Wednesday, June 27, 2018

Securing Intune Enrolment



I have been working a lot with Intune for Android & IOS MDM. This post is focused on securing enrollment for Android & IOS devices. There are different methods available for Windows 10 devices which will be covered in a later post.

The Intune enrollment process can be secured via Conditional Access & Azure MFA and Microsoft have an article available HERE that describes how to secure the Intune Enrollment APP via Azure MFA.

But first we need to secure the Azure MFA registration process, If an attacker has obtained a user's credentials and the user that has been compromised has not registered for MFA, the attacker could use his\her phone to register for MFA.

So there are 3 methods to secure the MFA registration process.


  1. Multi-factor authentication registration policy 
  2. User risk Sign In Policy
  3. Populating the phone numbers as described in this ARTICLE
If using method 3 and using a text message or call authentication process, The organisation admins can populate the mobile phone number per user and manage the MFA registration process.

Some helpful commands

##Using MSONLINE module, Query what the existing MFA auth method is
get-msoluser -UserPrincipalName sean@contoso.com | Select-Object -ExpandProperty StrongAuthenticationMethods

##Using MSONLINE module to cancel existing MFA Auth methods
set-msoluser -UserPrincipalName sean@contoso.com -StrongAuthenticationMethods $null

##Export all MFA enabled users to a csv
Get-MsolUser -All | where {$_.StrongAuthenticationMethods -ne $null} | Select-Object -Property UserPrincipalName | export-csv "CSV PATH"

Once we have followed the guidelines in the Microsoft article to secure the Intune enrollment process with MFA , We can proceed to create our policy for Android & IOS

In the conditional access policy for Android & IOS devices, The final actions are listed below, Devices must be compliant but the compliance enrollment process is secured with MFA












Wednesday, May 9, 2018

Automate OneDrive for Business Hold with Azure Automation

I was working on a project for a customer recently that wanted to automate the process of placing ODFB sites on hold the same way we can automate all Exchange Online mailboxes being placed on hold.

So I created a script and uploaded it to Technet Gallery , Available HERE

Readiness Toolkit to assess application compatibility for Office 365 ProPlus


Microsoft recently released a new Readiness Toolkit to assess application compatibility for Office. The toolkit can be downloaded HERE.

This blog post describes how I used this toolkit to gather analysis for approx 1500 machines.


  1. Install the toolkit on a Windows client.
  2. Create a network share and provide sufficient permissions for each client machine and user. Then copy all of the files from the local installation to the file share.
  3. Create a new folder in the file share called readiness.
  4. Add this executable as an exclusion to your endpoint protection service 'Readinessreporter.exe' 
  5. Create a .bat file : '\\fileshare\ReadinessReportCreator.exe -mru -addinscan -output \\fileshare\readiness\ -silent'
  6. Add the .bat file into a group policy start up script
  7. After a number of days when client machines have logged on, Their will be a sufficient number of .json files.
  8. Launch the readiness toolkit and choose the option
    'Previous readiness results saved together in a local folder or network share'
  9. This will then produce the report
This toolkit is very useful for providing a detailed report on add-ins and macros. The most common Office applications that use specific add-ins are Word and Excel. A use case where this type of report becomes critical is for legal organisations that use case management systems or document management systems.
































Friday, March 30, 2018

Block native mail app on Apple IOS using Azure conditional access policies


I recently set up EMS for a customer and they wanted to ensure all ios native mail apps were blocked and that all client phones must use the Microsoft Outlook app and that devices are enrolled before they can access corporate email.

Azure conditional access policies make this really simple and the following screenshots ill show how we can create this conditional policy.

Browse to the Azure Active Directory admin center / Azure Active Directory/ Conditional Policies

   Firstly Create the Policy

    Next we assign what users the policy will be applied to

   Select the cloud app - Exchange Online

    Select the client app - Active Sync


    Select the controls to enforce

Finally save & enable the policy


Now when a client attempts to setup and use the native Apple IOS app , this message will appear in the end users mailbox, the native app will be unusable for sending and receiving messages. The user can then proceed with the device enrollment process.








   



Wednesday, September 27, 2017

Clear down Exchange 2016 Transaction Logs


During enterprise migrations to Exchange 2016 , Logfiles can grow very large and the role of an Exchange backup service becomes critical to clear down log files and ensure log file volumes do not run out of space.

Quite often businesses request bulk upload migrations are performed outside business hours, the problem with this is that backups run at the same time as bulk uploads and then prevents the backup program from truncating log files.

Circular logging is not an option when there Exchange is hosting a DAG.

