Intune Endpoints Through Proxies or Corporate Firewalls

Microsoft previously submitted all the urls  and ip ranges for the Office365 platform on docs.microsoft.com. Now there is a new Office365 IP Web Service , HERE 

It would be great if this dynamic ip services covered all services in Office365  that can be updated in firewalls and proxies. Unfortunately it does not.

Intune is an amazing service from Microsoft but if you do not white-list the endpoints listed HERE

Features like Bitlocker, x86 custom app deployments, Windows 10 Security Baselines will fail.

Microsoft Cloud Service for Global Enterprise Organisation

Even I get confused when it comes to all the different options available with Microsoft cloud services.Some of my global customers have engaged with business analyst to perform the task of user profiling to try and establish what licenses end user really need per division.

One of my customers refused to buy AD premium for all users because they could lock down access by IP-range with ADFS and don’t need to license 23k users for AD premium. This is a very valid use case when you do the numbers and saves a lot of money.

Some of my customers want conditional access but do not have a compatible version of Office or OS and when the cost associated with bringing the desktop to a suitable level for conditional access for 10, 20k user sites, they are most often binned.

For global roll outs of Office365 , I aways recommend the use of a business analyst for user profiling to get the best value for your client or customer.

Microsoft always get their money!!!

Exchange On-Premise Mailbox will not MIGRATE

I recently encountered an issue which I have seen before but never this bad and more commonly with Public Folders. My customer had a 50GB mailbox that also had an archive mailbox. The mailbox would get so far and just stall and never complete.

So I tried all of some of the usual methods to repair the mailbox to no avail.
Repair the mailbox with PowerShell & Migrate the mailbox to another Exchange database

So we asked the customer could we review the mailbox and found thousands of folder in the format of 16/04/2019. Exchange does not like / , Exchange normally sees / as the top of the information store. So my first attempt to resolve this was powershell and could not seem to crack it. Thanks to my colleague Mark Doyle  ,We resolved this issue with an Outlook Macro.

So if you ever encounter this unique issue , Please follow these steps.

  1. Browse to the Outlook Trust Center
  2. Macro Settings, Select Notifications for all Macros
  3. Press Alt + F11 to open Visual Basic
  4. Double click “This Outlook Session” under Microsoft Outlook Objects
  5. Paste  this TEXT below into the window
  6. Click on the folder or inbox that you want , And run the Macro
  7. Input character we want to replace in this case will be /
  8. Then select . as the replacement character
  9. Finally task complete

Final Comment

This is in no means an enterprise solution and I asked Microsoft for help and didn’t get anywhere. Once we removed the / , We could see when checking get-moverequeststatistics (mailbox) , that it was getting past the ‘create folder hierarchy’ stage in a mailbox move. And we did not need to tell our customer , Sorry this mailbox cannot be migrated!

Azure AD Combined security information registration

One of the glaring holes in the SSPR and MFA registration process was when bad actors that had compromised credentials could register for SSPR or MFA if the compromised account had not already registered.

One of my customers highlighted this to me and the way we overcame the vulnerability was to populate Active Directory with mobile numbers and through powershell force the authentication method to text message and not give an end user the choice.

Finally Microsoft have released a feature that can lock down the SSPR an MFA registration process to a corporate ip or ip ranges, the following slides show how we enable this in a conditional access policy.

  1. Select all users and exclude the tenant Office365 admin breakglass account.
  2. Select cloud apps or actions and select the ‘Register Security information (preview)’ option.
  3. In location select from any location
  4. Exclude all trusted locations
  5. In the controls section , Select ‘Grant Access’ and ‘Require multi-factor authentication.

Reference: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Conditional-access-for-the-Azure-AD-combined-MFA-and-password/ba-p/566348

Office365 & Intune White list URL and IP Range

For years I have fought tooth and nail with Security vendors on my enterprise customer sites that will typically have a corporate proxy or silent proxy like Palo Alto by tryng to get them to grant the customer,site or project access to Office365.

Microsoft have made the Office365 endpoints dynamically available as a web link which all enterprise firewall vendors support like Cisco, Juniper, Palo Alto can connect to.

Palo Alto guide HERE

Microsoft site Office 365 URLs and IP address ranges
Dynamic URL for firewalls and proxies 

I have faced on numerous occasions , issues with ip ranges that are outside the published Microsoft ranges. When my customer asked me what is this IP address , I cannot say it is mine and then need Microsoft to verify via a service ticket that they own the ip address.

My recommendation is also to white list the urls and ip ranges listed in this Microsoft article when using Intune. Intune network configuration requirements and bandwidth

Microsoft IP ranges outside the published ip ranges have affected me on customer project sites with Office365 ProPlus activation and Intune managed BitLocker encryption.

Hybrid Azure AD Joined Devices

Anyone familiar with conditional access, will have noticed this access control in Conditional Access policies. So what does it mean , How can I enable this, Is this a good feature.

This is not a good feature, it is an excellent feature. The best way to describe this control requirement is as follows. DO NOT GRANT access unless the machine is DOMAIN JOINED. Many enterprise companies have corporate wifi rolled out and only permit access to the corporate wifi via credentials and a machine certificate issued by the local certificate authority.

AD Connect keeps getting better and better and Microsoft have made it so easy to enable this feature. The following screenshots ill demonstrate how easy it is to enable this feature.

Modify the configuration of AD Connect and select ‘Configure Device Options’

Enter Azure AD Credentials

Note: Only select the second option ‘Supported Windows domain level domain-joined devices if you are using Azure Seamless Sign On, Azure Seamless Sign on provides the functionality to support Windows 7 and above operating systems.

Then enter enterprise admin on-premise credentials as per the image below.

Download and run the PowerShell script using on-premise enterprise admin credentials that AD Connect has prepared as per image above.

Next step is to follow this Microsoft Article : To enable auto enrollment of Windows Devices.

Now that we have enabled device auto enrollment into Intune, What are the benefits?

  • Intune Device Management – Intune can manage 5 devices per user license
  • Conditional Access Policy Control : Hybrid Azure AD objects
  • Intune – Bitlocker Management
  • Azure Dynamic Machine groups can be a useful method for managing global or large enterprise organisations.
  • Windows 10 Security Base Lines
  • Intune integration with Windows Defender ATP

These are just a small number of benefits , Open to comments on more benefits.

Update: 24.05.2019

Follow THIS Microsoft guide and block downloading from SharePoint Online on no domain joined devices

eDiscovery for Exchange Online Data at Rest

  • It is not possible to search for sensitive information types when selecting Exchange Online mailboxes as the data source , Office 365 User Voice REQUEST
  • It is possible to search for the items specified in this Microsoft ARTICLE and via KeyWord

The screen shot below is from an Office365 E5 Advanced eDiscovery query that shows these types of searches are not supported

LETS HOPE MICROSOFT RESOLVE THIS ONE!