Cloud App Security offers the ability to leverage Conditional Access for Exchange Online and SharePoint Online but how do we configure this functionality?
Let’s start with your Azure Portal and browse to Conditional Access –> New Policy
Conditional Access
So as I previously mentioned this control only works for Exchange Online and SharePoint Online so you will need to select;
Under Session, you need to select Conditional Access App Control and as you can see below we only have 3 options
– Monitor only (Preview) – Block downloads (Preview) – Use custom policy…
Session
For the purpose of this post, I am going to just Monitor what happening their Cloud App Security to discover what’s happening within my tenancy.
Once the policy is enabled, sign into Exchange Online or SharePoint Online and you will be welcome by the below message. This demonstrates that Conditional Access App Control is now in place.
Welcome to Conditional Access App Control
From you Cloud App Security console you will be able to see this activity and all future activities
Recently my partner and I allowed our daughter to have her very first mobile but as a Security Consultant within the world of IT, I wanted to make sure that we could protect her and also ourselves. As you hear horror stories all the time with children building up hundreds of pounds of mobile phone charges.
After a bit of research and testing, I realized I could easily protect our child using native a application from the Google Play store.
The Family Link app from Google helps parents stay in the loop as their child or teen explores on their Android device, and lets parents set certain digital ground rules for their family.
With Family Link you can perform the following; – Check your child location using Location Services on their Android phone – Check what applications your child is using and how long for – Lock the device if your child device is lost, or if you want to prevent usage – Set daily screen time limits – Set bedtime screen access – Check what applications have been installed if you dont set “Adult Approval for Applications from Play Store”
As parents we are always concerned what our child can access from their mobile devices
With Family Link you can prevent; – Access to Age rated applications that are not appropriate for your child – Block mature sites
Common Questions
Will my child be able to use their phone when locked in case of an emergency?
Yes, your child will be able to make phone calls to emergency services or favorite contacts from their device.
Is my child device compatible for Family Link?
Family Link runs on Android devices running version 7.0 (Nougat) and higher devices running Android versions 5.0 and 6.0 (Lollipop and Marshmallow) may also be able to run Family Link. You will need to check the Google Help Center for more details.
What child age is Family Link targeted at?
Parents can also use Family Link to create a Google Account for their child under 13 (or the applicable age in your country). Once complete, children can sign-in to their device with their new account.
Can I add accounts to Family Link I have already created for my child(ren)?
If a child/teen already has a Google account, Family Link will walk their parent through linking their account to their child’s account. As part of that process, the child/teen may also need to download the Family Link (Child/Teen) app on their phone to complete the process of linking the accounts.
Once the accounts are linked, parents can use Family Link to help them do things like keep an eye on screen time and manage the content they use.
If your child is using Andriod device today, go and get Family Link.
The following post contains the new features and updated features from August 2019. This post enables you to quickly glance at the Microsoft Teams Roadmap based on the latest information provided from Microsoft.
One thing I have included in this month round up is Microsoft Bookings as it now integrates with Skype and Teams.
Microsoft Bookings has recently come to my attention as Bookings will integrate with Teams and Skype meeting capabilities. This will enable businesses to set up services with online Skype/Teams meeting enabled. A meeting link will be added to the booking invite which customers can use to join the appointment.
This feature is being rolled out Worldwide (Standard Multi-Tenant), Online, Exchange, Education tenants.
What is Microsoft Bookings?
Microsoft Bookings is an online and mobile app for small businesses who provide services to customers on an appointment basis. Examples of businesses include hair salons, dental offices, spas, law firms, financial services providers, consultants, and auto shops.
Bookings has three primary components:
A booking page where your customers can schedule appointments with the staff member who should provide the service. You can show this page on Facebook, where your customers can schedule appointments, or your own web site.
A set of web-based, business-facing pages where business owners can record customer preferences, manage staff lists and schedules, define services and pricing, set business hours, and customize how services and staff are scheduled
A business-facing mobile app where business owners can see all of their bookings, access customer lists and contact information, and make manual bookings
Is Booking enabled for subscription?
