Azure

Azure AD Password Protection Setup Summary

Microsoft have a nice way of preventing the use of bad passwords. Yes, all passwords are bad, but some are worse than others :)

Azure Active Directory Password Protection is a service that looks at password changes and blocks passwords it deems as weak. This could be from checking it’s an easy password to break using a dictionary attack, or other easily guessable variants. It leverages Microsoft online services to do so, which requires some setup and agents installed on the on-premises environment.

Microsoft’s documentation for this is detailed and fairly easy to follow, but I thought I’d do a quick rundown.

Installing the agents:

  • There are two agents – the ‘Azure AD Password Protection DC agent’ and the ‘Azure AD Password Protection proxy service’. Both can be downloaded here.
  • The ‘Azure AD Password Protection proxy service’ needs to be installed on all Domain Controllers (DCs), but the ‘Azure AD Password Protection proxy service’ only needs to be installed somewhere once. You CAN install it on a Domain Controller, and you can install it on ALL Domain Controllers, but Microsoft highlighted this as a potential security risk allowing any DC internet access. At least two installs of this is recommended for redundancy.
  • The ‘Azure AD Password Protection proxy service’ can’t be installed alongside (on the same server) as ‘Azure AD App Proxy Service’ – which is probably the same utility server you’d think of putting this on.
  • After installing the ‘Azure AD Password Protection proxy service’ you’ll need to run a few PowerShell commands to register it with global admin rights – you don’t need to create a service account for this, it’s just a one time registration process.

    The commands are:

    Register-AzureADPasswordProtectionProxy -AccountUpn ‘yourglobaladmin@yourtenant.onmicrosoft.com’
    (run this on each install)

    Register-AzureADPasswordProtectionForest -AccountUpn ‘yourglobaladmin@yourtenant.onmicrosoft.com’
    (run this after the first install only)
  • Installing the ‘Azure AD Password Protection DC agent’ is easier again, but will need a reboot of the DC to start working.
  • Both clients automatically update themselves.

Configuring in Azure Active Directory

  • You’ll need to enable on-premises Azure Active Directory Password Protection on the Azure AD portal – that link should take you right to ‘Password Protection’ but it’s located under Azure Active Directory > Security > Authentication methods > Password protection.
  • Start with ‘Audit mode’ rather than ‘Enforced Mode’ so you can get an idea of how many users might get affected by this change, and allow you to communicate this out before forcing.
  • You can also add custom banned passwords which might include your company name and common terms in your business and industry, to ensure easily guessed passwords aren’t used.

There are other catches to this, like making sure your domain is using DFSR rather than FRSR so please go through the official documenation carfeully.

Once set up, you can either read through the logs on a DC, or run this PowerShell command on each DC to see the results.:

Get-AzureADPasswordProtectionSummaryReport

You’ll need to either wait for users to change their passwords, or do some yourself and work out which DC the changes were done against. These stats will give you an idea of how many ‘failures’ were audited, so you can decide how much of a user impact enforcing the policy will be.

You could of course ship these event viewer logs to a central repository, but the service should just do it’s thing and just block users from setting a new password that’s really bad.

Conditional Access Baseline Policies Out, Security Defaults In for Azure Active Directory

Something I stumbled across today – it appears that Microsoft has decided to abandon Baseline Protection Policies, and replace them with a single ‘on/off’ switch called ‘Security Defaults’

Baseline Protection policies (also called Baseline Policies, it seems both terms have been used) were in preview, and were a pre-canned set of policies based on Microsoft recommendations on standard security settings that should be in place – such as forcing any administrator account to use MFA at each sign in, and blocking legacy authentication.

Here’s what the Conditional Access page currently shows. There might be something wrong with the detection though, as I clearly have a Baseline Policy enabled:

It’s not difficult to recreate the Baseline policies, so I’d suggest migrating off of them now while they’re still functional – you don’t want to be left in a state where you didn’t realise MFA for admins was now not being forced.

The replacement Security Defaults option can be found by going to Azure Active Directory > Manage – Properties > Manage Security Defaults (it’s not in the Conditional Access area):

Before flipping this switch to ‘On’, you’ll need to have a really good read of the documentation. There’s a lot this option does, and may break many environments who aren’t ready for this – such as making sure you have no Legacy Authentication requirements, and that all users will register for MFA within 14 days or be blocked from sign-in until they register.

Although I can see this option being turned on by an uninformed administrator and causing some chaos, I like the idea of this. It means a new tenant can now have a single option to start with to implement several critical aspects to protect the tenant against attacks – right now there’s a lot you need to go through to lock it down, and especially for a small business who doesn’t have the time or resources to do this as well as a larger one, a single on/off switch solves a lot of security problems.

Security Defaults is also available to all customers on all tiers – Azure AD Free tier, which means those who have basic needs can now be protected in several ways they weren’t able to do via Conditional Access before.

