Blocking ActiveSync with Conditional Access

Microsoft has announced that they’re continuing the path away from Legacy Authentication, with the decommission of legacy auth to EWS on Exchange Online on October 13th 2020. Instead of waiting for that looming date, there’s a bunch of security reasons to only have Modern Authentication for Microsoft 365.

I’ve already written up on Protect Your Office 365 Accounts By Disabling Basic Authentication and Blocking Legacy Authentication – Conditional Access vs Authentication Policies – but when I migrated from Authentication Policies to Conditional Access, I didn’t realise ActiveSync wasn’t included as part of blocking Legacy Authentication, even though it connects without MFA.

The guide from Microsoft on how to block Legacy Authentication doesn’t actually mention ActiveSync, so it’s easy to miss like I initially did! You’ll need to block ActiveSync altogether as far as I know, as it doesn’t support MFA.

Although I still think Conditional Access is easier to manage than Authentication Policies, there is one caveat; even with an ActiveSync block in place via Conditional Access, too many attempts by a user will lock their account briefly. This might cause problems or require work to get those users to clean up whatever device is trying to log in. With an Authentication Policy I don’t believe this happens because it’s blocked earlier in the sign-in process – you won’t see logs, and the account can’t get locked.

There is of course, a checkbox around ActiveSync, and a way to block it using Conditional Access, but I had mixed results in blocking it successfully until I did it exactly this way:

Create a new Conditional Access Policy and set these options:

Users and groups > All Users
Cloud apps or actions > Select Apps > Office 365 Exchange Online
Conditions > Client apps > Tick both ‘Mobile apps and desktop clients’ + ‘Exchange ActiveSync Clients’
Grant > Block Access

In the Users and Groups section, you can narrow this down from ‘All Users’ for testing or for a gradual rollout.

The user experience is interesting on this one – they can still sort of authenticate, but instead of getting their emails, they will see a single email advising that their access has been blocked:

On top of this, you can use Azure AD to audit who might be using ActiveSync before you put any sort of block in place. As per usual, there’s a good Microsoft article on Discovering and blocking legacy authentication which can walk you through this, but in short:

Via the Azure Portal, go to Azure Active Directory > Users. Under Activity, go to Sign-ins. Click Add filters, and choose Client App > Tick the three ‘Exchange ActiveSync’ options and press ‘Apply’. You’ll see the last 7 days of sign in attempts using ActiveSync, which should give you an idea of how many users are using it, and who.

Blocking Legacy Authentication, plus blocking ActiveSync will give you a much more secure environment, protecting from account attacks.

MyAnalytics is Coming (for the rest of us)

MyAnalytics is an extension to Microsoft 365 which provides productivity insights. It looks at what you do over email, OneDrive for Business and Skype for Business Online/Teams, and collates the data to present it with statistics.

The documentation for how this product works is quite good and worth a read. There’s privacy considerations in any product that’s scraping data, but they seem fairly well addressed. Two main points are that the data for MyAnalytics is processed and stored in the user’s Exchange Online mailbox, and nobody but the user can see this data (including system administrators).

MyAnalytics has been around for a while, but mostly for Office 365 E5 / Microsoft 365 E5 customers so many people have not heard of it, or have no experience in it. Microsoft are changing who gets access to this data, and are currently rolling out Digest emails to E3, E1 and Business customers.

If you have the feature already turned on, then your users can probably already access their dashboard at https://myanalytics.microsoft.com/ and start checking it out.

MyAnalytics is controlled by a license under the Microsoft 365 product. Many people probably have all the components on, and therefore although users have had access to this product, it hasn’t really been visible. The Welcome email comes first, and it seems to be rolling out right now to Targeted Release users in Microsoft 365.

Beyond just turning MyAnalytics on, there’s a few admin controls available at the tenant level and user level. You’ll need to consider items like ‘should users be opted-in by default, or opted-out’ if there are concerns around data scraping – even though this all lives in your Microsoft tenant, there could still be staff that are not comfortable with this.

Nascar use MyAnalytics if that helps you point to another company using it:

As you can see, I’ve linked to a bunch of Microsoft documentation around this rather than rewriting what they have – always nice to see quality doco!

It’s worth checking out MyAnalytics now and deciding if it’s something you want – at least check the state of your settings before users start getting Welcome emails!

