Category: Office365


Summary:

The procedure consists in adding DNS TXT records in all domains just like for standard domain registration to prove our ownership and then the process unregister them and add them to tour tenant.

Reference article:

https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/domains-admin-takeover

 

 

 

Advertisements

Reference article:

https://docs.microsoft.com/en-us/office365/admin/add-users/set-password-to-never-expire?view=o365-worldwide

 

# Set a password to expire

Run one of the following commands:

To set the password of one user so that the password expires, run the following cmdlet by using the UPN or the user ID of the user:

Set-AzureADUser -ObjectId <user ID> -PasswordPolicies None

To set the passwords of all users in the organization so that they expire, use the following cmdlet:

Get-AzureADUser -All $true | Set-AzureADUser -PasswordPolicies None

 

# Set a password to never expire

Run one of the following commands:

To set the password of one user to never expire, run the following cmdlet by using the UPN or the user ID of the user:

Set-AzureADUser -ObjectId <user ID> -PasswordPolicies DisablePasswordExpiration

To set the passwords of all the users in an organization to never expire, run the following cmdlet:

Get-AzureADUser -All $true | Set-AzureADUser -PasswordPolicies DisablePasswordExpiration

Warning

Passwords set to -PasswordPolicies DisablePasswordExpiration still age based on the pwdLastSet attribute. If you set the user passwords to never expire and then 90+ days go by, the passwords expire. Based on the pwdLastSet attribute, if you change the expiration to -PasswordPolicies None, all passwords that have a pwdLastSet older than 90 days require the user to change them the next time they sign in. This change can affect a large number of users.

# To get if password will expire for a user

Get-AzureADUser -ObjectId <user id or UPN> | Select-Object UserprincipalName,@{
N=”PasswordNeverExpires”;E={$_.PasswordPolicies -contains “DisablePasswordExpiration”}
}

# To get a report of all the users with PasswordNeverExpires in HTML

Get-AzureADUser -All $true | Select-Object UserprincipalName,@{
N=”PasswordNeverExpires”;E={$_.PasswordPolicies -contains “DisablePasswordExpiration”}
} | ConvertTo-Html | Out-File $env:userprofile\Desktop\ReportPasswordNeverExpires.html

# To get a report of all the users with PasswordNeverExpires in CSV

Get-AzureADUser -All $true | Select-Object UserprincipalName,@{
N=”PasswordNeverExpires”;E={$_.PasswordPolicies -contains “DisablePasswordExpiration”}
} | ConvertTo-Csv -NoTypeInformation | Out-File $env:userprofile\Desktop\ReportPasswordNeverExpires.csv

 

By default, when using a PowerShell script in an Office 365 environment, that need to provide user credentials, we use a PowerShell such as – Get-Credential.
The Get-Credential displays a pop out credential’s windows in which the user needs to fill in his credentials. The information about the user credentials can saved in a variable, and we can use these provided credentials for connecting each of the different Office 365 infrastructures.
The news is that the PowerShell includes a built-in mechanism, which enables us to save user credentials in a text file in a secure manner. The information in the text file will be encrypted so, although the information stored in a simple text file, the information is useless for non-authorized users.

Only the PowerShell will be able to access the encrypted file and fetch from the file the required information.
PowerShell script and user credentials

1. Write the password as part of the PowerShell script. Add the password to the PowerShell script file – this is the simplest option but, from the security perspective, this is the worst option because the password kept in a text file in a non-encrypted format. (we will not review this option).
2. Provide user credentials when running the PowerShell script. the PowerShell script includes an “empty variable” that will contain the required user credentials. When we run the PowerShell script, pop out window will appear.
The person the execute the PowerShell script will need to provide the required credentials. When using this option, we will need to provide the required user credentials, each time we run the PowerShell script

====================================

Read-Host -Prompt “<text>” -AsSecureString

ConvertFrom-SecureString | Out-File “Path”

Read-Host -Prompt “<text>” -AsSecureString | ConvertFrom-SecureString | Out-File “Path”

Read-Host -Prompt “Enter your tenant password” -AsSecureString | ConvertFrom-SecureString | Out-File “C:\windows\temp\cred.txt”

====================================

$AdminName = “UPN Name”

$Pass = Get-Content “<Path>” | ConvertTo-SecureString

$Credential = new-object -typename System.Management.Automation.PSCredential -argumentlist $AdminName, $Pass

====================================

Import-Module MSOnline

Connect-MsolService -Credential $credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $credential -Authentication Basic -AllowRedirection

