Block sending of messages based on real-time content inspection in SASS with Cloud APP Security

This post demonstrates how to integrate Facebook Workplace with Azure AD and enable single sign on, and CASB protection for keywords that users post in a Facebook Workplace site.

The process would be exactly the same for any SAAS application and this post demonstrates the power of CASB integration with SAAS applications. For example , when using CASB to protect SAAS applications like GMAIL, Salesforce, Service Now, CASB can block real time key words and inspect files for sensitive information types defined by an organisation and integrate with Azure Information Protection.

There is a Microsoft tutorial on how to integrate Azure AD with Facebook workplace but I found the guide difficult to follow.

So I will try and structure this post in order to block a keyword from being posted to Facebook Workplace.

  1. Sign up for a Facebook Workplace account and sign in. Then click on the admin panel , security and authentication settings.
  2. Click on the Add new SSO Provider
  3. After you click on the link displayed above , scroll down and copy the audience URL which is the unique identifier.
  4. Next we add a new tab in the browser and go to Azure Active Directory , Enterprise Applications and add Facebook Workplace from the gallery.
  5. Add the users or security group that will have access to this published application within Azure AD
  6. Create a conditional access policy and do the following
    Select Facebook Workplace as the app
    Select the users in scope for testing
    Select session control and select the settings displayed in the image below
    There is obviously a lot more protection that can be applied with this conditional access policy, like location protection , azure hybrid joined machines etc..  For the purpose of this blog we are simply demonstrating the interaction with CASB and conditional access session policies.
  7. As I always use Chrome until Edge Chromium is GA , the next step is to to open a new tab and install the My Apps Secure Sign-in Extension for Chrome and sign in with the credentials that you are signed into the Azure Portal with.
  8. Within Azure AD , Select Facebook Workplace and select single sign on and select SAML
  9. Edit basic saml configuration and paste in the following urls
    A:Identifier (Entity ID) :  The audience url captured in step 3
    B:Reply URL (Assertion Consumer Service URL) :
    C:Sign On Url :
  10. Exit the SAML basic configuration and then move to step 5 in the SAML configuration and click on ‘Setup WorkPlace for Facebook’
  11. When we click on ‘Setup WorkPlace by Facebook’ , The browser will redirect the session to the Facebook WorkPlace authentication settings and click on the ‘Single Sign On  (SSO) button
  12. Wait a few seconds and the Chrome add in we discussed in step 7 will display the following screen which will auto populate the Azure SAML configuration automatically into Facebook WorkPlace.
  13. The next pop up requests the admin to test SSO and then save the changes.
  14. The next window will re-direct the Facebook Workplace login url through CASB
  15. Click on close on the next page
  16. Next really important step , Go back to the Facebook Workplace tab and select save changes
  17. Next steps are to create the Cloud App Security Policy to block a key word using this template :Block sending of messages based on real-time content inspection
  18. The activities in the policy are displayed below
  19. The content inspection config of the policy uses contoso as the keyword
  20. The action is to block and notify the user with the organisation’s terms and conditions for usage of cloud apps or a custom response
  21. Finally , Facebook WorkPlace will be available for the users in scope to use the application in the portal

Final note , SAAS applications that support SCIM will be much easier to on-board into Azure Active Directory and CASB. I hope this blog post shows how easy it is to on-board SAAS apps into Azure AD and CASB.


Remove a public domain name from an Office365 Tenant – The QUICK WAY

I have worked recently on a lot of Office365 tenant to tenant migrations and the biggest challenge in all of these migrations is where the same domain name eg. cannot exist in two tenants at once.

I always use the Migration Wiz Bundle which can migrate primary mailbox, archive mailbox , ODFB sites and Deployment Pro which manages the Outlook Profile transition to the new tenant.

Migration Wiz have an interesting co-existence solution which you can review HERE

If using a migration tool like Migration Wiz and all data has been migrated a really quick way of removing all traces from from the legacy tenant is to run through the following process

WARNING ALL DATA MUST BE MIGRATED BEFORE ATTEMPTING TO USE THIS PROCESS. This process does not delete any data. It removes all references to the public domain that is required in the target tenant in this example that domain name is CONTOSO.COM. If users still need to access data in a Sharepoint Site in the legacy tenant the user me informed on what their new UPN is.

  1. Connect to Azure AD Connect server
  2. Disable-ADSyncExportDeletionThreshold  and then enter Office365 Global Admin Credentials
  3. Next steps are to de-select all the OUs that were previously in scope for synchronization
  4. Then run this command on the Start-ADSyncSyncCycle -PolicyType Initial
    (Run the command twice)
  5. This will place all objects that were synced to Office365 in the recycle bin.
  6. Change UPN for any cloud identity objects that remain
    Get-MsolUser -All | ? {$_.UserPrincipalName -match “” -and $_.UserPrincipalName -notmatch “admin”} | % {Set-MsolUserPrincipalName -ObjectId $_.objectId -NewUserPrincipalName ($_.UserPrincipalName.Split(“@”)[0] + “”); $dataout += “$($_.UserPrincipalName)” ; $_.UserPrincipalName };$dataout | out-file “CSV FILE NAME AND PATH”}}
  7. Set the primary smtp address for all remaining mail enabled objects to
    $AllMailboxes = Get-Mailbox -ResultSize Unlimited
    Foreach ($Mailbox in $AllMailboxes){
    # Creating NEW E-mail address that concatenate in the following way: Take the existing recipient Alias name + use the NEW Domain name as a domain suffix + “Bind” the Alias name + the NEW Domain name suffix.$NewAddress = $Mailbox.Alias + “”Set-Mailbox -Identity $Mailbox.Alias -WindowsEmailAddress $NewAddress 
  8. Remove all aliases
    $Records = Get-mailbox -ResultSize Unlimited| where {$_.emailaddresses -like “smtp:*”} | Select-Object DisplayName,@{Name=“EmailAddresses”;Expression={$_.EmailAddresses |Where-Object {$_ -like “smtp:*”}}}foreach ($record in $Records){    write-host “Removing Alias” $record.EmailAddresses “for” $record.DisplayName

        Set-Mailbox $record.DisplayName -EmailAddresses @{Remove=$record.EmailAddresses}


  9. Remove from any groups
    Get-Msolgroup -All | where {$_.emailaddress -match “”} | Remove-MsolGroup –Force
  10. Change the default domain in the portal to
  11. Remove
    Remove-MsolDomain -DomainName “” –Force
  12. Next we can add into the new Office365 tenant and update the mx records for
  13. Last but not least , We modify AD Connect configuration and re-enable the sync of all the objects that were previously synced and are now in the Office365 recycle bin ,they will all be restored and have the ability to access their data via a UPN.

We forgot to mention Public Folders. Migration Wiz have a separate tool for public folder migrations which is very simple to use. I always prefer to convert public folders into resource mailboxes.

Credit: The domain removal powershell migration scripts are publicly available in Migration  Wiz Knowledge Base articles.

Exchange 2010 – 2016 Hyrid – Outlook not connecting

I have wrote many articles  about the Exchange Hybrid process. There are lots of excellent articles on line about this process. This blog post is aimed it simplifying the whole process and ensuring 2010 clients can still connect when using Exchange 2016 servers for autodiscover.

The Exchange Online Hybrid wizard has greatly improved over the years and the Exchange Hybrid Modern Agent is an amazing step forward and provides a mechanism to quickly migrate mailboxes to Exchange Online.

Exchange 2010  support will Expire in October 2020. I have recently been performing a lot of Hybrid migrations using Exchange 2010 and Exchange 2016 as the hybrid server

I always use this powershell SCRIPT to install the pre-requisites for each new Exchange server.

Autodiscover services are typically  transferred from the Exchange 2010 servers to Exchange 2016 servers.

Simply updating the A record to point at the new Hybrid server and expecting clients to connect without any issues is a big mistake.