These simple commands can trick Exchange into thinking a full backup has been performed and then Exchange will take care of truncating the logs and not cause any corruption to databases.

  1. Log on to Exchange server that hosts the volume running low on space
  2. Launch a command prompt with elevated privilages
  3. Type : Diskshadow and press enter

    ####Browse to the root of the volume, NTFS mount points are fine, the following command mounts DBVolume1
  4. Add volume C:\-Exchange-Disks\DBVolume1
  5.  Begin backup and press enter
  6. Create and press enter
  7. End backup and press enter
Exchange will then truncate the logs 

Thursday, June 15, 2017

Skype for Business - Network password required to connect



Most enterprises use a corporate proxy to control Internet access for an organisation. Skype for Business makes connections to the Internet to display the tips on start up and this can cause the dreaded error message displayed above and a lot for help desk calls.

So this is how we can stop this from happening

Whitelist the following URS for unauthenticated access







Then we can add the following reg keys via group policy or res workspace depending on the environment.

We then need to create some reg keys.

Open Regedit and go to location HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Lync 
Create new Dword name “IsBasicTutorialSeenByUser” with value:1 
Create new Dword name TutorialFeatureEnabled with value:0

###############################################################
 HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ClientTelemetry
Name: DisableTelemetry
Type: DWORD
Value: 160000 (Decimal)
######################################################################
[HKEY_LOCAL_MACHINE\Software\Microsoft\Office\16.0\User Settings\ClientTelemetry]
"Count"=dword:00000001
###############################################################
[HKEY_LOCAL_MACHINE\Software\Microsoft\Office\16.0\User Settings\ClientTelemetry\Create\Software\Microsoft\Office\Common\ClientTelemetry]
"DisableTelemetry"=dword:29810
###############################################################

Credit:





Thursday, March 30, 2017

How to lock down Office365 Global Admin access with managements scopes.


I have not posted a blog entry in quite some time, I have been crazy busy working for my new employer Evros and busy with my kids. I hope this blog will prove useful to anyone out there that follows my blog and promise a lot Blog posting to follow focusing on data protection, advanced threat analytics and AZURE

To help describe why an enterprise would like to lock down global admin access, I would like to describe a typical enterprise organisation and scenario.

Contoso.com is an enterprise organisation that consists of 15 companies. 
Contoso.com is the root AD Forest of the organisation and all other companies have their own child domains.
Contoso.com is the head office of the organisation and are responsible for data protection and governance within the organisation.
AD Connect synchronizes the root forests and child domains.

Contoso would like to remove global admin privileges from ICT Admin staff in one of the organisation's companies Fabrikam and grant the ICT admin staff some custom Exchange Online administration privileges. The Fabrikam ICT admin staff must also have the ability to log Office365 service requests.

The following steps are required to lock down the Fabrikam ICT staff access to Office365 as per Fabrikam's parent company Contoso's new security and data protection policies.

#####################Exchange Management Shell############################
####Create Management Scope
New-ManagementScope -Name "EO-FABRIKAM" -RecipientRestrictionFilter {customattribute10 -like "FABRIKAM"}
####All mail enabled objects  in the Fabrikam child domain will have the value 'Fabrikam' added to Active Directory attribute: Extenstionattribute10
####Create a Role Group
New-RoleGroup -NameEO-FABRIKAM-Roles "User Options", "Address Lists", "Distribution Groups", "Team Mailboxes", "Mail Recipients", "Reset Password", "Mail Recipient Creation", "Message Tracking", "Move Mailboxes","Migration","Retention Management","UM Mailboxes", "UM Prompts" , "Unified Messaging"    -Members “EO Fabrikam Admins” -CustomRecipientWriteScopeEO-FABRIKAM-ManagedBy “Organization Management”

####Note: When assigning the members to a security group. The security group must be a mail enabled security group.

####################Windows Azure Active Directory###########################
 

Function

Commandlet

Import CSV

$Users = Import-Csv "CSV PATH"

Assign Role

$Users | ForEach-Object {Add-MsolRoleMember -RoleMemberEmailAddress $_.UserPrincipalName -RoleName "Service Support Administrator"}

####Note: It is not possible to assign service administrator roles per security group


############################Summary####################################

Fabrikam ICT admins can access the Exchange Online Control Panel via this URL: https://outlook.office365.com/ecp
Fabrikam ICT admins can log Office365 service request via this URL:

#############################Next Steps##################################
The next steps would be to create similar management scopes and role groups for SharePoint Online and Skype for Business. (New Blog Post to Follow)
Once Contoso have locked down access for all the companies within their organisation the next step will be developing compliance and governance policies in the Security and Compliance center in Office365