Transitioning to Outlook Mobile

I always recommend the Outlook mobile client to my customers as this application can be included in an Intune app configuration & protection policy to protect and encrypt corporate data.

One of the features that the native iOS & Android mail clients provide to end users is the illusion that the global address list of the organisation they work for is in their native contacts. So when an end user searches for users in their company they expect to get the contact information instantly. Users must use Outlook Mobile.

End users mostly complain about losing this feature, but the argument is that security comes first and Outlook Mobile is more secure! It is very difficult to find the balance between security and productivity.

Android Outlook Mobile Cheat Sheet
iOS Outlook Mobile Cheat Sheet
Deploying Outlook for iOS and Android app configuration settings

Why use Outlook Mobile?

Content via Ignite 2019 Slide Deck

  • Consistent new features and security patches from Microsoft
  • In a BYOD scenario, corporate email profiles are encrypted via an Intune App Protection policy
  • Azure Information Protection integration
  • Sensitivity Labels
  • Add a shared mailbox to Outlook Mobile


Azure AD Connect 1.4.38.0 authentication error

I started to notice that Azure AD Connect was failing, had a look in the console and saw the error message displayed in the image below.

Then, when I tried to run the command Start-ADSyncSyncCycle -PolicyType delta, I received a long list of authentication errors.

To resolve the issue, browse into the properties of the Azure Active Directory account and copy the account name onto the clipboard.

Next, add this account as an excluded account in the conditional access policies, the same way a break glass cloud identity admin account would be excluded from conditional access policies.

As soon as the sync account has been added to the exclusions, syncs will resume.

Maintaining Exchange on-premise storage during migrations

Now that Microsoft have announced that Exchange 2010 support will end in October 2020 a lot of organisations are moving to Exchange 2016, 2019 or hopefully Exchange Online.

For enterprise organisations, the migration topology will include two Exchange 2016 servers that are load balanced via an F5, Citrix NetScaler or, my preferred choice, a Kemp load balancer. Autodiscover services for the SMTP domains will be transferred to the new virtual IP and the service will be provided by the new Exchange 2016 servers, which will proxy access requests to Exchange 2010 hosted mail resources.

The new virtual IP for load balancing services will become the target for the Exchange Online migration endpoint.

The Exchange Online Hybrid wizard licenses the new Exchange 2016 servers as part of the Hybrid configuration process; the Hybrid license does not permit the hosting of mailboxes. One of the problems with Exchange Server since Exchange 2013 is log file growth. This post will demonstrate a scheduled task I always create on Hybrid servers.

The task schedules Edward van Biljon's script, available to download HERE

These log files are mostly IIS log files and not Exchange database log files, as no mailboxes are hosted on the Hybrid server. But if an organisation is moving thousands of mailboxes to Exchange Online and not clearing down these logs, then they will run into issues. I have often reclaimed 20-30GB of disk storage from running this script as a scheduled task.
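As an added example (not Edward van Biljon's script, which the post links), a PowerShell script that does the same age-based cleanup of the IIS and Exchange diagnostic log folders on a Hybrid server and can register itself as the nightly scheduled task; the folder paths, the 14-day retention and the 02:00 schedule are assumptions:

```powershell
# Added example, not Edward van Biljon's script: age-based cleanup of the IIS and Exchange
# diagnostic log folders on a Hybrid server, plus the scheduled task that runs it nightly.
# Assumptions: saved as a .ps1 and run once, elevated, with -Register; the folders below are
# the IIS and Exchange defaults ($env:ExchangeInstallPath is set by Exchange setup).
param(
    [int]$RetentionDays = 14,
    [switch]$WhatIf,      # report what would be deleted without deleting anything
    [switch]$Register     # create the daily task that calls this script as SYSTEM, then exit
)

if ($Register) {
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`" -RetentionDays $RetentionDays"
    $trigger   = New-ScheduledTaskTrigger -Daily -At '02:00'
    $principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    $settings  = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Hours 2)
    Register-ScheduledTask -TaskName 'Exchange Hybrid Log Cleanup' -Action $action -Trigger $trigger `
        -Principal $principal -Settings $settings -Force | Out-Null
    return "Registered task 'Exchange Hybrid Log Cleanup' running $PSCommandPath daily at 02:00."
}

# Default Exchange install root is used when the environment variable is not set (assumption).
$exRoot = if ($env:ExchangeInstallPath) { $env:ExchangeInstallPath } else { 'C:\Program Files\Microsoft\Exchange Server\V15' }

# Folders that keep growing on a Hybrid server even though it hosts no mailboxes.
$logRoots = @(
    (Join-Path $env:SystemDrive 'inetpub\logs\LogFiles'),
    (Join-Path $exRoot 'Logging'),
    (Join-Path $exRoot 'TransportRoles\Logs')
) | Where-Object { Test-Path $_ }

$cutoff    = (Get-Date).AddDays(-$RetentionDays)
$reclaimed = 0
foreach ($root in $logRoots) {
    # Only log-type files, so database, checkpoint and config files are never touched by accident.
    $old = Get-ChildItem -Path $root -Recurse -File -ErrorAction SilentlyContinue |
           Where-Object { $_.Extension -in '.log', '.blg', '.etl' -and $_.LastWriteTime -lt $cutoff }
    $reclaimed += [int64]($old | Measure-Object -Property Length -Sum).Sum
    # Files Exchange still has open simply fail to delete and are picked up on the next run.
    $old | Remove-Item -Force -WhatIf:$WhatIf -ErrorAction SilentlyContinue
}
'{0:N0} MB of log files older than {1} days {2}' -f ($reclaimed / 1MB), $RetentionDays,
    $(if ($WhatIf) { 'would be removed' } else { 'removed' })
```

Run it interactively with -WhatIf first to see what the task would delete before registering it.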


The next section to consider is Exchange Database logs. Most vendors like

  • Commvault
  • Veeam
  • Veritas

perform an excellent backup service and are typically scheduled to run outside of business hours. Exchange backups are critical to truncate logs and become even more critical in an Exchange DAG. I have worked on previous projects that migrated Lotus Notes or GroupWise to Exchange, and the log files grew too quickly and could not wait until the daily evening backup. This issue can also arise in Exchange Hybrid native migrations due to the volume of traffic being migrated.

Most Exchange backup vendors communicate with VSS. It is critical that Exchange truncates the mailbox database logs, as the databases can become corrupted if Exchange cannot perform this task.

If there is a scenario where the Exchange database and log volume is running out of space, Microsoft have an excellent utility called diskshadow which has been around for a long time. So essentially we trick Exchange into thinking a full backup has been performed, and here are the simple steps if an Exchange Server database was installed on the system volume.

DiskShadow

This process should only be used in emergencies. Business-as-usual backup schedules should normally ensure that Exchange volumes do not run out of space, but during migrations from Exchange 2010 to Exchange Online, or from Lotus Notes to Exchange on-premises or online, the log files fill up really quickly, and even more so if there are 3 or more databases that are members of a DAG.
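As an added example (these are not the blog's own steps), the DiskShadow procedure driven from PowerShell: a BEGIN BACKUP / END BACKUP pair around a VSS snapshot of the volume is what makes the Exchange writer report a completed full backup, after which Exchange truncates the logs. It assumes an elevated PowerShell on the server holding the active copy of the database, with database and logs on C: as in the post, and Exchange Management Shell for the final check:

```powershell
# Added example (not the blog's own steps): take a VSS full backup of the volume holding the
# database and logs with DiskShadow so the Exchange writer sees BackupComplete and Exchange
# truncates the logs. Assumptions: elevated PowerShell on the server that holds the ACTIVE
# copy of the database; database and logs on C: as in the post.
$volume = 'C:'
$dsh    = Join-Path $env:TEMP 'exchange-full-backup.dsh'

# Preflight: the Exchange writer must exist and be Stable, otherwise CREATE fails or the
# backup completes without the writer and nothing is truncated.
$writers  = (vssadmin list writers | Out-String) -split 'Writer name:'
$exWriter = $writers | Where-Object { $_ -match "'Microsoft Exchange Writer'" }
if (-not $exWriter -or $exWriter -notmatch 'State: \[1\] Stable') {
    throw 'Microsoft Exchange Writer is missing or not Stable; fix that before taking the snapshot.'
}

# BEGIN BACKUP / END BACKUP mark the snapshot as a full backup; VOLATILE discards the shadow
# copy when DiskShadow exits, so no shadow storage is left behind on an already-full volume.
@"
SET VERBOSE ON
SET CONTEXT VOLATILE
BEGIN BACKUP
ADD VOLUME $volume ALIAS ExchVol
CREATE
END BACKUP
"@ | Set-Content -Path $dsh -Encoding ASCII

& diskshadow.exe /s $dsh
if ($LASTEXITCODE -ne 0) { throw "diskshadow exited with code $LASTEXITCODE; logs were NOT truncated." }
Remove-Item $dsh -Force

# Confirm from the Exchange side: LastFullBackup moves to now, and the Application log shows
# ESE event 224 (log files deleted). ESE event 225 means nothing could be truncated, for
# example because a DAG copy is behind and has to catch up first.
Get-MailboxDatabase -Status | Select-Object Name, LastFullBackup, LogFolderPath
```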

The final option for reclaiming space is offline defragmentation of the databases to reclaim white space. Only choose this option when all mailboxes have been migrated, as it can take a long time and requires downtime.

Anonymous Relay when transitioning from 2010 to 2016

I recently worked on a project where my customer had a load balanced VIP for SMTP. There were two Exchange 2010 CAS/HUB servers included in the VIP, and the 2010 servers had a relay connector for anonymous access configured for applications like scan-to-email and HR applications. So how do we move this service to our lovely new Exchange 2016 servers?

  1. Create the Frontend Transport service relay connectors on both Exchange 2016 servers, called 'Relay'
  2. Then run this script to copy all of the relay IPs to the new Exchange 2016 relay connectors
    Credit: https://gallery.technet.microsoft.com/office/Copy-a-receive-connector-b20b9bef
  3. Then on Exchange 2016 server 1 we run these commands
    Servers are contoso1 & contoso2; <FSMO DC> is the domain controller holding the FSMO roles
    Set-ReceiveConnector "contoso1\Relay" -PermissionGroups AnonymousUsers,ExchangeServers -DomainController <FSMO DC>
    Get-ReceiveConnector "contoso1\Relay" | Add-ADPermission -User 'NT AUTHORITY\Anonymous Logon' -ExtendedRights MS-Exch-SMTP-Accept-Any-Recipient -DomainController <FSMO DC>
    Set-ReceiveConnector "contoso2\Relay" -PermissionGroups AnonymousUsers,ExchangeServers -DomainController <FSMO DC>
    Get-ReceiveConnector "contoso2\Relay" | Add-ADPermission -User 'NT AUTHORITY\Anonymous Logon' -ExtendedRights MS-Exch-SMTP-Accept-Any-Recipient -DomainController <FSMO DC>
  4. Add a server IP, like the AD Connect server, into the relay connector scope on both contoso1 and contoso2
  5. Then run this command from the AD Connect server to each of the Contoso servers (the line containing only "." ends the message)
    telnet <SMTP VIP> 25
    helo
    mail from:sean@contoso.com
    rcpt to:sean.ofarrell@yahoooooo.com
    data
    Test from Sean.
    .
    quit
  6. Once the email comes through we can then remove the Exchange 2010 servers from the SMTP VIP and disable the relay connector on the Exchange 2010 servers.
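Step 4 is what keeps the anonymous relay connector from becoming an open relay: it must only be reachable from the application IPs. As an added example (not part of the original post), an Exchange Management Shell function that finds every connector granting anonymous relay (AnonymousUsers plus the ms-Exch-SMTP-Accept-Any-Recipient right for ANONYMOUS LOGON) and flags RemoteIPRanges that are wider than a single subnet; the /24 threshold is an assumption:

```powershell
# Added example (not part of the original post): audit every receive connector that grants
# anonymous relay and flag any whose RemoteIPRanges are wide enough to make it an open relay.
# Run in the Exchange Management Shell. MaxPrefixBits is an assumed threshold: anything
# broader than a /24 is treated as too wide for a relay connector.
function Get-AnonymousRelayConnectors {
    param([int]$MaxPrefixBits = 24)

    foreach ($rc in Get-ReceiveConnector) {
        # Anonymous relay = AnonymousUsers in the permission group AND the
        # ms-Exch-SMTP-Accept-Any-Recipient extended right granted to ANONYMOUS LOGON.
        if ("$($rc.PermissionGroups)" -notmatch 'AnonymousUsers') { continue }
        $relayRight = Get-ADPermission -Identity $rc.Identity |
            Where-Object { "$($_.User)" -like '*ANONYMOUS LOGON' -and
                           ($_.ExtendedRights | ForEach-Object { "$_" }) -contains 'ms-Exch-SMTP-Accept-Any-Recipient' }
        if (-not $relayRight) { continue }

        $wide = foreach ($range in $rc.RemoteIPRanges) {
            $text = "$range"
            # The defaults Exchange puts on a new connector: every IPv4 and IPv6 address.
            if ($text -eq '0.0.0.0-255.255.255.255' -or $text -like '::-ffff:*') { $text; continue }
            # CIDR broader than the threshold.
            if ($text -match '/(\d+)$' -and [int]$Matches[1] -lt $MaxPrefixBits) { $text; continue }
            # Explicit start-end range that crosses a /24 boundary.
            if ($text -match '^(\d+\.\d+\.\d+)\.\d+-(\d+\.\d+\.\d+)\.\d+$' -and $Matches[1] -ne $Matches[2]) { $text }
        }

        [pscustomobject]@{
            Connector      = "$($rc.Identity)"
            Bindings       = ($rc.Bindings -join ', ')
            RemoteIPRanges = ($rc.RemoteIPRanges -join ', ')
            TooWide        = ($wide -join ', ')
            OpenRelayRisk  = [bool]$wide
        }
    }
}

Get-AnonymousRelayConnectors | Sort-Object OpenRelayRisk -Descending | Format-Table -AutoSize
```

Run it on both the old 2010 and the new 2016 servers before step 6, so the relay scope copied in step 2 is confirmed to be as narrow as the original.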

Finally, a lot of my customers do not trust Exchange Online Protection and use services like Mimecast, Proofpoint or Cisco Cloud Email Security, and once the SPF records for the domains match the service it can normally be much easier to set up SMTP relay via these SaaS services.

AD Connect – Sync-rule-error-function-triggered

I recently worked on a project that had the following scope.

  • Migrate 6 Office365 tenants into a new single Office365 tenant
  • Migrate all users, sidhistory and computer accounts into a new AD Forest using Quest Migration Manager for Active Directory from 10 source Active Directory Forests to a new Windows Server 2019 Active Directory Forest.

14 user objects could not sync changes like adding aliases. If I extracted the affected user's ImmutableId from the source Office 365 tenant, it was different from the corresponding user's ImmutableId in the new tenant.

So where is the problem? Why won't the changes sync?

When further analyzing the errors in AD Connect, I could see that the cloudanchor attribute in my new tenant had the same immutable ID as the source tenant.

So how do we fix this?

  1. Exclude the following two attributes from the Quest Migration Manager for Active Directory migration and synchronization tasks: 'mS-DS-ConsistencyGuid' and 'msDS-ExternalDirectoryObjectId'
  2. Then run this PowerShell command to export all destination-site immutable IDs

    Get-ADUser -Filter * -SearchBase "OU=Contoso" | Select-Object samaccountname,mail,userprincipalname,objectguid,@{label="ImmutableID";expression={[System.Convert]::ToBase64String($_.objectguid.ToByteArray())}} | Export-Csv CSV LOCATION

  3. Then run the following command, replacing the quoted immutable ID with the one from the CSV exported in step 2, to convert the immutable ID to hex format ({0:X2} keeps the leading zero for any byte below 0x10)
    $a = ""; [System.Convert]::FromBase64String("rk4ZgeI/l0OpdRr5PiwU1g==") | %{$a += [System.String]::Format("{0:X2}", $_) + " "}; $result = $a.TrimEnd(); $result
  4. The output of this command converts the immutable ID from the CSV to a hex value like AE 4E 19 81 E2 3F 97 43 A9 75 1A F9 3E 2C 14 D6
  5. The next step is to populate the 'mS-DS-ConsistencyGuid' attribute with the hex value from step 4 and replicate the domain controllers.
  6. Run a delta or initial sync on AD Connect and the issue will be resolved.

Reference Article: https://docs.microsoft.com/en-us/archive/blogs/latam/using-the-consistencyguid
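Steps 3 to 5 above as one script, added here as an example and not the blog's own commands: it decodes the ImmutableId, shows the same hex the post shows, and writes the bytes straight into mS-DS-ConsistencyGuid with Set-ADUser, refusing to overwrite a value that already matches. It assumes the ActiveDirectory module and a placeholder sAMAccountName:

```powershell
# Added example (not the blog's own commands): convert an ImmutableId exported from the
# destination tenant into the GUID bytes / hex string the post shows, then stamp it into
# mS-DS-ConsistencyGuid so AD Connect matches the on-premises object to the cloud object.
# Assumptions: ActiveDirectory module loaded; 'jdoe' below is a placeholder account.
function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)
    $bytes = [System.Convert]::FromBase64String($ImmutableId)
    if ($bytes.Length -ne 16) { throw "ImmutableId '$ImmutableId' does not decode to a 16-byte GUID." }
    [pscustomobject]@{
        ImmutableId = $ImmutableId
        Bytes       = $bytes
        # {0:X2} keeps the leading zero for bytes below 0x10, which a bare {0:X} would drop.
        Hex         = ($bytes | ForEach-Object { '{0:X2}' -f $_ }) -join ' '
        Guid        = [guid]::new($bytes)      # the objectGUID as AD displays it
    }
}

function Set-ConsistencyGuidFromImmutableId {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$ImmutableId,
        [switch]$WhatIf
    )
    $decoded = ConvertFrom-ImmutableId -ImmutableId $ImmutableId
    $user    = Get-ADUser -Identity $SamAccountName -Properties 'mS-DS-ConsistencyGuid'
    $current = $user.'mS-DS-ConsistencyGuid'
    # Do not touch an object that already carries the matching value.
    if ($current -and ([System.Convert]::ToBase64String([byte[]]$current) -eq $ImmutableId)) {
        return "$SamAccountName already carries ImmutableId $ImmutableId; nothing to do."
    }
    # The attribute holds the raw 16 bytes; AD Connect base64-encodes them to form the ImmutableId.
    Set-ADUser -Identity $SamAccountName -Replace @{ 'mS-DS-ConsistencyGuid' = $decoded.Bytes } -WhatIf:$WhatIf
    '{0}: mS-DS-ConsistencyGuid set to {1}' -f $SamAccountName, $decoded.Hex
}

# The value from the post; Hex comes out as AE 4E 19 81 E2 3F 97 43 A9 75 1A F9 3E 2C 14 D6.
ConvertFrom-ImmutableId -ImmutableId 'rk4ZgeI/l0OpdRr5PiwU1g=='
Set-ConsistencyGuidFromImmutableId -SamAccountName 'jdoe' -ImmutableId 'rk4ZgeI/l0OpdRr5PiwU1g==' -WhatIf
```

Drop -WhatIf once the dry run shows the right object, then replicate and run the delta sync as in step 6.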


SPF,DKIM & DMARC for Message Hygiene Services

This article is about securing email transmission and I mention multiple vendors. Proofpoint recently acquired Wombat Security Technologies, which provides security awareness training for end users. KnowBe4 is another excellent security awareness training provider and the Gartner leader in security awareness training.

None of the vendors I mention in this article can provide protection against zero-day vulnerabilities, and I still think one of the best lines of defence for any organisation is security awareness training for end users.

SPF: The Sender Policy Framework (SPF) is an email-authentication technique which is used to prevent spammers from sending messages on behalf of your domain. With SPF an organisation can publish authorized mail servers.
Ref: https://www.dmarcanalyzer.com/spf/

DKIM (Domain Keys Identified Mail) is an email authentication technique that allows the receiver to check that an email was indeed sent and authorized by the owner of that domain. This is done by giving the email a digital signature. This DKIM signature is a header that is added to the message and is secured with encryption.
Ref: https://www.dmarcanalyzer.com/dkim/

DMARC: DMARC, which stands for “Domain-based Message Authentication, Reporting & Conformance”, is an email authentication, policy, and reporting protocol. It builds on the widely deployed SPF and DKIM protocols, adding linkage to the author (“From:”) domain name, published policies for recipient handling of authentication failures, and reporting from receivers to senders, to improve and monitor protection of the domain from fraudulent email.
Ref: https://dmarc.org/

With the combination of SPF, DKIM and DMARC, these standards improve the reputation of an email domain like contoso.com. But most importantly, they can help protect an organisation like contoso.com from becoming the victim of a phishing or email spoofing campaign.

A lot of my enterprise customers and early adopters of Exchange Online chose not to use Exchange Online Protection because it quite simply wasn’t good enough at the time they moved to Exchange Online. Exchange Online Protection has really matured in the last number of years with some excellent features like:

  • Office365 ATP
  • Zero Hour Purge
  • Automated Investigation and Response (AIR)

In my view the two best locations for technical guidance on configuring Exchange Online Protection are:

  1. https://office365itpros.com/
  2. https://www-undocumented–features-com.cdn.ampproject.org/c/s/www.undocumented-features.com/2019/08/13/exchange-online-protection-eop-best-practices-and-recommendations/?amp

DKIM and DMARC should be configured on the last hop of email messages transmission.
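Whichever service is the last hop, the records the domain actually publishes are what receivers evaluate. As an added example (not from the post), a PowerShell function that pulls a domain's SPF, DMARC and DKIM records with Resolve-DnsName, counts the SPF DNS lookups against the 10-lookup limit and reports whether DMARC is at an enforcing policy; the selector names are the ones Exchange Online uses and contoso.com is a placeholder:

```powershell
# Added example (not from the post): read the SPF, DKIM and DMARC records a domain publishes
# so they can be compared with the hygiene service that is the last hop.
# Assumptions: Resolve-DnsName (DnsClient module) is available; DKIM selector names default to
# the selector1/selector2 pair Exchange Online uses; 'contoso.com' is a placeholder domain.
function Get-MailAuthRecords {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [string[]]$DkimSelectors = @('selector1', 'selector2')
    )
    # TXT records can be split into several strings; join them before parsing.
    $txt = { param($name) Resolve-DnsName -Name $name -Type TXT -ErrorAction SilentlyContinue |
             Where-Object Type -eq 'TXT' | ForEach-Object { $_.Strings -join '' } }

    $spf = @(& $txt $Domain | Where-Object { $_ -like 'v=spf1*' })
    # Every include/a/mx/ptr/exists/redirect costs a DNS lookup; RFC 7208 caps them at 10,
    # and a record over the limit evaluates to permerror at the receiver.
    $lookups = ([regex]::Matches("$spf", '(?i)(^|\s)[+\-~?]?(include:|a\b|a:|mx\b|mx:|ptr\b|ptr:|exists:|redirect=)')).Count

    $dmarc  = @(& $txt "_dmarc.$Domain" | Where-Object { $_ -like 'v=DMARC1*' })
    $policy = if ("$dmarc" -match '\bp=(\w+)') { $Matches[1] } else { 'missing' }

    $dkim = foreach ($s in $DkimSelectors) {
        $rec = @(& $txt "$s._domainkey.$Domain")
        [pscustomobject]@{
            Selector  = $s
            Published = ($rec.Count -gt 0)
            HasKey    = ("$rec" -match '\bp=[A-Za-z0-9+/=]+')   # empty p= means a revoked key
        }
    }

    [pscustomobject]@{
        Domain           = $Domain
        SPF              = "$spf"
        SPFRecordCount   = $spf.Count        # more than one SPF record is itself a permerror
        SPFLookups       = $lookups
        SPFOverLimit     = ($lookups -gt 10)
        SPFHardFail      = ("$spf" -match '\s-all$')
        DMARCPolicy      = $policy
        DMARCEnforced    = ($policy -in 'quarantine', 'reject')
        DKIM             = $dkim
    }
}

Get-MailAuthRecords -Domain 'contoso.com' | Format-List
```

If the last hop is a third-party hygiene service, its include: mechanism should appear in SPF and its selectors should be passed via -DkimSelectors.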

Microsoft have documented how to configure DKIM for Exchange Online HERE
Microsoft have documented how to configure DMARC for Exchange Online HERE

Symantec Email Security Cloud DKIM
Symantec Email Security Cloud DMARC

Mimecast DKIM
Mimecast DMARC

Proofpoint DKIM
Proofpoint DMARC
Note: DMARC Not supported on ProofPoint Essentials

Cisco Cloud Email Security DKIM
Cisco Cloud Email Security DMARC

ForcePoint Email Security DKIM
ForcePoint Email Security DMARC

Switch from SCCM Co-Management Hybrid to Intune

I recently had to break co-management of SCCM & Intune Co-Management Hybrid and migrate to Intune for mobile devices that were managed by SCCM\Intune.

I followed Gerry Hampson’s blog POST on how to do this. Gerry is a Microsoft MVP in Enterprise Client Management.

I faced a problem. How do I translate an SCCM device collection, which has no information on users, into a security group that I can assign an Intune Application Protection Policy to? In my particular instance there were only two policies required.

  1. Intune_Exec_AppProtection_Policy
  2. All users except the Exec users

Azure Active Directory has the ability to create complex dynamic user or device security groups. So in my instance I created two Intune Application Protection Policies that are listed above.

I created one on-premise synced AD Security group that contained the Exec users, this group would be assigned to Intune Application Protection Policy 1. I then wanted to create a security group that I could assign to all non exec users and any new users. So I created an Azure dynamic user security group that queried Azure AD for any user that has an Intune license. The query for the Azure dynamic security group is listed below.

user.assignedPlans -any (assignedPlan.servicePlanId -eq "c1ec4a95-1f05-45b3-a911-aa3fa01094f5" -and assignedPlan.capabilityStatus -eq "Enabled")

This type of dynamic security group can be applied to any Microsoft cloud service. The list of all Microsoft servicePlanIds is available HERE



Conditional Access and Azure Active Directory License Management

Azure AD group based license assignment was made generally available in Feb 2018. It really is a superb way of managing and assigning licenses for services like Office365.

Quite often on projects that I deliver, I will work with my customer to build profiles, which could be, for example, standard user, power user and exec user, and these groups can assign some or all of the M365 suite of services.

So this means we would have 3 security groups to match each user profile and each organisation can modify their new starter process to add new users into their relevant security group or use Identity Management tools like Microsoft Identity Manager 2016 SP1 to manage the user life cycle.

One of the quickest and most powerful conditional access policies is as follows:

  • Assignment : All users , except license groups and break glass admin account
  • Cloud Apps :  All Apps
  • Conditions : Default , NO CHANGE
  • Access Controls \ Grant : BLOCK

So the assignment to all users is the key. If a new user is not set up properly by following the new user creation process, then they cannot access the organisation's cloud apps that are integrated with Azure AD.

This is a policy to block all unlicensed users.
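As an added example (not the blog's own code), the same policy created with the AzureADPreview module. It is created in report-only mode first so the sign-in log shows who would have been blocked before anyone is actually cut off, and it checks that the break glass account really is excluded before the state is ever flipped to enabled. The group and account object IDs are placeholders:

```powershell
# Added example (not the blog's own code): the "block everyone who is not in a license group"
# policy described above, built with the AzureADPreview module in report-only mode first.
# Assumptions: the license group and break-glass account object IDs below are placeholders.
Import-Module AzureADPreview
Connect-AzureAD | Out-Null

$licenseGroupIds   = @('<objectId of StandardUser license group>',
                       '<objectId of PowerUser license group>',
                       '<objectId of Exec license group>')
$breakGlassUserIds = @('<objectId of break-glass admin account>')

$conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
$conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
$conditions.Applications.IncludeApplications = 'All'              # Cloud Apps: All Apps
$conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$conditions.Users.IncludeUsers  = 'All'                           # Assignment: All users ...
$conditions.Users.ExcludeGroups = $licenseGroupIds                # ... except the license groups
$conditions.Users.ExcludeUsers  = $breakGlassUserIds              # ... and the break-glass account

$grant = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$grant._Operator       = 'OR'
$grant.BuiltInControls = @('Block')                               # Access Controls \ Grant: BLOCK

# Report-only: nobody is blocked yet, but each sign-in is evaluated and logged against
# the policy. Change -State to 'enabled' only after that report shows no licensed users.
$policy = New-AzureADMSConditionalAccessPolicy -DisplayName 'Block unlicensed users' `
    -State 'enabledForReportingButNotEnforced' -Conditions $conditions -GrantControls $grant

# Read the policy back and confirm the exclusions actually landed before it is ever enabled.
$saved = Get-AzureADMSConditionalAccessPolicy -PolicyId $policy.Id
if ($saved.Conditions.Users.ExcludeUsers -notcontains $breakGlassUserIds[0]) {
    throw 'Break-glass account is not excluded from the block policy; do not enable it.'
}
foreach ($g in $licenseGroupIds) {
    if ($saved.Conditions.Users.ExcludeGroups -notcontains $g) { throw "License group $g is not excluded." }
}
$saved | Select-Object DisplayName, State
```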

All licensed users should have the following items configured as a minimum requirement.

  • MFA
  • SSPR
  • Combined SSPR & MFA registration
  • Azure Password Protection Service
  • Microsoft Advanced Threat Protection integration with CASB
  • Azure AD P2 license , Identity Protection policies enabled
  • Azure AD Hybrid joined machines
  • Intune managed bitlocker encrypted devices
  • Intune managed devices with security baselines

Block sending of messages based on real-time content inspection in SaaS with Cloud App Security

This post demonstrates how to integrate Facebook Workplace with Azure AD and enable single sign on, and CASB protection for keywords that users post in a Facebook Workplace site.

The process would be exactly the same for any SaaS application, and this post demonstrates the power of CASB integration with SaaS applications. For example, when using CASB to protect SaaS applications like Gmail, Salesforce and ServiceNow, CASB can block keywords in real time, inspect files for sensitive information types defined by an organisation and integrate with Azure Information Protection.

There is a Microsoft tutorial on how to integrate Azure AD with Facebook Workplace, but I found the guide difficult to follow.

So I will try and structure this post in order to block a keyword from being posted to Facebook Workplace.

  1. Sign up for a Facebook Workplace account and sign in. Then click on the admin panel , security and authentication settings.
  2. Click on the Add new SSO Provider
  3. After you click on the link displayed above , scroll down and copy the audience URL which is the unique identifier.
  4. Next we add a new tab in the browser and go to Azure Active Directory , Enterprise Applications and add Facebook Workplace from the gallery.
  5. Add the users or security group that will have access to this published application within Azure AD
  6. Create a conditional access policy and do the following
    Select Facebook Workplace as the app
    Select the users in scope for testing
    Select session control and select the settings displayed in the image below
    There is obviously a lot more protection that can be applied with this conditional access policy, like location protection , azure hybrid joined machines etc..  For the purpose of this blog we are simply demonstrating the interaction with CASB and conditional access session policies.
  7. As I always use Chrome until Edge Chromium is GA, the next step is to open a new tab, install the My Apps Secure Sign-in Extension for Chrome and sign in with the credentials that you are signed into the Azure Portal with.
  8. Within Azure AD , Select Facebook Workplace and select single sign on and select SAML
  9. Edit the basic SAML configuration and paste in the following URLs
    A: Identifier (Entity ID): the audience URL captured in step 3
    B: Reply URL (Assertion Consumer Service URL): https://my.workplace.com/work/saml.php
    C: Sign On URL: https://my.workplace.com/work/saml.php
  10. Exit the SAML basic configuration, then move to step 5 in the SAML configuration and click on ‘Setup WorkPlace for Facebook’
  11. When we click on ‘Setup WorkPlace by Facebook’, the browser will redirect the session to the Facebook WorkPlace authentication settings; click on the ‘Single Sign On (SSO)’ button
  12. Wait a few seconds and the Chrome add in we discussed in step 7 will display the following screen which will auto populate the Azure SAML configuration automatically into Facebook WorkPlace.
  13. The next pop up requests the admin to test SSO and then save the changes.
  14. The next window will re-direct the Facebook Workplace login url through CASB
  15. Click on close on the next page
  16. Next, a really important step: go back to the Facebook Workplace tab and select save changes
  17. Next steps are to create the Cloud App Security Policy to block a key word using this template :Block sending of messages based on real-time content inspection
  18. The activities in the policy are displayed below
  19. The content inspection config of the policy uses contoso as the keyword
  20. The action is to block and notify the user with the organisation’s terms and conditions for usage of cloud apps or a custom response
  21. Finally , Facebook WorkPlace will be available for the users in scope to use the application in the https://myapps.microsoft.com portal

Final note: SaaS applications that support SCIM will be much easier to onboard into Azure Active Directory and CASB. I hope this blog post shows how easy it is to onboard SaaS apps into Azure AD and CASB.