If the Exchange 2010 organisation has a load balanced virtual ip , this IP cannot be simply reused for the Exchange 2016 server. The main reason for this is that,mapi has transitioned to mapi over http from Exchange 2013 versions and higher.

Exchange 2016 has different virtual directories and also has health check urls per Exchange virtual directory.

  • Kemp – Kemp have templates for Exchange 2016
  • F5 – Have templates for Exchange 2016
  • Netscaler – Follow this article to load balance Exchange 2016 via Netscaler HERE

When the Exchange Hybrid has been installed and configured , Run this SCRIPT
And set all of the virtual directories to your corporate domain eg.

On the Exchange 2010 server , get an inventory of databases hosted on the Exchange 2010 servers. And then run this command to set the rpc client access server per Exchange 2010 database,

Set-MailboxDatabase –Identity “<Database Name>” –RPCClientAccessServer “exch2010-01.contoso.local”

This is the most important task, Exchange 2016 receives autodiscover requests and proxies them to the Exchange 2010 client access servers for mailboxes that are still hosted on Exchange 2010.

Now is the time to update the two DNS records and to point to the new Hybrid server.

Exchange Online users that have been migrated and are working outside of their company offices will query the public record which will point to the hybrid server, the hybrid server will respond with the correct autodiscover xml via http redirect to Exchange Online.

Intune Endpoints Through Proxies or Corporate Firewalls

Microsoft previously submitted all the urls  and ip ranges for the Office365 platform on Now there is a new Office365 IP Web Service , HERE 

It would be great if this dynamic ip services covered all services in Office365  that can be updated in firewalls and proxies. Unfortunately it does not.

Intune is an amazing service from Microsoft but if you do not white-list the endpoints listed HERE

Features like Bitlocker, x86 custom app deployments, Windows 10 Security Baselines will fail.

Microsoft Cloud Service for Global Enterprise Organisation

Even I get confused when it comes to all the different options available with Microsoft cloud services.Some of my global customers have engaged with business analyst to perform the task of user profiling to try and establish what licenses end user really need per division.

One of my customers refused to buy AD premium for all users because they could lock down access by IP-range with ADFS and don’t need to license 23k users for AD premium. This is a very valid use case when you do the numbers and saves a lot of money.

Some of my customers want conditional access but do not have a compatible version of Office or OS and when the cost associated with bringing the desktop to a suitable level for conditional access for 10, 20k user sites, they are most often binned.

For global roll outs of Office365 , I aways recommend the use of a business analyst for user profiling to get the best value for your client or customer.

Microsoft always get their money!!!

Exchange On-Premise Mailbox will not MIGRATE

I recently encountered an issue which I have seen before but never this bad and more commonly with Public Folders. My customer had a 50GB mailbox that also had an archive mailbox. The mailbox would get so far and just stall and never complete.

So I tried all of some of the usual methods to repair the mailbox to no avail.
Repair the mailbox with PowerShell & Migrate the mailbox to another Exchange database

So we asked the customer could we review the mailbox and found thousands of folder in the format of 16/04/2019. Exchange does not like / , Exchange normally sees / as the top of the information store. So my first attempt to resolve this was powershell and could not seem to crack it. Thanks to my colleague Mark Doyle  ,We resolved this issue with an Outlook Macro.

So if you ever encounter this unique issue , Please follow these steps.

  1. Browse to the Outlook Trust Center
  2. Macro Settings, Select Notifications for all Macros
  3. Press Alt + F11 to open Visual Basic
  4. Double click “This Outlook Session” under Microsoft Outlook Objects
  5. Paste  this TEXT below into the window
  6. Click on the folder or inbox that you want , And run the Macro
  7. Input character we want to replace in this case will be /
  8. Then select . as the replacement character
  9. Finally task complete

Final Comment

This is in no means an enterprise solution and I asked Microsoft for help and didn’t get anywhere. Once we removed the / , We could see when checking get-moverequeststatistics (mailbox) , that it was getting past the ‘create folder hierarchy’ stage in a mailbox move. And we did not need to tell our customer , Sorry this mailbox cannot be migrated!

Azure AD Combined security information registration

One of the glaring holes in the SSPR and MFA registration process was when bad actors that had compromised credentials could register for SSPR or MFA if the compromised account had not already registered.

One of my customers highlighted this to me and the way we overcame the vulnerability was to populate Active Directory with mobile numbers and through powershell force the authentication method to text message and not give an end user the choice.

Finally Microsoft have released a feature that can lock down the SSPR an MFA registration process to a corporate ip or ip ranges, the following slides show how we enable this in a conditional access policy.

  1. Select all users and exclude the tenant Office365 admin breakglass account.
  2. Select cloud apps or actions and select the ‘Register Security information (preview)’ option.
  3. In location select from any location
  4. Exclude all trusted locations
  5. In the controls section , Select ‘Grant Access’ and ‘Require multi-factor authentication.


Office365 & Intune White list URL and IP Range

For years I have fought tooth and nail with Security vendors on my enterprise customer sites that will typically have a corporate proxy or silent proxy like Palo Alto by tryng to get them to grant the customer,site or project access to Office365.

Microsoft have made the Office365 endpoints dynamically available as a web link which all enterprise firewall vendors support like Cisco, Juniper, Palo Alto can connect to.

Palo Alto guide HERE

Microsoft site Office 365 URLs and IP address ranges
Dynamic URL for firewalls and proxies 

I have faced on numerous occasions , issues with ip ranges that are outside the published Microsoft ranges. When my customer asked me what is this IP address , I cannot say it is mine and then need Microsoft to verify via a service ticket that they own the ip address.

My recommendation is also to white list the urls and ip ranges listed in this Microsoft article when using Intune. Intune network configuration requirements and bandwidth

Microsoft IP ranges outside the published ip ranges have affected me on customer project sites with Office365 ProPlus activation and Intune managed BitLocker encryption.

Hybrid Azure AD Joined Devices

Anyone familiar with conditional access, will have noticed this access control in Conditional Access policies. So what does it mean , How can I enable this, Is this a good feature.

This is not a good feature, it is an excellent feature. The best way to describe this control requirement is as follows. DO NOT GRANT access unless the machine is DOMAIN JOINED. Many enterprise companies have corporate wifi rolled out and only permit access to the corporate wifi via credentials and a machine certificate issued by the local certificate authority.

AD Connect keeps getting better and better and Microsoft have made it so easy to enable this feature. The following screenshots ill demonstrate how easy it is to enable this feature.

Modify the configuration of AD Connect and select ‘Configure Device Options’

Enter Azure AD Credentials

Note: Only select the second option ‘Supported Windows domain level domain-joined devices if you are using Azure Seamless Sign On, Azure Seamless Sign on provides the functionality to support Windows 7 and above operating systems.

Then enter enterprise admin on-premise credentials as per the image below.

Download and run the PowerShell script using on-premise enterprise admin credentials that AD Connect has prepared as per image above.

Next step is to follow this Microsoft Article : To enable auto enrollment of Windows Devices.

Now that we have enabled device auto enrollment into Intune, What are the benefits?

  • Intune Device Management – Intune can manage 5 devices per user license
  • Conditional Access Policy Control : Hybrid Azure AD objects
  • Intune – Bitlocker Management
  • Azure Dynamic Machine groups can be a useful method for managing global or large enterprise organisations.
  • Windows 10 Security Base Lines
  • Intune integration with Windows Defender ATP

These are just a small number of benefits , Open to comments on more benefits.

Update: 24.05.2019

Follow THIS Microsoft guide and block downloading from SharePoint Online on no domain joined devices

eDiscovery for Exchange Online Data at Rest

  • It is not possible to search for sensitive information types when selecting Exchange Online mailboxes as the data source , Office 365 User Voice REQUEST
  • It is possible to search for the items specified in this Microsoft ARTICLE and via KeyWord

The screen shot below is from an Office365 E5 Advanced eDiscovery query that shows these types of searches are not supported