Category: Office365

Reference article:

Doc to disable the user consent:

Best practices:

There are many aspects to a secure Identity infrastructure, but this five-step checklist will help you quickly accomplish a safer and secure identity infrastructure:

  • Strengthen your credentials.
  • Reduce your attack surface area.
  • Automate threat response.
  • Increase your awareness of auditing and monitoring.
  • Enable more predictable and complete end-user security with self-help.

Detailed action plan:

  • Make sure your organization uses strong authentication
  • Start banning commonly attacked passwords and turn off traditional complexity and expiration rules
  • Protect against leaked credentials and add resilience against outages
  • Implement AD FS extranet smart lockout
  • Block legacy authentication
  • Block invalid authentication entry points
  • Implement Azure AD Privileged Identity Management (PIM)
  • Implement user risk security policy using Azure AD Identity Protection
  • Implement sign-in risk policy using Azure AD Identity Protection
  • Monitor Azure AD
  • Monitor Azure AD Connect Health in hybrid environments
  • Monitor Azure AD Identity Protection events
  • Audit apps and consented permissions
  • Implement self-service password reset
  • Implement self-service group and application access
  • Implement Azure AD access reviews

How to:

Before configuring AD FS smart lockout, remove your account from the AD Protected Users group, otherwise you may get "access denied".



Primary Domain Controller Requirement

AD FS 2016 offers a parameter that allows fallback to another domain controller when the PDC is unavailable.

  • ExtranetLockoutRequirePDC <Boolean> When enabled, extranet lockout requires a primary domain controller (PDC). When disabled, extranet lockout will fall back to another domain controller in case the PDC is unavailable. The following example shows the cmdlet to enable lockout with the PDC requirement disabled:
    Set-AdfsProperties -EnableExtranetLockout $true -ExtranetLockoutThreshold 8 -ExtranetObservationWindow (new-timespan -Minutes 30) -ExtranetLockoutRequirePDC $false

PS C:\WINDOWS\system32> get-adfsproperties | select *extra*

ExtranetLockoutThreshold  : 8
ExtranetLockoutMode       : ADPasswordCounter
ExtranetLockoutEnabled    : True
ExtranetObservationWindow : 00:30:00
ExtranetLockoutRequirePDC : True

PS C:\WINDOWS\system32> $cred = Get-Credential

cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
PS C:\WINDOWS\system32> Update-AdfsArtifactDatabasePermission -Credential $cred
PS C:\WINDOWS\system32> Set-AdfsProperties -ExtranetLockoutMode AdfsSmartlockoutLogOnly

This command will set the extranet lockout mode to AdfsSmartLockout.  Verify all nodes have up to date patches and appropriate database permissions have been assigned by
running Update-AdfsArtifactDatabasePermission.  See for more information.
[Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): Y
WARNING: PS0038: This action requires a restart of the AD FS Windows Service. If you have deployed a federation server farm, restart the service on every server in the farm.
PS C:\WINDOWS\system32> restart-service adfssrv
WARNING: Waiting for service 'Active Directory Federation Services (adfssrv)' to stop...
WARNING: Waiting for service 'Active Directory Federation Services (adfssrv)' to stop...
WARNING: Waiting for service 'Active Directory Federation Services (adfssrv)' to stop...
WARNING: Waiting for service 'Active Directory Federation Services (adfssrv)' to stop...
WARNING: Waiting for service 'Active Directory Federation Services (adfssrv)' to start...
WARNING: Waiting for service 'Active Directory Federation Services (adfssrv)' to start...


Observing Audit Events

AD FS will write extranet lockout events to the security audit log:

  • When a user is locked out (reaches the lockout threshold for unsuccessful login attempts)
  • When AD FS receives a login attempt for a user who is already in lockout state

While in log only mode, you can check the security audit log for lockout events. For any events found, you can check the user state using the Get-ADFSAccountActivity cmdlet to determine if the lockout occurred from familiar or unfamiliar IP addresses, and to double check the list of familiar IP addresses for that user.


Enable enforce mode

Once you have been running in log-only mode long enough for AD FS to learn login locations and to observe any lockout activity, and once you are comfortable with the lockout threshold and observation window, smart lockout can be moved to "enforce" mode using the PowerShell cmdlet below:

PS C:\>Set-AdfsProperties -ExtranetLockoutMode AdfsSmartLockoutEnforce

For the new mode to take effect, restart the AD FS service on all nodes in the farm:

PS C:\>Restart-service adfssrv
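The following script is an added example (not part of the original post or of Microsoft's documentation) that pulls together the review step described above: it reads the current extranet lockout settings with Get-AdfsProperties, collects recent lockout audit events from the Security log, and runs Get-ADFSAccountActivity for each affected user to show whether the lockouts came from familiar or unknown IP addresses. It assumes it runs on an AD FS 2016 node with auditing enabled; the provider name "AD FS Auditing", the "lockout" text match and the UPN pattern are assumptions about the event format.

```powershell
# Added example: review AD FS smart lockout state and recent lockout audits
# before switching from log-only to enforce mode.
Import-Module ADFS

function Get-AdfsExtranetLockoutSummary {
    $p = Get-AdfsProperties
    [pscustomobject]@{
        Enabled    = $p.ExtranetLockoutEnabled
        Mode       = $p.ExtranetLockoutMode
        Threshold  = $p.ExtranetLockoutThreshold
        Window     = $p.ExtranetObservationWindow
        RequirePDC = $p.ExtranetLockoutRequirePDC
    }
}

function Get-AdfsLockoutAuditReport {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    # Provider name and 'lockout' text filter are assumptions about the audit events.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; ProviderName = 'AD FS Auditing'; StartTime = $since
    } -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'lockout' }

    # Pull the UPN out of the event text (regex is an assumption about the format).
    $users = $events | ForEach-Object {
        if ($_.Message -match '([\w.\-]+@[\w.\-]+)') { $Matches[1] }
    } | Sort-Object -Unique

    foreach ($upn in $users) {
        $a = Get-ADFSAccountActivity -Identity $upn
        [pscustomobject]@{
            User            = $upn
            FamiliarLockout = $a.FamiliarLockout
            UnknownLockout  = $a.UnknownLockout
            BadPwdFamiliar  = $a.BadPwdCountFamiliar
            BadPwdUnknown   = $a.BadPwdCountUnknown
            FamiliarIPs     = ($a.FamiliarIPs -join ', ')
        }
    }
}

$summary = Get-AdfsExtranetLockoutSummary
$summary | Format-List
if ($summary.Mode -ne 'AdfsSmartLockoutLogOnly') {
    Write-Warning "Smart lockout is not in log-only mode; review before enforcing."
}
Get-AdfsLockoutAuditReport -Hours 24 | Format-Table -AutoSize
```

Run it on each farm node while still in log-only mode; an unexpected UnknownLockout count for a user is the signal to revisit the threshold and observation window before enforcing.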

How to choose between authn methods:




Microsoft Office 365 roadmap:

For significant updates, Office customers are initially notified by the O365 roadmap:

As an update gets closer to rolling out, it is communicated through your Office 365 Message center.

Microsoft Azure roadmap:

Microsoft cloud platform:

Graph explorer:

News from ignite 2019:


Resources for MS graph API:


How to access Azure AD using Microsoft GRAPH:



New MS graph API add-on for splunk:

Here are resources about Azure and Office365; let me summarize:

Office365: an offer of Microsoft services and hosted applications (SaaS); in plain terms, you pay for a service (SharePoint, Exchange, Office, ...) and you don't manage the infrastructure behind it (CPU, RAM, storage, security).

Azure: a cloud (private/public) offer (PaaS/IaaS); compared to Office365, Microsoft provides only the plumbing (Hyper-V, storage, CPU, RAM, network) and you manage the applications, the operating system, security and patches; in short "it is like Lego or Meccano!", and with Azure you can mix your on-premises IT infrastructure with Azure in the cloud (and vice versa).

Web resources for Azure:

Domains FAQ:

Domain take over:

Azure tips and tricks:

Azure subscription and naming convention:

Azure RBAC:

Manage VM:


Azure cost calculator:

White papers:

Azure health status:

Choose the right authentication method:

AzureAD connect:

Other resources:

To go deeper:


Seyf’s blog:

Web resources for Office 365:

Office 365 for business get started:



Productivity library (scenarios):

Technical decks:

Technical references:



‘In the Cloud’:

Office blog:    and

Intune blog:

Azure AD – Take over a DNS domain


The procedure consists of adding DNS TXT records to all the domains, just as for standard domain registration, to prove ownership; the process then unregisters them and adds them to your tenant.
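Since verification fails when the TXT record is not yet visible from public DNS, the script below is an added pre-check (not part of the original post) that queries a public resolver for each domain and reports whether the expected verification value is present. The domain names and "MS=..." values are constructed placeholders; the resolver address is an assumption and any public resolver will do.

```powershell
# Added example: confirm the Azure AD verification TXT records are published
# for every domain before triggering verification in the tenant.
$expected = @{
    'example.com'      = 'MS=ms00000001'   # constructed placeholder
    'corp.example.net' = 'MS=ms00000002'   # constructed placeholder
}

function Test-DomainVerificationRecord {
    param(
        [hashtable]$Expected,
        [string]$Resolver = '8.8.8.8'   # public resolver, to see what the cloud sees
    )
    foreach ($domain in $Expected.Keys) {
        try {
            # Resolve-DnsName (DnsClient module) returns one object per TXT record;
            # Strings holds the record's character-string chunks.
            $txt = Resolve-DnsName -Name $domain -Type TXT -Server $Resolver -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'TXT' } |
                   ForEach-Object { $_.Strings -join '' }
        } catch {
            $txt = @()   # NXDOMAIN, timeout or no TXT records
        }
        [pscustomobject]@{
            Domain   = $domain
            Expected = $Expected[$domain]
            Found    = (@($txt) -contains $Expected[$domain])
            TxtCount = @($txt).Count
        }
    }
}

$results = Test-DomainVerificationRecord -Expected $expected
$results | Format-Table -AutoSize
$missing = $results | Where-Object { -not $_.Found }
if ($missing) {
    Write-Warning ("Not ready: " + ($missing.Domain -join ', ') + ". Wait for DNS propagation before verifying.")
}
```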

Reference article: