Now and then we get errors in our Azure AD Connect synchronization, or rather, my customers get them. And every now and then there is an error where it is not easy to spot what is wrong.
In this case the solution was not that easy, but when you think of it, it makes kind of sense.
So this is the error:
Looking into Azure AD Connect, it threw an error on synchronization.
After investigating back and forth with the GUID that did not match in the Azure AD sync error, I found out that a deleted group was configured as a licensing group within Azure AD. Therefore, when it was deleted from on-prem AD it could not be deleted in Azure AD, since it was still in use.
By removing it from the license SKU it removed itself on the next sync.
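To check for this situation before (or after) an object fails to delete, the script below lists every Azure AD group that still carries a group-based license assignment, so the GUID from the sync error can be matched against it, and offers a function that removes the assignment so the next sync can delete the group. This is an added example, not the post's own script; it assumes the Microsoft.Graph PowerShell module (Get-MgGroup, Set-MgGroupLicense) rather than the older AzureAD module, and the group name is a placeholder.

```powershell
# Added example (not from the original post): find groups still used for
# group-based licensing and, if wanted, strip the license so the group can be
# deleted by the next Azure AD Connect sync.
# Assumes the Microsoft.Graph module; Group.ReadWrite.All is enough to edit licenses.
Connect-MgGraph -Scopes 'Group.ReadWrite.All'

function Get-LicensedGroups {
    # assignedLicenses is only returned when explicitly requested via -Property
    Get-MgGroup -All -Property Id, DisplayName, OnPremisesSyncEnabled, AssignedLicenses |
        Where-Object { $_.AssignedLicenses.Count -gt 0 } |
        Select-Object Id, DisplayName, OnPremisesSyncEnabled,
            @{ n = 'SkuIds'; e = { ($_.AssignedLicenses | ForEach-Object SkuId) -join ', ' } }
}

function Remove-GroupLicenseAssignments {
    param([Parameter(Mandatory)][string]$GroupId)
    $group = Get-MgGroup -GroupId $GroupId -Property Id, DisplayName, AssignedLicenses
    if ($group.AssignedLicenses.Count -eq 0) {
        Write-Host "No licenses assigned to $($group.DisplayName)"
        return
    }
    $skuIds = @($group.AssignedLicenses | ForEach-Object SkuId)
    Write-Host "Removing SKUs $($skuIds -join ', ') from $($group.DisplayName)"
    # -AddLicenses must be supplied (empty) even when only removing
    Set-MgGroupLicense -GroupId $GroupId -AddLicenses @() -RemoveLicenses $skuIds
}

# 1. Show all licensed groups; synced groups (OnPremisesSyncEnabled = True) are the
#    ones that can end up in this sync error when deleted on-prem.
Get-LicensedGroups | Sort-Object DisplayName | Format-Table -AutoSize

# 2. Match the object id from the sync error (placeholder GUID) and remediate.
$idFromSyncError = '00000000-0000-0000-0000-000000000000'   # placeholder
$hit = Get-LicensedGroups | Where-Object Id -eq $idFromSyncError
if ($hit) {
    Write-Host "Group '$($hit.DisplayName)' is still a licensing group"
    # Remove-GroupLicenseAssignments -GroupId $hit.Id   # uncomment to remediate
}
```

Removing the license assignment is exactly what the post did by hand in the portal; after it is gone, the pending delete from Azure AD Connect succeeds on the next sync cycle.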
These days the preview of Sensitivity labels in Microsoft Teams and SharePoint is rolling out, and I have the new feature up and running in my tenant already!
If you have been waiting for this feature you may have noticed that the rollout came in stages and is taking some time to be rolled out.
After opting in to the preview feature by following the guidelines on docs.microsoft.com, you can start creating your new Sensitivity labels tailored for Office 365 groups, SharePoint sites and Microsoft Teams.
Head into the Compliance center, create a new label and set the settings you want to test! In my case I created two new labels (the naming is for testing and to make it easy for me to tell the two apart :))
Basically, now you can finally block untrusted devices from gaining access to highly confidential information stored within SharePoint or Teams, AND also prevent guests from being invited into the site.
For this to work you need to be using Intune as well, so that company devices such as computers, laptops and mobile devices can be marked as compliant devices.
Another useful scenario for this is when you only allow limited, web-only access to a site or team; then you block downloads from untrusted devices such as kiosks and home computers
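The opt-in and the label creation above can also be scripted. The block below is an added example, not the post's own steps: it sets the EnableMIPLabels flag on the Group.Unified directory setting with the AzureAD module (the documented opt-in), then creates and publishes a label whose site/group settings keep the group private and block guest access, using Security & Compliance PowerShell. The label and policy names are placeholders, and the SiteAndGroupProtection* parameter names on New-Label are assumed from the cmdlet's documentation; the unmanaged-device access setting is not covered here.

```powershell
# Added example (not from the original post). Assumes the AzureAD module and the
# ExchangeOnlineManagement module (for Connect-IPPSSession).
Connect-AzureAD

# 1. Opt the tenant in: EnableMIPLabels on the Group.Unified directory setting.
#    The setting object may not exist yet, so create it from its template if needed.
$setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }
if (-not $setting) {
    $template = Get-AzureADDirectorySettingTemplate | Where-Object { $_.DisplayName -eq 'Group.Unified' }
    New-AzureADDirectorySetting -DirectorySetting $template.CreateDirectorySetting() | Out-Null
    $setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }
}
$setting['EnableMIPLabels'] = 'True'
Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting
(Get-AzureADDirectorySetting -Id $setting.Id).Values   # verify the flag reads True

# 2. Create a label for groups/sites/teams: private, no guests (placeholder names).
Connect-IPPSSession
New-Label -Name 'HighlyConfidential-Test' `
    -DisplayName 'Highly Confidential (test)' `
    -Tooltip 'Private group, guests cannot be invited' `
    -SiteAndGroupProtectionEnabled $true `
    -SiteAndGroupProtectionPrivacy Private `
    -SiteAndGroupProtectionAllowAccessToGuestUsers $false

# 3. Publish it and push the label definitions to Azure AD so groups can use them.
New-LabelPolicy -Name 'HighlyConfidential-Test-Policy' `
    -Labels 'HighlyConfidential-Test' `
    -ExchangeLocation All
Execute-AzureAdLabelSync

# 4. Check what was created
Get-Label -Identity 'HighlyConfidential-Test' |
    Select-Object Name, SiteAndGroupProtectionEnabled, SiteAndGroupProtectionPrivacy,
        SiteAndGroupProtectionAllowAccessToGuestUsers
```

Execute-AzureAdLabelSync is what makes the labels appear when creating a team or site; without it the labels exist in the compliance center but are not offered to group owners.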
More and more organizations are taking advantage of MFA for their users, and there is no reason for them not to, since it's free for all Office 365 users and also for all Azure AD users if you are not using the Office 365 services. But after you enable it for your users, are you sure everyone is enabled?
You may have seen in the Secure Score that not all users are registered for MFA, and if so, you have users with no MFA! These users may become victims of brute-force attacks, so it's super important to go through all users to see how everything is configured! Some of the users with no MFA may be legit and should not have it.
So let's dig into the material for a second or two.
First, there is a "Secure Score" check for MFA-registered users that will show you how many of your users are not registered (if any).
If you have any users in that list it will not show who the users are, so we need to go deeper into the material to retrieve this status.
So to get the list of users who don't have MFA set up, you need to run this PowerShell command with the AzureAD PowerShell module loaded.
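The post's own command is not reproduced on this page. As an added example (not the author's command), the script below produces that list with the MSOnline module's Get-MsolUser, because the per-user StrongAuthenticationMethods property lives in that module rather than in the AzureAD module the post mentions. It also summarises which methods the registered users have, so SMS-only registrations stand out. The export path is a placeholder.

```powershell
# Added example (not from the original post). Assumes the MSOnline module.
Connect-MsolService

function Get-UsersWithoutMfa {
    # Users with no MFA method registered. Sign-in-blocked accounts are skipped
    # unless -IncludeBlocked is given, since they cannot be brute-forced anyway.
    param([switch]$IncludeBlocked)
    Get-MsolUser -All |
        Where-Object { $IncludeBlocked -or -not $_.BlockCredential } |
        Where-Object { $_.StrongAuthenticationMethods.Count -eq 0 } |
        Select-Object DisplayName, UserPrincipalName, IsLicensed,
            @{ n = 'PerUserMfaState'; e = {
                if ($_.StrongAuthenticationRequirements.Count -gt 0) {
                    $_.StrongAuthenticationRequirements[0].State   # Enabled / Enforced
                } else { 'Disabled' } } }
}

function Get-MfaMethodSummary {
    # Registered users and their default method; OneWaySMS/TwoWayVoice defaults
    # are the weaker ones worth nudging towards the Authenticator app.
    Get-MsolUser -All |
        Where-Object { $_.StrongAuthenticationMethods.Count -gt 0 } |
        ForEach-Object {
            [pscustomobject]@{
                UserPrincipalName = $_.UserPrincipalName
                DefaultMethod     = ($_.StrongAuthenticationMethods | Where-Object IsDefault).MethodType
                AllMethods        = ($_.StrongAuthenticationMethods.MethodType -join ', ')
            }
        }
}

$noMfa = @(Get-UsersWithoutMfa)
"{0} enabled users have no MFA method registered" -f $noMfa.Count
$noMfa | Sort-Object UserPrincipalName | Format-Table -AutoSize
$noMfa | Export-Csv -Path 'C:\Temp\users-without-mfa.csv' -NoTypeInformation   # placeholder path

Get-MfaMethodSummary | Group-Object DefaultMethod | Select-Object Name, Count
```

The exported list is the one to walk through by hand: service and shared mailboxes that legitimately have no MFA can be excluded, and everyone else should be registered or blocked from interactive sign-in.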
En route! I'm on my way to Orlando as we speak (write). I'm so excited to meet the HUGE community present at Microsoft Ignite and can't wait to meet friends and new people in the community. That said, there is mucho to do this week!
I'm arriving at my hotel late Sunday and preparing to head into the OCCC EARLY to try to get a space for Satya's keynote in The Hub at OCCC.
Get my luggage
Check in at MS Ignite at Orlando airport (rumor says there is almost no queue there)
Grab an Uber straight to the hotel
Go to sleep fast
Get up early and head directly over to OCCC
Enjoy Ignite! 🙂
That said, I have thought about how to store, use and structure all the information and knowledge I get this week.
My plan is to use OneNote for taking notes on stuff from sessions and elsewhere, use Microsoft To-Do to add tasks that I need to follow up on, LinkedIn for connecting with all the great community people, and of course Twitter to follow the great speakers and people I meet at the conference.
Well.. it's not that big of a problem, or yes it is! There are too many sessions I want to be at at the same time. As a first-timer at Ignite this will be a lot of fun, and I'm looking forward to meeting a lot of people and learning much new stuff!
So over to the problem: I have added all the sessions I want to experience, and I now have up to 8 sessions at the same time at almost all hours throughout the week. So now comes the work of fixing my schedule for the week. The good thing is that we can watch almost all content on video on demand after the conference 🙂
Even though it's my first time at Ignite, I have some tips!
The next one is almost as simple as the first one and is enabled in just a few minutes.
Navigate to "protection.office.com" and authenticate, go to "Threat Management" and "Policy", then click "Anti-malware". Edit the default policy and go to settings; under "Common Attachment Types Filter" set the toggle to "On". You're done! 🙂
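The same toggle can be set from Exchange Online PowerShell, which is handy when there is more than one anti-malware policy or when you want to confirm the state across tenants. This is an added example, not the post's own steps; it assumes the ExchangeOnlineManagement module, and the extra extensions added at the end are placeholders.

```powershell
# Added example (not from the original post). Assumes the ExchangeOnlineManagement module.
Connect-ExchangeOnline

function Get-AttachmentFilterState {
    # EnableFileFilter is the "Common Attachment Types Filter" toggle from the GUI
    Get-MalwareFilterPolicy |
        Select-Object Name, IsDefault, EnableFileFilter,
            @{ n = 'BlockedTypeCount'; e = { $_.FileTypes.Count } }
}

"Before:"
Get-AttachmentFilterState | Format-Table -AutoSize

# Turn the filter on for every policy that still has it off, not only 'Default',
# since custom policies scoped to groups would otherwise keep letting the types through.
Get-MalwareFilterPolicy | Where-Object { -not $_.EnableFileFilter } | ForEach-Object {
    Write-Host "Enabling common attachment filter on policy '$($_.Name)'"
    Set-MalwareFilterPolicy -Identity $_.Identity -EnableFileFilter $true
}

# Optionally extend the built-in list; keep the existing entries and add a few more
# (placeholder extensions chosen here, adjust to what your organisation never needs by mail).
$extra   = @('iso', 'img', 'vhd')
$default = Get-MalwareFilterPolicy -Identity Default
$types   = @($default.FileTypes) + $extra | Select-Object -Unique
Set-MalwareFilterPolicy -Identity Default -FileTypes $types

"After:"
Get-AttachmentFilterState | Format-Table -AutoSize
```

Running the state function before and after gives a quick audit trail, and re-running it later catches a policy someone switched back off in the portal.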
3. Use a separate account for administrative tasks
A simple thing to do: if you have administrative privileges on your account you should create a separate admin account, which is protected with MFA of course. This can also be mitigated using the paid service Azure AD Privileged Identity Management; more on that service in a later blog post.
4. Block Auto-forwarding on email accounts
By blocking auto-forwarding on email accounts you mitigate the attack vector where an account is breached and the bad guys set up forwarding of emails to gain information about the company and how people collaborate. This is the start of an advanced phishing attack.
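Blocking forwarding is two steps in practice: find out who already forwards mail out (a compromised account may have done so before you got to it), and then switch automatic external forwarding off tenant-wide. The script below is an added example, not the post's own commands; it assumes the ExchangeOnlineManagement module and sets both the outbound spam policy switch and the older remote domain switch.

```powershell
# Added example (not from the original post). Assumes the ExchangeOnlineManagement module.
Connect-ExchangeOnline

function Get-MailboxForwarding {
    # Mailbox-level forwarding, set by an admin or via Outlook's "forward my email"
    Get-Mailbox -ResultSize Unlimited |
        Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
        Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward
}

function Get-ForwardingInboxRules {
    # Inbox rules that forward or redirect: the usual place an attacker hides
    # forwarding after a breach, since it does not show on the mailbox itself.
    foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
        Get-InboxRule -Mailbox $mbx.UserPrincipalName |
            Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
            Select-Object @{ n = 'Mailbox'; e = { $mbx.UserPrincipalName } },
                Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo
    }
}

# 1. Audit: anything listed here deserves a look before forwarding is blocked,
#    because blocking stops the mail flow but does not remove the rule.
"Mailbox forwarding:"
Get-MailboxForwarding | Format-Table -AutoSize
"Inbox rules that forward or redirect:"
Get-ForwardingInboxRules | Format-Table -AutoSize

# 2. Block automatic forwarding to external recipients for the whole tenant.
#    AutoForwardingMode Off in the outbound spam policy is the current control;
#    AutoForwardEnabled on the default remote domain is the older one. Set both.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# 3. Verify
Get-HostedOutboundSpamFilterPolicy -Identity Default | Select-Object Name, AutoForwardingMode
Get-RemoteDomain -Identity Default | Select-Object Name, AutoForwardEnabled
```

Keep the audit functions as a scheduled check: a new forwarding rule appearing on a mailbox is one of the clearest signs that an account has been taken over, and it is cheap to detect.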