Dynamic Distribution group to regular Distribution group

I have been strugling with a “Set-CalendarProcessing” cmdlet to be able to restrict booking of meeting room using the -BookInPolicy setting.

After some (ALOT) of testing it`s clear that this setting only supports regular “Distribution groups” and therefore i cannot use the already created dynamic group created.

I therefore created this little script for copy-ing members from the Dynamic group over to the regular group!

### Copy members from dynamic distribution group to regular group"
Connect-ExchangeOnline -UserPrincipalName julian.rasmussen@idefix365.no

$users = Get-DynamicDistributionGroupMember -Identity "xAuto Meetingroom bookers"

foreach ($user in $users) {
    Add-DistributionGroupMember -Identity "xManual Meetingroom bookers" -member $user.PrimarySmtpAddress
}

MFA settings

In order to optain a secure infrastructure you need to have controll over your MFA settings. There are several settings you need to configure and know how it works.

In this post I`ll go through all settings like

Notifications

Maybe the easiest setting but yet som important.
You need to configure who will get the notification whenever there is a issue with one of your users. To do this please go here and and your desired address:
Azure Active Directory > Security > Multi-Factor Authentication > Notifications

Fraud Alert

Fraud alert is verry important to configure! This feature will block signins for the end-user when the user is deny’ing a unknown or suspicious MFA promt on their Authenticator app or phone. The user is blocked in 90 days or until a Administrator un-blocks the user.
Head into – Azure Active Directory > Security > MFA > Fraud alert
And enable the “Fraud alerts” settings on your tenant.

Account Lockout

So this Multi-Factor feature will let you configure your environment to handle MFA request attacks. Meaning that you can configure the Account Lockout settings for how many denials before triggering a account lockout and also you can configure how many minutes until the counter resets.

The settings are set here: Azure Active Directory > Security > MFA > Account lockout

These are my recomended settings for this.

Block/Unblock users

So the Block / Unblock feature is a feature that allows you to block a user it their device is stolen or lost. The user you put on this block list is blocked for 90 days or until a Administrator unblocks the user.

Block a user: Azure Active Directory > Security > MFA > Block/unblock users.
Write in UPN and a reason for blocking.

Unblock a user: Azure Active Directory > Security > MFA > Block/unblock users.
Select unblock on the user you want to unblock and write a reason for unblocking.

New MFA capabilities in Azure AD

So these day`s we all uses MFA right? But not all MFA methods are as good as we think.

There have been several cases where “SIM Swapping” or “SIM Hijacking” has been the case and therefor – can we trust using SMS for Multi-Factor Authentication?

In short notes this is how SIM Swapping is done.

  1. You loose personal information.
  2. Your information is used to gain trust at the mobile carrier to convice them to switch from current to new SIM card (the new SIM is already in the hands of the bad guy)
  3. With controll of mobile number the bad guy log`s onto your services with one-time password or completing MFA challenge.
  4. Your account is compromised

With that said, you should disable SMS as an authentication method.
See my other blog post on how that`s done!

Since you now uses Microsoft Authenticator as your primary MFA factor you get a push notification with “Allow” or “Block” access whenever the authentication is done.
At this point the bad guy start using a method called “MFA Fatigue attacks” and blasts lot`s of authentications against you, and somethimes a user clicks on “Allow” and thinks; “It`s most likely my phone or tablet or something…”.

But with the new capabilities from Microsoft within using Azure MFA you can now add “Number matching” and “additional context” to the signin (both features are in preview at the momemt (04.05.2022).

OK – so here`s how it looks!

So you see that when ever the authentication is done a number is shown and it needs to be matched on your Microsoft Authenticatior application. In addition we also see a map and location of where the authentication is getting from!

Here`s how you can configure it!

  1. Head over to portal.azure.com
  2. Navigate to Azure AD -> Security -> Authentication methods and click on “Microsoft Authenticator”
  3. Hit “Add users and Groups” and add a group or user to test with and click “Select”
  4. Then open the settings of the group and “Require number matching” and “Show additional context in notifications”

There you have it!
Next time you authenticate with a user that`s configured to this setting you will get a number matching 🙂

Elevation prompt for std. users

Ever thought about your end-users really think before clicking?

How often does your end users (who have local administrator rights in some way) just install stuff without thinking?

To start with, your end-users should not be local administrators on their machines, but many still are. If they are not all the time lot`s of companies have sollutions where end-users can elevate them self for a certain time frame.

But let`s make them think an extra time before actually installing stuff that require administrator privilegdes on their machine by forcing them to type their username and password instead of just “Yes/No”.

One way to change this is to use the Registry and force the UAC to prompt username / password.

Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "ConsentPromptBehaviorAdmin" -Value 1

for several of my customers I deploy this registry setting to the end-user using Endpoint Manager (Intune), and this is really easy!

Head into Endpoint Manager (Intune)

  1. https://endpoint.microsoft.com
  2. Dive into “Device” and and choose “Scripts” and hit “+ Add”

3. Give it a “name” and “Description” hit next.
4. Upload the script (see code block over and save it as .ps1)
5. Lett all settings be at “no”

6. Assign it to “All Devises”, next and add!

Now all your devices will get this deployed and after the next reboot your users will need to provide both username and password to be able to install something that requires administrative rights.

Reset sign-in information on guest accounts

Ever stubled over the need of changing a guest`s sign-in information on one or more guest accounts?
Well, this has been a issue for several companies and the way forward was to delete the guest accounts and re-invite them.

When doing this all access to Teams, SharePoint Online and OneDrive for business for that guest account was also deleted and they needed to be added to the resources again with the new guest account.

A new configuration within Azure AD now gives you the ability to change the E-mail address for the user and reset the sign-in information – and it`s quite easy!!

Let`s go through the config changes and change a guest account`s sign-in information.

So! I have 1 guest account “jr@ptaken.no” and this guest account have access to 1 Team.

I want to change the sign-in information for this user (at the same time as the PTaken.no company changes the UPN on their side.

So let`s change it at our side,

We edit the guest account and set the new UPN on the user on the “email” and “alternate email” attribute like this – (the old UPN was jr@ptaken.no).

When this is changed we can go ahead and re-send the guest invitation to the new address by clicking the “Invitation Accepted” button and reset invitation status.

The guest now get`s a new invitation that needs to be accepted

Now when the guest is signed into for example Microsoft Teams the account will show that he is logged in with the new UPN.

Ref.: https://docs.microsoft.com/en-us/azure/active-directory/external-identities/reset-redemption-status

A new year! Welcome 2022

After two years of “blog silence” from me, i`m no working on several new blog posts and are accelerating my community work again!

2020 and 2021 was two years where the work presure was very very high and automaticaly community work was not prioritized due to high prio on family life on all ours available after delivering my working hours.

anyhow! All that behind – and 2022 will be “The year of community” for me!

With several blog post ready, the planning of several in-person “Office 365 User Group Agder” meet-ups and also several call-for-paper delivered to conferences and communities!

2022! LET`S GO!

BitLocker issues after upgrading to Windows 11

After upgrading my machine from Windows 10 to Windows 11 (Insider) i stumbled onto an issue with BitLocker witch was not enabled anymore on my machine.

I have compliance policies in Microsoft Endrpoint Manager (Intune) witch need`s BitLocker enabled to give the machines the “Compliant” stamp.

When trying to enable BitLocker we got the error message:

So a work-arround to fix this is to delete some registry entries from this location

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE

In my system I deleted all marked entries and rebootet the machine.
After the reboot I could enable BitLocker as normal.

CosmosDB access keys

From when ever there is need to rotate access keys to your CosmosDB or any other storage service using Access keys this is the best practis method to do so.

So for CosmosDB these are the steps needed to be used.

  1. Head into Azure portal and navigate to your CosmosDB and select “keys” from the menu.
  2. rotate the “Secondary Access key” by selecting the “Regenerate Secondary Key” from the ellipsis menu
  3. Change the key used within your application to use the newly generated “Secondary Access key
  4. Head back to the Azure portal and rotate the “Primary Access key
Screenshot of the Azure portal showing how to regenerate the secondary key

After these four steps you have rotated both keys within your services and your application is now running on the secondary key. No need to switch to the primary key at this point.

Windows365 – So easy!

Windows365

Windows365 is a Cloud pc for all users and it`s so easy to start using!
In this post I will go through a setup of Windows365 Business in a cloud only tenant and show you how fantasticly easy this is!

There are some pre-requisites that need to be taken in considiration and I`l list them here

  • Azure AD – IAM
  • Maximum 300 users in your tenant
  • Microsoft Endpoint Manager (Intune) for admin/config

So with that “short” list the joker here is that you should have Intune configured allaready as that makes the Windows365 deployment soooo super easy.

Let`s first talk about licenses.

There are Windows365 Business and there is Windows365 Enterprise, as mentioned I will cover the Business version here – so let`s have a look at the different machine sizes.

The pricing is ranged between $24 for the cheapes one and $162 for the most expensive one with most vCPU`s, most RAM and biggest Storage.

  • 1 vCPU and 2GB RAM + 64 GB Storage
  • 2 vCPU and 4GB/8GB RAM + 64GB/128GB/256GB Storage
  • 4 vCPU and 16GB RAM + 128GB/256GB/512GB Storage
  • 8 vCPU and 32GB RAM + 128GB/256GB/512GB Storage

So there are some different licenses to choose from as you see. 12 of them to be exact and i`m guessing everyone can find a license fitting their needs.

In my scenario I`m using the $45 machine with the spec`s “2 vCPU, 8GB RAM and 128GB Storage” this is a machine that run`s the most of my regular work tools.

Provisioning the beauty!

So to the easy part! First off is to buy the license that you need based on your machine size – and when that`s done just simply add the licence to the user you are going to provition a cloud PC for.

That easy!

The user (maybe your own..) can simply logon to https://windows365.microsoft.com/ and access the machine 🙂 First time when you click the to connect the machine it will provition and get ready – in my case this took about 30 minutes – but after that the machine was ready for me to connect to.

about 1 hour later the machine was reporting into Intune that it`s a Compliant computer just like any other physical machine out there!

From the management pane of your cloud pc you can do actions like Restart, Reset, Rename and Troubleshoot.

De-provisioning and cleanup

This is even easier! Just remove the license from the user and the Cloud PC is removed after approximently 30 minutes.

I`m back!

So! I`m back again after not blogging, speaking or “anything” for the community for the last one and half year (since the pandemic started in Norway 12.03.2020)!

I have been spending the summer in paternity leave at home with my 1 year old son and been been recharging my batteries to full and from now on I will be starting with community work again as I feel ready to meet, great and have fun with all you fellow community people again.

The pandemic has physically drawn me down to a place where i have not been able to contribute to the community at all. I used all my energy on delivering my hours at work and spending time with my family at home.

Now that we see the end of the pandemic i feel energized and ready to work hard both from our company offices and from home when that`s needed!

Next community talk is our “Office 365 User Group Agder” meetup in Kristiansand Norway where I will be delivering the “What`s new” section. This will be a in-person event with both food and drinks complimented to our guests! SO EXITED!!

I will also work hard on getting back on stage on other conferences and meetups moving forward!

See you guys arroud – Cheers