AuthorJulian Rasmussen

Change to Opt-In in MyAnalytics

Since MyAnalytics is an “Opt-Out” feature in Office 365, some companies wants to change this behavour for their users, meaning that each users should enable this feature them self instead of the service being automatically enabled when users are created.

Changing settings in Office 365 to change this behavour:

Remove the three ticks on the MyAnalytics service window to change the default behavour for new users. removing these ticks will ensure that users need to “opt-in” their self by accessing “Myanalytics.microsoft.com” and change settings there.

And in each user can ustomize their own MyAnalytics settings by opt-in or opt-out in the dashboard “myanalytics.microsoft.com”

Remove the service from each user forcing the users to enable the service themself

#Connect to Exchange Online with MFA
Import-Module $((Get-ChildItem -Path $($env:LOCALAPPDATA+"\Apps\2.0\") -Filter CreateExoPSSession.ps1 -Recurse ).FullName | Select-Object -Last 1) #download module from Exchange Online Admin Center under "hybrid" and using IE.
#Connect to Exchange Online
Connect-EXOPSSession -UserPrincipalName julian.rasmussen@xxxxxxxxxx.no
#This will make sure when you need to reauthenticate after 1 hour that it uses existing token and you don't have to write password and stuff
$global:UserPrincipalName="julian.rasmussen@xxxxxxxxxx.no"

#check what state the users is in today
Get-UserAnalyticsConfig –Identity julian.rasmussen@xxxxxxxxxx.no

#Opt-out from service - users can opt-in again at https://myanalytics.microsoft.com/ 
Set-UserAnalyticsConfig –Identity julian.rasmussen@xxxxxxxxxx.no -PrivacyMode Opt-out

#multiple opt-out
$privacyMode = "Opt-Out"

$users = Get-Mailbox *
ForEach ($user in $users)
{
$user.Userprincipalname
$upn=$user.UserPrincipalName

Set-UserAnalyticsConfig –Identity $upn -PrivacyMode $privacyMode
Get-UserAnalyticsConfig –Identity $upn
}

S for Security in EMS – AAD Premium

Let`s start off with the EMS E3 package and that will give you access and user rights to use Azure AD Premium P1 features.

So do you need it?

Well, Azure AD Premium P1 gives you capabilities for your hybrid users to access both on-prem and cloud resources. The synchronization also provides write-back capabilities so self-service password reset for on-prem users can be achieved. Along with advanced features as Dynamic groups, self-service group management and “Microsoft Identity Manager” (on-prem identity and access management).

And one more important feature which is one of the most powerfull regarding securing your cloud services is “Conditional Access”. Yes we have “Security Defaults” witch is a free service but if you need to do some exclutions you need to upgrade to Azure AD Premium P1 to gain “Conditional Access” features.

Over to EMS E5 – that gives you several additions to the P1 license with all the Azure AD P2 features.

Those features are at the time “Azure Identity Protection” and “Priviledged Identity Management”

When going to P2 i will say that PIM is the feature you want to configure right the way as this gives you access management in a whole new level. Users who have been givven additional roles within your AzureAD does not have the role active at all time lowering the attack vector for users. When users need to use their priviledge roles they have to activate it and by adding a second factor to the activation your priviledge roles are more secure! Hey, you can also add approvers to roles so that a second person need to approve the request.

Many options on this part as you see!

As this blogg post is in a series of several posts please stay tuned for the next service within EMS and this blog post series “S for security in EMS”

S for Security in EMS – Overview
Part 1 – S for Security in EMS – Azure AD Premium
Part 2 – S for Security in EMS – Information Protection
Part 3 – S for Security in EMS – Microsoft Intune
Part 4 – S for Security in EMS – Advanced Threat Analytics
Part 5 – S for Security in EMS – Cloud App Security

S for Security in EMS

Since Enterprise Mobility + Security (EMS) is a core component of Microsoft 365 services you need to understand what services is present within the EMS package. In the same way that Microsoft 365 services comes with a E3 or E5 service level does EMS also that. I will try to give a easy and understandable overview of all the core components of EMS within the next 5 blog posts.

We will dig into all the main topics that you se in the table below.

In the table below you will see the difference between the EMS E3 and EMS E5

Service EMS E3 EMS E5
Azure AD Premium P1 P2
Azure Information Protection P1 P2
Microsoft Advanced Threat Analytics Incl. Incl.
Microsoft Intune Incl. Incl.
Cload App Security   Incl.

By now you probably trying to figure out on some questions;

Do I need EMS in my organisation?

Witch EMS subsctiption do I need?

Should we move to Microsoft 365 subscriptions?

The short answered for this is; Yes, depends and maybe. Not much of an answer but if you stay put on the next few blog posts, I will walk through the services on what it does and what it can be used for to make it a little easier to choose the right licenses for your organisation.

