Category: Azure


Here are resources about Azure and Office 365. First, a short summary of the two offers:

Office 365 is an offer of Microsoft services and hosted applications (SaaS): you pay for a service (SharePoint, Exchange, Office, ...) and you do not manage the infrastructure behind it (CPU, RAM, storage, patching and most of the platform security).

Azure is Microsoft's cloud offer (public, or private through Azure Stack) delivered as PaaS and IaaS. Compared to Office 365, Microsoft provides the plumbing (Hyper-V hosts, storage, CPU, RAM, network) and, for IaaS at least, you manage the operating system, the applications, their security and their patches; in short "it is like Lego or Meccano". With Azure you can also mix your on-premises IT infrastructure with resources in the cloud (and vice versa).

Web resources for Azure:

Domains FAQ: https://docs.microsoft.com/en-us/office365/admin/setup/domains-faq

Domain take over: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/domains-admin-takeover

Azure tips and tricks: https://azure.microsoft.com/en-us/blog/azure-tips-and-tricks-become-more-productive-with-azure/

Azure subscription and naming convention: https://blogs.technet.microsoft.com/dsilva/2017/11/10/azure-subscription-governance-resource-group-and-naming-convention-strategies/

Azure RBAC: https://docs.microsoft.com/en-us/azure/role-based-access-control/overview

Manage VM: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/

Main: http://www.windowsazure.com

Azure cost calculator: https://azure.microsoft.com/en-us/pricing/calculator/?scenario=full

White papers: http://aka.ms/livresblancs

Azure health status: https://status.azure.com/en-us/status

Choose the right authentication method: https://docs.microsoft.com/en-us/azure/security/fundamentals/choose-ad-authn

AzureAD connect: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-version-history

Other resources:

To go deeper: https://docs.microsoft.com/en-us/azure/

Forum: https://azure.microsoft.com/en-us/support/community/

Seyf’s blog: https://seyfallah-it.blogspot.com/

Web resources for Office 365:

Office 365 for business get started: https://support.office.com/en-us/article/Get-started-with-Office-365-for-business-d6466f0d-5d13-464a-adcb-00906ae87029

Roadmap: https://products.office.com/en-us/business/office-365-roadmap

Fasttrack: http://fasttrack.microsoft.com/office/drive-value/engage

Productivity library (scenarios): http://fasttrack.microsoft.com/office/envision/productivitylibrary

Technical decks: https://channel9.msdn.com/Events/Ignite/2016?sort=status&direction=desc&r%5B0%5D=Office%20365&page=2

Technical references: https://technet.microsoft.com/en-us/library/office-365-service-descriptions.aspx

Videos: https://www.youtube.com/user/OfficeGarageSeries

eLearning: https://mooc.office365-training.com/en/

‘In the Cloud’: http://blogs.technet.com/b/in_the_cloud/

Office blog: http://blogs.office.com/    and   http://office.microsoft.com/en-us/

Intune blog: http://blogs.technet.com/b/microsoftintune/

Azure AD custom extensions

How to work with custom extensions:

Reference:

https://docs.microsoft.com/en-us/powershell/azure/active-directory/using-extension-attributes-sample?view=azureadps-2.0

 

 

Examples:

 

# Connect to Azure AD with a Global Administrator account (AzureAD module)

Connect-AzureAD

# Get a user and read its extension properties

$aadUser = Get-AzureADUser -ObjectId <youruser>
$aadUser | Select-Object -ExpandProperty ExtensionProperty

# Serialize the user object to JSON

$aadUser.ToJson()

# Explore the object's properties and methods

$aadUser | Get-Member

# How to: add extension properties

# NB: values can only be written to cloud-homed users, not to users synced from on-premises AD

$aadUser = Get-AzureADUser -ObjectId <yourclouduser>@mydomain.onmicrosoft.com
$extensionProp = New-Object 'System.Collections.Generic.Dictionary`2[System.String,System.String]'
$extensionProp.Add("extension_<YourTenantSchemaExtensionAppId>_msDS_ExtensionAttr1", "ENTERPRISEPACK")
$extensionProp.Add("extension_<YourTenantSchemaExtensionAppId>_msDS_ExtensionAttr2", "EMSPREMIUM")
Set-AzureADUser -ObjectId $aadUser.ObjectId -ExtensionProperty $extensionProp

# Check the added extension properties

Get-AzureADUser -ObjectId <yourclouduser>@mydomain.onmicrosoft.com | Select-Object -ExpandProperty ExtensionProperty

#region List all users with extension properties

# -All $true is required: without it Get-AzureADUser returns only the first 100 users
$aadUsers = Get-AzureADUser -All $true | Select-Object DisplayName, ObjectId
$aadUsersExt = @()
ForEach ($aadUser in $aadUsers) {
    $userDetail = Get-AzureADUser -ObjectId $aadUser.ObjectId | Select-Object -ExpandProperty ExtensionProperty
    # Reset per user, so a value from the previous user is never carried over
    # and a key that matches neither attribute does not wipe a value already found
    $ext1 = $null
    $ext2 = $null
    foreach ($key in $userDetail.Keys) {
        if ($key -like "extension_<YourTenantSchemaExtensionAppId>_msDS_ExtensionAttr1") {
            $ext1 = $userDetail.$key
        }
        elseif ($key -like "extension_<YourTenantSchemaExtensionAppId>_msDS_ExtensionAttr2") {
            $ext2 = $userDetail.$key
        }
    }
    $obj = [pscustomobject]@{DisplayName = $aadUser.DisplayName; ObjectId = $aadUser.ObjectId; Ext1 = $ext1; Ext2 = $ext2}
    $aadUsersExt += $obj
}

#endregion

# List only users with values for the extension attributes

$aadUsersExt | Where-Object {$_.Ext1 -or $_.Ext2} | Format-Table

# List all users

$aadUsersExt

# Serialize users and extension attributes to JSON

$aadUsersExt | ConvertTo-Json

Compare self-managed Active Directory Domain Services, Azure Active Directory, and managed Azure Active Directory Domain Services: to give applications, services or devices access to a central identity, there are three common ways to use Active Directory-based services in Azure. This choice of identity solutions gives you the flexibility to use the most appropriate directory for your organization's needs. For example, if you mostly manage cloud-only users who run mobile devices, it may not make sense to build and run your own Active Directory Domain Services; instead, you could just use Azure Active Directory.

https://blogs.technet.microsoft.com/cbernier/2018/01/16/microsoft-flow-and-azure-ad-lets-automate/

 

 

Microsoft has released a new PowerShell module to manage Azure Information Protection: AIPService. At the same time, Microsoft is deprecating the previous AIP module, AADRM (on 15 July 2020). https://docs.microsoft.com/en-us/azure/information-protection/install-powershell

https://docs.microsoft.com/en-us/powershell/azure/aip/overview?view=azureipps

 

Azure AD – Take over a DNS domain

Summary:

This is the admin takeover of a domain that ended up in an unmanaged Azure AD tenant (typically created by self-service sign-up). The procedure adds a DNS TXT record to each domain, exactly as for standard domain verification, to prove ownership; the takeover process then removes the domains from the unmanaged tenant and adds them to your tenant.

Reference article:

https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/domains-admin-takeover

 

 

 

Understanding Tokens

How the Modern Authentication Protocol Works

Once Modern Authentication is enabled, a user authenticates with one of the Office 365 services and is issued both an Access Token and a Refresh Token.  The Access Token is short-lived, valid for about 1 hour.  The Refresh Token is longer-lived: by default it is valid for 14 days of inactivity, and each use renews it, up to a maximum of 90 days as long as the user's password has not changed.  The Access Token is what is presented to the Office 365 services; when it expires, the Office client presents the Refresh Token to Azure Active Directory and requests a new Access Token to use with the service.  Features such as Conditional Access policies may force users to sign in again even though the Refresh Token is still valid, and a password change or an explicit revocation (for example Revoke-AzureADUserAllRefreshToken) invalidates it.

You can specify the lifetime of a token issued by Azure Active Directory (Azure AD). You can set token lifetimes for all apps in your organization, for a multi-tenant (multi-organization) application, or for a specific service principal in your organization.

Reference: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes

Configurable token lifetime properties

Property                             | Policy property string        | Affects                                       | Default       | Minimum    | Maximum
-------------------------------------|-------------------------------|-----------------------------------------------|---------------|------------|-------------------
Access Token Lifetime                | AccessTokenLifetime           | Access tokens, ID tokens, SAML2 tokens        | 1 hour        | 10 minutes | 1 day
Refresh Token Max Inactive Time      | MaxInactiveTime               | Refresh tokens                                | 90 days       | 10 minutes | 90 days
Single-Factor Refresh Token Max Age  | MaxAgeSingleFactor            | Refresh tokens (for any users)                | Until-revoked | 10 minutes | Until-revoked [1]
Multi-Factor Refresh Token Max Age   | MaxAgeMultiFactor             | Refresh tokens (for any users)                | Until-revoked | 10 minutes | Until-revoked [1]
Single-Factor Session Token Max Age  | MaxAgeSessionSingleFactor [2] | Session tokens (persistent and nonpersistent) | Until-revoked | 10 minutes | Until-revoked [1]
Multi-Factor Session Token Max Age   | MaxAgeSessionMultiFactor [3]  | Session tokens (persistent and nonpersistent) | Until-revoked | 10 minutes | Until-revoked [1]

  • [1] 365 days is the maximum explicit length that can be set for these attributes.
  • [2] If MaxAgeSessionSingleFactor is not set, this value takes the MaxAgeSingleFactor value. If neither parameter is set, the property takes the default value (until-revoked).
  • [3] If MaxAgeSessionMultiFactor is not set, this value takes the MaxAgeMultiFactor value. If neither parameter is set, the property takes the default value (until-revoked).

 

Example token lifetime policies

Many scenarios are possible in Azure AD where you create and manage token lifetimes for apps, service principals, and your overall organization. In this section, we walk through a few common policy scenarios that can help you impose new rules for:

  • Token Lifetime
  • Token Max Inactive Time
  • Token Max Age

In the examples, you can learn how to:

  • Manage an organization’s default policy
  • Create a policy for web sign-in
  • Create a policy for a native app that calls a web API
  • Manage an advanced policy

Prerequisites

In the following examples, you create, update, link, and delete policies for apps, service principals, and your overall organization. If you are new to Azure AD, we recommend that you learn about how to get an Azure AD tenant before you proceed with these examples.

To get started, do the following steps:

  1. Download the latest Azure AD PowerShell Module Public Preview release (AzureADPreview; the policy cmdlets are not in the GA AzureAD module).
  2. Run the Connect command to sign in to your Azure AD admin account. Run this command each time you start a new session.
    Connect-AzureAD -Confirm
    
  3. To see all policies that have been created in your organization, run the following command. Run it after most operations in the following scenarios; its output also gives you the ObjectId of your policies, which the link and remove cmdlets need.
    Get-AzureADPolicy
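The policy workflow those prerequisites lead up to, as an added example (this is not code from the original page or from the Microsoft article it references): create a non-default token lifetime policy, bind it to one service principal, verify the binding and roll it back. It assumes the AzureADPreview module and a Global Administrator session; the application ID is a placeholder you replace with your own.

```powershell
# Added example (not from the original page or Microsoft's docs). Assumes the
# AzureADPreview module; <your-app-id> is a placeholder for a real AppId.
Connect-AzureAD

# 1. See what already exists; the Id column is what the link/remove cmdlets need
Get-AzureADPolicy | Format-Table Id, DisplayName, Type, IsOrganizationDefault

# 2. Create a policy that is NOT the organization default: 30-minute access/ID tokens.
#    The definition is a JSON string; "Version":1 is mandatory.
$definition = @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"00:30:00"}}')
$policy = New-AzureADPolicy -Definition $definition `
    -DisplayName 'ShortAccessTokens' `
    -IsOrganizationDefault $false `
    -Type 'TokenLifetimePolicy'

# 3. Attach it to the service principal of the app that should get the shorter tokens.
#    A policy linked to a service principal overrides the organization default for that app.
$sp = Get-AzureADServicePrincipal -Filter "AppId eq '<your-app-id>'"
if (-not $sp) { throw "Service principal for <your-app-id> not found in this tenant" }
Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id

# 4. Verify the binding (new tokens issued to this app are now valid for 30 minutes;
#    tokens already issued keep their original lifetime until they expire)
Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId | Format-Table Id, DisplayName, Type

# 5. Roll back: a policy cannot be deleted while it is still linked, so unlink first
Remove-AzureADServicePrincipalPolicy -Id $sp.ObjectId -PolicyId $policy.Id
Remove-AzureADPolicy -Id $policy.Id
```

Caveat for anyone applying the table above today: Microsoft retired the refresh-token and session-token properties (MaxInactiveTime, MaxAge*, MaxAgeSession*) in January 2021 in favour of Conditional Access sign-in frequency; only AccessTokenLifetime still takes effect, which is why the example sets nothing else. Shortening access tokens limits how long a stolen bearer token stays usable, at the price of more calls to Azure AD from the client.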

Reference article:

https://docs.microsoft.com/en-us/office365/admin/add-users/set-password-to-never-expire?view=o365-worldwide

 

# Set a password to expire

Run one of the following commands:

To set the password of one user so that the password expires, run the following cmdlet by using the UPN or the user ID of the user:

Set-AzureADUser -ObjectId <user ID> -PasswordPolicies None

To set the passwords of all users in the organization so that they expire, use the following cmdlet:

Get-AzureADUser -All $true | Set-AzureADUser -PasswordPolicies None

 

# Set a password to never expire

Run one of the following commands:

To set the password of one user to never expire, run the following cmdlet by using the UPN or the user ID of the user:

Set-AzureADUser -ObjectId <user ID> -PasswordPolicies DisablePasswordExpiration

To set the passwords of all the users in an organization to never expire, run the following cmdlet:

Get-AzureADUser -All $true | Set-AzureADUser -PasswordPolicies DisablePasswordExpiration

Warning

Passwords set to -PasswordPolicies DisablePasswordExpiration still age based on the pwdLastSet attribute. If you set the user passwords to never expire and then 90+ days go by, the passwords expire. Based on the pwdLastSet attribute, if you change the expiration to -PasswordPolicies None, all passwords that have a pwdLastSet older than 90 days require the user to change them the next time they sign in. This change can affect a large number of users.

# To get whether the password will expire for a user

# PasswordPolicies is a string that may hold several comma-separated values
# (e.g. "DisablePasswordExpiration, DisableStrongPassword"), so test it with -match
# rather than -contains, which only matches the whole string exactly

Get-AzureADUser -ObjectId <user id or UPN> | Select-Object UserPrincipalName,@{
N="PasswordNeverExpires";E={$_.PasswordPolicies -match "DisablePasswordExpiration"}
}

# To get a report of all the users with PasswordNeverExpires in HTML

Get-AzureADUser -All $true | Select-Object UserPrincipalName,@{
N="PasswordNeverExpires";E={$_.PasswordPolicies -match "DisablePasswordExpiration"}
} | ConvertTo-Html | Out-File $env:userprofile\Desktop\ReportPasswordNeverExpires.html

# To get a report of all the users with PasswordNeverExpires in CSV

Get-AzureADUser -All $true | Select-Object UserPrincipalName,@{
N="PasswordNeverExpires";E={$_.PasswordPolicies -match "DisablePasswordExpiration"}
} | Export-Csv -NoTypeInformation -Path $env:userprofile\Desktop\ReportPasswordNeverExpires.csv
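The warning above is the part of this procedure that bites in practice: switching accounts back from DisablePasswordExpiration to None forces a change at next sign-in for everyone whose password is already older than the policy's validity period. The following added example (not code from the original page or from the referenced Microsoft article) produces that list before you flip the policy. It uses the MSOnline module because Get-MsolUser exposes LastPasswordChangeTimestamp, which the AzureAD module does not; the 90-day default and the domain name are assumptions to replace with your own.

```powershell
# Added example (not from the original page). Assumes the MSOnline module and an
# admin session; the tenant domain and the 90-day default are placeholders.
Import-Module MSOnline
Connect-MsolService

# Read the validity period actually configured for the tenant domain (days);
# fall back to the 90-day default quoted in the warning above if it is not set
$TenantDomain = 'contoso.onmicrosoft.com'                 # placeholder
$policy = Get-MsolPasswordPolicy -DomainName $TenantDomain
$MaxAgeDays = if ($policy.ValidityPeriod) { [int]$policy.ValidityPeriod } else { 90 }
$cutoff = (Get-Date).AddDays(-$MaxAgeDays)

# Users flagged never-expire whose last change predates the cutoff: these are the
# accounts that would be forced to reset if expiration were re-enabled today.
# Accounts with no LastPasswordChangeTimestamp are skipped rather than miscounted.
$atRisk = Get-MsolUser -All |
    Where-Object {
        $_.PasswordNeverExpires -and
        $_.LastPasswordChangeTimestamp -and
        $_.LastPasswordChangeTimestamp -lt $cutoff
    } |
    Select-Object UserPrincipalName, PasswordNeverExpires, LastPasswordChangeTimestamp,
        @{N = 'PasswordAgeDays'; E = { [int]((Get-Date) - $_.LastPasswordChangeTimestamp).TotalDays }} |
    Sort-Object PasswordAgeDays -Descending

$report = Join-Path $env:USERPROFILE "Desktop\PasswordAgeOver$MaxAgeDays.csv"
$atRisk | Export-Csv -Path $report -NoTypeInformation
"{0} user(s) would be forced to change their password at next sign-in (report: {1})" -f @($atRisk).Count, $report
```

Run it once, hand the CSV to the service desk, and only then apply the bulk Set-AzureADUser -PasswordPolicies None. MSOnline and AzureAD are being retired in favour of Microsoft Graph PowerShell, where the same field is the user's lastPasswordChangeDateTime property.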

 

By default, a PowerShell script for an Office 365 environment that needs user credentials asks for them with Get-Credential.
Get-Credential displays a credential pop-up in which the user fills in his credentials. The result can be saved in a variable and reused to connect to each of the Office 365 services.
PowerShell also includes a built-in mechanism to save a password to a text file in an encrypted form: ConvertFrom-SecureString. Without a -Key parameter it uses the Windows Data Protection API (DPAPI), so the content is bound to the Windows account and the machine that created it; the file is useless to another user or on another computer.

Only code running as that same Windows user on that same machine can decrypt the file. That also means any process running under that account can read the password, so protect the account and the file itself (a path in your own profile with a restrictive ACL rather than a shared folder like C:\windows\temp), not just the script.
PowerShell script and user credentials

1. Write the password as part of the PowerShell script. Adding the password to the script file is the simplest option but, from the security perspective, the worst one, because the password is kept in a text file in clear (we will not review this option).
2. Provide user credentials when running the PowerShell script. The script includes an "empty variable" that will receive the required credentials; when we run the script, a pop-up window appears and the person executing it must type the credentials. With this option the credentials have to be provided each time the script runs.
3. Save the password once to a DPAPI-encrypted file and have the script rebuild the credential from it on every run. This is the option shown below.

====================================

# Building blocks: prompt for the password as a SecureString, then serialize it
# (DPAPI-encrypted for the current user on the current machine) to a file

Read-Host -Prompt "<text>" -AsSecureString

ConvertFrom-SecureString | Out-File "Path"

Read-Host -Prompt "<text>" -AsSecureString | ConvertFrom-SecureString | Out-File "Path"

# Complete one-liner (prefer a path inside your own profile over C:\windows\temp)

Read-Host -Prompt "Enter your tenant password" -AsSecureString | ConvertFrom-SecureString | Out-File "C:\windows\temp\cred.txt"

====================================

# In the script: rebuild the PSCredential from the file (fails with
# "Key not valid for use in specified state" if run as another user or on another machine)

$AdminName = "UPN Name"

$Pass = Get-Content "<Path>" | ConvertTo-SecureString

$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $AdminName, $Pass

====================================

# Connect to Azure AD (MSOnline) and Exchange Online with the stored credential

Import-Module MSOnline

Connect-MsolService -Credential $Credential

# Legacy remote PowerShell session with Basic authentication. Microsoft has since
# retired Basic auth for Exchange Online, so new scripts should use
# Connect-ExchangeOnline from the ExchangeOnlineManagement module instead.

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $Credential -Authentication Basic -AllowRedirection

Import-PSSession $Session
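The same technique wrapped into two functions, as an added example (not code from the original post): the save side restricts the file's ACL to the current user, the load side turns the DPAPI failure you get from a copied file or a different account into a clear error instead of a half-built credential. The file location, the function names and the UPN are assumptions, not anything the original script uses.

```powershell
# Added example (not from the original post). File path, function names and the
# UPN are placeholders; only ConvertFrom/ConvertTo-SecureString, Get-Acl/Set-Acl
# and PSCredential are standard PowerShell/.NET.
$CredPath = Join-Path $env:LOCALAPPDATA 'tenant-cred.txt'   # per-user location, not C:\Windows\Temp

function Save-TenantCredential {
    param([Parameter(Mandatory)][string]$Path)
    # Without -Key, ConvertFrom-SecureString uses DPAPI: the blob is bound to this
    # Windows account on this machine and cannot be decrypted anywhere else.
    Read-Host -Prompt 'Enter your tenant password' -AsSecureString |
        ConvertFrom-SecureString | Set-Content -Path $Path -Encoding ASCII

    # Drop inherited ACEs and grant only the current user. This keeps other local
    # accounts out; it does NOT protect against code already running as you.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-TenantCredential {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$UserPrincipalName
    )
    $blob = Get-Content -Path $Path | Select-Object -First 1
    try {
        $secure = $blob | ConvertTo-SecureString -ErrorAction Stop
    } catch {
        # Typical message: "Key not valid for use in specified state." It means the
        # file was protected by another user or machine (or was copied here).
        throw "Cannot decrypt '$Path' under $env:USERNAME on $env:COMPUTERNAME: $($_.Exception.Message)"
    }
    New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $UserPrincipalName, $secure
}

# Usage: first run is interactive, later runs are unattended
if (-not (Test-Path -Path $CredPath)) { Save-TenantCredential -Path $CredPath }
$Credential = Get-TenantCredential -Path $CredPath -UserPrincipalName 'admin@contoso.onmicrosoft.com'
Import-Module MSOnline
Connect-MsolService -Credential $Credential
```

If the script has to run from a scheduled task, run the Save step once under the task's service account, because that account, not yours, is the DPAPI identity that must decrypt the file. Passing -Key to ConvertFrom-SecureString makes the file portable across machines, but then the AES key is the secret and you are back to protecting a plaintext value somewhere.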