Archive for July, 2019


Reference article:

https://docs.microsoft.com/en-us/office365/admin/add-users/set-password-to-never-expire?view=o365-worldwide

 

# Set a password to expire

Run one of the following commands:

To set the password of one user so that the password expires, run the following cmdlet by using the UPN or the user ID of the user:

Set-AzureADUser -ObjectId <user ID> -PasswordPolicies None

To set the passwords of all users in the organization so that they expire, use the following cmdlet:

Get-AzureADUser -All $true | Set-AzureADUser -PasswordPolicies None

 

# Set a password to never expire

Run one of the following commands:

To set the password of one user to never expire, run the following cmdlet by using the UPN or the user ID of the user:

Set-AzureADUser -ObjectId <user ID> -PasswordPolicies DisablePasswordExpiration

To set the passwords of all the users in an organization to never expire, run the following cmdlet:

Get-AzureADUser -All $true | Set-AzureADUser -PasswordPolicies DisablePasswordExpiration

Warning

Passwords set to -PasswordPolicies DisablePasswordExpiration still age based on the pwdLastSet attribute. If you set the user passwords to never expire and then 90+ days go by, the passwords expire. Based on the pwdLastSet attribute, if you change the expiration to -PasswordPolicies None, all passwords that have a pwdLastSet older than 90 days require the user to change them the next time they sign in. This change can affect a large number of users.

# To get if password will expire for a user

Get-AzureADUser -ObjectId <user id or UPN> | Select-Object UserprincipalName,@{
N=”PasswordNeverExpires”;E={$_.PasswordPolicies -contains “DisablePasswordExpiration”}
}

# To get a report of all the users with PasswordNeverExpires in HTML

Get-AzureADUser -All $true | Select-Object UserprincipalName,@{
N=”PasswordNeverExpires”;E={$_.PasswordPolicies -contains “DisablePasswordExpiration”}
} | ConvertTo-Html | Out-File $env:userprofile\Desktop\ReportPasswordNeverExpires.html

# To get a report of all the users with PasswordNeverExpires in CSV

Get-AzureADUser -All $true | Select-Object UserprincipalName,@{
N=”PasswordNeverExpires”;E={$_.PasswordPolicies -contains “DisablePasswordExpiration”}
} | ConvertTo-Csv -NoTypeInformation | Out-File $env:userprofile\Desktop\ReportPasswordNeverExpires.csv

 

Advertisements

By default, when using a PowerShell script in an Office 365 environment, that need to provide user credentials, we use a PowerShell such as – Get-Credential.
The Get-Credential displays a pop out credential’s windows in which the user needs to fill in his credentials. The information about the user credentials can saved in a variable, and we can use these provided credentials for connecting each of the different Office 365 infrastructures.
The news is that the PowerShell includes a built-in mechanism, which enables us to save user credentials in a text file in a secure manner. The information in the text file will be encrypted so, although the information stored in a simple text file, the information is useless for non-authorized users.

Only the PowerShell will be able to access the encrypted file and fetch from the file the required information.
PowerShell script and user credentials

1. Write the password as part of the PowerShell script. Add the password to the PowerShell script file – this is the simplest option but, from the security perspective, this is the worst option because the password kept in a text file in a non-encrypted format. (we will not review this option).
2. Provide user credentials when running the PowerShell script. the PowerShell script includes an “empty variable” that will contain the required user credentials. When we run the PowerShell script, pop out window will appear.
The person the execute the PowerShell script will need to provide the required credentials. When using this option, we will need to provide the required user credentials, each time we run the PowerShell script

====================================

Read-Host -Prompt “<text>” -AsSecureString

ConvertFrom-SecureString | Out-File “Path”

Read-Host -Prompt “<text>” -AsSecureString | ConvertFrom-SecureString | Out-File “Path”

Read-Host -Prompt “Enter your tenant password” -AsSecureString | ConvertFrom-SecureString | Out-File “C:\windows\temp\cred.txt”

====================================

$AdminName = “UPN Name”

$Pass = Get-Content “<Path>” | ConvertTo-SecureString

$Credential = new-object -typename System.Management.Automation.PSCredential -argumentlist $AdminName, $Pass

====================================

Import-Module MSOnline

Connect-MsolService -Credential $credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $credential -Authentication Basic -AllowRedirection

Import-PSSession $Session

Reference article:

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/hh994558(v=ws.10)

 

 

