Autopilot – Provisioning information could not be located. Contact the customer IT admin to troubleshoot

I have recently been running into the following issue when using the white-glove experience for Windows Autopilot. The error occurs around the 14-minute mark, when “Registering the device for mobile management”.

Device preparation
Windows Autopilot Configuration

This issue is caused by multiple MDM enrollment applications being defined within the Mobility (MDM and MAM) window within your Azure Active Directory.

Once I had removed Microsoft Intune Enrolment, Windows Autopilot provisioning was able to complete successfully.

Regards
The Author – Blogabout.Cloud

Deploying Cloud App Security

I have recently been investigating Cloud App Security and how it can benefit organizations that are already paying for this functionality without even knowing it. Do you already pay for any of the following Microsoft licenses?

  • Microsoft Cloud App Security
  • Microsoft Cloud App Security + Enterprise Mobility & Security E3 (EMS E3)
  • Enterprise Mobility & Security E5 (EMS E5)
  • Microsoft 365 E5 Security
  • Microsoft 365 E5
  • Microsoft 365 Education A5
  • Office 365 E5
  • Azure AD Premium 1

If yes, you are licensed to enable Cloud App Security for your organization.

For more information about the licensing requirements, see the following URL:
https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2NXYO

Starting with Cloud App Security

Cloud App Security – Dashboard

Getting started with Cloud App Security

Log process flow: From raw data to risk assessment

The process of generating an understanding of the risk within your organisation from Cloud App Security starts with the following. You can upload data to Cloud App Security, and the process takes between a few minutes and several hours depending on the amount of data processed.

  • Upload – Web traffic logs from your network are uploaded to the portal.
  • Parse – Cloud App Security parses and extracts traffic data from the traffic logs with a dedicated parser for each data source.
  • Analyze – Traffic data is analyzed against the Cloud App Catalog to identify more than 16,000 cloud apps and to assess their risk score. Active users and IP addresses are also identified as part of the analysis.
  • Generate report – A risk assessment report of the data extracted from log files is generated.

Note

Continuous report data is analyzed twice a day.
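The Parse and Analyze steps above, as an added example that is not Cloud App Security's own parser: it reads constructed Squid (Native) access-log lines (one of the supported formats listed below), counts lines that do not match the format instead of guessing at them, and summarises active users, source IPs and bytes per destination host, which is the raw material the discovery report and risk scoring are built from.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Squid native access.log layout (one record per line):
# time elapsed client action/code bytes method url ident hierarchy/peer content-type
SQUID_NATIVE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)\s*$"
)

# Constructed sample lines (not real traffic): two apps, a CONNECT tunnel,
# an anonymous request and one line that is not a Squid record at all
SAMPLE_LOG = """\
1568131200.123    245 10.0.0.5 TCP_MISS/200 4523 GET https://www.dropbox.com/home alice HIER_DIRECT/162.125.1.1 text/html
1568131201.456     80 10.0.0.5 TCP_TUNNEL/200 91234 CONNECT www.dropbox.com:443 alice HIER_DIRECT/162.125.1.1 -
1568131202.789    120 10.0.0.9 TCP_MISS/200 812 GET http://app.box.com/files bob HIER_DIRECT/74.112.184.70 application/json
1568131203.000     60 10.0.0.7 TCP_TUNNEL/200 20480 CONNECT www.dropbox.com:443 - HIER_DIRECT/162.125.1.1 -
this line is not a squid record at all
"""

def host_from_url(url):
    """Destination host for both 'scheme://host/path' and CONNECT 'host:port'."""
    if "://" in url:
        return urlsplit(url).hostname or ""
    return url.rsplit(":", 1)[0]

def parse_squid_native(text):
    """Parse step: one record per well-formed line; malformed lines are counted,
    not guessed at, which is the 'valid format' check an upload needs."""
    records, rejected = [], 0
    for line in text.splitlines():
        m = SQUID_NATIVE.match(line)
        if not m:
            rejected += 1
            continue
        records.append({
            "host": host_from_url(m["url"]).lower(),
            "client_ip": m["client"],
            "user": None if m["user"] == "-" else m["user"],
            "bytes": int(m["bytes"]),
        })
    return records, rejected

def analyze(records):
    """Analyze step: per destination host, the active users, source IPs and bytes
    that the discovery report summarises before the catalog assigns a risk score."""
    summary = defaultdict(lambda: {"users": set(), "ips": set(), "bytes": 0})
    for r in records:
        app = summary[r["host"]]
        if r["user"]:
            app["users"].add(r["user"])
        app["ips"].add(r["client_ip"])
        app["bytes"] += r["bytes"]
    return dict(summary)

def discovery_report(text):
    """Run Parse then Analyze; returns (per-host summary, number of rejected lines)."""
    records, rejected = parse_squid_native(text)
    return analyze(records), rejected

if __name__ == "__main__":
    report, bad = discovery_report(SAMPLE_LOG)
    for host, app in sorted(report.items()):
        print(f"{host}: users={sorted(app['users'])} ips={sorted(app['ips'])} bytes={app['bytes']}")
    print(f"rejected lines: {bad}")
```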

Supported firewalls and proxies

Cloud App Security supports data uploads from the following firewalls and proxies.

  • Barracuda – Web App Firewall (W3C)
  • Blue Coat Proxy SG – Access log (W3C)
  • Check Point
  • Cisco ASA with FirePOWER
  • Cisco ASA Firewall (For Cisco ASA firewalls, it’s necessary to set the information level to 6)
  • Cisco Cloud Web Security
  • Cisco FWSM
  • Cisco IronPort WSA
  • Cisco Meraki – URLs log
  • Clavister NGFW (Syslog)
  • Digital Arts i-FILTER
  • Forcepoint
  • Fortinet Fortigate
  • iboss Secure Cloud Gateway
  • Juniper SRX
  • Juniper SSG
  • McAfee Secure Web Gateway
  • Microsoft Forefront Threat Management Gateway (W3C)
  • Palo Alto series Firewall
  • Sonicwall (formerly Dell)
  • Sophos SG
  • Sophos XG
  • Sophos Cyberoam
  • Squid (Common)
  • Squid (Native)
  • Stormshield
  • Websense – Web Security Solutions – Investigative detail report (CSV)
  • Websense – Web Security Solutions – Internet activity log (CEF)
  • Zscaler

Create Cloud Discovery snapshot report

Sample Report

Automatic Risk Assessment

Cloud App Security also enables organizations to automatically discover the cloud apps in use via the activity in your firewall logs. This is done via Log Collectors, which allow organizations to upload logs to Cloud App Security. Every single log is automatically transferred to the portal; there are two different behaviours depending on whether you are using FTP or Syslog.

FTP Uploads

FTP logs are uploaded to Microsoft Cloud App Security after the file finishes the FTP transfer to the Log Collector.

SysLog Uploads

The Log Collector writes the received logs to disk. The collector then uploads the file to Cloud App Security once the file size is larger than 40 KB.

However, you may want to check that the data being used for automatic upload is in a valid format. Check out this link for more information: https://docs.microsoft.com/en-us/cloud-app-security/create-snapshot-cloud-discovery-reports#using-traffic-logs-for-cloud-discovery-

App connectors

App connectors use APIs from cloud app providers to integrate the Cloud App Security cloud with other cloud apps. App connectors extend control and protection. They also give you access to information directly from cloud apps, for Cloud App Security analysis.

To connect an app and extend protection, the app administrator authorizes Cloud App Security to access the app. Then, Cloud App Security queries the app for activity logs, and it scans data, accounts, and cloud content. Cloud App Security can enforce policies, detect threats, and provide governance actions for resolving issues.

So how does this look from the portal?

List of Connected Apps available today

Let's connect Office 365 for the purpose of this post.

Connect Office 365
Select the components you would like to monitor and connect the app
Success

Conditional Access App Control protection

Microsoft Cloud App Security Conditional Access App Control uses reverse proxy architecture to give you the tools you need to have real-time visibility and control over access to and activities performed within your cloud environment. With Conditional Access App Control, you can protect your organization:

  • Avoid data leaks by blocking downloads before they happen
  • Set rules that force data stored in and downloaded from the cloud to be protected with encryption
  • Gain visibility into unprotected endpoints so you can monitor what’s being done on unmanaged devices
  • Control access from non-corporate networks or risky IP addresses

Conditional Access App Control protection

With Conditional Access App Control protection you can define whether you want to monitor what is being accessed or block it.

Conditional Access Policies

When configured, you will notice the below appear for all access control applications.

Policies

Once you have configured the basics above, the next step is to enable the policies you would like to run within your environment. Out of the box you will receive a number of policies deemed appropriate by Microsoft, but there may be additional ones you would like, for example:

In my environment I have created a policy that checks for OneDrive documents shared outside my business to specific domains.

This policy also has the power to remove the external user to prevent access, and this is where Cloud App Security really comes into its own, as it gives organisations and IT Administrators the power to really take control of corporate data.

I hope you found this run through helpful

Regards,
The Author – Blogabout.Cloud

Windows Information Protection with Enrollment

After a bit of recent investigation into App Protection policies, I have noticed a large chunk of information missing from Microsoft resources and other blog posts. I have recently experienced an issue where network boundaries were not configured correctly, and I had to ensure that all applications being protected did not experience any issues accessing corporate resources.

It is recommended to use the following when adding a network boundary.

Type                Name             Value
Cloud Resources     Office 365       portal.office.com|tasks.office.com|protection.office.com|meet.lync.com|teams.microsoft.com
Cloud Resources     Outlook Online   outlook.office.com|outlook.office365.com
Cloud Resources     AppCompat        /*AppCompat*/
Cloud Resources     SharePoint       contoso.sharepoint.com|contoso-my.sharepoint.com|contoso-files.sharepoint.com
Neutral Resources   Neutral          login.windows.net,login.microsoftonline.com
Cloud Resources     Yammer           www.yammer.com|yammer.com|persona.yammer.com

Intune App Protection – Advanced settings

This will provide all the required boundaries relevant to most Microsoft deployments.
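An added check, not Intune's or Microsoft's code: it parses the boundary table above (with contoso as the placeholder tenant name, and the '|' and ',' separators the table uses for Cloud Resources and Neutral Resources) and reports the hosts a protected app needs that the boundary does not cover, which is the gap behind the access issues described above. It assumes an entry covers a host only on an exact match, a conservative assumption rather than WIP's documented matching rule; the required-host list is constructed.

```python
# Separator Intune uses for each boundary type in the table above
DELIMITERS = {"Cloud Resources": "|", "Neutral Resources": ","}

# The boundary from the table above (type, name, value); contoso is a placeholder tenant
BOUNDARY = [
    ("Cloud Resources", "Office 365",
     "portal.office.com|tasks.office.com|protection.office.com|meet.lync.com|teams.microsoft.com"),
    ("Cloud Resources", "Outlook Online", "outlook.office.com|outlook.office365.com"),
    ("Cloud Resources", "AppCompat", "/*AppCompat*/"),
    ("Cloud Resources", "SharePoint",
     "contoso.sharepoint.com|contoso-my.sharepoint.com|contoso-files.sharepoint.com"),
    ("Neutral Resources", "Neutral", "login.windows.net,login.microsoftonline.com"),
    ("Cloud Resources", "Yammer", "www.yammer.com|yammer.com|persona.yammer.com"),
]

def parse_boundary(entries):
    """Return ({host: (type, name)}, {tokens}). '/*AppCompat*/' is a WIP token,
    not a host, so it is kept apart from the host map."""
    hosts, tokens = {}, set()
    for kind, name, value in entries:
        for item in value.split(DELIMITERS[kind]):
            item = item.strip()
            if not item:
                continue                      # tolerate a stray trailing separator
            if item.startswith("/*") and item.endswith("*/"):
                tokens.add(item)
            else:
                hosts[item.lower()] = (kind, name)
    return hosts, tokens

def missing_hosts(entries, required):
    """Hosts an app needs that no boundary entry covers (assumption: exact host match)."""
    hosts, _ = parse_boundary(entries)
    return sorted(h.strip().lower() for h in required if h.strip().lower() not in hosts)

# Constructed list of endpoints a tenant's protected apps reach during testing
REQUIRED = [
    "outlook.office365.com", "login.microsoftonline.com",
    "contoso-my.sharepoint.com", "graph.microsoft.com", "Teams.Microsoft.com",
]

if __name__ == "__main__":
    gaps = missing_hosts(BOUNDARY, REQUIRED)
    print("hosts not covered by the boundary:", gaps or "none")
```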

Regards
The Author – Blogabout.Cloud

Microsoft Intune Developments from the Office 365 Roadmap for September 2019

The following post contains the new features and updated features from September 2019. This post enables you to quickly glance at the Office 365 Roadmap that directly targets Microsoft Intune based on the latest information provided from Microsoft.

New Features (current status in brackets)

  • Microsoft Intune company portal web site supports SaaS app lifecycle [In Development]

Updated Features (current status in brackets)

  • Outlook for iOS: App configuration support without enrollment [Launched]
  • Outlook for Android: App configuration support without enrollment [Launched]
  • Microsoft Intune support for Managed Home Screen app on kiosks [Launched]
  • Microsoft Intune support for fully managed Android Enterprise devices [Launched]

Remember if you would like to receive all the Microsoft Roadmaps updates to your Teams Client, check out this post.

Regards
The Author – Blogabout.Cloud

Microsoft Teams Roadmap Announcements for September 2019

The following post contains the new features and updated features from September 2019. This post enables you to quickly glance at the Microsoft Teams Roadmap based on the latest information provided from Microsoft.

One thing I have included in this month's round-up is Microsoft Bookings, as it now integrates with Skype and Teams.

New Features (current status in brackets)

  • Microsoft Teams – Pinned channels [In Development]
  • Microsoft Teams – Audio Calling for the Chrome Browser [Launched]
  • Microsoft Teams – Enhanced Delegation [In Development]
  • Microsoft Teams – Dynamic Emergency Calling for Calling Plans [Rolling out]

Updated Features (current status in brackets)

  • Microsoft Teams Education – Redesigned UI [Launched]
  • Microsoft Teams – Priority notifications [Launched]
  • Microsoft Teams Education – Class Avatars & Stickers [Launched]
  • Microsoft Teams Education – GradeSync [Launched]
  • Microsoft Teams Education – Turnitin Integration [Launched]
  • Microsoft Teams Education – MakeCode Assignments [Launched]
  • Microsoft Teams Education – Mobile Grading [Launched]
  • Microsoft Teams – Channel Moderation [Launched]
  • Microsoft Teams – Interoperability (1:1 Teams-Skype for Business chat) in Office 365 Government GCC and DoD [Launched]
  • Microsoft Teams – External Access in Office 365 Government GCC High and DoD [Launched]
  • Microsoft Teams – Unified Presence (Skype for Business and Teams unified) in Office 365 Government GCC High and DoD [Launched]
  • Microsoft Teams – Auto-updates will use lower network bandwidth [Launched]
  • Microsoft Teams – Give Feedback [Launched]
  • Microsoft Teams – @-less mentions [Launched]
  • Microsoft Teams – Focus Mode [Launched]
  • Microsoft Teams – Phone System Updates for GCC [Launched]
  • Microsoft Teams – Phone System for GCC High and DoD [In Development]
  • Safe Links Protection for Microsoft Teams [In Development]
  • Microsoft Teams for Firstline Workers: Import a schedule into Shifts [Launched]
  • Microsoft Teams: Music on Hold [Rolling out]
  • Microsoft Teams – Per-team and Cross-team analytics [Launched]
  • Microsoft Teams – Dynamic Emergency Calling for Direct Routing [In Development]
  • Microsoft Teams – Secondary Ringer and Answer From Anywhere [Launched]
  • Microsoft Teams – Reverse Number Lookup [Rolling out]

Remember if you would like to receive all the Microsoft Roadmaps updates to your Teams Client, check out this post.

Regards
The Author – Blogabout.Cloud

Enabling Conditional Access App Control for featured apps

Cloud App Security offers the ability to leverage Conditional Access for Exchange Online and SharePoint Online but how do we configure this functionality?

Let’s start with your Azure Portal and browse to Conditional Access –> New Policy

Conditional Access

So as I previously mentioned, this control only works for Exchange Online and SharePoint Online, so you will need to select:

– Office 365 Exchange Online
– Office 365 SharePoint Online

Cloud apps

Under Session, you need to select Conditional Access App Control, and as you can see below we only have 3 options:

– Monitor only (Preview)
– Block downloads (Preview)
– Use custom policy…

Session

For the purpose of this post, I am going to just Monitor what is happening, and then use Cloud App Security to discover what's happening within my tenancy.

Once the policy is enabled, sign into Exchange Online or SharePoint Online and you will be welcomed by the below message. This demonstrates that Conditional Access App Control is now in place.

Welcome to Conditional Access App Control

From your Cloud App Security console you will be able to see this activity and all future activities.

Conditional Access App Control

Regards,
The Author – Blogabout.Cloud

Are you worried about how your child is using their Android mobile phone? Take control with Family Link

Hello Readers,

Recently my partner and I allowed our daughter to have her very first mobile, but as a Security Consultant within the world of IT, I wanted to make sure that we could protect her and also ourselves, as you hear horror stories all the time of children building up hundreds of pounds of mobile phone charges.

After a bit of research and testing, I realized I could easily protect our child using a native application from the Google Play store.

The Family Link app from Google helps parents stay in the loop as their child or teen explores on their Android device, and lets parents set certain digital ground rules for their family.

With Family Link you can perform the following:
– Check your child's location using Location Services on their Android phone
– Check what applications your child is using and for how long
– Lock the device if your child's device is lost, or if you want to prevent usage
– Set daily screen time limits
– Set bedtime screen access
– Check what applications have been installed if you don't set “Adult Approval for Applications from Play Store”

As parents we are always concerned about what our child can access from their mobile devices.

With Family Link you can prevent:
– Access to age-rated applications that are not appropriate for your child
– Access to mature sites (blocked)

Common Questions

Will my child be able to use their phone when locked in case of an emergency?

Yes, your child will be able to make phone calls to emergency services or favorite contacts from their device.

Is my child's device compatible with Family Link?

Family Link runs on Android devices running version 7.0 (Nougat) and higher. Devices running Android versions 5.0 and 6.0 (Lollipop and Marshmallow) may also be able to run Family Link; you will need to check the Google Help Center for more details.

What child age is Family Link targeted at?

Parents can also use Family Link to create a Google Account for their child under 13 (or the applicable age in your country). Once complete, children can sign-in to their device with their new account.

Can I add accounts to Family Link I have already created for my child(ren)?

If a child/teen already has a Google account, Family Link will walk their parent through linking their account to their child’s account. As part of that process, the child/teen may also need to download the Family Link (Child/Teen) app on their phone to complete the process of linking the accounts.

Once the accounts are linked, parents can use Family Link to help them do things like keep an eye on screen time and manage the content they use.

If your child is using an Android device today, go and get Family Link.

Regards
The Author – Blogabout.Cloud

Microsoft Teams Roadmap Announcements for August 2019

The following post contains the new features and updated features from August 2019. This post enables you to quickly glance at the Microsoft Teams Roadmap based on the latest information provided from Microsoft.

One thing I have included in this month's round-up is Microsoft Bookings, as it now integrates with Skype and Teams.

New Features (current status in brackets)

  • Microsoft Teams – Focus Mode [In Development]
  • Microsoft Teams – Feedback surveys [In Development]
  • Microsoft Teams – Phone System Launching for GCC High and DoD [In Development]
  • Microsoft Teams – Cloud Voicemail enhancements [In Development]
  • Audio Conferencing via Direct Routing for GCC High and GCC DoD [In Development]
  • Microsoft Teams – Meet now [In Development]

Updated Features (current status in brackets)

  • Microsoft Teams – Manage discovery of private teams [Rolling Out]
  • Microsoft Teams: Partner Provided Calling Plans for Japan [Launched]
  • Microsoft Teams – Broadcast Meetings [Launched]
  • Microsoft Teams – Location Based Routing [In Development]
  • Microsoft Teams – Interoperability (1:1 Teams-Skype for Business chat) in Office 365 Government GCC and DoD [In Development]
  • Microsoft Teams – External Access in Office 365 Government GCC High and DoD [Rolling Out]
  • Microsoft Teams – Unified Presence (Skype for Business and Teams unified) in Office 365 Government GCC High and DoD [In Development]
  • Microsoft Teams – Phone System Updates for GCC [In Development]
  • Microsoft Teams – Screen sharing in Teams/Skype for Business interop [Rolling Out]
  • Microsoft Bookings – Online meetings [Rolling Out]
  • Microsoft Teams – Dynamic E911 [In Development]
  • Microsoft Teams – Cloud Voicemail enhancements [Rolling Out]

Remember if you would like to receive all the Microsoft Roadmaps updates to your Teams Client, check out this post.

Regards
The Author – Blogabout.Cloud

Microsoft Bookings – What is it and how do I enable it?

Microsoft Bookings has recently come to my attention as Bookings will integrate with Teams and Skype meeting capabilities. This will enable businesses to set up services with online Skype/Teams meeting enabled. A meeting link will be added to the booking invite which customers can use to join the appointment.

This feature is being rolled out to Worldwide (Standard Multi-Tenant), Online, Exchange and Education tenants.

What is Microsoft Bookings?

Microsoft Bookings is an online and mobile app for small businesses who provide services to customers on an appointment basis. Examples of businesses include hair salons, dental offices, spas, law firms, financial services providers, consultants, and auto shops.

Bookings has three primary components:

  • A booking page where your customers can schedule appointments with the staff member who should provide the service. You can show this page on Facebook, where your customers can schedule appointments, or your own web site.
  • A set of web-based, business-facing pages where business owners can record customer preferences, manage staff lists and schedules, define services and pricing, set business hours, and customize how services and staff are scheduled
  • A business-facing mobile app where business owners can see all of their bookings, access customer lists and contact information, and make manual bookings

Is Bookings enabled for my subscription?

Bookings is turned on by default for customers who have the Office 365 Business Premium, Office 365 A3 or Office 365 A5 subscriptions. Bookings is also available to customers who have Office 365 Enterprise E3 and E5, but it is turned off by default.

Enabling Booking

Get the free Microsoft Bookings add-on for Enterprise subscriptions

If your subscription is Office 365 for Business, Office 365 Enterprise E3 or E5, the Microsoft Bookings app offered through the Business Apps (free) add-on is off by default. Follow these steps to get licenses and assign them to your users.

Turn Bookings off for your entire organization using Exchange Online PowerShell

If you don’t have access to the Bookings setting in Microsoft 365 admin center, you can turn off Bookings by running the following command in PowerShell.

Before you can do this procedure, you need to Connect to Exchange Online PowerShell.

Set-OrganizationConfig -BookingsEnabled $false

Let’s make a Booking

Now that we have enabled Microsoft Bookings for the tenant, it will be available within Office 365 as shown below.

Regards
The Author – Blogabout.Cloud

Convert Synced User into In-Cloud only User

In this example I have a local Active Directory with AAD Connect installed in one of the Azure regions, which syncs users and password hashes to Office 365. I have now decided to migrate authentication from the local Active Directory to Office 365 and decommission the on-premises Active Directory.

Azure Active Directory Connect Diagram

In order to transition from on-premises “Synced Identity” to “In Cloud Identity”, we will need to complete the following process.

Sign into the AAD Connect Server and Sync the Delta

The following command performs a sync of all AD Objects before attempting to convert into Cloud Only.

Start-ADSyncSyncCycle -PolicyType Delta

Turn off AAD Connect Sync

The following command turns off the Azure Active Directory Connector while we perform the following tasks. In this post I have outlined all the steps that can be taken to convert AD user accounts into Cloud Only.

Set-MsolDirSyncEnabled -EnableDirSync $false

Convert Single User to Cloud Only

The following command converts a single user into a Cloud Only account

Get-MsolUser -UserPrincipalName thewatchernode@blogabout.cloud | Set-MsolUser -ImmutableId $null

Remove Immutable ID of all users

The following command removes the Immutable ID for all users. Note that Get-MsolUser returns only the first 500 users unless -All is specified, so -All is required for a tenant-wide conversion.

Get-MsolUser -All | Set-MsolUser -ImmutableId $null

Remove Immutable ID for Bulk users

The following script allows you to modify users in bulk from a CSV file with a UserPrincipalName column.

# Path to the CSV; the quotes are required so the path is expanded as a string
$FilePath = "$env:USERPROFILE\Desktop\file.csv"
$csv = Import-Csv -Path $FilePath
$immutableId = $null

foreach ($user in $csv) {
    # Clearing the ImmutableId converts the account from Synced to In Cloud
    Set-MsolUser -UserPrincipalName $user.UserPrincipalName -ImmutableId $immutableId
}

Turn on Azure Active Directory Connect Sync

Once you have completed all the required conversions of AD accounts to Cloud, head back to your local Active Directory and move the user(s) to an OU that isn't synchronized by AADC.

This helps you as an IT Pro see at a quick glance who has been converted, without having to use PowerShell to discover who is or isn't.

The following command turns the Azure Active Directory Connector back on now that we have converted the user accounts to Cloud Only.

Set-MsolDirSyncEnabled -EnableDirSync $true

Force a full sync if the delta sync didn't work

Start-ADSyncSyncCycle -PolicyType Initial

If you are using an ADFS Server there is an additional step, provided you have moved all your users to the Cloud. You will need to change the Federated Domain to a Standard Domain:

Convert-MsolDomainToStandard -DomainName blogabout.cloud -WhatIf
Convert-MsolDomainToStandard -DomainName blogabout.cloud -Confirm

All that is left now is to log in as one of the converted users to prove Single Sign-On is working, and to log on to Office 365 as a Global Admin to check that the sync status of the users shows the cloud icon for “In Cloud”.

Regards
The Author – Blogabout.Cloud