Enable Azure AD Password Protection for on-premises Windows Server Active Directory

In this article we will look at enabling the Azure AD Password Protection policy on an on-premises Active Directory domain.

By default this feature is already active for cloud-only users with the Microsoft global banned password list. If we also want a custom banned password list for cloud-only users, a paid Azure AD license is required (at least Azure AD Basic at the time of writing). The default policy values are shown in the portal.

We have the below options in the password protection policy:

Lockout threshold:
How many failed sign-ins are allowed on an account before its first lockout. If the first sign-in after a lockout also fails, the account locks out again.

Lockout duration in seconds:
The minimum length in seconds of each lockout. If an account locks repeatedly, this duration increases.

Enforce custom list:
When enabled, the words in the custom banned password list are used by the banned password system, in addition to the global list, to prevent easy-to-guess passwords.

Custom banned password list:
A list of words, one per line, that users are prevented from using in their passwords. Include words specific to your organization, such as product names, trademarks, industry terms, local cities and towns, and local sports teams. The list can contain up to 1000 words. Matching is case insensitive, and common character substitutions (0 for o, $ for s, etc.) are considered automatically.

Enable password protection on Windows Server Active Directory:
If set to Yes, password protection is turned on for on-premises domain controllers once the DC agent is installed.

Mode:
If set to Enforce, users are prevented from setting banned passwords and the attempt is logged. If set to Audit, the password is accepted and the attempt is only logged, which is what we want while measuring the impact.

The visual representation of how this process works is shown in the Microsoft TechNet source (diagram below).

Below are the prerequisites for enabling password protection on Active Directory:

  1. Enabling this service for on-premises Active Directory requires an Azure AD Premium license.
  2. The proxy service agent needs to be installed on a member server running Windows Server 2012 R2 or later.
  3. Domain controllers where the Azure AD Password Protection DC agent service will be installed must be running Windows Server 2012 or later.
  4. All servers running the Azure AD Password Protection components must be fully patched so that the Universal C Runtime is installed.
  5. Network connectivity (RPC) must exist between the Azure AD Password Protection proxy server and at least one domain controller running the DC agent service.
  6. An Azure AD Global Administrator account is required to register the proxy and the forest with Azure AD.
  7. A domain administrator account in the forest root domain is required to register the Windows Server AD forest with Azure AD (the registration stores its configuration in the Configuration naming context).
  8. Domains running the DC agent service must use DFSR for SYSVOL replication (FRS is not supported).
  9. The Azure AD Password Protection proxy server must have outbound HTTPS (TCP 443) access to the below Microsoft endpoints:

https://login.microsoftonline.com - handles the authentication requests.

https://enterpriseregistration.windows.net - Azure AD Password Protection functionality.
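The prerequisite list above is easy to get wrong on a server that has been around for a while, so here is a small check script, added here as an example and not part of the original post or of the Microsoft installer. It tests the items above on the server it runs on; the endpoint names are the ones listed above, while the build numbers, the ucrtbase.dll check and the dfsrmig output parsing are assumptions made for this example.

```powershell
# Added example, not from the original post: checks the prerequisites listed above on
# the server it runs on. Run it in an elevated session on the intended proxy server
# (-Role Proxy) and on each domain controller (-Role DC). The endpoint names are the
# ones listed above; build numbers, the UCRT file check and the dfsrmig parsing are
# assumptions made for this example.

$Endpoints     = 'login.microsoftonline.com', 'enterpriseregistration.windows.net'
$MinBuildProxy = 9600   # Windows Server 2012 R2
$MinBuildDC    = 9200   # Windows Server 2012

function New-CheckResult([string]$Check, [bool]$Pass, [string]$Detail) {
    [pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail }
}

function Test-PasswordProtectionPrereqs {
    param([ValidateSet('Proxy', 'DC')][string]$Role = 'Proxy')
    $results = @()

    # 1. Operating system version (2012 R2 or later for the proxy, 2012 or later for DCs)
    $os = Get-CimInstance Win32_OperatingSystem
    $minBuild = if ($Role -eq 'Proxy') { $MinBuildProxy } else { $MinBuildDC }
    $results += New-CheckResult 'OS build' ([int]$os.BuildNumber -ge $minBuild) "$($os.Caption) build $($os.BuildNumber)"

    # 2. Domain membership (the proxy must be a member server in the forest)
    $cs = Get-CimInstance Win32_ComputerSystem
    $results += New-CheckResult 'Domain joined' $cs.PartOfDomain $cs.Domain

    # 3. Universal C Runtime present (delivered by Windows Update as ucrtbase.dll)
    $ucrt = Join-Path $env:SystemRoot 'System32\ucrtbase.dll'
    $results += New-CheckResult 'Universal CRT' (Test-Path $ucrt) $ucrt

    # 4. Outbound HTTPS from the proxy to the Azure AD endpoints listed above
    if ($Role -eq 'Proxy') {
        foreach ($ep in $Endpoints) {
            $tcp = Test-NetConnection -ComputerName $ep -Port 443 -WarningAction SilentlyContinue
            $results += New-CheckResult "HTTPS to $ep" $tcp.TcpTestSucceeded "remote $($tcp.RemoteAddress)"
        }
    }

    # 5. SYSVOL replicated by DFSR on the DC; dfsrmig reports 'Eliminated' once FRS is gone
    if ($Role -eq 'DC') {
        $state = (& "$env:SystemRoot\System32\dfsrmig.exe" /getglobalstate 2>&1) -join ' '
        $results += New-CheckResult 'SYSVOL on DFSR' ($state -match 'Eliminated') $state
    }
    $results
}

$report = Test-PasswordProtectionPrereqs -Role Proxy
$report | Format-Table -AutoSize
if ($report.Pass -contains $false) { Write-Warning 'One or more prerequisites are not met; fix them before installing the agents.' }
```

Run it with -Role DC on each domain controller before installing the DC agent; a DFSR check that does not report Eliminated means SYSVOL is still on FRS and the agent will not work until the migration to DFSR is finished.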

       

Download the installers from https://www.microsoft.com/en-us/download/details.aspx?id=57071

There are two MSI packages (the proxy service and the DC agent), which deliver the three components below.

Azure AD Password Protection proxy service - the relay between the on-premises domain controllers and Azure AD. It forwards the domain controllers' requests to Azure AD and returns the downloaded password policy to them, so the domain controllers themselves never need internet access.

DC agent password filter DLL - registered as a password filter on the domain controller; it receives every password validation request from LSASS and forwards it to the main component running on the domain controller, the Azure AD Password Protection DC agent service.

Azure AD Password Protection DC agent service - receives the password validation requests from the filter DLL, evaluates them against the currently cached password policy (global plus custom banned lists) and returns a pass/fail result. This service also periodically queries the proxy service to check for and download new versions of the password policy, which it stores in SYSVOL so the other domain controllers can pick it up.

The first step is to install the proxy agent (AzureADPasswordProtectionProxySetup.msi) on a member server in the same forest.

Once installation is completed, open an elevated PowerShell session and import the module:

Import-Module AzureADPasswordProtection

Register the proxy agent. Run this as a domain administrator; the credential prompt expects an Azure AD Global Administrator account:

$tenantAdminCreds = Get-Credential
Register-AzureADPasswordProtectionProxy -AzureCredential $tenantAdminCreds

Then register the Active Directory forest (this is done once per forest) with the same Global Administrator credential:

$tenantAdminCreds = Get-Credential
Register-AzureADPasswordProtectionForest -AzureCredential $tenantAdminCreds

On a successful registration we get a confirmation event in the Azure AD Password Protection proxy event log on the proxy server.

Register the proxy configuration on a static port:

The command below pins the RPC port the proxy service listens on, so the communication from the domain controllers to the proxy server can be restricted to a single known port on the firewall instead of the whole dynamic RPC range. The DC agent still locates the proxy through the RPC endpoint mapper on TCP 135, so that port plus the chosen static port must be open from the domain controllers to the proxy server. Choose a port that is free on the proxy server:

Set-AzureADPasswordProtectionProxyConfiguration -StaticPort <PortNumber>

Next install the DC agent (AzureADPasswordProtectionDCAgentSetup.msi) on every domain controller. After the installation completes only a restart of the domain controller is required, since the password filter DLL is loaded by LSASS at boot; no further configuration is needed at this stage.

After this, sign in to the Azure portal (Azure Active Directory > Security > Authentication methods > Password protection), set Enable password protection on Windows Server Active Directory to Yes and leave Mode set to Audit. It is strongly recommended to start in Audit mode, so the logs show the current password hygiene and which users would be affected before anything is enforced.

Once the policy is applied in Audit mode we get a confirmation message in the Azure AD Password Protection DC agent event log.

We can verify the agent settings with the commands below:

Get-AzureADPasswordProtectionDCAgent | FL

Get-AzureADPasswordProtectionSummaryReport -DomainController DCHostName

Get-AzureADPasswordProtectionDCAgent lists every DC agent in the forest with its software version, policy date and last heartbeat; the summary report gives the pass/fail counters per domain controller.

It is always better to start in Audit mode only, since enforcing the policy without proper end-user awareness of the password policy change will create a major impact in the environment.

The DC agent logs can be monitored in Event Viewer under Applications and Services Logs > Microsoft > AzureADPasswordProtection > DCAgent > Admin.

A user resetting the password to a compliant value gets a success event.

If a help-desk operator resets a password to a non-compliant value, in Audit mode it is accepted but logged with a message stating that it did not meet the policy and would have been rejected in Enforce mode.

When the same non-compliant password is given to the end user and the end user later changes it to another non-compliant value, those entries are also logged in the event log.

A successful password policy download from Azure AD can be seen in the proxy service event log on the proxy server.

We can also see in ADSI Edit that a separate container (CN=Azure AD Password Protection under CN=Services in the Configuration partition) is created, with two objects named after certificate thumbprints for the registered proxy.
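Reading the audit-mode events one by one does not tell us how many users will be blocked the day we switch to Enforce. The script below, added here as an example and not part of the original post, summarises the DC agent log per domain controller. The log channel is the one shown in Event Viewer above; the grouping relies on the wording "audit-only" that the agent's messages use for passwords it would have rejected, and on the ServerFQDN property of Get-AzureADPasswordProtectionDCAgent, both of which are assumptions for this example.

```powershell
# Added example, not from the original post. Summarises what the DC agent logged
# while the policy is in Audit mode, so the impact of switching to Enforce can be
# estimated before users are affected. The log channel is the one shown in Event
# Viewer above; the 'audit-only' match and the ServerFQDN property are assumptions.

function Get-PasswordProtectionAuditSummary {
    param(
        [string[]]$DomainController = $env:COMPUTERNAME,
        [int]$Days = 7
    )
    $filter = @{
        LogName   = 'Microsoft-AzureADPasswordProtection-DCAgent/Admin'
        StartTime = (Get-Date).AddDays(-$Days)
    }
    foreach ($dc in $DomainController) {
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue
        if (-not $events) { Write-Warning "No DC agent events on $dc in the last $Days days"; continue }

        # One row per event ID: how often it fired and what it means (first line of the message)
        $byId = $events | Group-Object Id | ForEach-Object {
            [pscustomobject]@{
                DomainController = $dc
                EventId          = $_.Name
                Count            = $_.Count
                Meaning          = ($_.Group[0].Message -split "`r?`n")[0]
            }
        }
        $byId | Sort-Object Count -Descending

        # Audit-mode 'would have failed' events are the ones that will start blocking users in Enforce
        $wouldFail = @($events | Where-Object { $_.Message -match 'audit-only' })
        $ratio = if ($events.Count) { [math]::Round(100 * $wouldFail.Count / $events.Count, 1) } else { 0 }
        Write-Host ("{0}: {1} of {2} password events ({3}%) would have been rejected in Enforce mode" -f $dc, $wouldFail.Count, $events.Count, $ratio)
    }
}

# Run against every DC that has the agent, taking the list from the proxy module's inventory cmdlet
$dcs = (Get-AzureADPasswordProtectionDCAgent).ServerFQDN
Get-PasswordProtectionAuditSummary -DomainController $dcs -Days 14 | Format-Table -AutoSize
```

The percentage of would-have-failed events is the number to put in the awareness email mentioned in the notes below; if it is high, grow the custom list gradually rather than enforcing everything at once.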

Important notes:

  1. As a best practice it is not recommended to go with Enforce mode initially, since end users will have a hard time adapting to the password policy immediately.
  2. Once Audit mode is enabled, circulate an email notice about the upcoming password policy change to create awareness.
  3. The custom banned password list can hold up to 1000 entries. Growing it gradually makes the rollout smoother.
  4. Changes to the banned password policy in the Azure portal are pulled down by the on-premises agents; the DC agent polls the proxy for a new policy about once an hour, so allow up to an hour for updates to take effect.
  5. For the Register-AzureADPasswordProtectionForest cmdlet to succeed, at least one Windows Server 2012 or later domain controller must be available in the proxy server's domain.

Exchange mailbox audit in Office 365

Since July 2018 mailbox auditing is enabled by default for all mailboxes in the cloud.

In a hybrid setup, once mailboxes are moved to the cloud, mailbox audit is enabled after they are converted from mail-enabled users to mailboxes.

Earlier we had to run Set-Mailbox -AuditEnabled $True every time we created a new mailbox or migrated a mailbox to the cloud so that mailbox audit was turned on.

Once mailbox audit logging is enabled for owner actions we might see a lot of items accumulating for user actions in the audit folder. These audit logs are stored in the user's own mailbox, in a hidden Audits folder under Recoverable Items; we can see its size with the command below.

Get-MailboxFolderStatistics -Identity Helpdesk@exchangequery.com -FolderScope RecoverableItems | Select-Object Name, ItemsInFolder, FolderSize

The audit folder does not count against the user's mailbox quota; it consumes the Recoverable Items quota of each mailbox. To keep this from exhausting the Recoverable Items quota, Exchange Online automatically increases the Recoverable Items storage quota from 30 GB to 100 GB when a hold is placed on a mailbox.

Without a hold the default value is 30 GB.


We can also see that auditing is enabled by default in the organization config.

To enable audit at org level: Set-OrganizationConfig -AuditDisabled $false
To disable audit at org level: Set-OrganizationConfig -AuditDisabled $true

We can see the audit is enabled by default on the mailbox:

Get-Mailbox helpdesk | fl *audit*

For AuditOwner we can see the actions logged for the owner:

Get-Mailbox helpdesk | Select-Object -ExpandProperty AuditOwner

MailboxLogin records the owner's client logins, including POP and IMAP. Apart from this, inbox-rule and calendar-delegation actions are logged, which are very useful when troubleshooting or investigating a compromised account: an attacker who has phished a mailbox typically creates forwarding or delete rules to hide activity, and those changes show up here.

When the tenant starts auditing all mailboxes by default, the per-mailbox AuditEnabled setting is overridden. However, we can still disable audits for a subset of users if there is a business need, by configuring audit bypass associations on those identities with the Set-MailboxAuditBypassAssociation cmdlet. Actions performed by a bypassed account are not logged in any mailbox, so keep this list short, limited to service accounts with a documented reason, and review it regularly. We can also customize which actions are logged with Set-Mailbox and the -AuditOwner, -AuditDelegate and -AuditAdmin parameters.

The command below bypasses audit for the specified mailbox:

Get-Mailbox usteam | Set-MailboxAuditBypassAssociation -AuditBypassEnabled $true

We can run an audit report from the Security & Compliance Center during an investigation; an export option is available as well.

More filter options are available in the audit log search.

Based on the monitored mailbox audit actions we can also create an alert policy that notifies the information security team mailbox or group when actions that do not meet the organization's compliance requirements occur.
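The audit data described above is what an investigator actually queries when an account is suspected of compromise. The script below is added here as an example and is not from the original post: it lists mailboxes where auditing has been bypassed (they leave no trail at all) and pulls the unified audit log for the inbox-rule, permission and login operations of one user. It assumes an Exchange Online session is open (Connect-ExchangeOnline from the ExchangeOnlineManagement module); the operation list and the rule patterns it flags are this example's choices.

```powershell
# Added example, not from the original post. Uses the audit data described above to
# triage a suspected account compromise: it lists mailboxes where auditing has been
# bypassed (they leave no trail at all) and pulls the unified audit log for the
# inbox-rule, permission and login operations for one user. Assumes an Exchange
# Online session is open (Connect-ExchangeOnline); the operation list and the
# forwarding/deleting rule patterns are this example's choices.

function Get-MailboxCompromiseIndicators {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [int]$Days = 30
    )

    # 1. Any account with AuditBypassEnabled produces no owner/delegate/admin audit entries
    $bypassed = Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
                Where-Object { $_.AuditBypassEnabled } | Select-Object -ExpandProperty Name
    if ($bypassed) { Write-Warning "Audit bypass is enabled for: $($bypassed -join ', ')" }

    # 2. Operations that commonly show up after a phished mailbox is taken over
    $ops = 'New-InboxRule', 'Set-InboxRule', 'UpdateInboxRules', 'Add-MailboxPermission',
           'Set-Mailbox', 'MailboxLogin', 'SendAs', 'SendOnBehalf'
    $records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) `
                                      -UserIds $UserPrincipalName -Operations $ops -ResultSize 5000

    # AuditData is JSON; flatten the fields an analyst usually wants first
    $findings = foreach ($r in $records) {
        $d = $r.AuditData | ConvertFrom-Json
        $ip = if ($d.ClientIP) { $d.ClientIP } else { $d.ClientIPAddress }
        [pscustomobject]@{
            Time      = $r.CreationDate
            Operation = $r.Operations
            ClientIP  = $ip
            Detail    = ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
        }
    }

    # Rules that forward, redirect or delete mail are the classic persistence/hiding step
    $rulePattern = 'ForwardTo|ForwardAsAttachmentTo|RedirectTo|DeleteMessage|MoveToFolder'
    $suspect = @($findings | Where-Object { $_.Operation -match 'InboxRule' -and $_.Detail -match $rulePattern })
    if ($suspect.Count) {
        Write-Warning "$($suspect.Count) forwarding/deleting inbox-rule change(s) found for $UserPrincipalName"
    }
    $findings | Sort-Object Time
}

Get-MailboxCompromiseIndicators -UserPrincipalName 'helpdesk@exchangequery.com' -Days 14 | Format-Table -AutoSize
```

A non-empty bypass list is itself a finding: if the account under investigation is on it, nothing it did in its own or other mailboxes was recorded, and the investigation has to fall back on sign-in logs and the audit entries of the mailboxes it touched.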

Over the next several months Microsoft will enable the default auditing configuration on all tenants in a steady ramp-up, with all commercial customers covered by the end of the calendar year.

Mailbox audits will be stored for all user mailboxes within the commercial service by default.
The default audit configuration will change to include more audit events.

Quick tips - search mailbox operations in Office 365

In Office 365, search can be used to find in-place items from email, documents, Skype for Business and Microsoft Teams. In this article we will look at the steps to search emails in mailboxes hosted in Office 365.

A search and delete operation is typically needed when a confidential message is sent by mistake to unintended recipients, a suspicious message has been circulated to a few users, or a phishing email has landed in mailboxes. An admin can run into any of these scenarios and be asked to perform this action.

In Office 365 we can use the native Search-Mailbox cmdlet, a compliance search from PowerShell, or the content search available in the Office 365 Security & Compliance Center.

Search-Mailbox works exactly as it does on premises. We have to be a member of the Mailbox Search and Mailbox Import Export role groups to execute the search and delete operations (Discovery Management grants Mailbox Search; Mailbox Import Export must be assigned explicitly, typically to a custom role group). Note that Microsoft has deprecated Search-Mailbox in favour of compliance search, so prefer the latter for new runbooks.

We need to establish a PSSession to Office 365 with the below:

$Cred = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $Cred -Authentication Basic -AllowRedirection
Import-PSSession $Session

This remote PowerShell method uses Basic authentication, which Microsoft has deprecated for Exchange Online; with the ExchangeOnlineManagement module the equivalent is Connect-ExchangeOnline, which uses modern authentication and works with MFA.

Search-Mailbox

Then we execute the search operation using the search parameters, search query and operators needed to locate the required data.

Example of a basic search that only logs the results to a target mailbox (nothing is moved or deleted):

Search-Mailbox -Identity mbx@domain.com -SearchQuery 'subject:test' -LogOnly -LogLevel Full -TargetMailbox mbx@domain.com -TargetFolder SearchResults

The delete operation can be used to remove the matching content. Always run the -LogOnly search first and review the log before deleting, since the query is applied exactly as written:

Search-Mailbox -Identity mbx@domain.com -SearchQuery 'subject:test' -DeleteContent

Compliance search

We can use a compliance search to find and delete emails from mailboxes in Office 365. We need to establish a new PSSession to the Security & Compliance Center as below (the newer equivalent is Connect-IPPSSession from the ExchangeOnlineManagement module):

$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session

Once connected we can initiate a new compliance search with the New-ComplianceSearch cmdlet.

First the compliance search is created with the required parameters and a content match query:

New-ComplianceSearch -Description Marketing-Search -Name MarketingTeam -ExchangeLocation alias@domain.com -ContentMatchQuery "'Teach English in China'"

Then we start the compliance search with Start-ComplianceSearch:

Start-ComplianceSearch -Identity MarketingTeam

After the search completes we have three options with New-ComplianceSearchAction: report only, export the matched data, or purge the search results, as in the examples below.

Report mode:

New-ComplianceSearchAction -SearchName SearchName -Report

Export mode:

New-ComplianceSearchAction -SearchName SearchName -Export

Once the export is completed it is available in the Security & Compliance Center under Export, ready for download.

We can also use the purge option. SoftDelete moves the items to the user's Recoverable Items folder, where the user can still recover them; HardDelete marks them for permanent removal. A purge action removes at most 10 items per mailbox per run, so for larger incidents the action has to be repeated.

New-ComplianceSearchAction -SearchName SearchName -Purge -PurgeType SoftDelete

Get-ComplianceSearch can be run to check the existing compliance searches and their status.
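The Search-Mailbox and compliance search steps above are normally run under time pressure during a phishing incident, which is exactly when a too-broad query does the most damage. The function below is added here as an example and is not from the original post: it creates the search, waits for it to finish, shows which mailboxes hold the hits, and purges only when the total is within an explicit limit, repeating the purge action because each run removes at most 10 items per mailbox. It assumes a Security & Compliance session is open (Connect-IPPSSession); the search name, query, limit and the parsing of the SuccessResults text are this example's assumptions.

```powershell
# Added example, not from the original post. Drives the compliance cmdlets above end to
# end: create the search, wait for it to finish, show where the hits are, and purge only
# when the hit count is within an explicit limit. Assumes a Security & Compliance session
# is open (Connect-IPPSSession); the search name, query, limits and SuccessResults
# parsing are illustrative assumptions.

function Invoke-MessagePurge {
    param(
        [Parameter(Mandatory)][string]$SearchName,
        [Parameter(Mandatory)][string]$Query,           # KQL, e.g. 'subject:"Invoice 4471" AND from:billing@example.net'
        [string[]]$ExchangeLocation = 'All',
        [ValidateSet('SoftDelete', 'HardDelete')][string]$PurgeType = 'SoftDelete',
        [int]$MaxItems = 500,                           # refuse to purge a search broader than this
        [switch]$Purge,                                 # without it the function only reports
        [int]$TimeoutSeconds = 900
    )

    New-ComplianceSearch -Name $SearchName -ExchangeLocation $ExchangeLocation -ContentMatchQuery $Query | Out-Null
    Start-ComplianceSearch -Identity $SearchName

    # Poll until the search estimate is complete
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 15
        $search = Get-ComplianceSearch -Identity $SearchName
    } until ($search.Status -eq 'Completed' -or (Get-Date) -gt $deadline)
    if ($search.Status -ne 'Completed') { throw "Search '$SearchName' did not complete (status: $($search.Status))" }

    # SuccessResults is a text blob with one line per location: "Location: x, Item count: n, Total size: m"
    $hits = foreach ($line in ($search.SuccessResults -split '[\r\n]+')) {
        if ($line -match 'Location:\s*(?<loc>[^,]+),\s*Item count:\s*(?<n>\d+)' -and [int]$Matches.n -gt 0) {
            [pscustomobject]@{ Mailbox = $Matches.loc.Trim(); Items = [int]$Matches.n }
        }
    }
    Write-Host ("Search '{0}': {1} item(s) in {2} mailbox(es)" -f $SearchName, $search.Items, @($hits).Count)
    $hits | Sort-Object Items -Descending | Format-Table -AutoSize

    if (-not $Purge) { return }
    if ($search.Items -gt $MaxItems) {
        throw "Refusing to purge $($search.Items) items (limit $MaxItems). Tighten the query or raise -MaxItems deliberately."
    }

    # A purge action removes at most 10 items per mailbox per run; repeat until nothing is left
    do {
        New-ComplianceSearchAction -SearchName $SearchName -Purge -PurgeType $PurgeType -Confirm:$false | Out-Null
        do {
            Start-Sleep -Seconds 15
            $action = Get-ComplianceSearchAction -Identity "${SearchName}_Purge"
        } until ($action.Status -eq 'Completed' -or (Get-Date) -gt $deadline)
        Remove-ComplianceSearchAction -Identity "${SearchName}_Purge" -Confirm:$false
        Start-ComplianceSearch -Identity $SearchName        # re-run the search to see what remains
        do { Start-Sleep -Seconds 15; $search = Get-ComplianceSearch -Identity $SearchName } until ($search.Status -eq 'Completed' -or (Get-Date) -gt $deadline)
        Write-Host "Remaining items: $($search.Items)"
    } while ($search.Items -gt 0 -and (Get-Date) -lt $deadline)
}

# Report only first; add -Purge once the hit list has been reviewed
Invoke-MessagePurge -SearchName 'Phish-2018-10-Invoice4471' -Query 'subject:"Invoice 4471" AND from:billing@example.net'
```

The -MaxItems guard is the important part: a query such as subject:invoice will match far more than the phishing campaign, and the report-only run makes that visible before anything is removed.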

Content search

We can also use the Content search option in the Office 365 Security & Compliance Center. Here we specify the content locations to be searched.

Three search types are available:

New search - the default option, providing the search query parameters and conditions.

Guided search - the same options as New search, with an additional guided wizard. The rest of the search query parameters and conditions remain the same.

ID search - a targeted search driven by a CSV input file.

For an ID search the CSV must follow the format described in the TechNet article: populate the document ID column and the selected columns as mentioned there.

Once the CSV is prepared and imported, the search is ready to save and run.

After the save and run operation we get the results.

From Modify locations we can choose the locations from which data has to be fetched. This option is available only for New search and Guided search.

After specifying the location, add the search keywords, date range, sender and any other parameters needed for the search.

Once the search query has completed we can see the search results in the Searches tab.

We have an option to download the search results, and options to export the report.

Important notes:

  1. ID search is limited to mailbox items.
  2. We need to be a member of Organization Management or at least the Compliance Administrator role group in order to use this from the Security & Compliance Center.

Configure DKIM in an Office 365 environment

In this article we will go through the steps to enable DKIM in a pure Office 365 cloud environment.

For the DKIM concepts and for enabling DKIM in an on-premises environment you can follow my previous blog post.

The main difference between enabling DKIM on premises and in Office 365 is:

  1. On premises we keep the private keys on our outgoing anti-spam gateway or DKIM agent, which signs every outbound email, and we publish the public key in DNS ourselves.
  2. Office 365 instead asks customers to publish CNAME records that point to the public keys Microsoft publishes in its own DNS, which delegates the selector names in our domain to Office 365.

With the Office 365 CNAME approach the keys can be rotated whenever required without touching our DNS, because the private key is held by Microsoft and the public key is maintained in Microsoft's DNS records. We create the CNAMEs in our DNS console only once, and later only for new domains we add to Office 365.

First we enable DKIM from the Exchange admin center in the Office 365 portal: navigate to protection and click the DKIM tab.

We can enable it for the routable domains registered with Office 365, but if we enable it without first publishing the DKIM DNS records we get an error telling us the CNAME records are missing.

We have to publish the DKIM DNS records as below.

Create two CNAME records, one per selector, so that outgoing email can be signed with DKIM (two selectors let Microsoft rotate keys without an outage).

In our case we need to create the records below from the DNS hosting provider's console. The CNAME target is built from the domain name with dots replaced by dashes, followed by ._domainkey. and the tenant's initial onmicrosoft.com domain.

Host name: selector1._domainkey.exchangequery.com
Points to address or value: selector1-exchangequery-com._domainkey.exchangequery.onmicrosoft.com
TTL: 3600

Host name: selector2._domainkey.exchangequery.com
Points to address or value: selector2-exchangequery-com._domainkey.exchangequery.onmicrosoft.com
TTL: 3600

Once these two CNAME records are created, Office 365 takes care of signing all outgoing email with DKIM using its signing agents.

Now if we go to the Office 365 portal and enable DKIM, it gets enabled. Looking closer, there is also an option to rotate the DKIM keys with a single click. Normally this is not required from our side, since Office 365 rotates its keys periodically as part of its own security practice, but it is useful if a key is ever suspected to be compromised.

To verify that mail is signed with DKIM, send a test email to a Gmail account; if the message shows "signed by" your domain name, the outbound email is DKIM signed.

In the message headers we can see the DKIM status as pass.

Looking further into the message headers we can see:

Authenticated Received Chain (ARC) - a newer email authentication standard, used by Office 365, that preserves authentication results across intermediaries such as forwarders and mailing lists.
DomainKeys Identified Mail (DKIM) - if DKIM is enabled we see dkim=pass.
Sender Policy Framework (SPF) - the SPF verification result.

Also in the DKIM-Signature header we can see the selector (s=) and the signing domain (d=).

Further we can look into the DKIM signing configuration and public keys by running the below command; the Selector1CNAME and Selector2CNAME properties are the exact CNAME targets to publish:

Get-DkimSigningConfig -Identity exchangequery.com | fl

Additional general info:

Below are the possible DKIM results in the Authentication-Results message header:

  • dkim=pass - the message was signed and the signature verified.
  • dkim=fail - the message was signed and the signature or signatures were acceptable, but they failed the verification test(s).
  • dkim=none - the message was not signed.
  • dkim=policy - the message was signed but some aspect of the signature was not acceptable to the receiving domain's policy.
  • dkim=neutral - the message was signed, but the signature was not formed correctly. This is possibly a configuration error on the sending domain's side.
  • dkim=temperror - a temporary error, such as being unable to retrieve the public key for DKIM verification; retrying later may succeed.
  • dkim=permerror - the message could not be verified due to an unrecoverable error, such as a malformed signature header.
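The CNAME scheme and the header results above are easy to check by hand for one domain and one message, but not for a tenant with many domains or during an incident review. The helpers below are added here as an example and are not from the original post: Get-O365DkimCnameRecords builds (and with -Verify, resolves) the selector1/selector2 CNAME pair shown above for any custom domain, and ConvertFrom-AuthenticationResults turns an Authentication-Results header value into the spf/dkim/dmarc verdicts listed above. The sample header is constructed for this example and is not a real capture.

```powershell
# Added example, not from the original post. Two helpers: Get-O365DkimCnameRecords
# builds (and with -Verify, resolves) the selector1/selector2 CNAME pair shown above
# for any custom domain, and ConvertFrom-AuthenticationResults turns the
# Authentication-Results header into the spf/dkim/dmarc verdicts listed above so
# headers can be checked in bulk. The sample header is constructed for this example.

function Get-O365DkimCnameRecords {
    param(
        [Parameter(Mandatory)][string]$Domain,       # e.g. exchangequery.com
        [Parameter(Mandatory)][string]$TenantName,   # the part before .onmicrosoft.com
        [switch]$Verify                              # resolve the records with live DNS
    )
    $dashed = $Domain -replace '\.', '-'
    foreach ($sel in 'selector1', 'selector2') {
        $rec = [pscustomobject]@{
            Host   = "$sel._domainkey.$Domain"
            Target = "$sel-$dashed._domainkey.$TenantName.onmicrosoft.com"
            TTL    = 3600
            Status = 'not checked'
        }
        if ($Verify) {
            $cname = Resolve-DnsName -Name $rec.Host -Type CNAME -ErrorAction SilentlyContinue |
                     Where-Object Type -eq 'CNAME'
            # Querying TXT on the host follows the CNAME to the key Microsoft publishes
            $txt   = Resolve-DnsName -Name $rec.Host -Type TXT -ErrorAction SilentlyContinue |
                     Where-Object Type -eq 'TXT'
            $key   = ($txt.Strings -join '') -match 'v=DKIM1.*\bp=[A-Za-z0-9+/=]+'
            $rec.Status = if (-not $cname -or $cname.NameHost -ne $rec.Target) { 'CNAME missing or wrong' }
                          elseif (-not $key) { 'no DKIM public key at target' }
                          else { 'ok' }
        }
        $rec
    }
}

function ConvertFrom-AuthenticationResults {
    param([Parameter(Mandatory)][string]$HeaderValue)
    $out = [ordered]@{ spf = 'none'; dkim = 'none'; dmarc = 'none'; compauth = 'none' }
    foreach ($clause in ($HeaderValue -split ';')) {
        $clause = $clause.Trim()
        if ($clause -match '^(?<method>spf|dkim|dmarc|arc|compauth)=(?<result>\w+)') {
            $method = $Matches.method; $result = $Matches.result
            $out[$method] = $result
            if ($clause -match 'header\.(?:d|from)=(?<dom>[^\s;]+)') { $out["${method}_domain"] = $Matches.dom }
        }
    }
    [pscustomobject]$out
}

# The records to publish for the domain used in this post
Get-O365DkimCnameRecords -Domain 'exchangequery.com' -TenantName 'exchangequery' | Format-Table -AutoSize

# Constructed sample of the header Exchange Online stamps on an inbound message (not a real capture)
$sample = 'spf=pass (sender IP is 40.107.0.1) smtp.mailfrom=exchangequery.com; ' +
          'dkim=pass (signature was verified) header.d=exchangequery.com; ' +
          'dmarc=pass action=none header.from=exchangequery.com; compauth=pass reason=100'
$verdict = ConvertFrom-AuthenticationResults $sample
$verdict
if ($verdict.dkim -ne 'pass') { Write-Warning "DKIM did not pass: $($verdict.dkim)" }
```

Run Get-O365DkimCnameRecords with -Verify after publishing the records and before enabling DKIM in the portal; a Status of "CNAME missing or wrong" is the same condition that produces the portal error described above, and "no DKIM public key at target" means the CNAME exists but points at a name Microsoft is not serving a key for.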

Configure Microsoft Intune to secure Office 365 apps on mobile devices

Microsoft Intune is a cloud service offered with Office 365 and licensed per user. It can be configured for cloud-only users as well as hybrid users.

Intune can be used for endpoint protection, MDM, MAM, application distribution, software licence and hardware inventory reports, mobile app publishing and security monitoring.

This post focuses only on configuring Intune MDM/MAM for cloud-only users to secure the Office 365 services configured on mobile devices. Using this we can enroll mobile devices, manage devices and applications, protect corporate data and retire devices when required.

The first thing is to check which license is required for Intune and assign it to the end users:

Get-MsolAccountSku

Next we check the MDM user scope set in the Azure portal (https://portal.azure.com, Azure Active Directory > Mobility (MDM and MAM) > Microsoft Intune).

By default no users are in scope. We can create a group and assign the scope to it; this enables MDM enrollment for Android and iOS devices for those users.

Here we have three URLs:

  1. MDM/MAM terms of use URL - can be used to show the company terms of use during enrollment.
  2. MDM/MAM discovery URL - the device enrollment URL. By default it is set to the Intune enrollment URL and can be left as is if Intune is the only MDM/MAM service.
  3. MDM/MAM compliance URL - the URL shown to users to explain why a device is non-compliant when it does not meet the standards.

All the above can be customized or left blank depending on the current MDM/MAM setup. If we are rolling out MDM/MAM for the first time for all users, we can leave the discovery URL at its default and update only the terms of use and compliance URLs as per the company's security policy.


Now we need to create the below policies:

  1. Device compliance policy - to define and evaluate compliance for iOS and Android devices.
  2. Device configuration policy - for iOS and Android device management (restrictions).
  3. App protection policy - to protect the targeted apps only.
  4. Client apps - to assign curated managed apps, such as the Office 365 apps, to iOS and Android devices.
  5. A Conditional Access policy for MDM (optional) - to require the approved client app (for example Outlook for iOS/Android), require a compliant device, and restrict sign-ins by location.

Create device compliance policy:

Navigate to https://portal.office.com > Admin > Microsoft Intune to open the Intune blade.

We need to create a compliance policy for Android and iOS devices. In the Android example the minimum OS version is 7.1 and rooted devices are blocked.

Compliance policy conditions and actions for non-compliance can be created based on the requirements. A compliance policy on its own only marks the device; it is the Conditional Access policy that turns "non-compliant" into "blocked".

Create configuration policy:

Configuration policies can be created for Android, Android Enterprise and iOS; in our case we are focusing only on configuring MDM for mobile devices.

An example configuration policy for Android devices applies restrictions that protect corporate data, such as disabling screen capture and copy/paste.

App protection policy:

The app protection policy can be used to protect and enforce policy only on selected apps. This lets admins control only the corporate data, even on BYOD devices that are not enrolled in MDM.

Targeted apps can be selected here; we select only the required corporate apps.

We have policy settings that can be controlled for the targeted apps installed on the mobile phone.

For example, there is an option to choose which storage services users may save data to. These restrictions apply only to the targeted apps selected in the previous step.

Further, access requirements can be controlled based on device manufacturer, PIN attempts and so on.

Create client apps:

Intune client apps can be assigned to Android/iOS end users through the Intune Company Portal.

An example is publishing VLC player in the Intune Company Portal for Android users.

Once assigned, end users can see the app on their Android device from the Intune Company Portal app.

A Conditional Access policy for MDM can be created like below:

Select apps - create one only for Exchange Online.

A login location can be set so that user access is controlled based on physical location.

Require approved client app can be selected.

The list of Intune-enrolled devices can be seen in the portal.

Drilling down further shows all the installed apps in the Discovered apps section.

Further we can see the device compliance status. In the example my device is compliant except for the password, which I did not configure as per the password policy set for Android devices.

On the client side, the Android user needs to download the Company Portal app to access all Intune features.

  1. Example: the VLC app we published from Client apps for end users.
  2. If the device does not meet the compliance requirements we get an alert on the Devices tab.
  3. The user gets a warning when configuring email.

Notes:

  1. This post gives an overview of how to start enrolling mobile devices through Intune for Office 365 apps. Many more MDM/MAM options are available in Intune and they have to be configured based on the requirements.
  2. If an MDM solution is already in place, analyze the current end-user experience and provide the same or better.
  3. It is always recommended to test all these features in a staging tenant and evaluate the results before moving to production.
  4. It is best to roll out Intune MDM to a few pilot users first and then perform staged rollouts based on the end-user feedback.

Manage Microsoft Teams from PowerShell and the admin center

This article outlines the steps to manage Microsoft Teams from PowerShell and the admin center.

We need to download the Microsoft Teams module from the PowerShell Gallery (0.9.0 was the current version when this was written; omit -RequiredVersion to get the latest release):

Install-Module -Name MicrosoftTeams -RequiredVersion 0.9.0

Verify that the module is installed:

Get-Module MicrosoftTeams -ListAvailable

Connect to Microsoft Teams:

$cred = Get-Credential
Connect-MicrosoftTeams -Credential $cred

To view the teams:

Get-Team

To view team guest settings and team fun settings (both take the GroupId returned by Get-Team):

Get-TeamGuestSettings -GroupId <GroupId>

Get-TeamFunSettings -GroupId <GroupId>

List of Teams commands available as of now:

Get-Command -Module MicrosoftTeams

To create a new team:

New-Team -DisplayName TeamName -Description GiveDescription -AccessType private -AddCreatorAsMember:$false

Add-TeamUser takes one user per call and has no bulk parameter as of now; Microsoft is expected to add bulk operations to the Teams module. In the meantime a loop over a CSV, one Add-TeamUser call per row, does the job.

Bulk adding or removing members on the unified group associated with a team does not populate the users in the team immediately. The Microsoft Teams PowerShell module is based on Microsoft Graph, and changes made directly in Azure AD can take up to 24 hours to replicate and synchronize.

The below command can be used to bulk add users to the group associated with a team (the CSV has an ObjectId column holding each user's Azure AD object ID):

Import-Csv D:\Teams\Test.csv | ForEach-Object { Add-AzureADGroupMember -ObjectId <GroupObjectId> -RefObjectId $_.ObjectId }

The below command can be used to bulk remove users from the group associated with a team:

Import-Csv D:\Teams\Test.csv | ForEach-Object { Remove-AzureADGroupMember -ObjectId <GroupObjectId> -MemberId $_.ObjectId }

The same action can be performed via the unified group as well:

Import-Csv E:\Teams\T1.csv | ForEach-Object { Add-UnifiedGroupLinks -Identity T1 -LinkType Members -Links $_.UserPrincipalName }
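Driving membership through the Azure AD group, as above, works but leaves the team's own view lagging and gives no feedback per user. The function below is added here as an example and is not from the original post: it reconciles a team's membership against a CSV with the per-user Add-TeamUser and Remove-TeamUser cmdlets, never removes owners, and reports what the service returns afterwards. It assumes Connect-MicrosoftTeams has been run with a module version whose Get-Team supports -DisplayName, and that the CSV has a UserPrincipalName column; the team name and path are illustrative.

```powershell
# Added example, not from the original post. Reconciles a team's membership against a
# CSV using the per-user Add-TeamUser / Remove-TeamUser cmdlets in a loop, which is how
# the module has to be driven since there is no bulk parameter. Assumes
# Connect-MicrosoftTeams has been run with a module version whose Get-Team supports
# -DisplayName, and that the CSV has a UserPrincipalName column.

function Sync-TeamMembersFromCsv {
    param(
        [Parameter(Mandatory)][string]$TeamDisplayName,
        [Parameter(Mandatory)][string]$CsvPath,
        [ValidateSet('Member', 'Owner')][string]$Role = 'Member',
        [switch]$RemoveExtra   # also remove members not in the CSV (owners are never removed here)
    )
    $team = @(Get-Team -DisplayName $TeamDisplayName)
    if ($team.Count -ne 1) { throw "Expected exactly one team named '$TeamDisplayName', found $($team.Count)" }
    $groupId = $team[0].GroupId

    $wanted  = @((Import-Csv $CsvPath).UserPrincipalName | ForEach-Object { $_.Trim().ToLower() } | Sort-Object -Unique)
    $current = @((Get-TeamUser -GroupId $groupId -Role $Role).User | ForEach-Object { $_.ToLower() })

    # Add anyone in the CSV who is not already in the role; report failures per user instead of aborting
    foreach ($upn in ($wanted | Where-Object { $_ -notin $current })) {
        try   { Add-TeamUser -GroupId $groupId -User $upn -Role $Role; Write-Host "added   $upn" }
        catch { Write-Warning "failed to add ${upn}: $($_.Exception.Message)" }
    }

    # Optionally remove members that are not in the CSV, but never touch owners
    if ($RemoveExtra -and $Role -eq 'Member') {
        $owners = @((Get-TeamUser -GroupId $groupId -Role Owner).User | ForEach-Object { $_.ToLower() })
        foreach ($upn in ($current | Where-Object { $_ -notin $wanted -and $_ -notin $owners })) {
            try   { Remove-TeamUser -GroupId $groupId -User $upn; Write-Host "removed $upn" }
            catch { Write-Warning "failed to remove ${upn}: $($_.Exception.Message)" }
        }
    }

    # Membership written through Graph can lag in the Teams client; return what the service reports now
    (Get-TeamUser -GroupId $groupId -Role $Role).User
}

Sync-TeamMembersFromCsv -TeamDisplayName 'Marketing' -CsvPath 'D:\Teams\Test.csv' -RemoveExtra
```

Leaving -RemoveExtra off makes the function additive only, which is the safer default when the CSV comes from an HR export that may be incomplete.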

The new admin center for Microsoft Teams and Skype for Business now has options to manage Teams. The following are available there:

  1. Adding and updating locations data.
  2. End-user options in Teams.
  3. Meeting policies to control the available features.
  4. Org-wide settings.
  5. Meeting customization settings.
  6. An option to route real-time media traffic online.
  7. Live event policies.
  8. Global user-level policies.
  9. External access control.
  10. Guest access settings.
  11. Email integration, file sharing options and showing the organization tab to end users.
  12. Skype for Business interop, search and bots.
  13. Teams upgrade options, with Islands mode set by default.

After this we have the Call Quality Dashboard and, as the last option, the Firstline Worker configuration. According to Microsoft, the Firstline Worker configuration will be removed after October 2019; all of its features are available in Microsoft Teams and customers need to move to Teams.

The above is the list of administrative options available for Microsoft Teams as of now; they will certainly change and grow, since Microsoft is focused on enhancing Teams and bringing new features to it.

Thanks & Regards
Sathish Veerapandian

Microsoft Teams - blur your background experience

Microsoft recently added a "blur my background" feature to Microsoft Teams. It lets participants attend a meeting on the go from anywhere, such as a coffee shop, a restaurant or home, without worrying about the background, and lets the other participants focus only on the person in the meeting.

Once we have joined the meeting, there is an option to choose Blur my background.

Once enabled, the background is completely blurred. This is a very useful feature when attending a meeting from outside or from home, since we no longer have to worry about choosing the right place for a video conference.

This new AI-powered option from Microsoft uses facial detection to blur the background during video meetings.

Through its machine learning technology Microsoft has also brought intelligent meeting recording, which provides speech-to-text transcription, automatic captions and a searchable transcript. These options will be available worldwide later this year, and customers will be able to stream live and on-demand events in Teams.

Source - https://www.microsoft.com/en-us/microsoft-365/blog/2018/09/24/10-new-ways-for-everyone-to-achieve-more-in-the-modern-workplace/