Import-PSSession $Session

Article about multi environments in a single tenant:

An environment is a space to store, manage, and share your organization’s business data, apps, and flows. They also serve as containers to separate apps that may have different roles, security requirements, or target audiences:

https://flow.microsoft.com/fr-fr/blog/intro-flow-admin-center/

https://docs.microsoft.com/en-us/flow/environments-overview-maker

https://docs.microsoft.com/en-us/power-platform/admin/environments-overview

Licensing:

https://docs.microsoft.com/fr-fr/power-platform/admin/trial-environments

 

Compare the PowerApps Plan:

https://powerapps.microsoft.com/en-us/pricing/#compare-plans

https://docs.microsoft.com/fr-fr/power-platform/admin/pricing-billing-skus#licenses

 

Admin portals:

https://admin.flow.microsoft.com/environments

https://admin.powerapps.com/environments

Azure AD Sync issues:

 

https://gallery.technet.microsoft.com/scriptcenter/Common-Azure-AD-Sync-Issues-0f0025e1#content

 

https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Sync-Error-Reports-in-AzureAD-Connect-Health-are-now-in-Public/ba-p/245151

Here are resources about Azure and Office365,

let me summarize:

Office365 : is an offer of MS services and hosted applications – Saas ; in clear you pay for a service (sharepoint,exchange,office…) and you don’t manage the infra behind (like CPU,RAM,Storage,Security)

Azure: is a cloud (private/public) offer – paas/Iaas ; compared to Office365, MS provide just the plumbery (hyper-v, Storage, CPU, RAM, network) and you manage the applications, the Operating system, the security and patches, the applications ; in short “it is like a lego or a Mecano!”, and with Azure you can mix your on-premises IT infra with Azure in the cloud (and vice-versa)

Web resources for Azure  / Office 365:

Azure tips and tricks: https://azure.microsoft.com/en-us/blog/azure-tips-and-tricks-become-more-productive-with-azure/

Manage VM: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/

Office 365 for business get started: https://support.office.com/en-us/article/Get-started-with-Office-365-for-business-d6466f0d-5d13-464a-adcb-00906ae87029

Fasttrack: http://fasttrack.microsoft.com/office/drive-value/engage

Productivity library (scenarios): http://fasttrack.microsoft.com/office/envision/productivitylibrary

Technical decks: https://channel9.msdn.com/Events/Ignite/2016?sort=status&direction=desc&r%5B0%5D=Office%20365&page=2

Technical references: https://technet.microsoft.com/en-us/library/office-365-service-descriptions.aspx

Videos: https://www.youtube.com/user/OfficeGarageSeries

eLearning: https://mooc.office365-training.com/en/

Roadmap: https://products.office.com/en-us/business/office-365-roadmap

Azure AD Blog: http://blogs.technet.com/b/ad/

Azure Powershell: https://azure.microsoft.com/en-us/blog/azps-1-0/?utm_content=buffer067b3&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer

Azure RMS blog: http://blogs.msdn.com/b/rms/

‘In the Cloud’: http://blogs.technet.com/b/in_the_cloud/

Office blog: http://blogs.office.com/    and   http://office.microsoft.com/en-us/

Intune blog: http://blogs.technet.com/b/microsoftintune/

Azure training kit: http://www.microsoft.com/en-us/download/details.aspx?id=8396

FAQ and enhancement suggestions: http://www.mygreatwindowsazureidea.com/forums/34192-general-feedback

portal and management: https://manage.windowsazure.com

main: http://www.windowsazure.com     calculatrice: http://aka.ms/calculatrice      white papers: http://aka.ms/livresblancs     FR blog: http://aka.ms/AzurBlogFr

Security: http://aka.ms/trustcenter   http://aka.ms/px2ahn

To go deeper:  http://aka.ms/MsdnAzureFr     Forum: http://aka.ms/ForumSupport     channel9:  http://aka.ms/Channel9AzureFr     Dashboard/SLAB: http://aka.ms/AzureDashboard

Blogs: http://blog.jeanlucboucho.com

Renew federation certificates for Office 365 and Azure Active Directory:

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-o365-certs

Prerequisites before using Azure:

Prepare your environment: http://msdn.microsoft.com/en-us/library/windowsazure/jj554332.aspx

Need certificates: http://msdn.microsoft.com/en-us/library/windowsazure/gg981929.aspx

How to use CSUpload?

How do you get CSUPLOAD?

