
Azure AD Password Protection Setup Summary

Microsoft have a nice way of preventing the use of bad passwords. Yes, all passwords are bad, but some are worse than others :)

Azure Active Directory Password Protection is a service that looks at password changes and blocks passwords it deems weak. That includes passwords that would fall quickly to a dictionary attack, along with easily guessable variants of them. It leverages Microsoft online services to do so, which requires some setup and agents installed in the on-premises environment.

Microsoft’s documentation for this is detailed and fairly easy to follow, but I thought I’d do a quick rundown.

Installing the agents:

  • There are two agents – the ‘Azure AD Password Protection DC agent’ and the ‘Azure AD Password Protection proxy service’. Both can be downloaded here.
  • The ‘Azure AD Password Protection DC agent’ needs to be installed on all Domain Controllers (DCs), but the ‘Azure AD Password Protection proxy service’ only needs to be installed somewhere once. You CAN install it on a Domain Controller, and you can install it on ALL Domain Controllers, but Microsoft highlights this as a potential security risk because the proxy needs internet access, and that means giving a DC internet access. At least two installs of the proxy are recommended for redundancy.
  • The ‘Azure AD Password Protection proxy service’ can’t be installed alongside (on the same server) as ‘Azure AD App Proxy Service’ – which is probably the same utility server you’d think of putting this on.
  • After installing the ‘Azure AD Password Protection proxy service’ you’ll need to run a few PowerShell commands to register it with global admin rights – you don’t need to create a service account for this, it’s just a one time registration process.

    The commands are:

    Register-AzureADPasswordProtectionProxy -AccountUpn 'yourglobaladmin@yourtenant.onmicrosoft.com'
    (run this on each proxy install)

    Register-AzureADPasswordProtectionForest -AccountUpn 'yourglobaladmin@yourtenant.onmicrosoft.com'
    (run this once, after the first install only)
  • Installing the ‘Azure AD Password Protection DC agent’ is easier again, but will need a reboot of the DC to start working.
  • Both clients automatically update themselves.

Configuring in Azure Active Directory

  • You’ll need to enable on-premises Azure Active Directory Password Protection on the Azure AD portal – that link should take you right to ‘Password Protection’ but it’s located under Azure Active Directory > Security > Authentication methods > Password protection.
  • Start with ‘Audit mode’ rather than ‘Enforced Mode’ so you can get an idea of how many users might get affected by this change, and allow you to communicate this out before forcing.
  • You can also add custom banned passwords which might include your company name and common terms in your business and industry, to ensure easily guessed passwords aren’t used.

There are other catches to this, like making sure your domain is using DFSR rather than FRS, so please go through the official documentation carefully.

Once set up, you can either read through the event logs on a DC, or run this PowerShell command on each DC to see the results:

Get-AzureADPasswordProtectionSummaryReport

You’ll need to either wait for users to change their passwords, or do some yourself and work out which DC the changes were done against. These stats will give you an idea of how many ‘failures’ were audited, so you can decide how much of a user impact enforcing the policy will be.

You could of course ship these Event Viewer logs to a central repository, but the service should just do its thing and block users from setting a new password that’s really bad.
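As an added example (not from the original post), here is one way to pull that summary from every DC in one go rather than logging on to each. It assumes the RSAT ActiveDirectory module on the admin workstation, PowerShell Remoting to the DCs, and the counter property names as shown in Microsoft’s documentation for the cmdlet (check them against your agent version).

```powershell
# Added example, not part of the original post. Runs the DC agent's summary
# cmdlet on every DC via PowerShell Remoting and rolls the audit counters up,
# so you can size the user impact before switching from Audit to Enforce.
Import-Module ActiveDirectory

# Every DC in the current domain; the DC agent (and its cmdlet) lives on each one.
$dcs = (Get-ADDomainController -Filter *).HostName

# Invoke-Command tags each returned object with PSComputerName, so we know which
# DC processed which password changes without reading each DC's event log.
$reports = Invoke-Command -ComputerName $dcs -ErrorAction Continue -ScriptBlock {
    Get-AzureADPasswordProtectionSummaryReport
}

# Per-DC view. Property names are the documented cmdlet output (assumption:
# unchanged in your agent version).
$reports |
    Select-Object PSComputerName,
                  PasswordChangesValidated,
                  PasswordChangesAuditedAsWouldBeRejected,
                  PasswordSetsValidated,
                  PasswordSetsAuditedAsWouldBeRejected |
    Format-Table -AutoSize

# Forest-wide totals. "AuditedAsWouldBeRejected" is the number that matters in
# Audit mode: those are the changes Enforce mode would have blocked.
function Get-CounterTotal {
    param([object[]]$Reports, [string]$Property)
    ($Reports | Measure-Object -Property $Property -Sum).Sum
}

$wouldReject = (Get-CounterTotal $reports PasswordChangesAuditedAsWouldBeRejected) +
               (Get-CounterTotal $reports PasswordSetsAuditedAsWouldBeRejected)
$validated   = (Get-CounterTotal $reports PasswordChangesValidated) +
               (Get-CounterTotal $reports PasswordSetsValidated)

'{0} password changes/sets seen across {1} DCs; {2} would have been rejected in Enforce mode' -f
    ($wouldReject + $validated), $dcs.Count, $wouldReject
```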

Migrating from a Synology 8 bay NAS to a 6 bay NAS

I currently have a Diskstation 1813+ 8 bay NAS which is doing a great job, but since Synology gave me a 1618+ to review, and the 1813+ is 7 years old, I’m migrating over to that instead. The catch is that I have 7 drives already in the 1813+ in a single SHR setup. How do I get that across to the newer 6 bay NAS? This is actually a writeup of the planned migration, rather than the success at the end… and the goal is to reduce costs. I could just buy 6 new 10TB drives and have an easy migration!

Yes, I’ve lain in bed at night thinking about this and the best approach. I have 40TB of space, ~30TB in use in a SHR setup:

If I had somewhere to just copy 30TB of data to temporarily, it’d be easy. Copy the data off, move 6 of the drives, create a new SHR, copy the data back and done. Except, I don’t have 30TB of space anywhere.

It isn’t possible to take a disk out of the SHR setup (i.e. shrinking the volume size and somehow telling it to abandon one of the disks), so I can’t free up a disk that way. I can, however, take one disk out and break its redundancy while moving data. Risky, but that could give me at least the 12TB disk to use as temporary space. That’s a start.

It’s unavoidable, I’ll need to buy some more disks for temp space. I can get two external 10TB Seagate HDD for $283AU each and use those as temporary space along with the 12TB disk. That’ll get me my 30TB to copy everything off while I juggle the rest of the disks.

That leaves me with 2x 10TB and 4x6TB in the old SHR setup. There is a limitation of SHR which is worth understanding:

For SHR: The capacity of the drive you intend to add must be equal to or larger than the largest drive in the storage pool, or equal to any of the drives in the storage pool.
Example: If an SHR storage pool is composed of three drives (2 TB, 1.5 TB, and 1 TB), we recommend that the newly-added drive should be at least 2 TB for a better capacity usage. You can consider adding 1.5 TB and 1 TB drives, but please note that some capacity of the 2 TB drive will remain unused.

https://www.synology.com/en-au/knowledgebase/DSM/help/DSM/StorageManager/storage_pool_expand_add_disk

What that means is, if I take the very slow approach of building up a SHR with just the two 10TB disks, then look to add more disks after, I can’t add a 6TB disk.

However, I can move all 6 remaining disks across and create a new SHR giving me a bit over 30TB:

Once that’s done, I can then copy all the data off the temporary 2x10TB and 1x12TB disks to the new Synology DiskStation 1618+. Great, except I want to use all four 6TB disks elsewhere, and the end result would leave me with 4x10TB, 1x12TB and 1x6TB. I can’t remove the last 6TB disk without having an equal or bigger disk to replace it with, and I don’t want to buy a third 10TB disk at this stage.

What I can do is set up the SHR one disk short, leaving out the last 6TB disk so I have 2x10TB and 3x6TB, which will give 28TB of space. Enough that I can then copy the contents of any two of the three temporary storage disks (2x10TB and 1x12TB), and as they get cleared, add them to the SHR.

Each time I add a disk to the SHR it might take a day or two though – this process will take a while. I’ve got multiple points of failure (original SHR has no redundancy, single temporary storage disks all have no redundancy). I can only change one disk at a time.

Once I’m at 4x10TB and 1x6TB in the new SHR, I’ll have enough room to copy the 12TB of data off the spare disk, onto the SHR, then swap out the 6TB for the 12TB.

I also need to make sure, for my own neatness, that the 6th bay doesn’t have a drive in it at any time. Drives can’t be physically moved around in a SHR, so I don’t want to have 5 drives in a 6 bay NAS and have a ‘gap’ in the middle where there isn’t a drive. Not a dealbreaker on the move, but still :)

In summary:

  • Buy 2x10TB drives
  • Copy 20TB of the 30TB to the two drives I bought
  • Remove 1x12TB drive from SHR in the 1813+ NAS and break redundancy.
  • Copy remaining data to the 12TB drive mounted somewhere else.
  • Move 2x10TB and 3x6TB into the new 1618+ NAS and create a SHR.
  • Copy the data off the 2x10TB drives to the new SHR.
  • Swap out one 6TB drive for a 10TB drive and repair the array.
  • Swap out the other 10TB drive for another 6TB drive in the array.
  • Copy the data on the 12TB disk onto the SHR.
  • Swap in the 12TB drive with the final 6TB drive.
  • All 6TB drives can go back in the 1813+ for other purposes

I think that’s my plan. I’ll update this post once I’m at the end of it (currently awaiting the arrival of the 2x10TB drives). Can you poke any holes in my plan?
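As an added example (not from the original post), this is a small model of SHR with single-drive redundancy that reproduces the capacity figures and the expansion rule used in the plan above. It assumes nominal TB with no filesystem overhead, and that SHR-1 usable space equals raw total minus the largest drive (the parity slices plus the unusable excess of a lone largest drive add up to exactly one largest drive).

```powershell
# Added example, not part of the original post. Models SHR-1 capacity and the
# Synology "add a drive" rule so each stage of the migration can be checked.
function Get-ShrUsableTB {
    # SHR-1 usable capacity = raw total minus the largest drive (nominal TB).
    # DSM displays binary units, so the 7-drive pool's 44 TB shows as ~40 TB there.
    param([Parameter(Mandatory)][int[]]$DriveTB)
    if ($DriveTB.Count -lt 2) { return 0 }   # a single drive carries no redundancy
    ($DriveTB | Measure-Object -Sum).Sum - ($DriveTB | Measure-Object -Maximum).Maximum
}

function Test-ShrCanAddDrive {
    # The rule quoted from the Synology knowledge base: the new drive must be at
    # least as large as the largest drive in the pool, or match an existing size.
    param([Parameter(Mandatory)][int[]]$PoolTB, [Parameter(Mandatory)][int]$NewTB)
    ($NewTB -ge ($PoolTB | Measure-Object -Maximum).Maximum) -or ($PoolTB -contains $NewTB)
}

# Drive sets at each stage of the plan (from the post), in nominal TB.
$stages = [ordered]@{
    'Original 1813+, 7 drives'            = 12,10,10,6,6,6,6
    'New 1618+ start, one bay short'      = 10,10,6,6,6
    'After swapping two 6TB for 10TB'     = 10,10,10,10,6
    'After swapping the last 6TB for 12TB' = 12,10,10,10,10
}

foreach ($stage in $stages.GetEnumerator()) {
    $raw = ($stage.Value | Measure-Object -Sum).Sum
    '{0,-40} raw {1,3} TB  usable {2,3} TB' -f $stage.Key, $raw, (Get-ShrUsableTB $stage.Value)
}

# The catch the post runs into: a pool built from just the two 10TB drives
# will not accept a 6TB drive, but a pool that already holds a 6TB will.
'Add 6TB to 2x10TB pool:    {0}' -f (Test-ShrCanAddDrive -PoolTB 10,10 -NewTB 6)
'Add 6TB to 10,10,6 pool:   {0}' -f (Test-ShrCanAddDrive -PoolTB 10,10,6 -NewTB 6)
'Add 12TB to 4x10TB+6 pool: {0}' -f (Test-ShrCanAddDrive -PoolTB 10,10,10,10,6 -NewTB 12)
```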

Set Microsoft Edge as Default Browser One Time

The New Microsoft Edge browser is great and everyone should use it :) Especially if you’re still on Internet Explorer, you can make Edge use IE mode for the sites you have that still require IE, without having to actually use IE.

I had a scenario where I wanted Internet Explorer users to be changed to Microsoft Edge. Previously, we’d had business requirements to set IE as the default – but now that’s no longer required, I wanted to flip their default. At the same time, I didn’t want to change Google Chrome default browser users as they’d already made that choice, and didn’t want to shove a similar Chromium browser down their throats.

As per Microsoft’s doco https://docs.microsoft.com/en-us/deployedge/edge-default-browser you can use an XML file with default associations, and use Group Policy to point to that XML. It doesn’t stop users from changing the associations, but it does reset the associations each time the user logs in – so not ideal if you want to set a default, but also allow flexibility.

I worked out how to do this based on current default browser and using GPO still, so here’s what I did:

As per the doco above, create an XML file that sets Microsoft Edge as the default application for certain protocols:

<?xml version="1.0" encoding="UTF-8"?>
<DefaultAssociations> 
  <Association ApplicationName="Microsoft Edge" ProgId="MSEdgeHTM" Identifier=".html"/>
  <Association ApplicationName="Microsoft Edge" ProgId="MSEdgeHTM" Identifier=".htm"/>
  <Association ApplicationName="Microsoft Edge" ProgId="MSEdgeHTM" Identifier="http"/>
  <Association ApplicationName="Microsoft Edge" ProgId="MSEdgeHTM" Identifier="https"/>  
  <Association ApplicationName="Microsoft Edge" ProgId="MSEdgePDF" Identifier=".pdf"/>
</DefaultAssociations>

Note that .PDF is included, so if you’d rather not default .PDF files to Microsoft Edge, remove that line from the code.

The Group Policy in the doco to set this XML is called Set a default associations configuration file – and all it’s doing is populating a registry key. Instead of using the Group Policy setting, create a registry setting to apply a value to:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System
DefaultAssociationsConfiguration - REG_SZ - Path to XML e.g. \\dfs\share\defaultapplication.xml

The Group Policy registry setting will look like this:

We only want this registry setting to apply when the default browser is IE, and not apply any other time. We can use two options to do this – Remove this item when it is no longer applied, and Item-level targeting:

“Remove this item when it is no longer applied” will remove the registry setting when the item-level targeting condition is no longer true, which will stop the default browser applying again and again once the default browser isn’t IE.

“Item-level Targeting” is where we’ll check another registry value to see if IE is the default browser.

This is checking the registry key path Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice

and the Value name ProgId

and the Value Data IE.HTTP

Only when all this is true will the XML reg key apply. Next time someone logs on, the default program associations file will be read and the new browser default applied. Then, next time Group Policy evaluates, the registry setting will be out of scope and removed, so the default program associations file setting is gone and won’t keep re-applying.

For reference, Chrome will be the value ChromeHTML and Edge will be MSEdgeHTM.

This method worked quite well and gave me what I was after – a one time change from Internet Explorer to Microsoft Edge, without bothering Chrome and Firefox users.

Note that this will also keep kicking in if the user changes their browser default back to Internet Explorer, which might be what you want – but if not, you’d need to add another Item-level target using a flag file or registry setting to mark that the default browser has already been applied once.
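As an added example (not from the original post), here is the same "only while IE is the default" logic as a script rather than a Group Policy Preference, for environments that push scripts from a management tool instead of GPO. It assumes the XML path from the post, that the script runs in the user’s own context (the UserChoice key is per-user) with rights to write under HKLM, and it mirrors the "Remove this item when it is no longer applied" behaviour by clearing the policy value when IE is no longer the default.

```powershell
# Added example, not part of the original post. Applies the DefaultAssociations
# policy value only while Internet Explorer is the user's http handler, and
# removes it again otherwise, like the item-level targeted GPP in the post.
$UserChoiceKey = 'HKCU:\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice'
$PolicyKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$PolicyValue   = 'DefaultAssociationsConfiguration'
$XmlPath       = '\\dfs\share\defaultapplication.xml'   # path from the post; adjust to your share

function Get-DefaultHttpProgId {
    # ProgId of the current http handler: IE.HTTP, ChromeHTML, MSEdgeHTM, ...
    # Returns $null when the user has never chosen a browser.
    (Get-ItemProperty -Path $UserChoiceKey -Name ProgId -ErrorAction SilentlyContinue).ProgId
}

function Set-OneTimeEdgeDefault {
    param([string]$ProgId = (Get-DefaultHttpProgId))

    if ($ProgId -eq 'IE.HTTP') {
        # IE is the default: point Windows at the associations XML. Windows reads
        # it at the next logon, which is when Edge becomes the default.
        if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
        Set-ItemProperty -Path $PolicyKey -Name $PolicyValue -Value $XmlPath -Type String
        return 'applied'
    }

    # Chrome, Edge, Firefox or anything else: leave the user's choice alone, and
    # clear the policy value if an earlier run set it so the XML stops re-applying.
    if (Get-ItemProperty -Path $PolicyKey -Name $PolicyValue -ErrorAction SilentlyContinue) {
        Remove-ItemProperty -Path $PolicyKey -Name $PolicyValue
        return 'removed'
    }
    'unchanged'
}

Set-OneTimeEdgeDefault
```

Like the GPO version, this re-applies if a user sets IE back as default; a flag value written on the first 'applied' run is the place to add the once-only check the post mentions.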

What is Microsoft Editor?

Microsoft Editor is a new tool from Microsoft, which I’d never heard of before.

Funnily enough, I found out that Microsoft Editor existed after upgrading to Windows 10 2004. One of the fifteen tips when you ‘See what else is new in this update’ after upgrading is this tip below. I couldn’t really understand what application the tip was referring to – the home tab, in Word, in browser mode via Edge?

Although I then found other tips that seemed purely Office 365 related (like PowerPoint and Excel tips) which is strange to advertise as part of a Windows 10 upgrade, the button on this tip takes you to a page that does a much better job of explaining what it is:

Microsoft Editor checks grammar and more in documents, mail, and the web

Here it explains that Microsoft Editor (whose full name wasn’t mentioned in the tip!) is an optional add-in available for Microsoft Edge and Google Chrome. It’s also coming to Word and Outlook. Also, if you log into it with an account that has a Microsoft 365 subscription, you’ll get advanced grammar and style refinements.

There’s a bit more info about the Microsoft Editor browser extension here, with direct links for the Chrome and Edge add-ons.

Once installed, you’ll have this little icon in the top bar of the relevant browser:

Clicking it will ask you to sign in:

and you can sign in with a free consumer Microsoft account, or a Work account. After signing in, the icon will turn blue, and you can click it again to see your options.

Note that it uses English (United States) as the default language, which you can change by clicking on the current language which takes you to the options:

‘Show synonyms for spelling suggestions’ is also off by default, so I’ve turned that on.

Here’s a spelling correction and a grammar correction while writing this blog post:

Spelling correction
Grammar correction

I’ll have to use it more to see how good it is, but I am happy to see hopefully a useful tool to help everyone write better. If it’s being added into Word and Outlook, there’ll be extremely elevated expectations of this solution doing its job well!

Synology DiskStation Office 365 Backup Review

Synology sent me a new DiskStation to review after I’d acquired an older one myself to look at its ability to back up Office 365 data (or Microsoft 365 data, as the Office 365 name seems to be disappearing). As a Microsoft MVP in the Office Apps and Services category, I was very interested to see how it worked.

After reading up on and seeing that it was a completely free piece of software available as part of owning a DiskStation, I was hoping this would be a good solution at an incredibly low price – buy your DiskStation and disks, some time to set it up, and you’re done. To me, that’s already a very appealing offering, along with Synology having a good reputation for maintaining and supporting their hardware several years on – which was proved by the 7 year old DS1813+ I set up a few months ago.

I’ve left the new Intel-based DiskStation 1618+ – Quad Core CPU and 4GB RAM (expandable) – running for about a month now, backing up my Microsoft 365 tenant’s data. I ticked ALL the options to see how it went. This tenant is just for me, so the data set is smaller than most tenants – but I do run a few live things through it like email and OneDrive. There’s also a little SharePoint Online data from Microsoft 365 Groups and Teams I’ve played around with.

Here’s what the dashboard looks like now:

Some useful information there around what’s being backed up and how big it is. You might notice there’s a few errors on the summary. I drilled into those and each was because ‘The Microsoft Server is busy’, and a few minutes later it would try again successfully.

This is likely because I used a backup option to get incremental changes, rather than at a set time. Maybe I’m hitting it too much and getting blocked occasionally.


I know I’ve gotten ahead of myself here, so let’s go back to how to set this up. Assuming you have yourself a Synology DiskStation of some sort that supports ‘Active Backup for Office 365’ – and which models are those? Here’s the list:

  • 20 series: FS6400, FS3600, FS3400, RS820RP+, RS820+, DS920+, DS720+, DS620slim, DS420+, SA3600, SA3400, SA3200D
  • 19 series: RS1619xs+, RS1219+, DS2419+, DS1819+, DS1019+, DVA3219
  • 18 series: FS1018, RS3618xs, RS2818RP+, RS2418RP+, RS2418+, RS818RP+, RS818+, DS3018xs, DS1618+, DS918+, DS718+, DS418play, DS218+
  • 17 series: FS3017, FS2017, RS18017xs+, RS4017xs+, RS3617xs+, RS3617RPxs, RS3617xs, DS3617xs, DS1817+, DS1517+
  • 16 series: RS18016xs+, RS2416RP+, RS2416+, DS916+, DS716+, DS716+II, DS416play, DS216+, DS216+II
  • 15 series: RS815RP+, RS815+, RC18015xs+, DS3615xs, DS2415+, DS1815+, DS1515+, DS415+
  • 14 series: RS3614xs+, RS3614RPxs, RS3614xs, RS2414RP+, RS2414+, RS814RP+, RS814+
  • 13 series: RS10613xs+, RS3413xs+, DS2413+, DS1813+, DS1513+, DS713+
  • 12 series: RS3412RPxs, RS3412xs, RS2212RP+, RS2212+, RS812RP+, RS812+, DS3612xs, DS1812+, DS1512+, DS712+, DS412+
  • 11 series: RS3411RPxs, RS3411xs, RS2211RP+, RS2211+, DS3611xs, DS2411+, DS1511+, DS411+, DS411+II

From the DiskStation desktop, open Package Center and follow these steps:

This was a very easy setup to do – I took screenshots of every step involved, but it barely needs an explanation for anyone who’s an admin of a Microsoft 365 Tenant.

The program will then go off and start backing up what you told it. The ‘Activities’ section of Active Backup for Office 365 will show any backups running, and you can also use the inbuilt ‘Resource Monitor’ to see upload/download speeds, disk utilization etc.

It’s also worth noting that the backup you created has an ‘account discovery’ option where it’ll find any new accounts created and automatically add them to the backup, which is great for not having to change backup settings each time you have a new user start.


Running a backup is great, but how do you restore the data? There’s a second app you’ll need, ‘Active Backup for Office 365 Portal’. Launching this will take you to a web interface where admins can browse all data, and users can browse just their own (user access can be disabled if you prefer).

On this web interface, you can then find the file(s) you want to restore, and restore them. You also get a nice timeline down the bottom so you can move backwards and forwards to see a snapshot of a certain time.

Although Mail, Calendar, Contact, and Site (SharePoint) support searching across all backups for names and contents, at the time of writing this isn’t possible for OneDrive backups. It’s worth being aware of this – if someone requests a file restore you’ll need to know exactly when from. I don’t see this as too much of an issue though, as OneDrive has great version control natively, and an automatic recycle bin – so you’d probably rely on the native solution for finding a file, but still it’s worth knowing this existing limitation.

That was the only slight negative I could find while testing. Everything else just worked, was quick to browse and restore, and incremental backups appeared to be on the DiskStation within several seconds after creating a new file in OneDrive.

Again, this is an incredibly cheap Office 365 backup solution. Some may question if you need to back up Office 365 at all. You could set up infinite retention against all content, so why take a backup? To me it’s a definite grey area, and partly depends on how much you value the data. Microsoft may never lose your data, but will it be available 100% of the time? What if that important document is in your OneDrive and hadn’t synced down, and there was an outage? We’ve seen a few outages lately, including ones that have broken authentication – your data is still there, but you can’t get to it. In that scenario, having a local copy of something time sensitive could be worth it. Considering the relatively low cost of buying a Synology DiskStation – your disks are probably going to cost more than the unit itself – I consider it a pretty easy sell.