About Sean O'Farrell

Behind the scenes of this blog is me, Seán O'Farrell. I am a Solution Architect with Evros Technology Group in Dublin, Ireland. You can find me on Linkedin My blog posts are completely my own views & provide no warranty. My blog posts are in no way affiliated with my current employer, Microsoft, Quest or any vendor’s technologies mentioned in my blog. I started my blog in 2009 and at this point in time I was not even aware of the Microsoft MVP programme, having a family and a very busy career in some ways held me back from the commitment it takes to obtain the prestigious MVP award. A lot of my colleagues that I have worked with for over 10 years are MVPs. Over the years some of my clients have presented my blog posts by searching the net to resolve problems and some vendors have officially published some of my blog posts. I acquired the domain informationprotection.ie, I was surprised the domain name was available, given all the so called GDPR experts that have suddenly appeared. I have focused on Office365 since before BPOS and the Office365 platform is now a mature platform, the Office365 skillset is not so special anymore and a standard requirement for most IT professionals, Since the start of 2018 nearly all of my professional services engagements have been focused on Office365 & Azure security. I am going to try and focus on Microsoft cloud security with this blog and invite guest peers to post security blog postings. I do not want to post generic material and always want to post items that are unique and will help people in the industry. If you have found the blog helpful in any way, and/or like what I am doing, please nominate me for the Microsoft MVP award here. It's very quick and easy, fill in your own details, then the details in the screen grab below for me. Thank you!

Exchange Online to Exchange On-Prem Free \ Busy Not Working

Free busy not working in an Exchange 2016 CU17 Hybrid environment.

When a customer forgets to tell you that they previously configured Exchange Hybrid using the Modern hybrid agent, The modern hybrid agent leaves behind some configuration settings that prevent free-busy working from EOL to EOP.

I always use the classic hybrid wizard for organisations that require long term rich co-existence.

The frustrating this with this issue is that the Exchange Remote Connectivity analyzer tests WORK, which would lead you to believe everything is ok and configured correctly. But when you attempt to query availability requests for a user or resource from OWA or Outlook , the look up fails.

What does the Hybrid Agent leave behind in Exchange Online?

Two values are populated that will prevent free \ busy from EOL to EOP working.

  • OrganizationRelationship -targetsharingepr
  • Intraorgconnector -targetsharingepr

When you query these values , You may see a value like   https://a75aa21a-2f8d-4b2e-85fe-1234.resource.mailboxmigration.his.msappproxy.net/EWS/E

To resolve the issue run the following commands

  1. set-intraorgconnector -TargetSharingEpr $null
  2. set-OrganizationRelationship “Name of Org Relationship” -TargetSharingEpr $null

Teams Calendar Integration with on-premise Exchange calendars

One of the pre-requisites for Teams (online) integration with Exchange on-premise calendars is oauth authentication.

Sometimes solution providers just install a single or multiple Exchange 2016 servers to ensure the oauth pre-requisite is delivered. However if the project scenario requires Exchange on-premise mailboxes to be migrated as quickly as possible to  Exchange Online then it may seem overkill to implement Exchange 2016 servers during this transition period.

Exchange 2013 CU24 and above does not complete the oauth authentication part of the Hybrid wizard, however Microsoft do have an article on how to configure OAUTH for Exchange 2013.

Configure OAUTH for Exchange 2013 :

This solution works perfectly and allows an organization to transition from Exchange 2013 to Exchange Online without the requirement for Exchange 2016 servers and enables Teams to interact with Exchange 2013 on-premise calendars.

Azure AD Conditional Access Policies Best Practices

Every organisation is different and has different requirements. I have been working with conditional access for quite some time and have settled on the following policies for every organisation.

Create a security group that contains users that are permitted to access the organisations cloud services when outside of trusted locations.