Part 1 – S for Security in EMS – Azure AD Premium
Part 2 – S for Security in EMS – Information Protection
Part 3 – S for Security in EMS – Microsoft Intune
Part 4 – S for Security in EMS – Advanced Threat Analytics
Part 5 – S for Security in EMS – Cloud App Security

Azure Tags

Azure tags is an important tool of marking your resources with some additional information. 

This information can be what your business requires and is not set by any templates or so. 

Keep in mind that when you start with tagging it must give you some sort of value in some reasons this is cost-related that meaning you can tag resources with a costcenter tag like 

CostCenter : BusinessApplication 
CostCenter : Human Resources 

Other departments can also be in use of tags and then i`m thinking of the Security department and their Incidence and Respond team. By adding additional information to your Azure resources, you can set an value on resources and with that also prioritize what resources to mitigate first if there is an security incident.  

Setting tags can be done at creation of the resource in the Azure Portal but also within ARM templates or you can use Azure Policy to add tags after deployments aswell.  

When adding tags to a existing resource navigate to the resource and hit the Tags pane in the menu then add a TagName and a Value of the tag. 

Going forward this can also be done when creating a new resource within the Wizard and also by ARM temlates by adding this to the “Parameter” section of your ARM temlate:

"resourceTags": {  
      "type": "object",
      "defaultValue": {
      "CostCenter": "BusinessApplication"}
      }

And this to the actual resource 

"tags": "[parameters('resourceTags')]", 

If using Azure Policy to remidiate existing resources you can use a built in policy named “Add a tag to resource” and deploy that to your subscription.  

By using Azure Policies you can also block creation of new resources without having a Tag set to the resources upon creation.  

All of these methods are powerfull methods but i like the Azure Policy methods the most as these policies can be givven a logic to it – but more on Azure Policies in another blog post. 

Keep tagging all your resources and grow your value of your assets in Azure!  

Security Defaults – a lifesaver for some and a little pain for others

So lets talk about “Security Defaults” a bit, this new feature in AzureAD who replaces “Baseline policies: ” in the Conditional Access pane within Security in AzureAD.

First of all – the baseline policies where in preview and could be changed before the feature went GA so we cant blame anyone of the service changing before production.

The Baseline policies gave us remediaton of MFA and and blocking of legacy authentication within 4 policies that everyone could use within Conditional Access, these four policies where free so no cost and that sweet!

  • Baseline Policy: Require MFA for admins (Preview)
    • Enabled MFA to all administrator roles within AzureAD
  • Baseline Policy: End user protection (Preview)
    • Enabled MFA registration to all users and required MFA for users with leaked password or other risky signins.
  • Baseline Policy: Require MFA for Service Management (Preview)
    • Require MFA for accessing the Azure Portal, Azure PowerShell modules or Azure CLI
  • Baseline Policy: Block legacy authentication (Preview)
    • Blocked the usage of legacy authentication on all services (such as pop, IMAP, native android clients etc.

For a good time now we cound enabled one or more of those 4 baseline rules – but that ends! At February 29th 2020 Microsoft will discontinue the use of Baseline policies so if you are using some of them you need to enable Security Defaults in AzureAD.

Head into portal.azure.com -> Properties -> Security Defaults and enable it.

Please not that if you have license for using Conditional Access (Azure AD Premium P1) you cannot a Conditional Accessrule without disabling Security Defaults.

And if you have Azure AD Premium P1 you should be creating the Conditional Access rules manually and that gived you several advantages such as exclude users, pinpoint to some cloud apps or exclude them and set other requiremets aswel.

Best practice says that you should always have a “Break the glass administrator” account who is excluded from all the Requirements – but please note! That account need to be monitored and high security alerts should be raised every time the account is used.

AIP is deprecated, move to Unified labels now!

At 06.01.2020 Microsoft released the deprication notice for Azure Information Protection client and Label management in the Azure portal. The service is deprecated as of March 31, 2021.

The notice is telling us that within 15 months you all need to migrate all your labels from AIP in the Azure portal over to the new Unified label experience within Office 365 portals.

You find the new label management in several places;

So heres a easy pointer on how to migrate you labels from Azure Information Protection to Unified labels within Office 365.

Navigate to portal.azure.com and head into the Azure Information Protection pane.

From there click on “Unified Labeling” in the left menu and acitvate it.

When this is done you can start using the Unified labeling clients and stop rolling out the classic Azure Information Protection client.

Please keep in mind that you need to have a specific version of Office applications installed on your machine or phone.

  • Windows Desktop – 1910 or higher
  • Mac Desktop – 16.21 or higher
  • iOS mobile – 2.21 or higher
  • Android mobile – 16.0.11231 or higher

For the licensing part here is the license requirement to use Sensitivity labels.

  • Microsoft 365 E3 or above
  • Office 365 E3 or above
  • Azure Information Protection P1

For more advanced use like Automated labeling with sensitivity labels you need to go to E5

  • Microsoft 365 E5
  • Office 365 E5
  • Azure Information Protection P2

Azure AD Connect sync issues

Now and then we get errors in our Azure AD Connect syncronization, or that said – my customers get errors.

And every now and then there is a error wich are not easy to spot what can be wrong.

In this case the sollution was not that easy – but when you think of it, it makes kind of sense sort of.

So this is the Error i got.

Other Error 
onmicrosoft.com 
Description 
Error Details 
pro perty 
Error Type 
Last Attem pted At 
Related Articles: 
Attribute 
o 
x 
The object failed synchronization. For more information, please see the error details. If the problem continues and 
cannot be fixed, please contact Microsoft Support. 
Value 
WorkflowException 
12/17/2019, PM 
1. Azure AD Connect: Troubleshooting Synchronization Errors 
user Principal Name 
Object GUID 
Synchronization Status 
Details 
Attribute Value 
0625<71 
On premises AD only 
52fde7d7eab1

Looking into Azure AD Connect it throwed a error on syncronization.

After some investigation back and forth i with the GUID who did not match the Azure AD Sync error – i found out that a deleted group was configured as a licensing group within Azure AD. Therefor when it was deleted from On-prem AD it could not be deleted in Azure AD since it still was in use.

By removing it from the license sku it removed it self on next sync.

Using the new Sensitivity labels in Teams and SharePoint

These days the preview of Sensitivity labels in Microsoft Teams and SharePoint is rolling out, and I got the new feature up and running in my tenant allready!

If you have been waiting on this feature you may have noticed that the rollout came in stages and is taking some time to be rolled out.

After opt-in to the preview feature by following the guide lines from docs.microsoft.com. You can start creating your new Sensitivity labels tailord for Office 365 groups, SharePoint sites and Microsoft Teams.

Head into Compliance center and create a new label and set the settings you want to test! In my case i created two new labels (naming is for test and to make it easy for me to divided these two :))

Basicly now you finally can block untrusted devices to gain access to higly confidential information stored within SharePoint or Teams – AND also prevent guests to be invited into the site.

For this to be working you need to be using Intune aswell so that company devices such as computers, laptops and mobile devices can be marked as compliant devices.

A usefull scenario also for this is when you only allow Limited, web only access to site or team then you block downloads from untrusted devices such as kiosk, home computers etc.

What do you think of this new feature?

I can`t wait to be going production with this!

How do I know all my users are enabled for and using MFA?

More and more organizations is taking advantage of using MFA for their users and there is no reason for them not to since it`s free for all Office 365 users and also for all Azure AD users if you are not using the Office 365 services. But after you enable it for your users, are you sure everyone is enabled?

You may have seen at the Secure Score that not all users are registred for MFA, and if you do so you have users with no MFA! So these users may be victims for bruteforce attacks so it`s super important to remediate all users to see how everything is configured! Some of the users with no MFA maybe legit and should not have it.

So let`s dig into the materials for a second or two.

First thing is that there is a “Secure Score” check for MFA registered users that will show you how many of your users which are not registered (if any)

If you have any users in that list it would not show who the users are so we need to go deeper in the material to retreive this status.

So to get the list of users who don`t have setup MFA you need to run this PowerShell command with the AzureAD PowerShell module loaded.

Connect-MsolService

Get-MSOLUser -all | where {$_.StrongAuthenticationMethods.methodtype -eq $null} | Select Displayname,UserPrincipalName,BlockCredential,LastPasswordChangeTimestamp,UserType |Out-GridView

And now that we have found all users we can check them out why they don`t use MFA and make sure that they use it 🙂

Further on we can check what method users are using when authenticating with MFA. For this I use this script located in Technet PowerShell archives HERE

If you have deployed MFA the Conditional Access way (recommended) you will see that the MFA status on all user are set to “Disabled” but the method is set to what the user are using.

Have checking status on your users! 🙂

SharePoint Online PowerShell module

To install, update og uninstall the SharePoint Online PowerShell module there are some few simple PowerShell commands you can use.

First of all, set your Execution policy to restricted

Get-ExecutionPolicy #for checking the current ExecutionPolicy setting
Set-ExecutionPolicy -ExecutionPolicy  Unrestricted

Install

 Install-Module -Name Microsoft.Online.SharePoint.PowerShell

Check current version

Get-Module -Name Microsoft.Online.SharePoint.PowerShell -ListAvailable | Select Name,Version

Update

Update-Module -Name Microsoft.Online.SharePoint.PowerShell

Uninstall

Uninstall-Module -Name Microsoft.Online.SharePoint.PowerShell

© 2021 IdefixWiki

Theme by Anders NorénUp ↑