams experience. Let's take a look.<br />
<br />
Go to the SharePoint Admin Center | Sites | Active Sites and select 'Create'. When selecting a Team Site you will see under 'Advanced settings' that sensitivity label support is now present.<br />
<br />
Let's take a look with the Public label selected - you will notice the privacy settings are Public.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg95w1G3Fepgh4BFcbxh3_zLbE-sm9IK1SW23ioC_zohlc65jbmxnJckoA5sbLIGitDgdkXmDEkEvKZtyhEmjMr7h4K6chhjcGhSzSW8JLHBkmxWeX8MYwfCq3nh39wkW8JmzBGIx11_sA/s1600/SPO-Public.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="867" data-original-width="1600" height="346" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg95w1G3Fepgh4BFcbxh3_zLbE-sm9IK1SW23ioC_zohlc65jbmxnJckoA5sbLIGitDgdkXmDEkEvKZtyhEmjMr7h4K6chhjcGhSzSW8JLHBkmxWeX8MYwfCq3nh39wkW8JmzBGIx11_sA/s640/SPO-Public.png" width="640" /></a></div>
<br />
Versus my unified label where I specified Private.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrCyP-zfgvre-AAT1MyMuWw71RX-toWJ2jXOsSH4SUKQ4wbKr64IQZ47SZRvAVNdBuU2Z5wYvezPEuTcLZVq7hwm4ROaHR2L-s1yuUHEjkBvlJLbeK331FsKqXie-D2EwfyoXSzLp91ms/s1600/SPO-Private.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="867" data-original-width="1600" height="346" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrCyP-zfgvre-AAT1MyMuWw71RX-toWJ2jXOsSH4SUKQ4wbKr64IQZ47SZRvAVNdBuU2Z5wYvezPEuTcLZVq7hwm4ROaHR2L-s1yuUHEjkBvlJLbeK331FsKqXie-D2EwfyoXSzLp91ms/s640/SPO-Private.png" width="640" /></a></div>
<br />
<br />
So the Preview appears to be off to a flying start, but as stated, more work is needed. Giving SharePoint Online the same end user creation capability for a labelled Team Site that Microsoft Teams has will be a welcome addition. There's also a fundamental gap: files in the document stores aren't currently protected by the label you set, so for example I could still share files to an external user if I wished. I am sure these improvements will get baked into the functionality as it matures, comes out of Preview and becomes generally available.<br />
<br />
If this is all too much for your production tenant, then simply revert 'EnableMIPLabels' back to 'False'. I would suggest testing on a demo tenant first if you want to enable and play with preview features.<br />
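For the enable, check and revert steps above in one place, here is an added PowerShell example (my own, not the post's script and not from Microsoft's documentation). It assumes you have already run Connect-AzureAD with the preview AzureAD module; the function name Set-MipLabelPreview and its -Enabled parameter are my own, while the cmdlets and the Group.Unified template id are the ones the post uses. Unlike the post's check, it re-reads the Group.Unified setting by its display name and fails loudly if the value did not land, which is the confirmation you want before waiting hours for propagation.

```powershell
# Added example: enable, verify or revert the Group.Unified 'EnableMIPLabels'
# directory setting with the AzureAD preview module. Run Connect-AzureAD first.
# The function name and its -Enabled parameter are assumptions of this example.

function Set-MipLabelPreview {
    param(
        [Parameter(Mandatory)]
        [bool]$Enabled
    )

    # Group.Unified settings template id, as used in the post.
    $templateId = '62375ab9-6b52-47ed-826b-58e47e0e304b'
    $desired = if ($Enabled) { 'True' } else { 'False' }

    $setting = Get-AzureADDirectorySetting |
        Where-Object { $_.DisplayName -eq 'Group.Unified' }

    if ($null -eq $setting) {
        # No Group.Unified settings object exists yet: create one from the template.
        $template = Get-AzureADDirectorySettingTemplate -Id $templateId
        $setting = $template.CreateDirectorySetting()
        $setting['EnableMIPLabels'] = $desired
        New-AzureADDirectorySetting -DirectorySetting $setting | Out-Null
    }
    else {
        # The settings object exists: update only the flag we care about.
        $setting['EnableMIPLabels'] = $desired
        Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting
    }

    # Re-read the setting by display name (not by the template id) and confirm
    # the value actually landed before trusting it.
    $current = (Get-AzureADDirectorySetting |
        Where-Object { $_.DisplayName -eq 'Group.Unified' }).Values |
        Where-Object { $_.Name -eq 'EnableMIPLabels' }

    if ($current.Value -ne $desired) {
        throw "EnableMIPLabels is '$($current.Value)', expected '$desired'"
    }
    Write-Output "EnableMIPLabels is now $($current.Value)"
}

# Enable the preview on a test tenant ...
Set-MipLabelPreview -Enabled $true

# ... and revert it if it is too much for production:
# Set-MipLabelPreview -Enabled $false
```

Because the same function handles both directions, the revert is a single call rather than a second edited copy of the script, and the post-write check means a typo in the flag name or a write that silently failed shows up immediately instead of hours later when no label appears in Teams.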
<br />
<br />
<div style="font-family: "times new roman"; font-size: 16px; font-variant-east-asian: normal; font-variant-numeric: normal; margin: 0px;">
Have fun!</div>
<div style="font-family: "times new roman"; font-size: 16px; font-variant-east-asian: normal; font-variant-numeric: normal; margin: 0px;">
<a href="https://twitter.com/OliverMoazzezi" style="color: #0066cc; font-variant-east-asian: normal; font-variant-numeric: normal; margin: 0px;">@OliverMoazzezi</a><br />
<div>
<br /></div>
</div>
<br />
<br />Oliver Moazzezi<br />
<br />
<b>Working with Read Receipts in Microsoft Teams</b> (published 2019-11-18T11:47:00.000+00:00, updated 2019-11-19T09:53:33.736+00:00)<br />
Microsoft announced in July 2019 that Read Receipts would be coming to Teams. The roll-out has been gradual and offers administrative control over the feature, as well as user control via the Teams client.<br />
<a href="https://mvp.microsoft.com/en-us/PublicProfile/4034894?fullName=Tom%20%20Arbuthnot">Microsoft MVP Tom Arbuthnot</a> covers the administrative controls in his <a href="https://tomtalks.blog/2019/06/microsoft-teams-read-receipts-know-when-a-private-chat-message-was-read-by-the-recipients/">blog here</a>; in this post I'll show you how the user experience looks for a user that has the feature enabled within their Teams client.<br />
<br />
<br />
Your Teams client should inform you the feature is now available to you. It will be turned on by default so you will immediately benefit from the feature.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTbMX270mQk8QFcSC5Ckw0UCL6UkrZRUIn5dVIgKyqG0OZSKLsMD1fDT52WopXEQy1uhNkei9vT6gqrXhGWxahKOarqCZ_GCLxl19GBFRCwhyphenhyphenrLZIzpr0QN0MRKsOVwa5VwwNLM5y1B3g/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="899" data-original-width="1600" height="358" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTbMX270mQk8QFcSC5Ckw0UCL6UkrZRUIn5dVIgKyqG0OZSKLsMD1fDT52WopXEQy1uhNkei9vT6gqrXhGWxahKOarqCZ_GCLxl19GBFRCwhyphenhyphenrLZIzpr0QN0MRKsOVwa5VwwNLM5y1B3g/s640/1.png" width="640" /></a></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
If you want to disable it, simply go to 'Settings' | 'Privacy' and you can disable it if you so wish.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQQzhsTm_X8f9MT_1sqAwu3NjxUiW2ac-yiaUqmn3PENALPjGlSoerklXsChLbl_TZt6zQmtihPbt5ZqFRYbqz2nqdxlTn_gQpdRRKGbnuyn7EwiIFY9Svxj_C31OwfUDo41NJZ0ar5O0/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="899" data-original-width="1600" height="358" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQQzhsTm_X8f9MT_1sqAwu3NjxUiW2ac-yiaUqmn3PENALPjGlSoerklXsChLbl_TZt6zQmtihPbt5ZqFRYbqz2nqdxlTn_gQpdRRKGbnuyn7EwiIFY9Svxj_C31OwfUDo41NJZ0ar5O0/s640/2.png" width="640" /></a></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
If a user you are chatting with hasn't got the feature, then even if they see your message your icon will only ever show as 'Sent', which is a little disappointing. You can see in this shot the user has responded and obviously seen my message, but if they hadn't responded I would have been none the wiser.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPXPykLReptgz5eYqujfQAniVEZFwBLktkQ9K8MZSsfaubCekivHBYKUHIeVDM7GvyaTuZ3nLWXNG_yURug_VXTNroXohzMh2hSWYhBat01XziB70u85EcmUPde-kfiJfUfvc2jyjyXsk/s1600/3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="899" data-original-width="1600" height="358" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPXPykLReptgz5eYqujfQAniVEZFwBLktkQ9K8MZSsfaubCekivHBYKUHIeVDM7GvyaTuZ3nLWXNG_yURug_VXTNroXohzMh2hSWYhBat01XziB70u85EcmUPde-kfiJfUfvc2jyjyXsk/s640/3.png" width="640" /></a></div>
<div>
<br /></div>
<div>
However, a user that has been enabled for the service will have read receipts working in your favour. You can see from the screenshots below that the message goes from 'Sent' to the eye icon that designates 'Seen'.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEij_09fj9soAaBPt52uISf5nQIVLtF2QpUlizllKybhQw7B375QB7ntdvKS0GN5T1QK4d1XXNSTGneAi-AfE5cSCG8BFoPtuuQZQZs-PyPmGArXx0x7y2n37JGsrQNiVJe3K4HWnVNn-tc/s1600/4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="899" data-original-width="1600" height="358" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEij_09fj9soAaBPt52uISf5nQIVLtF2QpUlizllKybhQw7B375QB7ntdvKS0GN5T1QK4d1XXNSTGneAi-AfE5cSCG8BFoPtuuQZQZs-PyPmGArXx0x7y2n37JGsrQNiVJe3K4HWnVNn-tc/s640/4.png" width="640" /></a></div>
<div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCvHoOBDMDLQlLkJMTn1aXIpEORZZMRvJBpIVcCFXiDrKc_11XuGioJS1dK14DnXyL1dh7nHt6T-LKtUegowfbRS7zL-l1tOcggiYt8PswuTMi34YpPwkuMTGnCNwP2SBOpqJhaLXfu0Q/s1600/5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="899" data-original-width="1600" height="358" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCvHoOBDMDLQlLkJMTn1aXIpEORZZMRvJBpIVcCFXiDrKc_11XuGioJS1dK14DnXyL1dh7nHt6T-LKtUegowfbRS7zL-l1tOcggiYt8PswuTMi34YpPwkuMTGnCNwP2SBOpqJhaLXfu0Q/s640/5.png" width="640" /></a></div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div>
<br /></div>
<div>
<br /></div>
<div>
The feature works well. I had expected it to also provide receipt clarity for users that aren't using the feature, which it doesn't, but I expect it will update and improve over time.</div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<div style="-webkit-text-stroke-width: 0px; background-color: transparent; color: black; font-family: Times New Roman; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; letter-spacing: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
Have fun,</div>
<div style="-webkit-text-stroke-width: 0px; background-color: transparent; color: black; font-family: Times New Roman; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; letter-spacing: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
<a href="https://twitter.com/OliverMoazzezi" style="background-color: transparent; color: #0066cc; font-family: "times new roman"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; letter-spacing: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; text-align: left; text-decoration: underline; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">@OliverMoazzezi</a></div>
<br /></div>
<br />Oliver Moazzezihttp://www.blogger.com/profile/06204760006275603297noreply@blogger.com0tag:blogger.com,1999:blog-5507158607924562609.post-26812514042828048742019-08-02T16:34:00.001+01:002019-08-02T16:34:37.397+01:00Azure AD Registered Devices, Intune, Sync could not be Initiated (0x82ac019e) and Port 444Greetings!<br />
<br />
I've been very busy, so this blog post is a little later than I really wanted. It should help people who get the dreaded error for <a href="https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-register">Azure AD Registered</a> Windows 10 devices: <b>'The sync could not be initiated (0x82ac019e)'</b>.<br />
<br />
Nearly every post on the internet for this error relates to an unlicensed user. However, that's not actually always the case: in this instance it was a firewall configuration issue.<br />
<br />
The device was Azure AD Registered simply by connecting a Work or School account to it, but on doing so and trying to force a 'sync', this error presented itself.<br />
<br />
<br />
<br />
<div style="text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhNzQOyZjmVea7fD6TqAvX9BRrDpMLR99izZsgMPWJ_ij-Bq3V331ak9Kz3_JS5NP5RCwco0kZ2xcmDp-aE2-QLSw0mGOvTbtfcCr7O-U1dh8_cDAPblmTpwMbvw52QAh6OF98tuBXOwE/s1600/SyncNotInitiated.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="347" data-original-width="832" height="266" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhNzQOyZjmVea7fD6TqAvX9BRrDpMLR99izZsgMPWJ_ij-Bq3V331ak9Kz3_JS5NP5RCwco0kZ2xcmDp-aE2-QLSw0mGOvTbtfcCr7O-U1dh8_cDAPblmTpwMbvw52QAh6OF98tuBXOwE/s640/SyncNotInitiated.png" width="640" /></a></div>
Checking Event Viewer under | Applications and Services Logs | Microsoft | Windows | DeviceManagement-Enterprise-Diagnostics-Provider | Event ID 201 stated there was an issue registering successfully.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKdiJGfoX21vcqK_rCcSzfau7BK49QOPrPbLB_Iqkke1NXCI9JgGmM2I1Xx1n8P7hcHYG2tuSXlMfEmoZ9z1_yEGB82P_TQOVsA7zlocfhPNi1NKSwJaj44VCxWwt9GsbYjLrwJC86zMA/s1600/3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="767" data-original-width="1018" height="482" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKdiJGfoX21vcqK_rCcSzfau7BK49QOPrPbLB_Iqkke1NXCI9JgGmM2I1Xx1n8P7hcHYG2tuSXlMfEmoZ9z1_yEGB82P_TQOVsA7zlocfhPNi1NKSwJaj44VCxWwt9GsbYjLrwJC86zMA/s640/3.png" width="640" /></a></div>
<br />
<br />
<br />
Trying to get to the Azure AD registration url <a href="https://wip.mam.manage.microsoft.com:444/">https://wip.mam.manage.microsoft.com:444</a> gave the following error.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhgSMSdHYES7mDf0w78LvTjQMTOdyCqrGbqysO7EHzTTGyoPk5vTWjTaiIInJpzSpn_E_FzdQ7h_RXeSN4LRyW9OkrAQSTDckmifPKWOkZuoSr-EifDOpdcMHWHZg7VneFDQB_wi3caS8/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1018" height="482" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhgSMSdHYES7mDf0w78LvTjQMTOdyCqrGbqysO7EHzTTGyoPk5vTWjTaiIInJpzSpn_E_FzdQ7h_RXeSN4LRyW9OkrAQSTDckmifPKWOkZuoSr-EifDOpdcMHWHZg7VneFDQB_wi3caS8/s640/1.png" width="640" /></a></div>
<br />
Similarly after installing the Telnet Client the Windows 10 device couldn't open a connection.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMbqkKU4hhyphenhyphengcUs94EQ5SG8ZRoy4Rh7zr04PDyBtak9-j3ZOmpZtUQZd22_RR1Zqu4qqk8uni5NzVAzbUX-wG2_uve8cqTIvROYwGpdeosyuk0QNp97QN5UV2RFS-SjA84Wg0DLLBnR7I/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="756" data-original-width="1022" height="472" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMbqkKU4hhyphenhyphengcUs94EQ5SG8ZRoy4Rh7zr04PDyBtak9-j3ZOmpZtUQZd22_RR1Zqu4qqk8uni5NzVAzbUX-wG2_uve8cqTIvROYwGpdeosyuk0QNp97QN5UV2RFS-SjA84Wg0DLLBnR7I/s640/2.png" width="640" /></a></div>
<br />
It became evident that this was a port issue, most likely firewall related. After opening port 444 the Windows 10 device could talk successfully to <span style="background-color: transparent; color: black; display: inline; float: none; font-family: "times new roman"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; letter-spacing: normal; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"><a href="https://wip.mam.manage.microsoft.com:444/">https://wip.mam.manage.microsoft.com:444</a></span><br />
<span style="background-color: transparent; color: black; display: inline; float: none; font-family: "times new roman"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; letter-spacing: normal; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbwcfe4JHY6Ze4JOfaNiZKDVBoVM3nrX5hfS77o8iSX0S7gQMwsx-W_MJWH6YvcJqjswUE-IT1gwDctc5rpPzeT5sy83LYU-Vdy0xKNgTqsGhyphenhyphenrl6HLYKT_gC8jSHyYzHv0Z3gbtfcdZI/s1600/4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="771" data-original-width="1019" height="484" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbwcfe4JHY6Ze4JOfaNiZKDVBoVM3nrX5hfS77o8iSX0S7gQMwsx-W_MJWH6YvcJqjswUE-IT1gwDctc5rpPzeT5sy83LYU-Vdy0xKNgTqsGhyphenhyphenrl6HLYKT_gC8jSHyYzHv0Z3gbtfcdZI/s640/4.png" width="640" /></a></div>
<span style="background-color: transparent; color: black; display: inline; float: none; font-family: "times new roman"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; letter-spacing: normal; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgeiYQdMXBopQOoAp6ndEtrSWOgZNnhEW1Rj9GK91yMyfwOwAg5MXw6-eBOtO508ge90eDHKiCsqKJ__HGsjOpNHVgz22F9daVHfvuipepvObUtmtKUaBBbWkuASdbEpk1vCxCUhvLwQJY/s1600/5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="769" data-original-width="1017" height="482" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgeiYQdMXBopQOoAp6ndEtrSWOgZNnhEW1Rj9GK91yMyfwOwAg5MXw6-eBOtO508ge90eDHKiCsqKJ__HGsjOpNHVgz22F9daVHfvuipepvObUtmtKUaBBbWkuASdbEpk1vCxCUhvLwQJY/s640/5.png" width="640" /></a></div>
<br />
and Event ID 209 showed a successful registration.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKNVNlTaAWLa1lZTHI5ZI7DktcMY8l3WjuAbOzWLAizp5k2KW3u8EFeKPIHuOMHwMWcvI_AB-AOQuEsPvARsIb78gb-lBFhSwqtm4AZP1swk2MoAt99LpcRMaAKJEY2K4nv8WnQyw0QIc/s1600/7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="771" data-original-width="1018" height="484" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKNVNlTaAWLa1lZTHI5ZI7DktcMY8l3WjuAbOzWLAizp5k2KW3u8EFeKPIHuOMHwMWcvI_AB-AOQuEsPvARsIb78gb-lBFhSwqtm4AZP1swk2MoAt99LpcRMaAKJEY2K4nv8WnQyw0QIc/s640/7.png" width="640" /></a></div>
<br />
And under | Settings | Accounts and sign-in | Connected Accounts | Info | if I selected 'Sync', it would now synchronise successfully.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXxJm-oFuxW_QTxzAsBw4RsltsOzl-Trgf0G4HgifDOGJb7xshxkTNlVTmH8vzuI3HLF8yGBB_vr0Z55574v_sGqaveIxxzn0vTGlX1kt8etILBKR-cdUHERbKoAYv3BeqyvIRey1Rjvw/s1600/6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="770" data-original-width="1018" height="484" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXxJm-oFuxW_QTxzAsBw4RsltsOzl-Trgf0G4HgifDOGJb7xshxkTNlVTmH8vzuI3HLF8yGBB_vr0Z55574v_sGqaveIxxzn0vTGlX1kt8etILBKR-cdUHERbKoAYv3BeqyvIRey1Rjvw/s640/6.png" width="640" /></a></div>
<br />
<br />
And my device was successfully Azure AD registered!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3epj4MukAfPj-gcaJgAYGwSwIuHoH_fhawZGNXppaAxGKfd2xuDz74UwZgP3cWZHHXhB76CGykA8zujE4W3uT5k7jwATWSqmZyITWsXIpCIG3kAdbDrp7_czZeDDi5bNGB5uCx3Two2s/s1600/Device+list+Intune.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="867" data-original-width="1600" height="346" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3epj4MukAfPj-gcaJgAYGwSwIuHoH_fhawZGNXppaAxGKfd2xuDz74UwZgP3cWZHHXhB76CGykA8zujE4W3uT5k7jwATWSqmZyITWsXIpCIG3kAdbDrp7_czZeDDi5bNGB5uCx3Two2s/s640/Device+list+Intune.png" width="640" /></a></div>
<br />
<br />
As there were already successfully Azure AD joined devices, it became clear that there is a difference in the way the two operate. Azure AD joined devices talk over port 443, which is almost always open on the firewall for outbound traffic.<br />
<br />
Azure AD registered devices talk on port 444. You will most likely find this port is blocked in enterprise environments, and if it is, you'll need to open it.<br />
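The checks the post walks through by hand, as an added PowerShell example that is not part of the original post. The hostname, port 444 and Event IDs 201/209 come from the post; the Event Viewer path is written in its Get-WinEvent log-name form, and login.microsoftonline.com on 443 is an assumed control used only to confirm that ordinary HTTPS egress works from the same device.<br />

```powershell
# Added example (not from the original post): confirm outbound reachability of
# the Azure AD registration endpoint on 444 and pull the registration events
# the post cites, so a blocked port shows up before anyone chases licensing.

$Targets = @(
    # Assumed control: a well-known Azure AD endpoint on 443, expected to be open.
    @{ Host = 'login.microsoftonline.com';    Port = 443 }
    # From the post: the Azure AD Registered / WIP MAM endpoint on port 444.
    @{ Host = 'wip.mam.manage.microsoft.com'; Port = 444 }
)

function Test-AadRegistrationEgress {
    param([hashtable[]]$Targets)
    foreach ($t in $Targets) {
        # -InformationLevel Quiet returns a plain $true/$false for the TCP handshake.
        $ok = Test-NetConnection -ComputerName $t.Host -Port $t.Port `
                                 -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Host = $t.Host; Port = $t.Port; TcpOpen = $ok }
    }
}

function Get-AadRegistrationEvents {
    param([int]$Hours = 24)
    # 201 = registration failed, 209 = registration succeeded (IDs as seen in the post).
    $filter = @{
        LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        Id        = 201, 209
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message |
        Sort-Object TimeCreated
}

$egress = Test-AadRegistrationEgress -Targets $Targets
$egress | Format-Table -AutoSize

$blocked = $egress | Where-Object { -not $_.TcpOpen }
if ($blocked) {
    $list = ($blocked | ForEach-Object { "$($_.Host):$($_.Port)" }) -join ', '
    Write-Warning "Blocked outbound ports (check the firewall before the licence): $list"
}

# Recent registration attempts: a run of 201s followed by a 209 after the
# firewall change is the pattern the post shows in Event Viewer.
Get-AadRegistrationEvents -Hours 24 | Format-Table -AutoSize -Wrap
```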
<br />
Have fun,<br />
<a href="https://twitter.com/OliverMoazzezi" style="-webkit-text-stroke-width: 0px; background-color: transparent; color: #0066cc; font-family: Times New Roman; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; letter-spacing: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; orphans: 2; text-align: left; text-decoration: underline; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">@OliverMoazzezi</a><b></b><i></i><u></u><sub></sub><sup></sup><strike></strike><br />
<div align="left" class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />Oliver Moazzezihttp://www.blogger.com/profile/06204760006275603297noreply@blogger.com0tag:blogger.com,1999:blog-5507158607924562609.post-28567348561245261492019-04-16T10:02:00.001+01:002019-04-16T10:27:54.612+01:00I have AADConnect Directory Synchronisation and users do not provision for Skype for Business Online<br />
Just a quick one this morning. I recently had an issue where a customer's users were not being provisioned for Skype for Business Online. The customer had remnants of a legacy Lync 2013 on-premises deployment and was using AADConnect for directory synchronisation.<br />
<br />
Digging into the tenant I could see that, even with the Skype for Business Online license enabled and even after waiting several hours, Get-CsOnlineUser in the Skype for Business Online Management Shell returned no users.<br />
<br />
This led me to my good friend <a href="https://jaapwesselius.com/2015/12/15/users-do-not-show-up-in-lync-online/#more-2775">Jaap Wesselius' blog post here</a>. Aha, a possible eureka moment: this must be the issue! Unfortunately it wasn't, but it was the same attribute that ultimately led me to the resolution.<br />
<br />
It appears that since Jaap's post further logic and evolution has occurred in the service, and these previously on-premises Lync-enabled users could no longer be enabled for Skype for Business Online using the above solution.<br />
<br />
What I actually had to do was set the <b>msRTCSIP-DeploymentLocator</b> attribute to 'sipfed.online.lync.com'. Once this was done the user would provision. Interesting, as no Lync hybrid deployment was in place or had been attempted. It appears to be logic in the service for users that were previously enabled for Lync or Skype for Business on-premises.<br />
<br />
Anyhow, to cut a long story short, I wrote a little script to do this. I used a CSV file to import my users, as I didn't want to perform this operation across all user objects in Active Directory. Similarly, if you are planning a cutover from on-premises Lync or Skype for Business rather than a hybrid deployment and migration, this will come in handy before you deprovision the users in the on-premises service. Just make sure you export the list of users via <b>Get-CsUser</b> first. Of course, if you do want to write across all user objects, substitute the first line "$users =" with <b>Get-ADUser</b> or similar rather than <b>Import-CSV</b>.<br />
<br />
It's fairly self-explanatory. And remember, even if you don't plan on using Skype for Business, be aware that <a href="https://docs.microsoft.com/en-gb/MicrosoftTeams/migration-interop-guidance-for-teams-with-skype">Microsoft Teams still has some reliance on the service</a> for features such as voice, so you will want to ensure there are no issues in order to give your tenant and users a smooth Teams experience.<br />
<pre>
Import-Module ActiveDirectory
# The CSV needs a 'samaccountname' column (e.g. from your Get-CsUser export)
$users = Import-CSV -Path C:\yourfilehere.CSV
ForEach ($user in $users){
    $u = $user.samaccountname -replace '"',''
    Set-ADUser -Identity $u -Replace @{'msRTCSIP-DeploymentLocator' = "sipfed.online.lync.com"}
}
</pre>
<br />
<br />
<div class="separator" style="-webkit-text-stroke-width: 0px; background-color: transparent; clear: both; color: black; font-family: Times New Roman; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; letter-spacing: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
<br /></div>
<div class="separator" style="-webkit-text-stroke-width: 0px; background-color: transparent; clear: both; color: black; font-family: Times New Roman; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; letter-spacing: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
<a href="https://twitter.com/OliverMoazzezi" style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">@OliverMoazzezi</a></div>
<br />
<br />Oliver Moazzezihttp://www.blogger.com/profile/06204760006275603297noreply@blogger.com0tag:blogger.com,1999:blog-5507158607924562609.post-50124445686487536032019-04-11T16:02:00.001+01:002019-04-12T09:52:05.253+01:00Enabling Azure Information Protection Unified Labelling PreviewMicrosoft currently have Unified Labelling in preview, but if you are looking at migrating your <a href="https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/globalBlade" target="_blank">Azure Information Protection labels</a> over to the <a href="https://protection.office.com/homepage" target="_blank">Compliance Center</a>, what do you need to do?<br />
First and foremost, I would advise against doing this in a real, live tenant right now unless you are well prepared and ready for users to utilise it in Office.<br />
<br />
Migrating the labels and having a Unified Labelling experience is one thing, but currently not all settings are migrated, so you have to check each migrated label with care and attention, reconfiguring the labels as and where necessary.<br />
<br />
If you have a test Office 365 tenant however, this is a great place to test the unified experience to help plan for when the service becomes generally available, and will also allow you to test out the experience in Microsoft Office clients with the <a href="https://www.microsoft.com/en-us/download/details.aspx?id=57440">Unified Label plug-in</a>.<br />
<br />
So, how do we unify the label experience to help us plan for the change as an administrator, ready for when Microsoft push this change to the service later in the year?<br />
<br />
First things first, let's take a look at what's in the <a href="https://protection.office.com/">Compliance Center </a>| Classifications | Labels. You will see these have now been split into 'Sensitivity' and 'Retention'.<br />
<br />
<span style="display: inline; float: none; font-family: "times new roman"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; letter-spacing: normal; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"><span style="background-color: #eeeeee;"></span><span style="color: black;"></span><span style="color: #eeeeee;"></span><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVa970xmSp3HZYiz3E4i0BX0CCsYu7srd-xcwlrBlshli7IvtRQQ8nxcpTNvnoVBeP-tDVLX7NiQ1BKhmhkAPDtwGtJpYg1UwCRyKWIqqh_j-9dj37186-j_fbTYrlo8dgxkwI8niEW9Y/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="background-color: #eeeeee; color: #eeeeee;"><img border="0" data-original-height="867" data-original-width="1600" height="346" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVa970xmSp3HZYiz3E4i0BX0CCsYu7srd-xcwlrBlshli7IvtRQQ8nxcpTNvnoVBeP-tDVLX7NiQ1BKhmhkAPDtwGtJpYg1UwCRyKWIqqh_j-9dj37186-j_fbTYrlo8dgxkwI8niEW9Y/s640/1.png" width="640" /></span></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
In my test tenant, any previous labels I had created before this change would have been for Retention only, as Sensitivity was not an option. So you can see I have zero Sensitivity labels available.</div>
<span style="background-color: black;"><span style="color: #eeeeee;"><span style="color: #eeeeee;"><span style="display: inline; float: none; font-family: "times new roman"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; letter-spacing: normal; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"><br /></span></span></span></span>
<span style="background-color: black;"><span style="color: #eeeeee;"><span style="color: #eeeeee;"><span style="display: inline; float: none; font-family: "times new roman"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; letter-spacing: normal; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
</span></span></span></span><span style="display: inline; float: none; font-family: "times new roman"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; letter-spacing: normal; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"><b></b><i></i><u></u><sub></sub><sup></sup><strike></strike><span style="color: #f3f3f3;"></span><span style="color: black;"></span><span style="background-color: #eeeeee;"></span><span style="background-color: #eeeeee;"></span><span style="color: black;"></span><span style="background-color: black;"></span><span style="color: black;"></span><span style="color: #eeeeee;"></span><span style="color: #eeeeee;"></span><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTVqNa7q2eh5CYKe4L9fRZwk5kC4_WKWUUpSmlx7jcP-RXW3UVCU6f8h-xk1yqn9bC63RTcikh1locGOh-FzIPs7Wu2FLp_owi_KCGNcpVY-TpHbI3lX9AcvjVxE_VNxYOSZzNeE6H7UQ/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="background-color: #eeeeee; color: #eeeeee;"><img border="0" data-original-height="867" data-original-width="1600" height="346" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTVqNa7q2eh5CYKe4L9fRZwk5kC4_WKWUUpSmlx7jcP-RXW3UVCU6f8h-xk1yqn9bC63RTcikh1locGOh-FzIPs7Wu2FLp_owi_KCGNcpVY-TpHbI3lX9AcvjVxE_VNxYOSZzNeE6H7UQ/s640/2.png" width="640" /></span></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
So how do we migrate labels from the Azure Portal to the Compliance Center? If we log in to the Azure Portal and select Azure Information Protection, you'll see 'Unified labeling (Preview)' at the bottom of the blade. It states that this is a one-way process that cannot be undone once activated, and that any labels with duplicate names across the service will be renamed (so best to check this, or test it out like I did). The one thing it doesn't state is that not all your settings are migrated over, which is pretty poor to be honest and something it should absolutely state. You can read more in the <a href="https://docs.microsoft.com/en-us/azure/information-protection/configure-policy-migrate-labels">docs.microsoft.com AIP documentation</a>. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Let's take a look and then activate.</div>
<span style="background-color: #eeeeee;"></span><span style="color: black;"></span><span style="color: #eeeeee;"></span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijE16rKLPSR7Tc7YmL2lwLjx1yTam5iD2f5VV64tOPc97pAYjuXgOG26eJntq5JpK0lkJ_j0VEL83TGwFp9AyPEqL8yF-Wxoq9AbH3atD93xuHG8u3_OU3zrNTzrTvambY4KRzgQSZyRw/s1600/3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="background-color: #eeeeee; color: #eeeeee;"><img border="0" data-original-height="867" data-original-width="1600" height="346" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijE16rKLPSR7Tc7YmL2lwLjx1yTam5iD2f5VV64tOPc97pAYjuXgOG26eJntq5JpK0lkJ_j0VEL83TGwFp9AyPEqL8yF-Wxoq9AbH3atD93xuHG8u3_OU3zrNTzrTvambY4KRzgQSZyRw/s640/3.png" width="640" /></span></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
Once activated you will see your AIP labels appear in Compliance Center under 'Sensitivity'.<br />
<span style="background-color: #eeeeee;"></span><span style="color: black;"></span><span style="color: #eeeeee;"></span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjatQfGwQD0sdhLUv8q5O0Gx8wFZOsCS9uTSfQh29xDhIXBHQGoJYi6UBRiDRpJHbZzQI6Yer5kgP-yyv7EK4JV3w_IOvWFiXA16e33kK6rv2xmhN2zYAL_wHKb_iPZOFbi5Mrv9xCaMqE/s1600/Migrated.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="background-color: #eeeeee; color: #eeeeee;"><img border="0" data-original-height="867" data-original-width="1600" height="346" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjatQfGwQD0sdhLUv8q5O0Gx8wFZOsCS9uTSfQh29xDhIXBHQGoJYi6UBRiDRpJHbZzQI6Yer5kgP-yyv7EK4JV3w_IOvWFiXA16e33kK6rv2xmhN2zYAL_wHKb_iPZOFbi5Mrv9xCaMqE/s640/Migrated.png" width="640" /></span></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Comparing the migrated labels, you'll see that some settings are migrated and others are not, so make sure you verify each and every migrated label. It is generally pretty good at carrying most things over, but confirm all protection settings and headers and footers to re-affirm your configuration.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
You can see, for example, that the encryption settings and the users specified for a label have been carried over successfully for this example label.</div>
<span style="background-color: #eeeeee;"></span><span style="color: black;"></span><span style="color: #eeeeee;"></span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDJSaIu6C_q_ThJQl_ebS3gHnvmPU0foEW_7ale5pgpegs-4J4g3qJL0pP3RKYNwdt4-E4eyI6f8AihaFQ8xG-wiWRprLN4dxOGkN5I_xnPSxFj35ho9HSUytg6d1FyyNeJaGhfuhM4WU/s1600/oldlabel.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="background-color: #eeeeee; color: #eeeeee;"><img border="0" data-original-height="867" data-original-width="1600" height="346" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDJSaIu6C_q_ThJQl_ebS3gHnvmPU0foEW_7ale5pgpegs-4J4g3qJL0pP3RKYNwdt4-E4eyI6f8AihaFQ8xG-wiWRprLN4dxOGkN5I_xnPSxFj35ho9HSUytg6d1FyyNeJaGhfuhM4WU/s640/oldlabel.png" width="640" /></span></a></div>
<span style="background-color: #eeeeee;"></span><span style="color: black;"></span><span style="color: #eeeeee;"></span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKq4zQJSRQ2DKBBwSJh6ReiHadlYljCXy4uDUJNisXkpKEx-cpLqnaRjHvwSQCGhWrAnbJkdnCYDwvSEInGuWOqQq_Km_QB2cDGW4C2y_MnciUHURBk0SvynEC_KombOBoYUxgoNKBXsU/s1600/newlabel1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="background-color: #eeeeee; color: #eeeeee;"><img border="0" data-original-height="867" data-original-width="1600" height="346" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKq4zQJSRQ2DKBBwSJh6ReiHadlYljCXy4uDUJNisXkpKEx-cpLqnaRjHvwSQCGhWrAnbJkdnCYDwvSEInGuWOqQq_Km_QB2cDGW4C2y_MnciUHURBk0SvynEC_KombOBoYUxgoNKBXsU/s640/newlabel1.png" width="640" /></span></a></div>
<span style="background-color: #eeeeee;"></span><span style="color: black;"></span><span style="color: #eeeeee;"></span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibKxJ9whf3XYDZqXpYazZ3tjKgBMxIzHKs_ptiiFkEcwbun-jdYml2DGkizlJfn7dBAELKL5iW0geVu9sJ2-prvGmmS_Lf9lUmrZCvMllhu9XRmTchcIZzRZpqZQzXIryS_6QZWMLupdY/s1600/newlabel2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="background-color: #eeeeee; color: #eeeeee;"><img border="0" data-original-height="867" data-original-width="1600" height="346" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibKxJ9whf3XYDZqXpYazZ3tjKgBMxIzHKs_ptiiFkEcwbun-jdYml2DGkizlJfn7dBAELKL5iW0geVu9sJ2-prvGmmS_Lf9lUmrZCvMllhu9XRmTchcIZzRZpqZQzXIryS_6QZWMLupdY/s640/newlabel2.png" width="640" /></span></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
So once you have tested the experience, you now need to ensure you have downloaded and installed the unified label plug-in for Microsoft Office. It requires a specific version of .Net and there's a specific KB to install to allow it to work on Windows 7 machines. It also supports Office 2010 which is a surprise too - <a href="https://docs.microsoft.com/en-us/azure/information-protection/rms-client/install-unifiedlabelingclient-app">you'll find all the caveats to these here.</a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Have fun!</div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://twitter.com/OliverMoazzezi">@OliverMoazzezi</a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<u><span style="color: #000120;"><b></b><i></i><sub></sub><sup></sup><strike></strike><span style="background-color: #eeeeee;"></span><span style="color: black;"></span><span style="color: #eeeeee;"></span><br /></span></u>
Oliver Moazzezihttp://www.blogger.com/profile/06204760006275603297noreply@blogger.com0tag:blogger.com,1999:blog-5507158607924562609.post-26474134398853011392019-02-15T17:15:00.000+00:002019-02-15T17:15:04.335+00:00Using Azure MFA Server as an SSL LDAP Proxy<br />
This post outlines the steps required to initiate your on-premises Azure MFA Server deployment as an SSL LDAP proxy for Active Directory. This allows MFA to be put 'in-line' for anything authenticating to Active Directory via LDAP - a useful solution for legacy on-premises applications that cannot support MFA through an update or migration to an Azure MFA supported solution such as an Azure Enterprise Application.<br />
<br />
This post assumes your Azure MFA solution is deployed and working on-premises. From this working baseline, we perform the following steps to enable it as an SSL LDAP Proxy.<br />
<br />
<br />
In the Multi-Factor Authentication Server console select 'LDAP Authentication'. From here we need to select 'Enable LDAP Authentication'. The standard LDAP port of 389 and the SSL LDAP port of 636 should be entered.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6lotu-wHR6HCHyPSMs6_KHcOKkN_8NpDtOzl2pRVSeB-tpzWgug_UgdSMM-ihw8mW_JrC2TElbmt3Kre6NyuN5prvHk9HylbGFwPponsDu6CFMhPRM7ic8SAd7vzd_oTnmp_ZtXsjMBM/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="763" data-original-width="1023" height="476" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6lotu-wHR6HCHyPSMs6_KHcOKkN_8NpDtOzl2pRVSeB-tpzWgug_UgdSMM-ihw8mW_JrC2TElbmt3Kre6NyuN5prvHk9HylbGFwPponsDu6CFMhPRM7ic8SAd7vzd_oTnmp_ZtXsjMBM/s640/1.png" width="640" /></a></div>
<br />
<br />
If using SSL LDAP, we must enter a trusted third-party certificate or one issued by a valid internal PKI, such as Active Directory Certificate Services. If it is a self-signed certificate, please note the service will not start, and your LDAP proxy will not listen on either 389 or 636 (or the alternative ports if you have configured them). Please also note that you must restart the server at this stage to have the LDAP Proxy service start.<br />
<span style="background-color: transparent; color: black; display: inline; float: none; font-family: "times new roman"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; letter-spacing: normal; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"><span style="color: white;"></span><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigUEvMkZ5iuXrF9JfS9-KXBr50NxnvSzOlyzQspCoB1KTewMU2GjpeVEU0zAWRvayCYOHH1eVdNeoeGPh7y29pQuvE0ELWCnqcIyQrSHxtsuok7Ykc5QnLOsWhfHRE52QxQnATA7kUjBY/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="763" data-original-width="1023" height="476" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigUEvMkZ5iuXrF9JfS9-KXBr50NxnvSzOlyzQspCoB1KTewMU2GjpeVEU0zAWRvayCYOHH1eVdNeoeGPh7y29pQuvE0ELWCnqcIyQrSHxtsuok7Ykc5QnLOsWhfHRE52QxQnATA7kUjBY/s640/2.png" width="640" /></a></div>
<br />
<br />We then also need to 'authorise' the clients that can connect to the LDAP Proxy service. Simply select 'Add' under the clients section, add the client's IP address and specify an application name so that the connecting client is identifiable.<br />
<span style="background-color: white;"><span style="color: black;"><span style="display: inline; float: none; font-family: "times new roman"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; letter-spacing: normal; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"><br /></span></span></span>
<span style="background-color: transparent; color: black; display: inline; float: none; font-family: "times new roman"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; letter-spacing: normal; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"><span style="background-color: white;"></span><span style="color: white;"></span><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxr9K_6Mom3pcf9uljmSrIfG4iqvyoPkub4JRGZi-0K4B1TxfB6swOZ62an9jCE4isZITvPcpoEE8TKyNihRFZhLjtMFj0BiPBqFgYj1QzNXRMqGv3-F52xq7OyBXOhMmRUb1uw4eTnw0/s1600/3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="744" data-original-width="1021" height="466" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxr9K_6Mom3pcf9uljmSrIfG4iqvyoPkub4JRGZi-0K4B1TxfB6swOZ62an9jCE4isZITvPcpoEE8TKyNihRFZhLjtMFj0BiPBqFgYj1QzNXRMqGv3-F52xq7OyBXOhMmRUb1uw4eTnw0/s640/3.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<span style="background-color: transparent; color: black; display: inline; float: none; font-family: "times new roman"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; letter-spacing: normal; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"><div class="separator" style="clear: both; text-align: center;">
<br /></div>
</span><div>
One thing to remember here is if you want the LDAP Proxy to only support users that have enrolled for MFA, you should select 'Require Multi-Factor Authentication user match'. If you leave this unchecked it will allow users that haven't been enrolled for MFA to also be able to use the LDAP Proxy, and of course be allowed to authenticate with only their username and password. This is a good setting if you want to front the LDAP Proxy immediately and slowly enroll users into MFA.<br />
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzvN5V__KV0OY4OYuU2eCkpnwjrK_Gimepi-WPHKbODBQoKS00dveehNzN1fOIH430vL1wTG3nmWKAW_0saKP6GKLVWKkcs16UMyXWNWIWayDKzNenYdLhsfuuNtu-2CXUpQTxa3rRGG0/s1600/4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="347" data-original-width="620" height="358" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzvN5V__KV0OY4OYuU2eCkpnwjrK_Gimepi-WPHKbODBQoKS00dveehNzN1fOIH430vL1wTG3nmWKAW_0saKP6GKLVWKkcs16UMyXWNWIWayDKzNenYdLhsfuuNtu-2CXUpQTxa3rRGG0/s640/4.png" width="640" /></a></div>
<br />
We now need to change 'Directory Integration' from 'Use Active Directory' to 'Use specific LDAP configuration'. You will need to specify a server, the Base DN of your directory, and an account with sufficient rights for the Azure MFA Server Proxy service to perform a BIND on your behalf. You can then use 'Test' to verify a successful connection and bind operation to your Active Directory.<br />
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjb5adqHHf6cS5a_mEMb5lamt5wDb1_tq7EYvGN3WihStf3G0UJice9SSPbtHO7fedZAlR3Z4ipCiafkRzm3DSXpCQNWL3_NqFzSfc5lFqkmU2QWHYo4hevtwbClhyphenhyphen5Lq441BM4UE6KVs/s1600/5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="734" data-original-width="1021" height="460" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjb5adqHHf6cS5a_mEMb5lamt5wDb1_tq7EYvGN3WihStf3G0UJice9SSPbtHO7fedZAlR3Z4ipCiafkRzm3DSXpCQNWL3_NqFzSfc5lFqkmU2QWHYo4hevtwbClhyphenhyphen5Lq441BM4UE6KVs/s640/5.png" width="640" /></a></div>
<div>
<br /></div>
<div>
And that's it, the LDAP Proxy service is configured. So how can we test it before pointing applications that use LDAP authentication to it? Well we could use test applications of course, but you can always use LDP.exe to perform a simple LDAP authentication test.</div>
<div>
<br /></div>
<div>
Open LDP.exe and select 'Connect', enter the IP address of the LDAP Proxy and specify the port and whether you have implemented SSL or not.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkXvz1z9npryqoadNeDzBp3r95Hi5QI41G4FFNXkeATM7sfHGQH6VN9doPVanGLsWiZ6NvOl2zSf-Q3vkP2A_SfjVqzGjb6Wc8-aYTubwdUa82uL31cxGLBldCX3rq3nTpa1O7NLjtjZ0/s1600/6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="722" data-original-width="1018" height="452" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkXvz1z9npryqoadNeDzBp3r95Hi5QI41G4FFNXkeATM7sfHGQH6VN9doPVanGLsWiZ6NvOl2zSf-Q3vkP2A_SfjVqzGjb6Wc8-aYTubwdUa82uL31cxGLBldCX3rq3nTpa1O7NLjtjZ0/s640/6.png" width="640" /></a></div>
<div>
<br /></div>
<div>
Once connected perform a BIND using the credentials of a user you want to test. If you have configured the LDAP Proxy to allow authentication for users not registered for MFA then you will authenticate as normal - just as if you had pointed LDP.exe at a Domain Controller.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDpry8OX64e9PzaSlNXA377jGAJdv-6-okxv4nZVe9h-rjgvRWeThC9_QDPqgjSwUaS4CAthI4eoI5RndXCrlrrAaP2Jhx-x-JMm5PDREb4rpsFiPfs4AZDxYqXLamn5nKOsEDBkXts2s/s1600/7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="731" data-original-width="1021" height="458" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDpry8OX64e9PzaSlNXA377jGAJdv-6-okxv4nZVe9h-rjgvRWeThC9_QDPqgjSwUaS4CAthI4eoI5RndXCrlrrAaP2Jhx-x-JMm5PDREb4rpsFiPfs4AZDxYqXLamn5nKOsEDBkXts2s/s640/7.png" width="640" /></a></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
If however the user has been enrolled for MFA, prior to being authenticated to the directory you will be prompted on your multi-factor authentication device: either a phone call, a text message or the Microsoft Authenticator app. I of course use the app as it provides the best experience, so after selecting 'Approve', I am authenticated.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBUetcLKwnNXHJWa4lw_H3MWmbueMRl7WA0BpbeOGiQMRnlfPxEvokjUg-QdQPT3vx52narn0t9LOYc4a73Qw1r8eM4uZnuIP5n-go8ZAIQKHGU1UrgpCiDA449gPKJ-2R30lxGrLMen4/s1600/8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="767" data-original-width="1020" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBUetcLKwnNXHJWa4lw_H3MWmbueMRl7WA0BpbeOGiQMRnlfPxEvokjUg-QdQPT3vx52narn0t9LOYc4a73Qw1r8eM4uZnuIP5n-go8ZAIQKHGU1UrgpCiDA449gPKJ-2R30lxGrLMen4/s640/8.png" width="640" /></a></div>
<div>
<br /></div>
<br />
If you are using phone call or text as the second-factor mechanism, consider increasing the timeout setting to 30-60 seconds so the request does not time out before the user has a chance to respond.<br />
<br />
<br />
Finally I wanted to talk about enabling the LDAP Proxy service when you have Azure MFA Server and you are using ADFS. Installing Azure MFA Server on your ADFS server farm is a supported topology. However, if you plan to deploy a non-SSL LDAP Proxy service on port 389, this will conflict with ADFS and break it.<br />
<br />
It is best to separate Azure MFA Server onto its own server when using LDAP Proxy rather than have it installed on an ADFS server. You will most likely have to split Azure MFA Server onto dedicated servers, as using non-standard ports may make the service awkward to consume from the applications that require LDAP authentication.<br />
<br />
<br />
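The LDP.exe bind test and the port caveats above (a self-signed certificate stopping the listener, ADFS already owning 389), as an added PowerShell example that is not part of the original post. It assumes Windows PowerShell 5.1 or later; the proxy host name and test account in the usage lines are placeholders.

```powershell
# Added example (not from the original post): check what is listening on the LDAP Proxy
# ports and perform a simple bind through the proxy, as the post does with LDP.exe.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapProxyListener {
    # Run on the MFA Server itself. Reports which process owns 389/636, so a proxy that
    # failed to start (self-signed certificate) or a port already owned by ADFS is obvious.
    param([int[]]$Ports = @(389, 636))
    foreach ($port in $Ports) {
        $conns = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue
        if (-not $conns) {
            [pscustomobject]@{ Port = $port; Listening = $false; Process = $null }
            continue
        }
        foreach ($c in $conns) {
            $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{ Port = $port; Listening = $true; Process = $proc.ProcessName }
        }
    }
}

function Test-LdapProxyBind {
    # Simple (username/password) bind through the proxy. The default 60 second timeout
    # leaves room for a phone or text second factor to be answered, per the post's advice.
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 636,
        [switch]$NoSsl,
        [Parameter(Mandatory)][pscredential]$Credential,
        [int]$TimeoutSeconds = 60
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $ldap = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    try {
        $ldap.SessionOptions.ProtocolVersion = 3
        # Certificate validation stays on: a chain failure here is the self-signed
        # certificate case the post warns about and should surface, not be suppressed.
        $ldap.SessionOptions.SecureSocketLayer = -not $NoSsl
        $ldap.AuthType = 'Basic'
        $ldap.Timeout  = [TimeSpan]::FromSeconds($TimeoutSeconds)
        $ldap.Bind($Credential.GetNetworkCredential())
        [pscustomobject]@{ Server = $Server; Port = $Port; Ssl = -not $NoSsl; Result = 'Bind OK' }
    } catch {
        # LDAP result codes seen here: 49 = invalidCredentials, 81 = server down
        # (nothing listening on the port, or the TLS handshake failed).
        $msg = if ($_.Exception -is [System.DirectoryServices.Protocols.LdapException]) {
            "LDAP error $($_.Exception.ErrorCode): $($_.Exception.Message)"
        } else {
            $_.Exception.Message
        }
        [pscustomobject]@{ Server = $Server; Port = $Port; Ssl = -not $NoSsl; Result = $msg }
    } finally {
        $ldap.Dispose()
    }
}

# Usage with placeholder values (replace with your proxy host and a test account):
# Test-LdapProxyListener
# Test-LdapProxyBind -Server 'mfaproxy.corp.example' -Credential (Get-Credential 'CORP\testuser')
```

A user enrolled for MFA will receive the second-factor prompt during the Bind call; a user not enrolled will bind straight away only if 'Require Multi-Factor Authentication user match' is left unchecked.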
<div style="-webkit-text-stroke-width: 0px; background-color: transparent; color: black; font-family: "times new roman"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; letter-spacing: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
Have fun!</div>
</div>
<div style="-webkit-text-stroke-width: 0px; background-color: transparent; color: black; font-family: "times new roman"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; letter-spacing: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<a href="https://twitter.com/OliverMoazzezi" style="background-color: transparent; color: #0066cc; font-family: "calibri","helvetica",sans-serif; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; letter-spacing: normal; text-align: left; text-decoration: underline; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;" target="_blank">@OliverMoazzezi</a></div>
</div>
</div>
<br />
<br />
<br />
<br />
<br />Oliver Moazzezihttp://www.blogger.com/profile/06204760006275603297noreply@blogger.com0tag:blogger.com,1999:blog-5507158607924562609.post-7735843794105743802019-02-08T17:43:00.000+00:002019-02-08T17:43:23.696+00:00Using the Win32 Application Packaging Tool for Intune deploymentFirst of all Happy 2019!<br />
<br />
Hopefully by now you are using Microsoft Intune to manage some of your device estate - even if the concentration is purely for mobile and tablet MDM purposes. Intune is a great way to manage Windows 10 devices - especially with Autopilot and AAD joins. But how do you push Win32 apps to your devices?<br />
<br />
In comes the Win32 Application packaging tool. You can get the build <a href="https://github.com/Microsoft/Intune-Win32-App-Packaging-Tool" target="_blank">from Github here.</a><br />
<br />
It's fairly easy to use to convert your msi and exe files to the .intunewin standard for uploading into the Intune console.<br />
<br />
In this example I am packaging Notepad++. In the root of the folder that houses IntuneWinAppUtil.exe, create a folder that houses the application you want to convert, ensuring any ancillary files are included, and also create another folder to output the converted package to.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWEe3NvljTOKgR3IGWN7J1VxXPJwCfSqAE7mUvKOC4l6ErOSUmwrHiSrPqM5Iego6w1mqj86rFRFLhP5SC6qVsoJGQyPCp239HQe1TkccSrselUk2d-IKShw2I4zOIUsGjtWaJNFLV1cc/s1600/0.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="561" data-original-width="870" height="412" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWEe3NvljTOKgR3IGWN7J1VxXPJwCfSqAE7mUvKOC4l6ErOSUmwrHiSrPqM5Iego6w1mqj86rFRFLhP5SC6qVsoJGQyPCp239HQe1TkccSrselUk2d-IKShw2I4zOIUsGjtWaJNFLV1cc/s640/0.png" width="640" /></a></div>
<br />
From here open PowerShell or the command prompt and run:<br />
<br />
<b>"IntuneWinAppUtil.exe -c "Source Folder containing the application files" -s The name of the .exe -o "The output folder to put the .intunewin package to"</b><br />
<div>
<b><br /></b></div>
<div>
The switches are explained below, and -h is for help.</div>
<div>
<br /></div>
<div>
<i>Sample commands to use for the Microsoft Win32 Content Prep Tool:</i></div>
<div>
<i>IntuneWinAppUtil -h<br />This will show usage information for the tool.<br />IntuneWinAppUtil -c &lt;setup_folder&gt; -s &lt;source_setup_file&gt; -o &lt;output_folder&gt; &lt;-q&gt;<br />This will generate the .intunewin file from the specified source folder and setup file.<br />For MSI setup file, this tool will retrieve required information for Intune.<br />If -q is specified, it will be in quiet mode. If the output file already exists, it will be overwritten.<br />Also if the output folder does not exist, it will be created automatically.<br />IntuneWinAppUtil<br />If no parameter is specified, this tool will guide you to input the required parameters step by step.<br />Command-line parameters available</i></div>
<div>
<i>-h Help<br />-c &lt;setup_folder&gt; Setup folder for all setup files. All files in this folder will be compressed into .intunewin file.<br />Only the setup files for this app should be in this folder.<br />-s &lt;setup_file&gt; Setup file (e.g. setup.exe or setup.msi).<br />-o &lt;output_file&gt; Output folder for the generated .intunewin file.</i></div>
<div>
<i><br /></i></div>
<div>
It will then package your file.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhf5CzBDZoe1C1NAV8x58lEjdN2pQn6GuAkPNfIZb5KbNPuwuLKnsrvI3iumldFMjFOKjx1C9oVcsBRRAy9-1CumlyTx9TwKzaPltZm-zidqp80siqiKE79omObSTSTe_74QiP13ZYHpfk/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="512" data-original-width="979" height="334" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhf5CzBDZoe1C1NAV8x58lEjdN2pQn6GuAkPNfIZb5KbNPuwuLKnsrvI3iumldFMjFOKjx1C9oVcsBRRAy9-1CumlyTx9TwKzaPltZm-zidqp80siqiKE79omObSTSTe_74QiP13ZYHpfk/s640/1.png" width="640" /></a></div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOFLmk8oKqpdUGEILU5AzahgiDGKnh95diRO3GQ5jF7DGO-srxBQ3oDgQ_16y3Bptnlb1hMYEWuei2yRDDvEcHyXDul8X-6t1_sk1O_addiOjBE7I3QIyBmhJFHy0U5R9t4f8wLMMNTLA/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="512" data-original-width="979" height="334" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOFLmk8oKqpdUGEILU5AzahgiDGKnh95diRO3GQ5jF7DGO-srxBQ3oDgQ_16y3Bptnlb1hMYEWuei2yRDDvEcHyXDul8X-6t1_sk1O_addiOjBE7I3QIyBmhJFHy0U5R9t4f8wLMMNTLA/s640/2.png" width="640" /></a></div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhohQf2YJOZ7sf8jMA31NO8fkWm5zbgkH5eZG_Rmkcj3LtfC6t1vtl80CjOiERmYTycVJxMHqc09uSWnOp0HZz-wdgraWdY7K65Gyw4rFf-BA9GNA67QrKmmeudpwe4C8o6417eDX1XSBs/s1600/3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="512" data-original-width="979" height="334" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhohQf2YJOZ7sf8jMA31NO8fkWm5zbgkH5eZG_Rmkcj3LtfC6t1vtl80CjOiERmYTycVJxMHqc09uSWnOp0HZz-wdgraWdY7K65Gyw4rFf-BA9GNA67QrKmmeudpwe4C8o6417eDX1XSBs/s640/3.png" width="640" /></a></div>
<div>
<br /></div>
<div>
And you'll have your .intunewin package to upload to Intune.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_Bd_XWiVqYOVICIHxncO448CwZ7ljuPzGUVgp42U8olcC1kK0CKHuecM-0J-Cv95q0RukONwhgPSGHO1frtZh807GHphWyNvZdm85wzG4FU7B7AGxgQPHbBS3_OVu1_FX7HOx4WFajQQ/s1600/4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="561" data-original-width="870" height="412" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_Bd_XWiVqYOVICIHxncO448CwZ7ljuPzGUVgp42U8olcC1kK0CKHuecM-0J-Cv95q0RukONwhgPSGHO1frtZh807GHphWyNvZdm85wzG4FU7B7AGxgQPHbBS3_OVu1_FX7HOx4WFajQQ/s640/4.png" width="640" /></a></div>
<div>
You'll now be able to upload the package to the Intune console.</div>
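The packaging steps above, wrapped in an added PowerShell example that is not part of the original post or of the packaging tool: it checks the source folder contains only the expected files (the tool compresses everything in it), verifies the installer's Authenticode signature, records its SHA256, then runs IntuneWinAppUtil.exe with the same switches as the post. Folder paths, the installer name and the assumption that the tool names the package after the setup file are placeholders and assumptions of this example.

```powershell
# Added example (not from the original post or the Win32 Content Prep Tool).
function Invoke-CheckedIntuneWinPackage {
    param(
        [Parameter(Mandatory)][string]$SourceFolder,
        [Parameter(Mandatory)][string]$SetupFile,
        [Parameter(Mandatory)][string]$OutputFolder,
        [string]$ToolPath = '.\IntuneWinAppUtil.exe',
        # Ancillary files you expect next to the installer; anything else is rejected.
        [string[]]$AllowedFiles = @()
    )
    $setupPath = Join-Path $SourceFolder $SetupFile
    if (-not (Test-Path $setupPath)) { throw "Setup file not found: $setupPath" }

    # -c compresses the whole folder, so flag anything that is not the installer or an
    # expected ancillary file rather than silently shipping it to every device.
    $unexpected = Get-ChildItem -Path $SourceFolder -File -Recurse |
        Where-Object { $_.Name -ne $SetupFile -and $AllowedFiles -notcontains $_.Name }
    if ($unexpected) {
        throw "Unexpected files in source folder: $($unexpected.Name -join ', ')"
    }

    # Authenticode check: an unsigned or tampered installer is not packaged.
    $sig = Get-AuthenticodeSignature -FilePath $setupPath
    if ($sig.Status -ne 'Valid') {
        throw "Installer signature status is '$($sig.Status)'; refusing to package."
    }

    # Record the installer hash for the change record and the Intune detection rule.
    $hash = (Get-FileHash -Path $setupPath -Algorithm SHA256).Hash

    if (-not (Test-Path $OutputFolder)) {
        New-Item -ItemType Directory -Path $OutputFolder | Out-Null
    }
    # Same switches as the post: -c source folder, -s setup file, -o output folder, -q quiet.
    & $ToolPath -c $SourceFolder -s $SetupFile -o $OutputFolder -q
    if ($LASTEXITCODE -ne 0) { throw "IntuneWinAppUtil.exe exited with code $LASTEXITCODE" }

    # Assumption: the tool names the package after the setup file (setup.exe -> setup.intunewin).
    $package = Join-Path $OutputFolder ([IO.Path]::GetFileNameWithoutExtension($SetupFile) + '.intunewin')
    if (-not (Test-Path $package)) { throw "Expected package not found: $package" }

    [pscustomobject]@{
        Package     = $package
        Signer      = $sig.SignerCertificate.Subject
        Sha256      = $hash
        PackageSize = (Get-Item $package).Length
    }
}

# Usage with placeholder paths (constructed for this example):
# Invoke-CheckedIntuneWinPackage -SourceFolder '.\Source\NotepadPlusPlus' -SetupFile 'npp.exe' `
#     -OutputFolder '.\Output'
```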
<div>
<br /></div>
<div>
<br /></div>
<div>
<i><br /></i></div>
<div>
<div style="-webkit-text-stroke-width: 0px; background-color: transparent; color: black; font-family: Times New Roman; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; letter-spacing: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
Have fun!</div>
<div style="-webkit-text-stroke-width: 0px; background-color: transparent; color: black; font-family: "times new roman"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; letter-spacing: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<a href="https://twitter.com/OliverMoazzezi" style="background-color: transparent; color: #0066cc; font-family: "calibri","helvetica",sans-serif; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; letter-spacing: normal; text-align: left; text-decoration: underline; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;" target="_blank">@OliverMoazzezi</a></div>
</div>
</div>
<br />Oliver Moazzezihttp://www.blogger.com/profile/06204760006275603297noreply@blogger.com0tag:blogger.com,1999:blog-5507158607924562609.post-16604215731645731622018-12-19T18:27:00.002+00:002018-12-19T18:30:34.184+00:00Why does AzureAD advanced reporting and Azure Identity Protection give me conflicting alerts?<br />
This is for any Office 365 Administrator that is using the advanced reporting features of Azure AD Premium P1 and also Azure Identity Protection as part of Azure AD Premium P2.<br />
<br />
If you are using this reporting functionality from AADP1 and AADP2 you will no doubt be getting reporting conflicts, where Azure Identity Protection reports suspicious activity even though you have ring-fenced your networks and locations in the Azure Portal. This is a confusing and annoying anomaly that will frustrate you, but here's the answer to the issue: Azure Identity Protection, also known as the Cloud App Security Portal, doesn't honour any of the named locations or trusted locations you have set up in Azure Conditional Access | Named Locations.<br />
<br />
<br />
Let's take a look!<br />
<br />
Here you can see I am in the Azure AD Admin Center. Utilising the advanced reporting features of Azure AD Premium P1 allows me to get more granular reporting from Azure on what is happening in my tenant and how users are authenticating to and accessing Azure and Office 365 services. One of the great features here is adding 'known IP address ranges', as shown below.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgt1PzD337x29rGkJyvAsMCawLmEYWTHQtpEwZ6CDCWcaA6sTocIPmedTZVQcxNThuc7B3HBzVGd8Jq5VXThUzVXZ2Z0_0OlxgGFQa2VrUKuSNeqMuKpyk6YpxwSf-yFRl06myyecaNl64/s1600/0.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="577" data-original-width="1060" height="348" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgt1PzD337x29rGkJyvAsMCawLmEYWTHQtpEwZ6CDCWcaA6sTocIPmedTZVQcxNThuc7B3HBzVGd8Jq5VXThUzVXZ2Z0_0OlxgGFQa2VrUKuSNeqMuKpyk6YpxwSf-yFRl06myyecaNl64/s640/0.png" width="640" /></a></div>
<br />
<br />
Selecting this takes me to Azure Conditional Access, where I can configure named locations. You can see I have configured my locations below, as any good administrator should, since this information is used to filter alerts and gives the system what it needs to provide fine-tuned alerting. When you add a named location you also have the option of making it trusted, for example to bypass MFA requirements for 'trusted locations' rather than having to specify individual locations from this list.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDhDd-2t8-LACpJjxIIkWtLHGqPdwsXA4xvgrGxOaxgOowXi-3o1XFwifFJ-mPPVZGWHyzSbHviKkXJq8x_yxjtOqOvhyVGtwrHIisqwvAxLSWCn5Rib4rx3X9QpOQ8oFqvOihhosci-U/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="577" data-original-width="973" height="378" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDhDd-2t8-LACpJjxIIkWtLHGqPdwsXA4xvgrGxOaxgOowXi-3o1XFwifFJ-mPPVZGWHyzSbHviKkXJq8x_yxjtOqOvhyVGtwrHIisqwvAxLSWCn5Rib4rx3X9QpOQ8oFqvOihhosci-U/s640/1.png" width="640" /></a></div>
<br />
So once I have populated all of this information my advanced reporting features of Azure AD Premium P1 will start to use them - and my alerts will take into account the configuration I have placed here. But what about Azure Identity Protection which is a feature of Azure AD Premium P2?<br />
<br />
Well the truth is it doesn't use this configuration data at all - which is a crying shame. You have to configure it all over again. Let's log in and take a look.<br />
<br />
<br />
You can see I am getting alerts for my Washington Office here, even though it's configured and trusted in the named location section of Azure Conditional Access in the Azure Portal.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGDMJZM8W5zkFKprRpSyaiiWHTHu4B8v3euGO6sxvtJ-CQLUIBpDalwPimUB1DivGn7CQGe4Mxefqo_qYQppScaf3-LvGsuhyphenhyphen0eAwhEEvRqOCN9uMbCJ5S164xAYrAiT2GdbQNpZdsKU8/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="649" data-original-width="1600" height="258" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGDMJZM8W5zkFKprRpSyaiiWHTHu4B8v3euGO6sxvtJ-CQLUIBpDalwPimUB1DivGn7CQGe4Mxefqo_qYQppScaf3-LvGsuhyphenhyphen0eAwhEEvRqOCN9uMbCJ5S164xAYrAiT2GdbQNpZdsKU8/s640/2.png" width="640" /></a></div>
<br />
So how do I remedy this so I have a unified advanced alerting capability and identity protection platform?<br />
<br />
Well, you need to add the locations into the Cloud App Security Portal. Select the cog in the upper right area of the Cloud App Security Portal and select 'IP address ranges'.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUXBCH2cVHtqmvLiyqpQfDvndE0d_wt4ujioPJfQyizFafWp6p_2rEOUH08DBw10hJEVi-30nYjywgKw9HyQ9bSNFSt2ld_go-dW6G4gdj-F2iaMaICzPNfp-zRM0jwXri5pK_HNJfuq8/s1600/3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="610" data-original-width="1600" height="242" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUXBCH2cVHtqmvLiyqpQfDvndE0d_wt4ujioPJfQyizFafWp6p_2rEOUH08DBw10hJEVi-30nYjywgKw9HyQ9bSNFSt2ld_go-dW6G4gdj-F2iaMaICzPNfp-zRM0jwXri5pK_HNJfuq8/s640/3.png" width="640" /></a></div>
<br />
From here you will have to enter your locations once more.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1LpHQ0QS52IkI8Bv6TxZouWBzjd_gBK1BX_0pytrLBFOpyuAM3FmphJCgfPFtKmV5nMCR3iLUBcl-iyermPeMO3pdqZ9qcMRgFuWciHDgg5AHZKYv_NXTYfKdmUFolz3VyKPn76CvDGw/s1600/4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="642" data-original-width="1600" height="256" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1LpHQ0QS52IkI8Bv6TxZouWBzjd_gBK1BX_0pytrLBFOpyuAM3FmphJCgfPFtKmV5nMCR3iLUBcl-iyermPeMO3pdqZ9qcMRgFuWciHDgg5AHZKYv_NXTYfKdmUFolz3VyKPn76CvDGw/s640/4.png" width="640" /></a></div>
<br />
<br />
Once entered, Azure Identity Protection will be able to use these locations in any of the pre-canned policies, or indeed any custom ones you create, to provide the same insight data that you are getting from the advanced reporting feature of Azure AD Premium P1.<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5L-JEq6uaLp8LxN29c1xpybEiNVsvpzpu0T21PxRaXdsnxGdwi13lDeqb-5xL-EFdwD14flv2SwJ0-HC2mRiRKlL5ne03ES_T52BmueRMeYqIPTcrw2eO1fCqLPe3QSuUFOjJhAOurAU/s1600/5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="548" data-original-width="1600" height="218" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5L-JEq6uaLp8LxN29c1xpybEiNVsvpzpu0T21PxRaXdsnxGdwi13lDeqb-5xL-EFdwD14flv2SwJ0-HC2mRiRKlL5ne03ES_T52BmueRMeYqIPTcrw2eO1fCqLPe3QSuUFOjJhAOurAU/s640/5.png" width="640" /></a></div>
<br />
And that's it. No more alert conflicts between the two systems, where advanced reporting understands that a network is trusted while you get conflicting information from Azure Identity Protection.<br />
<br />
The only downside is you will need to remember to update both until Microsoft ingest Azure Identity Protection fully into the Azure Portal (which I hope they will do!) and they share the same metrics and configuration data. Until that time, administer both.<br />
<br />
Have fun!<br />
<div style="-webkit-text-stroke-width: 0px; background-color: transparent; color: black; font-family: Times New Roman; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; letter-spacing: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
<a href="https://twitter.com/OliverMoazzezi" style="background-color: transparent; color: #0066cc; font-family: "calibri","helvetica",sans-serif; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; letter-spacing: normal; text-align: left; text-decoration: underline; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;" target="_blank">@OliverMoazzezi</a></div>
Oliver Moazzezihttp://www.blogger.com/profile/06204760006275603297noreply@blogger.com0tag:blogger.com,1999:blog-5507158607924562609.post-74434439776559525702018-11-22T16:02:00.002+00:002018-11-27T10:32:36.723+00:00Mitigating Azure MFA issues during outages for Azure MFA, Azure Conditional Access and Azure MFA ServerMicrosoft suffered a very unfortunate Azure Multi Factor Authentication issue on November 19th which affected thousands of their customers for many hours. In a world where MFA is a must, even if most tenants still don't use this fantastic feature, how do we mitigate a service issue like the one we experienced when the service breaks?<br />
<br />
Well, the first thing to understand is which version of Azure MFA you are using. There are effectively three versions in Office 365, which provide additional features and functionality via licensing: Azure MFA, Azure MFA Premium (although this cannot be purchased anymore as of October 2018), and Azure Conditional Access, which allows MFA in its workflows. On top of this there's also Azure MFA Server, an on-premises product, to contend with as well, and it was also affected by the outage.<br />
<br />
So in a future scenario where we could have another Azure MFA outage, what steps as an Administrator can we take to gain access to our tenancy as well as mitigate user sign-in issues?<br />
<br />
Let's take a look.<br />
<br />
So from a user perspective - and we're just using the standard Azure MFA solution here - they won't be able to sign in, as MFA will be enforced. If you still have legacy Azure MFA Premium licenses in play, or have Azure AD Premium licensing, you'll find you can add trusted locations under 'service settings'.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDLhwLlj2LRcaXAWbqBkuvQXNXNA3g2VqrVpMuVFHR5rWuca7AJHDpDe5I4_o6sBvGKM8sZPrjR_PKk5OrOk46Jqy1FECoscEJQjHyWF3W6-JtIUZCgTDH_SRO_WTMtovF-PkMc5OmxAY/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="605" data-original-width="1008" height="384" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDLhwLlj2LRcaXAWbqBkuvQXNXNA3g2VqrVpMuVFHR5rWuca7AJHDpDe5I4_o6sBvGKM8sZPrjR_PKk5OrOk46Jqy1FECoscEJQjHyWF3W6-JtIUZCgTDH_SRO_WTMtovF-PkMc5OmxAY/s640/1.png" width="640" /></a></div>
<br />
<br />
So we now have two options. Providing the service is still honouring trusted locations - which during the November 18th outage it was - we can set up some additional trusted locations, such as the IP address of a user who is working from home. Or we can temporarily disable MFA for the user. Once the outage has recovered we can go back and enable it once more. Remember to select 'restore multi-factor authentication on all remembered devices' so users won't have to re-register their devices, which can cause employee confusion.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgk-LVtM2ghanKw1g1A1NhW9afNm972oXtfK0JqHDmlIOnTZtHJUq0pN3Rz3YMsYzjPPY7-K7La3104k5VbzXbF-Ezs23OllC4KScgOkhqrb5_s43udt-3fB2BTfVQ8M2xlHJc4rb4iGE/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="606" data-original-width="1009" height="384" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgk-LVtM2ghanKw1g1A1NhW9afNm972oXtfK0JqHDmlIOnTZtHJUq0pN3Rz3YMsYzjPPY7-K7La3104k5VbzXbF-Ezs23OllC4KScgOkhqrb5_s43udt-3fB2BTfVQ8M2xlHJc4rb4iGE/s640/2.png" width="640" /></a></div>
<br />
<br />
If the users are logging into Office 365 and we have utilised Azure Conditional Access to create an MFA workflow, then the legacy Azure MFA page as shown above will show the users as disabled for MFA - but they will very much be enabled. To get this information on who is enabled you will have to dig through Azure AD Powershell.<br />
<br />
Getting users access to their services again will require you to relax the MFA workflow in the Azure Conditional Access rule set, or to disable the rule altogether until the outage is over.<br />
<br />
To relax the MFA requirement, search under | Access Controls | Require multi-factor authentication.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgeS_-AjGkzaTQ0Gp82oKhSTSDEYnDKBeNjRPQLx71V3CTaCwySUMrGqP406OCy966ZYcBfBCKE5W-_Dj4iLanUsUHtmZpV-CapVlOEaF3QPuO6nCgqLhU_ksj40edF9yWLCcwpq-JRJ1k/s1600/3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="647" data-original-width="1009" height="410" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgeS_-AjGkzaTQ0Gp82oKhSTSDEYnDKBeNjRPQLx71V3CTaCwySUMrGqP406OCy966ZYcBfBCKE5W-_Dj4iLanUsUHtmZpV-CapVlOEaF3QPuO6nCgqLhU_ksj40edF9yWLCcwpq-JRJ1k/s640/3.png" width="640" /></a></div>
<br />
<br />
To disable the conditional access rule, simply toggle it to OFF under | Enable policy.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMFOn6EruDe-q4TvMldYmreg3T86LDf2vo9m7ZxLXyoO9DmfnAPmWohSYAOwx1F-fc3tkxkocYuOESrx2CSXaCz5MiMHgDJFdQF_VaknaGv5SMxtmTvSRPyTjmz88pVJyC_ADWnhTX69g/s1600/4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="647" data-original-width="1009" height="410" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMFOn6EruDe-q4TvMldYmreg3T86LDf2vo9m7ZxLXyoO9DmfnAPmWohSYAOwx1F-fc3tkxkocYuOESrx2CSXaCz5MiMHgDJFdQF_VaknaGv5SMxtmTvSRPyTjmz88pVJyC_ADWnhTX69g/s640/4.png" width="640" /></a></div>
<br />
<br />
So your users' sign-in issues are now resolved; what about your administrators? The answer lies somewhere above, depending on whether you simply use the standard Azure MFA management page or manage an MFA workflow through Azure Conditional Access - however I would expect you to have a separate conditional access rule for your Administrators, VIPs, Finance Teams etc.<br />
<br />
If you are in the position where you cannot actually log in to your tenant at all to make the above changes, then you should have an account that allows Global Administrator access to your tenancy, whose details are kept unknown and locked into your BCS process. I recommend the standard *.onmicrosoft.com account here. If you are utilising Azure Conditional Access, ensure you have set up an exclusion policy for this account - which is actually Microsoft best practice for this very reason.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiF7dzWG-Jau2FCZxAz97IZIORKHUy7I38gakAOVWs2ub8YIzhoZAImQkV_TYOrnGLUGNBKYfe5g2yuG2V5qvPsKLADhnWUbxBjldMUVtmQWUg1U_povl9m6MiEskMuSmJDb6OdAt0NnKg/s1600/5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="606" data-original-width="1275" height="304" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiF7dzWG-Jau2FCZxAz97IZIORKHUy7I38gakAOVWs2ub8YIzhoZAImQkV_TYOrnGLUGNBKYfe5g2yuG2V5qvPsKLADhnWUbxBjldMUVtmQWUg1U_povl9m6MiEskMuSmJDb6OdAt0NnKg/s640/5.png" width="640" /></a></div>
<br />
<br />
This is especially important if you have Customer Lockbox enabled - as Microsoft won't be easily able to help you gain access to your tenancy!<br />
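As an added example (not from the original post), the PowerShell below uses the MSOnline module to list every Global Administrator with their legacy per-user Azure MFA state and to flag whether a cloud-only *.onmicrosoft.com break-glass account exists. It assumes you have already run Connect-MsolService; the function name is my own.

```powershell
# Added example, not the original post's code. Assumes the MSOnline module is
# installed and Connect-MsolService has already been run as a Global Administrator.
Import-Module MSOnline

function Get-GlobalAdminMfaReport {
    # 'Company Administrator' is the MSOnline name for the Global Administrator role.
    $role    = Get-MsolRole -RoleName "Company Administrator"
    $members = Get-MsolRoleMember -RoleObjectId $role.ObjectId -All |
        Where-Object { $_.RoleMemberType -eq "User" }

    foreach ($member in $members) {
        $user = Get-MsolUser -ObjectId $member.ObjectId

        # StrongAuthenticationRequirements is empty when per-user MFA is disabled.
        # This reflects the legacy Azure MFA page only: users who get MFA through a
        # Conditional Access policy show as Disabled here, exactly as the post notes.
        $mfaState = if ($user.StrongAuthenticationRequirements.Count -gt 0) {
            $user.StrongAuthenticationRequirements[0].State   # Enabled or Enforced
        } else {
            "Disabled"
        }

        [pscustomobject]@{
            UserPrincipalName    = $user.UserPrincipalName
            DisplayName          = $user.DisplayName
            PerUserMfaState      = $mfaState
            # Account on the initial tenant domain: a break-glass candidate.
            IsOnMicrosoftAccount = $user.UserPrincipalName -like "*.onmicrosoft.com"
            # ImmutableId is set for accounts synchronised from on-premises AD.
            IsSynced             = [bool]$user.ImmutableId
        }
    }
}

$report = Get-GlobalAdminMfaReport
$report | Format-Table -AutoSize

# Warn if there is no cloud-only *.onmicrosoft.com Global Administrator to fall back on.
$breakGlass = $report | Where-Object { $_.IsOnMicrosoftAccount -and -not $_.IsSynced }
if (-not $breakGlass) {
    Write-Warning "No cloud-only *.onmicrosoft.com Global Administrator found. Create one and exclude it from your Conditional Access policies."
}
```

Whether the break-glass account is actually excluded from Conditional Access cannot be read through MSOnline, so check that in the Conditional Access blade as shown in the screenshot above.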
<br />
So finally that leaves Azure MFA Server. In the scenario encountered on November 19th how can we mitigate sign-in issues when Azure MFA Server is in use and users are enabled through it?<br />
<br />
Simply open the Multi-Factor Authentication Server console, select Users | User and we can disable MFA altogether if we so wish until we want it enabled once more.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWyEoq9u6YbkmfiXrAIhkyJoBIhdVURVSjF_ctubJKxnyUiddmDhmoUA6awiDTcLz951RSCbD0Z_lPKHtDChflxlfHON3tZGVxtJVUAht63dTOwlSSPgrisgXJdwOsXhzN_LtN-AMLE6o/s1600/6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="730" data-original-width="1027" height="454" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWyEoq9u6YbkmfiXrAIhkyJoBIhdVURVSjF_ctubJKxnyUiddmDhmoUA6awiDTcLz951RSCbD0Z_lPKHtDChflxlfHON3tZGVxtJVUAht63dTOwlSSPgrisgXJdwOsXhzN_LtN-AMLE6o/s640/6.png" width="640" /></a></div>
<br />
We also can utilise Trusted IPs and skip MFA requirements for them - just like in the Azure MFA service. We must however configure the IP addresses in the Multi-Factor Authentication Server console. Select | User Portal | Trusted IPs | and enter them here.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQDdzJeCbd6GVuqxdOjb5eOg7GTQJ6Eek7uC2MQ226KBX9f5Ljv8mb628UPEjHgUyFcyI-bA-zJ4C1hoy8OGpzcZQCg7UweV60HrVESuq7vEXzPQ7xoQ8XXF0Fb68OyXO2PmjcbB18N9Y/s1600/Trusted+IPs.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="721" data-original-width="1022" height="450" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQDdzJeCbd6GVuqxdOjb5eOg7GTQJ6Eek7uC2MQ226KBX9f5Ljv8mb628UPEjHgUyFcyI-bA-zJ4C1hoy8OGpzcZQCg7UweV60HrVESuq7vEXzPQ7xoQ8XXF0Fb68OyXO2PmjcbB18N9Y/s640/Trusted+IPs.png" width="640" /></a></div>
<br />
<br />
However there are still other ways. We could simply enable 'one time bypass', so MFA stays enabled but the user will not be prompted for MFA when they log in to Office 365 during the outage.<br />
<br />
Ensure you have an account that is a Portal Administrator.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhE_2uIKyDDME9k8hGYhabDYs1sSKg0nKk5R0z8JLtz134xhhGp_crLij8leqYGU05DgH3bTx7pNp8e5wEx2uh86twlDPCeTXr9pOy6EFfxmR-mAHbiQL_OBz8m7j6UWbigKIiAMvVfZRY/s1600/7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="730" data-original-width="1027" height="454" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhE_2uIKyDDME9k8hGYhabDYs1sSKg0nKk5R0z8JLtz134xhhGp_crLij8leqYGU05DgH3bTx7pNp8e5wEx2uh86twlDPCeTXr9pOy6EFfxmR-mAHbiQL_OBz8m7j6UWbigKIiAMvVfZRY/s640/7.png" width="640" /></a></div>
<br />
Once the admin is logged into the User Portal they can simply find the user and initiate 'one time bypass', specifying the time in seconds the bypass will stay active before turning itself off. 300 seconds is the default. The next time the user logs in, MFA is not required, and it is subsequently enforced once more.<br />
<br />
So are there any other ways? Yes - and one lesson from the outage is that this setting is worth keeping enabled. Ensure that | User Portal | Settings | Use security questions for fallback | is checked. This will allow a standard security question response in the event of Azure MFA failure.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfUvM76yDjlU8zSg-mWKAXSSj_VyNW_fI6P-p8rNtY1H9WQKhV49Lw8OOmzm0D7TQJEBU8RXpFTpUXOkFEyMQj48BxddE9Okdhpyh9sGKopBDk9o1V654lEHng-ws_YN9g_VKDvr9Ykbc/s1600/9.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="720" data-original-width="1018" height="452" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfUvM76yDjlU8zSg-mWKAXSSj_VyNW_fI6P-p8rNtY1H9WQKhV49Lw8OOmzm0D7TQJEBU8RXpFTpUXOkFEyMQj48BxddE9Okdhpyh9sGKopBDk9o1V654lEHng-ws_YN9g_VKDvr9Ykbc/s640/9.png" width="640" /></a></div>
<br />
<br />
<br />
Take care,<br />
<a href="https://twitter.com/OliverMoazzezi" style="-webkit-text-stroke-width: 0px; background-color: transparent; color: #0066cc; font-family: "calibri","helvetica",sans-serif; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration: underline; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;" target="_blank">@OliverMoazzezi</a><b></b>Oliver Moazzezihttp://www.blogger.com/profile/06204760006275603297noreply@blogger.com0tag:blogger.com,1999:blog-5507158607924562609.post-80152141535811439182018-09-28T11:46:00.002+01:002018-09-28T11:46:30.944+01:00Controlling access to the Outlook on the Web Beta Experience<br />
Exchange Online users are once more being asked to trial the new Beta experience for the service. But what happens if this causes confusion in the workplace and increases help desk calls? What happens if you are the IT Administrative function and you want to control when this experience is rolled out to your users?<br />
<br />
Well, the good news is we can control it with Outlook Web App policies and some PowerShell.<br />
<br />
<br />
Users are now being asked to trial the new experience in the upper right area of Outlook on the Web, as Microsoft has pretty much rolled this out to all tenants in Office 365. Users will have been accustomed to the below experience for quite some time.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2PoI_1M02cF7H75XmSVIgWoKlpHznrY1hteR8lz2txdwX_Wf2a_JmoHvAoIxbNW3aAXPfUzxrT5jJ9xSAy60T-6vhVtMVk4IWmDt0gIjs0ASOIYd3pplPLfCPzMf852FfX01S2-RA3LA/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1368" height="358" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2PoI_1M02cF7H75XmSVIgWoKlpHznrY1hteR8lz2txdwX_Wf2a_JmoHvAoIxbNW3aAXPfUzxrT5jJ9xSAy60T-6vhVtMVk4IWmDt0gIjs0ASOIYd3pplPLfCPzMf852FfX01S2-RA3LA/s640/1.png" width="640" /></a></div>
<br />
The new 'beta' experience introduces a look and feel that is almost exactly what consumer users of Outlook.com have been experiencing for the last 6 months.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcHdFftaocAYTa6yXspCHa8M-f6wjEjfHH2CartLVkJq3_xVeiFWkZBSa2twaibIlcnM-6ktajVKr6-Nf_I1cTQmRQbbfbpvQNtFGLbH3L7JfIv7e8R5Lmwwzjh9uXHwUdlj37yiCDb20/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1368" height="358" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcHdFftaocAYTa6yXspCHa8M-f6wjEjfHH2CartLVkJq3_xVeiFWkZBSa2twaibIlcnM-6ktajVKr6-Nf_I1cTQmRQbbfbpvQNtFGLbH3L7JfIv7e8R5Lmwwzjh9uXHwUdlj37yiCDb20/s640/2.png" width="640" /></a></div>
<br />
We can remove the option from users by utilising PowerShell and editing the default Outlook Web App mailbox policy, or by creating a new one and assigning it to users. You may even have multiple policies already in place and need to make multiple changes. Here's what Outlook on the Web looks like for a logged-in user with the option removed.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtWFHoHMM8INQCqwjiUpW35m-2v6UIqPxUeFvmoyqhVkdDWKl6otcGVFeeaIudZ6GzMoL3YywKXD5GijIsvrDZJ0ySbZawbl9aF3gMsAsBklJUgSKeLwpI20ofzCibR1VOIfmsg6bJT8g/s1600/final.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1368" height="358" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtWFHoHMM8INQCqwjiUpW35m-2v6UIqPxUeFvmoyqhVkdDWKl6otcGVFeeaIudZ6GzMoL3YywKXD5GijIsvrDZJ0ySbZawbl9aF3gMsAsBklJUgSKeLwpI20ofzCibR1VOIfmsg6bJT8g/s640/final.png" width="640" /></a></div>
<br />
So why do we need to use PowerShell to modify this feature? Because you cannot control the Outlook Beta Experience in the Exchange Administrative Center - the feature control isn't there.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEdSFkA_uaRPLSPfuSzzMngT7e2vI2TiJoBm5Ckjt7WHDoxJgEdkeK5nLPwD86AGdVAEq6bYT1_-Y9_ZTdiIHVGmBSrgVDAdZvIBCEN6Uy0N9mioRW6sF_148Kkcosw6PrRYvEz14n480/s1600/OWAMailboxPolicyinEAC.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="728" data-original-width="929" height="500" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEdSFkA_uaRPLSPfuSzzMngT7e2vI2TiJoBm5Ckjt7WHDoxJgEdkeK5nLPwD86AGdVAEq6bYT1_-Y9_ZTdiIHVGmBSrgVDAdZvIBCEN6Uy0N9mioRW6sF_148Kkcosw6PrRYvEz14n480/s640/OWAMailboxPolicyinEAC.png" width="640" /></a></div>
<br />
So open a PowerShell connection to your Exchange Online tenant and let's use <b>Get-OwaMailboxPolicy</b> to check the policies you have in place. You will most likely just have the default policy, unless you have created additional ones in the past.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiymOP0tVvk4cAO0a7tY1V5d5ai2OOgRLSQEbttBuwSXQFtcRL5fQ3oDHkuZtpe7RRkO5EWc4QyJPMWcb91-fvJb9zuFp1lBu0yq9uS6uetCrR1Mgwsm-CkCSffbaLWvfprieAkD5WdQhY/s1600/3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="484" data-original-width="1070" height="288" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiymOP0tVvk4cAO0a7tY1V5d5ai2OOgRLSQEbttBuwSXQFtcRL5fQ3oDHkuZtpe7RRkO5EWc4QyJPMWcb91-fvJb9zuFp1lBu0yq9uS6uetCrR1Mgwsm-CkCSffbaLWvfprieAkD5WdQhY/s640/3.png" width="640" /></a></div>
<br />
We're specifically looking for <b>'OutlookBetaToggleEnabled'</b>.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXL3MC7fAAZJ-wzZ2o_UO-nrzPvLTceq3P9aQeDkNzSoCPvHFOfq0X-KaPEbKPgsCxW-RUfgn_gOUJNnTDV_M-qoKP0BqsdPNY9nX8UqyqZDTfcmcHdQ7J86BSSYWcJWaJjbo8MTfsMeE/s1600/4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="484" data-original-width="1070" height="288" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXL3MC7fAAZJ-wzZ2o_UO-nrzPvLTceq3P9aQeDkNzSoCPvHFOfq0X-KaPEbKPgsCxW-RUfgn_gOUJNnTDV_M-qoKP0BqsdPNY9nX8UqyqZDTfcmcHdQ7J86BSSYWcJWaJjbo8MTfsMeE/s640/4.png" width="640" /></a></div>
<br />
If you want to make the change against the default policy, simply utilise this command:<br />
<br />
<b>Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-default -OutlookBetaToggleEnabled $false</b><br />
<br />
And that's it, we're done. If you have multiple policies in play then make sure you do it for each, or if you want to control roll-out you can create a new policy with the feature disabled, then assign it to specific users using the <b>Set-CASMailbox</b> cmdlet. For example:<br />
<b>Set-CASMailbox -Identity user@domain.com -OwaMailboxPolicy "Policy Here"</b><br />
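As an added example (not from the original post), the PowerShell below puts the steps above together: it audits every OWA mailbox policy for the beta toggle, turns it off wherever it is still on, and optionally creates a pilot policy that keeps the toggle enabled for a named set of users. It assumes an existing Exchange Online PowerShell session; the function names, policy name and user addresses are constructed.

```powershell
# Added example, not the original post's code. Assumes you are already connected
# to Exchange Online PowerShell with permission to manage OWA mailbox policies.

function Disable-OutlookBetaToggle {
    param(
        # When set, only report what would change.
        [switch] $WhatIf
    )

    foreach ($policy in Get-OwaMailboxPolicy) {
        if ($policy.OutlookBetaToggleEnabled) {
            Write-Host ("Disabling beta toggle on policy '{0}'" -f $policy.Identity)
            Set-OwaMailboxPolicy -Identity $policy.Identity `
                -OutlookBetaToggleEnabled $false -WhatIf:$WhatIf
        } else {
            Write-Host ("Policy '{0}' already has the toggle disabled" -f $policy.Identity)
        }
    }
}

function New-OutlookBetaPilot {
    param(
        [Parameter(Mandatory)] [string]   $PolicyName,
        [Parameter(Mandatory)] [string[]] $PilotUsers
    )

    # Create the pilot policy only if it does not already exist.
    if (-not (Get-OwaMailboxPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
        New-OwaMailboxPolicy -Name $PolicyName | Out-Null
    }
    # The pilot policy is the only one where the toggle stays available.
    Set-OwaMailboxPolicy -Identity $PolicyName -OutlookBetaToggleEnabled $true

    # Assign the pilot policy to the named mailboxes.
    foreach ($upn in $PilotUsers) {
        Set-CASMailbox -Identity $upn -OwaMailboxPolicy $PolicyName
    }
}

# Report the state before and after the change.
Get-OwaMailboxPolicy | Format-Table Identity, OutlookBetaToggleEnabled -AutoSize
Disable-OutlookBetaToggle
Get-OwaMailboxPolicy | Format-Table Identity, OutlookBetaToggleEnabled -AutoSize

# Constructed example pilot users and policy name: replace with your own.
New-OutlookBetaPilot -PolicyName "OWA-BetaPilot" `
    -PilotUsers @("pilot1@contoso.com", "pilot2@contoso.com")
```

Run `Disable-OutlookBetaToggle -WhatIf` first if you want to see which policies would be changed before committing.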
<br />
<br />
Don't forget though, this change is coming and will wholly affect Kiosk and F1 plan users - so don't remove the feature and forget about it. Utilise this to control the experience whilst you inform users of the change.<br />
<br />
Until next time,<br />
<br />
<a href="https://twitter.com/OliverMoazzezi" style="font-family: calibri, helvetica, sans-serif; font-size: 16px;" target="_blank">@OliverMoazzezi</a><br />
<b> </b>Oliver Moazzezihttp://www.blogger.com/profile/06204760006275603297noreply@blogger.com0tag:blogger.com,1999:blog-5507158607924562609.post-67489417697891600702018-09-20T11:11:00.000+01:002018-09-20T15:52:30.715+01:00The importance of Multi-Factor authentication with the prominence of phishing scams<br />
Phishing scams are one of the largest threats to Office 365 user credentials out there. Why? Well, it's one of the easiest and yet most effective methods attackers can use to obtain user credentials and gain access to corporate data. There have been a number of prominent phishing attacks targeted specifically at Office 365 in the last two years, most likely due to the huge success Microsoft has had with the platform.<br />
<br />
I was alerted to a rather sneaky new phish yesterday, where phishing emails were made to look as if they were coming from Microsoft.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidlg_t6J3wZPA80JToM6K0klr1bYwIbZjUV0KHUSPP8eGo62XemfyzrFmv_KxER0kwy_UJ827o3RRjVukKsWFOFYjrrx28wS86ArEYBgz4MqUbEjQSDYBwoJyWLn0SSiSFpTx4ByTW0jc/s1600/Email.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="461" data-original-width="1148" height="256" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidlg_t6J3wZPA80JToM6K0klr1bYwIbZjUV0KHUSPP8eGo62XemfyzrFmv_KxER0kwy_UJ827o3RRjVukKsWFOFYjrrx28wS86ArEYBgz4MqUbEjQSDYBwoJyWLn0SSiSFpTx4ByTW0jc/s640/Email.png" width="640" /></a></div>
<div style="clear: both; text-align: left;">
<br />
Message tracing immediately proved otherwise, but should the user click on the link, it took them to a sophisticated phishing site hosted on Azure asking them to log in.</div>
<div style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7lAt7Pwt74a1xSxmntDsM6x87cEAooV-8PdbA4XUelIww7t28r0I9VrD9Mvc_jHwN0sH4lLCT5ICvaNzVDwHWe02pNG9Q0DIjSkN1UqnLFzhygpNtGZecjTVZfGZb1k2qL_7kMdLABJk/s1600/bobatbob.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="703" data-original-width="1357" height="330" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7lAt7Pwt74a1xSxmntDsM6x87cEAooV-8PdbA4XUelIww7t28r0I9VrD9Mvc_jHwN0sH4lLCT5ICvaNzVDwHWe02pNG9Q0DIjSkN1UqnLFzhygpNtGZecjTVZfGZb1k2qL_7kMdLABJk/s640/bobatbob.PNG" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
You could alter the URL to pre-fill any username you wanted in the login box.</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUDcOafOE4w57sYkfNSenVPKvHdkVG6EbnPjDz7dPt1XhRkdDrfypIB2_XKD2V9sarbzPksCF-8LkfBmBBqlkDWBJN0dtph8SFXE66d8bWFmSBCHHj9oxXgUaFAxLjyDKU9DWB_8DRi3g/s1600/billatgates.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="700" data-original-width="1358" height="328" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUDcOafOE4w57sYkfNSenVPKvHdkVG6EbnPjDz7dPt1XhRkdDrfypIB2_XKD2V9sarbzPksCF-8LkfBmBBqlkDWBJN0dtph8SFXE66d8bWFmSBCHHj9oxXgUaFAxLjyDKU9DWB_8DRi3g/s640/billatgates.PNG" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
If a user fell for the phishing attempt, the login would fail with a simple 'loading' screen.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5YvN3O-cNo-JhhuzgvK1CQFfCjDGMcvJpJnIMJB23JoJcj61NwlHgVZ2iYBCgua5vn4y0dZ038VsFb58mew6YrwJIjTnqWpkkwaIBiT6JnmeG1vwREg3mrZuRBCQ94g38FKY3dnz59Cc/s1600/Loading+screen.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="613" data-original-width="967" height="404" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5YvN3O-cNo-JhhuzgvK1CQFfCjDGMcvJpJnIMJB23JoJcj61NwlHgVZ2iYBCgua5vn4y0dZ038VsFb58mew6YrwJIjTnqWpkkwaIBiT6JnmeG1vwREg3mrZuRBCQ94g38FKY3dnz59Cc/s640/Loading+screen.PNG" width="640" /></a></div>
<br />
Altogether a clever attack, and one no doubt harvesting lots of Office 365 credentials. But what can the attackers do with the credentials if there is no second-factor authentication in place? Well, the answer ultimately lies in what security you have configured for your Office 365 tenancy - for example, even without a second factor, conditional access policies that only allow login from known locations or compliant devices would help - but that's an unlikely scenario! The most likely scenario is that the attacker gains access to your Office 365 tenant through the compromised credentials.<br />
<br />
The single biggest improvement you can make is enabling multi-factor authentication. Whilst you can't fully control the behaviour of your users - one can only hope they listen and comply when potentially falling foul of phishing attempts - you can strengthen their login to Office 365 by enabling Azure MFA. This service comes in three flavours: the standard free service included with certain Office 365 SKUs, Azure Multi Factor Premium, and the MFA functionality in Azure Conditional Access. It's a no-brainer: implement MFA to protect your data and user identities - this stops phishing scams in their tracks.<br />
<br />
User education is still a requirement however; users shouldn't be complacent about security just because they believe they are protected with MFA - they need to be versed in understanding the attack types that could be launched against them. Administrators should likewise take advantage of the reporting capabilities in Azure Active Directory to identify risky sign-ins and check sign-in locations, as part of daily or weekly tasks. Microsoft give you all of these features to help you protect your tenant - use them.<br />
<br />
So what other improvements can we make to enhance security for Office 365? Well, <a href="https://support.office.com/en-gb/article/Introducing-the-Office-365-Secure-Score-c9e7160f-2c34-4bd0-a548-5ddcc862eaef" target="_blank">Secure Score</a> is a great start: this will provide a variety of suggestions on improving the security of your tenant, from simple things such as disabling auto-forwarding on mailboxes, or setting expiry limits on OneDrive for Business and SharePoint Online sharing links as well as removing anonymous access to them, to suggestions that require greater planning such as just-in-time access and implementing granular access with RBAC.<br />
<br />
Another improvement you can make is enabling ATP (Advanced Threat Protection). Whilst this harvesting website was still online I ran it through an ATP-enabled tenant and ATP correctly flagged the site as malicious - note that if you are interested in ATP, this particular feature is called 'Safe Links', and it needs to be manually enabled and applied.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3efAvyDC2TNV4YY4P7PyRtAbdRVbh1FkJ1PA6LKlvWmehtjeBiWMLFDCPvna3iFXUJUkD3_aPviy4niBbnCCEzVRT27L8qitbeR0N1bixaFcEvMNGdHFGwCjpD5vL7ITxjZQV3Sqw5l8/s1600/ATP-protected.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="690" data-original-width="1362" height="324" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3efAvyDC2TNV4YY4P7PyRtAbdRVbh1FkJ1PA6LKlvWmehtjeBiWMLFDCPvna3iFXUJUkD3_aPviy4niBbnCCEzVRT27L8qitbeR0N1bixaFcEvMNGdHFGwCjpD5vL7ITxjZQV3Sqw5l8/s640/ATP-protected.png" width="640" /></a></div>
<br />
Don't forget to enable the enhanced protection it provides to OneDrive for Business and SharePoint Online documents, and Office click-to-run.<br />
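As an added example (not from the original post), the PowerShell below enables and applies Safe Links the way the two paragraphs above describe: a policy with URL rewriting, time-of-click scanning and no click-through, a rule scoping it to a recipient domain, and ATP protection for SharePoint Online, OneDrive for Business, Teams and the Office clients. It assumes an existing Exchange Online PowerShell session in an ATP-licensed tenant; the policy and rule names, the domain and the function name are constructed, and the parameter names are those of the Exchange Online cmdlets at the time of writing (check Get-Help in your tenant if they have since been renamed).

```powershell
# Added example, not the original post's code. Assumes you are connected to
# Exchange Online PowerShell in a tenant licensed for Office 365 ATP.

$PolicyName = "ATP-SafeLinks-AllUsers"        # constructed name
$RuleName   = "ATP-SafeLinks-AllUsers-Rule"   # constructed name
$Domain     = "contoso.com"                   # replace with your accepted domain

function Set-HardenedSafeLinks {
    # Settings applied to the policy (parameter names as in the Exchange Online cmdlets).
    $settings = @{
        IsEnabled                = $true   # rewrite URLs in inbound mail
        ScanUrls                 = $true   # scan at time of click, not just rewrite
        EnableForInternalSenders = $true   # protect internal mail too
        DoNotAllowClickThrough   = $true   # users cannot proceed to a flagged site
        DoNotTrackUserClicks     = $false  # keep click telemetry for investigations
    }

    # Create the policy if it is missing, otherwise bring it in line with the settings.
    if (Get-SafeLinksPolicy -Identity $PolicyName -ErrorAction SilentlyContinue) {
        Set-SafeLinksPolicy -Identity $PolicyName @settings
    } else {
        New-SafeLinksPolicy -Name $PolicyName @settings | Out-Null
    }

    # A Safe Links policy does nothing until a rule applies it to recipients.
    if (-not (Get-SafeLinksRule -Identity $RuleName -ErrorAction SilentlyContinue)) {
        New-SafeLinksRule -Name $RuleName -SafeLinksPolicy $PolicyName `
            -RecipientDomainIs $Domain | Out-Null
    }

    # Extend protection to files in SPO/ODB/Teams and to links opened in Office clients.
    Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true -EnableSafeLinksForClients $true
}

Set-HardenedSafeLinks

# Verify what is now in force.
Get-SafeLinksPolicy -Identity $PolicyName |
    Format-List Name, IsEnabled, ScanUrls, EnableForInternalSenders, DoNotAllowClickThrough
Get-SafeLinksRule -Identity $RuleName |
    Format-List Name, SafeLinksPolicy, RecipientDomainIs, State
Get-AtpPolicyForO365 |
    Format-List EnableATPForSPOTeamsODB, EnableSafeLinksForClients
```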
<br />
Finally, as part of your user education initiatives in the fight against scammers, train your users to submit malicious sites, phishing scams and spam to Microsoft, as well as alerting administrators so that internal communication and technical checking processes can be completed.<br />
<br />
<a href="https://docs.microsoft.com/en-gb/office365/SecurityCompliance/submit-spam-non-spam-and-phishing-scam-messages-to-microsoft-for-analysis" target="_blank">Report for Office 365 here</a><br />
<br />
<a href="https://www.microsoft.com/en-us/wdsi/support/report-unsafe-site/" target="_blank">Report for Windows Defender Security Intelligence here</a><br />
<br />
Stay safe out there,<br />
<a href="https://twitter.com/OliverMoazzezi" style="font-family: calibri, helvetica, sans-serif; font-size: 16px;" target="_blank">@OliverMoazzezi</a><br />
<br />Oliver Moazzezihttp://www.blogger.com/profile/06204760006275603297noreply@blogger.com0tag:blogger.com,1999:blog-5507158607924562609.post-89405082879337309472018-09-12T16:44:00.002+01:002018-09-12T16:47:10.044+01:00Creating App Protection policies in Microsoft Intune<br />
Microsoft Intune provides a great service in managing devices, whether they are iOS, Android, MacOS or Windows (and yes, including Windows Mobile to an extent for the time being..), but what happens if you want a lighter way of providing security governance to corporate data without having to manage the whole device? Well, that would be Microsoft Intune App Protection.<br />
<br />
You can have app protection policies in place even if you have devices fully managed by Intune - however the service also supports an unmanaged device having managed apps, with protection wrapped around the apps to provide corporate governance - so how exactly do we set this up?<br />
<br />
Let's take a look.<br />
<br />
In the <a href="https://portal.azure.com/">Azure Portal</a>, open Microsoft Intune. From here, let's drill down into 'Client Apps'.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRjaQB57NaZ0tB5QG7hTxhCK5LFRTqd80_qwlRB0dD1aWbJugwyIfo-cD3WsX9OlUx3R1k9jWXzyPTt34jJ5mdDS_IQonlTYYWwYikYKawlD18ucmGZvDg8MC94pCU3QsiIC-Yj-Nc7-s/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="867" data-original-width="1600" height="346" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRjaQB57NaZ0tB5QG7hTxhCK5LFRTqd80_qwlRB0dD1aWbJugwyIfo-cD3WsX9OlUx3R1k9jWXzyPTt34jJ5mdDS_IQonlTYYWwYikYKawlD18ucmGZvDg8MC94pCU3QsiIC-Yj-Nc7-s/s640/1.png" width="640" /></a></div>
<br />
<br />
<br />
<br />
<br />
From here we have a variety of options, from app configuration policies to pushing apps out to devices. What we are looking for in this instance however is 'App protection policies'.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgb6eSkP8x3tyJTqCI4CEQlXvOGaF_GeOU-VYKyXIE15DiK_fBmrKGr2dKRYjtyQ7jwhVDYBAuRhIx3HXhzCnB7tcycL_qHgsO99VzuDD9ZAAlXfLKcSKaLgheZ2n4SFSTTx3_RZ3YNje0/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="893" data-original-width="1600" height="356" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgb6eSkP8x3tyJTqCI4CEQlXvOGaF_GeOU-VYKyXIE15DiK_fBmrKGr2dKRYjtyQ7jwhVDYBAuRhIx3HXhzCnB7tcycL_qHgsO99VzuDD9ZAAlXfLKcSKaLgheZ2n4SFSTTx3_RZ3YNje0/s640/2.png" width="640" /></a></div>
<br />
Select this and then select 'Add Policy'.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyz6iMa-RS6fwyhHn5utfVBiMRVUzYM03RDElR54T5xMTpCtoNW-oNWySguExfoS9BLEHh2PPbSxHdC0r4Ei3cMIg41HQr1zoTIop8TBb751xlfpEbhE5BM2fmrUyTkFe9d8nHMBHEDSE/s1600/3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="904" data-original-width="1600" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyz6iMa-RS6fwyhHn5utfVBiMRVUzYM03RDElR54T5xMTpCtoNW-oNWySguExfoS9BLEHh2PPbSxHdC0r4Ei3cMIg41HQr1zoTIop8TBb751xlfpEbhE5BM2fmrUyTkFe9d8nHMBHEDSE/s640/3.png" width="640" /></a></div>
<br />
We now need to name our policy, select which OS it is for (this example is for Android), provide a description if necessary (always a good idea!) and select the required Apps. In this instance I am creating a policy for Outlook, but in this example I have shown that you can multi-select Apps into a single protection policy if you so wish. Be warned they'll all share the same protection policy configuration. If you need Apps with different configurations, create separate policies.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZDtrV4ySUj6QQM_APMZRJEy0wMipUuefRmZ9-zuHDV7bhRrqn03bdoOOGgSvwgRtRHVbq7bC7Ebsiux5r6Fg9g3CDTu8mbiwJaHPWq52SxFvTjzgyB8zARdVpyCOTnqunwvt5kEho_5k/s1600/4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="903" data-original-width="1600" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZDtrV4ySUj6QQM_APMZRJEy0wMipUuefRmZ9-zuHDV7bhRrqn03bdoOOGgSvwgRtRHVbq7bC7Ebsiux5r6Fg9g3CDTu8mbiwJaHPWq52SxFvTjzgyB8zARdVpyCOTnqunwvt5kEho_5k/s640/4.png" width="640" /></a></div>
<br />
There are a variety of options available to configure. In this example I am specifying that a device backup cannot back up any of the App data. I also have options to disable data transfer to other apps, as well as to restrict where users can cut, copy and paste data: here I am selecting 'Policy managed apps with paste in'. The options available and what they mean are detailed below.<br />
<br />
<b>Blocked: Do not allow cut, copy, and paste operations between this app and other apps.</b><br />
<b><br /></b>
<b>Policy managed apps: Only allow cut, copy, and paste operations between this app and other restricted apps.</b><br />
<b><br /></b>
<b>Policy managed apps with paste in: Allow data cut or copied from this app only to be pasted into other restricted apps. Allow data cut or copied from any app to be pasted into this app.</b><br />
<b><br /></b>
<b>Any app: No restrictions to cut, copy, and paste operations to or from this app.</b><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvQYpWCTuiHM2OWYiG4_9A3TmM4RUV02dO14ABWwZbK2Y4Bx4FnyELUgvsR6H759bi8CXjQoHd59QWphHeLjezKReoVIAJTiupac36vxYHnfWTi0qYJY4HfSx_IIMvV_2_neg57JZUkk0/s1600/5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="906" data-original-width="1600" height="362" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvQYpWCTuiHM2OWYiG4_9A3TmM4RUV02dO14ABWwZbK2Y4Bx4FnyELUgvsR6H759bi8CXjQoHd59QWphHeLjezKReoVIAJTiupac36vxYHnfWTi0qYJY4HfSx_IIMvV_2_neg57JZUkk0/s640/5.png" width="640" /></a></div>
<br />
In 'Access Actions' I specify whether access requires a password or PIN. You can see I can protect the app with a variety of security options, even enforcing full credential entry if warranted. There is, however, a trade-off between security and productivity, so in this example I am specifying a 4 digit PIN.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7PYUn_kSJGCVutTCrjJ6W3Pcu5EgQYgDVdW_xzDet98lArd5A1yTwomDAD_L2nZw2Pdkj01p5J7MqTkdrTRmw1_cvGH3GNjXDSxMPGMnjj9pu7dyiolw0y_4dxFZXXlDuR2qpPjy5_WY/s1600/6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="905" data-original-width="1600" height="362" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7PYUn_kSJGCVutTCrjJ6W3Pcu5EgQYgDVdW_xzDet98lArd5A1yTwomDAD_L2nZw2Pdkj01p5J7MqTkdrTRmw1_cvGH3GNjXDSxMPGMnjj9pu7dyiolw0y_4dxFZXXlDuR2qpPjy5_WY/s640/6.png" width="640" /></a></div>
<br />
We can also set sign-in security requirements; we have the option of leaving them at the defaults or changing their values and actions. Actions are selected from a pre-defined set of capabilities. We can also delete each requirement if we believe it is not needed for our protection policy.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnLp9jrADkW_3JGh_AlAwr8qG744EPPXdJRK_o1QsnUzWFV1t_GQVcQVBQ1KdhyLxtw4ZOTzr3_iHDWajm3OWYVxDIwxHLeJ3d1dpIuVfiKQeSgNqAzLaAR1Ew9UTa__6zqs8OlMGOgHE/s1600/7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="885" data-original-width="1600" height="352" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnLp9jrADkW_3JGh_AlAwr8qG744EPPXdJRK_o1QsnUzWFV1t_GQVcQVBQ1KdhyLxtw4ZOTzr3_iHDWajm3OWYVxDIwxHLeJ3d1dpIuVfiKQeSgNqAzLaAR1Ew9UTa__6zqs8OlMGOgHE/s640/7.png" width="640" /></a></div>
Once you have saved the policy you'll see it listed under 'Client Apps | App protection policies'.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEis2rWcXCGZNorr9dv81S565KvCl7XIyoskSAzDFPSrIDiV-y9TpUIp7WY3Re65kb4eRhIsBOhpxPLOr0H4uEOCrSQ6QSSHIWZIoPpAqD057Fa6mRr1kLcucV0twVFax__BNTN2FZJd4u4/s1600/8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="900" data-original-width="1600" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEis2rWcXCGZNorr9dv81S565KvCl7XIyoskSAzDFPSrIDiV-y9TpUIp7WY3Re65kb4eRhIsBOhpxPLOr0H4uEOCrSQ6QSSHIWZIoPpAqD057Fa6mRr1kLcucV0twVFax__BNTN2FZJd4u4/s640/8.png" width="640" /></a></div>
<br />
I will now assign this to a select Azure AD group I have created. I drill into the policy and select 'Assignments'<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhB3x-sfgVkNchG194XQtT-BkfENMzI4IADqUwS6HAZpWl-lFAjkd2q-d0Cq5LLFNH5Xd9Bs7hywTJNckRA7nOhcMQoxINyUaUN_d4brDH5VslMl1nZOej7LxMzRaNDcbYYU3nfrAM4H0U/s1600/9.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="900" data-original-width="1600" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhB3x-sfgVkNchG194XQtT-BkfENMzI4IADqUwS6HAZpWl-lFAjkd2q-d0Cq5LLFNH5Xd9Bs7hywTJNckRA7nOhcMQoxINyUaUN_d4brDH5VslMl1nZOej7LxMzRaNDcbYYU3nfrAM4H0U/s640/9.png" width="640" /></a></div>
<br />
I specify my Azure AD Group and save it.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgI09B95WfRR8sSz_P0B880bc5oGjH3bx1tZHO95s3DRWQi6aLn8x8tXqUxisiOJ2HotZ1Et7DlSVwdwEjqh__ILbuUwoJxKM_cHXQa2eXveeeaWdwo2OFvBHQ7PC8pdBr1K-yRlss4tkw/s1600/10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="900" data-original-width="1600" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgI09B95WfRR8sSz_P0B880bc5oGjH3bx1tZHO95s3DRWQi6aLn8x8tXqUxisiOJ2HotZ1Et7DlSVwdwEjqh__ILbuUwoJxKM_cHXQa2eXveeeaWdwo2OFvBHQ7PC8pdBr1K-yRlss4tkw/s640/10.png" width="640" /></a></div>
<br />
So my App protection policy is all set! Assuming my user has an Intune license assigned how does an App within the protection policy behave? Let's take a look.<br />
<br />
I'm using Outlook as the example. I'll download it from the store and open it.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPVnpNg4txix_tbZg37yfAHZGOVmmRhNT1B9I4GX3Pg63jI_C8c6IX2fWNLuzQeJIimHkgQU9aBvSah3MEc7l7o1U6VduBBsZTonZ_aBjKHqiIl1iWXZGddjkxhrNB918-KvSGStTDA9I/s1600/m1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="854" data-original-width="480" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPVnpNg4txix_tbZg37yfAHZGOVmmRhNT1B9I4GX3Pg63jI_C8c6IX2fWNLuzQeJIimHkgQU9aBvSah3MEc7l7o1U6VduBBsZTonZ_aBjKHqiIl1iWXZGddjkxhrNB918-KvSGStTDA9I/s400/m1.png" width="223" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: left;">
Once I sign in with my Office 365 credentials I am prompted that I need to activate a device administrator</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZks0txVfOVRd8qwOz8fDZzSlm_aRjnZSkyvI4vFs2WCY4G4kZ22x68GiutdJS7ni6o9m8b3XTYeMka8zBqrGaQjCVu4IP9heCPLbQHR3bSPjGYhLYBXfPPd8ZbQlmfNOeFeRicOZkuxk/s1600/m2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="854" data-original-width="480" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZks0txVfOVRd8qwOz8fDZzSlm_aRjnZSkyvI4vFs2WCY4G4kZ22x68GiutdJS7ni6o9m8b3XTYeMka8zBqrGaQjCVu4IP9heCPLbQHR3bSPjGYhLYBXfPPd8ZbQlmfNOeFeRicOZkuxk/s400/m2.png" width="223" /></a></div>
I select 'Activate' to continue the process<br />
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEb506DBc7gc38zzjvpIetjBajbiclE38azpyM3GYmdVjK30bCDl7rVXbCiosIQfH5zVbinuhfqp3AfBEM79Oa8iyB-4kFkolVwTJ_a4zcsXvsnyyd4NmA3XNUmzpVve2kWFsABO05EhQ/s1600/m3%252B4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="855" data-original-width="960" height="355" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEb506DBc7gc38zzjvpIetjBajbiclE38azpyM3GYmdVjK30bCDl7rVXbCiosIQfH5zVbinuhfqp3AfBEM79Oa8iyB-4kFkolVwTJ_a4zcsXvsnyyd4NmA3XNUmzpVve2kWFsABO05EhQ/s400/m3%252B4.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
<div class="" style="clear: both; text-align: left;">
It will give me information on what device administrator will do - a collection of settings from my App protection policy.</div>
<div class="" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEib7d7QpGGPxQ_d56Zt82wEy-UfUjW_JSQDISEI52BtKDf976fnCaJRXKPbVU-cvPoF7bg3qeoHHvUN3tyNIC3e0K4qvkZGWGK2V8b5jnV29TS9Gfrn7y9ajC2TlgOvK1LpsCZHlEbJLbM/s1600/m5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="854" data-original-width="480" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEib7d7QpGGPxQ_d56Zt82wEy-UfUjW_JSQDISEI52BtKDf976fnCaJRXKPbVU-cvPoF7bg3qeoHHvUN3tyNIC3e0K4qvkZGWGK2V8b5jnV29TS9Gfrn7y9ajC2TlgOvK1LpsCZHlEbJLbM/s400/m5.png" width="223" /></a></div>
<div class="" style="clear: both; text-align: left;">
<br /></div>
<div class="" style="clear: both; text-align: left;">
It will then take me through setting up the requirements for access to the App.</div>
<div class="" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVJ9WjIz-OmJ7Sax2KANCBlSJzqEYgx1fPn7w3A0LECs-pEie3aiS2osZ1PxXjE-yjN6uKYekP_nhG2Cb3uwFJR8Mbpi-rUEmsQoqAypn3RuCwwNnz__A4aNvKq7lj00FlgPJTwTqT1KA/s1600/m6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="854" data-original-width="480" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVJ9WjIz-OmJ7Sax2KANCBlSJzqEYgx1fPn7w3A0LECs-pEie3aiS2osZ1PxXjE-yjN6uKYekP_nhG2Cb3uwFJR8Mbpi-rUEmsQoqAypn3RuCwwNnz__A4aNvKq7lj00FlgPJTwTqT1KA/s400/m6.png" width="223" /></a></div>
<div class="" style="clear: both; text-align: left;">
<br /></div>
<div class="" style="clear: both; text-align: left;">
For both Android and iOS the Company Portal app must be installed. It does not have to be signed into, and the device does not have to become managed, but at this time the app itself is required. Select 'Keep Account' and we'll then download the App.</div>
<div class="" style="clear: both; text-align: left;">
<br /></div>
<div class="" style="clear: both; text-align: left;">
So that's it. What happens when I open Outlook? I am asked to enter a 4 digit PIN, just as I configured in the policy. On top of this my data transfer settings and paste-in options are also applied and honoured. </div>
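The same Android policy built above in the portal, expressed as code. This is an added example and not part of the original post or of Intune's own tooling: it creates the policy through the Microsoft Graph beta `androidManagedAppProtection` resource, targets the Outlook package, assigns it to a group and reads the settings back. It assumes a Graph access token with the `DeviceManagementApps.ReadWrite.All` permission is already held in `$AccessToken`; the group object id and policy name are placeholders. The hashtable at the top maps the four portal clipboard options to their Graph enum values.

```powershell
# Added example (not from the original post): the Android app protection policy
# from the walkthrough as a Graph request, plus app targeting and assignment.
# Assumptions: $AccessToken already holds a bearer token for Microsoft Graph with
# DeviceManagementApps.ReadWrite.All; $GroupId is a placeholder for your Azure AD group.

if (-not $AccessToken) { throw 'Set $AccessToken to a Graph bearer token first.' }

$GraphBase = 'https://graph.microsoft.com/beta/deviceAppManagement'
$Headers   = @{ Authorization = "Bearer $AccessToken"; 'Content-Type' = 'application/json' }
$GroupId   = '00000000-0000-0000-0000-000000000000'   # placeholder: your Azure AD group object id

# The four portal options for cut/copy/paste and their Graph enum values
$ClipboardLevels = @{
    'Blocked'                           = 'blocked'
    'Policy managed apps'               = 'managedApps'
    'Policy managed apps with paste in' = 'managedAppsWithPasteIn'
    'Any app'                           = 'allApps'
}

$Policy = @{
    '@odata.type'                           = '#microsoft.graph.androidManagedAppProtection'
    displayName                             = 'Outlook - Android app protection'   # sample name
    description                             = 'Blocks backup, restricts clipboard, requires a 4 digit PIN'
    dataBackupBlocked                       = $true                 # 'Prevent backups'
    allowedOutboundDataTransferDestinations = 'managedApps'         # send data only to policy managed apps
    allowedInboundDataTransferSources       = 'allApps'
    allowedOutboundClipboardSharingLevel    = $ClipboardLevels['Policy managed apps with paste in']
    pinRequired                             = $true                 # 'Access Actions': require a PIN
    minimumPinLength                        = 4
    pinCharacterSet                         = 'numeric'
    simplePinBlocked                        = $true                 # rejects 1111, 1234 and the like
}

# 1. Create the policy
$Created = Invoke-RestMethod -Method Post -Uri "$GraphBase/androidManagedAppProtections" `
    -Headers $Headers -Body ($Policy | ConvertTo-Json -Depth 5)

# 2. Target Outlook for Android by its Google Play package id
$Apps = @{
    apps = @(
        @{
            '@odata.type'       = '#microsoft.graph.managedMobileApp'
            mobileAppIdentifier = @{
                '@odata.type' = '#microsoft.graph.androidMobileAppIdentifier'
                packageId     = 'com.microsoft.office.outlook'
            }
        }
    )
}
Invoke-RestMethod -Method Post -Uri "$GraphBase/androidManagedAppProtections/$($Created.id)/targetApps" `
    -Headers $Headers -Body ($Apps | ConvertTo-Json -Depth 5)

# 3. Assign the policy to the group (the 'Assignments' step in the portal)
$Assignment = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $GroupId } }
    )
}
Invoke-RestMethod -Method Post -Uri "$GraphBase/androidManagedAppProtections/$($Created.id)/assign" `
    -Headers $Headers -Body ($Assignment | ConvertTo-Json -Depth 5)

# 4. Read the policy back and confirm the settings that matter actually stuck
Invoke-RestMethod -Method Get -Uri "$GraphBase/androidManagedAppProtections/$($Created.id)" -Headers $Headers |
    Select-Object displayName, dataBackupBlocked, allowedOutboundClipboardSharingLevel, pinRequired, minimumPinLength
```

Step 4 is the part worth keeping in any deployment script: a policy that was created but never targeted to an app or assigned to a group protects nothing, and reading it back after each step is the cheapest way to catch that before users enrol.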
<div class="" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMph5QCS0Dc1UV021GDJOrAlxYTWtzcyVy3F-SeEYBGW_7IfLtCC0eVaJ4W87Wu-x1IZh2oFQWozostkPuBA9QSEF_iJp91RIgic4_p-gEzfcaGMVgNtNU5I_lxa0kXl3RxNFOV7lWERY/s1600/m7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="854" data-original-width="480" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMph5QCS0Dc1UV021GDJOrAlxYTWtzcyVy3F-SeEYBGW_7IfLtCC0eVaJ4W87Wu-x1IZh2oFQWozostkPuBA9QSEF_iJp91RIgic4_p-gEzfcaGMVgNtNU5I_lxa0kXl3RxNFOV7lWERY/s400/m7.png" width="223" /></a></div>
<div class="" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
That's it - take care :)</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
Have fun!<br />
<a href="https://twitter.com/OliverMoazzezi" style="font-family: calibri, helvetica, sans-serif; font-size: 16px;" target="_blank">@OliverMoazzezi</a><br />
<br />
<br />Oliver Moazzezihttp://www.blogger.com/profile/06204760006275603297noreply@blogger.com0tag:blogger.com,1999:blog-5507158607924562609.post-14425720048394266722018-09-03T16:42:00.002+01:002018-09-03T16:45:30.360+01:00Creating Azure AD Groups with Azure Guest user exclusions<br />
As Azure Guest access becomes more and more prevalent in an Office 365 tenant, certain Managers and Administrators are looking for a way to have 'employee only' Groups. Enter Azure Active Directory dynamic groups - a feature of Azure AD Premium P1 and above.<br />
<br />
You can create a dynamic group in the Azure Portal, specifically | Azure Active Directory | Groups | + New Group. Let's take a look:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNMeyvLOcSLmUwXwb1ZzYTjpFyltuBZcx-oYEEUgmsL4_TSDEAVJ6R1EWctbnaeB2TL0h629bnTH9YRh3hoAgQPyk35s-j-8L48WZMEXDtIiRtrTcCphW-FetbqPuEdAObRvevj57U31o/s1600/0.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="867" data-original-width="1600" height="346" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNMeyvLOcSLmUwXwb1ZzYTjpFyltuBZcx-oYEEUgmsL4_TSDEAVJ6R1EWctbnaeB2TL0h629bnTH9YRh3hoAgQPyk35s-j-8L48WZMEXDtIiRtrTcCphW-FetbqPuEdAObRvevj57U31o/s640/0.png" width="640" /></a></div>
<br />
<br />
When creating the group, simply ensure the 'Membership type' is set to 'Dynamic User'; you can then add your dynamic query. For example, this one looks for users with a mail address that contains 'wave16.com' - handy if you want to put users into groups based on primary SMTP address.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpfzW7bkbUz2xfhyphenhyphenjvy19JzdhBee9wZvdA3xG1k9mr9yZmgXmJs54BFmqm8ZZUM_8UQuyTt-Iae_xjJvomc0tepuh682KajtWSNqq_hEJtXS93fx4Ik6Vp9CN1IHIwuIrvGSF0JfFChvw/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="867" data-original-width="1600" height="346" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpfzW7bkbUz2xfhyphenhyphenjvy19JzdhBee9wZvdA3xG1k9mr9yZmgXmJs54BFmqm8ZZUM_8UQuyTt-Iae_xjJvomc0tepuh682KajtWSNqq_hEJtXS93fx4Ik6Vp9CN1IHIwuIrvGSF0JfFChvw/s640/1.png" width="640" /></a></div>
<br />
<br />
To specifically include or exclude Azure Guest Users we query the 'UserType' property, matching it (or not matching it, or using one of the other available operators) against the value 'Guest'.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyzTWA9s84ejfVfuoYN_UCPbSTGBACkhhpQCOXt6I68B9VQ_m09EohH8MHOYrITaMnxYHU_52D5U_VKyd18SXnZcSvJyLslRQ0ppuKX5YExbf4L6sKfbZ7fli7ZaQBh_4fT1WEtrqbWlU/s1600/1-2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="867" data-original-width="1600" height="346" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyzTWA9s84ejfVfuoYN_UCPbSTGBACkhhpQCOXt6I68B9VQ_m09EohH8MHOYrITaMnxYHU_52D5U_VKyd18SXnZcSvJyLslRQ0ppuKX5YExbf4L6sKfbZ7fli7ZaQBh_4fT1WEtrqbWlU/s640/1-2.png" width="640" /></a></div>
<br />
Once the Group is created it will take a while before you'll see the results of your dynamic group - more on that later - but drilling back into the Group we can confirm the dynamic membership rules query. We have the option of a simple rule or an advanced one; advanced allows us to join a variety of rules together to fine tune our dynamic membership.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhiNOb4jOrUYaNNbKbvrtgleyg71hd8CUfgIAMITmRXxO8wvps45ZCxA-ivUbWUQEeWisaDdVmdhc8euJQNYSrms13zCziodffJqDwE20osUVRcs6zQPI9XdSilO-CHU_8BZBWsbOCsVUM/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="867" data-original-width="1600" height="346" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhiNOb4jOrUYaNNbKbvrtgleyg71hd8CUfgIAMITmRXxO8wvps45ZCxA-ivUbWUQEeWisaDdVmdhc8euJQNYSrms13zCziodffJqDwE20osUVRcs6zQPI9XdSilO-CHU_8BZBWsbOCsVUM/s640/2.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIFdjWiFfOa8QVA9DXsrB3Xcw8jyyBQQjx9T-XjRqF4ET29KB-c0ZIoippdGINyktri6FEbWJA2_VSTw4ertWdEFTRmBXW5O7001QIOmBvM6_mvztlzslVpORI98REFCVS15XjmaUhLsg/s1600/2-2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="867" data-original-width="1600" height="346" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIFdjWiFfOa8QVA9DXsrB3Xcw8jyyBQQjx9T-XjRqF4ET29KB-c0ZIoippdGINyktri6FEbWJA2_VSTw4ertWdEFTRmBXW5O7001QIOmBvM6_mvztlzslVpORI98REFCVS15XjmaUhLsg/s640/2-2.png" width="640" /></a></div>
<br />
Once the dynamic group has had time to be processed it will show the objects contained within, based on the rules you have created.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMdutiTdHaNbOPfRIIg2pq1RiXlm2oKYATyBAeQOqMXtaMFKu2a9e6I6rUnVnxYPoKQoFXEZvqdxge9nN7zE6_AteCsIvlOcXGoPIDEK3TTL4V0trKqtZWsm072JUPEXAjL9wK6Nglmqs/s1600/4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="867" data-original-width="1600" height="346" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMdutiTdHaNbOPfRIIg2pq1RiXlm2oKYATyBAeQOqMXtaMFKu2a9e6I6rUnVnxYPoKQoFXEZvqdxge9nN7zE6_AteCsIvlOcXGoPIDEK3TTL4V0trKqtZWsm072JUPEXAjL9wK6Nglmqs/s640/4.png" width="640" /></a></div>
<br />
So can we use Powershell to create Dynamic Groups? The answer is yes <a href="https://www.powershellgallery.com/packages/AzureAD/2.0.1.10">using the AzureAD Powershell module.</a><br />
<br />
Once you have successfully connected you can view your groups using <b>Get-AzureADMSGroup</b><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqDnrVjfPFqYSLLNEmRnQl9P7OUKo6zsJKZBwZinkhOY2T36PvKhC_N1eh8pLs_quTtwdod_rCrudC5LLxDZAn4e18uKOC9cI3knxPU0jvyKmpQtYHGdt483kuMWvbSQH-9Yt0kVfOsK8/s1600/Get-AzureADMSGroup.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="600" data-original-width="1023" height="374" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqDnrVjfPFqYSLLNEmRnQl9P7OUKo6zsJKZBwZinkhOY2T36PvKhC_N1eh8pLs_quTtwdod_rCrudC5LLxDZAn4e18uKOC9cI3knxPU0jvyKmpQtYHGdt483kuMWvbSQH-9Yt0kVfOsK8/s640/Get-AzureADMSGroup.png" width="640" /></a></div>
<br />
We can specifically look for dynamic groups by looking at the 'GroupTypes' attribute<br />
<br />
<b>Get-AzureADMSGroup |select DisplayName, GroupTypes </b><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhK6MfdeXkARbHHiMIfvFnmIfQW4_czlJj1NjQSy0T1bJbRwcDk6TVzx8MBmA1G3qQ64NMyvcbXTSlTZGZKUPB8XDsbMwmMMQDiWP7PODM0VithyrC3M1uxLziGtt6y_7REhitexug8Wes/s1600/Get-AzureADMSGroup+GroupTypes.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="600" data-original-width="1023" height="374" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhK6MfdeXkARbHHiMIfvFnmIfQW4_czlJj1NjQSy0T1bJbRwcDk6TVzx8MBmA1G3qQ64NMyvcbXTSlTZGZKUPB8XDsbMwmMMQDiWP7PODM0VithyrC3M1uxLziGtt6y_7REhitexug8Wes/s640/Get-AzureADMSGroup+GroupTypes.png" width="640" /></a></div>
<br />
And we can also create them; I find PowerShell far easier for creating a dynamic group when wanting to match multiple rules.<br />
<br />
In this PowerShell example I am specifically creating a Sales Group and also ensuring no Azure Guest users will be hiding within it. There are a few more considerations to bear in mind here, as we have to include <b>-MailEnabled</b>, <b>-MailNickname</b> and <b>-MembershipRuleProcessingState</b><br />
<br />
<b>New-AzureADMSGroup -DisplayName "Oliver Test Dynamic Group" -GroupTypes dynamicmembership -MembershipRule '(user.userType -notMatch "Guest" -and user.department -eq "Sales")' -MailEnabled $false -MailNickname $false -SecurityEnabled $true -MembershipRuleProcessingState On </b><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijawzif0gArITssTQ-PGjcpNetRHjemR0f9avnyKQKo1G4AIYl7yFEfD3x7-XuB8LIvtF6sGV8W3KPtWe3JEP2hyphenhyphengniQ7sjDKuRXV2GiYD3yraoEw0FcJD_6MgUbOOmW4UyxeOQqVOuAM/s1600/ps1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="600" data-original-width="1023" height="374" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijawzif0gArITssTQ-PGjcpNetRHjemR0f9avnyKQKo1G4AIYl7yFEfD3x7-XuB8LIvtF6sGV8W3KPtWe3JEP2hyphenhyphengniQ7sjDKuRXV2GiYD3yraoEw0FcJD_6MgUbOOmW4UyxeOQqVOuAM/s640/ps1.png" width="640" /></a></div>
<br /><b>-MembershipRuleProcessingState </b>states whether it will start processing the group or whether you want to pause the processing of the rule for the time being. The options available are 'On' or 'Paused' - Paused makes sense if you're using PowerShell to script the creation of your on-premises dynamic groups in Azure AD; you may have a lot and want to slowly control which ones start processing.<br />
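The create-paused, resume, then verify sequence described above, as an added example that is not part of the original post. It uses the AzureAD module cmdlets the post references; the group display name, mail nickname and department value are sample values. The last part is the check a practitioner wants after the rule has been processed: membership is evaluated asynchronously, so the audit function is only meaningful once the group shows as processed in the portal or via `Get-AzureADMSGroup`.

```powershell
# Added example (not from the original post): create the employee-only dynamic
# group paused, resume it, list all dynamic groups, then audit the resolved
# membership for Guest objects. Sample names and department value throughout.

Connect-AzureAD | Out-Null

$Rule = '(user.userType -notMatch "Guest") -and (user.department -eq "Sales")'

# Create the group with processing paused so nothing is evaluated until you are ready
$Group = New-AzureADMSGroup -DisplayName 'Sales - Employees Only' `
    -Description 'Dynamic group that excludes Azure AD Guest users' `
    -GroupTypes 'DynamicMembership' `
    -MembershipRule $Rule `
    -MembershipRuleProcessingState 'Paused' `
    -MailEnabled $false -MailNickname 'SalesEmployeesOnly' -SecurityEnabled $true

# Resume processing once the rule has been reviewed
Set-AzureADMSGroup -Id $Group.Id -MembershipRuleProcessingState 'On'

# Review every dynamic group and its rule in one place
Get-AzureADMSGroup -All $true |
    Where-Object { $_.GroupTypes -contains 'DynamicMembership' } |
    Select-Object DisplayName, MembershipRuleProcessingState, MembershipRule

# Returns any Guest users present in a group's resolved membership.
# Run this only after Azure AD has finished processing the membership rule.
function Get-GuestMembers {
    param([Parameter(Mandatory)][string]$GroupId)
    Get-AzureADGroupMember -ObjectId $GroupId -All $true |
        Where-Object { $_.ObjectType -eq 'User' -and $_.UserType -eq 'Guest' } |
        Select-Object DisplayName, UserPrincipalName, UserType
}

$Guests = @(Get-GuestMembers -GroupId $Group.Id)
if ($Guests.Count -gt 0) {
    Write-Warning "Group '$($Group.DisplayName)' contains $($Guests.Count) guest account(s):"
    $Guests | Format-Table -AutoSize
} else {
    Write-Host "Group '$($Group.DisplayName)' contains no guest accounts."
}
```

Note the `-MailNickname` value: the parameter is a string, so give it a real alias rather than a boolean. The audit step matters because a typo in the rule (for example `-match` instead of `-notMatch`) produces a group that looks correct in the portal but contains exactly the accounts you meant to exclude.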
<br />
More on understanding your on-premises dynamic groups and how to create them in Azure AD in my next post.<br />
<br />
<br />
Have fun!<br />
<a href="https://twitter.com/OliverMoazzezi" style="font-family: calibri, helvetica, sans-serif; font-size: 16px;" target="_blank">@OliverMoazzezi</a><br />
<br />
<br />
<br />Oliver Moazzezihttp://www.blogger.com/profile/06204760006275603297noreply@blogger.com0tag:blogger.com,1999:blog-5507158607924562609.post-12823359510610519552018-07-31T18:57:00.000+01:002018-08-01T09:37:23.990+01:00Getting Azure AD Guest Users with the Azure AD Preview PowerShell moduleAzure Guest access is a great concept, primarily wrapped in the Microsoft Teams, SharePoint and OneDrive experience; however, reporting on and keeping a lid on Azure Guest accounts can be a daunting task. Luckily there are a few ways to poll Azure Guest accounts, with PowerShell providing the best experience so far.<br />
<br />
Accessing <a href="https://portal.azure.com/">https://portal.azure.com</a> and selecting Azure Active Directory | All Users | and then selecting 'Show: Guest Users Only' will give you a list of the current Azure AD Guest Users in your directory. Unfortunately however, the UI is very limited in being able to get more information than what is presently shown.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgex88gcu_BMHCZsXdiJDxIbHMpUsejYJ64k0oRcWNGAS-inL2KJzPAfVdyY-ReB8JVr8t-Oncrdh1wn54maYKc5CMOHcetOXnQpEkVINcc6-aKW4WXLaNTCx6i4AEVYeuVhI8YUafAP0/s1600/0.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="867" data-original-width="1600" height="346" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgex88gcu_BMHCZsXdiJDxIbHMpUsejYJ64k0oRcWNGAS-inL2KJzPAfVdyY-ReB8JVr8t-Oncrdh1wn54maYKc5CMOHcetOXnQpEkVINcc6-aKW4WXLaNTCx6i4AEVYeuVhI8YUafAP0/s640/0.png" width="640" /></a></div>
<br />
<br />
Luckily the new <a href="https://social.technet.microsoft.com/wiki/contents/articles/28552.microsoft-azure-active-directory-powershell-module-version-release-history.aspx">Azure AD PowerShell Preview module</a> can provide better insight to guest users for your Directory and we can utilise the shell to create a report for administrative purposes.<br />
<br />
Let's take a look. Once you have the module installed, connect with <b>Connect-AzureAD</b>. The module supports modern authentication by default, so if you're looking to pre-enter credentials for scripting purposes, store them with <b>$Credential = Get-Credential</b> and pass them via the <b>-Credential</b> parameter.<br />
<b><br /></b>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihh2_tC9jy4nMQiaZu6Fq-fSXqF7-ompV5AdRGRKJLfQhGxLDQ1GH_rh_-O0vDNv_KgbbwGIlwl0pk7xWj4OH-iJPKydzfdnbRNcgbXyga2qgFgxcu9bqkGOIdZacUizOI9vqYwxrLsg4/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="577" data-original-width="859" height="428" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihh2_tC9jy4nMQiaZu6Fq-fSXqF7-ompV5AdRGRKJLfQhGxLDQ1GH_rh_-O0vDNv_KgbbwGIlwl0pk7xWj4OH-iJPKydzfdnbRNcgbXyga2qgFgxcu9bqkGOIdZacUizOI9vqYwxrLsg4/s640/1.png" width="640" /></a></div>
<b><br /></b>
We can simply list all users with <b>Get-AzureADUser</b><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2Mg4DoFAc4wLqJP7V-Dj_dG2LEQ43NBo9evQQclPC3Kdd1wUQLdab_TcY3TDbdl9rCeRvMVaKer1umn1matj0Ovg1Zn9OPDTvmqXDXvJpdd0K5bpZBhY3-HWp_HXmssiNlQyQGD59Oqc/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="577" data-original-width="859" height="428" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2Mg4DoFAc4wLqJP7V-Dj_dG2LEQ43NBo9evQQclPC3Kdd1wUQLdab_TcY3TDbdl9rCeRvMVaKer1umn1matj0Ovg1Zn9OPDTvmqXDXvJpdd0K5bpZBhY3-HWp_HXmssiNlQyQGD59Oqc/s640/2.png" width="640" /></a></div>
<br />
We can get more information on a user by utilising <b>-ObjectID</b> with the Azure AD user object's ObjectID GUID. For example <b>Get-AzureADUser -ObjectID "object guid" |FL</b><br />
<b><br /></b>
What we see here is the attribute <b>UserType</b> - this is how we can differentiate a normal user from a Guest.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyuDv4XUo52swK1o2bWyPD_JzDIyns52xj1PbroLv34rmY6L4K7LLJWoIRfQSXETOY8lfCTmEQYpowpRQLLA1HLv82FQoC6_AIozDx7aZXiwYrVOXnAY5Y9lZAmTOHC7MeoMRGdjMcNk4/s1600/3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="846" data-original-width="859" height="628" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyuDv4XUo52swK1o2bWyPD_JzDIyns52xj1PbroLv34rmY6L4K7LLJWoIRfQSXETOY8lfCTmEQYpowpRQLLA1HLv82FQoC6_AIozDx7aZXiwYrVOXnAY5Y9lZAmTOHC7MeoMRGdjMcNk4/s640/3.png" width="640" /></a></div>
<br />
With a simple where statement we can specify all Guest users.<br />
<br />
<b>Get-AzureADUser |where {$_.UserType -eq 'Guest'}</b><br />
<b><br /></b>
The <b>'CreationType'</b> attribute will also show whether the account was created from an invitation sent by a user.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjb-3jOsRAwj0Z5KymEbd5mREKV5jsiD4W1gfGDNMtTa12QoWxjl-HtvdSqFI_dZLBDls9z29WsMQeNniQmWxRx_8jWG0JFb5YjtrVaeMc4Q6LYawyIM65itIUSxpjukc4k-SM8K3Hma0A/s1600/4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="846" data-original-width="859" height="628" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjb-3jOsRAwj0Z5KymEbd5mREKV5jsiD4W1gfGDNMtTa12QoWxjl-HtvdSqFI_dZLBDls9z29WsMQeNniQmWxRx_8jWG0JFb5YjtrVaeMc4Q6LYawyIM65itIUSxpjukc4k-SM8K3Hma0A/s640/4.png" width="640" /></a></div>
<br />
With a fairly simple PowerShell one-liner we can retrieve all Azure Guest Users and format their most relevant attributes easily.<br />
<br />
<b>Get-AzureADUser |where {$_.UserType -eq 'Guest'} |Select DisplayName, UserPrincipalName, AccountEnabled, mail |FT</b><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgT48PdRbSaRpDQZwy_2CQt1lvQGETFHaw_PKWoKMqaHfOyWNtTaS_JqEM9xUuRXJUMQik6azaeQnRUO8XTLnVZdV09RxmJewHhyphenhyphenpe6vkJrmslS_O2zXRbWGD4R0RFUSQL4RKiyA9VrTwM/s1600/5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="537" data-original-width="859" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgT48PdRbSaRpDQZwy_2CQt1lvQGETFHaw_PKWoKMqaHfOyWNtTaS_JqEM9xUuRXJUMQik6azaeQnRUO8XTLnVZdV09RxmJewHhyphenhyphenpe6vkJrmslS_O2zXRbWGD4R0RFUSQL4RKiyA9VrTwM/s640/5.png" width="640" /></a></div>
<br />
We can utilise <a href="https://portal.azure.com/">https://portal.azure.com</a> | Azure Active Directory | Users | Audit Logs to see who has invited the external users and also when an external user accepted the invite. Just filter on the activity and specify <b>'Invite external user'</b> and <b>'Redeem external user invite'</b>.<br />
<br />
Selecting the audit log will show you more information including the time and date of the activities.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3RXLjeT4yoFDHmXQzHVjg9MicRa8J5Fw3N8iqat9-bGaDrts923QVnZJ8LvW4spJfufGj3QSM5PN248M9PkVDnSlgmk8X8xit3efxtEiBwrEuhu4slie9yGwPfsYJvJblUbsJd2dMMaQ/s1600/6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="867" data-original-width="1600" height="346" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3RXLjeT4yoFDHmXQzHVjg9MicRa8J5Fw3N8iqat9-bGaDrts923QVnZJ8LvW4spJfufGj3QSM5PN248M9PkVDnSlgmk8X8xit3efxtEiBwrEuhu4slie9yGwPfsYJvJblUbsJd2dMMaQ/s640/6.png" width="640" /></a></div>
<br />
If I check Azure Active Directory | Users | Sign-ins I can see the sign-in logs. I can specify user search terms to get more detailed information on an Azure Guest User accessing my Office 365 tenant. Note I can get immediate access to Sign-in Info, Device Info, and whether any second factor authentication or conditional access rules were applied.<br />
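The guest report one-liner, the invite audit entries and the sign-in lookup above, combined into one inventory script. This is an added example and not part of the original post: it uses the AzureADPreview module cmdlets `Get-AzureADUser`, `Get-AzureADAuditDirectoryLogs` and `Get-AzureADAuditSignInLogs`, assumes you are already connected with `Connect-AzureAD`, and writes to a sample CSV path. Two things the one-liner on its own does not do: it passes `-All $true` (without it `Get-AzureADUser` returns only the first page of users, so guests beyond it are silently missed), and it filters server-side on `userType`.

```powershell
# Added example (not from the original post): guest-account inventory joined to
# the audit entry that invited each guest and their most recent sign-in.
# Assumes an existing Connect-AzureAD session (AzureADPreview module); the CSV path is a sample.

$ReportPath = Join-Path $env:TEMP 'AzureADGuests.csv'

# Server-side filter on userType; -All $true avoids the default page limit
$Guests = Get-AzureADUser -All $true -Filter "userType eq 'Guest'"

# 'Invite external user' entries from the directory audit log (subject to your tenant's log retention)
$Invites = Get-AzureADAuditDirectoryLogs -All $true -Filter "activityDisplayName eq 'Invite external user'"

$Report = foreach ($Guest in $Guests) {
    # The invited account appears in the audit entry's target resources; take the latest match
    $Invite = $Invites |
        Where-Object { $_.TargetResources.UserPrincipalName -contains $Guest.UserPrincipalName } |
        Sort-Object ActivityDateTime -Descending |
        Select-Object -First 1

    # Most recent sign-in for this guest; empty if they have never signed in within the retained window
    $LastSignIn = Get-AzureADAuditSignInLogs -Top 1 -Filter "userId eq '$($Guest.ObjectId)'"

    [pscustomobject]@{
        DisplayName       = $Guest.DisplayName
        UserPrincipalName = $Guest.UserPrincipalName
        Mail              = $Guest.Mail
        AccountEnabled    = $Guest.AccountEnabled
        CreationType      = $Guest.CreationType
        InvitedBy         = $Invite.InitiatedBy.User.UserPrincipalName
        InvitedOn         = $Invite.ActivityDateTime
        LastSignIn        = $LastSignIn.CreatedDateTime
        LastSignInApp     = $LastSignIn.AppDisplayName
    }
}

$Report | Sort-Object InvitedOn | Format-Table -AutoSize
$Report | Export-Csv -Path $ReportPath -NoTypeInformation

# Candidates for review: enabled guest accounts with no recorded sign-in
$Report | Where-Object { $_.AccountEnabled -and -not $_.LastSignIn } |
    Select-Object DisplayName, UserPrincipalName, InvitedBy, InvitedOn
```

The invite and sign-in columns are only as complete as the audit log retention in your tenant, so an empty `InvitedOn` or `LastSignIn` for an older guest means "outside the retained window", not "never"; schedule the script and keep the CSV history if you need a longer view.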
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiE0oP4ULJqI9Gpu7im2cJjnFSFJpbcVDUOpbG2q2F9ro5TNUOqfnrx842yEejfuhAeq3hV12wZnqrllrpbnNgC6LVKC9xr7tS4tA7jYI1cREH8K0WRQPWDyhFWfLUFJOoCAx6B5qVAtgs/s1600/7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="867" data-original-width="1600" height="346" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiE0oP4ULJqI9Gpu7im2cJjnFSFJpbcVDUOpbG2q2F9ro5TNUOqfnrx842yEejfuhAeq3hV12wZnqrllrpbnNgC6LVKC9xr7tS4tA7jYI1cREH8K0WRQPWDyhFWfLUFJOoCAx6B5qVAtgs/s640/7.png" width="640" /></a></div>
<br />
And whilst both the Audit Log and Sign-ins allow me to download reports, Sign-ins provides richer integration with Power BI once you've configured it (which I'll detail in a future blog post).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXuVXJKfCsNQtynGVbzkQg9J6orbO67q9QXhOraYQnnYI6AaJerQW93_V2BDAqUXgW_vKuSovGfJX8pSmfQUyNPk1MTvhn19hmCQWoJ0B0gdzIV0XYxiipmgpIuIGR2Eu3hyglcXP20iE/s1600/8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="867" data-original-width="1600" height="346" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXuVXJKfCsNQtynGVbzkQg9J6orbO67q9QXhOraYQnnYI6AaJerQW93_V2BDAqUXgW_vKuSovGfJX8pSmfQUyNPk1MTvhn19hmCQWoJ0B0gdzIV0XYxiipmgpIuIGR2Eu3hyglcXP20iE/s640/8.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvpSxLlIUCHNG5Wzg_c9cCiRjrQUTG67A7x7yEcIkoWssAeRxjsS0YCbdy7yKJqsg-GCVJ08xElmUEGktkkvu0l6clGRvjl4A5btYd7CWkWmvp7Ckvzk9Yy5N-qUSS5JAP-fZwwsfNJgU/s1600/9.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="867" data-original-width="1600" height="346" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvpSxLlIUCHNG5Wzg_c9cCiRjrQUTG67A7x7yEcIkoWssAeRxjsS0YCbdy7yKJqsg-GCVJ08xElmUEGktkkvu0l6clGRvjl4A5btYd7CWkWmvp7Ckvzk9Yy5N-qUSS5JAP-fZwwsfNJgU/s640/9.png" width="640" /></a></div>
<br />
So, getting back to creating a nice list of Azure Guest Users, we can utilise the Azure AD Preview PowerShell module to get this data and wrap it up in an email to send to us as and when needed. I've written a script and uploaded it to the <a href="https://gallery.technet.microsoft.com/Retrieve-Azure-Active-9c6e0be4">TechNet Gallery here</a>.<br />
<br />
You can use it to get a list of Azure Guest users in the session window<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgs96ZPCSJAm-m5wCVdDkgcSeudx62M4nTQijwNuSCGHQDwbIdE8ssCJ3cCIrkSW8RVqdJksmHhH5-WohE42KV8W4javHbCvCgFyL9BFH5swStyN6WOYpPGudbAAX7yDlqcw88jrGtm_M/s1600/script1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="600" data-original-width="1023" height="374" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgs96ZPCSJAm-m5wCVdDkgcSeudx62M4nTQijwNuSCGHQDwbIdE8ssCJ3cCIrkSW8RVqdJksmHhH5-WohE42KV8W4javHbCvCgFyL9BFH5swStyN6WOYpPGudbAAX7yDlqcw88jrGtm_M/s640/script1.png" width="640" /></a></div>
<br />
Or use the -email switch, which lets you run it as a scheduled task - be aware the password needs to be in the script; however a standard user will work, as all it needs is read access, which it has by default.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6fSqZDjpijX07U2z023w3H-UDCk1YYOu11nonNwDGhOyXs7z4Q0w8zNNaVeMMK_I8bHLQzLXeUpygc_DlQeUDeIghpXTwXstMqhGrkZZEUeeNU-QoDKxWzkqoSOrB41Jy58zOJ6JxNQM/s1600/script2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="600" data-original-width="1023" height="374" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6fSqZDjpijX07U2z023w3H-UDCk1YYOu11nonNwDGhOyXs7z4Q0w8zNNaVeMMK_I8bHLQzLXeUpygc_DlQeUDeIghpXTwXstMqhGrkZZEUeeNU-QoDKxWzkqoSOrB41Jy58zOJ6JxNQM/s640/script2.png" width="640" /></a></div>
<br />
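As an added example (this is my own illustration, not the TechNet Gallery script above), the following PowerShell pulls the same two pieces of information discussed in this post, the list of Azure AD guest users and the 'Invite external user' / 'Redeem external user invite' audit activities, and optionally e-mails them. It uses the AzureADPreview module because Get-AzureADAuditDirectoryLogs lives there. It also shows one way round the scheduled-task caveat: rather than embedding the password in the script, the credential is stored once with Export-Clixml, which protects the SecureString with DPAPI so only the same Windows account on the same machine can read it back. The credential path, SMTP server and addresses are placeholders, and the property names on the audit log objects (InitiatedBy, TargetResources) are assumed from the AzureADPreview output.<br />

```powershell
# Added example, not the author's script: report Azure AD guest users and
# external-user invitation activity, optionally by e-mail (run as a scheduled task).
param(
    [switch]$Email,
    [string]$CredentialPath = "$env:USERPROFILE\aad-report.cred.xml",  # assumed path
    [string]$SmtpServer = 'smtp.example.com',                          # placeholder
    [string]$From = 'reports@example.com',                             # placeholder
    [string]$To = 'security@example.com'                               # placeholder
)

Import-Module AzureADPreview

# One-off setup (by hand, as the account the task will run under):
#   Get-Credential | Export-Clixml -Path "$env:USERPROFILE\aad-report.cred.xml"
# Export-Clixml encrypts the SecureString with DPAPI for that user on that machine,
# so the script never holds a clear-text password.
if (Test-Path $CredentialPath) {
    $cred = Import-Clixml -Path $CredentialPath
    Connect-AzureAD -Credential $cred | Out-Null
} else {
    Connect-AzureAD | Out-Null   # interactive sign-in when run by hand
}

# Every guest account in the tenant; userType eq 'Guest' is the OData filter.
$guests = Get-AzureADUser -All $true -Filter "userType eq 'Guest'" |
    Select-Object DisplayName, UserPrincipalName, Mail, UserState, CreationType

# The same activities the Audit Logs blade shows, one query per activity name.
$activities = 'Invite external user', 'Redeem external user invite'
$invites = foreach ($activity in $activities) {
    Get-AzureADAuditDirectoryLogs -All $true -Filter "activityDisplayName eq '$activity'" |
        Select-Object ActivityDateTime, ActivityDisplayName,
            @{ n = 'Actor';  e = { $_.InitiatedBy.User.UserPrincipalName } },
            @{ n = 'Target'; e = { ($_.TargetResources | Select-Object -First 1).UserPrincipalName } }
}

$body = @"
Guest users ($(@($guests).Count)):
$($guests | Format-Table -AutoSize | Out-String)

External user invitations and redemptions:
$($invites | Sort-Object ActivityDateTime -Descending | Format-Table -AutoSize | Out-String)
"@

if ($Email) {
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
        -Subject "Azure AD guest user report $(Get-Date -Format yyyy-MM-dd)" -Body $body
} else {
    $body   # write the report to the session window, as the post's script does
}
```

Run it interactively with no switches to see the report in the session, or with -Email from a scheduled task once the credential file has been exported under the task's account. Because the task account only reads directory data, a standard (non-admin) user is enough, which keeps the blast radius small if the credential file is ever exposed.<br />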
<br />
<br />
Have fun!<br />
<a href="https://twitter.com/OliverMoazzezi" style="font-family: calibri, helvetica, sans-serif; font-size: 16px;" target="_blank">@OliverMoazzezi</a><br />
<br />
<br />
<br />Oliver Moazzezihttp://www.blogger.com/profile/06204760006275603297noreply@blogger.com1tag:blogger.com,1999:blog-5507158607924562609.post-89319871723768565562018-07-26T17:34:00.001+01:002018-07-26T17:39:32.799+01:00Configuring Azure Password Protection with Active Directory<br />
Firstly apologies that this is a few days later than I originally planned but my trip to Microsoft Inspire really messed up my spare time to get this out there - having said that, welcome to the final part of my Azure Password Protection Preview review where we'll take a look at how to configure this with an on-premises Active Directory.<br />
<br />
Pre-requisites are AADConnect, Domain Controllers running Windows Server 2012 R2 or above, and a member server that will run the Azure Password Protection Proxy.<br />
<br />
You can download both the Proxy and Password Agent at <a href="https://www.microsoft.com/en-us/download/details.aspx?id=57071">this link.</a> As previously stated Windows Server 2012 R2 is needed as the minimum supported operating system. The Proxy agent will flat out refuse to start on a Windows 2008 R2 server, but I did have success with the DC Agent. However this is not supported - ensure you are at Windows Server 2012 R2 or above.<br />
<br />
<br />
Firstly we need to install the Proxy service. You can have up to two Proxy services installed per Active Directory Forest, with the DC Agent installed on every DC in the Forest/Domain. Run the install; alternatively you can perform a silent install with<br />
<br />
<b> msiexec.exe /i AzureADPasswordProtectionProxy.msi /quiet /qn</b><br />
<b><br /></b>
However in this example I am using the UI. Deploy the agent<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1DBE1dAVjbSB77fhp_4ehtNsCz0lN2bDn11TPgjyIU5hXKarXjH0NhAZgUqNkdJmI9GCxkQa0OkEYvuSUq_okY20nZTbC0gzCQUcrY9B19FQFPOdeWuF_jbbJJIOVIAdMU6hv8bRhY_k/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="400" data-original-width="510" height="500" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1DBE1dAVjbSB77fhp_4ehtNsCz0lN2bDn11TPgjyIU5hXKarXjH0NhAZgUqNkdJmI9GCxkQa0OkEYvuSUq_okY20nZTbC0gzCQUcrY9B19FQFPOdeWuF_jbbJJIOVIAdMU6hv8bRhY_k/s640/1.png" width="640" /></a></div>
<br />
Simply accept the terms and select 'Install'<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJcaDRLl5jpDykG_4AUs-qeZepRkiv0tP9BlvB2l9idlt1almjK47tW2Q-X_V1nKY7PwnCc9PbSb90KcPrmN38oQtDtLGUTWoHVOY7yvdSaHFoY5JY_o__FDzIw4n-8QJ0y1CyrzJQlIY/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="399" data-original-width="510" height="500" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJcaDRLl5jpDykG_4AUs-qeZepRkiv0tP9BlvB2l9idlt1almjK47tW2Q-X_V1nKY7PwnCc9PbSb90KcPrmN38oQtDtLGUTWoHVOY7yvdSaHFoY5JY_o__FDzIw4n-8QJ0y1CyrzJQlIY/s640/2.png" width="640" /></a></div>
<br />
And that is it, the Proxy service is installed, although it is not yet registered with the Azure service. You should be able to see it running in the Services snap-in.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEii6tWb1g8TB1RRureYGntMVRdoLvI3_MaaGgVRhXBQka5y90udMR2Wopw9B2jWQIqq_ShcxIlLiAC31bjaVOvyJua-W5EIVChJAGXCGd9nreAXWZIy5jMP3T1mavIzGHxHqFlnZhxjBQI/s1600/3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="699" data-original-width="1011" height="442" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEii6tWb1g8TB1RRureYGntMVRdoLvI3_MaaGgVRhXBQka5y90udMR2Wopw9B2jWQIqq_ShcxIlLiAC31bjaVOvyJua-W5EIVChJAGXCGd9nreAXWZIy5jMP3T1mavIzGHxHqFlnZhxjBQI/s640/3.png" width="640" /></a></div>
<br />
What we now need to do is open a PowerShell session on the server. The install deploys a PowerShell module called 'AzureADPasswordProtection', which we need to load:<br />
<br />
<b>Import-Module AzureADPasswordProtection</b>, and then,<br />
<b>Register-AzureADPasswordProtectionProxy </b><br />
<b><br /></b>
You must ensure at this point that the account that is running this elevated PowerShell session is both a Domain Admin AND also a Global Administrator for your Office 365 tenant. This is very important. If you have ADFS then you will not get further unless you have password hash synchronisation in place - then it will work.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEL8mtEkjEZao67fUrGV3y1WhGd9bKICaWG3rfNbY3KkBoVxZCuQsO6YJOkqYq2f48N778RK3Oxp0eZkUBHP82TdgtwqqumJb_MF3FauAZq18iZhxhlI_4actEf6hz3AnoKFmqeoTM0vo/s1600/4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="637" data-original-width="872" height="466" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEL8mtEkjEZao67fUrGV3y1WhGd9bKICaWG3rfNbY3KkBoVxZCuQsO6YJOkqYq2f48N778RK3Oxp0eZkUBHP82TdgtwqqumJb_MF3FauAZq18iZhxhlI_4actEf6hz3AnoKFmqeoTM0vo/s640/4.png" width="640" /></a></div>
<br />
As long as the account is both a Domain Admin and a Global Administrator the service registers successfully without much fuss.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgd4uHbDajdPIkFmjaPNKPTiQhnmYkB9L-apN2vaMtcIUvGGx7kG9oCa40uqtHFdvl6xqHmtkzUpOEKjZY2qQHyUW7O4ZgGAbBwwTu-h0zeS88VPrgr9XjuG91ukv8yJFZE4YcFlDIfpR0/s1600/5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="640" data-original-width="873" height="468" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgd4uHbDajdPIkFmjaPNKPTiQhnmYkB9L-apN2vaMtcIUvGGx7kG9oCa40uqtHFdvl6xqHmtkzUpOEKjZY2qQHyUW7O4ZgGAbBwwTu-h0zeS88VPrgr9XjuG91ukv8yJFZE4YcFlDIfpR0/s640/5.png" width="640" /></a></div>
<br />
From here on in, if you are in a single Forest scenario you are done. Installing a second Proxy is supported, but you do not have to register the service again; the above step is once per Forest. If you are running a multi Forest Active Directory, then you repeat the registration process once per Forest - and each Forest can have two Proxy agents.<br />
<br />
We can check the service is still running and also the configuration of the service using these PowerShell commands:<br />
<br />
<b>Get-Service AzureADPasswordProtectionProxy |FL</b><br />
<b><br /></b>
<b>Get-AzureADPasswordProtectionProxyConfiguration</b><br />
<b><br /></b>
With the above command you'll see that a static port can be configured if you require one in extremely restrictive outbound Firewall scenarios. A port of 0 means it is dynamic; if you need to set a specific port simply use:<br />
<br />
<b>Set-AzureADPasswordProtectionProxyConfiguration -StaticPort 'port number'</b><br />
<b><br /></b>
Using the above command and setting the -StaticPort parameter back to 0 will make the service use a dynamic range once more.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgufb1Kzna7sl5FN68FhL3iYnuktxnLFlWjqZ3cK3-dsqkQ9Ts792stPM_RGHcOB5GQ_mibP1K4LLyD9L-5TPg5vx6B4pdCFvg5nljHp-SAnnJpfWPfgDfKCnvzovZsyzDbFs5bKrhxj74/s1600/6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="640" data-original-width="874" height="468" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgufb1Kzna7sl5FN68FhL3iYnuktxnLFlWjqZ3cK3-dsqkQ9Ts792stPM_RGHcOB5GQ_mibP1K4LLyD9L-5TPg5vx6B4pdCFvg5nljHp-SAnnJpfWPfgDfKCnvzovZsyzDbFs5bKrhxj74/s640/6.png" width="640" /></a></div>
<br />
So now we have our Proxy in a healthy state we can deploy our DC Agents. Again the installer is an extremely simple affair: accept the terms and we're done - note that you'll have to restart your Domain Controllers. This is because it installs a password filter DLL that listens for password changes, which is what allows Azure Password Protection to work with your on-premises Active Directory. Deploy the Agent to each Domain Controller in the Forest. We can again deploy quietly should you so wish using<br />
<br />
<b>msiexec.exe /i AzureADPasswordProtectionDCAgent.msi /quiet /qn</b><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGMVQ6FMZ-RNZ8rthxWDdtxRBQLertZSvAEHZQU8aydH712rLDBSrPp4KH46APWeA2BUIWtPKLOKkeMXbtb26ApkU2HKLAKoh4_Bj0_b_ERZI8X3or1AwLj8WBC_y8r8B3q0CW0O3OZ_k/s1600/7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="396" data-original-width="508" height="498" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGMVQ6FMZ-RNZ8rthxWDdtxRBQLertZSvAEHZQU8aydH712rLDBSrPp4KH46APWeA2BUIWtPKLOKkeMXbtb26ApkU2HKLAKoh4_Bj0_b_ERZI8X3or1AwLj8WBC_y8r8B3q0CW0O3OZ_k/s640/7.png" width="640" /></a></div>
<br />
Now we are in a position to enable password protection for Windows Server Active Directory. Go to the Azure Portal and in Password Protection enable it, ensure you select Save to keep your changes.<br />
<br />
Microsoft recommends deploying in Audit mode only and that's what I have initially done. We'll enforce the policy later in this post.<br />
<br />
I have found during testing this can take up to 60 minutes before it starts pushing the policy out and the on-premises agents report they are receiving a policy from Azure. Microsoft states it may sometimes take a lot longer than that, but we can check Event Viewer on the on-premises Domain Controllers to see when the policy has pushed down. More on that later.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSvDZ7luaIBoSdCrnNaSxrjIECP9YNVEuhXR0itB9kLrgI4txogruRMaDChIrS6R-kuSERRxnm0dzSCQCYBQqatZsatXUhtwVuOvRy-LaF4_Rnn7bwFZRKVE6oThwrJx7E6aq2I-01aIQ/s1600/8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="561" data-original-width="941" height="380" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSvDZ7luaIBoSdCrnNaSxrjIECP9YNVEuhXR0itB9kLrgI4txogruRMaDChIrS6R-kuSERRxnm0dzSCQCYBQqatZsatXUhtwVuOvRy-LaF4_Rnn7bwFZRKVE6oThwrJx7E6aq2I-01aIQ/s640/8.png" width="640" /></a></div>
<br />
<br />
Even if the Azure Password Protection policy hasn't yet been pushed to on-premises, you'll now be able to see a summary report of password changes. Use the PowerShell command <b>Get-AzureADPasswordProtectionSummaryReport -DomainController 'DC'</b> (where DC is the Domain Controller you want to check)<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhB4jh0kLEdiO5TdstDiBkF2Hb4edny8UmvMkqYbL3GwuIDSSlOuRXf1X1OpIF94vLlOS-t_upGTnSuHENNrjdjLciHG9GdN4XylYzuw0mZPXrM5cu4cjy9f_zl-hExOydswCmrszxOzIU/s1600/9.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="639" data-original-width="876" height="466" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhB4jh0kLEdiO5TdstDiBkF2Hb4edny8UmvMkqYbL3GwuIDSSlOuRXf1X1OpIF94vLlOS-t_upGTnSuHENNrjdjLciHG9GdN4XylYzuw0mZPXrM5cu4cjy9f_zl-hExOydswCmrszxOzIU/s640/9.png" width="640" /></a></div>
<br />
If you check Event Viewer under | Application and Services Logs | Microsoft | AzureADPasswordProtection | you'll see either DCAgent, ProxyService, or both depending on how you have built your Proxy and Agent infrastructure. To confirm the Azure policy has pushed to your on-premises infrastructure check the DCAgent log and search for Event ID '30006', you'll get a nice notice telling you that your Azure Password Policy is now being enforced. All DC Agents should get this at roughly the same time as communication comes from the Proxy.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgm85-XvzBBJleABk-8mlkRNDMTg-XnPgPF9dsbuwigNJawYVzlwvnPgK9N03KWxNRDxg1QquU1B2fbedVs6UdgnixPcgFdzIUV8N51Wa2dQtQc-EKDJZ1DEd4NyGrQtU8dF6FUfTQEPK8/s1600/10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="586" data-original-width="982" height="380" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgm85-XvzBBJleABk-8mlkRNDMTg-XnPgPF9dsbuwigNJawYVzlwvnPgK9N03KWxNRDxg1QquU1B2fbedVs6UdgnixPcgFdzIUV8N51Wa2dQtQc-EKDJZ1DEd4NyGrQtU8dF6FUfTQEPK8/s640/10.png" width="640" /></a></div>
<br />
As we're in Audit mode we can now see Azure Password Protection working without explicitly denying users password changes. This is a great way to get an understanding of the service, gain confidence it is working and perform testing of password changes whilst looking at the audit logs. Look for Event ID 10025 or utilise the previous <b>Get-AzureADPasswordProtectionSummaryReport</b> - but the Event Logs will give you a richer report experience.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiubHhyn_RGK2WSkJ5ikuSFrPe081oFzslWQX_IUsu9TI3nXZm9OmoAMTKKcuZ9h3MUg9U9lZgrUNN4qs37fkDJY2saP4D7CrgOTqQQLTTZ2ptevX9cJHfWNP9vDvO7TrGftIFR3IpNXlE/s1600/11.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="618" data-original-width="972" height="406" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiubHhyn_RGK2WSkJ5ikuSFrPe081oFzslWQX_IUsu9TI3nXZm9OmoAMTKKcuZ9h3MUg9U9lZgrUNN4qs37fkDJY2saP4D7CrgOTqQQLTTZ2ptevX9cJHfWNP9vDvO7TrGftIFR3IpNXlE/s640/11.png" width="640" /></a></div>
<br />
Once you are happy the Proxy and Agents are working as expected and your testing in Audit mode confirms the Azure Password Protection service is working as expected, we can take the service out of Audit mode and push for Enforcement. Go back into Azure and simply select 'Enforced'<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8qq69TJ1d2D72iTn-TxkExA89-2Fj8-wtrIHUSrf2_pwtuUx5ky03kJ7BUYWsn59_z4hQRTOTZWYlK29g4rFx-Ad0FbkUr6kI4nLGECz68rdoUrWk560MUzt9DB0i1EZRWJE0rkHLxng/s1600/enforced.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="462" data-original-width="949" height="310" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8qq69TJ1d2D72iTn-TxkExA89-2Fj8-wtrIHUSrf2_pwtuUx5ky03kJ7BUYWsn59_z4hQRTOTZWYlK29g4rFx-Ad0FbkUr6kI4nLGECz68rdoUrWk560MUzt9DB0i1EZRWJE0rkHLxng/s640/enforced.png" width="640" /></a></div>
<br />
<br />
I found I have to wait around an hour or so for the service to come out of Audit mode and for Enforcement to come into play. You can of course restart the DC Agents to immediately pick up the policy change, but if the Azure Password Policy hasn't been pushed to the Proxy yet from Azure it won't make a difference. You'll need to sit and wait and check for Event ID 30006. Once out of Audit mode, the event will show 'AuditOnly: 0' - interestingly 'Enforce tenant policy' is always at 1.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLGzq2X28r8A2_FBS9PHPf8TsPgCZw0ePS57IdY5OvCQbXiVHLQ4oFC5rcg1sY9EoqZve-P5Xaq6M_IXAsey2YPPLe6CNwMppdCh_SCcgTRs7UlpAmPA6ZrjDUJEHmGj2cDZ__6vSYEGg/s1600/12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="446" data-original-width="888" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLGzq2X28r8A2_FBS9PHPf8TsPgCZw0ePS57IdY5OvCQbXiVHLQ4oFC5rcg1sY9EoqZve-P5Xaq6M_IXAsey2YPPLe6CNwMppdCh_SCcgTRs7UlpAmPA6ZrjDUJEHmGj2cDZ__6vSYEGg/s640/12.png" width="640" /></a></div>
<br />
So what happens if we now change a password for the user? Well, you're not only going to get all of the automatic protection from Azure's default password protection policies, but your custom banned password policy is also invoked. If we now try to change a password we'll see the below:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh81d3KuiBBLOul0cAnK6yNhuj46bEC8DgDcddfX1bg0auSzgVxkcylQrQhkwnCy1Tfte6AcpeChzJfOIm0VpF5-9-MFNygrSmMYivCz-PofpiiC4PHQjEbtizsZAEw3bxLKPfygOx-4xI/s1600/13.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="629" data-original-width="1006" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh81d3KuiBBLOul0cAnK6yNhuj46bEC8DgDcddfX1bg0auSzgVxkcylQrQhkwnCy1Tfte6AcpeChzJfOIm0VpF5-9-MFNygrSmMYivCz-PofpiiC4PHQjEbtizsZAEw3bxLKPfygOx-4xI/s640/13.png" width="640" /></a></div>
<br />
And Event ID 10017 will show the Enforcement at work.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEMbDIteNm6tLLHZC6cNMGipStyjYTx0swfF1EYnCqiOF9aQviOWh7gJ7ibfltYMkQaAx0Dh_HboNjuOffU9SJNH32eqqwcEEYB8Elfzd_mM_yO9qc3WmYU86rH9IvX0mC8tUooB4PkcM/s1600/14.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="516" data-original-width="951" height="346" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEMbDIteNm6tLLHZC6cNMGipStyjYTx0swfF1EYnCqiOF9aQviOWh7gJ7ibfltYMkQaAx0Dh_HboNjuOffU9SJNH32eqqwcEEYB8Elfzd_mM_yO9qc3WmYU86rH9IvX0mC8tUooB4PkcM/s640/14.png" width="640" /></a></div>
<br />
And of course back in PowerShell we can again use the summary reports. We'll now see numbers against password changes rejected or password sets rejected depending on the password change type.<br />
<br />
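To tie the Audit mode checks (Event ID 30006 and 10025) and the Enforcement checks (Event ID 10017 and the summary report) together, here is an added PowerShell example of my own, not something shipped with the agents, that runs the same checks across every Domain Controller in one go. It assumes the DC Agent Event Viewer path above corresponds to the channel name 'Microsoft-AzureADPasswordProtection-DCAgent/Admin', that the machine running it has remote event log access to the DCs, and that the AzureADPasswordProtection and ActiveDirectory modules are available. The AuditOnly value is parsed out of the 30006 event message text, so it relies on the 'AuditOnly: 0' / 'AuditOnly: 1' wording shown in the screenshots.<br />

```powershell
# Added example, not from the post or the product: summarise Azure Password
# Protection state per Domain Controller from the DC Agent event log.
Import-Module ActiveDirectory
Import-Module AzureADPasswordProtection

$Channel = 'Microsoft-AzureADPasswordProtection-DCAgent/Admin'   # assumed channel name
$Since   = (Get-Date).AddHours(-24)

foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    # 30006: the agent records the policy it received from Azure; the message
    # body carries 'AuditOnly: 1' while auditing and 'AuditOnly: 0' once enforced.
    $policy = Get-WinEvent -ComputerName $dc -MaxEvents 1 -FilterHashtable @{
        LogName = $Channel; Id = 30006 } -ErrorAction SilentlyContinue

    $auditOnly = $null
    if ($policy -and $policy.Message -match 'AuditOnly:\s*(\d)') {
        $auditOnly = [int]$Matches[1]
    }

    # 10025: password would have been rejected (Audit mode);
    # 10017: password was rejected (Enforce mode). Counted over the last 24 hours.
    $counts = @{}
    foreach ($id in 10025, 10017) {
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName = $Channel; Id = $id; StartTime = $Since } -ErrorAction SilentlyContinue
        $counts[$id] = @($events).Count
    }

    [pscustomobject]@{
        DomainController   = $dc
        PolicyReceivedAt   = $(if ($policy) { $policy.TimeCreated } else { $null })
        AuditOnly          = $auditOnly          # $null means no 30006 event seen yet
        AuditRejects24h    = $counts[10025]
        EnforcedRejects24h = $counts[10017]
        SummaryReport      = (Get-AzureADPasswordProtectionSummaryReport -DomainController $dc |
                                 Out-String).Trim()
    }
}
```

A DC with PolicyReceivedAt empty has not yet received the policy from the Proxy, which is the 'sit and wait' case described above; a DC still showing AuditOnly 1 after you have selected 'Enforced' in the portal is the hour-long lag I mention later. Pipe the output to Format-List or Export-Csv to keep a record of each run.<br />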
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgi3ucSwrR2dcwwFg_k_AVeXiq3h_FPkWvjx82XOek4g5RmubGi5rwoqaVGRIIXF8Uk-beNAgQqyYgMgEcLgYYFXmMJTR0YBlOvD8CHW0aOk49Mqf5r0Z_NVFTr0Euf87Ov3oWyq8CoqCo/s1600/Final.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="636" data-original-width="873" height="466" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgi3ucSwrR2dcwwFg_k_AVeXiq3h_FPkWvjx82XOek4g5RmubGi5rwoqaVGRIIXF8Uk-beNAgQqyYgMgEcLgYYFXmMJTR0YBlOvD8CHW0aOk49Mqf5r0Z_NVFTr0Euf87Ov3oWyq8CoqCo/s640/Final.png" width="640" /></a></div>
<br />
<br />
I have to say I am impressed with the solution and look forward to it coming out of Preview. I do hope they'll add a few improvements to the service however.<br />
<br />
Firstly from a user experience point of view when Azure Password Protection blocks your password change you are not informed, you just get the usual 'your password does not meet the complexity requirements' jargon. I've been informed that this is going to be improved so it can give a more granular informational alert experience.<br />
<br />
Secondly pushing the audit log experience into Azure as well would also be great - akin to the Azure Self Service Password Experience with Password Writeback and AADConnect.<br />
<br />
Lastly I think the registration experience can be improved, including visibility that both the Proxy and DC agents are online and working as expected. Pushing this visibility into the Azure Portal - something similar to Azure Pass-through Authentication, where you can see your PTA agents being online and the FQDN of the DC/AADConnect box - would be a welcome addition, along with notifications to administrators if an agent goes offline.<br />
<br />
Have fun!<br />
<a href="https://twitter.com/OliverMoazzezi" style="font-family: calibri, helvetica, sans-serif; font-size: 16px;" target="_blank">@OliverMoazzezi</a><br />
<br />
<br />
<br />Oliver Moazzezihttp://www.blogger.com/profile/06204760006275603297noreply@blogger.com0tag:blogger.com,1999:blog-5507158607924562609.post-25403717372139599492018-07-26T15:59:00.002+01:002018-09-03T16:52:11.793+01:00My 4 days of Microsoft Inspire!<br />
I recently got back from Las Vegas for my first Microsoft Inspire event. I took a wash-up video each day and posted them on Twitter. I've added them here as a nice single place to find them all.<br />
<br />
<br />
I signed up to attend the pre-day on the Sunday - this was a great opt-in benefit I suggest you sign up for if you can in the future.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/DKuvbvTHBxU/0.jpg" frameborder="0" height="600" src="https://www.youtube.com/embed/DKuvbvTHBxU?feature=player_embedded" width="800"></iframe></div>
<br />
<br />
Day 1 - my day revolved around Skype to Teams roadmaps and Azure<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/gOxNSKgNC3Y/0.jpg" frameborder="0" height="600" src="https://www.youtube.com/embed/gOxNSKgNC3Y?feature=player_embedded" width="800"></iframe></div>
<br />
Day 2 - I spent a lot of time on GDPR functionality enhancements in Office 365<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/SSfZllZ2Xz0/0.jpg" frameborder="0" height="600" src="https://www.youtube.com/embed/SSfZllZ2Xz0?feature=player_embedded" width="800"></iframe></div>
<br />
Day 3 - A great final day, with a fantastic keynote. I doubled down on Azure incentives for SQL and Windows server migrations to Azure.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/xL8We0tBg_A/0.jpg" frameborder="0" height="600" src="https://www.youtube.com/embed/xL8We0tBg_A?feature=player_embedded" width="800"></iframe></div>
<br />
<br />
Have fun!<br />
<a href="https://twitter.com/OliverMoazzezi" style="font-family: calibri, helvetica, sans-serif; font-size: 16px;" target="_blank">@OliverMoazzezi</a>Oliver Moazzezihttp://www.blogger.com/profile/06204760006275603297noreply@blogger.com0