SPF,DKIM & DMARC for Message Hygiene Services

This article is about securing email transmission and I mention multiple vendors. Proofpoint recently acquired Wombat Security Technologies that provide security awareness training for end users. knowbe4 is another excellent security awareness training provider and the Gartner leader in security awareness training.

None of the vendors I mention in this article can provide zero day vulnerabilities protection and I still think one of the best line of defences for any organisation is security awareness training for end users.

SPF The Sender Policy Framework (SPF) is an email-authentication technique which is used to prevent spammers from sending messages on behalf of your domain. With SPF an organisation can publish authorized mail servers.
Ref: https://www.dmarcanalyzer.com/spf/

DKIM (Domain Keys Identified Mail) is an email authentication technique that allows the receiver to check that an email was indeed sent and authorized by the owner of that domain. This is done by giving the email a digital signature. This DKIM signature is a header that is added to the message and is secured with encryption.
Ref: https://www.dmarcanalyzer.com/dkim/

DMARC : DMARC, which stands for “Domain-based Message Authentication, Reporting & Conformance”, is an email authentication, policy, and reporting protocol. It builds on the widely deployed SPF and DKIM protocols, adding linkage to the author (“From:”) domain name, published policies for recipient handling of authentication failures, and reporting from receivers to senders, to improve and monitor protection of the domain from fraudulent email.
Ref: https://dmarc.org/

With the combination of SPF,DKIM and DMARC , these standards improve the reputation of an email like contoso.com. But most importantly they can help an organisation like contoso.com from being a victim of a phishing or an email spoofing campaign.

A lot of my enterprise customers and early adopters of Exchange Online chose not to use Exchange Online Protection because it quite simply wasn’t good enough at the time they moved to Exchange Online. Exchange Online Protection has really matured in the last number of years with some excellent features like:

  • Office365 ATP
  • Zero Hour Purge
  • Automated Investigation and Response (AIR)

In my view the two best locations for technical guidance on configuring Exchange Online Protection

  1. https://office365itpros.com/
  2. https://www-undocumented–features-com.cdn.ampproject.org/c/s/www.undocumented-features.com/2019/08/13/exchange-online-protection-eop-best-practices-and-recommendations/?amp

DKIM and DMARC should be configured on the last hop of email messages transmission.

Microsoft have documented how to configure DKIM for Exchange Online HERE
Microsoft have documented how to configure DMARC for Exchange Online HERE

Symantec Email Security Cloud DKIM
Symantec Email Security Cloud DMARC

Mimecast DKIM
Mimecast DMARC

Proofpoint DKIM
Proofpoint DMARC
Note: DMARC Not supported on ProofPoint Essentials

Cisco Cloud Email Security DKIM
Cisco Cloud Email Security DMARC

ForcePoint Email Security DKIM
ForcePoint Email Security DMARC

Switch from SCCM Co-Management Hybrid to Intune

I recently had to break co-management of SCCM & Intune Co-Management Hybrid and migrate to Intune for mobile devices that were managed by SCCM\Intune.

I followed Gerry Hampson’s blog POST on how to do this. Gerry is a Microsoft MVP in Enterprise Client Management.

I faced a problem. How do I translate an SCCM device collection that has no information on users, to a security group that I can assign an Intune Application Protection Policy to. In my particular instance there was only two policies required.

  1. Intune_Exec_AppProtection_Policy
  2. All users except the Exec users

Azure Active Directory has the ability to create complex dynamic user or device security groups. So in my instance I created two Intune Application Protection Policies that are listed above.

I created one on-premise synced AD Security group that contained the Exec users, this group would be assigned to Intune Application Protection Policy 1. I then wanted to create a security group that I could assign to all non exec users and any new users. So I created an Azure dynamic user security group that queried Azure AD for any user that has an Intune license. The query for the Azure dynamic security group is listed below.

user.assignedPlans -any (assignedPlan.servicePlanId -eq “c1ec4a95-1f05-45b3-a911-aa3fa01094f5” -and assignedPlan.capabilityStatus -eq “Enabled”)

This type of dynamic security group can be applied to any Microsoft cloud service. The list of all Microsoft servicePlanId’s is available HERE



Conditional Access and Azure Active Directory License Management

Azure AD group based license assignment was made generally available in Feb 2018. It really is a superb way of managing and assigning licenses for services like Office365.

