
Håvard Siegel Haukeberg

Paste life: Ctrl+C -> Ctrl+V

End-user signup for Azure Self Service Password Reset

If you want to enable a user for Self Service Password Reset (SSPR), the user needs to navigate to one of the endpoints below and register his or her phone as a second factor.

Endpoints:

  1. This endpoint verifies your phone and enrolls the user in SSPR: http://aka.ms/ssprsetup
    It does not change your password!
  2. This endpoint resets your password, and only works if the user's phone number is already registered on the user object: http://aka.ms/sspr (which points to http://passwordreset.microsoftonline.com)

 

Here is a screen dump of what the user will have to do:

log-in-to-office-365
Standard login
routed-to-account-setup-in-azure-ad
You get routed to our enrollment service
verify-phone-number-in-azure-ad
You are asked to verify your phone (if it is already registered); if not, you have to enter your phone number
if-phone-is-not-registered
If your phone is not registered in Azure AD, you see this

 

call-to-verify-azure-ad
The phone call is the fastest option

microsoft-calling-phone

one-factor-is-completed
In Azure AD you select how many factors your users need to set up. I have selected 1
myapps-in-azure-after-registration
This is where you end up

Intune upgrading or removing the Exchange Connector

So, what happens if you upgrade from the on-premises Exchange Connector, or simply remove the Exchange Connector in Intune?

In this post I remove the Exchange Online connector and test what happens on an iPad that is enrolled with Intune.

The user account has Conditional Access on Exchange Online enabled.

img_0005
Conditional Access enabled

 

I enrolled the device with Intune and checked in the Intune management portal that the device was registered and active.

[Screenshots: iPad activated and enabled; EAS activated for the iPad in Intune]

I now delete the Exchange Connection to see what happens on the iPad for the end-user.

microsoft-intune-exchange-online-connector

[Screenshots: delete Exchange connection; no connection defined]

Connection Deleted.

-> With the connection deleted you can still send and receive mail from any device, without any Conditional Access being applied. As long as you enter the login credentials into any mail app, it works.

I then removed the device from the Company Portal app and severed the Intune connection. There is no Conditional Access, so you can still send and receive mail.

Then I added the Exchange connector again from http://manage.microsoft.com. Now my device should be blocked, since Conditional Access prevents non-enrolled devices from reading mail.

exchange-connector-sync-status

Nothing will happen until the service has synced with Exchange, so click the "Run Fast Sync" button.

exchange-fast-sync-prompt

A prompt will appear, just close it.

Exchange Conditional Access now applies to all accounts again. If you have a device that is enrolled in Intune, no action is required. If it is not enrolled in Intune, you will have to enroll it.

After some hours, when Exchange has discovered that this device is no longer enrolled, it will block mail as well. In my test this took about two hours.

Exchange Conditional Access on existing mailbox
Notice the top email asking for re-enrollment.

Background: The Exchange Connector sends PowerShell cmdlets to the Exchange server. In Azure AD, Microsoft stores the ActiveSync device ID together with the ID of the device object. This is what lets the service block or allow specific devices from reading email. A comprehensive overview of what the connector does can be found here: https://docs.microsoft.com/en-us/intune/deploy-use/intune-on-premises-exchange-connector
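To make the background concrete, here is the kind of Exchange PowerShell the connector runs on the admin's behalf, executed by hand so that the effect of a sync can be checked. This is an added example and not code from the original post or from the connector itself; it assumes an open remote PowerShell session to Exchange Online or on-premises Exchange, and the mailbox address and device ID are placeholders.

```powershell
# Added example, not from the original post: the Exchange-side operations that
# correspond to what the Intune Exchange Connector does, run manually so that a
# blocked or allowed device can be verified after "Run Fast Sync".
# Assumes an existing remote PowerShell session to Exchange (Online or on-prem).

$Mailbox  = 'user@contoso.com'    # placeholder mailbox
$DeviceId = 'ABCDEF0123456789'    # placeholder ActiveSync device ID

# 1. List the ActiveSync partnerships on the mailbox. DeviceId is the value the
#    connector correlates with the Intune/Azure AD device object, and
#    DeviceAccessState shows whether Exchange currently allows or blocks it.
Get-MobileDevice -Mailbox $Mailbox |
    Select-Object FriendlyName, DeviceType, DeviceModel, DeviceId,
                  DeviceAccessState, DeviceAccessStateReason |
    Format-Table -AutoSize

# 2. Show the per-mailbox allow/block lists that the connector maintains.
Get-CASMailbox -Identity $Mailbox |
    Select-Object ActiveSyncEnabled, ActiveSyncAllowedDeviceIDs, ActiveSyncBlockedDeviceIDs

# 3. Block one device. The @{Add=...} syntax appends to the multi-valued
#    property instead of overwriting whatever is already in the list.
Set-CASMailbox -Identity $Mailbox -ActiveSyncBlockedDeviceIDs @{Add = $DeviceId}

# 4. Verify: the device should now report DeviceAccessState "Blocked" with
#    DeviceAccessStateReason "Individual" (i.e. blocked by the mailbox list).
Get-MobileDevice -Mailbox $Mailbox |
    Where-Object DeviceId -eq $DeviceId |
    Select-Object DeviceId, DeviceAccessState, DeviceAccessStateReason

# 5. Undo once the device is enrolled again.
Set-CASMailbox -Identity $Mailbox -ActiveSyncBlockedDeviceIDs @{Remove = $DeviceId}
```

Step 4 is the check worth running after "Run Fast Sync": if the device still shows Allowed, the connector's change has not reached Exchange yet, which matches the delay observed above before mail was blocked.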

Microsoft Intune Company Portal Enrollment on iPad for end-users

Here is a complete set of screen dumps showing what the end user will see and do in order to enroll an iOS device into Intune.

[Screenshots img_0001 and img_0002]

img_0004
Conditional Access prevents exchange online sync before enrollment

[Screenshots img_0005 through img_0034: the remaining Company Portal enrollment steps]

 

So, I enabled Self Service Password reset. Who signed up?

If you have enabled Self Service Password Reset, all users should be prompted to register on login. You can also proactively direct users to https://passwordreset.microsoftonline.com/ or http://aka.ms/ssprsetup

See this blog post for that user experience: Self Service Password Reset User Registration (it is the same as for MFA registration).

Here is how you get the report of users who have registered for Self Service Password Reset:

azure-active-directory-listing-in-azure-management-portal

azure-active-directory-report-catalog-in-azure-management-portal
Azure AD Report Catalog
azure-active-directory-report-catalog-for-activity-logs-on-self-service-password-reset
Activity Logs in Azure AD
report-of-users-registered-in-azure-ad-for-self-service-password-reset
Latest activity for SSPR
download-azure-ad-sspr-reports
Download reports in CSV
excel-self-service-password-reset-activity
The Report in CSV opened in Excel
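Once the CSV is downloaded, the question "who signed up?" is really "who has not?". The script below is an added example, not part of the original post or of the Azure AD report itself: it reads the export, keeps the latest successful registration per user and lists everyone on an expected-users list who still has none. The column names (UserPrincipalName, Activity, Result, Date) are assumptions, since the export's real header row is not reproduced in the post, and the sample rows are constructed.

```powershell
# Added example, not from the original post: summarise a downloaded SSPR
# registration-activity CSV and list the users who still have NOT registered.
# Assumptions: the column names (UserPrincipalName, Activity, Result, Date) are
# placeholders for the real export's header row; adjust them to match your file.
# The sample rows below are constructed.

$SampleCsv = @'
UserPrincipalName,Activity,Result,Date
alice@contoso.com,Registration,Success,2016-08-30T09:12:00Z
bob@contoso.com,Registration,Failure,2016-08-30T10:01:00Z
bob@contoso.com,Registration,Failure,2016-08-31T07:45:00Z
alice@contoso.com,Registration,Success,2016-09-01T08:00:00Z
alice@contoso.com,Reset,Success,2016-09-02T11:30:00Z
'@

# Everyone who is expected to register. In production feed this from
# Get-MsolUser (or your list of licensed users) instead of a literal.
$ExpectedUsers = 'alice@contoso.com', 'bob@contoso.com', 'carol@contoso.com'

function Get-SsprRegistrationStatus {
    param(
        [Parameter(Mandatory)] [string]   $CsvText,
        [Parameter(Mandatory)] [string[]] $Users
    )
    $rows = $CsvText | ConvertFrom-Csv
    $culture = [System.Globalization.CultureInfo]::InvariantCulture

    # Latest successful registration per user; resets do not count as enrollment.
    $latestRegistration = @{}
    $rows |
        Where-Object { $_.Activity -eq 'Registration' -and $_.Result -eq 'Success' } |
        ForEach-Object {
            $when = [datetime]::Parse($_.Date, $culture)
            $upn  = $_.UserPrincipalName.ToLowerInvariant()
            if (-not $latestRegistration.ContainsKey($upn) -or $latestRegistration[$upn] -lt $when) {
                $latestRegistration[$upn] = $when
            }
        }

    foreach ($u in $Users) {
        $upn = $u.ToLowerInvariant()

        # Failed attempts are worth knowing about: the user tried and got stuck.
        $failures = @($rows | Where-Object {
            $_.UserPrincipalName.ToLowerInvariant() -eq $upn -and
            $_.Activity -eq 'Registration' -and $_.Result -eq 'Failure'
        }).Count

        $registered = $latestRegistration.ContainsKey($upn)
        $registeredOn = if ($registered) { $latestRegistration[$upn] } else { $null }

        [pscustomobject]@{
            UserPrincipalName   = $u
            Registered          = $registered
            RegisteredOn        = $registeredOn
            FailedRegistrations = $failures
        }
    }
}

$status = Get-SsprRegistrationStatus -CsvText $SampleCsv -Users $ExpectedUsers
$status | Format-Table -AutoSize

# The users to chase: no successful registration at all.
$status | Where-Object { -not $_.Registered } | Select-Object -ExpandProperty UserPrincipalName
```

With the constructed rows, alice is reported as registered (her later Reset row is ignored), bob shows two failed registrations and no success, and carol has no activity at all; the last line lists bob and carol as the ones to follow up with.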

 

 

 

Azure MFA enrollment experience

If you want to enroll for Azure MFA, the user needs to go through these steps. When you enable or enforce MFA for a user, he or she will be prompted for MFA enrollment at the next sign-in. This is best done in a browser.

First the user needs to access any of our endpoints, e.g. http://portal.office.com

creds
Office 365 custom logo login

 

mfa prompt
Office 365 MFA enabled

 

input mfa method
Office 365 MFA input phone number

 

contact options
Office 365 mfa methods

 

 

sms
You will get a text message with a code to enter

 

wp_ss_20160902_0001
code on phone

 

Office 365 app password during enrollment
Use this app password in your native iOS or Android mail client, or in old Outlook 2010, instead of your normal password. Note that an app password is a secret that lets a client in without a second factor, so hand it only to clients that cannot do MFA.

 

 

Additional Office 365 MFA options
Press Cancel if you are done, or just navigate to the intended site, e.g. http://portal.office.com

 

Extended Office 365 MFA options
All your MFA options

 

Azure AD access panel for MFA
The user access panel

Here are all of the pictures in a Sway:
https://sway.com/2fNqmpbe5O17F5Ev

Service based Azure Multifactor Authentication

You can now require Azure MFA for one specific service.

In this example I enforce MFA for a security group with 3 users when they try to access Yammer only. Nothing else is enforced with MFA.

Prerequisite: an Enterprise Mobility + Security (EMS) license assigned to the user.

 

Go to: http://manage.windowsazure.com

Navigate to your directory and click Applications.

domain

Use these settings

A note on these settings: I have 3 users in the "CA Exchange Online Mobile" group. The rest of my users are in the "NO CA" group, and that group is set to Except. I do this to ensure that nothing is enforced globally for all users. The 3 users in the first group do not have per-user Azure MFA set to Enabled or Enforced; it is set to Disabled.

sony disabled
You do not have to enable MFA globally for this to work

 

yammer mfa settings
I always add an Except group with the remaining users.

 

This is what the user will see now.

 

He will see the normal login but be required to enter a second factor. If he navigates to Outlook or OneDrive there will be no such requirement.

[Screenshots: Yammer endpoint, credentials, MFA setup prompt, enter phone]

 

Project Parking Space – The Result

The result is magnificent, if I may say so myself. I have to say it myself: magnificent.

BEFORE

AFTER

[Photos: WP_20160820_17_14_28_Rich_LI, WP_20160820_17_14_44_Rich_LI]

Project Parking Space – The Paving Work

There is a lot to get in place now. Everything was laid out ready, and then the three pavers from SPS Bygg AS, led by Timoleon (timo@spsbygg.no), arrived.

They used 3 days in total.

I ordered everything from Steinhandel.no and had it delivered right to the "door".

The price of the stone and materials was best in class, but crushed stone and gravel were extremely expensive.
I paid 840 NOK per tonne in a bag, while the price per tonne at Feiring Bruk is 250 NOK. Consider fetching this yourself if you are going to do the same.

It is entirely possible to shovel gravel yourself at Feiring Bruk; here I have driven over to do just that. Remember that the car must not be overloaded! I made three trips to fetch extra gravel. In total I fetched 2.6 tonnes.

We put up a retaining wall to hold back the soil from the neighbour's side and from our lawn. Here we used granite blocks that were 50 cm long and weighed about 65 kg. They could easily be lifted without a crane.

We laid a drainage channel at the front to carry away the water coming off the asphalt. This also prevents the water from running across the space and forming puddles. The drain was connected to a new manhole that was put in during the groundwork.

We laid granite kerbstones against the soil to hold it in place. These kerbstones were set in cement. We also laid granite kerbstones against the terrace and against the asphalt.

 

 

The stone we chose is called Asak Relieff XXL. It is one of the more expensive stones, but it has an incredibly cool and trendy texture when the light hits it.

WP_20160711_09_12_49_Pro_LI

 

For a cool effect on the parking space we installed 6 in-lite Fusion 1W lights from Steinhandel.no; remember to order hole drilling for the right number of stones.

WP_20160711_13_02_46_Pro_LI

Here are some miscellaneous pictures from the groundwork.

 

 

 

 

 

 

 

 

Project Parking Space – The Excavation

Sandbo Graving & Transport has started digging!

Fredrik Sandbo, in his almost-new 2012-model excavator, does what excavators do.

WP_20160525_14_36_08_Pro_LI

 

