Category: Office365


Introduction


  • A number of organizations use AD FS for SSO capabilities, but not all of them add HA or site resilience to their AD FS deployment
  • The Password Sync option can be a great backup solution while AD FS is offline or while you are fixing AD FS problems
    • DirSync is already a core component required for AD FS; you only need to enable the Password Sync feature
    • Alternatively, you can leave Password Sync enabled and running all the time. It does not interfere with SSO
    • During an AD FS failure, fallback to Password Sync can be done through a couple of methods. But it will take time (up to 72 hours) to become effective for the users. Those methods must only be enabled in case of disaster.

Implementation Method1


  • Method 1: Using the Set-MsolDomainAuthentication cmdlet
    • This cmdlet is a good temporary option, as it:
      • Does not require AD FS to be online
      • Will only update the settings in Microsoft Online Services
      • Will not remove the Office 365 relying party trust information from AD FS
      • Will not change the user objects (from federated to standard)
    • Process to switch to Password Sync:
      • Enable Password Sync (if not already enabled)
      • Set-MsolDomainAuthentication -DomainName <Domain Name> -Authentication Managed
      • Use the Get-MsolDomain cmdlet to check that the domain is in Managed mode and not Federated
      • Force a full Password Sync, if required
    • Revert to AD FS or SSO:
      • Convert-MsolDomainToFederated -DomainName <DomainName> (requires AD FS online)
      • This cmdlet will revert the domain back to Federated and re-establish the relying party trust
      • Use the Get-MsolDomain cmdlet to check that the domain is in Federated mode and not Managed

Implementation Method 2


  • Method 2: Using the Convert-MsolDomainToStandard cmdlet
    • Is good for either a temporary or an exclusive switch over to Password Sync
      • Requires AD FS to be online
      • Will remove relying party trust information from the MFG and from on-premises AD FS (cleans up)
      • Optionally converts federated users to standard users (which enables the ‘change password’ option for them in the portal)
      • Resets and generates temporary passwords for these users (can be overwritten by Password Sync)
      • Limited to processing only 1000 user objects (use Convert-MsolFederatedUser or this script for more than 1000 objects)
      • Use the Get-MsolDomain cmdlet to check that the domain is in Managed mode and not Federated
    • Process to switch to Password Sync:
      • Enable Password Sync (if not already enabled)
      • Convert-MsolDomainToStandard -DomainName <Domain Name> -SkipUserConversion $True; for a permanent switchover, which could take two hours, use -SkipUserConversion $false
      • Force a full Password Sync
    • Revert to AD FS or SSO:
      • Convert-MsolDomainToFederated -DomainName <DomainName> (requires AD FS online)
      • Use the Get-MsolDomain cmdlet to check that the domain is in Federated mode and not Managed
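Both methods above boil down to the same control loop: read the domain's authentication mode with Get-MsolDomain, change it, read it again. The script below is an added example (not from the original post) that wires the three cmdlets together with that verification step, covering Method 1, Method 2 and the revert. It assumes the MSOnline module is installed and already connected as a Global Administrator; the domain name and the password-file path are placeholders you must replace.

```powershell
# Added example, not part of the original post. Switches a federated domain to
# password sync (Managed) using either method from the post, or reverts it, and
# verifies the result with Get-MsolDomain. Assumes the MSOnline module.
# $DomainName and $PasswordFile are placeholders.
param(
    [string]$DomainName = 'contoso.example',                  # placeholder
    [ValidateSet('Method1', 'Method2', 'Revert')]
    [string]$Action = 'Method1',
    [string]$PasswordFile = 'C:\temp\converted-users.txt'     # placeholder; Convert-MsolDomainToStandard requires it
)

Connect-MsolService

function Get-DomainAuthMode([string]$Name) {
    # Authentication is 'Managed' or 'Federated'
    (Get-MsolDomain -DomainName $Name).Authentication
}

$before = Get-DomainAuthMode $DomainName
Write-Host "$DomainName is currently: $before"

switch ($Action) {
    'Method1' {
        # Works while AD FS is offline: changes only the cloud-side setting and
        # leaves the relying party trust and the user objects untouched.
        if ($before -ne 'Federated') { Write-Warning 'Domain is not federated; nothing to do.'; return }
        Set-MsolDomainAuthentication -DomainName $DomainName -Authentication Managed
        $expected = 'Managed'
    }
    'Method2' {
        # Requires AD FS online: removes the relying party trust on both sides.
        # -SkipUserConversion $true keeps the user objects as they are (temporary switch);
        # -PasswordFile receives the temporary passwords when users are converted.
        if ($before -ne 'Federated') { Write-Warning 'Domain is not federated; nothing to do.'; return }
        Convert-MsolDomainToStandard -DomainName $DomainName -SkipUserConversion $true -PasswordFile $PasswordFile
        $expected = 'Managed'
    }
    'Revert' {
        # Requires AD FS online: re-federates the domain and re-creates the trust.
        if ($before -ne 'Managed') { Write-Warning 'Domain is not managed; nothing to do.'; return }
        Convert-MsolDomainToFederated -DomainName $DomainName
        $expected = 'Federated'
    }
}

# Verify, as the post recommends, rather than trusting the cmdlet's silence
$after = Get-DomainAuthMode $DomainName
if ($after -ne $expected) { throw "Expected $expected but Get-MsolDomain reports $after" }
Write-Host "$DomainName is now $after."
if ($expected -eq 'Managed') {
    Write-Host 'Force a full password sync on the Azure AD Connect server so cloud credentials are current.'
}
```

Run it as `.\Switch-DomainAuth.ps1 -DomainName yourdomain.example -Action Method1` during an outage and with `-Action Revert` once AD FS is healthy again. The full password sync the post calls for is deliberately left as an operator step: it is run on the Azure AD Connect server, not against Microsoft Online Services.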

Good articles explaining the differences between S&C Sensitivity labels and AIP labels, and how to merge them:

https://www.itpromentor.com/aip-vs-365-labels/

https://www.petri.com/unifying-office-365-sensitivity-labels


MS technet:

S&C labels: https://docs.microsoft.com/en-us/Office365/SecurityCompliance/sensitivity-labels

AIP labels: https://docs.microsoft.com/en-us/azure/information-protection/configure-policy-protection


https://docs.microsoft.com/en-gb/office365/admin/manage/release-options-in-office-365

Azure AD B2B resources

https://docs.microsoft.com/fr-fr/azure/active-directory/b2b/what-is-b2b

  • The partner uses their own identities and credentials; Azure AD is not required.
  • You don’t need to manage external accounts or passwords.
  • You don’t need to sync accounts or manage account lifecycles.

Managing externals:

https://predica.pl/blog/guests-in-the-cloud-how-to-safely-manage-external-users-using-azure-ad-b2b/

SharePoint Online Azure AD B2B – Custom email invites for users using PowerShell

Powershell to invite B2B users:

https://github.com/Azure/azure-docs-powershell-azuread/blob/master/azureadps-2.0/AzureAD/New-AzureADMSInvitation.md

https://www.adamfowlerit.com/2017/03/azure-ad-b2b-powershell-invites/

https://justidm.wordpress.com/2017/05/07/azure-ad-b2b-how-to-bulk-add-guest-users-without-invitation-redemption/

How to identify stale guest users:

https://www.undocumented-features.com/2018/06/22/how-to-find-staleish-azure-b2b-guest-accounts/

script: https://gallery.technet.microsoft.com/scriptcenter/Report-on-Azure-AD-Stale-8e64c1c5

External sharing:

with SPO: https://docs.microsoft.com/en-us/sharepoint/external-sharing-overview

with OneDrive: https://docs.microsoft.com/en-us/onedrive/manage-sharing

with MS Teams: https://docs.microsoft.com/en-us/microsoftteams/let-your-teams-users-communicate-with-other-people

Sharing and collaboration:

https://docs.microsoft.com/en-us/office365/enterprise/office-365-inter-tenant-collaboration

B2B Collaboration in Hybrid Identity Scenario

B2B Collaboration in Hybrid Identity Scenario – Part II

By default Azure AD Connect will synchronize disabled accounts from AD to AAD. This is normal and is recommended because of Exchange hybrid and EXO requirements.


It is possible to create a custom rule in the Azure AD Connect Synchronization Rules Editor so that disabled AD accounts are not synchronized:

https://spanougakis.wordpress.com/2016/02/28/how-to-stop-disabled-user-accounts-from-syncing-with-azure-ad-connect/


Office 365 – Assigning licenses

Managing licenses with AzureAD module:

https://practical365.com/blog/managing-office-365-licenses-with-azure-ad-v2-powershell-module/


Managing licenses with MSonline module:

https://gcits.com/knowledge-base/get-office-365-users-specific-license-type-via-powershell/

https://www.morgantechspace.com/2018/02/check-if-office-365-user-is-licensed-or-not-powershell.html


Assign licenses with AzureAD groups:

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-licensing-group-assignment-azure-portal


As we prepare for the migration from on-premises Skype for Business to Skype for Business Online, there are a few important considerations to bear in mind before you take the leap. I will be covering these in a series of posts (hopefully); today I want to share with you a common scenario we will face while preparing for migration.

We are well aware of the prerequisite for Office 365 that demands an Active Directory synchronised user must have a publicly routable User Principal Name (UPN). So critical is this requirement that it is now ingrained in every consultant’s mind, and increasingly customers are becoming aware of it without us even mentioning it. However, this can often produce its own unique challenges.

Many organisations set their users up with an ambiguous username, something that does not immediately identify a user by name, e.g. a134g@domain.com rather than markv@domain.com. This is to avoid name conflicts and was often used as an additional domain security measure. When a user is synchronised to Office 365 their UPN is used to provision the identity and service addresses for Exchange and Skype for Business. Often the users’ UPNs do not match their publicly available contact information such as their e-mail address. E-mail addresses are usually more personable to each user and contain their true identity, e.g. markv@domain.com. In order to integrate Skype for Business Online with Exchange properly it is important that the user’s SIP address matches their primary e-mail address, i.e. markv@domain.com and not a134g@domain.com.

However, when you perform an AD Sync with Office 365 the user’s Skype for Business Online identity is provisioned using the UPN like so:

On-premises Identity (UPN = a134g@domain.org)

Synchronised identity in the Office 365 portal (also a134g@domain.org)

PowerShell output showing primary SIP Address in Skype for Business Online


In order to change this, the solution is to look at and edit the on-premises identity, as this is the source of authority for this person’s cloud identity. Specifically, we need to modify an attribute on the user’s Active Directory account called msRTCSIP-PrimaryUserAddress. In order to find this attribute, your on-premises Active Directory domain must have been prepared for Lync / Skype for Business on-premises. Therefore, you may need to download the on-premises software and run AD schema preparation to have this property available. I say ‘may’; read on.

First, find and change this attribute

Click on Edit and enter the desired address in this format: sip:markv@domain.org

Perform directory synchronisation using AADSync and then check the SIP address of the online identity. You should see that it has changed.

Please note that this only works for synchronised identities. Cloud identities must be provisioned with the primary SIP address as the username.

If you have not prepared your Active Directory domain for on-premises Lync / Skype for Business and do not have the msRTCSIP-PrimaryUserAddress attribute, there is an alternative method you can use. Instead we can use the ProxyAddresses attribute that is natively part of Active Directory. This is the same attribute you use for provisioning e-mail addresses to get around the same issue we have here. Open the ProxyAddresses attribute and add a new proxy address to the list using the following format: sip:markv@domain.org

Perform a directory synchronisation and test the SIP address has been updated correctly
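The two attribute edits described above can be scripted so that the SIP address is always derived from the user's primary e-mail address rather than typed by hand, and so that the right attribute is chosen depending on whether the schema was extended. The script below is an added example, not code from the original post; it assumes the ActiveDirectory RSAT module and rights to edit the user, and `$SamAccountName` is a placeholder for the account being fixed.

```powershell
# Added example, not part of the original post. Sets a synchronised user's SIP
# address on-premises so that directory sync provisions Skype for Business
# Online with the primary e-mail address instead of the UPN.
# Assumes the ActiveDirectory module; $SamAccountName is a placeholder.
param(
    [Parameter(Mandatory)] [string]$SamAccountName   # e.g. the a134g account from the post
)
Import-Module ActiveDirectory

$user = Get-ADUser -Identity $SamAccountName -Properties mail, proxyAddresses, 'msRTCSIP-PrimaryUserAddress'
if (-not $user.mail) { throw "$SamAccountName has no mail attribute; cannot derive a SIP address." }

# The SIP address must match the primary SMTP address, e.g. sip:markv@domain.org
$sip = 'sip:' + $user.mail.ToLower()

# Does the Lync / Skype for Business schema extension exist in this forest?
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$hasRtcSchema = [bool](Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=msRTCSIP-PrimaryUserAddress)')

if ($hasRtcSchema) {
    # Preferred path: the dedicated attribute
    Set-ADUser -Identity $user -Replace @{ 'msRTCSIP-PrimaryUserAddress' = $sip }
    Write-Host "Set msRTCSIP-PrimaryUserAddress to $sip"
}
else {
    # Fallback path: a sip: entry in proxyAddresses, the attribute also used for e-mail aliases.
    # Remove any stale sip: entry first so the user does not end up with two.
    $existingSip = @($user.proxyAddresses | Where-Object { $_ -like 'sip:*' })
    if ($existingSip.Count -gt 0) {
        Set-ADUser -Identity $user -Remove @{ proxyAddresses = $existingSip }
    }
    Set-ADUser -Identity $user -Add @{ proxyAddresses = $sip }
    Write-Host "Added $sip to proxyAddresses"
}

# Show the result so it can be checked before the next synchronisation cycle
Get-ADUser -Identity $SamAccountName -Properties proxyAddresses, 'msRTCSIP-PrimaryUserAddress' |
    Select-Object UserPrincipalName, 'msRTCSIP-PrimaryUserAddress',
                  @{ n = 'SipProxy'; e = { $_.proxyAddresses -like 'sip:*' } }
```

Only one of the two attributes is written, matching the post's advice: the schema attribute when it exists, otherwise proxyAddresses. Either way the change still has to flow through a directory synchronisation before the online SIP address updates, and it applies only to synchronised identities.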

Key properties of the Azure AD B2B collaboration user

Reference: https://docs.microsoft.com/en-us/azure/active-directory/b2b/user-properties

UserType

This property indicates the relationship of the user to the host tenancy. This property can have two values:

  • Member: This value indicates an employee of the host organization and a user in the organization’s payroll. For example, this user expects to have access to internal-only sites. This user is not considered an external collaborator.
  • Guest: This value indicates a user who isn’t considered internal to the company, such as an external collaborator, partner, or customer. Such a user isn’t expected to receive a CEO’s internal memo or receive company benefits, for example.

    Note

    The UserType has no relation to how the user signs in, the directory role of the user, and so on. This property simply indicates the user’s relationship to the host organization and allows the organization to enforce policies that depend on this property.

Source

This property indicates how the user signs in.

  • Invited User: This user has been invited but has not yet redeemed an invitation.
  • External Active Directory: This user is homed in an external organization and authenticates by using an Azure AD account that belongs to the other organization.
  • Microsoft account: This user is homed in a Microsoft account and authenticates by using a Microsoft account.
  • Windows Server Active Directory: This user is signed in from on-premises Active Directory that belongs to this organization.
  • Azure Active Directory: This user authenticates by using an Azure AD account that belongs to this organization.

    Note

    Source and UserType are independent properties. A value of Source does not imply a particular value for UserType.

If your organization has multiple Azure AD (AAD) directories, perhaps due to security requirements or to mergers and acquisitions, it may be a good idea to add guest users from the other AAD directories as members.

The main difference between a Guest and a Member is in the lookup rights to the directory. A guest typically cannot look up users and groups the way a Member user can. A member needs this for self-service reasons and to look up contact information for other users, while you would typically not want a guest to do that.

In order to convert the user, you currently have to use PowerShell. You need to have the AzureAD module installed on your computer.

  1. Log into your Azure AD tenant:
  2. Convert the user

    You may want to search for the user using just Get-AzureADUser first.
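The two steps above, written out as an added example that is not part of the original post. It assumes the AzureAD module and a Global Administrator sign-in; `$GuestUpn` is a placeholder for the guest's user principal name in your tenant. The lookup is done with an exact `-Filter` rather than `-SearchString` so that a partial match cannot convert the wrong account, and the UserType is read back afterwards instead of assumed.

```powershell
# Added example, not part of the original post. Converts a B2B guest from
# another Azure AD tenant into a Member, with lookup and verification.
# Assumes the AzureAD module; $GuestUpn is a placeholder.
param(
    [Parameter(Mandatory)] [string]$GuestUpn   # e.g. 'jane_partner.example#EXT#@contoso.onmicrosoft.com' (placeholder)
)

# Step 1: log into your Azure AD tenant
Connect-AzureAD | Out-Null

# Look the user up first; an exact filter avoids ambiguous -SearchString matches
$guest = Get-AzureADUser -Filter "userPrincipalName eq '$GuestUpn'"
if (-not $guest) { throw "No user found for $GuestUpn" }
if ($guest.UserType -ne 'Guest') {
    Write-Warning "$GuestUpn is already UserType=$($guest.UserType); nothing to do."
    return
}
Write-Host ("Before: UserType={0} CreationType={1}" -f $guest.UserType, $guest.CreationType)

# Step 2: convert the user. UserType only changes the relationship to the host
# tenant (directory lookup rights); how the user signs in (Source) is unchanged.
Set-AzureADUser -ObjectId $guest.ObjectId -UserType Member

# Read back rather than trusting the cmdlet's silence
$after = Get-AzureADUser -ObjectId $guest.ObjectId
if ($after.UserType -ne 'Member') { throw "Conversion failed; UserType is $($after.UserType)" }
Write-Host "After: UserType=$($after.UserType)"
```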

Office 365 Auditing

It can take up to 30 minutes or up to 24 hours after an event occurs for the corresponding audit log entry to be displayed in the search results. The following table shows the time it takes for the different services in Office 365.

Office 365 service 30 minutes 24 hours
Azure Active Directory (admin events) yes
Azure Active Directory (user login events) yes
Exchange Online yes
Microsoft Teams yes
Power BI yes
Security & Compliance Center yes
SharePoint Online and OneDrive for Business yes
Sway yes
Yammer yes


  • Azure Active Directory (Azure AD) is the directory service for Office 365. The unified audit log contains user, group, application, domain, and directory activities performed in the Office 365 admin center or in the Azure management portal. For a complete list of Azure AD events, see Azure Active Directory Audit Report Events.
  • Exchange Online audit logs consist of two types of events: Exchange admin events (actions taken by administrators) and mailbox events (actions taken by users on mailboxes). Note that mailbox auditing isn’t enabled by default. It must be enabled for each user mailbox before mailbox events can be searched for in the Office 365 audit log. For more information about mailbox auditing and the mailbox auditing actions that are logged, see Enable mailbox auditing in Office 365.
  • Audit logging for Power BI isn’t enabled by default. To search for Power BI activities in the Office 365 audit log, you have to enable auditing in the Power BI admin portal. For instructions, see Auditing Power BI.

Note: We’re in the process of turning on auditing by default. Until then, you can turn it on manually.

If you face longer delays than those described in the table, kindly let me know.

Turn off an activity alert for Auditing

You can turn off an activity alert so that an email notification isn’t sent. After you turn off the activity alert, it’s still displayed in the list of activity alerts for your organization, and you can still view its properties.

  • Go to https://protection.office.com.
  • Sign in to Office 365 using your work or school account.
  • In the left pane, click Alerts, and then click Manage activity alerts.
  • In the list of alerts for your organization, click the alert that you want to turn off.
  • On the Edit alert page, click the On toggle switch to change the status to Off, and then click Save.

The status of the alert on the Activity alerts pages is set to Off.

To turn an activity alert back on, just repeat these steps and click the Off toggle switch to change the status to On.

Create activity alerts in the Office 365 Security & Compliance Center
https://support.office.com/en-us/article/create-activity-alerts-in-the-office-365-security-compliance-center-72bbad69-035b-4d33-b8f4-549a2743e97d

Reference: https://docs.microsoft.com/en-us/office365/securitycompliance/enable-mailbox-auditing

Scripts:

https://github.com/O365AES/Scripts

To get status:

Get-Mailbox "office365user" | FL Audit*

AuditEnabled : True
AuditLogAgeLimit : 90.00:00:00
AuditAdmin : {Update, Copy, Move, MoveToDeletedItems…}
AuditDelegate : {Update, Move, MoveToDeletedItems, SoftDelete…}
AuditOwner : {}


To setup mailbox audit logging for all user mailboxes in your organization:

Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditEnabled $true
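Because mailbox auditing is off by default and newly created mailboxes will not be covered by a one-off run of the command above, the check is worth repeating as a report. The script below is an added example, not code from the original post or from the linked O365AES repository: it lists user mailboxes whose `AuditEnabled` is False and, with `-Fix`, enables them with the 90-day `AuditLogAgeLimit` shown in the sample output above, then re-reads the setting. It assumes an Exchange Online PowerShell session is already open.

```powershell
# Added example, not part of the original post. Reports user mailboxes with
# auditing disabled and optionally enables it, then verifies.
# Assumes an existing Exchange Online PowerShell session.
param(
    [switch]$Fix   # without -Fix the script only reports
)

# Same scope as the post's one-liner: user mailboxes only
$mailboxes = @(Get-Mailbox -ResultSize Unlimited -Filter { RecipientTypeDetails -eq "UserMailbox" })
$notAudited = @($mailboxes | Where-Object { -not $_.AuditEnabled })

Write-Host ("{0} of {1} user mailboxes have AuditEnabled = False" -f $notAudited.Count, $mailboxes.Count)
$notAudited | Select-Object UserPrincipalName, AuditEnabled, AuditLogAgeLimit | Format-Table -AutoSize

if ($Fix -and $notAudited.Count -gt 0) {
    # Enable auditing and keep 90 days of entries (the default seen in the post's output)
    $notAudited | Set-Mailbox -AuditEnabled $true -AuditLogAgeLimit '90.00:00:00'

    # Re-read each mailbox instead of assuming Set-Mailbox succeeded
    $still = @($notAudited |
        ForEach-Object { Get-Mailbox -Identity $_.Identity } |
        Where-Object { -not $_.AuditEnabled })

    if ($still.Count -gt 0) {
        Write-Warning ("{0} mailboxes still have auditing disabled:" -f $still.Count)
        $still | Select-Object UserPrincipalName | Format-Table -AutoSize
    }
    else {
        Write-Host 'All user mailboxes now have auditing enabled.'
    }
}
```

Run without parameters for a read-only report suitable for a scheduled task; add `-Fix` to remediate. Remember from the table above that mailbox events can take up to 30 minutes to appear in the audit log search after auditing is enabled.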