About Sean O'Farrell

Behind the scenes of this blog is me, Seán O'Farrell. I am a Solution Architect with Evros Technology Group in Dublin, Ireland. You can find me on Linkedin My blog posts are completely my own views & provide no warranty. My blog posts are in no way affiliated with my current employer, Microsoft, Quest or any vendor’s technologies mentioned in my blog. I started my blog in 2009 and at this point in time I was not even aware of the Microsoft MVP programme, having a family and a very busy career in some ways held me back from the commitment it takes to obtain the prestigious MVP award. A lot of my colleagues that I have worked with for over 10 years are MVPs. Over the years some of my clients have presented my blog posts by searching the net to resolve problems and some vendors have officially published some of my blog posts. I acquired the domain informationprotection.ie, I was surprised the domain name was available, given all the so called GDPR experts that have suddenly appeared. I have focused on Office365 since before BPOS and the Office365 platform is now a mature platform, the Office365 skillset is not so special anymore and a standard requirement for most IT professionals, Since the start of 2018 nearly all of my professional services engagements have been focused on Office365 & Azure security. I am going to try and focus on Microsoft cloud security with this blog and invite guest peers to post security blog postings. I do not want to post generic material and always want to post items that are unique and will help people in the industry. If you have found the blog helpful in any way, and/or like what I am doing, please nominate me for the Microsoft MVP award here. It's very quick and easy, fill in your own details, then the details in the screen grab below for me. Thank you!

Microsoft Cloud Service for Global Enterprise Organisation

Even I get confused when it comes to all the different options available with Microsoft cloud services.Some of my global customers have engaged with business analyst to perform the task of user profiling to try and establish what licenses end user really need per division.

One of my customers refused to buy AD premium for all users because they could lock down access by IP-range with ADFS and don’t need to license 23k users for AD premium. This is a very valid use case when you do the numbers and saves a lot of money.

Some of my customers want conditional access but do not have a compatible version of Office or OS and when the cost associated with bringing the desktop to a suitable level for conditional access for 10, 20k user sites, they are most often binned.

For global roll outs of Office365 , I aways recommend the use of a business analyst for user profiling to get the best value for your client or customer.

Microsoft always get their money!!!

Exchange On-Premise Mailbox will not MIGRATE

I recently encountered an issue which I have seen before but never this bad and more commonly with Public Folders. My customer had a 50GB mailbox that also had an archive mailbox. The mailbox would get so far and just stall and never complete.

So I tried all of some of the usual methods to repair the mailbox to no avail.
Repair the mailbox with PowerShell & Migrate the mailbox to another Exchange database

So we asked the customer could we review the mailbox and found thousands of folder in the format of 16/04/2019. Exchange does not like / , Exchange normally sees / as the top of the information store. So my first attempt to resolve this was powershell and could not seem to crack it. Thanks to my colleague Mark Doyle  ,We resolved this issue with an Outlook Macro.

So if you ever encounter this unique issue , Please follow these steps.

  1. Browse to the Outlook Trust Center
  2. Macro Settings, Select Notifications for all Macros
  3. Press Alt + F11 to open Visual Basic
  4. Double click “This Outlook Session” under Microsoft Outlook Objects
  5. Paste  this TEXT below into the window
  6. Click on the folder or inbox that you want , And run the Macro
  7. Input character we want to replace in this case will be /
  8. Then select . as the replacement character
  9. Finally task complete

Final Comment

This is in no means an enterprise solution and I asked Microsoft for help and didn’t get anywhere. Once we removed the / , We could see when checking get-moverequeststatistics (mailbox) , that it was getting past the ‘create folder hierarchy’ stage in a mailbox move. And we did not need to tell our customer , Sorry this mailbox cannot be migrated!

Azure AD Combined security information registration

One of the glaring holes in the SSPR and MFA registration process was when bad actors that had compromised credentials could register for SSPR or MFA if the compromised account had not already registered.

One of my customers highlighted this to me and the way we overcame the vulnerability was to populate Active Directory with mobile numbers and through powershell force the authentication method to text message and not give an end user the choice.

Finally Microsoft have released a feature that can lock down the SSPR an MFA registration process to a corporate ip or ip ranges, the following slides show how we enable this in a conditional access policy.

  1. Select all users and exclude the tenant Office365 admin breakglass account.
  2. Select cloud apps or actions and select the ‘Register Security information (preview)’ option.
  3. In location select from any location
  4. Exclude all trusted locations
  5. In the controls section , Select ‘Grant Access’ and ‘Require multi-factor authentication.

Reference: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Conditional-access-for-the-Azure-AD-combined-MFA-and-password/ba-p/566348

Office365 & Intune White list URL and IP Range

For years I have fought tooth and nail with Security vendors on my enterprise customer sites that will typically have a corporate proxy or silent proxy like Palo Alto by tryng to get them to grant the customer,site or project access to Office365.

Microsoft have made the Office365 endpoints dynamically available as a web link which all enterprise firewall vendors support like Cisco, Juniper, Palo Alto can connect to.

Palo Alto guide HERE

Microsoft site Office 365 URLs and IP address ranges
Dynamic URL for firewalls and proxies 

I have faced on numerous occasions , issues with ip ranges that are outside the published Microsoft ranges. When my customer asked me what is this IP address , I cannot say it is mine and then need Microsoft to verify via a service ticket that they own the ip address.

My recommendation is also to white list the urls and ip ranges listed in this Microsoft article when using Intune. Intune network configuration requirements and bandwidth

Microsoft IP ranges outside the published ip ranges have affected me on customer project sites with Office365 ProPlus activation and Intune managed BitLocker encryption.

Hybrid Azure AD Joined Devices

Anyone familiar with conditional access, will have noticed this access control in Conditional Access policies. So what does it mean , How can I enable this, Is this a good feature.

This is not a good feature, it is an excellent feature. The best way to describe this control requirement is as follows. DO NOT GRANT access unless the machine is DOMAIN JOINED. Many enterprise companies have corporate wifi rolled out and only permit access to the corporate wifi via credentials and a machine certificate issued by the local certificate authority.

AD Connect keeps getting better and better and Microsoft have made it so easy to enable this feature. The following screenshots ill demonstrate how easy it is to enable this feature.

Modify the configuration of AD Connect and select ‘Configure Device Options’

Enter Azure AD Credentials

Note: Only select the second option ‘Supported Windows domain level domain-joined devices if you are using Azure Seamless Sign On, Azure Seamless Sign on provides the functionality to support Windows 7 and above operating systems.

Then enter enterprise admin on-premise credentials as per the image below.

Download and run the PowerShell script using on-premise enterprise admin credentials that AD Connect has prepared as per image above.

Next step is to follow this Microsoft Article : To enable auto enrollment of Windows Devices.

Now that we have enabled device auto enrollment into Intune, What are the benefits?

  • Intune Device Management – Intune can manage 5 devices per user license
  • Conditional Access Policy Control : Hybrid Azure AD objects
  • Intune – Bitlocker Management
  • Azure Dynamic Machine groups can be a useful method for managing global or large enterprise organisations.
  • Windows 10 Security Base Lines
  • Intune integration with Windows Defender ATP

These are just a small number of benefits , Open to comments on more benefits.

Update: 24.05.2019

Follow THIS Microsoft guide and block downloading from SharePoint Online on no domain joined devices

eDiscovery for Exchange Online Data at Rest

  • It is not possible to search for sensitive information types when selecting Exchange Online mailboxes as the data source , Office 365 User Voice REQUEST
  • It is possible to search for the items specified in this Microsoft ARTICLE and via KeyWord

The screen shot below is from an Office365 E5 Advanced eDiscovery query that shows these types of searches are not supported


Office365 & AIP Sensitive Information Types

  • Sensitive Information Types defined in Azure Information Protection are not visible in the Office365 Security Center
  • Sensitive Information Types defined in the Office365 Security and Compliance center are not visible in Azure Information Protection
  • So this means sensitive information types need to be defined in each service.
  • @MSignite2018 Microsoft announced a change in search technology in Exchange Online and Exchange 2019 , they will now use Bing technology. The front end of the Office365 Security and Compliance Center seems to be using SharePoint search technology. I would love Microsoft to enable Exchange Online, AIP, & Sharepoint Online to use the same search technology used in Azure Log Analytics.
  • Microsoft state that when creating custom sensitive information types via an XML file and then importing them into the Security and Compliance center that it is not possible to have multiple regex values. It is possible to combine multiple regex values by using the PIPE value |. When combining multiple regex values , they can be tested in Office365 and in RegEx101.com
  • Using multiple regex values in AIP can also be combined by using the PIPE value |
  • This is an example of a regex for different pattern types for Irish mobile phone numbers that could be used in the Security and Compliance center GUI or the AIP GUI when defining regex sensitive information types.
    notice the | that defines the different type of patterns.