Bookings are turned on by default for customers who have the Office 365 Business Premium, or Office 365 A3 and Office 365 A5 subscriptions. Bookings is also available to customers who have Office 365 Enterprise E3 and E5, but it is turned off by default.
Enabling Booking
Get the free Microsoft Bookings add-on for Enterprise subscriptions
If you subscription is Office 365 for Business, Office 365 Enterprise E3 or E5, the Microsoft Bookings app offered through the Business Apps (free) add-on is off by default. Follow these steps to get licenses and assign to your users.
Turn Bookings off for your entire organization using Exchange Online PowerShell
If
you don’t have access to the Bookings setting in Microsoft 365 admin
center, you can turn off Bookings by running the following command in
PowerShell.
In this example I have local Active Directory with AAD Connect installed one of the Azure Region, which sync users and password hash to Office 365. I have now decided to migrate the authentication from local Active Directory to Office 365 and decommission on-premises Active Directory.
Azure Active Directory Connect Diagram
In order to transition from on-premises “Synced Identity” to “In Cloud Identity”, we will need to complete the following process.
Sign into the AAD Connect Server and Sync the Delta
The following command performs a sync of all AD Objects before attempting to convert into Cloud Only.
1
Start-ADSyncSyncCycle Delta
Turn off AAD Connect Sync
The following command turns off Azure Active Directory Connector while we perform all the following tasks. In this post I have outlined all steps which can be taken to convert AD Users account into Cloud Only.
1
Set-MsolDirSyncEnabled -EnableDirSync $false
Convert Single User to Cloud Only
The following command converts a single user into a Cloud Only account
Foreach($user in $csv) { Set-MsolUser -UserPrincipalName $user.UserPrincipalName -ImmutableID $immutableID }
Turn on Azure Active Directory Connect Sync
Once you have completed all the required conversions of AD accounts to Cloud. Head back to your local Active Directory, move user(s) to an OU that isn’t synchronized using AADC.
This helps you as an IT Pro understand who has been converted at a quick glance now not worry about using PowerShell to discovery who is or isn’t.
The following command turns on Azure Active Directory Connector now that we have converted the users accounts to Cloud Only
1
Set-MsolDirSyncEnabled -EnableDirSync $true
Enable Force Sync if the Sync didn’t work
1
Start-ADSyncSyncCycle -PolicyType Initial
If you are using an ADFS Server there is an additional step providing you have moved all your users to the Cloud. You will need to change the Federated Domain to Standard Domain
All that is left now is to log in as one of the converted users to prove Single Sign-On is working and logon as a Global Admin into Office 365 to check the sync status of the users has a pretty cloud for “In-Cloud”
So I have been recently cleaning up my test lab Azure Active Directory and accidentally removed a device which I was still actively using within my tenant. I received the following error;
“Your organization has deleted this device. To fix this, contact your system administrator and provide error code 700003”
When trying to access organizational resources
In order to resolve this issue, you need to complete the following steps
– Remove the Work account from the Windows 10 device under your account –> Access Work or School and remove the account – Open command line or PowerShell windows with Admin rights – Enter the following command; – dsregcmd /leave
dsregcmd /leave
Enter command: “dsregcmd /status” to check if the system is now left the Azure AD
dsregcmd /status
You will now been able to register your device and access your organisation once again.
Azure Update Manager allows customers manage their Azure VM and on-premises devices using an agent called (MMA) Microsoft Monitoring Agent. The client will by default check if its compliant every 12 hours and the agent initiates a scan to check for update compliance within 15 minutes of the agent being restarted, before an installation and after update installation.
Azure Update Manager only supports the following OS for patch cycles
Supported Client Types
Operating System
Notes
Windows Server 2008, Windows Server 2008 R2 RTM
Supports only update assessments.
Windows 2008 R2 SP1 and later (including Windows Server 2012 and 2016)
.Net Framework 4.5.1 or later is required Windows Powershell 4.0 or later is required Windows PowerShell 5.1 is recommended for increased reliability.
CentOS 6 (x86/x64) and 7 (x64)
Linux agents must have access to an update repository. Classification-based patching requires ‘yum’ to return security data which CentOS doesn’t have out of the box. For more information on classification-based patching on CentOS
Red Hat Enterprise 6 (x86/x64) and 7 (x64)
Linux agents must have access to an update repository.
SUSE Linux Enterprise Server 11 (x86/x64) and 12 (x64)
Linux agents must have access to an update repository.
Ubuntu 14.04 LTS, 16.04 LTS, and 18.04 (x86/x64)
Linux agents must have access to an update repository.
Unsupported Client Type
Operating System
Notes
Windows Client
Client operating systems (such was Windows 7 and Windows 10 arent supported.
Windows Server 2016 Nano Serverq
Not Supported
However, the Windows Client arent supported for patch management. The MMA agent can be installed if you just require update reporting using Azure Monitor.
Where do I start in configuring Azure Update Management?
The first thing we need is an Azure Automation Account
You will need to provide details as specified below
Please Note:
Log Analytics Workspace is required later in this process and its only currently available in the following locations;
Australia Southeast Canada Central Central India East US Japan East Southeast Asia UK South West Central US West Europe West US 2
Once the account has been created, select the newly account and go to Update Management Section and Update Management. This will show the Location you specified, Log Analytics Workspace subscription and you can now create the Log Analytics Workspace.
Configure Automation Account for Update Management
Once you press Enable, you’ll receive a message that “The installation of the Update Management solution is in progress.”
Enable Update Management with Log Analytics Workspace
Now we have successful created the Log Analytics Workspace you will be able to build the “Schedule Update Deployment” as shown below
Update Management – Schedule Update Deployment
Now we can get down with the nit and gritty of configuring deployment schedules based on your own requirement. This section will be configured down to personal preference for my Test Lab Machine.
Please Note:
The following information will only reference Windows Operating System, Linux is also available but will not be discussed.
Groups to update
In this section, you can filter the machines you would like to manage using Azure Update Management. This also includes the Non-Azure machines feature which is currently In Preview at the time of this post.
In this sectrion, depending how you are providing your client machines into the Azure Portal, you can use one of the three Types to select your machines
Saved Searches
Imported groups (AD,WSUS,SCCM)
Machines
Machines to update
Update classifications
In this section, you can select 8 individual classifications based on your requirements.
Critical updates
Security updates
Update rollups
Feature packs
Service packs
Definition updates
Tools
Updates
Select the type of update classifications you would like to apply to your client machines.
Include/Exclude updates
In this section you can Include or Exclude particular Microsoft update using the KB number without the KB prefix.
Schedule settings
In this section, you can specify the require schedule whether its run once or needs to recurrence cycle.
Pre-scripts + Post-scripts
In this section, Pre-scripts and Post-scripts are tasks that can be automatically executed before or after an update deployment run. You can configure up to one Pre-script and Post-script per deployment.
Finishing touches
Maintenance Window – To set the maintenance window, the duration must be a minimum of 30 minutes and less than 6 hours. The last 20 minutes of the maintenance window is dedicated for machine restart and any remaining updates will not be started once this interval is reached. In-progress updates will finish being applied
Reboot options – There are currently 4 reboot options available
Global VNet Peering? This function has recently come to my attention while working with an international customer who is in the process of integrating into their new owners Azure Active Directory. Global VNet peering enables resources in your virtual network to communicate across Azure regions privately through the Microsoft backbone. Resources communicate directly, without gateways, extra hops, or transit over the public internet. This allows a high-bandwidth, low-latency connection across peered virtual networks in different regions.
Example of Vnet Peering between Regions
You can use Global VNet Peering to share resources within a global, private network. You can then easily replicate data across regions for redundancy and disaster recovery.
In my case I was integrating the Active Directory Domains and using Azure Active Directory Connector located in primary region to synchronize the AD Objects from one domain into the other. This approach provided a quick and simply migration without really complexity.
Global Vnet Peering is only currently supported for the following regions.
Americas: West Central US (Wyoming), West US 2
(Washington), Central US (Iowa), US East 2 (Virginia), Canada Central
(Toronto), Canada East (Quebec City)
Asia Pacific: Southeast Asia (Singapore) Korea South (Buscan), South India (Chennai), Central India (Pune), West India (Mumbai)
Europe: UK South (London), UK West (Cardiff), West Europe (Netherlands)
Cost of VNET Peering within the same region
Inbound data transfer
$0.01 per GB
Outbound data transfer
$0.01 per GB
Cost of Global VNET Peering
Zone 1
Zone 2
Zone 3
US Gov
Inbound data transfer
$0.035 per GB
$0.09 per GB
$0.16 per GB
$0.044 per GB
Outbound data transfer
$0.035 per GB
$0.09 per GB
$0.16 per GB
$0.044 per GB
Virtual Network TAP preview
Virtual Network TAP is a feature that allows customers to
enable mirroring of their virtual machine network traffic to a packet
collector.
Global
US Gov
VTAP
$0.0125 per hour
$0.0125 per hour
IP addresses
Public IP addresses, and reserved IP addresses can be used in
services running inside a virtual network. They carry a nominal charge
as outlined here
VPN Gateways
A virtual network can have one or more VPN gateways to connect back to on-premises network or other virtual networks in Azure. The VPN Gateway is charged as detailed here
One of the many cool things about Microsoft Intune is the granular configuration of Windows 10 devices using the native functions available us today. In this little post we will look at just how easy is it to create a corporate Windows 10 layout and publish to all of your client desktops automatically.
The general prerequisites for this feature is that your Windows 10 desktops are synchronized and present in Azure Active Directory.
Export the Start Layout
When you have the Start screen layout that you want your users to see, use the Export-StartLayout cmdlet in Windows PowerShell to export the Start screen to an .xml file.
From Start, open Windows PowerShell.
At the Windows PowerShell command prompt, enter the following command:
Once you have an exported Start Layout you can use the XML file to apply this start layout to your entire organization using Microsoft Intune. Browse to your Intune Portal and go to Device Configuration –> Profile
Hopefully you may already have a Windows 10 – Device Restriction Profile.
If not, dont worry you will just have to create a new profile for Windows 10 and Device Restrictions.
Device Configuration Profiles
Once in the profile properties, go to Settings and look for “Start” as at this point you can upload your Windows 10 start menu layout. If you may chose you will also be able to affect the look of the start menu by blocking or hide elements on the menu. For example you can block Fast Switching and hide File Explorer from the Start.
Device Restriction Profile for Start Menu Settings
Once you have saved your configured and your Windows 10 device has checked in, it will receive your new and improved Start Menu
As the power of Microsoft Intune grows with great force, in this blog post we are going to look at how to install Google Chrome and manage via Microsoft Intune. I have been recently looking how to leverage Microsoft Intune for more than just Microsoft based tooling and Google Chrome can be installed and managed for Windows 10 desktop estate.
First of all, we need to log into your Azure Portal and go to the following location;
Microsoft Intune
Client Apps
Add
Microsoft Intune –> Client Apps –> Add
Line-of-business app
App Type
Now we need to select the GoogleChromeStandaloneEnterprise msi located within the zip file package
Google Chrome Enterprise PackageApp package file
You will now need to populate a bit of information under App information field below App package files before being able to assign Google Chrome to all your enterprise or selected security groups.
As you can see from the image below I have targeted several security groups within my personal tenant and make the app required for all users / all devices.
Make sure you save you configured as you exit this configuration.
Next to Devices configuration – Profiles, click Create profile.
Enter the following text in these fields:
Field
Text to enter
Name
Windows 10 – Chrome configuration (or use any descriptive name)
Description
Enter a description (optional)
Platform
Windows 10 and later
Profile type
Custom
Settings
Custom (select from drop-down list)
Selecting Custom in the step above opens a new menu for OMA-URI settings. Click Add to add specific policies you can configure and enter the following text:
