Category Archives: Office 365

Microsoft Azure – Leverage Manage Engine AD Manager and delegate MFA reset action to the Helpdesk Team

Currently there is no option as per this uservoice to delegate the MFA reset action to help desk team via an admin role. As of now only the global admin have the required privileges to perform this action from the azure portal. In this article we had a look into how to reset this option by creating an automation account and integrating with Microsoft Flow. Though this is a good option there is another way where this action can be delegated via ManageEngine AD manager plus. 

Most of the organizations have AD Manager plus and its features integrated on their on premise tenant. This can be used to execute office 365 and Azure AD operations in a hybrid environment. In this article we will have a look at the steps to integrate AD manager plus with Azure AD to  delegate this action to the help desk team.

Below are the prerequisites :

  1. AD manager plus server must be present in the hybrid domain. Not necessarily a hybrid domain it works well for cloud only accounts as well.
  2. The connectivity to the Azure IPs and URLs are required to connect azure module connect-msolservice
  3. Azure AD modules must be downloaded  on the AD manager plus server.
  4. AD delegation must be already assigned to the help desk team with AD management role.
  5. Global admin account is required to specify them as encrypted credentials with key on the AD manager plus server. This global admin account will only be used by the manage engine AD manager server in the backend and not exposed to the helpdesk team.

Implementation Steps:

First we need to create the encrypted credentials and key . Below command can be used.Kindly note that if we try to execute with plain text password it will not work, Since in our case we are doing an invoke session from AD manager plus and hence it works only with key file.

A very important note here is if there is a password policy for the global admin accounts, ensure to regenerate this key by re-running this script once after the new password is changed on the Global admin account.

$KeyFile = "Z:\ManageEngine\ADManager Plus\bin\AES256.key"
$Key = New-Object Byte[] 32
$Key | out-file $KeyFile
$credential = Get-Credential
$credential.Password | ConvertFrom-SecureString -Key $Key | Out-File "C:\ManageEngine\ADManager Plus\bin\credential.cred"

Later place this script on the AD manager plus bin folder as .ps1.

Connect-MsolService -Credential $cred
"`nConnected to MSOL" | Out-File $MFAlog -Append
Set-MsolUser -UserprincipalName $userPrincipalName -StrongAuthenticationMethod @()
"`nUpdated User $userprincipalname" | Out-File $MFAlog -Append

The above script will also  generate MFAActions.log file in the bin folder which will help us to track the MFA actions performed via AD manager by the help desk admins. Even this script must be placed in the bin folder in the AD manager plus server.

Now having done the Azure AD part we need to access Manage Engine AD Manager Plus admin portal and perform the below action:

  1. Go to AD Mgmt – User Modification Templates – Click Create New Template.
  2. Leave all the fields on all the tabs as default – Navigate to Custom Attributes – Select Run Custom Script on successful user modification script command:  add the below format to call our script via AD manager plus – PowerShell  -File mfa.ps1 %userprincipalname%
  3. Once done click on save template.
  4. Assign this template to the helpdesk team.

Once this above action is completed help desk can reset via below method – 

AD mgmt – Modify Single user – Search for affected user – Modify user – Change template – Choose MFA reset template – then click on update user.

Now the MFA value will be cleared for the requested user.

We can also check the status from Azure AD connected Powershell 

(Get-MSOlUser  -UserPrincipalName user@domain.com).strongauthenticationmethods

The value should return null for a user where the MFA reset is successful.

This action will help in achieving the delegation of MFA reset via manage engine. Helpdesk admins can for perform the MFA reset through the manage engine delegated help desk portal by selecting the assigned template and can perform this action.

Thanks & Regards
Sathish Veerapandian

Microsoft Intune – Configure customized role based access control in a redistributed IT environment.

In a huge enterprise scale deployments there will be various teams who handles the services with multiple administrator accounts.These executives must be furnished with administrator accounts which are appropriate to their boundaries.Microsoft intune being a device,apps and office 365 administration management there are high prospects that this element may be used over various departments,applications,devices and from various areas. Microsoft Intune having lots of features and capabilities now most of the organizations are moving as managed tenant with Microsoft intune.

For instance there can be multiple app protection policies, device compliance policies, app configuration policies ,etc., are created for multiple services one for meeting room management, another for BYOD devices and for corporate windows devices. In these situations we need to create customized role based access control for each users.

With the default intune admin role assignments, we cannot manage to provide custom permissions and hence need to take little bit different approach in order to deploy in a decentralized environment.

We shall consider a scenario where there are 2 different cases of leveraging Microsoft Intune as a managment authority one for Meeting rooms and another one for managing office 365 and Line of business apps in BYOD devices.

Ideally in this scenario we must be having two sets of policies ,intune services with different role sets and visibility of policies to the administrators.

Below policies for BYOD devices were created –

App Protection Policies

App Configuration Policies

Compliance Policies

Below Policies for Meeting rooms were created –

App Protection Policies

App Configuration Policies

Compliance Policies

Having the policies created now we need to segregate them by tagging to associated admin groups, device groups and scope tags.

Created Admin Groups –

Group 1: MRM Admins – To manage only the Meeting room  intune policies.

Group 2: Pilot Mobile Admins – To manage only the Andriod/IOS Intune  device policies.

Created Device Groups –

Group 1: Meeting Rooms – Created to add the meeting room devices and service accounts. This is required to scope this group in the custom RBAC role that we are creating and targeting for meeting room systems and their service accounts.

Group 2: IntuneMobileDevices – Created to add the BYOD users accounts . This is required to scope this group in the custom RBAC role that we are creating and targeting for byod users.

Created Scope Tags –

Scope Tag 1: Mobile-Admin – To tag all the BYOD mobile IOS/Andriod policies, users and devices. We have added the created group for intune users. One important point to note here is that all new users who needs to be part of intune policies needs to be added to this group.

The policies can be tagged to their related scope tags from the properties page.

Scope Tag 2: SRS-Admin – To tag all the meeting room devices and the service accounts.

In the same way we did for BYOD devices meeting room policies were tagged to this scope tag.

Scope tags are very much required and they are the basic benchmarks which are used to segregate the roles, permissions, devices and users. In this case we have created two scope tags and associated them to their corresponding policies,users,devices and admins.

Created 2 Custom RBAC roles –

Role 1: Meeting Room Admin – Clone copy of policy and profile manager role scoped only to MRM admins group. Tagged this role to SRS-Admin scope tag.

Role 2: Mobile Administrators – Clone copy of policy and profile manager role scoped only to Pilot Mobile Admins  admins group. Tagged this role to Mobile-Admin Scope tag.

The default RBAC roles will provide visibility to all the policies and hence we need to create new roles.Here we have created two clones of the default policy (policy and profile manager). Tagging these two roles to the appropriate scope tags is very important. Ideally scope tags are the components which seperates the role segregation based on policies and users defined on them.

Finally created few policies and tagged them separately for Mobile devices and meeting rooms.

Admin log in experience:

Policies  visibility from Global Admin account where we could see all the policies in the intune portal.

When logging in from mobile admin we see only mobile device policies for byod associated with him.

Only BYOD device compliance policies are present.

In the same way when logging from SRS admin we see only the meeting room policies associated with him.

Only meeting room app protection policies are found.

Caveats :

  1. For custom RBAC role it is requesting an EMS license to be assigned mandatorily for the admin accounts. I attempted the admin accounts without the licenses and it is not working.
  2. Once the policy is applied to admin accounts it is taking almost 24 hours’ time to be in effect.

We can utilize role based access control in combination with scope tags to ensure that the privilege administrator accounts have the correct access and perceivability to the right Intune objects. Scope tags figure out which objects administrators can see from their admin portal.

Thanks & Regards

Sathish Veerapandian

Analyze the office 365 adoption with Microsoft 365 usage analytics

Office 365 adoption preview helps to have insights of the Office 365 utilization trends for the whole organization.This helps organization on identifying the departments who needs training and places where there is real success on office 365 aquisition.

