
Key properties of the Azure AD B2B collaboration user

Reference: https://docs.microsoft.com/en-us/azure/active-directory/b2b/user-properties

UserType

This property indicates the relationship of the user to the host tenancy. This property can have two values:

  • Member: This value indicates an employee of the host organization and a user in the organization’s payroll. For example, this user expects to have access to internal-only sites. This user is not considered an external collaborator.
  • Guest: This value indicates a user who isn’t considered internal to the company, such as an external collaborator, partner, or customer. Such a user isn’t expected to receive a CEO’s internal memo or receive company benefits, for example.

    Note

    The UserType has no relation to how the user signs in, the directory role of the user, and so on. This property simply indicates the user’s relationship to the host organization and allows the organization to enforce policies that depend on this property.

Source

This property indicates how the user signs in.

  • Invited User: This user has been invited but has not yet redeemed an invitation.
  • External Active Directory: This user is homed in an external organization and authenticates by using an Azure AD account that belongs to the other organization.
  • Microsoft account: This user is homed in a Microsoft account and authenticates by using a Microsoft account.
  • Windows Server Active Directory: This user is signed in from on-premises Active Directory that belongs to this organization.
  • Azure Active Directory: This user authenticates by using an Azure AD account that belongs to this organization.

    Note

    Source and UserType are independent properties. A value of Source does not imply a particular value for UserType.

If your organization has multiple Azure AD (AAD) directories, perhaps because of security requirements, mergers or acquisitions, it may be a good idea to add guest users from the other AAD directories as members.

The main difference between a Guest and a Member is in the lookup rights in the directory. A guest typically cannot look up users and groups the way a Member can. A member needs this for self-service scenarios and to look up contact information for other users, while you would typically not want a guest to do that.

In order to convert the user, you currently have to use PowerShell. You need to have the AzureAD module installed on your computer.

  1. Log into your Azure AD tenant:
  2. Convert the user

    You may want to look up the user with Get-AzureADUser first.
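The conversion described above, as an added example that is not part of the original post: it selects only redeemed guests whose mail address belongs to one partner AAD directory and converts them to Member. The AzureAD module, the Connect-AzureAD session and the partner domain value are assumptions.

```powershell
# Added example (not from the original post). Assumes the AzureAD module is installed
# and that the account running this can modify users in the host tenant.
Connect-AzureAD | Out-Null

$PartnerDomain = 'partner.example.com'   # constructed placeholder: the other AAD directory's domain

# Guests whose home directory is the partner tenant. The mail address identifies the
# home directory; CreationType 'Invitation' plus UserState 'Accepted' means the
# invitation has been redeemed (the user is not a pending "Invited User").
$Candidates = Get-AzureADUser -All $true -Filter "userType eq 'Guest'" |
    Where-Object {
        $_.Mail -like "*@$PartnerDomain" -and
        $_.CreationType -eq 'Invitation' -and
        $_.UserState -eq 'Accepted'
    }

foreach ($User in $Candidates) {
    Write-Host "Converting $($User.UserPrincipalName) ($($User.Mail)) to Member"
    # Only UserType changes; the sign-in source (external AAD) stays the same.
    Set-AzureADUser -ObjectId $User.ObjectId -UserType Member
}

# Verify: no guests from the partner domain should remain.
Get-AzureADUser -All $true -Filter "userType eq 'Guest'" |
    Where-Object { $_.Mail -like "*@$PartnerDomain" } |
    Select-Object UserPrincipalName, UserType, UserState
```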


Install .NET Framework

Install .NET Framework and packages from the command line:

https://docs.microsoft.com/en-us/dotnet/framework/deployment/deployment-guide-for-developers#command-line-options


Example (no restart after the install):

NDP47-KB3186497-x86-x64-AllOS-ENU.exe /norestart

PowerShell – how to test a URL?

To test a web site using PowerShell:

Invoke-WebRequest -Uri https://login.windows.net

Alternatively, you can use portqry:

portqry -n login.windows.net -e 443

It can take up to 30 minutes or up to 24 hours after an event occurs for the corresponding audit log entry to be displayed in the search results. The following table shows the time it takes for the different services in Office 365.

Office 365 service 30 minutes 24 hours
Azure Active Directory (admin events) yes
Azure Active Directory (user login events) yes
Exchange Online yes
Microsoft Teams yes
Power BI yes
Security & Compliance Center yes
SharePoint Online and OneDrive for Business yes
Sway yes
Yammer yes


  • Azure Active Directory (Azure AD) is the directory service for Office 365. The unified audit log contains user, group, application, domain, and directory activities performed in the Office 365 admin center or in the Azure management portal. For a complete list of Azure AD events, see Azure Active Directory Audit Report Events.
  • Exchange Online audit logs consist of two types of events: Exchange admin events (actions taken by administrators) and mailbox events (actions taken by users on mailboxes). Note that mailbox auditing isn’t enabled by default. It must be enabled for each user mailbox before mailbox events can be searched for in the Office 365 audit log. For more information about mailbox auditing and the mailbox auditing actions that are logged, see Enable mailbox auditing in Office 365.
  • Audit logging for Power BI isn’t enabled by default. To search for Power BI activities in the Office 365 audit log, you have to enable auditing in the Power BI admin portal. For instructions, see Auditing Power BI.

Note: We’re in the process of turning on auditing by default. Until then, you can turn it on manually.

If you face longer delays than those described in the table, kindly let me know.

Turn off an activity alert for Auditing

You can turn off an activity alert so that an email notification isn’t sent. After you turn off the activity alert, it’s still displayed in the list of activity alerts for your organization, and you can still view its properties.

  • Go to https://protection.office.com.
  • Sign in to Office 365 using your work or school account.
  • In the left pane, click Alerts, and then click Manage activity alerts.
  • In the list of alerts for your organization, click the alert that you want to turn off.
  • On the Edit alert page, click the On toggle switch to change the status to Off, and then click Save.

The status of the alert on the Activity alerts pages is set to Off.

To turn an activity alert back on, just repeat these steps and click the Off toggle switch to change the status to On.

Create activity alerts in the Office 365 Security & Compliance Center
https://support.office.com/en-us/article/create-activity-alerts-in-the-office-365-security-compliance-center-72bbad69-035b-4d33-b8f4-549a2743e97d

Reference: https://docs.microsoft.com/en-us/office365/securitycompliance/enable-mailbox-auditing

Scripts:

https://github.com/O365AES/Scripts

To get status:

Get-Mailbox "office365user" | FL Audit*

AuditEnabled : True
AuditLogAgeLimit : 90.00:00:00
AuditAdmin : {Update, Copy, Move, MoveToDeletedItems…}
AuditDelegate : {Update, Move, MoveToDeletedItems, SoftDelete…}
AuditOwner : {}


To set up mailbox audit logging for all user mailboxes in your organization:

Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditEnabled $true
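An added example, not from the original post, that goes one step beyond the one-liner: it reports mailboxes where auditing is off or where no owner actions are logged (AuditOwner is empty, as in the sample output above), and then enables auditing with a set of owner actions. It assumes an Exchange Online PowerShell session is already open; the owner action list is a suggested baseline, not a Microsoft default.

```powershell
# Added example (not from the original post). Assumes an Exchange Online session.
# Owner actions to log; without these, a user's own deletes and logins leave no trace.
$OwnerActions = 'MailboxLogin', 'HardDelete', 'SoftDelete', 'Update', 'Move', 'MoveToDeletedItems'

$Mailboxes = Get-Mailbox -ResultSize Unlimited -Filter { RecipientTypeDetails -eq 'UserMailbox' }

# Mailboxes with auditing disabled, or enabled but logging no owner actions.
$NeedsFix = $Mailboxes | Where-Object {
    -not $_.AuditEnabled -or $_.AuditOwner.Count -eq 0
}

# Report before changing anything, so the list can be reviewed.
$NeedsFix | Select-Object UserPrincipalName, AuditEnabled, AuditLogAgeLimit,
    @{ Name = 'OwnerActions'; Expression = { $_.AuditOwner -join ',' } } |
    Format-Table -AutoSize

foreach ($Mbx in $NeedsFix) {
    Set-Mailbox -Identity $Mbx.Identity -AuditEnabled $true -AuditOwner $OwnerActions
}

Write-Host "Updated $($NeedsFix.Count) of $($Mailboxes.Count) mailboxes."
```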

Here is a PowerShell script to export OU filtering on AADConnect:

# Export the OU filtering (container inclusion and exclusion lists) of the on-premises AD connector
$ExcludeFilterFile = "d:\scripts\logs\AADC_ExcludedOU.txt"
$IncludeFilterFile = "d:\scripts\logs\AADC_IncludedOU.txt"
$AADConnector = "mydomain.com"   # name of the AD connector, as shown by Get-ADSyncConnector
$AADConn = Get-ADSyncConnector -Name $AADConnector
$AADConPartition = Get-ADSyncConnectorPartition -Connector $AADConn[0] -Identifier $AADConn.Partitions.Identifier.Guid
$AADConPartition.ConnectorPartitionScope.ContainerInclusionList | Out-File -FilePath $IncludeFilterFile
$AADConPartition.ConnectorPartitionScope.ContainerExclusionList | Out-File -FilePath $ExcludeFilterFile

To export other AADConnect settings:

(Get-ADSyncGlobalSettings).Parameters | Export-Csv [path to csv file here]
This will create a spreadsheet with all the parameter names and their values. With this, you have pretty neat documentation of the AD Connect configuration.

Now let’s get the names of the connectors; run:

Get-ADSyncConnector

You will get the connectors’ names, their identifiers, installation dates, and last modification dates.
If you know the names of the connectors (say, your AD connector is named xyz.com and your extensible connector is called 'xyz.onmicrosoft.com - AAD'), you can also pass the name to the PowerShell cmdlet like this:

Get-ADSyncConnectorPartition -Connector (Get-ADSyncConnector -Name 'mydomain.local')
Get-ADSyncConnectorPartition -Connector (Get-ADSyncConnector -Name 'mydomain.onmicrosoft.com - AAD')

What commands are available for Partitions?

Get-Command -Module ADSync -Name *partition*


# Get the Partitions through the 'Partitions' property on the connector object

Get-ADSyncConnector -Name 'mydomain.com - AAD' | Select-Object -ExpandProperty Partitions

<#
Identifier              : f083884f-dbf1-4eef-a5b3-02adabc96dbd
DN                      : default
Version                 : 1
CreationTime            : 2/24/2015 12:16:38 AM
LastModificationTime    : 2/24/2015 12:16:38 AM
Selected                : True
ConnectorPartitionScope : Microsoft.IdentityManagement.PowerShell.ObjectModel.ConnectorPartitionScope
Name                    : default
Parameters              : {}
IsDomain                : True
ECMAWaterMark           : ....
#>

# Get just one Partition

Get-ADSyncConnector -Name mydomain.com | Select-Object -ExpandProperty Partitions | Where-Object Name -eq mydomain.com


Overview:

https://docs.microsoft.com/en-us/powershell/dsc/overview/overview

https://docs.microsoft.com/en-us/powershell/dsc/resources/resources

Blog: https://blogs.msdn.microsoft.com/powershell/2018/09/13/desired-state-configuration-dsc-planning-update-september-2018/

DSC resource kit:

https://github.com/powershell/dscresources

DSCEA:

https://github.com/Microsoft/DSCEA

readme: https://microsoft.github.io/DSCEA/


To backup a DFS root:

dfsUtil root export \\mydomain.net\rootdfs .\logs\rootdfs_Configuration.xml

To restore a DFS root:

dfsUtil root addDom \\mydomain.net\rootdfs
dfsUtil root import set \\mydomain.net\rootdfs  .\logs\rootdfs_Configuration.xml

If you want to enable advanced audit settings using local GPOs or domain GPOs, you must enable the Audit option:

Audit: force audit policy subcategory settings to override audit policy category settings
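An added check, not from the original post: it reads whether the override policy above is in force and lists the effective subcategory settings. It assumes the policy is stored in the SCENoApplyLegacyAuditPolicy registry value under the Lsa key (this is where Windows keeps it) and uses the built-in auditpol tool.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell session.
function Test-AuditSubcategoryOverride {
    # The GPO setting "Audit: Force audit policy subcategory settings ... to override
    # audit policy category settings" is stored as SCENoApplyLegacyAuditPolicy = 1.
    $Key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $Value = (Get-ItemProperty -Path $Key -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue).SCENoApplyLegacyAuditPolicy
    return ($Value -eq 1)
}

if (Test-AuditSubcategoryOverride) {
    Write-Host 'Override set: advanced (subcategory) audit settings take effect.'
} else {
    Write-Warning 'Override not set: legacy category settings can overwrite the advanced audit settings pushed by GPO.'
}

# Effective subcategory settings: auditpol /r emits CSV, which is parsed into objects
# (blank lines dropped) and reduced to subcategories that actually log something.
auditpol /get /category:* /r |
    Where-Object { $_ } |
    ConvertFrom-Csv |
    Where-Object { $_.'Inclusion Setting' -ne 'No Auditing' } |
    Select-Object Subcategory, 'Inclusion Setting' |
    Format-Table -AutoSize
```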

Web resources:

https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/migrate-rds-role-services

https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-client-access-license

Note:

Do not specify a DNS alias for the RDS licensing server (on a new RDS server).

Old articles:

https://hichamkadiri.wordpress.com/tag/remote-desktop-services-2012-r2/page/2/

http://blogs.technet.com/b/askperf/archive/2013/09/20/rd-licensing-configuration-on-windows-server-2012.aspx