Update 20th September

The product group have advised me on one extra tip – disabling the ‘Weekly insights email‘ option at the admin end will actually disable the Welcome email too – documentation to be updated shortly.

You do not have permission to open the network connections folder

While testing Always On VPN in Windows 10, I discovered an issue where users couldn’t access the Network Connections settings to see what the VPN profile was up to.

Network Connections is accessible in a few ways, including via Control Panel\All Control Panel Items\Network Connections, or ‘Change Adapter Options’ under Settings > Network and Internet > Ethernet. It was locked down, but I wasn’t sure why.

If I changed a user to be a local administrator, I could then access Network Connections. I couldn’t find any reason why it could be locked down, until I stumbled across this old Group Policy Setting:

Remote Network Connections from Start Menu

Based on it’s name, it should be just doing exactly what it says. Plus, the newsest desktop OS listed for support is Windows Vista.

However, as the help explicitly says:

Network Connections still appears in Control Panel and in File Explorer, but if users try to start it, a message appears explaining that a setting prevents the action.

And that’s exactly what it was doing. After removing the setting from being configured and running ‘gpupdate’, I could immediately access Network Connections again.

Another reason to make sure your Group Policy settings are cleaned up – this setting was set over 10 years ago, and took this long to discover and remove!

Four Generations of the Lenovo ThinkPad X1 Yoga

Lenovo’s X1 Yoga is my favorite business laptop. Ever since the X1 Yoga Gen 1 came out, I liked it over the other X1 options as it was an all-rounder, while doing everything really well.

That first generation came out in 2016, and each year there’s been a new one, the 2nd Gen, 3rd Gen and now in 2019, we’re at the 4th Gen.

It’s about time I did a round up and comparison of these four models.

Lenovo ThinkPad X1 Yoga Gen 1

The Gen 1 came out in 2016 as the X1 Carbon became lighter, thinner and lost it’s touchscreen. There was mixed reaction to this decision from Lenovo, and although the Yoga had existed in several forms previously, this was the first in the ThinkPad X1 series.

Lenovo ThinkPad X1 Yoga Gen 1

Notable on this model is the OneLink+ connector – a shortlived port for a OneLink+ dock that only survived a single generation, to be replaced by USB-C/Thunderbolt. It has the standard rectangle style power plug hole, again this would not be seen on future X1 Yogas.

This is the only model to not have a dedicated Ethernet port, instead a special OneLink+ Ethernet dongle, USB2 100mbit dongle or USB3 gigabit dongle was required.

Lenovo ThinkPad X1 Yoga Gen 2

2017 saw this release with the 7th Gen Intel CPU and the OneLink+ port abandoned, replaced by USB-C. This was great, since it was now an industry standard and meant there was a lot of flexibility with what power pack and dock you could use.

Lenovo ThinkPad X1 Yoga Gen 2

This is the first model to have an OLED display option, and strangely this Gen 2 is slightly thicker and heavier than the Gen 1. There wasn’t that many improvements in this model, but overall it’s pretty well rounded solution.

Battery life on this was claimed to be a lot better than the Gen 1.

Lenovo ThinkPad X1 Yoga Gen 3

It was the third model’s turn in 2018 which saw few changes again. Another generation jump on the Intel CPU, which this time doubled the core count from the 7th to 8th mobile CPU generation.

Lenovo ThinkPad X1 Yoga Gen 3

Other smaller changes included the introduction of a shutter over the camera, a HDR display option with Dolby Vision, and the black colouring a bit different – the chassis is glossier, and anything silver has gone black including the hinges and ThinkPad logo (it still looks silver in this photo sorry!)

Lenovo ThinkPad X1 Yoga Gen 4

And finally, here we are in 2019 with the Gen 4 being released… and it’s a major jump. The biggest jump we’ve seen year to year so far. An all metal chassis, the laptop footprint has been drastically reduced (17% smaller footprint, 11% thinner), the colour is now ‘iron grey’ which I’m personally a fan of, and the screen to bezel distance is much smaller.

Lenovo ThinkPad X1 Yoga Gen 4

There’s also a new connector for a different ethernet dongle, and support for a new style of dock that connects on the left hand side to the combo USB-C/ethernet slot. Of course it’s jumped a CPU generation again, up to Intel’s 8th.

The MicroSD slot has been dropped, probably as part of making the laptop smaller. If you really need that, then look at any of the previous generations.

