Category: Office365


Reference article:

https://docs.microsoft.com/en-us/azure/security/fundamentals/steps-secure-identity

Doc to disable the user consent:

https://docs.microsoft.com/en-us/azure/security/fundamentals/steps-secure-identity#restrict-user-consent-operations

Best practices:

There are many aspects to a secure identity infrastructure, but this five-step checklist will help you quickly reach a safer identity infrastructure:

  • Strengthen your credentials.
  • Reduce your attack surface area.
  • Automate threat response.
  • Increase your awareness of auditing and monitoring.
  • Enable more predictable and complete end-user security with self-help.

Detailed action plan:

  • Make sure your organization uses strong authentication
  • Start banning commonly attacked passwords, and turn off traditional complexity and expiration rules
  • Protect against leaked credentials and add resilience against outages
  • Implement AD FS extranet smart lockout
  • Block legacy authentication
  • Block invalid authentication entry points
  • Implement Azure AD Privileged Identity Management (PIM)
  • Implement user risk security policy using Azure AD Identity Protection
  • Implement sign-in risk policy using Azure AD Identity Protection
  • Monitor Azure AD
  • Monitor Azure AD Connect Health in hybrid environments
  • Monitor Azure AD Identity Protection events
  • Audit apps and consented permissions
  • Implement self-service password reset
  • Implement self-service group and application access
  • Implement Azure AD access reviews
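For the "audit apps and consented permissions" and "restrict user consent" items, here is an added PowerShell example (not from the reference article). It lists every OAuth2 permission grant in the tenant, flags user-consented grants that carry mailbox, file or directory scopes, and then turns off end-user consent. It assumes the AzureAD and MSOnline modules are installed and that you are connected with Connect-AzureAD and Connect-MsolService as a Global Administrator; the list of "risky" scopes is my own watch-list, not a Microsoft-defined set.

```powershell
# Added example: audit app consents, then disable user consent (AzureAD + MSOnline modules assumed).
# Run first, as Global Administrator:  Connect-AzureAD ; Connect-MsolService

# Scopes that give an app mailbox, file or directory access. My own watch-list; adjust to your risk appetite.
$RiskyScopes = @('Mail.Read', 'Mail.ReadWrite', 'Mail.Send', 'Files.Read.All', 'Files.ReadWrite.All',
                 'Directory.Read.All', 'Directory.ReadWrite.All', 'Contacts.Read', 'offline_access')

function Get-ConsentedAppReport {
    # Resolve service principals once so each grant can be mapped to an app name and publisher.
    $sps = @{}
    Get-AzureADServicePrincipal -All $true | ForEach-Object { $sps[$_.ObjectId] = $_ }

    foreach ($grant in Get-AzureADOAuth2PermissionGrant -All $true) {
        $scopes = ($grant.Scope -split ' ') | Where-Object { $_ }
        $risky  = $scopes | Where-Object { $RiskyScopes -contains $_ }
        $client = $sps[$grant.ClientId]

        # 'AllPrincipals' = admin consent for the whole tenant, 'Principal' = one user consented for themselves.
        $consentedBy = 'admin (tenant-wide)'
        if ($grant.ConsentType -eq 'Principal' -and $grant.PrincipalId) {
            $consentedBy = (Get-AzureADUser -ObjectId $grant.PrincipalId).UserPrincipalName
        }

        [pscustomobject]@{
            App         = if ($client) { $client.DisplayName } else { $grant.ClientId }
            AppId       = if ($client) { $client.AppId } else { $null }
            Publisher   = if ($client) { $client.PublisherName } else { $null }
            ConsentType = $grant.ConsentType
            ConsentedBy = $consentedBy
            Scopes      = $scopes -join ' '
            RiskyScopes = $risky -join ' '
            GrantId     = $grant.ObjectId     # needed to revoke the grant
        }
    }
}

# User-consented grants carrying risky scopes are the usual footprint of an illicit-consent (OAuth phishing) app.
$report = Get-ConsentedAppReport
$report | Where-Object { $_.ConsentType -eq 'Principal' -and $_.RiskyScopes } |
    Sort-Object App | Format-Table App, Publisher, ConsentedBy, RiskyScopes, GrantId -AutoSize

# Revoke a grant you do not recognise (GrantId from the report above):
# Remove-AzureADOAuth2PermissionGrant -ObjectId <GrantId>

# Finally, stop users from consenting to new apps (the "restrict user consent" setting from the doc above).
Set-MsolCompanySettings -UsersPermissionToUserConsentToAppEnabled $false
Get-MsolCompanyInformation | Select-Object UsersPermissionToUserConsentToAppEnabled
```

Review the report before flipping the setting: apps your users legitimately rely on should be re-granted by an admin (tenant-wide consent) so they keep working once user consent is disabled.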

https://docs.microsoft.com/en-us/office365/admin/activity-reports/activity-reports?view=o365-worldwide

How to:

Before configuring AD FS extranet smart lockout, remove your admin account from the AD "Protected Users" group, otherwise the configuration steps can fail with access denied.

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-smart-lockout-protection

Articles:

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-soft-lockout-protection

https://blog.dacimm.com/audit-adfs-extranet-lockout-protection-81620ec055df

https://community.spiceworks.com/topic/673038-continuous-account-lockouts-from-adfs

https://blogs.technet.microsoft.com/pie/2016/02/02/ad-fun-services-track-down-the-source-of-adfs-lockouts/

https://blogs.msdn.microsoft.com/luzhao1/2015/06/24/demystify-extranet-lockout-feature-in-ad-fs-3-0/

https://s4erka.wordpress.com/2018/11/02/ad-fs-2016-extranet-smart-lockout-eventids-1203-and-1210-clarification/

https://s4erka.wordpress.com/2018/11/09/powershell-script-to-collect-adfs-extranet-smart-lockout-events-sequence/

 

Primary Domain Controller Requirement

AD FS 2016 offers a parameter that allows fallback to another domain controller when the PDC is unavailable:

  • ExtranetLockoutRequirePDC <Boolean>: when enabled, extranet lockout requires the primary domain controller (PDC). When disabled, extranet lockout falls back to another domain controller if the PDC is unavailable.

The following example enables lockout with the PDC requirement disabled:

    Set-AdfsProperties -EnableExtranetLockout $true -ExtranetLockoutThreshold 8 -ExtranetObservationWindow (New-TimeSpan -Minutes 30) -ExtranetLockoutRequirePDC $false

PS C:\WINDOWS\system32> get-adfsproperties | select *extra*

ExtranetLockoutThreshold  : 8
ExtranetLockoutMode       : ADPasswordCounter
ExtranetLockoutEnabled    : True
ExtranetObservationWindow : 00:30:00
ExtranetLockoutRequirePDC : True

PS C:\WINDOWS\system32> $cred = Get-Credential

cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential
PS C:\WINDOWS\system32> Update-AdfsArtifactDatabasePermission -Credential $cred
PS C:\WINDOWS\system32> Set-AdfsProperties -ExtranetLockoutMode AdfsSmartlockoutLogOnly

Confirm
This command will set the extranet lockout mode to AdfsSmartLockout.  Verify all nodes have up to date patches and appropriate database permissions have been assigned by
running Update-AdfsArtifactDatabasePermission.  See https://go.microsoft.com/fwlink/?linkid=864556 for more information.
[Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): Y
WARNING: PS0038: This action requires a restart of the AD FS Windows Service. If you have deployed a federation server farm, restart the service on every server in the farm.
PS C:\WINDOWS\system32> restart-service adfssrv
WARNING: Waiting for service 'Active Directory Federation Services (adfssrv)' to stop...
WARNING: Waiting for service 'Active Directory Federation Services (adfssrv)' to stop...
WARNING: Waiting for service 'Active Directory Federation Services (adfssrv)' to stop...
WARNING: Waiting for service 'Active Directory Federation Services (adfssrv)' to stop...
WARNING: Waiting for service 'Active Directory Federation Services (adfssrv)' to start...
WARNING: Waiting for service 'Active Directory Federation Services (adfssrv)' to start...

 

Observing Audit Events

AD FS will write extranet lockout events to the security audit log:

  • When a user is locked out (reaches the lockout threshold for unsuccessful login attempts)
  • When AD FS receives a login attempt for a user who is already in lockout state

While in log-only mode, check the security audit log for lockout events. For any event found, check the user state with the Get-ADFSAccountActivity cmdlet to determine whether the failed attempts came from familiar or unfamiliar IP addresses (smart lockout counts the two separately, so a user locked only from unknown IPs is being attacked rather than mistyping their own password), and to double-check the list of familiar IP addresses for that user.

 

Enable enforce mode

Once you have been running in log-only mode long enough for AD FS to learn login locations and for you to observe any lockout activity, and once you are comfortable with the lockout threshold and observation window, smart lockout can be moved to "enforce" mode using the PowerShell cmdlet below:

PS C:\>Set-AdfsProperties -ExtranetLockoutMode AdfsSmartLockoutEnforce

For the new mode to take effect, restart the AD FS service on all nodes in the farm:

PS C:\>Restart-service adfssrv
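The whole procedure above (Protected Users preflight, database permission, log-only mode, event collection, Get-ADFSAccountActivity triage, enforce mode) as one added PowerShell script. This is my own example, not code from the Microsoft article. It assumes you run it elevated on the primary AD FS 2016 node with the ActiveDirectory RSAT module available for the preflight check; event IDs 1203 and 1210 are the smart lockout events named in the s4erka article referenced above, while the provider name 'AD FS Auditing', the position of the UPN in the event payload and the Get-ADFSAccountActivity property names are assumptions to verify on your own farm.

```powershell
# Added example: AD FS 2016 extranet smart lockout, from preflight to enforce mode.
# Run elevated on the primary AD FS node. ActiveDirectory RSAT module assumed for the preflight check.
# Event IDs 1203/1210 come from the referenced s4erka article; provider name 'AD FS Auditing',
# the UPN field position and Get-ADFSAccountActivity property names are assumptions: verify on your farm.

function Test-ProtectedUsersMembership {
    # Members of 'Protected Users' can hit access denied during the setup steps below; bail out early.
    $groups = Get-ADPrincipalGroupMembership -Identity $env:USERNAME | Select-Object -ExpandProperty Name
    if ($groups -contains 'Protected Users') {
        throw "$env:USERNAME is in 'Protected Users'; remove it (temporarily) before configuring smart lockout."
    }
}

function Set-SmartLockoutLogOnly {
    param(
        [int]$Threshold = 8,          # failed attempts before lockout
        [int]$WindowMinutes = 30,     # observation window
        [bool]$RequirePDC = $false    # $false: fall back to another DC when the PDC is unavailable
    )
    # The artifact database must be writable by the service account before switching modes.
    Update-AdfsArtifactDatabasePermission -Credential (Get-Credential -Message 'AD FS admin credential')
    Set-AdfsProperties -EnableExtranetLockout $true `
                       -ExtranetLockoutThreshold $Threshold `
                       -ExtranetObservationWindow (New-TimeSpan -Minutes $WindowMinutes) `
                       -ExtranetLockoutRequirePDC $RequirePDC
    Set-AdfsProperties -ExtranetLockoutMode AdfsSmartLockoutLogOnly -Confirm:$false
    Restart-Service adfssrv    # repeat on every node of the farm
}

function Get-SmartLockoutEvents {
    param([int]$Hours = 24)
    # 1203: account reached the lockout threshold; 1210: request for an account already in lockout state.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Security'
        ProviderName = 'AD FS Auditing'
        Id           = 1203, 1210
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Node    = $_.MachineName
            Account = $_.Properties[0].Value   # UPN as first payload field: assumption, check your events
        }
    }
}

function Get-LockoutSource {
    param([Parameter(Mandatory)][string]$Upn)
    # Smart lockout counts failures from familiar (previously successful) and unknown IPs separately,
    # so a user locked only from unknown IPs is being attacked, not mistyping their own password.
    $a = Get-ADFSAccountActivity -Identity $Upn
    $verdict = 'no recent failures'
    if ($a.BadPwdCountUnknown -gt $a.BadPwdCountFamiliar) { $verdict = 'attack from unknown IPs' }
    elseif ($a.BadPwdCountFamiliar -gt 0) { $verdict = 'failures from familiar IPs (user or cached credentials)' }
    [pscustomobject]@{
        Account         = $Upn
        FamiliarIps     = $a.FamiliarIps -join ', '
        BadPwdFamiliar  = $a.BadPwdCountFamiliar
        BadPwdUnknown   = $a.BadPwdCountUnknown
        LastFailUnknown = $a.LastFailedAuthUnknown
        Verdict         = $verdict
    }
}

function Enable-SmartLockoutEnforce {
    # Only after enough log-only time to learn familiar locations and to review the 1203/1210 volume.
    Set-AdfsProperties -ExtranetLockoutMode AdfsSmartLockoutEnforce -Confirm:$false
    Restart-Service adfssrv    # again, on every node
}

# Typical run, step by step:
# Test-ProtectedUsersMembership
# Set-SmartLockoutLogOnly -Threshold 8 -WindowMinutes 30
# Get-SmartLockoutEvents -Hours 24 | Group-Object Account | Sort-Object Count -Descending
# Get-LockoutSource -Upn 'user@contoso.com'
# Enable-SmartLockoutEnforce
```

Get-ADFSAccountActivity queries the node holding the artifact database for the user's current counters, so run the triage on the primary node; a user locked out from unknown IPs only can be released with Reset-ADFSAccountLockout without touching the familiar-location state.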

How to choose between authentication methods:

https://docs.microsoft.com/en-us/azure/security/fundamentals/choose-ad-authn#comparing-methods

 

 

 

Microsoft Office 365 roadmap:

For significant updates, Office customers are initially notified by the O365 roadmap: https://www.microsoft.com/en-us/microsoft-365/roadmap

As an update gets closer to rolling out, it is communicated through your Office 365 Message center.

Microsoft Azure roadmap:

https://azure.microsoft.com/en-us/updates/

Microsoft cloud platform:

https://www.microsoft.com/en-us/microsoft-365/enterprise-mobility-security

Graph explorer: 

https://developer.microsoft.com/en-us/graph/graph-explorer

https://graphexplorer.azurewebsites.net/

News from Ignite 2019:

https://developer.microsoft.com/en-us/office/blogs/ignite-2019-microsoft-graph-news/

 

Resources for MS graph API:

https://docs.microsoft.com/en-us/graph/security-concept-overview

https://github.com/microsoftgraph/security-api-solutions/tree/master/Samples/PowerShell

https://www.petri.com/exploring-office-365-graph-explorer

 

How to access Azure AD using Microsoft GRAPH:

https://www.bing.com/videos/search?q=how+to+access+azure+AD+using+microsoft+graph&qpvt=how+to+access+azure+AD+using+microsoft+graph&FORM=VDRE

Previous:

https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-graph-api-quickstart

 

New MS graph API add-on for splunk:

https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Introducing-the-new-Microsoft-Graph-Security-API-add-on-for/ba-p/815972

 

 

 

https://adsecurity.org/wp-content/uploads/2019/08/2019-BlackHat-US-Metcalf-Morowczynski-AttackingAndDefendingTheMicrosoftCloud.pdf

Here are resources about Azure and Office 365; first a short summary:

Office 365 is an offer of hosted Microsoft services and applications (SaaS): you pay for a service (SharePoint, Exchange, Office...) and you do not manage the infrastructure behind it (CPU, RAM, storage, platform security).

Azure is a cloud offer (public/private, PaaS/IaaS): compared to Office 365, Microsoft provides just the plumbing (Hyper-V, storage, CPU, RAM, network) and, for IaaS, you manage the operating system, the patches, the applications and their security; in short "it is like Lego or Meccano", and with Azure you can mix your on-premises IT infrastructure with Azure in the cloud (and vice versa).

Web resources for Azure:

Domains FAQ: https://docs.microsoft.com/en-us/office365/admin/setup/domains-faq

Domain take over: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/domains-admin-takeover

Azure tips and tricks: https://azure.microsoft.com/en-us/blog/azure-tips-and-tricks-become-more-productive-with-azure/

Azure subscription and naming convention: https://blogs.technet.microsoft.com/dsilva/2017/11/10/azure-subscription-governance-resource-group-and-naming-convention-strategies/

Azure RBAC: https://docs.microsoft.com/en-us/azure/role-based-access-control/overview

Manage VM: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/

Main: http://www.windowsazure.com

Azure cost calculator: https://azure.microsoft.com/en-us/pricing/calculator/?scenario=full

White papers: http://aka.ms/livresblancs

Azure health status: https://status.azure.com/en-us/status

Choose the right authentication method: https://docs.microsoft.com/en-us/azure/security/fundamentals/choose-ad-authn

AzureAD connect: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-version-history

Other resources:

To go deeper: https://docs.microsoft.com/en-us/azure/

Forum: https://azure.microsoft.com/en-us/support/community/

Seyf’s blog: https://seyfallah-it.blogspot.com/

Web resources for Office 365:

Office 365 for business get started: https://support.office.com/en-us/article/Get-started-with-Office-365-for-business-d6466f0d-5d13-464a-adcb-00906ae87029

Roadmap: https://products.office.com/en-us/business/office-365-roadmap

Fasttrack: http://fasttrack.microsoft.com/office/drive-value/engage

Productivity library (scenarios): http://fasttrack.microsoft.com/office/envision/productivitylibrary

Technical decks: https://channel9.msdn.com/Events/Ignite/2016?sort=status&direction=desc&r%5B0%5D=Office%20365&page=2

Technical references: https://technet.microsoft.com/en-us/library/office-365-service-descriptions.aspx

Videos: https://www.youtube.com/user/OfficeGarageSeries

eLearning: https://mooc.office365-training.com/en/

‘In the Cloud’: http://blogs.technet.com/b/in_the_cloud/

Office blog: http://blogs.office.com/    and   http://office.microsoft.com/en-us/

Intune blog: http://blogs.technet.com/b/microsoftintune/

Azure AD – Take over a DNS domain

Summary:

The procedure consists in adding a DNS TXT record to each domain, just like for a standard domain registration, to prove ownership; the takeover process then removes the domains from the unmanaged tenant and adds them to your tenant.

Reference article:

https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/domains-admin-takeover
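The takeover procedure as an added PowerShell example (mine, not from the Microsoft article). It fetches the expected ownership TXT value for each domain, checks against a public resolver that the record is actually published before calling the takeover, and only then runs Confirm-MsolDomain -ForceTakeover, which is the external-takeover command from the referenced article. It assumes the MSOnline module and Connect-MsolService as Global Administrator of the target tenant; the use of 8.8.8.8 as the resolver and the Get-MsolDomainVerificationDns property names (Label, Text, Ttl) are assumptions to verify.

```powershell
# Added example: verify the ownership TXT record, then trigger the Azure AD domain takeover.
# Assumes the MSOnline module and Connect-MsolService as Global Administrator of the *target* tenant.
# Confirm-MsolDomain -ForceTakeover All is the external-takeover command from the referenced article;
# the DNS pre-check avoids calling it before the TXT record has propagated.

function Get-DomainVerificationRecord {
    param([Parameter(Mandatory)][string]$Domain)
    # Register the domain in the target tenant if it is not there yet, then read the expected TXT value (MS=ms...).
    if (-not (Get-MsolDomain -DomainName $Domain -ErrorAction SilentlyContinue)) {
        New-MsolDomain -Name $Domain | Out-Null
    }
    $rec = Get-MsolDomainVerificationDns -DomainName $Domain -Mode DnsTxtRecord
    [pscustomobject]@{ Domain = $Domain; Label = $rec.Label; Text = $rec.Text; Ttl = $rec.Ttl }
}

function Test-DomainVerificationRecord {
    param([Parameter(Mandatory)][string]$Domain, [Parameter(Mandatory)][string]$Expected)
    # Query a public resolver directly (8.8.8.8 assumed) so a stale local cache cannot give a false positive.
    $txt = Resolve-DnsName -Name $Domain -Type TXT -Server 8.8.8.8 -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'TXT' } |
           ForEach-Object { $_.Strings -join '' }
    [bool]($txt -contains $Expected)
}

function Invoke-DomainTakeover {
    param([Parameter(Mandatory)][string[]]$Domains)
    foreach ($d in $Domains) {
        $rec = Get-DomainVerificationRecord -Domain $d
        if (-not (Test-DomainVerificationRecord -Domain $d -Expected $rec.Text)) {
            Write-Warning "$d : TXT '$($rec.Text)' not visible yet in public DNS; publish it at '$($rec.Label)' and retry."
            continue
        }
        # Proves ownership and moves the domain (with the unmanaged tenant's users) into the connected tenant.
        Confirm-MsolDomain -DomainName $d -ForceTakeover All
        Get-MsolDomain -DomainName $d | Select-Object Name, Status, Authentication
    }
}

# Invoke-DomainTakeover -Domains 'contoso.com', 'fabrikam.com'
```

Run the pre-check loop until every domain reports its TXT record as visible before the takeover call; the TTL returned with the record is a reasonable upper bound for how long to wait between retries.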