With Microsoft 365 usage analytics integrated with Power BI , we get much visibility on how Office365 is been utilized.It is a pre built content pack and do not need to create any customization on getting the reports.

This content pack is free of charge and works well with powerBI free service and can customize the dashboards with reports.We do not need to have a powerbi pro or premium license to utilize this service.Once we connect this content pack it can be shared with anybody. However if the user attempts to share, export the report then powerbi pro license is required. For viewing only the data powerbi free license is much sufficient.

The moment when we connect the data pack it provides the data for last 12 months. Later it refreshes in a weeks time. We do have an option to customize the refresh schedule.

Below are the steps to enable the Microsoft 365 usage analytics:

Sign into office365 admin center with global admin privilege – navigate to reports – click on usage

Enable the option make data available to powerbi

Now login to power bi – navigate to service content packs – select office 365 adoption preview

Now we need to use the tenant id and connect to the services

Now we will have the office 365 adoption preview connected to the associated work space.

Once done we see the visibility on utilization of all the services. Example we have the adoption overview on the Teams.

Exchange online utilization

As of now we have the reports that can be pulled over and customized in powerbi for Exchange, Skype for business , teams, yammer , onedrive, sharepoint, adoption by department, product , region and yammer usage.

Script to generate office 365 groups created on last 30 days

By default it is enabled for users to create the office365 groups. There are few organizations where they do not need to restrict this group creation because these groups are heavily influenced on utilizing the office365 services Sharepoint,Yammer, Microsoft Teams, PowerBI , Outlook, Planner and Road Map which in turn might decline the office 365 user adoption rate.

The below script can be used to run in task scheduler on a monthly basis for reviewing the Office 365 groups which have been created in last 30 days and will email us the report.

Below is the sample output of the script which will provide us the below details.


########################################################################################################################
# Description   :- Powershell Script To extract office365 groups created less than 30 days time and send them in email
# Author        :- Sathish Veerapandian
# Created       :- 15-Jul-2019
# Updated       :- 15-Oct-2019
# Version       :- 0.2
# Notes         :- 
#########################################################################################################################

$Header = @"

TABLE {border-width: 1px; border-style: solid; border-color: black; border-collapse: collapse;}
TH {border-width: 1px; padding: 3px; border-style: solid; border-color: black; background-color: #6495ED;}
TD {border-width: 1px; padding: 3px; border-style: solid; border-color: black;}

"@

# Load MFA Module
$MFAExchangeModule = ((Get-ChildItem -Path $($env:LOCALAPPDATA+"\Apps\2.0\") -Filter CreateExoPSSession.ps1 -Recurse).FullName | Select-Object -Last 1)
. "$MFAExchangeModule"

# Initiate Session
Connect-EXOPSSession -UserPrincipalname mentionadminid@domain.com

# Get Office365 Groups
Get-UnifiedGroup -ResultSize unlimited | select DisplayName,PrimarySMtpAddress,WhenCreated,ManagedBy,RecipientTypeDetails,AccessType | Export-Csv C:\Scripts\365groups.csv -NoTypeInformation

# Define the date variable for Cutoffdate less than 31 days
$CutoffDate = get-date -date $(get-date).adddays(-31) -format "M/dd/yyyy h:mm:ss tt"

# Get the office365 groups created lesser than 31 days
$Data = Import-CSV "C:\Scripts\365groups.csv" | Where-Object {$_.WhenCreated -as [datetime] -gt $CutoffDate}


# Export the office365 groups  created lesser than 31 days in csv file
$data | ConvertTo-Html -Head $Header | Out-File -FilePath C:\Scripts\365.html


# Send the exported csv email to the helpdesk team for evaluation
Send-MailMessage -From senderemailID -To recipientemailid -Attachments "C:\Scripts\365.html" -BodyAsHtml -SmtpServer mentionsmtpserver -Subject Office365GroupStatus 

Thanks

Sathish Veerapandian

Configure Exchange Online to reject emails that fail DMARC validation with organizations having policy of reject

By default Office 365 DMARC validation for internet emails that fails for policy P=Reject will make the email to land in junk folder of the recipient mailbox.Microsoft 365 will treat DMARC policies of quarantine and reject in the same way, which means that if the sender’s DMARC policy is set to reject or quarantine, the emails that fail DMARC will be sent to the junk folder of the recipient mailbox.

Microsoft believes that the main agenda of doing this is to ensure that any legitimate emails which misses in DMARC alignment shouldn’t be lost and its better to get them delivered to recipient junk mail folder. There are few cases wherein few organizations would still need the DMARC policy to be stringent due to their security regulations.

Microsoft validates DMARC and overrides the failure with a header value for a domain whose DMARC TXT record has a policy of p=reject oreject. Instead of deleting or rejecting the message, Office 365 marks the message as spam.

To test it further we are publishing SPF, DKIM and DMARC record for the domain ezcloudinfo.com as below:

SPF record: Adding only Exchange online as authorized sender.

DKIM Record: Having the Signing key only for office 365

DMARC Record: Having strict policy of P=reject

For a successful email from a legitimate sender where it has passed spf, dkim & dmarc we see the below value for DMARC.

dmarc=pass action=none

Now we are triggering an email from a registered mailchimp account for ezcloudinfo.com where we do not have the SPF and DKIM records added in our DNS records.

The email from mailchimp from sender address sathish@ezcloudinfo.com gets landed in junk email.

We can see the header value of above email and the DMARC validation is failed.

WorkAround:

We received a workaround which can be accomplished to reject the emails that fails with DMARC validation from redsift cyber security analysis .

Create a Transport Rule:

Include the below value oreject or action=oreject or dmarc=fail in the message header include option.

Reject the message with the custom status code.

Now if we send a test email after this transport rule from an unauthorized sender the email will be rejected and could see the below NDR message.

So after this transport rule any spoof emails that are coming from a domain that is DMARC protected will not be delivered to the spam folder. They will all be rejected and never reach the recipient.

Thanks & Regards

Sathish Veerapandian

Readiness and steps to Configure Direct Routing in Microsoft Teams

Earlier to enable enterprise voice with calling plan on skype for business online we would need to install cloud connector locally on a virtual machines as a separate appliance which requires complex configuration for integrating with the certified session border controllers.

Now Microsoft have made it easier to configure them with direct routing where we do not need to deploy the cloud connector agent locally in the on-premise systems.

When paired with Microsoft Calling plans or direct routing with local ISP calling plan, they provide a full enterprise experience for office 365 users in Teams on a global scale. With Direct Routing we can Connect Existing Telephony Infrastructure to MS teams with the help of  local session border controllers. A SIP connection is created between the cloud call controllers and our local session border controllers.

In this article we will look at the options , readiness and steps  to Enable users for Direct Routing from the Microsoft office 365 perspective.

Readiness for Direct Routing:

Decide on Session Border Controller (Self or hosted SBC):

Session border controller connects Teams call to PSTN next hop or to the configured sip trunk with the local ISP. Here we have two options either to have own session border controllers on premise or to have this functionality hosted to a managed service provider who will host the session border controller for your organization to perform the SIP proxy and the PSTN routing for Microsoft Teams.

Make sure to select the supported session border controllers by Microsoft to configure direct routing in Microsoft Teams.

Figure out licenses based on deployment: Decide on media bypass Configuration

We need to figure out licenses on Microsoft office 365 to utilize the full enterprise functionality of Microsoft Teams.

Option1: Full Microsoft License

In this case no direct routing is required unless there is coexistence required with existing telephony system because we will be having the full calling plan with Microsoft and will utilize the Microsoft call controller, PSTN, Media controllers and Media processor.

