Now and then we get errors in our Azure AD Connect synchronization, or that said – my customers get them. And every now and then there is an error where it is not easy to spot what can be wrong.
In this case the solution was not that easy – but when you think of it, it makes kind of sense.
So this is the error:
Looking into Azure AD Connect, it threw an error on synchronization.
After investigating back and forth with the GUID which did not match the Azure AD sync error, I found out that a deleted group was configured as a licensing group within Azure AD. Therefore, when it was deleted from on-prem AD, it could not be deleted in Azure AD since it was still in use.
By removing it from the license SKU, it removed itself on the next sync.
More and more organizations are taking advantage of MFA for their users, and there is no reason for them not to, since it's free for all Office 365 users and also for all Azure AD users if you are not using the Office 365 services. But after you enable it for your users, are you sure everyone is enabled?
You may have seen in the Secure Score that not all users are registered for MFA, and if so you have users with no MFA! These users may be victims of brute-force attacks, so it's super important to remediate all users and see how everything is configured! Some of the users with no MFA may be legitimate and should not have it.
So let's dig into the material for a second or two.
First, there is a "Secure Score" check for MFA-registered users that will show you how many of your users are not registered (if any).
If you have any users in that list it will not show who the users are, so we need to go deeper into the material to retrieve this status.
So to get the list of users who don't have MFA set up, you need to run this PowerShell command with the AzureAD PowerShell module loaded.
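As an added example (not the command from the original post), the script below builds that per-user list. It assumes the MSOnline module rather than the AzureAD module, because Get-MsolUser is the cmdlet that exposes the registered StrongAuthenticationMethods and the per-user MFA state; the output file name is my own choice.

```powershell
# Added example, not from the original post. Lists every enabled user with no
# MFA method registered, using the MSOnline module (assumed installed).
Connect-MsolService   # interactive sign-in as a Global Administrator

# Enabled (not sign-in blocked) accounts only; blocked accounts cannot sign in anyway.
$users = Get-MsolUser -All | Where-Object { $_.BlockCredential -eq $false }

$report = foreach ($u in $users) {
    $methods = $u.StrongAuthenticationMethods
    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        DisplayName       = $u.DisplayName
        IsLicensed        = $u.IsLicensed
        # Per-user MFA state ("Enabled"/"Enforced") if one is set, otherwise "Disabled".
        # A user can be "Enforced" here and still have zero registered methods.
        PerUserMfaState   = if ($u.StrongAuthenticationRequirements.Count -gt 0) {
                                $u.StrongAuthenticationRequirements[0].State
                            } else { 'Disabled' }
        MethodCount       = $methods.Count
        DefaultMethod     = ($methods | Where-Object { $_.IsDefault }).MethodType
    }
}

# The ones Secure Score is counting: no method registered at all.
$noMfa = $report | Where-Object { $_.MethodCount -eq 0 }
$noMfa | Sort-Object UserPrincipalName | Format-Table -AutoSize

# Keep a copy so you can mark which rows are service accounts that legitimately
# stay without MFA and which are real users to remediate.
$noMfa | Export-Csv -Path .\users-without-mfa.csv -NoTypeInformation
```

MethodCount is the number that matters for the Secure Score check; PerUserMfaState is included because "Enforced" with zero methods means the user will be prompted to register at next sign-in, which is a different follow-up than a user who has no requirement at all.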
En route! I'm on my way to Orlando as we speak (write). I'm so excited to meet the HUGE community present at Microsoft Ignite and can't wait to meet friends and new people in the community. That said, there is mucho to do this week!
I'm arriving at my hotel late Sunday and preparing to head into OCCC EARLY to try to get a space for Satya's keynote in The Hub at OCCC.
Get my luggage
Check in at MS Ignite at Orlando airport (rumors say there is almost no queue there)
Grab an Uber straight to the hotel
Go to sleep fast
Get up early and head directly over to OCCC
Enjoy Ignite! 🙂
That said – I have thought about how to store, use and structure all the information and knowledge I get this week.
My plan is to use OneNote for taking notes on stuff from sessions and all over, use Microsoft To-Do to add tasks that I need to follow up on, LinkedIn for connecting with all the great community people, and of course Twitter to follow the great speakers and people I meet at the conference.
Well.. it's not that big of a problem, or yes it is! There are too many sessions I want to be at at the same time. As a first-timer at Ignite this will be a lot of fun and I'm looking forward to meeting a lot of people and learning much new stuff!
So over to the problem: I have added all the sessions I want to experience and I now have up to 8 sessions at the same time at almost all hours throughout the week. So now the work of fixing my schedule for the week. Good thing is that we can watch almost all content on video on demand after the conference 🙂
Even though it's my first time at Ignite, I have some tips!
So in the previous post I went through how to activate MFA for Administrator roles in a really simple and effective way.
In this post we will focus on activating MFA for all regular users. First of all we need to evaluate who should be activated first, or whether we should activate all users at the same time, and do an evaluation of service accounts! If we enable MFA on, for example, a service account used for scan-to-email on "multi-functional printers", or on a mailbox account which is used by a third-party ticketing system (POP/IMAP), we could break those services by just enabling MFA on
My recommendation is that when you have more than 30 users in your company you should select a few ambassadors who get MFA activated first and can therefore be the power users who help others with the registration if there are any hiccups (there should not be many).
And to activate MFA for end users I highly recommend using Conditional Access for all users and excluding an Azure AD group which contains a "break the glass" admin and other service accounts.
All cloud apps (no exceptions)
Grant access – but require MFA
Easy as that! And it's a really quick solution for your company.
The drawback is that you need "Azure AD Premium P1" licenses to use Conditional Access, and a second drawback is that it's not scored at the Microsoft Secure
A public folder in Office 365 Hosted Exchange will be assigned an @onmicrosoft.com address by default, and there is of course no way of changing this to your primary domain.
Connect to the Windows Azure Active Directory Module for Windows PowerShell using the following commands.
Create a placeholder for your credentials:
$LiveCred = Get-Credential
A popup box will ask for your Office 365 Global Administrator credentials.
Create a placeholder for your PowerShell session towards Exchange Online.
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
Import your PowerShell session to connect to Exchange Online.
Import-PSSession $Session
Run this command to allow all scripts:
Then run the following command to disable the policy for assigning email addresses in public folders.
Set-MailPublicFolder -Identity "\" -EmailAddressPolicyEnabled $False
Now, in your Office 365 tenant web admin go to Exchange – Public Folders – highlight the public folder (mail-enabled) – click the pencil (edit) – click on Email Address – highlight the address you want to use as default – click the pencil – check the default email address checkbox.
Save, close and test.
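The same procedure done end to end in PowerShell, as an added example that is not part of the original post. It assumes the ExchangeOnlineManagement module and Connect-ExchangeOnline (modern authentication) in place of the Basic-auth remote session shown above, which Exchange Online no longer accepts, and it replaces the ECP click-through with Set-MailPublicFolder. The folder path and the new address are placeholders.

```powershell
# Added example, not from the original post. Gives a mail-enabled public folder
# a primary address on your own domain instead of the default @onmicrosoft.com one.
# Assumes the ExchangeOnlineManagement module; folder path and address are placeholders.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in as a Global or Exchange Administrator

$folder     = "\Helpdesk"                  # placeholder: path of the mail-enabled public folder
$newPrimary = "helpdesk@contoso.example"   # placeholder: address on a verified primary domain

$pf = Get-MailPublicFolder -Identity $folder
"Before: {0}" -f $pf.PrimarySmtpAddress

# 1. Stop the email address policy from managing this folder. While it is
#    enabled, a manually set primary address is overwritten by the policy.
Set-MailPublicFolder -Identity $folder -EmailAddressPolicyEnabled $false

# 2. Add the new address, then make it the primary (the "default" checkbox in ECP).
#    The old @onmicrosoft.com address stays as a secondary proxy address, so
#    mail already sent to it still arrives.
Set-MailPublicFolder -Identity $folder -EmailAddresses @{Add = $newPrimary}
Set-MailPublicFolder -Identity $folder -PrimarySmtpAddress $newPrimary

# 3. Verify: the primary should now be the new address, with the old one
#    listed as a lowercase "smtp:" secondary entry.
$pf = Get-MailPublicFolder -Identity $folder
"After:  {0}" -f $pf.PrimarySmtpAddress
$pf.EmailAddresses

Disconnect-ExchangeOnline -Confirm:$false
```

The domain in $newPrimary must already be verified in the tenant, otherwise the second Set-MailPublicFolder call is rejected; that is the same rule the ECP dialog enforces.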
Lately Microsoft has changed its layout in Office 365, and in that same change made it harder to find the Exchange Control Panel (ECP).
At the moment the easiest way to open ECP is to log in to your Office 365 Outlook Web Access.
Then, change the URL from something like this: https://pod51049.outlook.com/owa/ to this: https://pod51049.outlook.com/ecp/
As you can see, you change OWA to ECP and you're in!