Category Archives: Azure

Sign up for the new Microsoft Security Public Webinars

Microsoft have just released the following dates for all their new Security webinars. Go and check them out.

Below please find the full list. Details and registration are at https://aka.ms/SecurityWebinars.

JAN 27 – Azure Purview | Introduction to Azure Purview

FEB 3 – Azure Confidential Computing | Confidential computing nodes on Azure Kubernetes Service

FEB 4 – Azure Sentinel | Accelerate Your Azure Sentinel Deployment with the All-in-One Accelerator

FEB 16 – Microsoft Security Public Community | The Billion-Dollar Central Bank Heist

FEB 18 – Azure Sentinel | Best practices for converting detection rules

Interested in some bite-sized security tips? Check out our short videos at https://aka.ms/SecurityCommunityVideos.

To stay informed about future webinars and other events, join our Security Community at https://aka.ms/SecurityCommunity.

Regards
The Author – Blogabout.Cloud

Here's your chance to take the AZ-900 Fundamentals exam for free

This year Microsoft have made AZ-900 free for all those who attend both days of the events below, probably for the last time this year. Here's another opportunity for you to take the exam for FREE!

Having completed this exam myself, I strongly suggest you take this opportunity and get this baseline certification on your transcript.

Date | Link
16th December 2020 10:00-13:45 and 17th December 2020 10:00-13:45 | https://mktoevents.com/Microsoft+Event/209890/157-GQE-382?wt.mc_id=AID3023748_QSG_488072
9th December 2020, 10:00 – 13:05 and 10th December 2020, 10:00 – 13:05 | https://mktoevents.com/Microsoft+Event/211664/157-GQE-382?wt.mc_id=AID3023845_QSG_488067

Regards
The Author – Blogabout.Cloud

PowerShell Tip: Obtaining the ImmutableID from your Active Directory Objects on-prem and in the cloud

When working with Azure Active Directory Connect you may experience issues with accounts duplicating because the ImmutableID does not match. If it does happen, it is a pain to resolve, as you have to:

Desynchronize the affected accounts
Delete from the Deleted Users OU in Azure Active Directory
Obtain the on-premises ImmutableID
Obtain the cloud ImmutableID
Compare the IDs
Set the cloud ID with the on-premises ID

Now wouldn't it be easier if someone had a bunch of PowerShell commands to help you get the ImmutableID? This is where I come in.

Obtaining ImmutableID from on-premises Active Directory Object

The following PowerShell script extracts the ImmutableID of every Active Directory user object and stores them in a CSV file on your desktop.

Import-Module ActiveDirectory

# UserPrincipalName, SamAccountName and ObjectGUID are returned by default, so -Properties * is not needed
$users = Get-ADUser -Filter *

$reportoutput = foreach ($user in $users) {
    # The ImmutableID is the Base64 encoding of the on-premises objectGUID bytes.
    # Do not quote this expression: in double quotes you get the literal text, not the value.
    $immutableid = [System.Convert]::ToBase64String($user.ObjectGUID.ToByteArray())

    [PSCustomObject]@{
        UserPrincipalName = $user.UserPrincipalName
        SamAccountName    = $user.SamAccountName
        ImmutableID       = $immutableid
    }
}

# Report: GetFolderPath resolves the real Desktop folder even when OneDrive redirects it
$desktop = [Environment]::GetFolderPath('Desktop')
$reportoutput | Export-Csv -Path (Join-Path $desktop 'ImmutableID4AD.csv') -NoTypeInformation -Encoding UTF8

Obtaining ImmutableID from Azure Active Directory Object

The following PowerShell script extracts the ImmutableID of every Azure Active Directory user object and stores them in a CSV file on your desktop.

Import-Module AzureAD
Connect-AzureAD   # prompts for credentials; required before any Get-AzureADUser call

$users = Get-AzureADUser -All $true

$reportoutput = foreach ($user in $users) {
    # Azure AD user objects have no SamAccountName property (it is empty if you ask for it);
    # UserPrincipalName is the key to join on against the on-premises export.
    [PSCustomObject]@{
        UserPrincipalName = $user.UserPrincipalName
        DisplayName       = $user.DisplayName
        ImmutableID       = $user.ImmutableId
    }
}

# Report: same Desktop resolution as the on-premises script, so both CSVs land in one folder
$desktop = [Environment]::GetFolderPath('Desktop')
$reportoutput | Export-Csv -Path (Join-Path $desktop 'ImmutableID4AAD.csv') -NoTypeInformation -Encoding UTF8

Recommendation

When I have had to compare the two exports at scale for an entire environment, it can be a complete nightmare but the ImportExcel module was brilliant in getting the data merged into a single sheet.

https://www.powershellgallery.com/packages/ImportExcel/7.1.1
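The two exports above still leave the "compare the IDs" and "set the cloud ID" steps to do by hand. Below is an added example, not the post's own script, that performs both for every user under one OU: it computes the expected ImmutableID from the on-premises objectGUID, looks up the cloud account by UPN, classifies the result, and only writes the on-premises value to the cloud account when asked (and never to an account that is still synced). It assumes the ActiveDirectory and AzureAD modules, an existing Connect-AzureAD session, and that the UPN is identical on both sides; the OU path in the usage lines is a placeholder.

```powershell
# Added example (not the post's code). Assumes: ActiveDirectory + AzureAD modules loaded,
# Connect-AzureAD already done, UPN identical on-premises and in the cloud.

function ConvertTo-ImmutableId {
    # ImmutableID = Base64 of the objectGUID's 16 bytes (what Azure AD Connect uses as the source anchor)
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    [System.Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    # Reverse direction, useful when reading an export back in
    param([Parameter(Mandatory)][string]$ImmutableId)
    [guid]::new([System.Convert]::FromBase64String($ImmutableId))
}

function Compare-ImmutableId {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$SearchBase)

    $onPrem = Get-ADUser -Filter * -SearchBase $SearchBase | Where-Object UserPrincipalName

    foreach ($user in $onPrem) {
        $expected = ConvertTo-ImmutableId -ObjectGuid $user.ObjectGUID

        # OData filter: an apostrophe in the UPN (o'brien@...) must be doubled or the filter breaks
        $upnLiteral = $user.UserPrincipalName -replace "'", "''"
        $cloud = Get-AzureADUser -Filter "userPrincipalName eq '$upnLiteral'"

        $state = if (-not $cloud)                          { 'NoCloudAccount' }
                 elseif ($cloud.ImmutableId -eq $expected) { 'Match' }
                 elseif ($cloud.DirSyncEnabled)            { 'SyncedMismatch' }  # desynchronize first, as in the steps above
                 elseif (-not $cloud.ImmutableId)          { 'CloudOnly' }
                 else                                      { 'Mismatch' }

        [PSCustomObject]@{
            UserPrincipalName = $user.UserPrincipalName
            OnPremImmutableId = $expected
            CloudImmutableId  = $cloud.ImmutableId
            State             = $state
        }
    }
}

function Set-CloudImmutableId {
    # Writes the on-premises value onto the cloud account; honours -WhatIf and prompts by default
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory, ValueFromPipeline)]$Comparison)
    process {
        # Only cloud-only or mismatched, unsynced accounts are touched; synced objects are left alone
        if ($Comparison.State -notin 'CloudOnly', 'Mismatch') { return }
        $target = "$($Comparison.UserPrincipalName) -> $($Comparison.OnPremImmutableId)"
        if ($PSCmdlet.ShouldProcess($target, 'Set ImmutableId')) {
            Set-AzureADUser -ObjectId $Comparison.UserPrincipalName -ImmutableId $Comparison.OnPremImmutableId
        }
    }
}

# Usage (placeholder OU): review the summary, preview with -WhatIf, then apply with per-account confirmation
# $results = Compare-ImmutableId -SearchBase 'OU=Users,DC=contoso,DC=com'
# $results | Group-Object State | Select-Object Name, Count
# $results | Set-CloudImmutableId -WhatIf
# $results | Set-CloudImmutableId
```

The SyncedMismatch state exists so the script cannot skip the post's first two steps: an account that Azure AD still reports as directory-synced has to be taken out of sync scope and purged from deleted users before its ImmutableID can be changed, otherwise the next sync cycle reports the conflict again.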

Regards
The Author – Blogabout.Cloud

Quick Tips: How do I restore a deleted Microsoft Teams Team using PowerShell.

Sometimes accidents happen and things get deleted by mistake but what do you do if you delete a Microsoft Team by mistake?

When the team is deleted, it is held in the “recycle bin” for 30 days until it is permanently deleted. The following is the process of restoring a deleted team in Microsoft Teams.

  • Once a Team is deleted, the option to recover it exists for up to 30 days
  • All of it (channels, files, tabs, etc.) will reappear as it was before
  • The restore can take up to 4 hours
  • To restore from the Exchange admin center, select Recipients, then Groups
  • Locate the group (only possible if it is soft deleted)
  • Select the group and choose Restore

This is where my favourite Microsoft tool comes into action: PowerShell.

Prerequisites

AzureAD Module is installed
Global Admin to your Azure AD Tenant

Process

Launch PowerShell as an administrator and connect to Azure AD:

Connect-AzureAD

When a team is created in Microsoft Teams, it creates an Office 365 group. In order to restore the group you will need to obtain its Id using the following cmdlet:

Get-AzureADMSDeletedGroup

Then restore the group using the Id you obtained:

Restore-AzureADMSDeletedDirectoryObject -Id <objectID>

As mentioned above the restore could take up to 4 hours to complete.
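Copying the Id out of the Get-AzureADMSDeletedGroup listing by hand is where mistakes happen when several deleted groups share a name. The function below is an added example, not from the post, that wraps the two cmdlets above: it finds soft-deleted Microsoft 365 groups by display name, refuses to guess when the name is ambiguous, supports -WhatIf, and reads the group back after the restore. It assumes the AzureAD module and an existing Connect-AzureAD session; the team name in the usage lines is a placeholder.

```powershell
# Added example (not the post's code). Assumes the AzureAD module and Connect-AzureAD already done.
function Restore-DeletedTeam {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$DisplayName)

    # A Team is backed by a Microsoft 365 ("Unified") group; only those are candidates
    $candidates = @(Get-AzureADMSDeletedGroup -All $true |
        Where-Object { $_.DisplayName -eq $DisplayName -and $_.GroupTypes -contains 'Unified' })

    if ($candidates.Count -eq 0) {
        throw "No soft-deleted Microsoft 365 group named '$DisplayName' (already purged, or past the 30-day window?)"
    }
    if ($candidates.Count -gt 1) {
        # Show the candidates and stop; restoring the wrong one is worse than doing nothing
        $candidates | Format-Table Id, DisplayName, Mail | Out-String | Write-Warning
        throw "Ambiguous: $($candidates.Count) deleted groups named '$DisplayName'. Run Restore-AzureADMSDeletedDirectoryObject -Id with the right Id."
    }

    $group = $candidates[0]
    if ($PSCmdlet.ShouldProcess("$($group.DisplayName) ($($group.Id))", 'Restore deleted group')) {
        Restore-AzureADMSDeletedDirectoryObject -Id $group.Id | Out-Null
        # The group object is back immediately; Teams content can take up to 4 hours to reappear
        Get-AzureADMSGroup -Id $group.Id | Select-Object Id, DisplayName, Mail
    }
}

# Usage (placeholder name): preview first, then restore
# Restore-DeletedTeam -DisplayName 'Project Phoenix' -WhatIf
# Restore-DeletedTeam -DisplayName 'Project Phoenix'
```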

Regards
The Author – Blogabout.Cloud
           

Configuring Office 365 Service Communications API within your own Azure Active Directory.

The Office 365 Service Communications API enables an organization to gather data about its Microsoft 365 tenancy, and in this post we will be looking at Service Health.

Prerequisites

  • Relevant Azure Active Directory Permissions to create an app
    • Global Administrator
    • Application Administrator
    • Cloud Application administrator
  • Licensed for Power Automate either;
    • Per-user plan
    • Per-user plan with attended RPA
    • Per Flow plan

Configuring Azure Active Directory

Log in to the Azure Portal via http://portal.azure.com, browse to Azure Active Directory, then select App Registrations –> New Registration.

Now enter a Name for the application, i.e. Office 365 Service Communications API, and select Accounts in this organizational directory only.

The Redirect URI can be ignored, as it is no longer necessary; then click Register.

The registered app you just created will now be displayed – click on API permissions on the left hand menu. Click on the Add a permission button in the Configured permissions section. Select Office 365 Management API in the Request API permissions section.

Select Application permissions as the type of permissions your application requires. Then select ServiceHealth.Read as the permission required and click the Add permissions button.

Granting Tenant Admin Consent

The application is now configured with the permissions it needs to use the Office 365 Management APIs but first it needs an admin to grant these permissions. A Global Administrator, Application Administrator or Cloud Application administrator must explicitly grant your application these permissions. This is granting the app permissions to use the APIs to access your tenant’s data.

If you do not have the necessary role please advise the admin to follow this link and provide them with the name of your App Registration to review and approve.

If you have the necessary Global Administrator, Application Administrator or Cloud Application administrator role click on the Grant admin consent to <tenant name> button.

Generate a new key / client secret for your application

Navigate to the main page for the App Registration you just created and make a note of the Application (client) ID and Directory (tenant) ID, as you will need these later to access the Office 365 Management API using the app just created. A client secret now needs to be generated for authentication to the APIs – click on Certificates & Secrets on the left hand menu.

IMPORTANT: Now make a note of the Client Secret created i.e. BlahBlah-BlahBlah. It is important that this is done now as once this window is closed the Client secret will no longer be visible.

This completes the process for configuring Office 365 Service Communications API. The next step will be using either PowerShell or Power Automate to present the data.
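For the PowerShell route, the values noted above are everything the app needs. The script below is an added example, not the post's code: it obtains a token with the client-credentials grant (the right flow for an app holding an Application permission) and reads the Service Communications current-status feed, listing any workload that is not operational. The tenant ID and client ID are placeholders to fill from the App Registration page; the client secret is read from an environment variable named O365_CLIENT_SECRET (a name chosen here) so that it never lives in the script file.

```powershell
# Added example (not the post's code). Placeholders: tenant ID, client ID, O365_CLIENT_SECRET env var.

# Windows PowerShell 5.1 may default to older TLS; the token endpoint requires TLS 1.2
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

function Get-ServiceCommsToken {
    param(
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$ClientId,
        [Parameter(Mandatory)][string]$ClientSecret
    )
    $body = @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://manage.office.com/.default'   # Office 365 Management API audience
    }
    $resp = Invoke-RestMethod -Method Post -Body $body `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
    $resp.access_token
}

function Get-ServiceCurrentStatus {
    param(
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$AccessToken
    )
    $uri  = "https://manage.office.com/api/v1.0/$TenantId/ServiceComms/CurrentStatus"
    $resp = Invoke-RestMethod -Method Get -Uri $uri -Headers @{ Authorization = "Bearer $AccessToken" }
    # One entry per workload; Status is e.g. ServiceOperational, ServiceDegradation, ...
    $resp.value | Select-Object WorkloadDisplayName, Status, StatusTime, IncidentIds
}

# Usage (placeholders)
$tenantId = '<Directory (tenant) ID>'
$clientId = '<Application (client) ID>'
$secret   = $env:O365_CLIENT_SECRET
if (-not $secret) { throw 'Set O365_CLIENT_SECRET first; keep the secret in a vault, not in this script.' }

$token = Get-ServiceCommsToken -TenantId $tenantId -ClientId $clientId -ClientSecret $secret
Get-ServiceCurrentStatus -TenantId $tenantId -AccessToken $token |
    Where-Object Status -ne 'ServiceOperational' | Format-Table -AutoSize
```

Because the app was granted only ServiceHealth.Read, the token this script obtains cannot call the other Office 365 Management API endpoints; if you later need them, add the specific permission and re-grant consent rather than widening the app up front.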

If you would like to use Power Automate instead, check out the blog post I created on that.

Regards
The Author – Blogabout.Cloud

Understanding Azure Active Directory Connector soft matching

It has become very common for organizations to set up an Office 365 or Azure tenancy without configuring integration with their own on-premises Active Directory; another scenario is an organization that has been bought by another company. The end-users are then given cloud-only accounts until such time as they can be fully integrated. Going down this road can cause a number of issues that need to be resolved by either soft matching or hard matching the on-premises AD user with the cloud account.

How do I soft match?

Soft matching is driven by the SMTP address of the user account, and usually the UPN matches the SMTP address. In the diagram below, which I have created, you can see I have captured the two scenarios in which organizations move their on-premises identities to Azure Active Directory. I have also put a deliberate mistake into the images; can you spot what it is?

User D and Cloud D are the same user, but the UPN is different. Why have I done this? It is to explain the behaviour that occurs when an account cannot be correctly identified with its cloud account. Users A to C will all synchronize successfully and correctly; however, User D will not be synchronized successfully, as its UPN doesn’t match Cloud D. This isn’t a bad issue for this scenario, but if you were doing this at scale, I hope you are ready for a host of complaints from users.

It is important to ensure that the SMTP addresses match on-premises vs. the cloud, but please be aware there are limitations, as in any Microsoft product.

SMTP matching limitations

The SMTP matching process has the following technical limitations:

  • SMTP matching can be run on user accounts that have a Microsoft Exchange Online email address. For mail-enabled groups and contacts, SMTP matching (Soft match) is supported based on proxy addresses. For detailed information, refer to the “Hard-match vs Soft-match” section of the following Microsoft Azure article: 

    Azure AD Connect: When you have an existent tenant

    Note This doesn’t mean the user must be licensed for Exchange Online. This means that a mailbox that has a primary email address must exist in Exchange Online for SMTP matching to work correctly.
  • SMTP matching can be used only one time for user accounts that were originally authored by using Office 365 management tools. After that, the Office 365 user account is bound to the on-premises user by an immutable identity value instead of a primary SMTP address.
  • The cloud user’s primary SMTP address can’t be updated during the SMTP matching process because the primary SMTP address is the value that is used to link the on-premises user to the cloud user.
  • SMTP addresses are considered unique values. Make sure that no two users have the same SMTP address. Otherwise, the sync will fail and you may receive an error message that resembles the following: Unable to update this object because the following attributes associated with this object have values that may already be associated with another object in your local directory services: [ProxyAddresses SMTP:john@contoso.com;]. Correct or remove the duplicate values in your local directory.

Hard match works in a similar way but uses the ImmutableID of the user accounts. This is a unique value that each account has, so hard matching the on-premises ImmutableID to the cloud account means modifying every single cloud account with the correct on-premises value. I know this from experience, as I had to do just that for one of my customers and created a PowerShell script to make the change.
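The limitations above are all things you can check before the first sync rather than discover from sync errors. The function below is an added example, not the post's script: for every user under one OU it extracts the primary SMTP address from proxyAddresses, flags duplicates (the ProxyAddresses error case), looks for a cloud-only account with that address, and flags the User D case where a match exists but its UPN differs. Accounts Azure AD already reports as directory-synced are excluded because, per the second limitation, they are already bound by ImmutableID. It assumes the ActiveDirectory and AzureAD modules and an existing Connect-AzureAD session; the OU path in the usage lines is a placeholder.

```powershell
# Added example (not the post's code). Assumes ActiveDirectory + AzureAD modules and Connect-AzureAD done.
function Test-SoftMatchReadiness {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$SearchBase)

    $onPrem = Get-ADUser -Filter * -SearchBase $SearchBase -Properties proxyAddresses

    # The primary SMTP address is the proxyAddresses entry with the upper-case 'SMTP:' prefix
    $rows = foreach ($u in $onPrem) {
        $primary = @($u.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' })
        [PSCustomObject]@{
            SamAccountName    = $u.SamAccountName
            UserPrincipalName = $u.UserPrincipalName
            PrimarySmtp       = if ($primary.Count -eq 1) { $primary[0].Substring(5) } else { $null }
            PrimaryCount      = $primary.Count
        }
    }

    # Limitation: SMTP addresses must be unique, or the sync fails with the ProxyAddresses error
    $dupes = @($rows | Where-Object PrimarySmtp |
        Group-Object { $_.PrimarySmtp.ToLowerInvariant() } |
        Where-Object Count -gt 1 | ForEach-Object Name)

    # Cloud side: only cloud-only accounts can still be soft matched; index them by primary SMTP
    $cloudOnly = Get-AzureADUser -All $true | Where-Object { -not $_.DirSyncEnabled }
    $byMail = @{}
    foreach ($c in $cloudOnly) {
        if ($c.Mail) { $byMail[$c.Mail.ToLowerInvariant()] = $c }
    }

    foreach ($r in $rows) {
        $match = if ($r.PrimarySmtp) { $byMail[$r.PrimarySmtp.ToLowerInvariant()] }
        $finding = if ($r.PrimaryCount -ne 1)                                { 'NoSinglePrimarySmtp' }
                   elseif ($dupes -contains $r.PrimarySmtp.ToLowerInvariant()) { 'DuplicateSmtp' }
                   elseif (-not $match)                                        { 'NoCloudOnlyAccount' }  # a new cloud account will be created
                   elseif ($match.UserPrincipalName -ne $r.UserPrincipalName)  { 'UpnDiffers' }          # the User D case: review before syncing
                   else                                                        { 'ReadyToSoftMatch' }
        [PSCustomObject]@{
            SamAccountName    = $r.SamAccountName
            UserPrincipalName = $r.UserPrincipalName
            PrimarySmtp       = $r.PrimarySmtp
            CloudUpn          = $match.UserPrincipalName
            Finding           = $finding
        }
    }
}

# Usage (placeholder OU): anything other than ReadyToSoftMatch deserves a look before the first sync cycle
# Test-SoftMatchReadiness -SearchBase 'OU=Users,DC=contoso,DC=com' |
#     Where-Object Finding -ne 'ReadyToSoftMatch' | Format-Table -AutoSize
```

Run it from the account you will use for the migration and export the result; the DuplicateSmtp and UpnDiffers rows are the ones that turn into user complaints if left until after the sync has run.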

Regards
The Author – Blogabout.Cloud

Microsoft Azure Virtual Training Day: Fundamentals with Free Exam Voucher

Microsoft is providing more exam vouchers if you complete the following training. Just to clarify, the exam voucher can be used for any Microsoft exam.

To create your vision for tomorrow, you need to understand what the cloud can do for you and your company today. In this introductory course, Microsoft Azure Virtual Training Day: Fundamentals, you will learn about cloud computing concepts, models and services, covering topics such as public, private and hybrid cloud, as well as infrastructure as a service, platform as a service and software as a service.

During this training event, you will explore how to:

  • Get started with Azure
  • Integrate Azure with your existing networks
  • Better understand key cloud concepts and core services, including pricing, support and cloud security

After completing this free training, you’ll be eligible to take the Microsoft Azure Fundamentals certification exam at no cost.

Here’s what you can expect:

Part 1 | Part 2
Introduction | Introduction
Module 0: Course Introduction |
Module 1: Cloud Concepts |
Module 2: Security, Privacy, Compliance & Trust |
Break: 10 minutes | Break: 10 minutes
Module 3: Core Azure Services | Module 4: Azure Pricing and Support
Closing | Closing

The Microsoft Azure Virtual Training Day: Fundamentals event and associated vouchers are open to the public and offered at no cost. Prior to registering for this training, government employees must check with their employers to ensure their participation is permitted and in accordance with applicable policies and laws.

Date | Link
5th August 2020, 10:00-12:40 and 6th August 2020, 10:00-12:20 | https://mktoevents.com/Microsoft+Event/191076/157-GQE-382?wt.mc_id=AID3018136_QSG_446888
12th August 2020, 10:00-12:40 and 13th August 2020, 10:00-12:20 | https://mktoevents.com/Microsoft+Event/191199/157-GQE-382?wt.mc_id=AID3017870_QSG_446891
19th August 2020, 10:00-12:40 and 20th August 2020, 10:00-12:20 | https://mktoevents.com/Microsoft+Event/191515/157-GQE-382?wt.mc_id=AID3018009_QSG_447872

Regards
The Author – Blogabout.Cloud

Take an Azure Exam for Free

Hello Readers,
Due to Covid-19, Microsoft has been offering free online training for the AZ-900 exam. There have been a number of sessions in recent months, and the uptake has been so high that Microsoft has now added more sessions throughout June, July and August:

Head over to the following URL where you can sign up for the events today.

https://azure.microsoft.com/en-us/community/events/?query=fundamentals

These sessions are split into two half-day sessions, and at the end you receive a free voucher to take any Azure exam within 7 working days.

In case you do not receive the voucher, you can reach out to techsfb@microsoft.com to get it.

So, if you have been studying for AZ-103, 104, 300, 301, 303, 304 or 203 and have not booked it yet, perhaps this is the perfect time to take up this offer.

Regards
The Author – Blogabout.Cloud

Going Passwordless with YubiKey by Yubico

This has been on my To-Do list for such a long time, and because of Covid-19 I have finally found the hours required to get it done. A while back I received two YubiKeys and never got around to testing them 🙁 naughty, I know. So let’s look at Yubico.

Microsoft and Yubico have created a path to a passwordless future for organizations of all shapes and sizes, built on the FIDO2 and U2F standards, which Yubico co-authored with Microsoft and Google. Yubico is a founding member of the FIDO Alliance.

How does it all work, I hear you ask?

The YubiKey supports multiple authentication methods, enabling the same key to be used across services and applications. Out-of-the-box native integration with the Microsoft environment allows a rapid deployment.

Diagram outlining the steps involved in user sign-in with a FIDO2 security key:
  1. The user plugs the FIDO2 security key into their computer.
  2. Windows detects the FIDO2 security key.
  3. Windows sends an authentication request.
  4. Azure AD sends back a nonce.
  5. The user completes their gesture to unlock the private key stored in the FIDO2 security key’s secure enclave.
  6. The FIDO2 security key signs the nonce with the private key.
  7. The primary refresh token (PRT) request with the signed nonce is sent to Azure AD.
  8. Azure AD verifies the signed nonce using the FIDO2 public key.
  9. Azure AD returns the PRT to enable access to on-premises resources.
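Steps 4 to 8 are a challenge-response signature: the secret never leaves the key, and the relying party only ever holds the public half. The script below is an added example, not from the post or from Yubico/Microsoft, that models those steps with the relying party (Azure AD in the diagram) and the authenticator played by two halves of one script. An ECDSA P-256 key from .NET stands in for the FIDO2 credential; the part worth seeing is what the relying party checks: a nonce it issued, used exactly once, with a signature that verifies under the registered public key. It runs on PowerShell 7 or on Windows PowerShell with .NET Framework 4.7+, and needs no network or hardware.

```powershell
using namespace System.Security.Cryptography

# Added example (not the post's code): a model of the nonce-signing steps above.
# An ECDSA P-256 key stands in for the FIDO2 credential.

# Registration: the authenticator keeps the private key; the relying party stores only the public half
$authenticator = [ECDsa]::Create([ECCurve]::CreateFromFriendlyName('nistP256'))
$rpPublicKey   = [ECDsa]::Create()
$rpPublicKey.ImportParameters($authenticator.ExportParameters($false))   # $false = public parameters only

# Relying-party state: nonces issued and not yet seen back
$issuedNonces = [System.Collections.Generic.HashSet[string]]::new()

function New-Nonce {
    # Step 4: 32 random bytes, remembered so each can be accepted exactly once
    $bytes = [byte[]]::new(32)
    [RandomNumberGenerator]::Create().GetBytes($bytes)
    $nonce = [Convert]::ToBase64String($bytes)
    [void]$issuedNonces.Add($nonce)
    $nonce
}

function Invoke-AuthenticatorSign([string]$Nonce) {
    # Steps 5-6: after the user gesture (unconditional in this model) the private key signs the nonce
    $authenticator.SignData([Text.Encoding]::UTF8.GetBytes($Nonce), [HashAlgorithmName]::SHA256)
}

function Test-SignedNonce([string]$Nonce, [byte[]]$Signature) {
    # Steps 7-8: accept only a nonce we issued, only once, and only with a valid signature
    if (-not $issuedNonces.Remove($Nonce)) { return 'Rejected: unknown or already-used nonce' }
    $ok = $rpPublicKey.VerifyData([Text.Encoding]::UTF8.GetBytes($Nonce), $Signature, [HashAlgorithmName]::SHA256)
    if ($ok) { 'Accepted' } else { 'Rejected: signature does not verify' }
}

# A normal sign-in: fresh nonce, signed by the key, checked by the relying party
$nonce = New-Nonce
$sig   = Invoke-AuthenticatorSign $nonce
Test-SignedNonce $nonce $sig

# Presenting the same signed nonce again: the nonce has already been consumed
Test-SignedNonce $nonce $sig

# A fresh nonce with one bit of the signature flipped: the public key no longer verifies it
$nonce2 = New-Nonce
$sig2   = Invoke-AuthenticatorSign $nonce2
$sig2[0] = $sig2[0] -bxor 1
Test-SignedNonce $nonce2 $sig2
```

The single-use set is what makes step 4 matter: without it a captured signed nonce could be presented again, which is exactly the replay that a password (a reusable secret) cannot defend against and a signed fresh challenge can.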

Enabling support for Yubikey

Time to log into your Azure Active Directory via http://portal.azure.com

Select Security
Select Authentication methods
Select FIDO2 Security Key and enable it for your environment

Now that’s the easy bit completed; the next step is educating the users.

[Meme image: "NOOooooo That's impossible!!!!!" – Luke Skywalker]

Configuring Yubikey

Each user will need to visit https://myprofile.microsoft.com/

Select Security Info
Click Add Method
Select Security Key –> Add
Select USB device
Press Next
Insert your Security Key into one of your USB ports.
Specify a security key PIN
Touch the button on the security key
Provide a name to identify the security key
All Done!!

How does the sign-in work?

Well, it’s really simple. Check out the video below.

Regards
The Author – Blogabout.Cloud

Receive a voucher to take the AZ-900 for free!!

Microsoft has decided to run a number of full-day virtual training events on the Fundamentals of Azure! This is excellent news for all those affected by Covid-19, as there is no excuse not to attend 🙂 and by attending you will receive a free Microsoft exam voucher so you can take the AZ-900 exam from home.

The course details are as follows:


To create your vision for tomorrow, you need to understand what the cloud can do for you and your company today. Microsoft Azure Virtual Training Day: Fundamentals explains cloud-computing concepts, models, and services, covering topics such as public, private, and hybrid cloud as well as infrastructure as a service, platform as a service, and software as a service.

During this free virtual event you will learn:

  • Common cloud concepts
  • Benefits of Azure
  • Strategies for transitioning to Azure cloud
  • Azure computing, networking, storage and security basics

By attending the event, you will have the knowledge needed to take the AZ-900 Microsoft Azure Fundamentals certification exam and receive a voucher to take the exam for free at a date and time of your choice.

Virtual training will be in English.


So here are the options available for attending the virtual event.

April 21st , GMT+2 timezone :
https://info.microsoft.com/CE-AzureINFRA-WBNR-FY20-04Apr-21-MicrosoftAzureVirtualTrainingDayFundamentalsMaster-SRDEM17525_LP01Registration-ForminBody.html

May 5th, Eastern Time Zone:
https://info.microsoft.com/en-us-landing-MicrosoftAzureVirtualTrainingDayFundamentalsMaster-may5-none.html?ls=Website&lsd=AzureWebsite

June 17th (Pacific Time Zone):
https://info.microsoft.com/en-us-landing-MicrosoftAzureVirtualTrainingDayFundamentalsMaster-jun17-none.html?ls=Website&lsd=AzureWebsite

June 2nd (Eastern Time Zone):
https://info.microsoft.com/en-us-landing-MicrosoftAzureVirtualTrainingDayFundamentalsMasterJun02-none.html?ls=Website&lsd=AzureWebsite

Two day Virtual Event

This will be the same content but delivered over two days. Each day will deliver 2 of the 4 modules listed above.

May 12 – 13 (Eastern Time Zone):
https://info.microsoft.com/en-us-landing-MicrosoftAzureVirtualTrainingDayFundamentalsMaster-none.html?ls=Website&lsd=AzureWebsite

May 27 – 28 (Pacific Time Zone):
https://info.microsoft.com/en-us-landing-MicrosoftAzureVirtualTrainingDayFundamentalsMastermay27-none.html?ls=Website&lsd=AzureWebsite

June 24 – 25 (Pacific Time Zone):
https://info.microsoft.com/en-us-landing-MicrosoftAzureVirtualTrainingDayFundamentals-None.html?ls=Website&lsd=AzureWebsite

There are more options available and you can see them all over here: https://azure.microsoft.com/en-ca/community/events/?query=Microsoft+Azure+Training+Day%3A+Fundamentals

PS: Additional assistance is available for passing your exam, as Pluralsight is also free for the entire month of April 2020.

Regards
The Author – Blogabout.Cloud