Search

Håvard Siegel Haukeberg

Paste life: Ctrl+C -> Ctrl+V

Open Search
Category

Enterprise Mobility Suite

Outlook 2016 behavior when you ENFORCE Azure MFA

When you click enforce Azure MFA your users will not be able to Connect to Office 365 With Clients that does not support modern auth.

When they set up Outlook they will see this screen and be stuck there:

1 - autodiscover
Without modern auth enabled on Office 365 and Outlook your users will be stuck here

 

When you have enabled MFA on your Exchange Online Tenant this is what will happen:

2 - modern auth prompt3 - mfa prompt in outlook 2016

 

0

Azure MFA on Windows 10 Native Mail Client

If you enable Azure MFA in Office 365 and try to sync mail using the native Windows 10 Mail client, this is what the user will see:

(Sorry for the Language. Just the buttons and boxes are all the same)

1 - add mail account
User needs to Select Office 365 for Azure MFA
2 - add user
User needs just now to enter his UPN, it can not be username
3 - autodiscover looks for your account
If it fails here then Autodiscover is broken.
4 - enter password
Observe that the mail app has pulled Down my Company details including logo and custom text
5 - Azure AD MFA calls
Right now yor phone would ring or you would get a sms/app challenge
6 - account added
Thats it
7 - policies
Your Company Security settings will now be Applied. Usually you get this Box regardless just to tell you that it might tighten security
8 - mail recieved
You recieve mail. If you do not see mail, mabye the mail is older than a month. Then you need to change the sync settings to enable all mail to sync down

 

 

0

Azure AD password reset Windows Phone 10 behavior

What happens on your Windows Phone when you reset your Azure AD Password?

This happens on Windows Phone 10 Outlook:

wp_ss_20160523_0003
You get a settings out of date notification
wp_ss_20160523_0002
There is a triangle next to your account. Click it
wp_ss_20160523_0004
Password dialog box
wp_ss_20160523_0001
Type your password

 

 

0

Outlook 2016 behavior when you ENABLE Azure MFA

Scenario: You select “ENABLE” on Azure MFA but you do not Enforce. The user has not logged onto Office 365 before and is setting up his Outlook for the first time.

Spoiler warning: Nothing happens, YET.

Here is how Outlook 2016 behaves when you activate Azure MFA for your Account.

1 - mfa on
AZURE MFA portal
2 - fresh outlook 2016
Fresh Outlook boot

3 - add account4 - user entered5 - searching for autodiscover

6 - credential popup
Normal login
7 - enter pwd
standard password
8 - success
success
9 - read email
mail approved

 

 

 

0

Add my Machine to Azure AD out of the box

If you are setting up a new machine and you have Office 365, Azure AD, Intune or CRM why not Azure AD join it and get all the benefits!?10 - Azure AD Enrollment

9 - Azure AD Enrollment

8 - Azure AD Enrollment
or who manages your PC?

7 - Azure AD Enrollment

6 - Azure AD Enrollment
Supports ADFS ofcourse

5 - Azure AD Enrollment

4 - Azure AD Enrollment

3 - Azure AD Enrollment2 - Azure AD Enrollment1 - Azure AD Enrollment

11 - Azure AD Enrollment
notice here who Printer, Network Drives and WiFi settings have been pushed!

Here is the whole thing in a Sway:

 

 

 

4

Weekly Report from Cloud App Discovery

Once you have set up the Cloud App Discovery feature then the service will send admins a weekly report with new apps and a one-button click to start managing them.

Here is what I used last week:

weekly digest
If you click manage appliation then users may log onto these apps with their Azure AD creds
0

Education Licenses and Administration Licenses on same tenant

Hey, are you a municipality, county or another complex organization? Do you have education users and corporate users and want all of them to be in the same Azure AD?

Good news for you. It’s possible!

edu and corp
And I have here Both E3 and Education (E1) for students.

Here is how you do it.

  1. You do not have Office 365/EMS or Azure AD

    • Create a EDUCATION trial here: NORWEGIAN TRIAL ENGLISH TRIAL
    • Add your education domain to verify EDU status
    • Buy EDU Licenses and The CORP licenses should also be in the same list under “Purchase Services”

  2. You have a CORP tenant that you need EDU licenses on.

    • Email your License supplier hand have them reach out to your local Microsoft Education Team.
    • The local MSFT EDU team can tag your tenant as EDU. YOu need to provide them with your tenant name: e.g. MYTENANT.onmicrosoft.com
    • Wait 48 hours after the MSFT EDU team has submitted the request.

Here is proof that it works:

buy
I can select between EDU and CORP plans

Limitations,risks and warnings.

  1. Risks include students having access to the entire GAL
    • Do a GAL segregation please.
  2. Volume License plans – it has not been tested and no one knows how exactly it will pan out with the agreement you have. So be warned the deployment of licenses may take a LOOOOOOONG time.
  3. You do this at your own risk at the moment and there is no guarantee it will work in the end either.
  4. This scenario works fine when you buy licenses in the portal (MOSP) shown. The problems arrive when you use a partner which sells you licenses. And that applies for most of you.

Some benefits:.

  1. Only need 1 AD with 1 Azure AD Connect
  2. 1 ADFS environment
  3. 1 portal
  4. 1 GAL or Two 🙂

 

 

0

AzureAD knows which SaaS services you REALLY use

In Azure AD you have this service called Cloud App Discover. It consist of an agent you install on a local machine and a web service which polls the data and visualizes it.

Take a look at this:

azure ad knows
Azure Cloud App Discovery Report

This service is a great way to discover what your employees/users/students/family really uses and how much they use it. e.g. You have bought Google apps, but your users use OneDrive or Box.

You can read more here: https://azure.microsoft.com/nb-no/documentation/articles/active-directory-cloudappdiscovery-whatis/

I did not know I even used all these services. And best of all you can manage them with Azure AD which means you can use your Office 365 credentials to logon to these services.

apps
Here are the aggregated results for all agents and all users. Click on the numbers to access the data.

 

Here is how you set up cloud discovery on a local machine:

settings
Click Settings
manage agent
Click Manage Agent
download agent
Click “Download”
local files
You get a ZIP package with a CERT file. Click the MSI file.

Remember that if you want to distribute this application you need to include the CERT file as well.

0

Help, Azure AD says my credentials Leaked!

So, waking up to leaked credentials can be frustrating. Probably since you do not know how exactly they got leaked. Fortunatly Azure AD have some sugestions on what to do.

Read more about leaked credentials here:

https://blogs.microsoft.com/cybertrust/2015/06/18/the-risk-of-leaked-credentials-and-how-microsofts-cloud-helps-protect-your-organization/

This is what it looks like in Azure Identity Protection and how you mitigate the impact:

control panel
A very high risk, click the risk to see what it is.

 

what happened
Here you see what it was all about, click on the event to se which user

 

who had it leaked
here you see the user. click on the user to get actions on what to do

 

what to do.
Here is what yo can do

 

solutions
Here is what I did to mitigate the event.

 

I simply requested the user for a password change. Keep in mind that the malware that did this might have stolen all other passwords as well. It might also be active on the target device, så MFA might be something you should consider.

Also have the user change passwords on all other services he uses!

And, have him wipe his device!

2

Blog at WordPress.com.

Up ↑