Quite often on projects that I deliver ,  I will work with my customer to build a profile which could be for example standard user, power user , exec user and these groups can assign some or all of the M365 suite of services.

So this means we would have 3 security groups to match each user profile and each organisation can modify their new starter process to add new users into their relevant security group or use Identity Management tools like Microsoft Identity Manager 2016 SP1 to manage the user life cycle.

One of the quickest and most powerful conditional access policy is as follows

  • Assignment : All users , except license groups and break glass admin account
  • Cloud Apps :  All Apps
  • Conditions : Default , NO CHANGE
  • Access Controls \ Grant : BLOCK

So the assignment to all users is the key , If a new user is not setup properly and follows the new user creation process then they cannot access the organisation’s cloud apps that are integrated with Azure AD.

This is a policy to block all unlicensed users.

All licensed users would expect to have the following items configured as a minimum requirement.

  • MFA
  • SSPR
  • Combined SSPR & MFA registration
  • Azure Password Protection Service
  • Microsoft Advanced Threat Protection integration with CASB
  • Azure AD P2 license , Identity Protection policies enabled
  • Azure AD Hybrid joined machines
  • Intune managed bitlocker encrypted devices
  • Intune managed devices with security baselines

Block sending of messages based on real-time content inspection in SASS with Cloud APP Security

This post demonstrates how to integrate Facebook Workplace with Azure AD and enable single sign on, and CASB protection for keywords that users post in a Facebook Workplace site.

The process would be exactly the same for any SAAS application and this post demonstrates the power of CASB integration with SAAS applications. For example , when using CASB to protect SAAS applications like GMAIL, Salesforce, Service Now, CASB can block real time key words and inspect files for sensitive information types defined by an organisation and integrate with Azure Information Protection.

There is a Microsoft tutorial on how to integrate Azure AD with Facebook workplace but I found the guide difficult to follow.

So I will try and structure this post in order to block a keyword from being posted to Facebook Workplace.

  1. Sign up for a Facebook Workplace account and sign in. Then click on the admin panel , security and authentication settings.
  2. Click on the Add new SSO Provider
  3. After you click on the link displayed above , scroll down and copy the audience URL which is the unique identifier.
  4. Next we add a new tab in the browser and go to Azure Active Directory , Enterprise Applications and add Facebook Workplace from the gallery.
  5. Add the users or security group that will have access to this published application within Azure AD
  6. Create a conditional access policy and do the following
    Select Facebook Workplace as the app
    Select the users in scope for testing
    Select session control and select the settings displayed in the image below
    There is obviously a lot more protection that can be applied with this conditional access policy, like location protection , azure hybrid joined machines etc..  For the purpose of this blog we are simply demonstrating the interaction with CASB and conditional access session policies.
  7. As I always use Chrome until Edge Chromium is GA , the next step is to to open a new tab and install the My Apps Secure Sign-in Extension for Chrome and sign in with the credentials that you are signed into the Azure Portal with.
  8. Within Azure AD , Select Facebook Workplace and select single sign on and select SAML
  9. Edit basic saml configuration and paste in the following urls
    A:Identifier (Entity ID) :  The audience url captured in step 3
    B:Reply URL (Assertion Consumer Service URL) : https://my.workplace.com/work/saml.php
    C:Sign On Url : https://my.workplace.com/work/saml.php
  10. Exit the SAML basic configuration and then move to step 5 in the SAML configuration and click on ‘Setup WorkPlace for Facebook’
  11. When we click on ‘Setup WorkPlace by Facebook’ , The browser will redirect the session to the Facebook WorkPlace authentication settings and click on the ‘Single Sign On  (SSO) button
  12. Wait a few seconds and the Chrome add in we discussed in step 7 will display the following screen which will auto populate the Azure SAML configuration automatically into Facebook WorkPlace.
  13. The next pop up requests the admin to test SSO and then save the changes.
  14. The next window will re-direct the Facebook Workplace login url through CASB
  15. Click on close on the next page
  16. Next really important step , Go back to the Facebook Workplace tab and select save changes
  17. Next steps are to create the Cloud App Security Policy to block a key word using this template :Block sending of messages based on real-time content inspection
  18. The activities in the policy are displayed below
  19. The content inspection config of the policy uses contoso as the keyword
  20. The action is to block and notify the user with the organisation’s terms and conditions for usage of cloud apps or a custom response
  21. Finally , Facebook WorkPlace will be available for the users in scope to use the application in the https://myapps.microsoft.com portal

