Category: Office365


Microsoft Office 365 roadmap:

For significant updates, Office customers are first notified through the Office 365 roadmap: https://www.microsoft.com/en-us/microsoft-365/roadmap

As an update gets closer to rolling out, it is announced in your Office 365 Message center.

Microsoft Azure roadmap:

https://azure.microsoft.com/en-us/updates/

Microsoft cloud platform:

https://www.microsoft.com/en-us/microsoft-365/enterprise-mobility-security

Graph explorer: 

https://developer.microsoft.com/en-us/graph/graph-explorer

https://graphexplorer.azurewebsites.net/

News from Ignite 2019:

https://developer.microsoft.com/en-us/office/blogs/ignite-2019-microsoft-graph-news/

 

Resources for MS graph API:

https://docs.microsoft.com/en-us/graph/security-concept-overview

https://github.com/microsoftgraph/security-api-solutions/tree/master/Samples/PowerShell

https://www.petri.com/exploring-office-365-graph-explorer

 

How to access Azure AD using Microsoft Graph:

https://www.bing.com/videos/search?q=how+to+access+azure+AD+using+microsoft+graph&qpvt=how+to+access+azure+AD+using+microsoft+graph&FORM=VDRE

Previous (Azure AD Graph API, now superseded by Microsoft Graph):

https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-graph-api-quickstart

 

New Microsoft Graph Security API add-on for Splunk:

https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Introducing-the-new-Microsoft-Graph-Security-API-add-on-for/ba-p/815972

 

 

 

Attacking and Defending the Microsoft Cloud (Black Hat USA 2019, Metcalf and Morowczynski):

https://adsecurity.org/wp-content/uploads/2019/08/2019-BlackHat-US-Metcalf-Morowczynski-AttackingAndDefendingTheMicrosoftCloud.pdf

Admin takeover of an unmanaged Azure AD tenant:

Summary:

The procedure consists of adding a DNS TXT record to each domain, exactly as for standard domain verification, to prove ownership. Once the records are verified, the takeover process removes the domains from the unmanaged tenant and adds them to your own tenant. Whoever controls the public DNS of a domain can complete this verification, which is what makes the self-service takeover possible.

Reference article:

https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/domains-admin-takeover
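The takeover flow above, driven from PowerShell, as an added example (not code from the referenced Microsoft article). It assumes the MSOnline module is installed and Connect-MsolService has already been run as a Global Administrator of the tenant you control; the two domain names are constructed placeholders, and Resolve-DnsName (DnsClient module on Windows) is used only as a pre-check before the verification call.

```powershell
# Added example: external admin takeover of domains currently held by an unmanaged
# Azure AD tenant. Assumes Connect-MsolService was already run as Global Admin.
Import-Module MSOnline

# Constructed placeholders; replace with the domains you actually own.
$DomainsToTakeOver = @('contoso-unmanaged.example', 'fabrikam-unmanaged.example')

# Step 1: register each domain in our tenant and print the TXT record to publish.
foreach ($Domain in $DomainsToTakeOver) {
    if (-not (Get-MsolDomain -DomainName $Domain -ErrorAction SilentlyContinue)) {
        New-MsolDomain -Name $Domain | Out-Null
    }
    $Txt = Get-MsolDomainVerificationDns -DomainName $Domain -Mode DnsTxtRecord
    Write-Host "Publish this TXT record for ${Domain}: $($Txt.Label) -> $($Txt.Text)"
}

# Returns $true only when the expected TXT value is visible in public DNS, so we do not
# burn a verification attempt before the record has propagated.
function Test-TxtRecordPublished {
    param([string]$Domain, [string]$ExpectedText)
    $Answers = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue
    return [bool]($Answers | Where-Object { $_.Strings -contains $ExpectedText })
}

# Step 2: once the records are live, verify and force the domain out of the unmanaged tenant.
foreach ($Domain in $DomainsToTakeOver) {
    $Txt = Get-MsolDomainVerificationDns -DomainName $Domain -Mode DnsTxtRecord
    if (-not (Test-TxtRecordPublished -Domain $Domain -ExpectedText $Txt.Text)) {
        Write-Warning "TXT record for $Domain is not visible yet; skipping."
        continue
    }
    # -ForceTakeover Force performs the external takeover described in the article.
    Confirm-MsolDomain -DomainName $Domain -ForceTakeover Force
    Write-Host "Verified and took over $Domain."
}
```

Run step 1, publish the records at the registrar, wait for propagation, then run the script again so step 2 completes. Defensively, the same mechanism means a TXT record you did not publish appearing on one of your domains is worth an alert.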

 

 

 

Understanding Tokens

How the Modern Authentication Protocol Works

Once Modern Authentication is enabled, a user authenticates with one of the Office 365 services and is issued both an Access Token and a Refresh Token. The Access Token is short-lived, valid for about one hour. The Refresh Token is longer-lived and can be valid for up to 90 days in some cases, such as frequent use while the user's password has not changed. The Access Token is what is presented to the Office 365 services; when it expires, the Office client presents the Refresh Token to Azure Active Directory and requests a new Access Token for the service. The 14-day figure often quoted as the default Refresh Token lifetime is the older inactivity window (a token unused for that long stops working); the table below lists the documented defaults and the configurable limits. Features such as Conditional Access policies may force users to sign in again even though the Refresh Token is still valid. Conversely, a stolen Refresh Token remains usable until it expires or is revoked, for example by a password change or by Revoke-AzureADUserAllRefreshToken.

You can specify the lifetime of a token issued by Azure Active Directory (Azure AD). You can set token lifetimes for all apps in your organization, for a multi-tenant (multi-organization) application, or for a specific service principal in your organization.

Reference: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes

Configurable token lifetime properties

| Property | Policy property string | Affects | Default | Minimum | Maximum |
|---|---|---|---|---|---|
| Access Token Lifetime | AccessTokenLifetime | Access tokens, ID tokens, SAML2 tokens | 1 hour | 10 minutes | 1 day |
| Refresh Token Max Inactive Time | MaxInactiveTime | Refresh tokens | 90 days | 10 minutes | 90 days |
| Single-Factor Refresh Token Max Age | MaxAgeSingleFactor | Refresh tokens (for any users) | Until-revoked | 10 minutes | Until-revoked [1] |
| Multi-Factor Refresh Token Max Age | MaxAgeMultiFactor | Refresh tokens (for any users) | Until-revoked | 10 minutes | Until-revoked [1] |
| Single-Factor Session Token Max Age | MaxAgeSessionSingleFactor [2] | Session tokens (persistent and nonpersistent) | Until-revoked | 10 minutes | Until-revoked [1] |
| Multi-Factor Session Token Max Age | MaxAgeSessionMultiFactor [3] | Session tokens (persistent and nonpersistent) | Until-revoked | 10 minutes | Until-revoked [1] |

  • [1] 365 days is the maximum explicit length that can be set for these attributes.
  • [2] If MaxAgeSessionSingleFactor is not set, this value takes the MaxAgeSingleFactor value. If neither parameter is set, the property takes the default value (until-revoked).
  • [3] If MaxAgeSessionMultiFactor is not set, this value takes the MaxAgeMultiFactor value. If neither parameter is set, the property takes the default value (until-revoked).

 

Example token lifetime policies

Many scenarios are possible in Azure AD where you can create and manage token lifetimes for apps, service principals, and your overall organization. In this section, we walk through a few common policy scenarios that can help you impose new rules for:

  • Token Lifetime
  • Token Max Inactive Time
  • Token Max Age

In the examples, you can learn how to:

  • Manage an organization’s default policy
  • Create a policy for web sign-in
  • Create a policy for a native app that calls a web API
  • Manage an advanced policy

Prerequisites

In the following examples, you create, update, link, and delete policies for apps, service principals, and your overall organization. If you are new to Azure AD, we recommend that you learn about how to get an Azure AD tenant before you proceed with these examples.

To get started, do the following steps:

  1. Download the latest Azure AD PowerShell Module Public Preview release.
  2. Run the Connect command to sign in to your Azure AD admin account. Run this command each time you start a new session.

    Connect-AzureAD -Confirm

  3. To see all policies that have been created in your organization, run the following command. Run this command after most operations in the following scenarios; its output also gives you the ObjectId of each policy, which the link, update and delete cmdlets need.

    Get-AzureADPolicy
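The "organization default" and "service principal" scenarios carried through end to end, as an added example that is not code from the original page or from Microsoft's article. It assumes the AzureAD module is installed and Connect-AzureAD has already been run as a Global Administrator; the policy display names and the application ID are constructed placeholders.

```powershell
# Added example: shorten access tokens tenant-wide, then override for one high-risk app.
# Assumes Connect-AzureAD was already run with sufficient rights.
Import-Module AzureAD

# The definition is a JSON string. Durations use dd.hh:mm:ss or hh:mm:ss; 30 minutes sits
# between the documented 10-minute minimum and 1-day maximum for AccessTokenLifetime.
$OrgDefinition = '{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"00:30:00"}}'

$OrgPolicy = New-AzureADPolicy -Definition @($OrgDefinition) `
    -DisplayName 'OrganizationDefault-30MinuteAccessToken' `
    -IsOrganizationDefault $true `
    -Type 'TokenLifetimePolicy'

# The Id column is what the link, update and delete cmdlets below take.
Get-AzureADPolicy | Select-Object Id, DisplayName, IsOrganizationDefault, Type

# A policy linked to a service principal overrides the organization default for that app only.
# Here a high-risk app gets the 10-minute floor so a leaked access token dies quickly.
$AppDefinition = '{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"00:10:00"}}'
$AppPolicy = New-AzureADPolicy -Definition @($AppDefinition) `
    -DisplayName 'HighRiskApp-10MinuteAccessToken' `
    -IsOrganizationDefault $false `
    -Type 'TokenLifetimePolicy'

# Placeholder AppId; replace with the application (client) ID of the app to constrain.
$Sp = Get-AzureADServicePrincipal -Filter "AppId eq '00000000-0000-0000-0000-000000000000'"
Add-AzureADServicePrincipalPolicy -Id $Sp.ObjectId -RefObjectId $AppPolicy.Id

# Confirm which policy the service principal now carries.
Get-AzureADServicePrincipalPolicy -Id $Sp.ObjectId

# Later adjustments: tighten the org default in place, or unlink and remove both policies.
# Set-AzureADPolicy -Id $OrgPolicy.Id -Definition @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"00:20:00"}}')
# Remove-AzureADServicePrincipalPolicy -Id $Sp.ObjectId -PolicyId $AppPolicy.Id
# Remove-AzureADPolicy -Id $AppPolicy.Id
# Remove-AzureADPolicy -Id $OrgPolicy.Id
```

Only AccessTokenLifetime is worth setting in new work: Microsoft later retired the refresh and session token properties (MaxInactiveTime and the MaxAge* values in the table) in favour of the Conditional Access sign-in frequency control, so shortening the access token and enforcing sign-in frequency through Conditional Access is the combination that actually limits how long a stolen token is useful.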

Reference article:

https://docs.microsoft.com/en-us/office365/admin/add-users/set-password-to-never-expire?view=o365-worldwide

 

# Set a password to expire

Run one of the following commands:

To set the password of one user so that the password expires, run the following cmdlet by using the UPN or the user ID of the user:

Set-AzureADUser -ObjectId <user ID> -PasswordPolicies None

To set the passwords of all users in the organization so that they expire, use the following cmdlet:

Get-AzureADUser -All $true | Set-AzureADUser -PasswordPolicies None

 

# Set a password to never expire

Run one of the following commands:

To set the password of one user to never expire, run the following cmdlet by using the UPN or the user ID of the user:

Set-AzureADUser -ObjectId <user ID> -PasswordPolicies DisablePasswordExpiration

To set the passwords of all the users in an organization to never expire, run the following cmdlet:

Get-AzureADUser -All $true | Set-AzureADUser -PasswordPolicies DisablePasswordExpiration

Warning

Passwords set to -PasswordPolicies DisablePasswordExpiration still age based on the pwdLastSet attribute. If you set the user passwords to never expire and then 90+ days go by, the passwords expire. Based on the pwdLastSet attribute, if you change the expiration to -PasswordPolicies None, all passwords that have a pwdLastSet older than 90 days require the user to change them the next time they sign in. This change can affect a large number of users.

# To get if password will expire for a user

# PasswordPolicies is a single string that may carry several comma-separated values
# (for example "DisablePasswordExpiration, DisableStrongPassword"); -contains would only
# match an exact single value, so -like is used to test for the flag.
Get-AzureADUser -ObjectId <user id or UPN> | Select-Object UserPrincipalName,@{
N="PasswordNeverExpires";E={$_.PasswordPolicies -like "*DisablePasswordExpiration*"}
}

# To get a report of all the users with PasswordNeverExpires in HTML

Get-AzureADUser -All $true | Select-Object UserPrincipalName,@{
N="PasswordNeverExpires";E={$_.PasswordPolicies -like "*DisablePasswordExpiration*"}
} | ConvertTo-Html | Out-File $env:userprofile\Desktop\ReportPasswordNeverExpires.html

# To get a report of all the users with PasswordNeverExpires in CSV

Get-AzureADUser -All $true | Select-Object UserPrincipalName,@{
N="PasswordNeverExpires";E={$_.PasswordPolicies -like "*DisablePasswordExpiration*"}
} | ConvertTo-Csv -NoTypeInformation | Out-File $env:userprofile\Desktop\ReportPasswordNeverExpires.csv
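The warning above says that switching users back to -PasswordPolicies None forces anyone whose password is older than the validity period to change it at next sign-in. The following added example (not code from the original page or from Microsoft's article) measures that impact before the change. It assumes the MSOnline module is installed and Connect-MsolService has already been run, because LastPasswordChangeTimestamp is exposed by Get-MsolUser and not by Get-AzureADUser; the domain name is a constructed placeholder.

```powershell
# Added example: list users who would be forced to change their password if
# DisablePasswordExpiration were removed. Assumes Connect-MsolService was already run.
Import-Module MSOnline

function Get-PasswordExpiryImpact {
    param(
        [Parameter(Mandatory)] [string]$DomainName,
        [int]$DefaultValidityDays = 90   # fallback when the tenant has no explicit policy
    )
    # Tenant-wide validity period in days; Get-MsolPasswordPolicy returns ValidityPeriod.
    $Policy = Get-MsolPasswordPolicy -DomainName $DomainName -ErrorAction SilentlyContinue
    $ValidityDays = if ($Policy -and $Policy.ValidityPeriod) { [int]$Policy.ValidityPeriod } else { $DefaultValidityDays }
    $Cutoff = (Get-Date).AddDays(-$ValidityDays)

    Get-MsolUser -All | ForEach-Object {
        $Changed = $_.LastPasswordChangeTimestamp
        $AgeDays = if ($null -ne $Changed) { [int]((Get-Date) - $Changed).TotalDays } else { $null }
        [pscustomobject]@{
            UserPrincipalName        = $_.UserPrincipalName
            PasswordNeverExpires     = $_.PasswordNeverExpires
            LastPasswordChange       = $Changed
            PasswordAgeDays          = $AgeDays
            # The accounts the warning refers to: never-expire today, but already past the cutoff.
            WouldExpireIfPolicyReset = ($_.PasswordNeverExpires -and $null -ne $Changed -and $Changed -lt $Cutoff)
        }
    }
}

# Placeholder domain; use one of the tenant's verified domains.
$Impact = Get-PasswordExpiryImpact -DomainName 'contoso.onmicrosoft.com'
$Affected = @($Impact | Where-Object WouldExpireIfPolicyReset)

$Affected | Sort-Object PasswordAgeDays -Descending |
    Export-Csv -NoTypeInformation -Path "$env:USERPROFILE\Desktop\PasswordExpiryImpact.csv"
Write-Host "$($Affected.Count) users would be forced to change their password at next sign-in."
```

Run it against the CSV produced by the report above to see which of the never-expire accounts are also long past the validity period; those are the ones to warn (or exclude) before flipping the policy.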

 

By default, when a PowerShell script in an Office 365 environment needs user credentials, we use a cmdlet such as Get-Credential.
Get-Credential displays a pop-up credential window in which the user fills in their credentials. The credentials can be saved in a variable, and that variable is then used to connect to each of the different Office 365 services.
PowerShell also includes a built-in mechanism for saving a password to a text file in protected form. ConvertFrom-SecureString encrypts the string, so although it is stored in a plain text file, the contents are useless to other users.

Without the -Key parameter the encryption uses DPAPI, which means the blob can only be decrypted by the same Windows user account on the same machine. Any process running as that user (not only PowerShell) can decrypt it, so the file protects against other users and against copying the file elsewhere, not against an attacker who already controls that user's session.
PowerShell script and user credentials

1. Write the password as part of the PowerShell script. Adding the password to the script file is the simplest option but, from a security perspective, it is the worst because the password is kept in a text file in clear text. (We will not review this option.)
2. Provide user credentials when running the PowerShell script. The script includes an empty variable that will hold the required credentials; when the script runs, a pop-up window appears and the person executing it has to type them in. With this option the credentials must be provided every time the script runs.
3. Store the password once, encrypted with ConvertFrom-SecureString, and have the script read it back and rebuild a PSCredential object. This is the option shown below.

====================================

# Prompt for the password as a SecureString
Read-Host -Prompt "<text>" -AsSecureString

# Serialize a SecureString to its DPAPI-protected form and write it to disk
ConvertFrom-SecureString | Out-File "Path"

# Both steps combined
Read-Host -Prompt "<text>" -AsSecureString | ConvertFrom-SecureString | Out-File "Path"

# Concrete example. Note that C:\windows\temp is a shared location; the DPAPI blob is still
# only decryptable by this user, but a path under the user's profile is the better choice.
Read-Host -Prompt "Enter your tenant password" -AsSecureString | ConvertFrom-SecureString | Out-File "C:\windows\temp\cred.txt"

====================================

$AdminName = "UPN Name"

# Read the blob back and decrypt it (works only for the same user on the same machine)
$Pass = Get-Content "<Path>" | ConvertTo-SecureString

$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $AdminName, $Pass

====================================

Import-Module MSOnline

Connect-MsolService -Credential $Credential

# Exchange Online remoting with Basic authentication. Microsoft has since retired Basic
# authentication for this endpoint; new scripts should use the ExchangeOnlineManagement
# module (Connect-ExchangeOnline) instead, and MSOnline itself is being replaced by
# Microsoft Graph PowerShell.
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $Credential -Authentication Basic -AllowRedirection

Import-PSSession $Session
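The three fragments above assembled into one script, as an added example that is not code from the original page. It assumes Windows PowerShell 5.1 on Windows (DPAPI-backed ConvertFrom-SecureString), that icacls is available, and that the ExchangeOnlineManagement module is installed for the final connection; the UPN and file name are constructed placeholders. Compared with the fragments it also restricts the file's ACL to the current user and reports clearly when the blob cannot be decrypted because it was created by another user or on another machine.

```powershell
# Added example: DPAPI-protected password file with a locked-down ACL, and the
# PSCredential rebuilt from it. Assumes Windows PowerShell 5.1 on Windows.

function Save-TenantPassword {
    param([Parameter(Mandatory)] [string]$Path)
    $Secure = Read-Host -Prompt 'Enter the tenant password' -AsSecureString

    # No -Key: DPAPI binds the blob to this Windows user on this machine. Any process
    # running as this user can decrypt it; other users and other machines cannot.
    $Secure | ConvertFrom-SecureString | Out-File -FilePath $Path -Encoding ascii

    # Drop inherited permissions and grant the current user only, so the file is not
    # readable by other local accounts even before DPAPI comes into play.
    $Principal = "$env:USERDOMAIN\$env:USERNAME"
    icacls $Path /inheritance:r /grant:r "${Principal}:F" | Out-Null
}

function Get-TenantCredential {
    param(
        [Parameter(Mandatory)] [string]$UserPrincipalName,
        [Parameter(Mandatory)] [string]$Path
    )
    try {
        $Secure = Get-Content -Path $Path | ConvertTo-SecureString
    } catch {
        # ConvertTo-SecureString throws when the blob was written by a different user
        # or on a different machine; say so instead of surfacing a generic error.
        throw "Cannot decrypt ${Path}: the DPAPI blob is bound to the user and machine that created it. $_"
    }
    New-Object System.Management.Automation.PSCredential($UserPrincipalName, $Secure)
}

# Keep the file under the profile rather than in a shared directory (constructed path).
$CredPath = Join-Path $env:USERPROFILE 'tenant-cred.txt'
if (-not (Test-Path $CredPath)) { Save-TenantPassword -Path $CredPath }

# Placeholder UPN.
$Credential = Get-TenantCredential -UserPrincipalName 'admin@contoso.onmicrosoft.com' -Path $CredPath

# Modern replacement for the Basic-auth remoting session shown above.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -Credential $Credential
```

A stored password only works for an account without multi-factor authentication, which is exactly the configuration an administrative account should not have. For unattended automation prefer an application registration with certificate-based authentication (Connect-ExchangeOnline -CertificateThumbprint -AppId -Organization), and keep this file-based approach for low-privilege accounts.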

Articles about multiple environments in a single tenant:

An environment is a space to store, manage, and share your organization’s business data, apps, and flows. They also serve as containers to separate apps that may have different roles, security requirements, or target audiences:

https://flow.microsoft.com/fr-fr/blog/intro-flow-admin-center/

https://docs.microsoft.com/en-us/flow/environments-overview-maker

https://docs.microsoft.com/en-us/power-platform/admin/environments-overview

Licensing:

https://docs.microsoft.com/fr-fr/power-platform/admin/trial-environments

 

Compare the PowerApps Plan:

https://powerapps.microsoft.com/en-us/pricing/#compare-plans

https://docs.microsoft.com/fr-fr/power-platform/admin/pricing-billing-skus#licenses

 

Admin portals:

https://admin.flow.microsoft.com/environments

https://admin.powerapps.com/environments

Azure AD Sync issues:

 

https://gallery.technet.microsoft.com/scriptcenter/Common-Azure-AD-Sync-Issues-0f0025e1#content

 

https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Sync-Error-Reports-in-AzureAD-Connect-Health-are-now-in-Public/ba-p/245151