Category: Office365


Introduction to device management in Azure Active Directory:

https://docs.microsoft.com/fr-fr/azure/active-directory/devices/overview

https://docs.microsoft.com/en-us/azure/active-directory/device-management-introduction#getting-devices-under-the-control-of-azure-ad

As a rule of thumb, you should use:

  • Azure AD registered devices:
    • For personal devices
    • To manually register devices with Azure AD
  • Azure AD joined devices:
    • For devices that are owned by your organization
    • For devices that are not joined to an on-premises AD
    • To manually register devices with Azure AD
    • To change the local state of a device
  • Hybrid Azure AD joined devices:
    • For devices that are owned by your organization
    • For devices that are joined to an on-premises AD
    • To automatically register devices with Azure AD
    • To change the local state of a device

How to Setup: https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan


Azure AD registered devices:

https://docs.microsoft.com/en-us/azure/active-directory/device-management-introduction#azure-ad-registered-devices

 

Hybrid Azure AD joined devices:

https://docs.microsoft.com/en-us/azure/active-directory/device-management-introduction#hybrid-azure-ad-joined-devices

 

To configure Hybrid Azure AD joined devices, kindly visit the link:

https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-manual-steps

 

Azure AD joined devices:

https://docs.microsoft.com/en-us/azure/active-directory/device-management-introduction#azure-ad-joined-devices

 

Azure AD Join vs Azure AD Device Registration:

https://blogs.technet.microsoft.com/trejo/2016/04/09/azure-ad-join-vs-azure-ad-device-registration/

 

Manage devices:

https://docs.microsoft.com/en-us/azure/active-directory/device-management-azure-portal#manage-devices

 

Device management tasks:

https://docs.microsoft.com/en-us/azure/active-directory/device-management-azure-portal#device-management-tasks

 

Configure On-Premises Conditional Access using registered devices:

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-device-based-conditional-access-on-premises

 

 


The ProxyAddress attribute is used by different applications and can store different types of user addresses (sip, smtp, x500).

If you sync accounts with a non-verified domain to O365, those addresses can be replaced with the default onmicrosoft.com domain.

Some interesting reading regarding this topic:

ADConnect not Syncing ProxyAccount for email Alias from on Premise AD to Azure AD

https://social.msdn.microsoft.com/Forums/azure/en-US/3226e41c-1db1-4299-9f24-0179e05fac09/adconnect-not-syncing-proxyaccount-for-email-alias-from-on-premise-ad-to-azure-ad-i-am-using?forum=WindowsAzureAD

List of attributes that are synced by the Azure Active Directory Sync Tool

https://social.technet.microsoft.com/wiki/contents/articles/19901.dirsync-list-of-attributes-that-are-synced-by-the-azure-active-directory-sync-tool.aspx

A mail user who has proxy addresses that use non-verified domains isn’t synced in an Exchange hybrid deployment

https://support.microsoft.com/en-us/help/3124148/a-mail-user-who-has-proxy-addresses-that-use-non-verified-domains-isn

Wrong domain address when synchronizing from on premise AD

https://social.msdn.microsoft.com/Forums/azure/en-US/7ddc1885-850d-487f-bf40-a91f1f5d15c8/wrong-domain-address-when-synchronizing-from-on-premise-ad?forum=WindowsAzureAD

Azure AD Connect sync: Attributes synchronized to Azure Active Directory

https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized

Disabling SSL/TLS Protocols and Cipher Suites for ADFS:

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs

https://jorgequestforknowledge.wordpress.com/2017/03/01/hardening-disabling-weak-ciphers-hashes-and-protocols-on-adfs-wap-aad-connect/

Note: don't forget to reboot the WAP and ADFS servers for the changes to take effect.

To test SSL/TLS and much more you can use the free online tool from Qualys:

https://www.ssllabs.com/ssltest/index.html

 

https://support.office.com/en-us/article/Hybrid-Modern-Authentication-overview-and-prerequisites-for-using-it-with-on-premises-Skype-for-Business-and-Exchange-servers-ef753b32-7251-4c9e-b442-1a5aec14e58d

 

 

Mono-tenant versus multi-tenant: https://support.office.com/en-us/article/office-365-inter-tenant-collaboration-eb45fd8b-1d5d-4b0c-9c5a-479dbb176e7d

There are drawbacks to using multi-tenant, such as:

  • A domain namespace cannot be shared across multiple tenants; each tenant must have its own namespace; UPN, SMTP and SIP namespaces cannot be shared
  • An Exchange organisation and Azure AD Connect cannot be split across multiple tenants
  • Accounts cannot be shared and cannot be duplicated between the tenants
  • Licenses and subscriptions are managed separately

Reference article:

https://docs.microsoft.com/en-us/exchange/recipients-in-exchange-online/delete-or-restore-mailboxes

 

remove-user -identity UPN

Wait for synchronization.

disable-mailbox UPN -permanentlydisable -ignorelegalhold

 

To test SSL/TLS and much more you can use the free online tool from Qualys:

https://www.ssllabs.com/ssltest/index.html

Links related to TLS which I have consulted:

Solving the TLS problem ==> https://www.microsoft.com/en-us/download/details.aspx?id=55266

How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll ==> https://support.microsoft.com/en-us/help/245030/how-to-restrict-the-use-of-certain-cryptographic-algorithms-and-protoc

TLS/SSL Settings ==> https://technet.microsoft.com/en-us/library/dn786418(v=ws.11).aspx#BKMK_SchannelTR_TLS10

Managing SSL/TLS Protocols and Cipher Suites for ADFS:

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs

https://jorgequestforknowledge.wordpress.com/2017/03/01/hardening-disabling-weak-ciphers-hashes-and-protocols-on-adfs-wap-aad-connect/

 

This will simplify the lineup of troubleshooting tools available for Outlook while at the same time provide the same level of Outlook scanning capabilities as OffCAT. In addition, SaRA also offers several enhancements including the ability to identify and fix specific issues with Outlook, Office Setup, OneDrive for Business, and several other Office programs.

https://blogs.technet.microsoft.com/exchange/2018/04/17/offcats-replacement-microsoft-support-and-recovery-assistant-sara/

Which OffCAT features are not found today in SaRA?

The OffCAT team migrated the most frequently used features to SaRA. Here are the features that were not migrated and links to alternative resources (if available).

Note, SaRA does provide scenarios that identify and address issues with the following Office programs:

  • Outlook
  • Office Setup and Activation
  • OneDrive for Business
  • Skype for Business
  • KMS client activation

To troubleshoot KMS activation issues, we recommend these resources:
Troubleshoot volume activation for Office 2016
Troubleshoot volume activation for Office 2013

  • Real-time logging

Understanding the precedence of retention policies between the Security & Compliance center and the other O365 applications:

https://support.office.com/en-us/article/overview-of-retention-policies-5e377752-700d-4870-9b6d-12bfc12d2423#principles

Office 365 groups retention and expiration:

A retention policy defined in the Security & Compliance center wins.

After expiration (inactivity days), the O365 group will be soft deleted and can be recovered in the next 30 days, except if a retention policy is greater. The owner(s) will be informed 30 days, 15 days and 1 day before group expiration.

https://www.petri.com/better-office-365-group-expiration

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-groups-lifecycle-azure-portal

 

OneDrive data deletion and retention:

By default, 30 days.

https://support.microsoft.com/en-us/help/3042522/onedrive-for-business-retention-and-deletion

http://info.adaptivedge.com/blog/2017/04/30/how-to-enable-office-365-group-writeback-for-a-hybrid-coexistence-environment