Final note , SAAS applications that support SCIM will be much easier to on-board into Azure Active Directory and CASB. I hope this blog post shows how easy it is to on-board SAAS apps into Azure AD and CASB.


Remove a public domain name from an Office365 Tenant – The QUICK WAY

I have worked recently on a lot of Office365 tenant to tenant migrations and the biggest challenge in all of these migrations is where the same domain name eg. contoso.com cannot exist in two tenants at once.

I always use the Migration Wiz Bundle which can migrate primary mailbox, archive mailbox , ODFB sites and Deployment Pro which manages the Outlook Profile transition to the new tenant.

Migration Wiz have an interesting co-existence solution which you can review HERE

If using a migration tool like Migration Wiz and all data has been migrated a really quick way of removing all traces from contoso.com from the legacy tenant is to run through the following process

WARNING ALL DATA MUST BE MIGRATED BEFORE ATTEMPTING TO USE THIS PROCESS. This process does not delete any data. It removes all references to the public domain that is required in the target tenant in this example that domain name is CONTOSO.COM. If users still need to access data in a Sharepoint Site in the legacy tenant the user me informed on what their new UPN is.

  1. Connect to Azure AD Connect server
  2. Disable-ADSyncExportDeletionThreshold  and then enter Office365 Global Admin Credentials
  3. Next steps are to de-select all the OUs that were previously in scope for synchronization
  4. Then run this command on the Start-ADSyncSyncCycle -PolicyType Initial
    (Run the command twice)
  5. This will place all objects that were synced to Office365 in the recycle bin.
  6. Change UPN for any cloud identity objects that remain
    Get-MsolUser -All | ? {$_.UserPrincipalName -match “contoso.com” -and $_.UserPrincipalName -notmatch “admin”} | % {Set-MsolUserPrincipalName -ObjectId $_.objectId -NewUserPrincipalName ($_.UserPrincipalName.Split(“@”)[0] + “@brakelaero.onmicrosoft.com”); $dataout += “$($_.UserPrincipalName)” ; $_.UserPrincipalName };$dataout | out-file “CSV FILE NAME AND PATH”}}
  7. Set the primary smtp address for all remaining mail enabled objects to contoso.onmicrosoft.com
    $AllMailboxes = Get-Mailbox -ResultSize Unlimited
    Foreach ($Mailbox in $AllMailboxes)

    # Creating NEW E-mail address that concatenate in the following way: Take the existing recipient Alias name + use the NEW Domain name as a domain suffix + “Bind” the Alias name + the NEW Domain name suffix.

    $NewAddress = $Mailbox.Alias + “@contoso.onmicrosoft.com”

