Archive for February, 2018


How to move Mailbox to Exchange online:

https://technet.microsoft.com/en-us/library/o365e_hrcmoverequest_fl312271(v=exchg.150).aspx


About Office 365 message encryption:

With the new Office 365 Message Encryption (OME) capabilities, built on top of Azure Information Protection, your organization can exchange protected email with people inside and outside the organization. The new OME capabilities work with other Office 365 organizations, Outlook.com, Gmail and other email services.

OME How to:

https://support.office.com/en-us/article/office-365-message-encryption-ome-f87cb016-7876-4317-ae3c-9169b311ff8a

 

Reference: http://support.microsoft.com/kb/318785

Microsoft .NET Framework is a runtime and class library used by many applications: code targeting it runs in a managed software environment provided by the framework rather than directly against the hardware, so the installed framework version matters for both compatibility and patching.

There is also a free program called .NET Version Detector (download here).

PowerShell: how to get version of .net framework on a remote computer: https://gallery.technet.microsoft.com/scriptcenter/Detect-NET-Framework-120ec923

To query the local registry with PowerShell, run the command below (the page suggests an elevated session; reading this HKLM key does not actually require elevation):

(Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -Name Release).Release

You can then map the returned Release value to the installed .NET version using Microsoft's Release key table (not reproduced on this page). The values are thresholds: the installed version is the highest entry whose Release value the returned number reaches. For instance, if the returned value is 379893, then .NET 4.5.2 is installed.
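As an added example (not code from the original page), here is the same lookup as a PowerShell function that reads the Release value locally or on remote computers over WinRM and maps it to a version. The threshold table is Microsoft's published Release-to-version mapping for .NET Framework 4.5 through 4.8; the computer names and credential are placeholders.

```powershell
# Added example: map the NDP\v4\Full "Release" value to a .NET Framework version,
# locally or on remote computers (WinRM / PowerShell remoting must be enabled there).
# Thresholds from Microsoft's Release key table; highest entry reached wins.
$script:DotNetReleaseTable = [ordered]@{
    528040 = '4.8'
    461808 = '4.7.2'
    461308 = '4.7.1'
    460798 = '4.7'
    394802 = '4.6.2'
    394254 = '4.6.1'
    393295 = '4.6'
    379893 = '4.5.2'
    378675 = '4.5.1'
    378389 = '4.5'
}

function ConvertTo-DotNetVersion {
    param([Parameter(Mandatory)][int]$Release)
    foreach ($entry in $script:DotNetReleaseTable.GetEnumerator()) {
        if ($Release -ge [int]$entry.Key) { return $entry.Value }
    }
    return 'unknown (below 4.5)'
}

function Get-DotNetVersion {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME,
        [pscredential]$Credential
    )
    # The remote side only reads the raw registry values; the mapping is done locally,
    # so the table does not have to be shipped into the remote session.
    $reader = {
        $key  = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
        $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{ Release = $item.Release; Version = $item.Version }
    }
    foreach ($c in $ComputerName) {
        try {
            if ($c -eq $env:COMPUTERNAME) {
                $r = & $reader
            } else {
                $p = @{ ComputerName = $c; ScriptBlock = $reader; ErrorAction = 'Stop' }
                if ($Credential) { $p.Credential = $Credential }
                $r = Invoke-Command @p
            }
            [pscustomobject]@{
                ComputerName    = $c
                Release         = $r.Release
                DotNetVersion   = if ($r.Release) { ConvertTo-DotNetVersion $r.Release } else { 'not installed (no v4 Full key)' }
                RegistryVersion = $r.Version
            }
        } catch {
            # Unreachable host, WinRM disabled, access denied: report instead of aborting the batch
            [pscustomobject]@{ ComputerName = $c; Release = $null; DotNetVersion = "error: $($_.Exception.Message)"; RegistryVersion = $null }
        }
    }
}

# Placeholder names: replace with real hosts (local machine is queried without remoting)
Get-DotNetVersion -ComputerName $env:COMPUTERNAME, 'PAW-01', 'PAW-02' | Format-Table -AutoSize
```

The 379893 case from the text falls through the table to '4.5.2'; a Windows 10 box returns a larger value and is reported as the corresponding 4.6.x/4.7.x/4.8 build. Hosts that fail to answer are listed with the error text rather than stopping the loop.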

Privileged Access Workstation (PAW) laptops must run the latest Windows 10 OS with all the new security features and security best practices, such as:

  • Apply a Hardening Security Baseline from Microsoft Security Compliance Manager (SCM)
  • Enable Secure Boot with UEFI
  • Impose Software Restrictions using AppLocker
  • Enable Full Disk Encryption.
  • Impose Restrictions on USB ports.
  • Implement Network Isolation via host firewall
  • Install and configure Device Guard and Windows Defender ATP (or equivalent), plus CrowdStrike or an equivalent EDR agent
  • Don’t allow Internet access from a browser.
  • Install Minimal Software.
  • Allow Minimal Administrative Accounts (gad-xxxx accounts in our case)
  • Implement a Hardened OU for the PAWs into the GAD of MUCMSPDOM
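As an added example (not from the original page), a PowerShell audit that checks a Windows 10 host against the items in the checklist that can be verified locally. It must run elevated; the allowed local administrator patterns (local Administrator plus the gad-* naming from the list) are an assumption to adjust, and the browser/Internet restriction and the hardened OU are organisational settings it does not test.

```powershell
# Added example: audit a Windows 10 workstation against the PAW checklist above.
# Run from an elevated PowerShell 5.1 session. $AllowedAdmins is an assumed pattern list.
function Test-PawBaseline {
    [CmdletBinding()]
    param([string[]]$AllowedAdmins = @('Administrator', 'gad-*'))
    $results = New-Object System.Collections.Generic.List[object]
    function Add-Result([string]$Check, [bool]$Pass, [string]$Detail) {
        $results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
    }

    # Latest Windows 10 (major version only; build currency is left to the patching process)
    $os = [Environment]::OSVersion.Version
    Add-Result 'Windows 10' ($os.Major -ge 10) "OS version $os"

    # Secure Boot with UEFI (the cmdlet throws on legacy BIOS machines)
    try   { $sb = Confirm-SecureBootUEFI; Add-Result 'Secure Boot' $sb "Confirm-SecureBootUEFI = $sb" }
    catch { Add-Result 'Secure Boot' $false $_.Exception.Message }

    # Full disk encryption: BitLocker protection must be On for the OS volume
    try {
        $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive
        Add-Result 'Full disk encryption' ($bl.ProtectionStatus -eq 'On') "$($bl.VolumeStatus), protection $($bl.ProtectionStatus)"
    } catch { Add-Result 'Full disk encryption' $false $_.Exception.Message }

    # AppLocker: at least one rule collection in enforce mode in the effective policy
    [xml]$al  = Get-AppLockerPolicy -Effective -Xml
    $enforced = @($al.AppLockerPolicy.RuleCollection | Where-Object { $_.EnforcementMode -eq 'Enabled' })
    Add-Result 'AppLocker enforced' ($enforced.Count -gt 0) ('Enforced collections: ' + (($enforced.Type) -join ', '))

    # USB mass storage: USBSTOR service start type 4 (Disabled) blocks removable drives
    $usb = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -ErrorAction SilentlyContinue).Start
    Add-Result 'USB storage blocked' ($usb -eq 4) "USBSTOR Start = $usb"

    # Host firewall: every profile enabled with inbound traffic blocked by default
    $fw  = Get-NetFirewallProfile
    $bad = @($fw | Where-Object { "$($_.Enabled)" -ne 'True' -or "$($_.DefaultInboundAction)" -eq 'Allow' })
    Add-Result 'Host firewall (network isolation)' ($bad.Count -eq 0) ('Non-compliant profiles: ' + (($bad.Name) -join ', '))

    # Device Guard: VBS running (status 2) and HVCI in the running services list (2 = HVCI, 1 = Credential Guard)
    $dg   = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $hvci = $dg.SecurityServicesRunning -contains 2
    Add-Result 'Device Guard (VBS + HVCI)' (($dg.VirtualizationBasedSecurityStatus -eq 2) -and $hvci) `
        "VBS status=$($dg.VirtualizationBasedSecurityStatus) services running=$($dg.SecurityServicesRunning -join ',')"

    # Windows Defender real-time protection (a third-party EDR such as CrowdStrike needs its own check)
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    Add-Result 'Defender real-time protection' ([bool]$mp.RealTimeProtectionEnabled) "AMServiceEnabled=$($mp.AMServiceEnabled)"

    # Minimal administrative accounts: anything in local Administrators outside the allowed patterns
    $admins = @(Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name })
    $extra  = @($admins | Where-Object {
        $n = $_.Split('\')[-1]
        -not ($AllowedAdmins | Where-Object { $n -like $_ })
    })
    Add-Result 'Minimal local admins' ($extra.Count -eq 0) ('Unexpected members: ' + ($extra -join ', '))

    return $results
}

Test-PawBaseline | Format-Table -AutoSize
```

Each row carries the raw evidence in the Detail column, so a failed check can be matched against the GPO or SCM baseline that should have set it. The output is a plain object list and can be exported to CSV for a fleet comparison.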

Best practices for big companies:

  • Deploy Office 365 ProPlus in 32-bit (Microsoft's default recommendation at the time, mainly for add-in compatibility)
  • Deploy with SCCM or equivalent software distribution; Office 365 ProPlus is Click-to-Run only, the .msi packages exist for volume-licensed Office
  • Patch management through SCCM
  • Configure the Office suite through GPO (Office administrative templates)

 

Here is a link explaining the different update channels:

https://docs.microsoft.com/en-us/DeployOffice/overview-of-update-channels-for-office-365-proplus?ui=en-US&rs=en-US&ad=US

 

And the link to the version history (with build numbers):

https://docs.microsoft.com/en-us/officeupdates/update-history-office365-proplus-by-date

 

How to control Office 365 ProPlus activations:

https://blogs.technet.microsoft.com/odsupport/2015/06/22/office-365-proplus-user-activations-management/

Deployment guide:

https://docs.microsoft.com/en-us/deployoffice/deployment-guide-for-office-365-proplus

 

Office deployment toolkit:

https://officedev.github.io/Office-IT-Pro-Deployment-Scripts/XmlEditor.html

https://www.microsoft.com/en-us/download/details.aspx?id=49117
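As an added example (not from the original page or the Office Deployment Tool itself), a PowerShell function that generates an ODT configuration.xml matching the recommendations above (32-bit, Semi-Annual "Broad" channel, install source on an SCCM distribution share) and a wrapper that runs setup.exe /download and /configure. The share path, setup.exe location and excluded applications are assumptions.

```powershell
# Added example: build an Office Deployment Tool configuration.xml and drive setup.exe.
# Paths, share and app exclusions are placeholders; ODT element/attribute names are the
# documented ones (Add, Product, Language, ExcludeApp, Updates, Display, RemoveMSI).
function New-OdtConfiguration {
    [CmdletBinding()]
    param(
        [ValidateSet('32', '64')][string]$Edition = '32',
        [ValidateSet('Monthly', 'Broad', 'Targeted')][string]$Channel = 'Broad',
        [string]$SourcePath  = '\\sccm01\OfficeSource',          # assumed distribution share
        [string[]]$Languages = @('en-us'),
        [string[]]$ExcludeApps = @('Groove', 'Lync'),            # old OneDrive for Business client, Skype for Business
        [switch]$RemoveMsi,                                      # uninstall MSI-based Office first
        [string]$OutFile = (Join-Path $PWD 'configuration.xml')
    )
    $xml  = New-Object System.Xml.XmlDocument
    $root = $xml.AppendChild($xml.CreateElement('Configuration'))

    $add = $root.AppendChild($xml.CreateElement('Add'))
    $add.SetAttribute('OfficeClientEdition', $Edition)
    $add.SetAttribute('Channel', $Channel)
    if ($SourcePath) { $add.SetAttribute('SourcePath', $SourcePath) }

    $product = $add.AppendChild($xml.CreateElement('Product'))
    $product.SetAttribute('ID', 'O365ProPlusRetail')
    foreach ($l in $Languages)   { $e = $product.AppendChild($xml.CreateElement('Language'));   $e.SetAttribute('ID', $l) }
    foreach ($a in $ExcludeApps) { $e = $product.AppendChild($xml.CreateElement('ExcludeApp')); $e.SetAttribute('ID', $a) }

    # Keep updates on the same channel; with SCCM patching, point the updater at the managed share
    $upd = $root.AppendChild($xml.CreateElement('Updates'))
    $upd.SetAttribute('Enabled', 'TRUE')
    $upd.SetAttribute('Channel', $Channel)
    if ($SourcePath) { $upd.SetAttribute('UpdatePath', $SourcePath) }

    # Silent install for an SCCM deployment
    $disp = $root.AppendChild($xml.CreateElement('Display'))
    $disp.SetAttribute('Level', 'None')
    $disp.SetAttribute('AcceptEULA', 'TRUE')

    if ($RemoveMsi) {
        $rm = $root.AppendChild($xml.CreateElement('RemoveMSI'))
        $rm.SetAttribute('All', 'TRUE')
    }

    $xml.Save($OutFile)
    return $OutFile
}

function Invoke-OdtDeployment {
    param(
        [Parameter(Mandatory)][string]$SetupExe,     # setup.exe extracted from the ODT download
        [Parameter(Mandatory)][string]$ConfigFile,
        [switch]$DownloadOnly                        # stage the source share without installing
    )
    & $SetupExe /download $ConfigFile
    if ($LASTEXITCODE -ne 0) { throw "ODT download failed with exit code $LASTEXITCODE" }
    if (-not $DownloadOnly) {
        & $SetupExe /configure $ConfigFile
        if ($LASTEXITCODE -ne 0) { throw "ODT configure failed with exit code $LASTEXITCODE" }
    }
}

# Usage (assumed paths): stage the Broad-channel 32-bit build on the share, then install
$cfg = New-OdtConfiguration -Edition 32 -Channel Broad -RemoveMsi
Invoke-OdtDeployment -SetupExe 'C:\ODT\setup.exe' -ConfigFile $cfg
```

Run the /download step once from a staging machine so clients install from the share rather than from the Internet, and keep the Channel value in Add and Updates identical: a mismatch leaves clients on a different build train than the one deployed.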

 

Troubleshooting:

https://support.office.com/en-us/article/troubleshoot-office-installation-issues-in-office-365-for-business-fbbf663b-1e76-46d2-a417-0aa78ed2fb9a?ui=en-US&rs=en-US&ad=US#bkmk_activationfail

To get information about the Office 365 ProPlus products installed on a computer, use the ospp.vbs script:

1)Determine whether the 32-bit or 64-bit version of Office 365 ProPlus is installed. To do this, open an Office 365 ProPlus application, such as Word, and choose File > Account > About {name of app}. 64-bit or 32-bit is displayed next to the application version.

2)Determine whether the computer has the 32-bit or 64-bit version of Windows installed. To do this, press the Windows logo key+E, then choose System properties or Computer > System properties. Under System, the System type property will indicate either a 32-bit or 64-bit operating system.

3) Open a command prompt and type one of the following commands, depending on your versions of Windows and Office (the paths below use the Office15 folder of the 2013 builds; for Office 2016 builds of Office 365 ProPlus the folder is Office16):

  • 32-bit Office 365 ProPlus on 32-bit Windows: cscript.exe "%ProgramFiles%\Microsoft Office\Office15\ospp.vbs" /dstatus
  • 32-bit Office 365 ProPlus on 64-bit Windows: cscript.exe "%ProgramFiles(x86)%\Microsoft Office\Office15\ospp.vbs" /dstatus
  • 64-bit Office 365 ProPlus on 64-bit Windows: cscript.exe "%ProgramFiles%\Microsoft Office\Office15\ospp.vbs" /dstatus

4) Review the LICENSE STATUS. The statuses mean the following:

  • OOB_GRACE: Office 365 ProPlus was recently installed and is fully functional, but hasn't been activated yet. The user is prompted to enter user ID credentials to activate Office 365 ProPlus.
  • LICENSED: Office 365 ProPlus is fully functional and activated.
  • EXTENDED_GRACE: Office 365 ProPlus is fully functional but at risk of going into reduced functionality mode. This status lasts for 30 days and indicates that the product key wasn't successfully re-activated. In most cases this means the computer hasn't connected to the Internet for some time and Office 365 hasn't had an opportunity to validate the license.
  • NOTIFICATIONS: Office 365 ProPlus is in reduced functionality mode and displays messages that the user needs to reactivate.
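As an added example (not from the original page), steps 1 to 4 folded into one PowerShell function: it finds ospp.vbs whatever the Windows/Office bitness and Office folder (Office16 or Office15), runs /dstatus and parses the LICENSE STATUS of every license it reports. The status and name line formats are those printed by ospp.vbs; everything else is a local assumption.

```powershell
# Added example: run ospp.vbs /dstatus and parse its output into objects.
# ospp.vbs prints one block per license, separated by a line of dashes, containing
# "LICENSE NAME:", "LICENSE DESCRIPTION:", "LICENSE STATUS:  ---LICENSED---" and "ERROR CODE:" lines.
function Get-OfficeLicenseStatus {
    [CmdletBinding()]
    param()
    # Both Program Files roots cover 32-bit-on-64-bit, 64-bit-on-64-bit and 32-bit-on-32-bit installs
    $roots  = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    $found  = foreach ($r in $roots) {
        foreach ($v in 'Office16', 'Office15') {
            $p = Join-Path $r "Microsoft Office\$v\ospp.vbs"
            if (Test-Path $p) { $p }
        }
    }
    $script = @($found) | Select-Object -First 1
    if (-not $script) { throw 'ospp.vbs not found under Program Files; is Office installed?' }

    $out = & cscript.exe //nologo $script /dstatus

    $block = @{}; $licenses = @()
    foreach ($line in $out) {
        if     ($line -match '^LICENSE NAME:\s*(.+)$')        { $block.Name = $Matches[1].Trim() }
        elseif ($line -match '^LICENSE DESCRIPTION:\s*(.+)$') { $block.Description = $Matches[1].Trim() }
        elseif ($line -match '^LICENSE STATUS:\s*-*([A-Z_]+)-*') {
            $block.Status  = $Matches[1]                     # OOB_GRACE, LICENSED, EXTENDED_GRACE, NOTIFICATIONS
            $block.Healthy = ($Matches[1] -eq 'LICENSED')
        }
        elseif ($line -match '^ERROR CODE:\s*(.+)$')          { $block.ErrorCode = $Matches[1].Trim() }
        elseif ($line -match '^-{5,}') {
            # Separator: flush the previous block if it holds anything
            if ($block.Count) { $licenses += [pscustomobject]$block; $block = @{} }
        }
    }
    if ($block.Count) { $licenses += [pscustomobject]$block }

    [pscustomobject]@{
        Script   = $script
        Licenses = $licenses
        NeedsAttention = @($licenses | Where-Object { -not $_.Healthy }).Count -gt 0
    }
}

$status = Get-OfficeLicenseStatus
$status.Licenses | Format-Table Name, Status, ErrorCode -AutoSize
if ($status.NeedsAttention) { Write-Warning "At least one Office license is not in LICENSED state on $env:COMPUTERNAME" }
```

Run it through SCCM or a remote session across the fleet and filter on NeedsAttention to find machines drifting into EXTENDED_GRACE or NOTIFICATIONS before users hit reduced functionality mode.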

 

Reference articles:

https://docs.microsoft.com/sl-si/azure/multi-factor-authentication/multi-factor-authentication-get-started

https://docs.microsoft.com/sl-si/azure/multi-factor-authentication/multi-factor-authentication-get-started-server

https://docs.microsoft.com/sl-si/azure/multi-factor-authentication/multi-factor-authentication-get-started-adfs

 

https://blog.kloud.com.au/2017/07/04/resolving-the-double-auth-prompt-issue-in-adfs-with-azure-ad-conditional-access-mfa/

https://blog.kloud.com.au/2017/07/01/using-adfs-on-premises-mfa-with-azure-ad-conditional-access/

 

Scripting and automation:

https://araihan.wordpress.com/2017/01/20/enable-multi-factor-authentication-for-office-365-users-using-powershell/

http://eskonr.com/2018/03/different-methods-to-setup-azure-mfa-registration-for-o365/

 

Configuration:

The tenant must be configured to delegate MFA to the on-prem MFA servers through ADFS: the ADFS infrastructure has been configured to support on-prem MFA with the MFA adapter (connector) running on each internal ADFS server.

The on-prem MFA servers are configured to import internal domain users. No conditional access policies are possible with the on-prem MFA servers.

 

AzureMFA:

  • Azure MFA works only for accounts created in the tenant (aad-xxx accounts, guests)
  • Azure AD conditional access policies do not work with MFA on-prem, only with Azure MFA
  • Accounts in Azure AD must be MFA enabled (through the PhoneFactor portal, a PowerShell script, or an Azure AD Identity Protection policy). MFA self-registration for users: aka.ms/mfasetup
  • Applications supported:
    • Granular policies are possible per application
    • Azure AD federated applications / Office 365 apps…
    • Cisco VPN and on-prem applications are not possible, because those accounts must be declared in the on-prem MFA server database

 

MFA onPrem:

  • Synchronized users use only MFA on-prem
  • Synchronized accounts in Azure AD must still be MFA enabled (through the PhoneFactor portal, a PowerShell script, or an Azure AD Identity Protection policy); by default users are not MFA enabled
  • Conditional access to Office 365 is only possible at the ADFS level (an access rule on the whole Office 365 relying party trust)
    • and it therefore applies to all Azure AD / Office 365 apps (no per-application granularity, unlike Azure MFA)
  • Other use cases supported:
    • Cisco VPN (using RADIUS)
    • Citrix…

 

=========================================================

Users must be MFA enabled to support either Azure MFA or MFA on-prem:

To automate:

  1. By PowerShell script
  2. By using Azure AD identity protection and policies
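As an added example (not from the original page), the PowerShell route with the MSOnline module: one function sets the per-user MFA state (Enabled, Enforced, or Disabled by clearing the requirements), the other reports whether a user is enabled and whether they have actually registered a method, which is the gap the notes above warn about. The user principal names are constructed; Connect-MsolService prompts for an admin account.

```powershell
# Added example: enable and report per-user MFA with the MSOnline module.
# Assumes Install-Module MSOnline has been done. StrongAuthenticationRequirement is the
# documented object type used by Set-MsolUser; UPNs below are placeholders.
Connect-MsolService

function Set-UserMfaState {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][ValidateSet('Enabled', 'Enforced', 'Disabled')][string]$State
    )
    if ($State -eq 'Disabled') {
        # An empty requirements array clears per-user MFA
        Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @()
        return
    }
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = '*'        # applies to every relying party
    $req.State        = $State     # Enabled = user must register at next sign-in; Enforced = already registered
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($req)
}

function Get-UserMfaState {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$UserPrincipalName)
    process {
        $u = Get-MsolUser -UserPrincipalName $UserPrincipalName
        $state = if ($u.StrongAuthenticationRequirements.Count -gt 0) {
            $u.StrongAuthenticationRequirements[0].State
        } else { 'Disabled' }
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            MfaState          = $state
            # "Enabled" only means MFA is required; Registered tells whether the user completed aka.ms/mfasetup
            Registered        = ($u.StrongAuthenticationMethods.Count -gt 0)
            DefaultMethod     = ($u.StrongAuthenticationMethods | Where-Object { $_.IsDefault }).MethodType
        }
    }
}

# Constructed pilot list: enable MFA, then report state and registration
$pilot = 'alice@contoso.example', 'bob@contoso.example'
$pilot | ForEach-Object { Set-UserMfaState -UserPrincipalName $_ -State Enabled }
$pilot | Get-UserMfaState | Format-Table -AutoSize

# Users still Enabled but not Registered after the rollout window are the ones to chase
Get-MsolUser -All | Where-Object { $_.StrongAuthenticationRequirements.Count -gt 0 -and $_.StrongAuthenticationMethods.Count -eq 0 } |
    Select-Object UserPrincipalName | Format-Table -AutoSize
```

Moving a user to Enforced before they have registered locks them out of legacy clients, so switch to Enforced only after Registered is true; for a bulk rollout feed a CSV of UPNs into the same two functions.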

 

Uncheck the Azure MFA box to keep MFA on-prem as the only MFA authentication method.

 

ADFS conditional access for the RP office365:

We must create a single policy, valid for the Office 365 RP trust and therefore for all Azure AD and Office 365 apps (all or nothing; no granularity here).

 

 

Office 365 groups:

https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-settings-cmdlets

Blog: https://www.avepoint.com/blog/office-365/top-office-365-groups-questions-answered/

Manage Office 365 groups with PowerShell:

https://support.office.com/en-us/article/manage-office-365-groups-with-powershell-aeb669aa-1770-4537-9de2-a82ac11b0540

https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-settings-v2-cmdlets

Allow/Block guest access to Office 365 groups:

https://technet.microsoft.com/en-us/library/mt842200%28v=exchg.150%29.aspx?f=255&MSPPError=-2147217396

Office 365 groups naming policies: (I know how to use PowerShell to apply a naming convention to new and existing groups and to blacklist words in group names!)

https://support.office.com/en-us/article/office-365-groups-naming-policy-6ceca4d3-cad1-4532-9f0f-d469dfbbb552

https://support.office.com/en-us/article/manage-office-365-groups-with-powershell-aeb669aa-1770-4537-9de2-a82ac11b0540?ui=en-US&rs=en-US&ad=US

https://www.petri.com/office-365-groups-naming-policy

How to restrict who can create Office 365 groups:

https://support.office.com/en-us/article/Manage-who-can-create-Office-365-Groups-4c46c8cb-17d0-44b5-9776-005fced8e618?ui=en-US&rs=en-US&ad=US

How to restore a deleted Office 365 groups:

https://support.office.com/en-us/article/restore-a-deleted-office-365-group-b7c66b59-657a-4e1a-8aa0-8163b1f4eb54

https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-restore-deleted

Archive or restore a team?

https://support.office.com/en-us/article/archive-or-restore-a-team-dc161cfd-b328-440f-974b-5da5bd98b5a7

Connect to AzureAD:

Check the installed module:
Get-InstalledModule -Name "AzureAD*"
To uninstall a previous version of AzureADPreview or AzureAD, run:
Uninstall-Module AzureADPreview
or
Uninstall-Module AzureAD

To install the latest version of AzureADPreview, run: Install-Module AzureADPreview -Force

At the message about an untrusted repository, type Y. It takes a minute or so for the new module to install.

Then run Connect-AzureAD.
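As an added example (not from the original page), the tenant-wide group settings covered by the links above (guest access, naming policy with blocked words, who can create groups) applied with the AzureADPreview directory-settings cmdlets, plus the restore of a soft-deleted group by display name. The naming pattern, blocked word list and the creators' security group name are assumptions; Connect-AzureAD is assumed to have run.

```powershell
# Added example: Office 365 groups governance with AzureADPreview.
# Setting names (EnableGroupCreation, GroupCreationAllowedGroupId, PrefixSuffixNamingRequirement,
# CustomBlockedWordsList, AllowToAddGuests, AllowGuestsToAccessGroups) are the documented
# Group.Unified template keys; the values passed in are placeholders.
function Get-UnifiedGroupSettings {
    # Returns the Group.Unified directory setting, creating it from the template on first use
    $setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }
    if (-not $setting) {
        $template = Get-AzureADDirectorySettingTemplate | Where-Object { $_.DisplayName -eq 'Group.Unified' }
        New-AzureADDirectorySetting -DirectorySetting $template.CreateDirectorySetting() | Out-Null
        $setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }
    }
    return $setting
}

function Set-UnifiedGroupGovernance {
    [CmdletBinding()]
    param(
        [string]$NamingPattern     = 'OG_[Department]_[GroupName]',   # assumed convention
        [string[]]$BlockedWords    = @('CEO', 'Payroll', 'HR', 'Legal'), # assumed list
        [string]$CreatorsGroupName = 'SG-O365-GroupCreators',          # assumed security group
        [switch]$AllowGuests
    )
    $setting  = Get-UnifiedGroupSettings
    $creators = Get-AzureADGroup -SearchString $CreatorsGroupName | Where-Object { $_.DisplayName -eq $CreatorsGroupName }
    if (-not $creators) { throw "Security group '$CreatorsGroupName' not found; create it before restricting creation" }

    # Self-service stays on only for members of the creators group
    $setting['EnableGroupCreation']          = 'False'
    $setting['GroupCreationAllowedGroupId']  = $creators.ObjectId
    # One naming policy for the tenant; [GroupName] is the user's text, [Department] a user attribute
    $setting['PrefixSuffixNamingRequirement'] = $NamingPattern
    $setting['CustomBlockedWordsList']        = ($BlockedWords -join ',')
    # Guest access to groups, tenant-wide
    $setting['AllowToAddGuests']              = [string]$AllowGuests.IsPresent
    $setting['AllowGuestsToAccessGroups']     = [string]$AllowGuests.IsPresent
    Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting

    # Read back the effective values
    (Get-UnifiedGroupSettings).Values |
        Where-Object { $_.Name -in 'EnableGroupCreation', 'GroupCreationAllowedGroupId',
                                   'PrefixSuffixNamingRequirement', 'CustomBlockedWordsList', 'AllowToAddGuests' }
}

function Restore-UnifiedGroupByName {
    # Soft-deleted groups are kept 30 days; after that they are purged and this finds nothing
    param([Parameter(Mandatory)][string]$DisplayName)
    $candidates = @(Get-AzureADMSDeletedGroup | Where-Object { $_.DisplayName -eq $DisplayName })
    if ($candidates.Count -eq 0) { throw "No deleted group named '$DisplayName' (purged after 30 days, or never deleted)" }
    if ($candidates.Count -gt 1) { throw "Several deleted groups named '$DisplayName'; restore by Id instead: $($candidates.Id -join ', ')" }
    Restore-AzureADMSDeletedDirectoryObject -Id $candidates[0].Id
}

Set-UnifiedGroupGovernance -AllowGuests:$false | Format-Table Name, Value -AutoSize
Get-AzureADMSDeletedGroup | Select-Object Id, DisplayName, MailNickname
```

The naming policy and blocked words only apply to groups created or renamed after the setting is saved; existing groups keep their names, which is why the governance questions below should be settled before production.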

Office 365 groups governance guidance:

I am in favour of self-service for the end users. This kind of freedom helps to improve collaboration and adoption. But it's true that bad use of this self-service can be a nightmare in terms of governance. Here are some ideas or highlights to balance user needs and IT management:

Questions to be addressed before going to production:

  • Do we want to keep allowing ALL users to create groups, or only some users?
    • By default every user can create Office 365 groups (unlike on-premises Active Directory)
    • On one side this is good for end users (more flexibility and autonomy): self-service
    • On the other side it can become a mess for IT
  • Do we need a naming convention? (limited to a single naming policy, e.g. OG_, O365_, <prefix>_<attribute>_<free text> …)
  • Do we need to blacklist words? (which ones? who decides? …)

Other subjects:

  • Do we need to change the expiration policy? (the retention period after deletion is 30 days)
  • Restoring an Office 365 group is only possible via PowerShell or the Exchange admin center
  • An end-user procedure to request a new group is needed
  • An end-user procedure to request a group restore is needed

 

 

PowerShell connection to exchange online:

Office 365 groups are managed with the Exchange Online cmdlets (Get-UnifiedGroup and friends), which are not part of the AzureAD or MSOnline modules: they are only available through a remote PowerShell session to Exchange Online, and that session needs Basic authentication enabled on the local WinRM client (the credentials still travel over HTTPS to outlook.office365.com; "Basic" here only describes how the WinRM client passes them):

PS C:\WINDOWS\system32> Set-ExecutionPolicy -Scope CurrentUser RemoteSigned

PS C:\WINDOWS\system32> $UserCredential = Get-Credential     <== do not use an account with Azure MFA enabled

Note: if you are using Azure MFA to connect to Exchange Online, follow this article: https://technet.microsoft.com/en-us/library/mt775114(v=exchg.160).aspx

PS C:\WINDOWS\system32> $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

If New-PSSession fails with "The WinRM client cannot process the request. Basic authentication is currently disabled in the client configuration", check the WinRM client configuration. In the output below, Basic = false comes from Group Policy ([Source="GPO"]), so it has to be changed in the policy (Computer Configuration > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Client > Allow Basic authentication) rather than with winrm set, which the GPO would override:

PS E:\–DEV WORK–> winrm get winrm/config/client
Client
NetworkDelayms = 5000
URLPrefix = wsman
AllowUnencrypted = false [Source=”GPO”]
Auth
Basic = false [Source=”GPO”]
Digest = false [Source=”GPO”]
Kerberos = true [Source=”GPO”]
Negotiate = true [Source=”GPO”]
Certificate = true
CredSSP = true [Source=”GPO”]
DefaultPorts
HTTP = 5985
HTTPS = 5986
TrustedHosts

 

Import-PSSession $Session

ModuleType Version    Name                                ExportedCommands
———- ——-    —-                                —————-
Script     1.0        tmp_0gtrs5dm.juw                    {Add-AvailabilityAddressSpace, Add-DistributionGroupMember, Add-MailboxFolderPermission, Add-MailboxLocation…}

PS C:\WINDOWS\system32> Get-Mailbox | Get-MailboxStatistics

Note: https://technet.microsoft.com/library/13843002-56ca-4b75-81c5-84386522b01b.aspx

For Office 365 groups:

Note: https://thoughtsofanidlemind.com/2015/05/07/new-management-cmdlets-for-office-365-groups/

PS C:\WINDOWS\system32> Get-UnifiedGroup "All Guest users"

After your work, don't forget to stop the remote session:

Remove-PSSession $Session
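As an added example (not from the original page), the connection sequence above wrapped into functions: the WinRM Basic-auth check is done up front with a hint pointing at GPO when that is the source, the imported cmdlets get a prefix so they cannot shadow local ones, the session is always removed in a finally block, and the imported Get-UnifiedGroup / Get-UnifiedGroupLinks are used to list groups that contain guest members. The EXO prefix is an assumption.

```powershell
# Added example: Exchange Online remote session with a WinRM pre-check, prefixed cmdlets
# and guaranteed cleanup. The "EXO" prefix is arbitrary; Get-Credential must not be given an
# account that has Azure MFA enabled (see the note above).
function Test-WinRMBasicAuth {
    # Same data as "winrm get winrm/config/client/auth"; -Authentication Basic needs Basic = true
    $out  = & winrm.cmd get winrm/config/client/auth
    $line = $out | Where-Object { $_ -match '^\s*Basic\s*=' } | Select-Object -First 1
    if (-not $line) { throw 'Could not read the WinRM client auth configuration' }
    $enabled = ($line -match '^\s*Basic\s*=\s*true')
    [pscustomobject]@{ BasicEnabled = $enabled; SetByGpo = ($line -match 'Source="GPO"'); Raw = $line.Trim() }
}

function Connect-ExoSession {
    param([Parameter(Mandatory)][pscredential]$Credential, [string]$Prefix = 'EXO')
    $auth = Test-WinRMBasicAuth
    if (-not $auth.BasicEnabled) {
        $hint = if ($auth.SetByGpo) { 'disabled by GPO: enable "Allow Basic authentication" under WinRM Client in the policy' }
                else { 'run: winrm set winrm/config/client/auth @{Basic="true"}' }
        throw "WinRM client Basic authentication is off ($hint). Raw: $($auth.Raw)"
    }
    $session = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri 'https://outlook.office365.com/powershell-liveid/' `
        -Credential $Credential -Authentication Basic -AllowRedirection
    # -Prefix keeps the remote cmdlets distinguishable (Get-EXOUnifiedGroup) and avoids clobbering local ones
    Import-PSSession $session -Prefix $Prefix -DisableNameChecking -AllowClobber | Out-Null
    return $session
}

function Get-GroupsWithGuests {
    param([string]$Prefix = 'EXO')
    $getGroup = "Get-${Prefix}UnifiedGroup"
    $getLinks = "Get-${Prefix}UnifiedGroupLinks"
    & $getGroup -ResultSize Unlimited | ForEach-Object {
        # Guest members of a group are GuestMailUser recipients
        $guests = @(& $getLinks -Identity $_.Identity -LinkType Members |
                    Where-Object { $_.RecipientTypeDetails -eq 'GuestMailUser' })
        if ($guests.Count -gt 0) {
            [pscustomobject]@{ Group = $_.DisplayName; Alias = $_.Alias; Guests = $guests.Count
                               GuestNames = ($guests.Name -join '; ') }
        }
    }
}

$cred    = Get-Credential
$session = Connect-ExoSession -Credential $cred
try {
    Get-GroupsWithGuests | Sort-Object Guests -Descending | Format-Table -AutoSize
} finally {
    # Always tear the session down; Exchange Online limits concurrent sessions per account
    Remove-PSSession $session
}
```

The guest report is the practical companion of the "Allow/Block guest access" setting above: it shows which groups already have external members before that switch is flipped.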

External access for Office 365 applications:

https://support.office.com/en-us/article/Manage-external-sharing-for-your-SharePoint-Online-environment-C8A462EB-0723-4B0B-8D0A-70FEAFE4BE85

 https://support.office.com/en-us/article/manage-sharing-in-onedrive-and-sharepoint-ee8b91c5-05ec-44c2-9796-78fa27ec8425

 https://support.office.com/en-us/article/Share-sites-or-documents-with-people-outside-your-organization-80e49744-e30f-44db-8d51-16661b1d4232?ui=en-US&rs=en-US&ad=US

 https://support.office.com/en-us/article/guest-access-in-office-365-groups-bfc7a840-868f-4fd6-a390-f347bf51aff6