Friday, April 26, 2019
Wednesday, June 27, 2018
Securing Intune Enrolment
The Intune enrollment process can be secured with Conditional Access and Azure MFA, and Microsoft has an article available HERE that describes how to secure the Intune Enrollment app with Azure MFA.
But first we need to secure the Azure MFA registration process itself. If an attacker has obtained a user's credentials and that user has not yet registered for MFA, the attacker could use his or her own phone to register for MFA.
So there are 3 methods to secure the MFA registration process.
- Multi-factor authentication registration policy
- User risk Sign In Policy
- Populating the phone numbers as described in this ARTICLE
If using method 3 with text message or phone call authentication, the organisation's admins can populate the mobile phone number per user and thereby manage the MFA registration process.
Some helpful commands
## Using the MSOnline module, query a user's existing MFA authentication methods
Get-MsolUser -UserPrincipalName sean@contoso.com | Select-Object -ExpandProperty StrongAuthenticationMethods
## Using the MSOnline module, clear a user's existing MFA authentication methods (an empty array clears the list; the user must register again)
Set-MsolUser -UserPrincipalName sean@contoso.com -StrongAuthenticationMethods @()
## Export all users with registered MFA methods to a CSV
Get-MsolUser -All | Where-Object { $_.StrongAuthenticationMethods.Count -gt 0 } | Select-Object -Property UserPrincipalName | Export-Csv "CSV PATH" -NoTypeInformation
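The commands above look at one user at a time or only list the registered ones. The exposure described earlier is the opposite set: accounts that have not registered yet. The following is an added example, not part of the original post, that builds a tenant-wide report of registration state and default method and exports the unregistered users for follow-up. It assumes the MSOnline module is installed, Connect-MsolService has already been run, and the CSV path is a placeholder of my own.

```powershell
# Added example (not from the original post). Requires: Connect-MsolService already run.
function Get-MfaRegistrationReport {
    param(
        # Assumed output location for the unregistered list; change as needed
        [string]$UnregisteredCsvPath = "$env:TEMP\mfa-unregistered.csv"
    )

    $report = foreach ($user in Get-MsolUser -All) {
        # StrongAuthenticationMethods is empty until the user completes registration
        $methods = @($user.StrongAuthenticationMethods)
        $default = $methods | Where-Object { $_.IsDefault } | Select-Object -First 1
        [pscustomobject]@{
            UserPrincipalName = $user.UserPrincipalName
            Registered        = ($methods.Count -gt 0)
            DefaultMethod     = if ($default) { $default.MethodType } else { 'None' }
            AllMethods        = ($methods.MethodType -join ';')
            # Method 3 in the post relies on this attribute being populated
            HasMobilePhone    = -not [string]::IsNullOrWhiteSpace($user.MobilePhone)
        }
    }

    # Unregistered accounts are the ones an attacker with a password could register against
    $report | Where-Object { -not $_.Registered } |
        Export-Csv -Path $UnregisteredCsvPath -NoTypeInformation

    $report
}

$result = Get-MfaRegistrationReport
$result | Group-Object Registered | Select-Object Name, Count
$result | Where-Object { -not $_.Registered -and -not $_.HasMobilePhone } |
    Select-Object UserPrincipalName
```

The last line lists users who are neither registered nor have a phone number populated, i.e. the accounts that none of the three methods covers yet.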
Once we have followed the guidelines in the Microsoft article to secure the Intune enrollment process with MFA, we can proceed to create our policy for Android and iOS.
In the conditional access policy for Android and iOS devices, the final actions are listed below: devices must be compliant, and the compliance enrollment process is itself secured with MFA.
Wednesday, May 9, 2018
Automate OneDrive for Business Hold with Azure Automation
I was working on a project for a customer recently who wanted to automate the process of placing ODFB sites on hold, in the same way we can automate placing all Exchange Online mailboxes on hold.
So I created a script and uploaded it to the TechNet Gallery, available HERE.
Readiness Toolkit to assess application compatibility for Office 365 ProPlus
Microsoft recently released a new Readiness Toolkit to assess application compatibility for Office. The toolkit can be downloaded HERE.
This blog post describes how I used this toolkit to gather analysis for approximately 1500 machines.
- Install the toolkit on a Windows client.
- Create a network share and grant sufficient permissions for each client machine and user. Then copy all of the files from the local installation to the file share.
- Create a new folder in the file share called readiness.
- Add the executable 'Readinessreporter.exe' as an exclusion in your endpoint protection service.
- Create a .bat file containing: '\\fileshare\ReadinessReportCreator.exe -mru -addinscan -output \\fileshare\readiness\ -silent'
- Add the .bat file to a group policy start-up script.
- After a number of days, once client machines have logged on, there will be a sufficient number of .json files.
- Launch the Readiness Toolkit and choose the option 'Previous readiness results saved together in a local folder or network share'. This will then produce the report.
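The .bat file above runs the scanner on every start-up and gives no feedback when the share is unreachable. Below is an added example, not from the original post or the toolkit, of a PowerShell start-up script wrapping the same command line that scans each machine once and records failures in the Application event log. The tool and output share paths, the per-machine marker file name and the event source name are all assumptions of mine.

```powershell
# Added example (not from the original post). Assumed paths and names below.
$ToolPath   = '\\fileshare\ReadinessToolkit\ReadinessReportCreator.exe'
$OutputPath = '\\fileshare\readiness\'
$Marker     = Join-Path $OutputPath ("done-{0}.txt" -f $env:COMPUTERNAME)  # assumed marker
$Source     = 'ReadinessScan'                                               # assumed event source

# Start-up scripts run as SYSTEM, so registering an event source here is allowed
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName Application -Source $Source
}

function Write-ScanEvent([string]$Message, [string]$Type = 'Information', [int]$Id = 0) {
    Write-EventLog -LogName Application -Source $Source -EntryType $Type -EventId $Id -Message $Message
}

function Invoke-ReadinessScan {
    if (Test-Path $Marker) { return 'AlreadyScanned' }
    if (-not (Test-Path $ToolPath)) {
        Write-ScanEvent "Readiness tool not reachable at $ToolPath" 'Error' 1
        return 'ToolMissing'
    }
    # Same switches as the post's .bat file: MRU documents, add-in scan, silent run
    $proc = Start-Process -FilePath $ToolPath `
        -ArgumentList @('-mru', '-addinscan', '-output', $OutputPath, '-silent') `
        -Wait -PassThru -WindowStyle Hidden
    if ($proc.ExitCode -ne 0) {
        Write-ScanEvent "ReadinessReportCreator exited with code $($proc.ExitCode)" 'Error' 2
        return 'ScanFailed'
    }
    # Leave a marker so the scan is not repeated at every boot
    Get-Date -Format o | Set-Content -Path $Marker
    Write-ScanEvent "Readiness scan completed for $env:COMPUTERNAME"
    return 'Scanned'
}

Invoke-ReadinessScan
```

Filtering the Application log for the assumed source then shows which machines never managed to reach the share, which the plain .bat approach would leave invisible.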
This toolkit is very useful for providing a detailed report on add-ins and macros. The most common Office applications that use specific add-ins are Word and Excel. A use case where this type of report becomes critical is for legal organisations that use case management systems or document management systems.
Friday, March 30, 2018
Block native mail app on Apple iOS using Azure conditional access policies
Azure conditional access policies make this really simple, and the following screenshots will show how we can create this conditional policy.
Browse to the Azure Active Directory admin center / Azure Active Directory/ Conditional Policies
Next we assign what users the policy will be applied to
Select the cloud app - Exchange Online
Select the client app - Active Sync
Select the controls to enforce
Finally save & enable the policy
Now when a client attempts to set up and use the native Apple iOS mail app, this message will appear in the end user's mailbox and the native app will be unusable for sending and receiving messages. The user can then proceed with the device enrollment process.
Wednesday, September 27, 2017
Clear down Exchange 2016 Transaction Logs
During enterprise migrations to Exchange 2016, log files can grow very large, and the role of an Exchange backup service becomes critical to clear down log files and ensure log file volumes do not run out of space.
Quite often businesses request that bulk upload migrations are performed outside business hours. The problem with this is that backups run at the same time as the bulk uploads, which prevents the backup program from truncating log files.
Circular logging is not an option when Exchange is hosting a DAG.
These simple commands can trick Exchange into thinking a full backup has been performed; Exchange will then take care of truncating the logs without causing any corruption to the databases.
- Log on to the Exchange server that hosts the volume running low on space
- Launch a command prompt with elevated privileges
- Type: Diskshadow and press enter
- Add the volume (browse to the root of the volume; NTFS mount points are fine). The following command adds DBVolume1: Add volume C:\-Exchange-Disks\DBVolume1 and press enter
- Begin backup and press enter
- Create and press enter
- End backup and press enter
Exchange will then truncate the logs
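The interactive Diskshadow session above can also be driven from a script file with diskshadow /s, which is handy when the volume fills up at 3am. The following is an added example, not from the original post: it writes the same four commands to a script file, runs Diskshadow against it and reports free space on the volume before and after. The volume path is the post's example, the script file location and the 30-second wait are assumptions, and it must be run from an elevated session on the Exchange server.

```powershell
# Added example (not from the original post). Run elevated on the Exchange server.
function Invoke-ExchangeLogTruncation {
    param(
        [Parameter(Mandatory)][string]$VolumePath,                 # e.g. C:\-Exchange-Disks\DBVolume1
        [string]$ScriptFile = "$env:TEMP\exchange-logtrunc.dsh"   # assumed script location
    )
    if (-not (Test-Path -LiteralPath $VolumePath)) { throw "Volume path $VolumePath does not exist" }

    # Win32_Volume.Name holds the mount point path with a trailing backslash, so
    # this works for NTFS mount points as well as drive letters
    $mount = $VolumePath.TrimEnd('\') + '\'
    $getFreeGB = {
        $vol = Get-CimInstance Win32_Volume | Where-Object Name -eq $mount
        [math]::Round($vol.FreeSpace / 1GB, 2)
    }
    $freeBefore = & $getFreeGB

    # The same four commands the post types interactively, one per line
    @("add volume $VolumePath", "begin backup", "create", "end backup") |
        Set-Content -Path $ScriptFile -Encoding ASCII

    $proc = Start-Process -FilePath diskshadow.exe -ArgumentList "/s `"$ScriptFile`"" `
        -Wait -PassThru -NoNewWindow
    if ($proc.ExitCode -ne 0) { throw "diskshadow exited with code $($proc.ExitCode)" }

    # Exchange truncates once it sees the backup-complete event; allow it a moment (assumed 30s)
    Start-Sleep -Seconds 30
    [pscustomobject]@{
        Volume       = $VolumePath
        FreeGBBefore = $freeBefore
        FreeGBAfter  = & $getFreeGB
    }
}

Invoke-ExchangeLogTruncation -VolumePath 'C:\-Exchange-Disks\DBVolume1'
```

If FreeGBAfter has not moved, check the Application log for the Exchange VSS writer events before running it again.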
Thursday, June 15, 2017
Skype for Business - Network password required to connect
Most enterprises use a corporate proxy to control Internet access for the organisation. Skype for Business makes connections to the Internet to display the tips on start-up, and this can cause the dreaded error message displayed above and a lot of help desk calls.
So this is how we can stop this from happening.
Whitelist the following URLs for unauthenticated access
Then we can add the following registry keys via group policy or RES Workspace, depending on the environment.
We then need to create some registry keys.
Open Regedit and go to the location HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Lync
Create a new DWORD named "IsBasicTutorialSeenByUser" with value 1
Create a new DWORD named "TutorialFeatureEnabled" with value 0
###############################################################
HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ClientTelemetry
Name: DisableTelemetry
Type: DWORD
Value: 160000 (Decimal)
###############################################################
[HKEY_LOCAL_MACHINE\Software\Microsoft\Office\16.0\User Settings\ClientTelemetry]
"Count"=dword:00000001
###############################################################
[HKEY_LOCAL_MACHINE\Software\Microsoft\Office\16.0\User Settings\ClientTelemetry\Create\Software\Microsoft\Office\Common\ClientTelemetry]
"DisableTelemetry"=dword:29810
###############################################################
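For testing on a single machine before rolling the keys out via group policy, the HKCU values above can be applied and verified from PowerShell. This is an added example, not from the original post: it creates the three per-user values exactly as listed (the HKLM User Settings entries are left to policy) and reads them back so a mis-typed name or type shows up immediately. It assumes it is run as the affected user.

```powershell
# Added example (not from the original post). Run in the context of the affected user.
$LyncKey      = 'HKCU:\Software\Microsoft\Office\16.0\Lync'
$TelemetryKey = 'HKCU:\Software\Microsoft\Office\Common\ClientTelemetry'

# The three HKCU values from the post, with the post's decimal value for DisableTelemetry
$settings = @(
    @{ Path = $LyncKey;      Name = 'IsBasicTutorialSeenByUser'; Value = 1 },
    @{ Path = $LyncKey;      Name = 'TutorialFeatureEnabled';    Value = 0 },
    @{ Path = $TelemetryKey; Name = 'DisableTelemetry';          Value = 160000 }
)

function Set-LyncStartupKeys {
    foreach ($s in $settings) {
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        # -PropertyType DWord guarantees REG_DWORD; -Force overwrites a wrong existing type
        New-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -PropertyType DWord -Force | Out-Null
    }
}

function Test-LyncStartupKeys {
    foreach ($s in $settings) {
        $actual = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        [pscustomobject]@{
            Key      = "$($s.Path)\$($s.Name)"
            Expected = $s.Value
            Actual   = $actual
            Ok       = ($actual -eq $s.Value)
        }
    }
}

Set-LyncStartupKeys
Test-LyncStartupKeys | Format-Table -AutoSize
```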