CSUPLOAD is part of the Windows Azure SDK. After installing all components, it finds you csupload under the following path:
“C:\Program Files\Microsoft SDKs\Windows Azure\.NET SDK\v2.0\bin\csupload.exe”
How does CSUPLOAD work?

CSUPLOAD is a command console program that the VHDs in the uploads BLOB storage account and authenticated to the azure cloud client certificates.
Overall it with Visual Studio is very simple and fast to create the appropriate certificates, and to distribute them to the appropriate locations through the function
“Publish to Azure” that requires requires developer know-how or you experience with the Visual Studio.

CSUpload syntax reference:
http://msdn.microsoft.com/en-us/library/gg466228.aspx

Managing disks and images:
http://msdn.microsoft.com/en-us/library/windowsazure/jj672979.aspx

How to:http://www.microsofttranslator.com/bv.aspx?from=&to=en&a=http://blogs.technet.com/b/patrick_heyde/archive/2012/07/12/windows-azure-csupload-setup-amp-how-to.aspx

the article above refers to: http://www.microsofttranslator.com/bv.aspx?from=&to=en&a=http%3A%2F%2Fblogs.msdn.com%2Fb%2Favkashchauhan%2Farchive%2F2011%2F09%2F21%2Fhow-to-generate-2048-bit-certificate-with-makecert-exe.aspx

Example:

CSUPLOAD how to?

# Create exportable certificate for Azure (use -pe to be exportable)
makecert -r -pe -n “CN=My Azure IaaS Cert2048” -a sha1 -ss My -len 2048 -sy 24 -b 07/08/2013 -e 07/08/2014

then open mmc,load certificates snap-in, My user, personal,
select the certificate, export
to D:\Contoso
MyAzureCertificate.cer

upload the certificate, from the Azure portal, settings, certificates management

get the thumbprint: 4D15540AFD7182964651826BE133FB3C868BA4D1

Now with csupload:

“C:\Program Files\Microsoft SDKs\Windows Azure\.NET SDK\v2.0\bin\csupload” Set-Connection “SubscriptionId=eaea9c22-cc5a-4da2-8dd2-d89837f042b7;CertificateThumbprint=4D15540AFD7182964651826BE133FB3C868BA4D1;ServiceManagementEndpoint=https://management.core.windows.net”

# just for fun

D:\Contoso>”C:\Program Files\Microsoft SDKs\Windows Azure\.NET SDK\v2.0\bin\csupload” get-Connection
Windows(R) Azure(TM) Upload Tool version 2.0.0.0
for Microsoft(R) .NET Framework 3.5
Copyright c Microsoft Corporation. All rights reserved.

Warning: CSUpload.exe will be deprecated in a future release. Use the Windows Azure PowerShell cmdlets instead: http://go.microsoft.com/?linkid=9811175&clcid=0x409.
ConnectionString          : SubscriptionId=eaea9c22-cc5a-4da2-8dd2-d89837f042b7;CertificateThumbprint=4D15540AFD7182964651826BE133FB3C868BA4D1;ServiceManagementEndpoint=https://management.core.windows.net/
SubscriptionId            : eaea9c22-cc5a-4da2-8dd2-d89837f042b7
CertificateSubjectName    : CN=Amadeus Azure IaaS Cert2048
CertificateThumbprint     : 4D15540AFD7182964651826BE133FB3C868BA4D1
ServiceManagementEndpoint : https://management.core.windows.net/

D:\Contoso>”C:\Program Files\Microsoft SDKs\Windows Azure\.NET SDK\v2.0\bin\csupload” get-location
Windows(R) Azure(TM) Upload Tool version 2.0.0.0
for Microsoft(R) .NET Framework 3.5
Copyright c Microsoft Corporation. All rights reserved.

Warning: CSUpload.exe will be deprecated in a future release. Use the Windows Azure PowerShell cmdlets instead: http://go.microsoft.com/?linkid=9811175&clcid=0x409.
Using the saved connection string…
Location : West US

Location : East US

Location : East Asia

Location : Southeast Asia

Location : North Europe

Location : West Europe

A total of 6 record(s) were found.

D:\Contoso>”C:\Program Files\Microsoft SDKs\Windows Azure\.NET SDK\v2.0\bin\csupload” get-hostedservice
Windows(R) Azure(TM) Upload Tool version 2.0.0.0
for Microsoft(R) .NET Framework 3.5
Copyright c Microsoft Corporation. All rights reserved.

Warning: CSUpload.exe will be deprecated in a future release. Use the Windows Azure PowerShell cmdlets instead: http://go.microsoft.com/?linkid=9811175&clcid=0x409.
Using the saved connection string…
Name          : amazure
Label         : amazure
Location      : North Europe

A total of 1 record(s) were found.

D:\Contoso>”C:\Program Files\Microsoft SDKs\Windows Azure\.NET SDK\v2.0\bin\csupload” get-disk
Windows(R) Azure(TM) Upload Tool version 2.0.0.0
for Microsoft(R) .NET Framework 3.5
Copyright c Microsoft Corporation. All rights reserved.

Warning: CSUpload.exe will be deprecated in a future release. Use the Windows Azure PowerShell cmdlets instead: http://go.microsoft.com/?linkid=9811175&clcid=0x409.
Using the saved connection string…
Name                : Contoso-Contoso-0-201308011545510947
Location            : North Europe
OS                  : Windows
LogicalDiskSizeInGB : 128
MediaLink           : http://portalvhdsncdc9022xjxbf.blob.core.windows.net/vhds/amazure-Contoso-2013-08-01.vhd
SourceImageName     : a699494373c04fc0bc8f2bb1389d6106__Windows-Server-2012-Datacenter-201306.01-en.us-127GB.vhd

A total of 1 record(s) were found.

—————————————–
Upload a disk (vhd) to Azure:

You can use the Add-Disk parameter of the CSUpload Command-Line Tool to upload a .vhd file and register it in Windows Azure as either an operating system disk or a data disk.
An image is a VHD that has been generalized and is used to create an operating system disk. An operating system disk is a VHD that contains specific settings for a virtual machine.

Specifies a VHD file to be uploaded as a disk. A VHD file that has been uploaded as a disk can be used to create a virtual machine if the file contains an operating system or it can be used to create a data disk that can be attached to a virtual machine.
•–Connection <string> – (Optional if the Set-Connection command has been run) Specifies the connection string that is used to connect to Windows Azure. The connection string contains the identifier of your Windows Azure subscription and the thumbprint of the management certificate that you created to enable API access to the subscription. The connection string is provided in the following format: “SubscriptionID=subscription-id;CertificateThumbprint=cert-thumbprint;ServiceManagementEndpoint=https://management.core.windows.net”. You can find the subscription identifier and certificate thumbprint in Management Portal.
•-Destination <string> – Specifies the blob storage account where the VHD file is stored. The destination includes the endpoint of the account, the container in the account where the file is stored, and the name of the VHD file. For example,”http://auxpreview146imagestore.blob.core.azure-preview.com/mydisks/mydisk.vhd&#8221;
•-Label <string> – Specifies the identifier that is used for the disk in the Management Portal.
•-LiteralPath <string> – Specifies the location and name of the VHD file to upload as a disk.
•-Name <string> – (Optional) Specifies the name to be used for the VHD file that is being uploaded.
•-OS <string> – (Optional) If the VHD file that is being uploaded contains an operating system to be used with a virtual machine, you must include this parameter with the value of Windows or Linux depending on the type of operating system that is installed.
•-Overwrite – (Optional) Indicates that you intend to overwrite an existing VHD file with a new file.

“C:\Program Files\Microsoft SDKs\Windows Azure\.NET SDK\v2.0\bin\csupload” add-disk -destination http://portalvhdsncdc9022xjxbf.blob.core.windows.net/vhds/SP2010.vhd -label SP2010 -literalpath d:\contoso\contoso1.vhd -name contoso1.vhd -os Windows

“C:\Program Files\Microsoft SDKs\Windows Azure\.NET SDK\v2.0\bin\csupload” add-disk -destination http://portalvhdsncdc9022xjxbf.blob.core.windows.net/vhds/EX2010.vhd -label EX2010 -literalpath d:\contoso\contoso2.vhd -name contoso2.vhd -os Windows

Introduction

 

  • A number of organizations use AD FS for SSO capabilities, but all such organizations do not have HA or Site resilience added to AD FS Deployment
  • The Password Sync option can be a great backup solution while AD FS is offline or while you are fixing AD FS problems
    • DirSync is already a core component required for AD FS, just required to enable the Password Sync feature
    • Alternatively, you could have Password Sync enabled running all the time. Does not interfere with SSO
    • During AD FS failure, fallback to Password Sync can be done through couple of methods. But it will takes time (up to 72 hours) to be effective for the users. Those methods must be only enabled in case of Disaster.