Below Licenses are required:

  1. Enable Microsoft Teams.
  2. Office 365 Phone System License
  3. Skype for business online plan2  License
  4. Audio Conferencing
  5. Microsoft Calling plan (Available in selected regions as of now)

The first 4 licenses are available by default in office365 E5 License. For other license types separate SKus needs to be procured along with the calling plan available in the region

Below is the call flow for all in the cloud for Teams:

Option 2 : Full Teams feature plus Local Telcom Calling plan

This option requires to perform direct routing with Microsoft Teams SIP proxy  services to create the SIP trunk between Microsoft Teams in the cloud and local session border controllers to utilize the calling plan from local PSTN provider.

Below Licenses are required:

  1. Microsoft Teams
  2. Phone System
  3. Skype for business online plan2 
  4. Audio Conferencing
  5. Local SIP calling plan with your telecom provider

Phone System with own carrier via Direct Routing:

SBC readiness:

Decide on SBC Host Name:

Microsoft communicates to session border controllers only via FQDN. We need to decide on a hostname for Session border controller which will be public available to configure direct routing. In our case we will be having voicegw.ezcloudinfo.com

Configure the certificate:

The SBC must be configured with a certificate from public certificate authority with the decided host name. We could also use wild card and SAN certs but the CSR needs to be generated from the certified SBC.

Firewall:

Below source and destination ports needs to be opened for communication between Microsoft PSTN hub FQDNs and the session border controllers.

Above Necessary source and destination ports needs to be opened in Firewall for the SIP Signaling, SIP Proxy ,Media Processing and Media Bypass to happen for the STUN, TURN , ICE connectivity and for successful Teams audio/video call .

Direct Routing configuration in Microsoft Teams:

Ensure that the users are fully transformed to Teams Only Mode.

Pair the SBC to the Direct Routing Service of Phone System:

Connect to Skype for Business Online admin center using PowerShell

Verify the online PSTN gateways.

Get-Command *onlinePSTNGateway*

Now add the new online PSTN gateway to add our SBC in the list.

New-CsOnlinePSTNGateway -Fqdn voicegw.ezcloudinfo.com -SipSignallingPort 5067 -MaxConcurrentSessions 50 -Enabled $true

Check the added SBC configuration.

Get-CsOnlinePSTNGateway -Identity sbc.contoso.com

Configure the phone number and enable enterprise voice.

Set-CsUser -Identity “Will Smith” -OnPremLineURI tel:+97155368846 -EnterpriseVoiceEnabled $true -HostedVoiceMail $False

Create the Voice Route to go via SBC.

New-CsOnlineVoiceRoute -Identity “UAE” -NumberPattern “^\+9(71|206)(\d{7})$” -OnlinePstnGatewayList voicegw.ezcloudinfo.com -Priority 1 -OnlinePstnUsages “UAE and India”

IMP Notes:

  1. Flow differs for external and internal media bypass.
  2. Internal media bypass – Flows within the network teams and SBC and traffic is routed to local PSTN provider.
  3. External Media bypass – Flows users will try to connect via certified SBC if now will take the SIP Proxy Route.
  4. Office 365 network is enhanced for teams traffic.
  5. Call Queues and Auto attendant configuration needs to be verified and configured according to the current setup.

Thanks & Regards

Sathish Veerapandian

Script to offboard resigned employee in a hybrid environment

The below script can be used in off-boarding below tasks for a resigned employees as a bulk operation.

This script will help in below actions for Exchange online and AD tasks to be removed in a Exchange hybrid environment:

  1. Convert exchange online mailbox to shared Mailbox.
  2. Disable the Mailbox protocols – OWA,ActiveSync, POP, IMAP, MAPI & OWA for devices.
  3. Hide the user from GAL.
  4. Remove the user from respective licenses E3,E5,EMS E3 & EMS E5 Licenses.
  5. Cancel all the calendar future meetings.
  6. Remove the user account from all groups.
  7. Set the account expiry of the AD account.
  8. Remove the IP Phone Attribute.
  9. Remove the manager field.
  10. Set out of office.

