Microsoft Authentication Prompts

When securing cloud services like Office365 with Azure MFA , End User education and adoption is absolutely critical. Not all organisations’ can afford Azure Active Directory Premium Edition Plan 2 or M365 E5 subscriptions.

Azure Identity Protection provides dynamic protection against the following scenarios.

  • Atypical travel
  • Anonymous IP address
  • Unfamiliar sign-in properties
  • Malware linked IP address
  • Leaked Credentials
  • Azure AD threat intelligence

In the event of credentials being compromised the bad actor must get past the next level of authentication which will normally be the Microsoft Authenticator App or a text message.

It is critical to educate end users : DO NOT APPROVE random authentication requests. If an end user is on leave and not attempting to access their cloud resources there should be no reason to approve multi factor authentication challenges.

Locking down Azure Active Directory

Azure Active Directory has excellent security with conditional access being one of the most widely used tool to protect Azure Active Active Directory.

The sceen shot below shows the default settings for an Azure AD Premium Plan 2 tenant.

The information tab on the user consent to apps accessing company data on their behalf reads like this:

If this option is set to yes, then users may consent to allow applications which are not published by Microsoft to access your organization’s data, if the user also has access to the data. This also means that the users will see these apps on their Access Panels.
If this option is set to no, then admins must consent to these applications before users may use them.

So in the scenario where a phishing email slipped through the cracks and an end user grants access to a non Microsoft application to their organizations’s data. We do not want that to happen!!!!

The correct setting is listed below
Application administrators should be granted the application administrator role in Azure Active Directory , Then the next time an and user wants to add an application, the application administrator will receive an email and can approve from his\her Outlook client.

The next time an end user or IT staff member wants to add an application to Azure AD, Do not just simply grant the global administrator role.

User Azure Privileged Identity Management and Application Administrator Roles!

Quest Migration Manager for AD – UPN change mid project

I recently encountered a unique scenario when using Quest Migration Manager for Active Directory. I was in the process of migrating 3 AD Forests into a new AD Forest. I had already migrated 1200 users into the new AD Forest and at the time of migration the UPN’s were contoso.com.

My customer then decided to change all UPN’s and primary smtp domains to @fabrikam.com in the middle of the project. This caused a big problem when computer accounts were being migrated. After the computer account had completed migration to the new domain, the user’s UPN was @contoso.com. Which meant the user had to change their UPN to login instead of just simply entering their existing AD password that they were previously using.

So how do we resolve this issue.Right click on the properties of the domain pair as per image below
Next change target domain to contoso.com or a fqdn of a domain controller in contoso.com

Next modify the security settings and set the domain suffix to fabrikam.com
Finally stop and start the synchronization task.

Once this has been completed, when computer accounts are migrated the correct UPN will be populated and users simply need to enter their existing AD password.

Dynamically Assign AIP Policies

In a previous post on how to dynamically assign Intune licenses using Azure dynamic user security groups.

When an organisation has configured global labels like the default labels displayed below. An organisation can choose to apply a policy to all users or all Azure Information Protection Plan 1 licensed users or all Azure Information Protection Plan 2 licensed users.

Azure Information Protection Plan 1 Azure Security Group

Create an Azure Active Directory Dynamic User Security Group , Edit the query and enter the query below for Azure Information Protection Plan 1 licensed users.

user.assignedPlans -any (assignedPlan.servicePlanId -eq “6c57d4b6-3b23-47a5-9bc9-69f17b4947b3” -and assignedPlan.capabilityStatus -eq “Enabled”)

Azure Information Protection Plan 2 Azure Security Group

Create an Azure Active Directory Dynamic User Security Group , Edit the query and enter the query below for Azure Information Protection Plan 2 licensed users.

user.assignedPlans -any (assignedPlan.servicePlanId -eq “689bec4-755d-4753-8b61-40975025187c” -and assignedPlan.capabilityStatus -eq “Enabled”)

If the during the creation of the group , it fails with an error , delete the “” that encapsulates the “guid” and “enabled” within the query and use your keyboard to replace the “” if you are copying them from this blog post.

So this solution enables administrators to apply policies to all AIP plan 1 and plan 2 licensed users and because it is dynamic , it will catch all new employees in the organisation.

Transitioning to Outlook Mobile

I always recommend the Outlook mobile client to my customers as this application can be included in an Intune app configuration & protection policy to protect and encrypt corporate data.

One of the features that the native IOS & Android mail client provides to end users is the illusion that the global address list of the organisation that they work for is in their native contacts. So when an end user searches for users in their company they expect to get the contact information instantly. Users must use Outlook Mobile.

End users mostly complain about loosing this feature but the argument is security comes first and Outlook Mobile is more secure!  It is very difficult to find the balance between security and productivity.

Android Outlook Mobile Cheat Sheet
IOS Outlook Mobile Cheat Sheet
Deploying Outlook for iOS and Android app configuration settings

Why use Outlook Mobile?

Content via Ignite 2019 Slide Deck

  • Consistent new features and security patches from Microsoft
  • In BYOB scenario , Corporate email profiles are encrypted via Intune App Protection policy
  • Azure Information Protection integration
  • Sensitivity Labels
  • Add a share mailbox to Outlook Mobile


Azure AD Connect 1.4.38.0 authentication error

I started to notice that Azure AD connect was failing and had a look in the console and seen the error message in the console displayed in the image below

Then when I tried to run the command Start-ADSyncSyncCycle -PolicyType delta ,  I received a long list of authentication errors.

To resolved the issue browse into properties of the Azure Active Directory account and copy the account name onto the clipboard.

Next add this account in as an excluded account from conditional access policies the same way a break glass cloud identity admin account would be excluded from conditional access policies.

As soon as the sync account has been added to the exclusions , syncs will resume

Maintaining Exchange on-premise storage during migrations

Now that Microsoft have announced that Exchange 2010 support will end in October 2020 a lot of organisations are moving to Exchange 2016, 2019 or hopefully Exchange Online.

For enterprise organisations , the migration topology will include two Exchange 2016 servers that are load balanced via an F5 , Citrix Net Scaler or my preferred choice a Kemp load balancer. Autodiscover services for the smtp domains will be transferred to the new virtual IP and the service will be provided by the new Exchange 2016 servers that will proxy access requests to Exchange 2010 hosted mail resources.

The new virtual IP for load balancing services will become the target for the Exchange Online migration endpoint.

The Exchange Online Hybrid wizard licenses the new Exchange 2016 servers as part of the Hybrid configuration process , the Hybrid license does not permit the hosting of mailboxes. One of the problems with Exchange server since Exchange 2013 is log file growth. This post will demonstrate a scheduled task i always create on Hybrid servers.

The task schedules Edward van Biljon script available to download HERE

These log files are mostly IIS log files and not Exchange database log files as no mailboxes are hosted on the Hybrid server. But if an organisation is moving thousands of mailboxes to Exchange Online and not clearing down these logs, then they will run into issues. I have often reclaimed 20 -30GB of disk storage from running this script as a scheduled task.

Drawing1

The next section to consider is Exchange Database logs. Most vendors like

  • Commvault
  • Veeam
  • Veritas

perform an excellent backup service and are typically scheduled to run outside of business hours. Exchange backups are critical to truncate logs and become even more critical in an Exchange DAG. I have worked on previous projects that migrated Lotus Notes or Groupwise to Exchange and the log files grew too quick and could not wait till the daily evening backup. This issue can also arise in Exchange Hybrid native migrations due to the volume of traffic being migrated.

Most Exchange backup vendors communicate with VSS , It is critical that Exchange truncates the mailbox database logs , as there will be corruption in the databases’ if Exchange cannot perform this task.

If there is a scenario where the Exchange database and log volume is running out of space , Microsoft have an excellent utility called diskshadow which has been around for a long time. So essentially we trick Exchange into thinking a full backup has been performed and here are the simple steps if an Exchange Server database was installed on the system volume.

DiskShadow

This process should only be used in emergencies, Business as Usual backup schedules should normally ensure Exchange volumes do not run out of space but during migrations from an Exchange 2010 to Exchange Online or Lotus Notes to Exchange on-premise or online , the log files fill up really quick and even more so if there 3 or more databases that are members of a DAG

The final option for reclaiming space is offline de-fragmentation databases to claim white space. And only choose this option when all mailboxes have been migrated as it can take a long time and requires downtime.