Blocked Countries Conditional Access Policy

  • All Users
  • Exclude Break Glass Admin account
  • All Cloud Apps
  • Location : Blocked Countries that have been setup in the named locations section of Azure Conditional Access.
  • Access Control : Block Access

Blocked External Access

  • All users , except Break Glass Admin account and security group that contains users that are permitted access.
  • All Cloud Apps
  • Locations : Any location except trusted locations
  • Access Control : Block Access

Permit External Access 

  • Users : security group that contains users that are permitted access.
  • All Cloud Apps
  • Locations : Any location except trusted locations
  • Client Apps
    Mobile apps and desktop clients
    Modern authentication clients
  • Grant Access : Require all of these controls
    Require Multi factor Authentication
    Require Hybrid Azure AD joined device
    Require approved client app
    Terms of Use

Mobile Device Access

  • Users : security group that contains users that are permitted access.
  • Exchange Online
  • Locations : Any location except trusted locations
  • Device Platforms : Android & IOS
  • Client Apps
    Mobile apps and desktop clients
    Modern authentication clients
  • Grant Access : Require all of these controls
    Require Multi factor Authentication
    Require device to be marked as compliant (Enrolled in Intune)
    Require approved client app

Why still enable MFA for the mobile device access policy. When the Microsoft Authenticator application is installed on an Android or IOS device. It acts like an SSO broker and can communicate with the modern authentication Microsoft Outlook client.

Block Legacy Protocols

Simply replicate the legacy : Baseline policy: Block legacy authentication (Preview)

Azure Privileged Identity Management to lock down provision of Virtual Machines in Azure

In my previous post on how to secure Office 365 Roles and this post is about how to secure Azure Resources.

Office365 and Azure Active Directory have a number of roles that are familiar like global administrator , compliance administrator etc. One of the most common use cases for Azure PIM it to request just in time access to the global administrator role

As organisations extend their networks into Azure , Azure subscription’s costs can sometimes spiral out of control. And this post will demonstrate the technical steps required to lock down the ‘virtual machine contributor’ role with Azure Privileged Identity Management, so that it requires finance department or senior it approval to create virtual machines in Azure, and the process around making technical admin staff eligible for the ‘virtual machine contributor role’

An example of how Azure costs could spiral , An Azure Admin , provisions the most expensive high performance virtual machine available in Azure, makes the VM geo-redundant, adds in a few ultra disks and a few Terra Bytes of Azure Blob Strage.

If there are multiple Azure subscriptions, The eligible users and app-rovers will need to be configured per subscription.In the image below we want to manage Azure Resources.

We click on Azure Resources and then click on settings.

Add the app-rovers for the role and ensure the app-rovers have mailboxes so that they receive the email notification
Next step is to add eligible users for the virtual machine contributor role.
Now any admin that needs to provision a virtual machine in Azure has to follow a workflow and can only do so when senior IT resources or finance department users have approved the provision of the virtual machine

SAML Single Sign On SSO WordPress Using Azure AD

Mini Orange is a great plugin for SAML SSO integration into Azure AD.
Their documentation is located HERE

The documentation misses a few key points.

Microsoft Authentication Prompts

When securing cloud services like Office365 with Azure MFA , End User education and adoption is absolutely critical. Not all organisations’ can afford Azure Active Directory Premium Edition Plan 2 or M365 E5 subscriptions.

Azure Identity Protection provides dynamic protection against the following scenarios.

  • Atypical travel
  • Anonymous IP address
  • Unfamiliar sign-in properties
  • Malware linked IP address
  • Leaked Credentials
  • Azure AD threat intelligence

In the event of credentials being compromised the bad actor must get past the next level of authentication which will normally be the Microsoft Authenticator App or a text message.

It is critical to educate end users : DO NOT APPROVE random authentication requests. If an end user is on leave and not attempting to access their cloud resources there should be no reason to approve multi factor authentication challenges.

Locking down Azure Active Directory

Azure Active Directory has excellent security with conditional access being one of the most widely used tool to protect Azure Active Active Directory.

The sceen shot below shows the default settings for an Azure AD Premium Plan 2 tenant.

The information tab on the user consent to apps accessing company data on their behalf reads like this:

If this option is set to yes, then users may consent to allow applications which are not published by Microsoft to access your organization’s data, if the user also has access to the data. This also means that the users will see these apps on their Access Panels.
If this option is set to no, then admins must consent to these applications before users may use them.

