Category Archives: Office 365

Delegate resetting Azure MFA to the helpdesk through an Azure Automation runbook and Microsoft Flow

When a user with MFA enabled loses their mobile phone, they can no longer sign in on new devices, or on existing devices once the token lifetime has expired.

Currently the user has to report this to the helpdesk team. Unfortunately only global admins can force-reset MFA for the user, which sets the StrongAuthenticationMethods value to empty and clears the old, lost device.

There is a workaround that can be used until a delegated RBAC role for this action exists. Combining an Azure Automation account with a Flow and delegating that Flow to helpdesk admins takes this routine task off the global admins.

Prerequisites:

  1. Create a new Automation account in the Azure portal. An Azure subscription is required; 500 minutes of job run time are free every month.
  2. Create a new Flow from a global admin account. This step must be performed from a global admin account.

Create Azure Automation Account –

Go to https://portal.azure.com and create an Automation account.

Now add the MSOnline module:

Add the MSOnline module – open the Automation account, click Assets > Modules and add the MSOnline module.

Once the import finishes, the MSOnline module appears in the module list.

Enter the global admin credentials in the created Automation account –

Click Automation accounts – Credentials – enter the global admin credentials, then add the script below as a runbook.

These are the global admin credentials that execute the reset whenever the Flow is triggered from a delegated helpdesk admin account.

Now add the script that performs the operation:

Param
(
    [Parameter(Mandatory = $false)]
    [String] $UserEmail = ""
)

# Retrieve the global admin credential stored as an Automation credential asset
$creds = Get-AutomationPSCredential -Name 'TestDemo'
Connect-MsolService -Credential $creds

# This command resets the MFA: clearing StrongAuthenticationMethods removes the registered devices
Set-MsolUser -UserPrincipalName $UserEmail -StrongAuthenticationMethods @()

# Optional: this command also resets the password and forces a change at next sign-in
#Set-MsolUserPassword -UserPrincipalName $UserEmail -NewPassword "S@c@r!ooii" -ForceChangePassword $true

After adding the script, publish the runbook.
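The runbook above resets MFA for whatever address the Flow passes in, so it is worth adding the checks a delegated reset should have. The following is an added example, not the post's runbook: it keeps the credential asset name 'TestDemo' from the post, and the list of protected role names is an assumption to adapt to your tenant.

```powershell
Param (
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[^@\s]+@[^@\s]+\.[^@\s]+$')]   # reject anything not shaped like a UPN
    [String] $UserEmail
)

# Directory roles whose members must not have MFA reset through the delegated flow.
# This list is an assumption for the example; extend it to match your own admin roles.
$ProtectedRoles = @('Company Administrator', 'Privileged Role Administrator', 'Security Administrator')

# Credential asset name as used in the post's runbook
$creds = Get-AutomationPSCredential -Name 'TestDemo'
Connect-MsolService -Credential $creds

$user = Get-MsolUser -UserPrincipalName $UserEmail -ErrorAction SilentlyContinue
if (-not $user) {
    throw "No user found for '$UserEmail'; nothing was changed."
}

# Stop if the target holds any protected role: otherwise run-only rights on the Flow
# would be enough to clear an administrator's MFA registration.
foreach ($roleName in $ProtectedRoles) {
    $role = Get-MsolRole -RoleName $roleName -ErrorAction SilentlyContinue
    if (-not $role) { continue }
    $isMember = Get-MsolRoleMember -RoleObjectId $role.ObjectId |
        Where-Object { $_.ObjectId -eq $user.ObjectId }
    if ($isMember) {
        throw "$UserEmail holds the '$roleName' role; MFA reset for privileged accounts is not delegated."
    }
}

# Record the methods being cleared so the job output doubles as an audit trail
$before = ($user.StrongAuthenticationMethods | ForEach-Object { $_.MethodType }) -join ', '
if (-not $before) { $before = 'none registered' }
Write-Output "Clearing MFA methods for $UserEmail (previously: $before)"

# The actual reset, identical to the post's command
Set-MsolUser -UserPrincipalName $UserEmail -StrongAuthenticationMethods @()
Write-Output "MFA methods cleared for $UserEmail at $(Get-Date -Format o)"
```

The job output (visible in the Automation account's job history) then records who was reset and which methods were removed, which the Flow's run-only users cannot alter.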

Now we need to create the Flow from the global admin account to execute this action.

Head over to Flow (https://flow.microsoft.com) and create a new personal Flow: click New flow – Create from blank.

Under Triggers, select Flow button for mobile – Manually trigger a flow.

Add UserEmail as an input to the trigger, then click New step – Add an action.

Click Choose an action – select Azure Automation – Create job, and provide the required credentials and subscription details.

The Flow is now connected to the Azure Automation account.

Navigate to My flows – select the new Flow – click Run now.

The Flow starts successfully and executes the requested operation, resetting the user's MFA methods to an empty value.

The resulting jobs can be viewed in the Automation account for verification; they complete successfully.

From the global admin Flow login, share this Flow with the helpdesk admins as run-only users.

The actual operation is executed by the global admin account; the helpdesk team only triggers it through the run-only permission assigned to them in the Flow.

Thanks & Regards

Sathish Veerapandian

Configure the access panel in Azure Active Directory

We can enable self-service application access for end users. If an organization uses Office 365 applications and the user is licensed for them, those applications appear on the user's access panel. Microsoft and third-party applications configured with federation-based SSO can also be added to the access panel.

We can create multiple groups, for example HR and Marketing, and publish the apps each group needs, both internal corporate apps and social media apps.

To sign in to the access panel, users must authenticate with an organizational account in Azure AD, either directly against Azure AD or through federated authentication.

For organizations that have deployed Office 365, applications assigned to users through Azure AD also appear in the Office 365 portal.

The Azure access panel is a web-based portal that provides users with the following features:

1) View and launch cloud apps.
2) Configure self-service password reset.
3) Self-manage groups.
4) See account details.
5) Modify MFA settings.

IT admins benefit and can reduce first-level calls by enabling the following features:
1) An easy portal for users.
2) Launching cloud-based and federated on-premises apps.
3) Links to URLs.
4) Control of access to corporate applications.
5) Restricting access by user group, device and location.

The portal is accessed at https://myapps.microsoft.com. An Azure admin can configure the access panel settings as follows:

Log in to Azure AD – https://portal.azure.com/

Navigate to Azure AD – Enterprise applications – All applications.

Select the application to add – LinkedIn in the case below – and click Self-service.

These are the options available at this moment:

Allow users to request access to this application – when enabled, end users can view and request access to this application.

To which group must the users be added:

Require approval before granting access to this application:

Who is allowed to approve access to this application:

To which role should users be assigned in this application:

We have these options to add an app:

  1. Application you're developing – register an app you're working on to integrate it with Azure AD.
  2. On-premises application (Application Proxy) – configure Azure AD Application Proxy to enable secure remote access.
  3. Non-gallery application – integrate any other application that you don't find in the gallery.
  4. Add from the gallery – there are close to 3000 apps in the gallery that can be added.

When adding an application we have the following options:

In the case below we are adding Twitter from the gallery; a custom name can be provided for the application.

Single sign-on mode – we have two options:

  1. Federated SSO – allows users to access apps with their organizational accounts. This applies mostly to on-premises apps published here, applications you are developing, and any application integrated with an on-premises IdP. Users sign in only once; after signing in, the user can launch applications from the Office 365 portal or the Azure AD MyApps access panel.
  2. Password-based sign-on – users must remember application-specific passwords and sign in to each application.

Hide application from end user:

This option hides the application from end users.

There is also an option to hide Office 365 apps from the access panel. End users then see Office 365 apps only in the Office 365 portal.

Further end-user settings for the access panel can be managed here:

For on-premises applications we need to configure federated single sign-on and add them to the access panel.

Navigate to Azure AD – Enterprise applications – All applications – select the application that needs single sign-on configuration.

We have the following options:

SAML – use SAML whenever possible. SAML works when the app is configured to use one of the SAML protocols. For SAML we need to provide the sign-on URL, user attributes, claims and signing certificate.

We then need to provide the Azure URL in the application to link it with Azure AD. This creates a relying party trust between the application and Azure AD so that the SAML configuration works.

Linked – can be used for cloud and on-premises apps. We use this when the application already has single sign-on implemented through another service such as Active Directory Federation Services or another IdP solution.

Disabled – use this option if your application is not ready for or integrated with SSO. Users will need to enter their user name and password every time the application is launched.

End-user view from the browser –

Users navigate to http://myapps.microsoft.com/

The default Office 365 apps are shown unless hidden.

After clicking Add app, users can explore the apps published by the admin. In our case it shows only LinkedIn, since that is the only app we added.

If the admin configuration requires approval, the request goes for approval and the application becomes available to the requesting user once approved.

As per a recent update, Microsoft recommends the Intune Managed Browser MyApps integration for mobile scenarios.
This integration supports additional features such as home screen bookmarks and Azure AD Application Proxy integration.

The access panel helps end users reach all their Office and corporate applications in one place without confusion, and reduces the burden of first-level access requests on the front line.

Thanks & Regards

Sathish Veerapandian

Configure Azure AD Terms of Use within conditional access for Microsoft Intune

The Azure AD terms of use functionality has recently been upgraded. In this article we look at configuring Azure AD terms of use for Microsoft Intune device enrollment.

Navigate to Terms of use at https://aka.ms/catou

Search for Conditional Access – Terms of use – click Terms of use – select New terms.

Create new terms of use. Here we can upload our own company terms of use as a PDF, and choose the language of the terms.

The following features can be enabled:

Require users to expand the terms of use – end users must view the terms of use before accepting.

Require users to consent on every device – end users must consent to the terms of use on every device.

Expire consents – the terms of use are enforced immediately and all users are forced to re-consent on a schedule.

Duration before re-acceptance required (days) – the terms of use are enforced immediately and each user has to re-consent every specified number of days.

Once completed, the terms of use need to be applied to conditional access as required.

We have four options at this moment:

Access to cloud apps for all guests – a conditional access policy is created for all guests and all cloud apps. This policy affects the Azure portal; once it is created you might be required to sign out and sign in again.
Access to cloud apps for all users – a conditional access policy is created for all users and all cloud apps. This policy affects the Azure portal; once it is created you will be required to sign out and sign in again.
Custom policy – select the users, groups and apps that these terms of use apply to.
Create conditional access policy later – these terms of use appear in the grant controls list when creating a conditional access policy.

It is strongly recommended to choose Custom policy or Create conditional access policy later, since the first two options apply to all users accessing all cloud apps, while most organizations need segregation by department and job role, with terms of use that vary per department.

After creation, the terms of use appear in the Terms of use section.

Drilling in, we can see the number of people who accepted and declined the terms of use, along with the details and languages.

In the audit logs we can see the actions initiated and the changes made to the terms of use policy.

Enabling the terms of use in the Intune conditional access policy:

After creating the terms of use and selecting the required conditional access template, the new policy is visible in our CA policy. Selecting this option enforces acceptance of the terms for all targeted users.

Now we need to select this option for Microsoft Intune device enrollment.

Once enabled we can run What If to check that it works for the targeted user. In our case the policy we enforced is shown as applied below.

Client user behavior – Android device enrollment through the conditional access policy.

We can see that the Exchange Query IT policy terms of use are applied during device enrollment from an Android device in our case.

On expanding, the user sees the term details as per the company policy.

Note:

  1. It is always better to roll this policy out to pilot users first, verify the behavior, and then plan a phased rollout to the remaining users.
  2. The IT policy terms can be added in different languages based on the geographic locations involved.
  3. We have an option to review the users who accepted and rejected the policy from the policy tab.
  4. Conditional access policy controls (including terms of use) do not support enforcement on service accounts, so ensure that all service accounts are excluded.
  5. End-user accounts consuming this service require an Azure AD Premium P1, P2, EMS E3 or EMS E5 subscription in order to activate the service for them.

Thanks & Regards

Sathish Veerapandian

Exchange mailbox audit in Office 365

From July 2018 mailbox audit logging is enabled by default for all mailboxes in the cloud.

In a hybrid setup, once mailboxes are moved to the cloud, mailbox auditing is enabled after they are converted from mail-enabled users to mailboxes.

Earlier we had to run Set-Mailbox -AuditEnabled $True every time a new mailbox was added or migrated to the cloud so that mailbox auditing was turned on.

Once mailbox audit logging is enabled for owner actions we may see a lot of items accumulating in the audit folder. These audit logs are stored in each user's own mailbox, in a hidden Audits folder.

Get-MailboxFolderStatistics -Identity Helpdesk@exchangequery.com | select name,itemsinfolder,foldersize

This audit folder does not count against the user's mailbox quota; it consumes the Recoverable Items quota of each mailbox. To avoid hitting this quota for recoverable items, the storage quota for the Recoverable Items folder is automatically increased from 30 GB to 100 GB when a hold is placed on a mailbox in Exchange Online.

Without a hold the default value is 30 GB.

We can also see that auditing is enabled by default in the organization config.

To enable audit org level – Set-OrganizationConfig -AuditDisabled $false
To disable audit orglevel – Set-OrganizationConfig -AuditDisabled $True

We can see that auditing is enabled by default:

Get-Mailbox helpdesk | fl *audit*

For AuditOwner we can see the following:

Get-Mailbox helpdesk | Select-Object -ExpandProperty auditowner

MailboxLogin records the client logins for owner actions, including the POP and IMAP protocols. Apart from this we have the inbox rules and calendar delegation actions, which are definitely useful when troubleshooting or investigating a compromised account.

When your tenant begins auditing all mailboxes by default, the per-mailbox AuditEnabled setting is overridden. However, you may still choose to disable auditing for a subset of users if there is a business need, by configuring audit bypass associations on the identities to be ignored with the Set-MailboxAuditBypassAssociation cmdlet. We can also customize which entries are logged using Set-Mailbox with the -AuditOwner option.

The command below bypasses auditing for the specified mailbox.

Get-Mailbox usteam | Set-MailboxAuditBypassAssociation -AuditBypassEnabled $true
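Because a bypass association silences auditing entirely, and AuditOwner can be trimmed per mailbox, it is worth reviewing both periodically rather than trusting the default. The function below is an added example, not part of the post; it assumes an Exchange Online remote PowerShell session is already open, and the list of owner actions it expects is a choice made here.

```powershell
function Get-MailboxAuditReview {
    # Owner actions we rely on for investigations: MailboxLogin records POP/IMAP and
    # other client logons, the other two cover inbox rules and calendar delegation.
    $RequiredOwnerActions = @('MailboxLogin', 'UpdateInboxRules', 'UpdateCalendarDelegation')
    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Bypass associations: anything listed here produces no audit entries at all,
    #    so every entry should be known and justified.
    Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
        Where-Object { $_.AuditBypassEnabled } |
        ForEach-Object {
            $findings.Add([PSCustomObject]@{ Identity = $_.Identity; Finding = 'Audit bypass enabled' })
        }

    # 2. Per-mailbox settings: auditing switched off, or owner actions trimmed down.
    foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox) {
        if (-not $mbx.AuditEnabled) {
            $findings.Add([PSCustomObject]@{ Identity = $mbx.UserPrincipalName; Finding = 'AuditEnabled is False' })
        }
        $missing = $RequiredOwnerActions | Where-Object { $mbx.AuditOwner -notcontains $_ }
        if ($missing) {
            $findings.Add([PSCustomObject]@{
                Identity = $mbx.UserPrincipalName
                Finding  = "AuditOwner missing: $($missing -join ', ')"
            })
        }
    }
    return $findings
}

# Usage: list the findings. To restore owner auditing on one mailbox afterwards:
#   Set-Mailbox -Identity <upn> -AuditEnabled $true -AuditOwner @{Add='MailboxLogin','UpdateInboxRules'}
Get-MailboxAuditReview | Format-Table -AutoSize
```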

We can run an audit report from the Security & Compliance Center during an investigation, and export the results as well.

More filter options are available.

Based on the monitored mailbox audit actions we can also create an alert that notifies the information security team's mailbox or group about actions that do not meet the organization's compliance requirements.

Over the next several months, Microsoft will enable the default auditing configuration on all tenants in a steady ramp-up, with all commercial customers covered by the end of the calendar year.

Mailbox audits are stored for all user mailboxes within the commercial service by default.
The default audit configuration will change to include more audit events.

Quick Tips – Search mailbox operation in Office 365

In Office 365, search can be used to find in-place items in email, documents, Skype for Business and Microsoft Teams. In this article we look at the steps to search emails in mailboxes hosted in Office 365.

The search-and-delete operation is needed when a confidential message is sent by mistake to unintended recipients, when a suspicious message has circulated among a few users, or when a phishing email arrives. An admin can run into any of these scenarios and be asked to perform this action.

In Office 365 we can use the native Search-Mailbox cmdlet, compliance search, or the content search available in the Office 365 Security & Compliance Center.

Search-Mailbox works exactly like the on-premises version. We have to be a member of the Mailbox Search and Mailbox Import Export role groups to execute the search and delete operation.

We need to establish a PSSession to Office 365 as below:

$Cred = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $Cred -Authentication Basic -AllowRedirection
Import-PSSession $Session

Search-Mailbox

Then we execute the search with the search parameters, query and operators that match the data we need to find.

Example of a basic search that only logs results to a target mailbox:

Search-Mailbox -Identity mbx@domain.com -SearchQuery 'subject:test' -LogOnly -LogLevel Full -TargetMailbox mbx@domain.com -TargetFolder SearchResults

The -DeleteContent switch deletes the matching content.

Search-Mailbox -Identity mbx@domain.com -SearchQuery 'subject:test' -DeleteContent

Compliance Search

We can use compliance search to search for and delete emails from mailboxes in Office 365. We need to establish a new PSSession to the compliance endpoint as below.

$Cred = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid/ -Credential $Cred -Authentication Basic -AllowRedirection
Import-PSSession $Session

Once connected we can initiate a new compliance search with the New-ComplianceSearch cmdlet.

First, create the search with the required parameters and the content match query:

New-ComplianceSearch -Description Marketing-Search -Name MarketingTeam -ExchangeLocation alias@domain.com -ContentMatchQuery "'Teach English in China'"

Then start the compliance search with Start-ComplianceSearch:

Start-ComplianceSearch -Identity searchname

After this we have three options with New-ComplianceSearchAction: report-only mode, exporting the searched data, or deleting the search results, as in the examples below.

Report Mode

New-ComplianceSearchAction -SearchName SearchName -Report

Export Mode

New-ComplianceSearchAction  -SearchName SearchName -Export

Once the export completes, it is available for download in the Export section of the Security & Compliance Center.

We can also use the purge option:

New-ComplianceSearchAction -SearchName SearchName -Purge -PurgeType SoftDelete

Get-ComplianceSearch can be run to check the existing executed compliance searches.
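The individual cmdlets above are easy to run out of order: a search action issued before Start-ComplianceSearch has finished acts on partial results, and a loose query can purge far more than intended. The function below is an added example, not the post's commands; it assumes a Security & Compliance remote session is already open, and the search name, query and item limit are placeholders.

```powershell
function Invoke-ReviewedComplianceSearch {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Query,
        [string[]] $Mailboxes = @('All'),   # 'All' or a list of mailbox addresses
        [int]      $MaxItemsToPurge = 50,   # refuse to purge more than this without review
        [switch]   $Purge
    )

    # Create and start the search only once; a second call reuses the existing search.
    if (-not (Get-ComplianceSearch -Identity $Name -ErrorAction SilentlyContinue)) {
        New-ComplianceSearch -Name $Name -ExchangeLocation $Mailboxes -ContentMatchQuery $Query | Out-Null
        Start-ComplianceSearch -Identity $Name
    }

    # Poll until the search has finished; acting on a running search yields partial results.
    do {
        Start-Sleep -Seconds 10
        $search = Get-ComplianceSearch -Identity $Name
    } while ($search.Status -in 'NotStarted', 'Starting', 'InProgress')

    if ($search.Status -ne 'Completed') {
        throw "Search '$Name' ended with status '$($search.Status)'; no action taken."
    }
    Write-Output "Search '$Name' matched $($search.Items) item(s)"

    # Always produce the report first so there is a record of what matched
    # (the error is suppressed when the report action already exists from an earlier run).
    New-ComplianceSearchAction -SearchName $Name -Report -ErrorAction SilentlyContinue | Out-Null
    if (-not $Purge) { return $search }

    # Guard against an over-broad query deleting far more than intended.
    if ($search.Items -gt $MaxItemsToPurge) {
        throw "Search '$Name' matched $($search.Items) items, above the limit of $MaxItemsToPurge; review the report first."
    }

    # SoftDelete keeps the items recoverable; a purge removes at most 10 items per mailbox per run.
    New-ComplianceSearchAction -SearchName $Name -Purge -PurgeType SoftDelete -Confirm:$false
    return $search
}

# Usage (placeholder values): a report-only run, then a purge once the report has been reviewed.
# Invoke-ReviewedComplianceSearch -Name 'Phish-Invoice' -Query 'subject:"Invoice overdue"'
# Invoke-ReviewedComplianceSearch -Name 'Phish-Invoice' -Query 'subject:"Invoice overdue"' -Purge
```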

Content Search

We can also use the content search option in the Office 365 Security & Compliance Center. Here we specify the content locations to be searched.

Here we have three options to search.

New Search – which is the default option and provides the search query parameters and conditions.

Guided search – has the same options as New search, with an additional guided wizard as below. The rest of the search query parameters and conditions remain the same.

ID search – we can perform a targeted search by providing a CSV input file.

For ID search we need to provide a well-formatted CSV as described in the TechNet article: format the document ID column and populate the selected columns as the article describes.

Once the CSV is prepared and imported, it is ready for save and run.

After the save and run operation we get the results.

We can choose the locations from which data is fetched under Modify locations. This option is available only in New search and Guided search.

After specifying the location, add the search query keywords, date range, sender and any other parameters the search requires.

Once the search completes we can see the results in the Searches tab.

We have an option to download the search results.

We also have options to export the report.

Important notes:

  1. ID search is limited to and supported only for mailbox items.
  2. We need to be a member of the Organization Management or at least the Compliance Administrator role group in order to use this service from the Security & Compliance Center.

Configure DKIM in an Office 365 environment

In this article we go through the steps to enable DKIM in a pure Office 365 cloud environment.

For DKIM concepts and enabling DKIM in an on-premises environment you can follow my previous blog.

The main difference between enabling DKIM on premises and in Office 365 is:

  1. On premises we keep the private keys in our outgoing anti-spam gateway or DKIM agent, which signs every outbound email with a DKIM signature, and we publish the public key in a DNS record.
  2. Office 365 instead asks customers to publish CNAME records pointing to public keys in Microsoft's DNS, which delegates the corresponding namespace to Office 365.

With the Office 365 CNAME option the keys can be rotated whenever required, because the private key is owned by Microsoft and the public key is maintained in their Office 365 DNS records. We create the CNAMEs in our DNS console only once; afterwards we only need to create CNAMEs for new domains added to Office 365.

First we need to enable DKIM from the Exchange admin center in the Office 365 portal – navigate to Protection – click the DKIM tab.

We can enable it for the routable domains registered with Office 365. But if we enable it without publishing the DKIM DNS records, we get the error below.

We have to publish the DKIM DNS records as below:

Create two CNAME records for the two selectors used to sign outgoing emails with DKIM.

In our case we need to create the records below in the DNS hosting provider's console.

Host name: selector1._domainkey.exchangequery.com
Points to address or value: selector1-exchangequery-com._domainkey.exchangequery.onmicrosoft.com
TTL: 3600

Host name: selector2._domainkey.exchangequery.com
Points to address or value: selector2-exchangequery-com._domainkey.exchangequery.onmicrosoft.com
TTL: 3600

Once these two CNAME records exist, Office 365 takes care of signing all outgoing emails with DKIM using its signing agents.

Now if we go to the Office 365 portal and enable DKIM, it gets enabled. Looking closer, there is an option to rotate the DKIM keys with a single button, which is a great option. Ideally it is not required from our side, since Office 365 rotates its keys once in a while as part of its security checks.

To verify that mail is DKIM-signed we can send a test email to Gmail; if it shows "signed by" your domain name, the outbound email is DKIM-signed.

In the message headers we can see the DKIM status as pass.

Looking further into the message headers we can see:

Authenticated Received Chain (ARC) – a newer email authentication mechanism, currently used by Office 365.
DomainKeys Identified Mail (DKIM) – if DKIM is enabled we see the DKIM value as pass.
Sender Policy Framework (SPF) – the SPF verification result.

Also in the DKIM-Signature header we can see the selector and the domain name, as below.

Further, we can look into the DKIM signing configuration and public keys by running the command below.

Get-DkimSigningConfig -Identity exchangequery.com | fl
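Get-DkimSigningConfig also reports the CNAME targets Exchange Online expects for each selector, so the two records published above can be checked against it rather than by eye. The function below is an added example, not from the post; it assumes an Exchange Online remote session is open and runs on Windows, where Resolve-DnsName is available.

```powershell
function Test-O365DkimDns {
    param([Parameter(Mandatory)] [string] $Domain)

    # Exchange Online reports the CNAME targets it expects for the two selectors
    $cfg = Get-DkimSigningConfig -Identity $Domain
    $checks = @(
        @{ Selector = 'selector1'; Expected = $cfg.Selector1CNAME },
        @{ Selector = 'selector2'; Expected = $cfg.Selector2CNAME }
    )

    foreach ($c in $checks) {
        $fqdn = "$($c.Selector)._domainkey.$Domain"

        # What is actually published in our own zone
        $cname = Resolve-DnsName -Name $fqdn -Type CNAME -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
        $actual = if ($cname) { $cname.NameHost.TrimEnd('.') } else { $null }

        # The public key itself is a TXT record at the CNAME target, maintained by Microsoft
        $txt = $null
        if ($actual) {
            $txt = Resolve-DnsName -Name $actual -Type TXT -ErrorAction SilentlyContinue |
                Where-Object { $_.Type -eq 'TXT' } |
                ForEach-Object { $_.Strings -join '' } | Select-Object -First 1
        }

        [PSCustomObject]@{
            Host      = $fqdn
            Expected  = $c.Expected
            Actual    = $actual
            CnameOk   = [bool]($actual -and $actual -ieq ([string]$c.Expected).TrimEnd('.'))
            KeyFound  = [bool]($txt -and $txt -match 'p=[A-Za-z0-9+/=]+')   # DKIM key material present
            SigningOn = $cfg.Enabled
        }
    }
}

# Usage, with the post's domain as input
Test-O365DkimDns -Domain 'exchangequery.com' | Format-Table -AutoSize
```

A row with CnameOk false is the situation that produces the enable-time error shown earlier; KeyFound false with CnameOk true means the record exists but has not propagated yet.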

Additional general info:

Below are the possible results of the DKIM test in the message header.

  • DKIM=pass – the message was signed and verified.
  • DKIM=fail – the message was signed and the signature or signatures were acceptable, but they failed the verification test(s).
  • DKIM=none – the message was not signed.
  • DKIM=policy – the message was signed but the signatures were not acceptable.
  • DKIM=neutral – the message was signed, but the signature was not formed correctly. This is possibly a configuration error on the sending domain's side.
  • DKIM=temperror – a temporary error, where the public key could not be retrieved for DKIM verification.
  • DKIM=permerror – the message could not be verified due to an unrecoverable error.

Bulk import local PST files to Office 365 mailboxes

In this article we look at the steps to bulk import PST files into Office 365 mailboxes.
A common scenario: after a switch from on premises to Office 365, users have kept local PST files on a network drive without an archive solution, which is bad practice.
When we run into this, it is definitely not recommended to keep the data that way. We might have a bunch of PST files, possibly ten years' worth of email, that need to be imported into the associated mailboxes.

There are two options to perform this action.

Method 1: use the free Azure network upload service to upload the .pst files and map them to the users' mailboxes.

The following prerequisites need to be met:

1) As an initial prerequisite, move all the PST files to one central location, which makes the bulk import easier. If they are in different sites, create one central location per site.

2) If there are many PST files and a lot of data, create multiple jobs; this is easier to track and avoids choking the bandwidth and hitting throttling.

3) The administrator requires the Mailbox Import Export right to perform this operation.

Step 1: assign the RBAC Mailbox Import Export role to the required account. This can be done via PowerShell in a remote session to Office 365, or via the Exchange admin center in Office 365.

Once permission is granted, navigate to the Data migration option under Setup in the Office 365 admin center. Here we need to select the option Upload PST files.

Under Upload PST files, go to New import job, type the job name and click Next. Then select Upload your data and click Next.

An import job window appears. Click Show network upload SAS URL and copy the URL with Copy to clipboard. Then click Download Azure AzCopy to get the AzCopy tool and install it.

Launch AzCopy and type the following command, substituting the placeholders:

AzCopy.exe /Source:\\<network path> /Dest:"<SAS URL>" /V:<location to save log file>\AzCopy.log /Y

Note: we need to grant sharing permission on the file or folder where the PST files are present.

Go back to the Import data window, tick both checkboxes under the mapping file preparation options and click Next.

Now, for this import, we need to create the PST-to-user mapping in the mapping file using Excel.
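When there are many PST files, hand-editing the mapping file is where mistakes creep in (a PST mapped to the wrong mailbox lands someone else's mail in a user's inbox). The function below is an added example, not from the post: it builds the mapping file from a folder of PSTs named after the target mailbox, using the column names of Microsoft's network upload mapping file format; the folder and output paths are placeholders.

```powershell
function New-PstMappingCsv {
    param(
        [Parameter(Mandatory)] [string] $PstFolder,   # central share holding the PSTs
        [Parameter(Mandatory)] [string] $OutputCsv,   # mapping file to produce
        [string] $UploadSubfolder = '',               # subfolder used in the AzCopy upload, if any
        [switch] $ToArchive                           # import into the archive mailbox instead
    )

    $rows = foreach ($pst in Get-ChildItem -Path $PstFolder -Filter '*.pst' -File) {
        # Convention assumed here: the file is named <mailbox address>.pst
        $mailbox = $pst.BaseName
        if ($mailbox -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
            # A stray or misnamed file must not be mapped to a guessed mailbox
            Write-Warning "Skipping $($pst.Name): file name is not a mailbox address"
            continue
        }
        [PSCustomObject]@{
            Workload            = 'Exchange'
            FilePath            = $UploadSubfolder
            Name                = $pst.Name
            Mailbox             = $mailbox
            IsArchive           = if ($ToArchive) { 'TRUE' } else { 'FALSE' }
            TargetRootFolder    = '/'      # merge into the mailbox root; blank would create an "Imported" folder
            ContentCodePage     = ''
            SPFileContainer     = ''
            SPManifestContainer = ''
            SPSiteUrl           = ''
        }
    }

    $rows | Export-Csv -Path $OutputCsv -NoTypeInformation
    return $rows
}

# Usage (placeholder paths): review the rows printed before uploading the CSV in the import job
New-PstMappingCsv -PstFolder '\\fileserver\pst-import' -OutputCsv 'C:\temp\pst-mapping.csv' |
    Format-Table Name, Mailbox, IsArchive -AutoSize
```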

Then upload the file by clicking Select mapping file.

Once done, we can see the PST files have been successfully imported into the associated Office 365 mailboxes.

Method 2: use a third-party solution for migrating PST to Office 365

Sometimes we need a solution to import only specific items from a batch of PST files into Office 365. So here we discuss one more method, a third-party tool for migrating PST to Exchange Online mailboxes.

I happened to have a look at the MailsDaddy PST to Office 365 Migration Tool, and it provides security and ease in importing all PST file data like emails, contacts, calendars, appointments and attachments into Office 365.

The tool has advantages such as:

Export selected items only: it shows a preview of all PST file data, and you can select the items to migrate to the Office 365 account. This is very useful where an organization has restored a large mailbox from old backup tapes for a legal issue: the huge exported PST from the backup can be loaded and only the required emails selected and imported into the online mailbox.

Date range filter: with the date filter option you can search for emails between specific times and import only the required data from the PST file into the Exchange Online mailbox. This is also useful when an end user needs missing emails restored, or when a resigned employee's old backup data is needed, and only the last year of data is to be extracted and imported into the associated Office 365 mailbox.

Impersonation option: using this option we can migrate multiple mailboxes while sharing the throttling and connection limits of each user. To use the impersonation export option, the account must have application impersonation rights and full access to the admin account.

Bulk export option: with this option we can export multiple PST files into multiple mailboxes by mapping all mailboxes using a CSV file.

Below are the steps to use the MailsDaddy PST import tool:

Step 1: download the application and install it.

Step 2: once installed, launch the software. Then click Add file to load the PST file.

Step 3: once the PST is loaded, the software shows a preview of all the PST file data.

Now we can select the mail, contacts, calendars, appointments, attachments and so on if we need to export only selected items.
Click the Export button to import all data from the PST into Office 365.
Then select the export option, enter the Office 365 mailbox ID and password, and click Export.

Here we have the following options: export all folders, export selected folders, export to primary mailbox and export to archive mailbox.

Once Export is clicked, the selected emails are imported successfully into the associated Office 365 mailboxes.