One other interesting feature is a new privacy screen option called PrivacyGuard that can be toggled on and off, and stops people seeing the screen on an angle. The retractable key feature has gone again – there’s no rubber feet to protect the keys, but they might be minutely sunk in, I couldn’t tell with the naked eye.

The final note on this model is that it has a very similar CPU to the Gen 3, still an 8th Generation Intel CPU but a newer variant – Whiskey Lake rather than Kaby Lake.

Let’s have a look at the 4 generations stacked together, going bottom to top Gen 1, Gen 2, Gen 3 and Gen 4:

Front – X1 Yogas
Back – X1 Yogas
Left Side – X1 Yogas
Right Side – X1 Yogas

You can see that footprint difference in the photos above. The 4th Gen looks completely different to the rest.

Each of my individual reviews lists out the possible specs for each model if you want to dive a bit further into the technical differences;

Lenovo Thinkpad X1 Yoga Gen 1
Lenovo Thinkpad X1 Yoga Gen 2
Lenovo Thinkpad X1 Yoga Gen 3
Lenovo Thinkpad X1 Yoga Gen 4

The X1 Yoga will never be as small and light as the X1 Carbon, and never be as portable as the X1 Tablet, nor the powerhouse of the X1 Extreme – but it is all of these devices at once in it’s own way. It’s still my pick of the X1 series for it’s flexibility, but the other choices could also be better for your personal needs if you know how you’re going to use it.

Lenovo ThinkPad Yoga X1 Gen4 Review

Lenovo’s newest ThinkPad X1 Yoga is out, and as soon as I took it out the box there were some vast differences compared to all the other X1 Yogas. I’ve spent some time using one for a few weeks now, so let’s check it out.

Where to start with the differences… it has a smaller footprint, it’s all metal, it’s a different colour (iron gray) and it just doesn’t look like the older X1 Yogas.

I’ve written up a quick comparison of the ‘Four Generations of ThinkPad X1 Yoga’ seperately, so I’ll try to focus on this more as a standalone review.

Here’s an overview of the tech specs with the options I have bolded:

Processor8th Gen Intel® Core™ i5/i7 Processor:
Intel Core i5-8265U (4C / 8T, 1.6 / 3.9GHz, 6MB)
Intel Core i5-8365U (4C / 8T, 1.6 / 4.1GHz, 6MB)
Intel Core i7-8565U (4C / 8T, 1.8 / 4.6GHz, 8MB)
Intel Core i7-8665U (4C / 8T, 1.9 / 4.8GHz, 8MB)
Operating SystemWindows 10 Home 64
Windows 10 Pro 64
Display 14″ 4K UHD (3840 x 2160) IPS with Dolby Vision HDR400, 470 nits, glossy, multi-touch
14″ WQHD (2560 x 1440) IPS, 280 nits, glossy, multi-touch
14″ FHD (1920 x 1080) IPS, low power, 380 nits, glossy, multi-touch
14″ FHD (1920 x 1080) IPS PrivacyGuard, 380 nits, glossy, multi-touch
Multi-touchCapacitive-type multi-touch, AR (anti-reflection), AS (anti-smudge), supports 10-finger gesture
PenThinkPad Pen Pro, on-board rechargeable
GraphicsIntel UHD Graphics
Memory8GB or 16GB / 2133MHz LPDDR3, soldered
Webcam720p HD Camera with microphone
IR & 720p HD Camera with microphone
StorageUp to 1TB PCIe SSD (256GB here)
Dimensions (W x D x H)323 x 218 x 15.5 (mm)
WeightStarting at 1.36 kg
Case colourIron Grey
Case materialDisplay cover: Aluminium
Bottom: Magnesium
Battery4-cell (51 Wh), integrated
Battery life1Up to 18.1 hours
AC adaptor65W USB Type-C (supports RapidCharge)
KeyboardBacklit keyboard with white LED
UltraNav™TrackPoint® pointing device and buttonless Glass surface touchpad
Audio supportStereo speakers 2 x 2W, 2 x 0.8W
Dolby® Atmos™ speaker system
Quad array far-field microphones
ConnectivityWLAN: Intel Wireless-AC 9560, Wi-Fi 2×2 802.11ac + Bluetooth® 5.0W
WAN: Optional integrated Mobile Broadband 4G LTE-A (Fibocom L850-GL)
Ethernet: via optional ThinkPad Ethernet Extension Adaptor Gen 2
SecurityMatch-on-Chip Touch Fingerprint Readerd
TPM 2.0 chip
ThinkShutter camera cover
Security-lock slot
Ports2 x USB 3.1 Gen 1 (1 x Always On)
2 x USB 3.1 Type-C Gen 2 / Thunderbolt™ 3
1 x HDMI 1.4b
1 x Ethernet extension connector
1 x nano-SIM card slot (WWAN model)
1 x headphone/mic jack
1 x side docking connector
Supported dockingThinkPad Thunderbolt™ 3 Dock
ThinkPad Basic/Pro/Ultra Docking Station CS18
ThinkPad USB 3.0 Pro/Ultra Dock

Processor – It’s nice to have the 8th Gen CPU with it’s 4 cores / 8 threads on the entry level option, but this is the first time we’ve not seen a generational jump from the previous year’s X1 Yoga. The 8th Gen for laptops was a good change though, as it doubled the core count. I’m not sure why Lenovo didn’t go for the newer 9th gen CPU; maybe it wasn’t ready in time, and since the 8th to 9th jump isn’t much of a difference they went ahead with the 8th gen again – albeit Whiskey Lake rather than Kaby Lake.
Update: Lenovo have now announced that they’ll be releasing a 10th gen CPU option in September 2019, with everything else being identical.

Display – Although I have the lowest end 1080p screen as usual, it’s a really crisp screen to look at. The viewing angles are impressive, at no stage does the screen become less readable and the bezel itself is small – a lot smaller than previous models. There’s also the PrivacyGuard option which might not be available at the time of writing, but it looks like a nice choice for users who work in public areas. That full 4K option with HDR/Dolby Vision would also look great I’m sure!

Dimensions – Weight wise it’s about the same as previous models, not too heavy – but the footprint it takes up is 17% less than previous models. Those now feel much chunkier that I’ve been using this new one, and it’s not too small. It’s also a bit thinner than previous models too, by 11%.

Audio Support – The speakers have been moved since previous models, and the sound now comes out the top of the keyboard so the sound appears to come straight at you, with the subwoofer on the bottom of the unit.

Ethernet – This is an interesting change – there’s a new Ethernet dongle connector which appears to be due to the new dock support.

New Ethernet Dongle

Personally I’d rather just have a USB3 dongle or an actual Ethernet port, but I also want a thin laptop, and I still *could* use a USB3 dongle – which has the overhead of using the USB BUS instead of getting directly to Ethernet on the laptop.

Let’s see more of this laptop:

Lenovo ThinkPad X1 Yoga Gen 4 Screen

Here’s a photo of the screen (which doesn’t do it justice quality wise), but you can see how much smaller the bezel is on this.

Lenovo ThinkPad X1 Yoga Gen 4 Left Side

On the left side of the laptop going from left to right we have USB-C, USB-C + Ethernet in a single port but can still be used separately, USB 3, full sized HDMI and a 3.5mm audio jack.

Lenovo ThinkPad X1 Yoga Gen 4 Right Side

The right side has the stylus, which is a bit more hidden than previous models (and sometimes I try to press that to power on the unit), power, USB 3, vent, and Kensington lock.

Lenovo ThinkPad X1 Yoga Gen 4 Right Keyboard

The keyboard is nicely laid out without any keys in strange places, backlit also and the keys are easy to type on. The Trackpad too works well – nothing to complain about here at all.

Conclusion

I can honestly say this is the best X1 Yoga yet. There’s no negatives at all to me, beyond price since it’s the newest. If you care about Ethernet you’ll have to use the new adapter, but that comes with it anyway and it’s unlikely you’ve invested in a bunch of those from older models.

The one removal that some people might not like is the inbuild SD Card reader – it was in previous generations – so if that’s a must have for you. you’re out of luck. Look at a different laptop or get used to using a USB SD Card reader.

It’s fast, the screen is great, it feels even higher quality than previous models due to being completely aluminium and magnesium, and it still even has a stylus tucked away. The speakers are improved, so it’s even a better movie watching experience on this business laptop.

RAM is soldered on as usual, the only thing you could upgrade would be the SSD and it’s not a laptop designed to be opened up – so make sure you get specs that’ll keep you happy for a few years.

I hope this review helps you decide what you’re looking for, feel free to post and questions below.

Also, if you want a video review, check out Lisa’s review on MobileTechReview: