Change default email address Office 365 group (Manual)

Office 365 Groups are easy to create. However, changing the primary domain name when creating the group might not be that easy from the GUI. However, with Power Shell you can change this easily.

First we will need to open a Power Shell Window, and connect with Exchange Online.

$Credential = Get-Credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $Credential -Authentication Basic -AllowRedirection

Import-PSSession $Session

Next, we just need to change the 2 value’s below, and run it. After running, you don’t get a confirmation. It might take up to 30 minutes before changes are visible in all Office 365 and/or Azure portals.

Set-UnifiedGroup –Identity "Group name" –PrimarySmtpAddress primaryaddress@2azure.nl

Sources:
https://docs.microsoft.com/en-us/powershell/module/exchange/users-and-groups/set-unifiedgroup?view=exchange-ps

Credits: Martin van de Giessen

Convert AD domain users to Azure AD users (Manual)

With the move to the cloud there might be a time where you would like to remove the Active Directory link (AD Connect) and go for a cloud only strategy. With a few simple steps you can disconnect the AD connect sync from Azure AD.

When you look in your Office 365 environment you will notice that the sync status has different symbols. One for cloud only, and one for Active Directory. To disable the link, open a PowerShell window and run the following steps.

STEP 1: First make sure that you disable the AD Connect sync service by disabling the service, or set it to staging mode.

STEP 2: Connect to your Microsoft Office 365 environment using the following command, and login to the desired environment:

connect-msolservice

STEP 3: Now run the following command to disable the sync, confirm your actions, you cannot undo this change!

Continue reading “Convert AD domain users to Azure AD users (Manual)”

Azure Risk based conditional access explained and how to set it up!

With the Azure AD Premium P2 license you are entitled for Azure AD Identity Protection. You will get the option in Conditional Access to assign risk level based options to your policies. Azure AD Identity Protection can detect six different types of suspicious sign-in activities with 3 different levels of risks.

Six suspicious sign-in activities and 3 risk levels

With the riks levels combined with conditional access policies we can protect sensitive application and data access. With this article I am going to show you how to create risk-based conditional access policies

So let’s create a Policy and get Conditional Access applied with risk levels

Step 1: Log in to the Azure Portal: https://portal.azure.com

Continue reading “Azure Risk based conditional access explained and how to set it up!”

Enforce (Azure) MFA with Conditional Access policies

Multi Factor Authentication (MFA) is an added security feature from Azure which I believe that should be enabled by default for everybody in Office 365 and Azure. There for this manual how to enforce (Azure) MFA for all users using Azure Multi Factor Authentication

MFA can prevent unauthorized access in case of the following events:

  • Leaked credentials
  • Sign-ins from anonymous IP addresses
  • Impossible travel to atypical locations
  • Sign-ins from unfamiliar locations
  • Sign-ins from infected devices
  • Sign-ins from IP addresses with suspicious activities

Using Conditional access we can ensure that your users and company data is safe. Important to know is that Office 365 MFA is free of charge, and if you have Azure AD applications an Azure AD Premium license is required.

Named location

If you want to mark your locations as trusted location, you can do that if you have a static public IP. So the first steps are there to define your office locations.

Continue reading “Enforce (Azure) MFA with Conditional Access policies”

How to solve Failed to sync the ArchiveGuid in Office 365 (Manual)

Last few weeks I’ve been struggling with an very difficult Office 365 / Exchange Online case, that got escalated to multiple Microsoft departments to be fixed. I already found one part of the solution, but Microsoft found the second part. Today I would like to take you through all the steps to fix possible causes and resolutions. So the initial problem started with the following error in the Office 365 admin portal with the affected users:

Failed to sync the ArchiveGuid 00000000-0000-0000-0000-000000000000 of mailbox MailboxGuid because one cloud archive CloudArchiveGuid exists.

Another symptom is the mailbox provisioning gets stuck, and hangs on “We are preparing a mailbox for this user”

You will only see this error with AD connect sync enabled environments. The problem occurs when the on-premise value mismatches with the Online Archive Guid. With just a few easy steps we can fix this issue.

Resolution

We will need to fill multiple Active Directory user attributes to resolve this issue.

Continue reading “How to solve Failed to sync the ArchiveGuid in Office 365 (Manual)”

How to block non-modern authentication to Office 365 services. (Manual)

With Azure Conditional access you get more control over your data, get better security and visibility! To use this feature you will need to buy and assign Azure AD Premium or EM+S E3/E5 licenses to your users.

This manual can be used to enforce the use of the Outlook app on IOS and Android devices by blocking all apps that do not support Modern Authentication like iOS mail and Google mail client.

Step 1: In the Azure Portal go to Conditional Access. On the first page that you get create a New policy

Continue reading “How to block non-modern authentication to Office 365 services. (Manual)”

Create a drive mapping using Intune on Azure AD joined devices (Manual)

With the transition to Azure AD, you might want to connect your AAD joined devices to the traditional file server as explained in this article: Go Azure AD Joined with on-prem DC and fileserver The next step is to map some network drives with Intune!

Step 1: The first step is to create a PowerShell script that will do the actual drive mappings. This script will be placed on a Azure Blob storage (or your internal domain) where you will be able to manage and maintain the script. This script will be run using a second script that we will deploy with Intune. For your convenience I’ve already prepared the script:

Continue reading “Create a drive mapping using Intune on Azure AD joined devices (Manual)”

Azure SQL configure Azure AD user authentication (Manual)

When moving your applications to the cloud, it makes sense to start using Azure Services to get the best service, highest availability (SLA) and worry free maintenance provided by Azure. The next step is to use Azure AD identities with Azure SQL Database.

Schematic overview of Azure SQL with AAD integration, and optionally synced from on-premise AD.

Within a few steps you will have Azure AD user authentication setup.

Continue reading “Azure SQL configure Azure AD user authentication (Manual)”

Set up Office 365 ATP anti-phishing policies

We all know that phishing is going on all the time. But how to defend your organization against these criminals that want to get your login information! The answer is simple, Office 365 Advanced Threat Protection, or short: ATP.

Image result for office 365 atp

So lets get started and start implementing anti-phishing policies. First go to https://protection.office.com/antiphishing and create a new policy.

Continue reading “Set up Office 365 ATP anti-phishing policies”

How to setup Azure Lighthouse (Manual)

Microsoft released Lighthouse last weekend, and since this is a great feature, I wanted to implement it as soon as possible, but the Microsoft docs might be a bit confusing, so I wanted to simplify the manual, so here it is! We will be using PowerShell, as this makes life so much easier, and faster.

Requirements:

  • Your admin tenant needs to have a valid Azure subscription
  • You need to have a native user account with the new Owner role in the tenant that you want to manage (Customer tenant)
  • Azure PowerShell module: AZ (Install-Module -Name az)
Continue reading “How to setup Azure Lighthouse (Manual)”

AD Connect Force synchronization

If you have an AD Connect server, you sometimes require a faster sync than the default 30 minutes. This can be done very easily by entering one Powershell command. Open a Powershell window, and load the AD Connect Sync Powershell module:

Import-Module ADSync

Once imported, you have 2 options. For a full sync, type the following command:

Start-ADSyncSyncCycle -PolicyType Initial

For just syncing the changes, type the following:

Start-ADSyncSyncCycle -PolicyType Delta

Go Azure AD joined with on-prem DC and fileserver!

Wouldn’t be cool to migrate all your laptops and desktops to Azure AD, but still have your on-premise file server for the people that can’t say goodbye to their network drives?

Now it is possible! Azure is supporting out of the box, Azure AD domain joined devices to connect with their on-premise domain joined counterparts with credentials (Kerberos) to the good old file and print server!

Requirements

To be able to set this up, you will still need a traditional domain controller with a file/print server. On top of that you will need to synchronize the identities to Azure AD. Make sure that you enable password sync, and start joining the devices to Azure AD.

One other important thing, your device needs to be Windows 10 1607 or higher! Older versions of Windows 10 do not support the Kerberos authentication.

If you now want to map a network drive with the existing NTFS permissions, just map the drive, and start using like you used to do before!

Let’s go password less, because passwords are bad! Part 2

Last week we talked about why passwords are bad. Today we will continue with part 2, how to get the passwords gone, and we will zoom in on Windows Hello for Business!

Afbeeldingsresultaat voor windows hello logo

So what is Windows Hello? Windows Hello is a modern way of authenticating users on their laptop, where this will be a two factor authentication. The first factor is the integrated TPM chip in the device, and the 2nd factor is the bio-metric of the user.

By enabling the TPM chip and the bio-metric data from the end user we will eliminate the need of a password on the users device. Off course the user can use his password to unlock the device in case bio-metric verification fails because of different reasons.

If you have a on-premise domain with Windows Hello for business enabled, it is also possible to enable the convenience PIN, however, I wouldn’t recommend it, as Microsoft has disabled this in Azure AD as well. In short:

  • Windows Hello for Business is: An asymmetric key-pair protected and stored in the TPM, unlock with PIN or Bio-metric Authentication
Continue reading “Let’s go password less, because passwords are bad! Part 2”

Let’s go password less, because passwords are bad! Part 1

Quite a statement, passwords are bad? Today I’d like to explain why you should work on better security by using other authentication methods than just 1 password.

Gerelateerde afbeelding

Why passwords are bad

Password are problematic, very often you see that passwords fall in the hands of unpleasant people. Here are a few things that might happen with a password:

Continue reading “Let’s go password less, because passwords are bad! Part 1”

Reset Azure AD User password with a predefined password

In the Azure portal you can reset the password of a user, but this is always a temporary password. But PowerShell to the resque again, lets set the password in Azure AD with PowerShell with a predefined password! On your Windows device open a PowerShell prompt and connect to Azure AD. (Click here if you don’t know how to)

First we need to get the object ID from the user where we want the password to be reset. Run the following command (replace emailadres):

Get-AzureADUser -filter "userPrincipalName eq 'username@2azure.nl'"

Copy the ObjectId from the user where you want to have the password reset. And run the following commands (replace the password text for the new password):

$password = ConvertTo-SecureString 'Please enter the new password' -AsPlainText -Force

Set-AzureADUserPassword -ObjectId  "a8d5e982-6c3d-406e-a533-a21b275e3d37" -Password $password

How to deploy Azure Active Directory Domain Services (AD DS)

Today we will learn how to deploy Azure AD Domain services. So let’s go to the Azure portal and let’s get you started!

Step 1: Go to Azure AD Domain Services and create a new Azure AD Domain services!

Step 2: Now we can start te setup of ADDS, fill in your preferred domain name. You can leave the default which is the same as your Azure Active Directory name ending with .onmicrosoft.com, but I would recommend a public URL like in my case adds.2azure.nl.

Continue reading “How to deploy Azure Active Directory Domain Services (AD DS)”

Office 365 MFA is free of charge!

Where Azure MFA is only included in the paid Azure Active Directory Premium subscriptions (P1/P2 and EM+S suites), there is a free version for the Office 365 apps.

It is always a good idea to enable multi factor authentication, in case your credentials get stolen, the thief will not be able to use them because of the 2nd authentication factor. Microsoft is encouraging all their users to start using MFA, so the made it free of charge for all the apps of the office 365 suite, including Outlook, Teams, Excel, Word and many more.

First Sign in screen

The 2 factor authentication can be setup up fairly easily by the end users self. This can be enforced by the administrator by requiring 2 factor authentication. The first time a user logs on, he or she will get a notification message to setup MFA. Or you can redirect your users to the following portal to setup MFA: https://aka.ms/mfasetup

How to setup MFA for your end users?

In the office 365 portal go to the Active Users tab, and go to the Setup multifactor authentication page (see below)

In the preview version of the admin center, the More menu on the Active Users page, with Setup Azure multi-factor auth selected.
Continue reading “Office 365 MFA is free of charge!”

What is Microsoft Enterprise Mobility + Security (EM+S)?

Enterprise Mobility + Security is a Microsoft solution specially developed for management and securing users, company data and applications. This gives you and your users always secured access to your company information without ever worrying about security!

With EM+S we are moving from a managed device to data management and security. This means that it will not only protect your device, but most important, it will take care of security on a document level where you can prevent that confidential data is readable by unauthorized persons.

By using this security suite you can prevent abuse of stolen credentials when one of your users is tricked by a phishing email. You can limit access to company data to only trusted devices (Company and BYOD) by using the Intune portal. But we can limit access to it as well with IP black / white listing. This includes Geoblocking as well, it is impossible to travel from the Netherlands to Russia for example in 5 minutes.

To protect your valuable company data I recommend to always use EM+S for optimal protection. If you want the security to be at its best, E5 is your way to go!

Main features

  • Simple management and security of your devices
  • Multifactor authentication (MFA)
  • Selfservice portal for password reset en securitygroep management
  • Application company portal
  • Mobile device management (MDM)
  • Integrated device management (Laptop/Desktop)
  • Securing company data en restrict access to company data
  • Conditional access (geo-blocking and more)
  • Advanced Threat Protection with reporting
  • Risk-Based conditional access (E5 only)
  • Privileged identity management (E5 only)
  • Intelligent data classification and labeling (E5 only)
Continue reading “What is Microsoft Enterprise Mobility + Security (EM+S)?”