Microsoft Information Protection

What is Microsoft Information Protection? The infographic displayed below shows all of the different areas covered by Microsoft Information Protection; it is the fastest-evolving suite of technologies in the Microsoft stack.

Microsoft recently announced two new security SKUs, which was a real relief: I can now tell my customers that they no longer need to buy an Office 365 E5 license to get all of these features.

Identity & Threat Protection—This new package brings together security value across Office 365, Windows 10, and EMS in a single offering. It includes best of breed for advanced threat protection services including Microsoft Threat Protection (Azure Advanced Threat Protection (ATP), Windows Defender ATP, and Office 365 ATP including Threat Intelligence), as well as Microsoft Cloud App Security and Azure Active Directory. This offer will be available for $12 per user per month.*

Information Protection & Compliance—This new package combines Office 365 Advanced Compliance and Azure Information Protection. It’s designed to help compliance and IT teams perform ongoing risk assessments across Microsoft Cloud services, automatically protect and govern sensitive data throughout its lifecycle, and efficiently respond to regulatory requests leveraging intelligence. This offer will be available for $10 per user per month.*

Securing Intune Enrolment

I have been working a lot with Intune for Android and iOS MDM. This post is focused on securing enrollment for Android and iOS devices. Windows 10 devices have different methods available, which will be covered in a later post.

The Intune enrollment process can be secured via Conditional Access and Azure MFA, and Microsoft has an article available HERE that describes how to secure the Microsoft Intune Enrollment app with Azure MFA.

But first we need to secure the Azure MFA registration process itself. If an attacker has obtained a user's credentials and that user has not yet registered for MFA, the attacker can complete the registration with his or her own phone, so the second factor ends up under the attacker's control rather than the user's. Requiring MFA at enrollment protects nothing if the attacker gets to choose the factor.

There are three methods to secure the MFA registration process:

  1. Multi-factor authentication registration policy (Azure AD Identity Protection)
  2. User risk / sign-in risk policy (Azure AD Identity Protection)
  3. Pre-populating users' phone numbers, as described in this ARTICLE

If using method 3 with the text message or phone call authentication method, the organisation's admins populate each user's authentication phone number in advance, so registration is pinned to a number the organisation owns rather than to whoever first holds the password.

Some helpful commands (MSOnline module; run Connect-MsolService first). The UPN and CSV path are placeholders.

## Query a user's existing MFA auth methods
$upn = "user@contoso.com"   # placeholder, replace with the user being checked
Get-MsolUser -UserPrincipalName $upn | Select-Object -ExpandProperty StrongAuthenticationMethods

## Clear a user's existing MFA auth methods (forces the user to re-register)
Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationMethods @()

## Export all users with at least one registered MFA method to a CSV
Get-MsolUser -All | Where-Object { $_.StrongAuthenticationMethods.Count -gt 0 } | Select-Object -Property UserPrincipalName | Export-Csv -Path "CSV PATH" -NoTypeInformation
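As an added example (this is not code from the original post), the following script turns the risk described above into a report: it lists users who have no registered strong-auth method and no admin-populated authentication phone, i.e. the accounts whose MFA an attacker holding the password could still register for. It assumes the MSOnline module is installed and Connect-MsolService has been run; the output file name is an assumption.

```powershell
# Added example, not from the original post. Reports who could still have MFA
# registered against them by the wrong person: no method registered AND no phone
# seeded by an admin (method 3 above). Assumes MSOnline + Connect-MsolService.
# StrongAuthenticationMethods, StrongAuthenticationUserDetails and
# StrongAuthenticationRequirements are real properties of the MSOnline user object.
function Get-MfaRegistrationReport {
    [CmdletBinding()]
    param(
        # Users to inspect; defaults to every enabled, licensed user in the tenant.
        [object[]]$User = (Get-MsolUser -All -EnabledFilter EnabledOnly | Where-Object { $_.IsLicensed })
    )

    foreach ($u in $User) {
        $methods = @($u.StrongAuthenticationMethods)
        $default = ($methods | Where-Object { $_.IsDefault } | Select-Object -First 1).MethodType
        $phone   = $u.StrongAuthenticationUserDetails.PhoneNumber
        $perUser = ($u.StrongAuthenticationRequirements | Select-Object -First 1).State
        $state   = if ($perUser) { $perUser } else { 'None (Conditional Access only)' }

        if ($methods.Count -eq 0 -and -not $phone) {
            # Whoever completes registration first, user or attacker, owns the second factor.
            $status = 'Unregistered-OpenToHijack'
        } elseif ($methods.Count -eq 0) {
            # Method 3 above: the admin seeded the phone, so registration is pinned to it.
            $status = 'Unregistered-PhonePrepopulated'
        } else {
            $status = 'Registered'
        }

        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            PerUserMfaState   = $state
            MethodCount       = $methods.Count
            DefaultMethod     = $default
            AuthPhone         = $phone
            Status            = $status
        }
    }
}

# Usage: the list to act on (register the users, or seed their phone numbers) before
# switching on MFA-gated Intune enrollment. A method that was registered by the wrong
# person is cleared with Set-MsolUser -StrongAuthenticationMethods @() as shown above.
Get-MfaRegistrationReport |
    Where-Object { $_.Status -eq 'Unregistered-OpenToHijack' } |
    Sort-Object UserPrincipalName |
    Export-Csv -Path .\mfa-open-to-hijack.csv -NoTypeInformation
```

The report deliberately distinguishes "no method but phone pre-populated" from "nothing at all": only the second bucket is exposed to the registration hijack, and it is the bucket to empty before the Conditional Access policy below goes live.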

Once we have followed the guidelines in the Microsoft article to secure the Intune enrollment process with MFA, we can proceed to create our policy for Android and iOS.

In the Conditional Access policy for Android and iOS devices, the final actions are listed below: devices must be compliant, and the compliance enrollment process itself is secured with MFA.

Block native mail app on Apple iOS using Azure Conditional Access policies

I recently set up EMS for a customer who wanted to ensure all iOS native mail apps were blocked, that all client phones must use the Microsoft Outlook app, and that devices are enrolled before they can access corporate email.

Azure Conditional Access policies make this really simple, and the following screenshots show how we can create this conditional policy.

Browse to the Azure Active Directory admin center / Azure Active Directory / Conditional Access.

  1. First, create the policy
  2. Next, assign which users the policy will be applied to
  3. Select the cloud app: Exchange Online
  4. Select the client app: Exchange ActiveSync
  5. Select the controls to enforce
  6. Finally, save and enable the policy
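The same policy expressed in code, as an added example rather than anything from the original post (which built it in the portal). It assumes the AzureADPreview module with its Conditional Access cmdlets and an existing Connect-AzureAD session. The Exchange Online application ID is the well-known service principal ID; the grant control "compliantDevice" is assumed to be the control chosen in the screenshots (the Intune post above also requires compliant devices), and the break-glass group ID is a placeholder.

```powershell
# Added example, not from the original post. Assumes AzureADPreview (Connect-AzureAD done)
# and the New-AzureADMSConditionalAccessPolicy cmdlet. Object and type names are the
# documented ones; the grant control and the exclusion group are assumptions.
$exchangeOnlineAppId = '00000002-0000-0ff1-ce00-000000000000'   # well-known Exchange Online app ID

$conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet

# Step 2: users in scope. Exclude a break-glass group from every blocking policy.
$conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$conditions.Users.IncludeUsers  = 'All'
$conditions.Users.ExcludeGroups = @('<objectId-of-break-glass-group>')   # placeholder

# Step 3: cloud app = Exchange Online only.
$conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
$conditions.Applications.IncludeApplications = $exchangeOnlineAppId

# Step 4: client app = Exchange ActiveSync. Native mail clients speak EAS; Outlook for iOS
# does not, so Outlook is untouched and only the native apps hit the control below.
$conditions.ClientAppTypes = @('exchangeActiveSync')

# Step 5: controls. "Require device to be marked as compliant"; an unenrolled native
# client therefore gets the quarantine message described below instead of mail.
$controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$controls._Operator       = 'OR'
$controls.BuiltInControls = @('compliantDevice')

# Step 6: create in report-only first and read the sign-in logs; change -State to
# 'enabled' once only native mail clients show up as affected.
New-AzureADMSConditionalAccessPolicy -DisplayName 'Exchange Online - native mail (EAS) requires compliant device' `
    -State 'enabledForReportingButNotEnforced' -Conditions $conditions -GrantControls $controls
```

If the goal is purely "Outlook only" rather than "enrolled device", the control to swap in is 'approvedApplication'; either way, keep the policy scoped to the exchangeActiveSync client app type so it does not catch Outlook itself.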

Now when a client attempts to set up and use the native Apple iOS mail app, this message will appear in the end user's mailbox and the native app will be unusable for sending and receiving messages. The user can then proceed with the device enrollment process.


Clear down Exchange 2016 Transaction Logs

During enterprise migrations to Exchange 2016, transaction log files can grow very large, and the Exchange-aware backup becomes critical: it is the successful completion of a full backup that lets Exchange truncate its logs and keeps the log volumes from running out of space.

Quite often businesses request that bulk mailbox migrations be performed outside business hours. The problem is that backups run at the same time as the bulk uploads, and the overlapping jobs prevent the backup program from truncating the log files.

Circular logging is not an option when Exchange is hosting a DAG.

The simple DISKSHADOW commands below make Exchange believe a full VSS backup has been performed: the Exchange VSS writer is told a full backup completed, after which Exchange truncates the logs itself without corrupting the databases. Be clear about what this is not: no copy of the data is retained, so there is nothing to restore from until the next real backup runs.

  1. Log on to the Exchange server that hosts the volume running low on space
  2. Launch a command prompt with elevated privileges
  3. Type: diskshadow and press Enter
  4. Add the volume to the shadow copy set. NTFS mount points are fine; the following command adds the volume mounted at DBVolume1:
     add volume C:\-Exchange-Disks\DBVolume1
  5. Type: begin backup and press Enter
  6. Type: create and press Enter
  7. Type: end backup and press Enter

Exchange will then truncate the logs.
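As an added example (not from the original post), the same four DISKSHADOW steps wrapped in a script with the checks a DAG admin would want around them: it refuses to run while any database copy is behind (Exchange only truncates logs that every copy has already replicated and replayed, so truncation would not free space anyway), records the database's backup state before and after, and removes the shadow copy it created. It assumes an elevated Exchange Management Shell on the server holding the volume; the volume path and database name are placeholders.

```powershell
# Added example, not from the original post. Assumes an elevated Exchange Management
# Shell on the server that hosts the volume; $Volume and $Database are placeholders.
param(
    [string]$Volume   = 'C:\-Exchange-Disks\DBVolume1',  # volume or mount point running out of space
    [string]$Database = 'DB01'                           # a database whose logs live on that volume
)

# 1. Refuse to truncate while any DAG copy is behind. Exchange only truncates logs that
#    every copy has replicated and replayed, so a lagging copy is the real thing to fix.
$copies = Get-MailboxDatabaseCopyStatus -Identity "$Database\*"
$behind = $copies | Where-Object {
    $_.Status -notin 'Mounted', 'Healthy' -or $_.CopyQueueLength -gt 0 -or $_.ReplayQueueLength -gt 0
}
if ($behind) {
    $behind | Format-Table Name, Status, CopyQueueLength, ReplayQueueLength -AutoSize
    throw "Copies are not healthy and caught up; truncation would not release space. Fix replication first."
}

# 2. Record the state before the snapshot so the result can be verified afterwards.
$before     = Get-MailboxDatabase -Identity $Database -Status | Select-Object LastFullBackup, LogFolderPath
$logsBefore = (Get-ChildItem -Path $before.LogFolderPath -Filter '*.log').Count

# 3. Drive DISKSHADOW from a script file. BEGIN BACKUP declares a full backup to the Exchange
#    VSS writer, CREATE takes the snapshot, END BACKUP signals "backup complete", which is
#    when the writer truncates logs. DISKSHADOW leaves the shadow copy persistent by default,
#    so the set it just created (exposed as %VSS_SHADOW_SET%) is deleted to give the space back.
$dsh = Join-Path $env:TEMP 'exchange-truncate.dsh'
@"
set verbose on
add volume $Volume
begin backup
create
end backup
delete shadows set %VSS_SHADOW_SET%
exit
"@ | Set-Content -Path $dsh -Encoding ASCII

& diskshadow.exe /s $dsh
if ($LASTEXITCODE -ne 0) { throw "diskshadow exited with code $LASTEXITCODE; logs were not truncated." }

# 4. Verify: LastFullBackup should move to now and the log count should drop once the
#    writer and the replication service have finished.
Start-Sleep -Seconds 60
$after     = Get-MailboxDatabase -Identity $Database -Status | Select-Object LastFullBackup, LogFolderPath
$logsAfter = (Get-ChildItem -Path $after.LogFolderPath -Filter '*.log').Count
[pscustomobject]@{
    LastFullBackupBefore = $before.LastFullBackup
    LastFullBackupAfter  = $after.LastFullBackup
    LogFilesBefore       = $logsBefore
    LogFilesAfter        = $logsAfter
}
```

Because LastFullBackup is updated by this procedure, monitoring that keys off it will now report a backup that never retained data; schedule a real backup straight after the migration window rather than relying on the stamp.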

OneDrive for Business next-gen client

Finally OneDrive really is OneDrive: the next-gen client uses the same sync engine for OneDrive personal and OneDrive for Business. I have always found the OneDrive personal client better than the OneDrive for Business client.

The next-gen client uses the same engine and it just works, with no more sync issues. To ensure you are using the correct client, browse to the download link and update your client.

After your client is updated you should have version 17.3.6381.0405, as per the image below.

After the client has been updated, sync your personal OneDrive and select only the folders required. Then right-click the OneDrive icon in the system tray and select Settings. You can now add a business account, as per the image below, and select only the folders required for syncing.

If you have Office installed, the next thing is to disable the OneDrive for Business client that starts up as part of the Office suite, as per the image below.

So now, finally, OneDrive simply works, and a lot of the old limitations like the 20,000-item sync limit have been removed.

Synchronize an Exchange Online Mailbox with a different Active Directory Forest.

I recently worked on a project migrating a global company that owned a number of businesses; they wanted to break down the barriers between the different brands and collaborate under a new brand in Office 365.

I synchronized a number of forests from around the world into the organization's Office 365 tenant using the new Azure Active Directory synchronization tool.

One of the businesses (Business A) shared its Exchange Server with another business (Business B). To migrate their mailboxes I implemented an Exchange Hybrid and migrated the mailboxes into Exchange Online.

Business A's Active Directory was authoritative for Business B's mailboxes. So how do we disjoin them from Business A and synchronize them with Business B, so that Business B can perform identity management in its own Active Directory forest?

The following steps explain how to do this. This can of course be scripted if there are hundreds or thousands of users.

  1. Run this command in the Business B Active Directory forest to obtain each user's objectGUID. ldifde writes the binary objectGUID base64-encoded (the objectGUID:: lines), which is exactly the format Azure AD expects for ImmutableID. The filter below is a placeholder that returns all user objects; scope it with -d to the right OU:
     ldifde -f con -r "(&(objectCategory=person)(objectClass=user))" -l objectGUID
  2. Then, in the AAD sync tool, stop synchronizing the Business B users (currently sourced from Business A's forest)
  3. This deletes the users' cloud accounts. Go to the Office 365 recycle bin and restore each account; this also converts the account to a cloud identity, which is what allows its ImmutableID to be changed in the next step.
  4. Then run this command in the Windows Azure Active Directory Module for Windows PowerShell to set the cloud user's ImmutableID so that it matches the objectGUID obtained in step 1 (the UPN is a placeholder):
     Set-MsolUser -UserPrincipalName user@contoso.com -ImmutableId I3/MGNcBbUWWVs+jXPTH4g==
  5. Finally, there are some attributes that we need to match from each user's account in the Business A Active Directory forest to the corresponding account in the Business B Active Directory
  6. Now we are ready to sync the OU with the AAD tool from Business B, and the Business B Active Directory will be the authoritative forest for these mailboxes.
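For the scripted version promised above, here is an added example (not code from the original post) that performs steps 1 and 4 for a list of users: it reads each account's objectGUID from the Business B forest, converts it to the base64 ImmutableID form that ldifde printed and that Azure AD Connect uses, checks the cloud object is no longer directory-synced (step 3), and hard-matches it. It assumes the ActiveDirectory and MSOnline modules with a Connect-MsolService session; the domain controller name, the UPNs and the sAMAccountNames are placeholders.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory and MSOnline
# modules and an existing Connect-MsolService session. DC name, UPNs and account names
# below are placeholders.
function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    # ImmutableID is just the 16 GUID bytes in base64, the same form ldifde prints for objectGUID.
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)
    New-Object -TypeName System.Guid -ArgumentList (,[Convert]::FromBase64String($ImmutableId))
}

function Set-HardMatch {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # One object per user: CloudUpn (Office 365 account) and SamAccountName (Business B forest).
        [Parameter(Mandatory)][pscustomobject[]]$Mapping,
        [string]$BusinessBDomainController = 'dc01.businessb.local'   # placeholder
    )
    foreach ($m in $Mapping) {
        $cloud = Get-MsolUser -UserPrincipalName $m.CloudUpn -ErrorAction Stop

        # Step 3 guard: ImmutableID can only be changed on a cloud-only object. A value in
        # LastDirSyncTime means the account is still synced and must be restored first.
        if ($cloud.LastDirSyncTime) {
            Write-Warning "$($m.CloudUpn) is still directory-synced; stop syncing and restore it before matching."
            continue
        }

        $ad = Get-ADUser -Identity $m.SamAccountName -Server $BusinessBDomainController -ErrorAction SilentlyContinue
        if (-not $ad) { Write-Warning "$($m.SamAccountName) not found in the Business B forest"; continue }

        $wanted = ConvertTo-ImmutableId -ObjectGuid $ad.ObjectGUID
        if ($cloud.ImmutableId -eq $wanted) { Write-Verbose "$($m.CloudUpn) already matched"; continue }

        if ($PSCmdlet.ShouldProcess($m.CloudUpn, "Set ImmutableID $wanted (was '$($cloud.ImmutableId)')")) {
            Set-MsolUser -UserPrincipalName $m.CloudUpn -ImmutableId $wanted
        }
    }
}

# Sanity check of the encoding round trip on the value quoted in step 4 above.
$sample = 'I3/MGNcBbUWWVs+jXPTH4g=='
if ((ConvertTo-ImmutableId (ConvertFrom-ImmutableId $sample)) -ne $sample) { throw 'ImmutableID round-trip failed' }

# Preview first (-WhatIf), then run for real. For hundreds of users feed Import-Csv output
# with CloudUpn and SamAccountName columns into -Mapping.
$mapping = @(
    [pscustomobject]@{ CloudUpn = 'user1@contoso.com'; SamAccountName = 'user1' }   # placeholder
    [pscustomobject]@{ CloudUpn = 'user2@contoso.com'; SamAccountName = 'user2' }   # placeholder
)
Set-HardMatch -Mapping $mapping -WhatIf
```

Once the ImmutableIDs match, step 5 (aligning mail, proxyAddresses and the other attributes on the Business B accounts) still has to happen before the OU is added to the Business B sync scope; otherwise the first sync cycle will overwrite the cloud values with whatever Business B's forest holds.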