I look at the Azure AD portal with curiosity to see what the new features are, and then want to play around with them to better understand their usage. This is not the latest feature, but it is out of preview mode, and this is me writing on the effective use of Azure AD AUs.
While I was navigating through my personal Outlook (Hotmail) recently, I noticed a new icon had emerged on the side and had to look at what it was. That was Project Moca, or Outlook Spaces: a common ground to manage a project, brainstorm, or gather information on a canvas and collaborate.
My DIY project for this weekend is to try and implement a method to set Google as an identity provider for Azure AD resource access requirements. If someone can access apps or services on a different platform without having to create an account on the resource owner’s end, that makes lives easier and simply takes away the hassle of registering another account.
This is my compilation of some of everything you need to know about M365 Groups.
Over the course of time, Microsoft brought different types of groups to manage users and computers. In all those scenarios, the group was capable of performing one task, or two at most:
Act as a Security Group, an Exchange Distribution List, or both at once.
Limited mailbox size due to limited mailbox database size, due to the on-premises server’s disk space, due to the number of users. Sound familiar?
On-premises Exchange servers are always constrained by server disk space, and that always comes down to proper user profiling and limiting the per-user mailbox capacities.
Why automate such a workload?
A few reasons:
- Better identity and access management
- Not having to update too many locations for these types of requests
- Meeting demands / less stress on the frontline IT
This is the age of automation, and everyone is on the automation bandwagon to automate tech workloads in the cloud or on-premises.
If you have the right infrastructure, this can be easily achieved without going into much trouble.
The automation magic happens when the user is created in the on-premises AD with the specific attribute:
- User will be auto added to the dynamic Azure AD group for Cloud licensing
- Licenses will be assigned to the user according to the Group Based Licensing setup
- User will be challenged for MFA with the Conditional Access policy
- User will get the Seamless SSO functionality after login to the domain joined computer
- Apps will be assigned for the user to use in the My Applications portal
- User will get access to the shares on Azure Files
What you need:
- Hybrid environment (Local AD — AAD Connect — Azure AD)
- Password Hash Synchronization activated in the AAD Connect tool
- Azure AD Premium P1 license per user, or an M365 license that includes the P1 option
- Appropriate licenses in the portal to assign to the users
- An Azure subscription if you are thinking of migrating the local file shares to Azure Files
The fun bit starts now
- Enable Seamless SSO
- Creating the AD user and setting the attribute(s)
- Azure AD M365 Dynamic Group creation
- My Applications Portal with specific app access
- Group based licensing
- Azure AD Dynamic Security group and Conditional Access policy for MFA
- Setup Azure Files
Enable Seamless SSO
Open the Azure AD Connect tool
Select the Change user sign-in option
Sign in with a Global Admin account
Check the “Enable single sign-on” option
Enter the credentials of an enterprise admin account for the domain
Click Configure
Once the credentials are entered, press Next and then Configure
Notice the highlighted computer in the Computers OU? That is the computer account (AZUREADSSOACC) responsible for SSO for the domain-joined computers. Its Kerberos decryption key is what Azure AD uses to validate the tickets, so treat that object as a sensitive credential.
It is very important to roll over the Kerberos decryption key of this account periodically (Microsoft recommends at least every 30 days) for security reasons.
Please check this article, which has the steps to perform this task.
What is the difference between the single sign-on experience provided by Azure AD Join and Seamless SSO?
Azure AD Join provides SSO to users if their devices are registered with Azure AD. These devices don’t necessarily have to be domain-joined. SSO is provided using primary refresh tokens or PRTs, and not Kerberos. The user experience is most optimal on Windows 10 devices. SSO happens automatically on the Microsoft Edge browser. It also works on Chrome with the use of a browser extension.
You can use both Azure AD Join and Seamless SSO on your tenant. These two features are complementary. If both features are turned on, then SSO from Azure AD Join takes precedence over Seamless SSO.
One last thing to set up for Seamless SSO to work
Set the GPOs below by adding the following URL to the Internet zone settings URL list, so user logon requests are directed ‘seamlessly’ to Azure AD.
User Configuration > Policy > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page. Then select Site to Zone Assignment List.
Value name: the Azure AD URL where the Kerberos tickets are forwarded, https://autologon.microsoftazuread-sso.com
Value (Data): 1 (1 indicates the Intranet zone)
User Configuration > Policy > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone. Then select Enable updates to status bar via script.
Enable the policy setting, and then select OK.
Now check the Azure AD portal
Navigate to Azure Active Directory > Azure AD Connect > USER SIGN-IN
Creating the AD user and setting the attribute(s)
There are a few ways to go about this. The easiest is to use the attributes that are used every day, e.g. Office, Department, Company, etc.
However, if you need to play with the custom attributes, there are 15 of them sitting in the Attribute Editor tab of the user’s local AD profile:
msDS-cloudExtensionAttribute1 to msDS-cloudExtensionAttribute15
These are not among the attributes available in dynamic group rules by default, so there is some additional work involved to sync them to Azure AD.
In my example I have taken msDS-cloudExtensionAttribute1 to be synced across to Azure AD.
E.g. you can go with the cost center name/number or any other string value. I’m using the tag finance-payroll, or to make things easy, fin-pr.
Now let’s sync that across. For this,
Open the Azure AD Connect tool > Select Customize synchronization options > Select Directory extension attribute sync
Press Next on the screens that say “Azure AD Apps” and “Azure AD Attributes”
Select the attributes and add them
Press Next on Ready to configure, then Configure, and it will start synchronizing afterwards
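The same user-creation step done from PowerShell, as an added example that is not code from the original article. It assumes the RSAT ActiveDirectory module on the admin host, a constructed OU path, UPN and user, and the ADSync module only for the optional final step on the AAD Connect server.

```powershell
# Added example (not the article's own code). Run on a domain-joined admin host with RSAT.
# Assumptions: OU path, UPN suffix and the sample user are constructed values; the "fin-pr"
# tag is the one the dynamic group rule later matches on (exact string match).
Import-Module ActiveDirectory

$ouPath = "OU=Finance,OU=Users,DC=contoso,DC=local"   # constructed sample OU
$tag    = "fin-pr"                                      # department tag for the dynamic group rule
$sam    = "jpayroll"                                    # constructed sample user

# Never hardcode an initial password in a script; prompt for it instead.
$initialPassword = Read-Host -AsSecureString -Prompt "Initial password for $sam"

# msDS-cloudExtensionAttribute1 is not a named New-ADUser parameter, so it goes in -OtherAttributes.
New-ADUser -Name "Jane Payroll" -GivenName "Jane" -Surname "Payroll" `
    -SamAccountName $sam -UserPrincipalName "$sam@contoso.com" `
    -Path $ouPath -Department "Finance" `
    -AccountPassword $initialPassword -ChangePasswordAtLogon $true -Enabled $true `
    -OtherAttributes @{ 'msDS-cloudExtensionAttribute1' = $tag }

# Verify the attribute landed exactly as written: a stray space or case difference means the
# user silently never joins the dynamic group, and therefore never gets the licence or the CA policy.
$u = Get-ADUser -Identity $sam -Properties 'msDS-cloudExtensionAttribute1'
if ($u.'msDS-cloudExtensionAttribute1' -cne $tag) {
    throw "Attribute not set as expected: '$($u.'msDS-cloudExtensionAttribute1')'"
}

# Existing users in the OU can be tagged the same way without recreating them.
Get-ADUser -SearchBase $ouPath -Filter 'Department -eq "Finance"' |
    Set-ADUser -Replace @{ 'msDS-cloudExtensionAttribute1' = $tag }

# Optional: push the change without waiting for the scheduler. Run on the AAD Connect server.
# Import-Module ADSync
# Start-ADSyncSyncCycle -PolicyType Delta
```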
Azure AD Dynamic Group creation
Navigate to Azure Active Directory > Groups > New Group
Set the Group type to Security and the Membership type to “Dynamic User”
To add the query that adds users dynamically,
Click on Add dynamic query
If you try to select the attribute from the Property field now, the attribute we set from AD will not show up.
For it to be reflected, open a new tab, go to the Azure AD portal again and navigate to Enterprise Applications
Search for the app named Tenant Schema Extensions app
Configuration changes in Azure AD made by the wizard are saved in this app; in our case, msDS-cloudExtensionAttribute1
Nothing much to do here, just grab the Application ID for this app from the Overview pane.
After grabbing the Application ID, go back to the Dynamic Group creation tab and go to “Get custom extension properties”
Paste the App ID and hit “Refresh properties”
The synced attribute will now start showing under the properties
Set your rule appropriately. Mine goes as below.
Once this is done, hit Save and Create so the dynamic group is created with the query.
My Applications Portal with specific app access
There can be requirements for different teams/departments to get different apps, and if you have them registered in Azure AD, it is really easy to bundle them according to the groups so users can open all their apps from one location: the My Apps portal.
First, identify what apps your user groups need to access.
Go to Azure AD > Enterprise Applications > All Applications
Search for the app that needs to be assigned.
I’ve used the app Box as the example.
Under Users and Groups, I’ve added the Finance-Payroll group.
This will now start showing up in the My Applications portal when a group member logs in.
Notice how Box now appears when a group member logs in to the My Applications portal.
How does Seamless SSO help here?
The user has already logged in to the domain-joined computer and opens the My Applications portal. The user only needs to type the username and press Next; the portal logs the user in automatically, and then prompts for the MFA challenge.
If logging in from a non-domain-joined computer, Seamless SSO is opportunistic: it cannot obtain a Kerberos ticket, so the user is prompted for the password, followed by the MFA challenge.
MFA can be limited further so that it is only prompted when the computer/device is not Azure AD joined or Hybrid Azure AD joined, as those are connected to the domain.
Group based licensing
You may have different licensing requirements for different user groups depending on the department, user type, and the tasks they perform.
E.g. frontline workers don’t need Office apps but may require web apps; project managers may require the MS Project app among the other apps;
or CXOs and management may require Azure AD P2 so IT can look for risky sign-ins and minimize the threats.
Open the dynamic group we created earlier, navigate to “Licenses” from the left-hand pane, and select one or more licenses and their options to be added for anyone who is a member of this group.
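The dynamic group creation described above and the group-based licensing step just described, done together from Microsoft Graph PowerShell, as an added example that is not code from the original article. The Tenant Schema Extensions application ID is a placeholder, the sample user is constructed, and the extension property name is built from the extension_<appId>_<attribute> convention as an assumption; confirm the exact spelling against the list the portal shows after “Refresh properties”, which is authoritative for your tenant.

```powershell
# Added example (not the article's own code). Requires the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All", "Organization.Read.All"

$schemaAppId = "00000000-0000-0000-0000-000000000000"   # placeholder: Tenant Schema Extensions app ID
# Assumed property name; copy the real one from "Refresh properties" in the portal if it differs.
$extName     = "extension_" + ($schemaAppId -replace "-", "") + "_msDS_cloudExtensionAttribute1"
$tag         = "fin-pr"
$sampleUpn   = "jpayroll@contoso.com"                    # constructed: a synced user tagged fin-pr

# 1. Prove the synced value is visible in Azure AD before building a rule on it.
$probe = Get-MgUser -UserId $sampleUpn -Property "id,$extName"
if ($probe.AdditionalProperties[$extName] -ne $tag) {
    throw "Attribute '$extName' is not synced for $sampleUpn; check directory extension sync and the property name."
}

# 2. Create the dynamic security group. The value is quoted; membership rules match strings exactly.
$rule  = "(user.$extName -eq `"$tag`")"
$group = New-MgGroup -DisplayName "Finance-Payroll" -MailNickname "finance-payroll" `
    -MailEnabled:$false -SecurityEnabled `
    -GroupTypes @("DynamicMembership") -MembershipRule $rule -MembershipRuleProcessingState "On"

# 3. Group-based licensing: attach Azure AD Premium P1 (SKU part number AAD_PREMIUM) to the group.
#    Swap in an M365 SKU that includes P1 if that is what you own. -RemoveLicenses must be passed, even if empty.
$sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq "AAD_PREMIUM"
if (-not $sku) { throw "AAD_PREMIUM not found; pick a SKU from Get-MgSubscribedSku." }
Set-MgGroupLicense -GroupId $group.Id -AddLicenses @(@{ SkuId = $sku.SkuId }) -RemoveLicenses @()

# 4. Dynamic membership is evaluated asynchronously; re-check the rule state and members a few minutes later.
Get-MgGroup -GroupId $group.Id -Property "id,displayName,membershipRule,membershipRuleProcessingState" |
    Select-Object DisplayName, MembershipRule, MembershipRuleProcessingState
```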
Next up, Azure AD Dynamic Security group and Conditional Access policy for MFA
Add the Finance-Payroll group under the Users and groups option.
You can add more users and groups as you add more departments, teams or individual users.
Selecting All cloud apps will require MFA for every app that uses Azure AD as the sign-in method; in my opinion, this leaves no room for error.
Enforcement: Grant access, requiring the MFA challenge
Set the conditions to include all device types and exclude Hybrid Azure AD joined and Azure AD joined devices, so MFA is only prompted when the user is not on an office device. Further, try geo-blocking if required.
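The same Conditional Access policy built through Microsoft Graph PowerShell, as an added example that is not code from the original article. The group object ID and break-glass account ID are placeholders; the device exclusion uses the filter-for-devices condition (the current form of the older device-state condition), and the policy is created in report-only state so the sign-in logs can be reviewed before it is enforced.

```powershell
# Added example (not the article's own code). Requires the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$financeGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: Finance-Payroll group object ID
$breakGlassId   = "11111111-1111-1111-1111-111111111111"   # placeholder: emergency access account, always excluded

$policy = @{
    displayName = "CA - MFA for Finance-Payroll outside office devices"
    # Report-only first: every sign-in is evaluated and logged, nobody is blocked yet.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{
            includeGroups = @($financeGroupId)
            excludeUsers  = @($breakGlassId)
        }
        # "All" cloud apps: anything signing in through Azure AD is covered, including apps added later.
        applications = @{ includeApplications = @("All") }
        # Exclude Azure AD joined ("AzureAD") and Hybrid Azure AD joined ("ServerAD") devices from the
        # policy; everything else (registered, unmanaged, unknown) is in scope and gets the MFA prompt.
        devices      = @{
            deviceFilter = @{
                mode = "exclude"
                rule = 'device.trustType -eq "AzureAD" -or device.trustType -eq "ServerAD"'
            }
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Once the report-only results look right, switch the policy on with:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```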
Let’s set up Azure Files
This can be an optional step, but if you already have Azure Files set up (kudos to you!), you can add the dynamic group to the NTFS permissions of that Azure Files share.
Please refer to this previous article for that: Azure Files
Automate further and Summary
You can automate further down to the SharePoint document library level, so that these groups get the necessary permissions automatically.
At the end of the day, it is a question of how much you want to automate this process in order to save time and use the Modern Workplace methodologies. Once the background is set, it is just a matter of creating the AD user with the specific attribute, and the rest will happen automatically.
Feature image : Mechanic Vectors by Vecteezy
Some time ago I wrote on how to disable Basic Auth to make way for Modern Authentication. The procedure is manageable, and with a bit of effort you can achieve it with little or no noise in your organization.
Whether you block Basic Auth via an Azure AD Conditional Access policy or by creating an EXO authentication policy and applying it to the users, you must plan it well. Things may go pear-shaped if you don’t take everything into consideration.
Microsoft has announced that it will retire the Basic Authentication method from Office 365 Exchange Online and make Modern Authentication the standard way of authenticating going forward.
There are continuous updates in the M365 Admin Center messages on what admins need to do to prepare for the change.
Companies now have to prepare for the change, and Microsoft is sending continuous updates on what we need to do and how to identify how many clients are using Basic Auth to connect to Outlook/Exchange Server.
I have written a quick set of guidelines that will help you to see all the important points in one go.
This will include the steps to enable Modern Authentication and block Basic Authentication.
While the Office apps are capable of showing the reporting structure of the staff, if you need to extract that data into a Visio diagram, that is easy and just a few clicks away.
As Microsoft 365 evolves, OneDrive for Business (ODB) is the way to store user data, sync it easily across devices, apply security and collaborate easily. This article explains some basic operations you can perform to manage ODB drives in your tenant. This is my approach to making OneDrive for Business replace the user’s traditional AD mapped home drive and folder redirection quotas. This article talks about the nitty-gritty of OneDrive for Business and some of the things you need to check before implementing Known Folder Move.
This article is for anyone who is struggling and wondering how to get rid of the on-premises Exchange Server now that all the mailboxes have been migrated to the cloud and no coexistence, federation or mail flow is required. As you may already know, Microsoft recommends keeping the last Exchange Server in the environment and NOT removing it, as that would remove the Exchange-related attributes from the schema, after which managing users will be impossible when it comes to Exchange-related matters. Yes, ADSI can be a life saver, but hold on! Playing with ADSI Edit is not a good idea and, again, is not recommended or supported by Microsoft.
If you are an Office 365 admin like myself, you may have received many notifications from Microsoft regarding TLS 1.0 being deprecated in their infrastructure, which will in turn affect their customers if they don’t move to TLS 1.2 in time. They first informed us this would be valid from 31st Oct 2018, but have extended the support until 15 October 2020.
This has been announced because vulnerabilities have been found in the current TLS versions that cause many security issues, especially the POODLE attack.
And almost all web services are preparing for the change.