To configure Intune to enroll devices with internal PKI certificates and with SCCM in co-management mode read first the articles below:

https://docs.microsoft.com/en-us/intune/certificates-configure

https://docs.microsoft.com/en-us/intune/certificates-scep-configure

https://support.microsoft.com/en-us/help/4459540/troubleshoot-ndes-configuration-for-use-with-intune

https://howtomanagedevices.com/intune/258/intune-certificate-deployment-guide/

https://blogs.technet.microsoft.com/tune_in_to_windows_intune/2015/02/25/part-4-protecting-ndes-with-azure-ad-application-proxy/

https://blogs.technet.microsoft.com/tune_in_to_windows_intune/2014/04/25/part-2-scep-certificate-enrolling-using-configmgr-2012-crp-ndes-and-windows-intune/

 

NDES troubleshooting articles:

https://gsecse.wordpress.com/2015/10/06/ndes-deployment-and-troubleshooting/

https://docs.microsoft.com/en-us/intune/certficates-pfx-configure

https://blogs.technet.microsoft.com/askds/2008/04/28/configuring-network-device-enrollment-service-for-windows-server-2008-with-custom-certificates/

https://blog.hosebei.ch/2016/11/28/configmgr-ndes-certificate-deployment-fails-due-to-network-device-enrollment-service-failure/

https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Configuring-and-Troubleshooting-PFX-PKCS/ba-p/516450

https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-add-on-premises-application

Note : a GitHub script to validate the NDES configuration: Validate-NDESConfiguration.ps1.

https://github.com/microsoftgraph/powershell-intune-samples/tree/master/CertificationAuthority

 

 

Azure AD password protection is now generally available:

https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Azure-AD-Password-Protection-is-now-generally-available/ba-p/377487

 

Azure AD password protection – how to eliminate bad passwords:

Architecture (to cover also onprem AD domain controllers):

 

Deployment:

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-deploy

 

Eliminate bad passwords in your organization:

https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad#license-requirements

 

Azure AD Password protection monitoring:

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-monitor

 

Azure AD password protection troubleshooting:

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-troubleshoot

 

 

https://support.microsoft.com/en-us/help/10065/associating-a-custom-domain-name-and-securing-communication-with-azure

 

 

Microsoft has recently announced the public preview of Azure Active Directory’s passwordless login. This new capability enables your employees to use external security keys to sign into their Azure Active Directory-Joined Windows 10 machines (running version 1809 or higher) and get single sign-on to their cloud resources. They can also sign into Azure AD-connected apps on supported browsers including the latest versions of Microsoft Edge and Mozilla Firefox.

You can learn more about how it works here: https://aka.ms/fido2securitykeys

To help get you started, MS partners are offering promotions so you can try out their solutions:

  1. For a limited time, Yubico is offering complimentary YubiKey Starter Kits to organizations with Microsoft 365 customers who are interested in beginning their passwordless journey. The starter kit includes the YubiKey 5 NFC and YubiKey 5C. You can learn more about Yubico’s promotion here: https://www.yubico.com/passwordlessoffer.
  2. FEITIAN is offering the first 500 Microsoft referred clients limited-time promotional discounts of more than 30% for Fingerprint Biometric Passwordless Security Keys. Visit  http://www.FTSafe.com/AzurePublicPreview.
  3. HID Global will take 10% off the manufacturer’s suggested retail price (MSRP) for orders above 500 Crescendo C2300 cards or the Crescendo Key, until August 16, 2019. Learn more at https://www.hidglobal.com

 

TechNet article how-to:

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-enable#enable-new-passwordless-authentication-methods

 

 

Article about multi environments in a single tenant:

An environment is a space to store, manage, and share your organization’s business data, apps, and flows. They also serve as containers to separate apps that may have different roles, security requirements, or target audiences:

https://flow.microsoft.com/fr-fr/blog/intro-flow-admin-center/

https://docs.microsoft.com/en-us/flow/environments-overview-maker

https://docs.microsoft.com/en-us/power-platform/admin/environments-overview

Licensing:

https://docs.microsoft.com/fr-fr/power-platform/admin/trial-environments

 

Compare the PowerApps Plan:

https://powerapps.microsoft.com/en-us/pricing/#compare-plans

https://docs.microsoft.com/fr-fr/power-platform/admin/pricing-billing-skus#licenses

 

Admin portals:

https://admin.flow.microsoft.com/environments

https://admin.powerapps.com/environments

How to Migrate AADConnect LocalDB SQLExpress to MS SQL Server

Reference procedure: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-move-db

How to manage AADConnect LocalDB SQLExpress

Reference procedure: https://itfordummies.net/2017/02/13/manage-localdb-aad-connect-sql-database/

Azure AD free tenant

https://azure.microsoft.com/en-us/free/