    Set-Mailbox -Identity $Mailbox.Alias -WindowsEmailAddress $NewAddress 

  8. Remove all contoso.com aliases
    $Records = Get-mailbox -ResultSize Unlimited| where {$_.emailaddresses -like “smtp:*@contoso.com”} | Select-Object DisplayName,@{Name=“EmailAddresses”;Expression={$_.EmailAddresses |Where-Object {$_ -like “smtp:*brakelaero.be”}}}

    foreach ($record in $Records)


        write-host “Removing Alias” $record.EmailAddresses “for” $record.DisplayName

        Set-Mailbox $record.DisplayName -EmailAddresses @{Remove=$record.EmailAddresses}


  9. Remove Contoso.com from any groups
    Get-Msolgroup -All | where {$_.emailaddress -match “brakelaero.be”} | Remove-MsolGroup –Force
  10. Change the default domain in the Admin.Microsoft.com portal to contoso.onmicrosoft.com
  11. Remove Contoso.com
    Remove-MsolDomain -DomainName “contoso.com” –Force
  12. Next we can add Contoso.com into the new Office365 tenant and update the mx records for Contoso.com
  13. Last but not least , We modify AD Connect configuration and re-enable the sync of all the objects that were previously synced and are now in the Office365 recycle bin ,they will all be restored and have the ability to access their data via a contoso.onmicrosoft.com UPN.

We forgot to mention Public Folders. Migration Wiz have a separate tool for public folder migrations which is very simple to use. I always prefer to convert public folders into resource mailboxes.

Credit: The domain removal powershell migration scripts are publicly available in Migration  Wiz Knowledge Base articles.

Exchange 2010 – 2016 Hyrid – Outlook not connecting

I have wrote many articles  about the Exchange Hybrid process. There are lots of excellent articles on line about this process. This blog post is aimed it simplifying the whole process and ensuring 2010 clients can still connect when using Exchange 2016 servers for autodiscover.

The Exchange Online Hybrid wizard has greatly improved over the years and the Exchange Hybrid Modern Agent is an amazing step forward and provides a mechanism to quickly migrate mailboxes to Exchange Online.

Exchange 2010  support will Expire in October 2020. I have recently been performing a lot of Hybrid migrations using Exchange 2010 and Exchange 2016 as the hybrid server

I always use this powershell SCRIPT to install the pre-requisites for each new Exchange server.

Autodiscover services are typically  transferred from the Exchange 2010 servers to Exchange 2016 servers.

Simply updating the autodiscover.consto.com A record to point at the new Hybrid server and expecting clients to connect without any issues is a big mistake.

If the Exchange 2010 organisation has a load balanced virtual ip , this IP cannot be simply reused for the Exchange 2016 server. The main reason for this is that,mapi has transitioned to mapi over http from Exchange 2013 versions and higher.

Exchange 2016 has different virtual directories and also has health check urls per Exchange virtual directory.

  • Kemp – Kemp have templates for Exchange 2016
  • F5 – Have templates for Exchange 2016
  • Netscaler – Follow this article to load balance Exchange 2016 via Netscaler HERE

When the Exchange Hybrid has been installed and configured , Run this SCRIPT
And set all of the virtual directories to your corporate domain eg. autodiscover.contoso.com

On the Exchange 2010 server , get an inventory of databases hosted on the Exchange 2010 servers. And then run this command to set the rpc client access server per Exchange 2010 database,

Set-MailboxDatabase –Identity “<Database Name>” –RPCClientAccessServer “exch2010-01.contoso.local”

This is the most important task, Exchange 2016 receives autodiscover requests and proxies them to the Exchange 2010 client access servers for mailboxes that are still hosted on Exchange 2010.

Now is the time to update the two DNS records autodiscover.contoso.com and mail.contoso.com to point to the new Hybrid server.

Exchange Online users that have been migrated and are working outside of their company offices will query the public autodiscover.contoso.com record which will point to the hybrid server, the hybrid server will respond with the correct autodiscover xml via http redirect to Exchange Online.

Intune Endpoints Through Proxies or Corporate Firewalls

Microsoft previously submitted all the urls  and ip ranges for the Office365 platform on docs.microsoft.com. Now there is a new Office365 IP Web Service , HERE 

It would be great if this dynamic ip services covered all services in Office365  that can be updated in firewalls and proxies. Unfortunately it does not.

Intune is an amazing service from Microsoft but if you do not white-list the endpoints listed HERE

Features like Bitlocker, x86 custom app deployments, Windows 10 Security Baselines will fail.