So in the scenario where a phishing email slipped through the cracks and an end user grants access to a non Microsoft application to their organizations’s data. We do not want that to happen!!!!

The correct setting is listed below
Application administrators should be granted the application administrator role in Azure Active Directory , Then the next time an and user wants to add an application, the application administrator will receive an email and can approve from his\her Outlook client.

The next time an end user or IT staff member wants to add an application to Azure AD, Do not just simply grant the global administrator role.

User Azure Privileged Identity Management and Application Administrator Roles!

Quest Migration Manager for AD – UPN change mid project

I recently encountered a unique scenario when using Quest Migration Manager for Active Directory. I was in the process of migrating 3 AD Forests into a new AD Forest. I had already migrated 1200 users into the new AD Forest and at the time of migration the UPN’s were contoso.com.

My customer then decided to change all UPN’s and primary smtp domains to @fabrikam.com in the middle of the project. This caused a big problem when computer accounts were being migrated. After the computer account had completed migration to the new domain, the user’s UPN was @contoso.com. Which meant the user had to change their UPN to login instead of just simply entering their existing AD password that they were previously using.

So how do we resolve this issue.Right click on the properties of the domain pair as per image below
Next change target domain to contoso.com or a fqdn of a domain controller in contoso.com

Next modify the security settings and set the domain suffix to fabrikam.com
Finally stop and start the synchronization task.

Once this has been completed, when computer accounts are migrated the correct UPN will be populated and users simply need to enter their existing AD password.

Dynamically Assign AIP Policies

In a previous post on how to dynamically assign Intune licenses using Azure dynamic user security groups.

When an organisation has configured global labels like the default labels displayed below. An organisation can choose to apply a policy to all users or all Azure Information Protection Plan 1 licensed users or all Azure Information Protection Plan 2 licensed users.

Azure Information Protection Plan 1 Azure Security Group

Create an Azure Active Directory Dynamic User Security Group , Edit the query and enter the query below for Azure Information Protection Plan 1 licensed users.

user.assignedPlans -any (assignedPlan.servicePlanId -eq “6c57d4b6-3b23-47a5-9bc9-69f17b4947b3” -and assignedPlan.capabilityStatus -eq “Enabled”)

Azure Information Protection Plan 2 Azure Security Group

Create an Azure Active Directory Dynamic User Security Group , Edit the query and enter the query below for Azure Information Protection Plan 2 licensed users.

user.assignedPlans -any (assignedPlan.servicePlanId -eq “689bec4-755d-4753-8b61-40975025187c” -and assignedPlan.capabilityStatus -eq “Enabled”)

If the during the creation of the group , it fails with an error , delete the “” that encapsulates the “guid” and “enabled” within the query and use your keyboard to replace the “” if you are copying them from this blog post.

So this solution enables administrators to apply policies to all AIP plan 1 and plan 2 licensed users and because it is dynamic , it will catch all new employees in the organisation.

Transitioning to Outlook Mobile

I always recommend the Outlook mobile client to my customers as this application can be included in an Intune app configuration & protection policy to protect and encrypt corporate data.

One of the features that the native IOS & Android mail client provides to end users is the illusion that the global address list of the organisation that they work for is in their native contacts. So when an end user searches for users in their company they expect to get the contact information instantly. Users must use Outlook Mobile.

End users mostly complain about loosing this feature but the argument is security comes first and Outlook Mobile is more secure!  It is very difficult to find the balance between security and productivity.

Android Outlook Mobile Cheat Sheet
IOS Outlook Mobile Cheat Sheet
Deploying Outlook for iOS and Android app configuration settings

Why use Outlook Mobile?

Content via Ignite 2019 Slide Deck

  • Consistent new features and security patches from Microsoft
  • In BYOB scenario , Corporate email profiles are encrypted via Intune App Protection policy
  • Azure Information Protection integration
  • Sensitivity Labels
  • Add a share mailbox to Outlook Mobile