Implementation Method1

 

  • Method 1: Using Set-MsolDomainAuthentication cmdlet
    • This cmdlet is a good temporary option, as it,
      • Does not require AD FS to be online
      • Will only update the settings in Microsoft Online Services
      • Will not remove the Office 365 relying party trust information from AD FS
      • Will not change the User objects (from federated to standard)
    • Process to switch to Password sync:
        • Enable Password Sync (if not already enabled)

       

    • Set-MsolDomainAuthentication –DomainName <Domain Name> -Authentication Managed
      • Use Get-Msoldomain cmdlet to check if the domain is in mode Managed and not Federated
      • Force full Password sync, if required
    • Revert to AD FS or SSO:
      • Convert-MsolDomainToFederated –DomainName <DomainName> (requires AD FS online)
      • This cmdlet will revert the domain back to Federated, and will re-establish the relying party trust
      • Use Get-Msoldomain cmdlet to check if the domain is in mode Federated and not Managed

Implementation Method 2

 

  • Method 2: Using Convert-MsolDomainToStandard cmdlet
    • Is good for either temporary or exclusive switch over to Password Sync
      • Requires AD FS to be online
      • Will remove relying party trust information from MFG and on-premises AD FS (cleans-up)
      • Optionally converts Federated users to Standard users (which enables ‘change password’ option for them in portal)
      • Resets and generates temporary passwords for these users (can be overwritten with Password Sync)
      • Limited to process only 1000 user objects (use Convert-MsolFederatedUser or this script for more than 1000 objects)
      • Use Get-Msoldomain cmdlet to check if the domain is in mode Managed and not Federated
    • Process to switch to Password sync:
      • Enable Password Sync (if not already enabled)
      • Convert-MsolDomainToStandard -DomainName <Domain Name> -SkipUserConversion $True or, for permanent switchover that could take two hours, use -SkipUserConversion $false
      • 3. Force full Password sync
    • Revert to AD FS or SSO:

Convert-MsolDomainToFederated –DomainName <DomainName> (requires AD FS online)

      • Use Get-Msoldomain cmdlet to check if the domain is in mode Federated and not Managed

Good articles to explain the differences and how to merge the S&C Sensitivity labels and AIP labels,

https://www.itpromentor.com/aip-vs-365-labels/

https://www.petri.com/unifying-office-365-sensitivity-labels

 

MS technet:

S&C labels: https://docs.microsoft.com/en-us/Office365/SecurityCompliance/sensitivity-labels

AIP labels: https://docs.microsoft.com/en-us/azure/information-protection/configure-policy-protection

 

 

https://docs.microsoft.com/en-gb/office365/admin/manage/release-options-in-office-365

Azure AD B2B resources

https://docs.microsoft.com/fr-fr/azure/active-directory/b2b/what-is-b2b

  • The partner uses their own identities and credentials; Azure AD is not required.
  • You don’t need to manage external accounts or passwords.
  • You don’t need to sync accounts or manage account lifecycles.

Managing externals:

https://predica.pl/blog/guests-in-the-cloud-how-to-safely-manage-external-users-using-azure-ad-b2b/

SharePoint Online Azure AD B2B – Custom email invites for users using PowerShell

Powershell to invite B2B users:

https://github.com/Azure/azure-docs-powershell-azuread/blob/master/azureadps-2.0/AzureAD/New-AzureADMSInvitation.md

https://www.adamfowlerit.com/2017/03/azure-ad-b2b-powershell-invites/

https://justidm.wordpress.com/2017/05/07/azure-ad-b2b-how-to-bulk-add-guest-users-without-invitation-redemption/

How to identify stale guest users:

https://www.undocumented-features.com/2018/06/22/how-to-find-staleish-azure-b2b-guest-accounts/

script: https://gallery.technet.microsoft.com/scriptcenter/Report-on-Azure-AD-Stale-8e64c1c5

External sharing:

with SPO: https://docs.microsoft.com/en-us/sharepoint/external-sharing-overview

with OneDrive: https://docs.microsoft.com/en-us/onedrive/manage-sharing

with MS Teams: https://docs.microsoft.com/en-us/microsoftteams/let-your-teams-users-communicate-with-other-people

Sharing and collaboration:

https://docs.microsoft.com/en-us/office365/enterprise/office-365-inter-tenant-collaboration

B2B Collaboration in Hybrid Identity Scenario

B2B Collaboration in Hybrid Identity Scenario – Part II