Prerequisites:

1.Run this from a management server where it has Exchange, Active Directory, MSonline and exchange online MFA PowerShell modules installed on it.

2.This will run from MFA enabled Admin accounts from windows powershell,connect to exchange online and msonline. Make sure to run this script from an elevated windows powershell mode.

3.Change the csv file location to your location
Connect-EXOPSSession -UserPrincipalname adminid@domain.com – Change the admin userprincipalname to your admin id.
Export-csv “c:\ops\Output\disabledusers.csv” – mention the location of the csv file

4. Create a CSV file which has only the userprincipalname of the resigned employees.

5. Change the OOF message details with the required information.


$MFAExchangeModule = ((Get-ChildItem -Path $($env:LOCALAPPDATA+"\Apps\2.0\") -Filter CreateExoPSSession.ps1 -Recurse).FullName | Select-Object -Last 1)
. "$MFAExchangeModule"
$cred= Get-Credential
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn
Import-Module activedirectory
Connect-MsolService -Credential $cred
Connect-EXOPSSession -UserPrincipalname adminid@domain.com
$E3 = "tenantname:ENTERPRISEPREMIUM"
$E5 = "tenantname:ENTERPRISEPACK"
$EMSE3 = "tenantname:EMSPREMIUM"
$EMSE5= "tenantname:EMS"
Import-csv  "mention the CSV path location" | foreach {
$UPN = $_.userPrincipalName
#Convert to shared mailbox
Set-Mailbox $UPN -Type “Shared” 
#Disable the Mailbox protocols
Set-CASMailbox  -identity $upn -OWAEnabled:$false -ImapEnabled:$false -MAPIEnabled:$false -PopEnabled:$false -ActiveSyncEnabled:$false -OWAforDevicesEnabled:$false -Confirm:$false -verbose
#Cancel all the future meetings
Remove-Calendarevents -identity $UPN.userprincipalname -CancelOrganizedMeetings -Confirm:$False 
#Remove the license
$msolupn= Get-Msoluser -Userprincipalname $UPN | select Objectid,Userprincipalname,Licenses 
Set-MsolUserLicense -UserPrincipalName $UPN.UserPrincipalName -RemoveLicenses $E3 -ErrorAction SilentlyContinue
Set-MsolUserLicense -UserPrincipalName $UPN.UserPrincipalName -RemoveLicenses $E5 -ErrorAction SilentlyContinue
Set-MsolUserLicense -UserPrincipalName $UPN.UserPrincipalName -RemoveLicenses $EMSE3 -ErrorAction SilentlyContinue
Set-MsolUserLicense -UserPrincipalName $UPN.UserPrincipalName -RemoveLicenses $EMSE5 -ErrorAction SilentlyContinue
#Hide from GAL
Set-RemoteMailbox  -identity $upn -HiddenFromAddressListsEnabled:$True
#Set the OOF
Set-MailboxAutoReplyConfiguration -Identity $UPN -AutoReplyState Enabled -ExternalMessage "“Please note that i no longer work for ezcloudinfo anymore.Kindly contact HR department via hr@ezcloudinfo.com for further communication.“"    
#Remove from Distribution Lists
Get-ADUser -Identity $UPN -Properties MemberOf | ForEach-Object {
  $_.MemberOf | Remove-ADGroupMember -Members $_.DistinguishedName -Confirm:$false
#Remove the manager field
Set-Aduser -Identity $UPN -Manager $null
#Remove IP Phone attribute
Set-ADuser -Identity $UPN -Clear ipPhone
#Set the Account Expiry
Set-ADAccountExpiration -Identity $UPN -TimeSpan 0.0:30
Write-Host The Users have been offboarded successfully -ForegroundColor Green
Get-Mailbox $UPN | select-Object name,recipienttypedetails | Export-csv "c:\ops\Output\disabledusers.csv"  -NoTypeInformation -Force -Append
}
}

Thanks & Regards

Sathish Veerapandian

%d bloggers like this: