With the Azure AD Premium P2 license you are entitled for Azure AD Identity Protection. You will get the option in Conditional Access to assign risk level based options to your policies. Azure AD Identity Protection can detect six different types of suspicious sign-in activities with 3 different levels of risks.
With the riks levels combined with conditional access policies we can protect sensitive application and data access. With this article I am going to show you how to create risk-based conditional access policies
So let’s create a Policy and get Conditional Access applied with risk levels
Multi Factor Authentication (MFA) is an added security feature from Azure which I believe that should be enabled by default for everybody in Office 365 and Azure. There for this manual how to enforce (Azure) MFA for all users using Azure Multi Factor Authentication
MFA can prevent unauthorized access in case of the following events:
Sign-ins from anonymous IP addresses
Impossible travel to atypical locations
Sign-ins from unfamiliar locations
Sign-ins from infected devices
Sign-ins from IP addresses with suspicious activities
Using Conditional access we can ensure that your users and company data is safe. Important to know is that Office 365 MFA is free of charge, and if you have Azure AD applications an Azure AD Premium license is required.
If you want to mark your locations as trusted location, you can do that if you have a static public IP. So the first steps are there to define your office locations.
Last few weeks I’ve been struggling with an very difficult Office 365 / Exchange Online case, that got escalated to multiple Microsoft departments to be fixed. I already found one part of the solution, but Microsoft found the second part. Today I would like to take you through all the steps to fix possible causes and resolutions. So the initial problem started with the following error in the Office 365 admin portal with the affected users:
Another symptom is the mailbox provisioning gets stuck, and hangs on “We are preparing a mailbox for this user”
You will only see this error with AD connect sync enabled environments. The problem occurs when the on-premise value mismatches with the Online Archive Guid. With just a few easy steps we can fix this issue.
We will need to fill multiple Active Directory user attributes to resolve this issue.
With Azure Conditional access you get more control over your data, get better security and visibility! To use this feature you will need to buy and assign Azure AD Premium or EM+S E3/E5 licenses to your users.
This manual can be used to enforce the use of the Outlook app on IOS and Android devices by blocking all apps that do not support Modern Authentication like iOS mail and Google mail client.
Step 1: In the Azure Portal go to Conditional Access. On the first page that you get create a New policy
With the transition to Azure AD, you might want to connect your AAD joined devices to the traditional file server as explained in this article: Go Azure AD Joined with on-prem DC and fileserver The next step is to map some network drives with Intune!
Step 1: The first step is to create a PowerShell script that will do the actual drive mappings. This script will be placed on a Azure Blob storage (or your internal domain) where you will be able to manage and maintain the script. This script will be run using a second script that we will deploy with Intune. For your convenience I’ve already prepared the script:
When moving your applications to the cloud, it makes sense to start using Azure Services to get the best service, highest availability (SLA) and worry free maintenance provided by Azure. The next step is to use Azure AD identities with Azure SQL Database.
Within a few steps you will have Azure AD user authentication setup.
We all know that phishing is going on all the time. But how to defend your organization against these criminals that want to get your login information! The answer is simple, Office 365 Advanced Threat Protection, or short: ATP.
Microsoft released Lighthouse last weekend, and since this is a great feature, I wanted to implement it as soon as possible, but the Microsoft docs might be a bit confusing, so I wanted to simplify the manual, so here it is! We will be using PowerShell, as this makes life so much easier, and faster.
Your admin tenant needs to have a valid Azure subscription
You need to have a native user account with the new Owner role in the tenant that you want to manage (Customer tenant)
Azure PowerShell module: AZ (Install-Module -Name az)
If you have a ADFS server for your user authentication in Office 365 / Azure AD, and you want to use Pass Through Authentication and/or password Hash Synchronization we will need to change a few things and run a few Powershell commands.
So before we can change the domain to managed, verify if your domain has password sync enabled using the AD connect wizard:
If you have an AD Connect server, you sometimes require a faster sync than the default 30 minutes. This can be done very easily by entering one Powershell command. Open a Powershell window, and load the AD Connect Sync Powershell module:
Once imported, you have 2 options. For a full sync, type the following command:
Wouldn’t be cool to migrate all your laptops and desktops to Azure AD, but still have your on-premise file server for the people that can’t say goodbye to their network drives?
Now it is possible! Azure is supporting out of the box, Azure AD domain joined devices to connect with their on-premise domain joined counterparts with credentials (Kerberos) to the good old file and print server!
To be able to set this up, you will still need a traditional domain controller with a file/print server. On top of that you will need to synchronize the identities to Azure AD. Make sure that you enable password sync, and start joining the devices to Azure AD.
One other important thing, your device needs to be Windows 10 1607 or higher! Older versions of Windows 10 do not support the Kerberos authentication.
If you now want to map a network drive with the existing NTFS permissions, just map the drive, and start using like you used to do before!
Last week we talked about why passwords are bad. Today we will continue with part 2, how to get the passwords gone, and we will zoom in on Windows Hello for Business!
So what is Windows Hello? Windows Hello is a modern way of authenticating users on their laptop, where this will be a two factor authentication. The first factor is the integrated TPM chip in the device, and the 2nd factor is the bio-metric of the user.
By enabling the TPM chip and the bio-metric data from the end user we will eliminate the need of a password on the users device. Off course the user can use his password to unlock the device in case bio-metric verification fails because of different reasons.
If you have a on-premise domain with Windows Hello for business enabled, it is also possible to enable the convenience PIN, however, I wouldn’t recommend it, as Microsoft has disabled this in Azure AD as well. In short:
Windows Hello for Business is: An asymmetric key-pair protected and stored in the TPM, unlock with PIN or Bio-metric Authentication
In the Azure portal you can reset the password of a user, but this is always a temporary password. But PowerShell to the resque again, lets set the password in Azure AD with PowerShell with a predefined password! On your Windows device open a PowerShell prompt and connect to Azure AD. (Click here if you don’t know how to)
First we need to get the object ID from the user where we want the password to be reset. Run the following command (replace emailadres):
Today we will learn how to deploy Azure AD Domain services. So let’s go to the Azure portal and let’s get you started!
Step 1: Go to Azure AD Domain Services and create a new Azure AD Domain services!
Step 2: Now we can start te setup of ADDS, fill in your preferred domain name. You can leave the default which is the same as your Azure Active Directory name ending with .onmicrosoft.com, but I would recommend a public URL like in my case adds.2azure.nl.
Where Azure MFA is only included in the paid Azure Active Directory Premium subscriptions (P1/P2 and EM+S suites), there is a free version for the Office 365 apps.
It is always a good idea to enable multi factor authentication, in case your credentials get stolen, the thief will not be able to use them because of the 2nd authentication factor. Microsoft is encouraging all their users to start using MFA, so the made it free of charge for all the apps of the office 365 suite, including Outlook, Teams, Excel, Word and many more.
The 2 factor authentication can be setup up fairly easily by the end users self. This can be enforced by the administrator by requiring 2 factor authentication. The first time a user logs on, he or she will get a notification message to setup MFA. Or you can redirect your users to the following portal to setup MFA: https://aka.ms/mfasetup
How to setup MFA for your end users?
In the office 365 portal go to the Active Users tab, and go to the Setup multifactor authentication page (see below)
Enterprise Mobility + Security is a Microsoft solution specially developed for management and securing users, company data and applications. This gives you and your users always secured access to your company information without ever worrying about security!
With EM+S we are moving from a managed device to data management and security. This means that it will not only protect your device, but most important, it will take care of security on a document level where you can prevent that confidential data is readable by unauthorized persons.
By using this security suite you can prevent abuse of stolen credentials when one of your users is tricked by a phishing email. You can limit access to company data to only trusted devices (Company and BYOD) by using the Intune portal. But we can limit access to it as well with IP black / white listing. This includes Geoblocking as well, it is impossible to travel from the Netherlands to Russia for example in 5 minutes.
To protect your valuable company data I recommend to always use EM+S for optimal protection. If you want the security to be at its best, E5 is your way to go!
Simple management and security of your devices
Multifactor authentication (MFA)
Selfservice portal for password reset en securitygroep management
Application company portal
Mobile device management (MDM)
Integrated device management (Laptop/Desktop)
Securing company data en restrict access to company data
Conditional access (geo-blocking and more)
Advanced Threat Protection with reporting
Risk-Based conditional access (E5 only)
Privileged identity management (E5 only)
Intelligent data classification and labeling (E5 only)
Recently we created an AAD tenant that has no on-premises AD domain counterpart. Now we are facing an issue where we want to be able to use the identities in this tenant to log into some servers. It would appear that we would need to domain join these servers, but we can’t do this without AD. The question is, how can we continue to setup these servers?
But today we are going to install a new domain on-premise. The domain name isn’t relevant for the sync with Azure AD / Office 365. But the UPN for the end users is important! So first we can add the UPN domains by going to the Domain and Trusts console. Add the required domain names.
Within Azure there are multiple ways to setup MFA. Where you would install MFA server in the past, there is a new extension. Microsoft is going to leave the MFA server behind in the near future (security updates will remain being published for now).
Besides the NPS extension and the MFA on-premise server the best practice is to run MFA from the Azure cloud where possible. But that isn’t always an option. So let’s move on to the NPS extension. Lets start with the requirements.
Requirements: – Server 2016/2019 with ADFS version 4 – Server 2016/2019 hosting NPS services which performs Radius authentication. – Users must be synchronized between local Active directory and Azure Active Directory – Azure AD Premium or EM+S license must be assigned to the user – NPS Extension for Azure MFA (Download link: https://aka.ms/npsmfa)