Security Defaults isn’t listed as being in Preview as far as I can tell, so it may be an option that’s just rolled out and a ready to go. I am guessing there’ll be a bit of kickback around this being a single option that has no other configurable options in it, so we’ll have to wait and see if the product changes, or Microsoft’s vision of a security toggle stays as their goal.

CIAOPS Academy

Today I’m sharing Robert Crane‘s CIAOPS Academy service. He’s an Australian based Microsoft Office Servers and Services MVP, and seems to be rather busy with all his different projects, including the CIAOPS Need To Know podcast.

That podcast I highly recommend as an easy way to keep on on the latest Office 365 and Azure news. Even though I try to keep on top of it myself, they often raise other new features or changes that I hadn’t come across yet.

Beyond that though, the CIAOPS Academy is a service I personally pay for that Robert provides. I am on the lowest tier, but the private Facebook group that Robert runs is an invaluable source of fellow professionals who ask and help all things in the Microsoft tech space.

It’s different to other communities with it’s paywall, as everyone is invested and cares about the topics raised.

There’s also a referral program for signups – sure you can use my affiliate link to CIAOPS Academy or use one that doesn’t help me pay for my own access here. I’m not one to suggest services or products I don’t believe in myself, but I’ve had several questions raised already which has more than paid for the service in my mind.

The bronze level (which is what I use) is enough for me right now, but higher levels give you access to videos and other training materials.

The bonus news I can share here is that there is now a 7 day trial available, which is mentioned at the bottom of the patron page above. If you want to see what it’s about and check it’s worthwhile, you can now do it for free!

In summary, if you’re someone who is either new to, or currently managing Office 365 and Azure, this is a great group of people to be a part of. I’m not the only other Microsoft MVP there, which I think shows the value of this service.

Azure AD B2B PowerShell Invites

I’ve written about Azure AD B2B before, as well as then giving those invited users access to SharePoint Online, but there’s been a lot of changes since I started using it. Have a read of my original article if you’re interested to see how I’m using B2B and why.

Azure AD B2B is still in preview, but in Feb 2017 a bunch of improvements were added. Part of these changes were around using the new Azure portal rather than the Classic Portal, and with that is the removal of inviting users via CSV file and uploading it to Azure AD. This was exactly the way I was using it, so I had to change to one of the newer methods.

Although CSV support is gone, it’s been replaced by PowerShell which can just call the same CSV file being used before, so it’s not a huge change. There’s a PowerShell example on this technet page which shows how to do it. There is a catch though, the ability to add the user to groups as part of the import is gone.

The other big change that impacted me was the invitation emails. This is the email that gets sent to the recipient when being invited – it was originally a plain text email from a generic Microsoft address, but it’s now changed to a much more professional looking email. The catch with this is, rather than coming from a generic Microsoft email account, it now comes from the user that sends the invites out. I found this out the hard way when invited parties started seeing my details and photo with the invite!

There’s four approaches I can come up with around this new invite method –

1. Leave it as showing the admin user who does the invites (not ideal)

2. Create and use a seperate service account for these invites, so it comes from a generic looking internal email address (quite good)

3. Get the users themselves to send the invites out – by default, all users have access to invite others to their tenant (worst option, users won’t do this themselves, need training and support, can’t automate)

4. Use APIs and send the invites out on behalf of the user (‘best’ option but requires the most work, most complex)

While I look at option 4, option 2 is a good middle ground and will probably do for most companies.

I’ve written and tested the below script, which works on a single user by user basis. This uses just the Azure AD Preview module for PowerShell, which is at version 2.0.0.85 at the time of writing. To use the method mentioned on that page to install, I had to first install Windows Management Framework 5.0.

$group = get-azureadgroup -SearchString "Put your exact search string here" | where {$_.dirsyncenabled -eq $null}
$newuser = New-AzureADMSInvitation -InvitedUserEmailAddress emailaddress@contoso.com -InvitedUserDisplayName "Full Name" -sendinvitationmessage $true -InviteRedirectUrl "http://myapps.microsoft.com"
Add-AzureADGroupMember -objectid $group.objectid -RefObjectId $newuser.InvitedUser.Id

 

This script requires you to first authenticate against Azure AD with the command connect-azuread : the same way you’d use connect-msol for Office 365. More on how to automate that part in an upcoming blog post.

I’ve written this on the basis that you already have a group to add the guest user into, which gives them the permissions required after being invited into your Azure AD tenant. It’s also more a proof of concept script, which shows how to automate these steps enough to then be able to do what you want with it – such as wrap it around a ‘for each’ and feed multiple users into it.

The first thing the script does is get the group name. As objects in Azure AD don’t have to have unique names like on-prem Active Directory, this script will fail if it finds multiple results the same. It’s also making sure the result that comes back is only a cloud based group, because you can only add B2B invited users into Azure AD groups (not ones synced from on-prem).

Next it will send out the invite to the user. This is the important part. If you don’t want an email to go out, you can change the -sendinvitationmessage value to $false.

Finally we’re adding the invited user into the group by ObjectIDs of each object – straight forward.

—-

The end result is a user who will be able to accept their invite, log in and have access to whatever they need to. Note that the way I do this is by having an app and advertising it to the group that also gives permissions to SharePoint Online, so they’ll see the single link on their myapps.microsoft.com page.

If you’re mucking about with Azure AD B2B this should give you somewhere to start. The Microsoft Technet pages for Azure AD are very comprehensive now as well as being easy to read, so check them out.

If you have any questions on Azure AD B2B feel free to ask!

Update 23rd August 2017

I’ve now gotten around to making a mass invite script. I used Eric Schrader’s script, and made some of my own modifications.

It will pick up a file in the same path as the script called azure_ad_b2b.csv which needs to be comma delimited with just “InvitedUserEmailAddress,Name”

It will also prompt for the group name which you want to add invitees to, and bomb out if you get more or less than 1 result (because display names aren’t unique fields in Office 365)

Another prompt is for the project URL, which is where you want invitees to be sent to (which for me, is usually a SharePoint Online site). It’s also set to send the invites out from a generic service account, so change “specifyupn@yourdomain.com” in the send-mailmessage line to whatever you’re sending as. Feel free to ask any questions!

#1.) Install Azure AD PS module – https://www.powershellgallery.com/packages/AzureADPreview

#2.) provide O365 tenant admin cred

$cred = Get-Credential

Connect-AzureAD -Credential $cred

#2.second cred for O365 email account (merge var with above if for non-demo O365 tenant)

$adminemailcred = get-credential specifyupn@yourdomain.com

$groupname = Read-Host -Prompt 'Input the Group Name to add users to e.g. SharePoint Online XXX Portal External Full'

$project = Read-Host -Prompt 'Input the project name, 1 word e.g. TestSite'

#2.External User Security Group ID

$group = get-azureadgroup -SearchString $groupname | where {$_.dirsyncenabled -eq $null}

if ($group.count -ne 1) {echo "Not Exactly One Group Found"; break}

$projecturl = Read-host -Prompt 'Input the project URL XXX for https://yourdomain.sharepoint.com/XXX'

#3 import CSV, update url and csv location below.

$invitations = import-csv azure_ad_b2b.csv

foreach ($email in $invitations) {

$result= New-AzureADMSInvitation -InvitedUserEmailAddress $email.InvitedUserEmailAddress -InvitedUserDisplayName $email.Name -InviteRedirectUrl $projecturl -InvitedUserMessageInfo $messageInfo -SendInvitationMessage $false

$inviteurl = $result.InviteRedeemUrl

$userid = $result.InvitedUser.Id

#automatically add the new user to your Security Group

Add-AzureADGroupMember -objectid $group.objectid -RefObjectId $userid

#send the user a custom email from your Office 365 tenant. Supports HTML.

Send-MailMessage -To $result.InvitedUserEmailAddress -from specifyupn@yourdomain.com -Subject ‘Invitation to the $project ’ -Body “<h1>Congrats!</h1><br><strong>This is your invite</strong><br><br>Here:<br>$inviteurl <br>For <strong>help</strong>, contact admin@domain.com” -BodyAsHtml -smtpserver smtp.office365.com -usessl -Credential $adminemailcred -Port 587

}

 

Azure AD Group-Based License Management For Office 365

It’s finally here! At least in public preview…

The ability to allocate Office 365 licenses via groups is now available for everyone to use. This has been a long-awaited feature, up until now licenses have either been applied manually via the portal, or via scripts/3rd party software with logic applied for automation.

Now, you can automatically apply and manage license allocation using whatever logic you like. You can create on-premise AD groups, apply a license set to the groups, and members will be allocated the relevant licensing. If that doesn’t work for you, there’s also cloud based Dynamic Groups which let you use whatever logic you can come up with to add members to the group. You could do it on something like a department name, or use an extension attribute and populate that based on what license you want to allocate.

The above link covers a lot of information about how to deploy this. At the time of writing, I couldn’t get to the Azure Licensing page by searching for the word ‘Licensing’, and instead had to use a direct link: https://portal.azure.com/#blade/Microsoft_AAD_IAM/LicensesMenuBlade/Products

I’ve already deployed it, it seems to work quickly and without issue.

 

Once you’re done, you’ll need to remove the Office 365 licenses applied manually. This TechNet article shows the commands to use for removal. I used this:

$Users = Get-MsolUser -All | where {$_.isLicensed -eq $true}; $Users | foreach {Set-MsolUserLicense -UserPrincipalName $_.UserPrincipalName -RemoveLicenses "litwareinc:ENTERPRISEPACK"}

This removes licenses from all your users, to be more specific add extra criteria to the first ‘Get-MsolUser’ command. Also note you need to swap ‘litwareinc’ with your tenant ID, and ENTERPRISEPACK with whichever license you’re removing. I’d recommend testing on one account first!

To see what your tenant’s license options are just use:

Get-MsolAccountSku

And you’ll see a list of the license options along with existing allocations.

If you have any questions please comment below.