Search

Håvard Siegel Haukeberg

Paste life: Ctrl+C -> Ctrl+V [MVP]

Tag

Azure AD

MDM enrollment with Azure AD Join

This is how you both join Azure AD and enroll for MDM. Your admin need to have configured Automatic MDM enrollment into intune over at http://manage.windowsazure.com for this to work.
1 - system2 - aad join

3 - notification
Disclamer from Windows
4 - login
Note how my icon and text have been pulled Down from Office 365
5 - mfa loading
Azure MFA gateway
6 - custom policy approvment screen
Customizable Policy template for Your org

7 - org check

8 - spell check
Despite the translation error, all is okay now.

 

 

Enable Azure MFA on Outlook 2016 with ADAL for Exchange Online

If you have Outlook 2016 or Outlook 2013 and want to use Azure MFA but you do not want to use Application Passwords there are one thing you need to do.

First;

ADAL for Exchange Online is Off by default turn it on here: How to turn on ADAL for Exchange Online

 

  1. Allow scripting

    • Set-ExecutionPolicy RemoteSigned
  2. Run Windows Powershell and Connect to Office 365.

    • $UserCredential = Get-Credential
    • $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential
    • $UserCredential -Authentication Basic -AllowRedirection
    • Import-PSSession $Session
  3. Check if ADAL is on

    • Get-OrganizationConfig | fl *Oauth*
  4. If ADAL is off, here is how to enable it

    • Set-OrganizationConfig -OAuth2ClientProfileEnabled:$true
  5. Close Your session

    • Remove-PSSession $Session
 Now, for me I had to wait 48 hours for this to work. I also installed a fresh Version of Office 2016 Click to Run from Office 365

Second;

Enable Azure MFA for your user in http://portal.office.com

Click here to see: This is how Outlook Click to Run behaves with Azure MFA turned on

Thanks to MS Exchange Org for some great tutorials.
http://www.msexchange.org/articles-tutorials/office-365/exchange-online/exchange-online-identity-models-authentication-demystified-part7.html

 

 

Outlook 2016 behavior when you ENFORCE Azure MFA

When you click enforce Azure MFA your users will not be able to Connect to Office 365 With Clients that does not support modern auth.

When they set up Outlook they will see this screen and be stuck there:

1 - autodiscover
Without modern auth enabled on Office 365 and Outlook your users will be stuck here

 

When you have enabled MFA on your Exchange Online Tenant this is what will happen:

2 - modern auth prompt3 - mfa prompt in outlook 2016

 

Azure MFA on Windows 10 Native Mail Client

If you enable Azure MFA in Office 365 and try to sync mail using the native Windows 10 Mail client, this is what the user will see:

(Sorry for the Language. Just the buttons and boxes are all the same)

1 - add mail account
User needs to Select Office 365 for Azure MFA
2 - add user
User needs just now to enter his UPN, it can not be username
3 - autodiscover looks for your account
If it fails here then Autodiscover is broken.
4 - enter password
Observe that the mail app has pulled Down my Company details including logo and custom text
5 - Azure AD MFA calls
Right now yor phone would ring or you would get a sms/app challenge
6 - account added
Thats it
7 - policies
Your Company Security settings will now be Applied. Usually you get this Box regardless just to tell you that it might tighten security
8 - mail recieved
You recieve mail. If you do not see mail, mabye the mail is older than a month. Then you need to change the sync settings to enable all mail to sync down

 

 

Azure AD password reset Windows Phone 10 behavior

What happens on your Windows Phone when you reset your Azure AD Password?

This happens on Windows Phone 10 Outlook:

wp_ss_20160523_0003
You get a settings out of date notification
wp_ss_20160523_0002
There is a triangle next to your account. Click it
wp_ss_20160523_0004
Password dialog box
wp_ss_20160523_0001
Type your password

 

 

Outlook 2016 behavior when you ENABLE Azure MFA

Scenario: You select “ENABLE” on Azure MFA but you do not Enforce. The user has not logged onto Office 365 before and is setting up his Outlook for the first time.

Spoiler warning: Nothing happens, YET.

Here is how Outlook 2016 behaves when you activate Azure MFA for your Account.

1 - mfa on
AZURE MFA portal
2 - fresh outlook 2016
Fresh Outlook boot

3 - add account4 - user entered5 - searching for autodiscover

6 - credential popup
Normal login
7 - enter pwd
standard password
8 - success
success
9 - read email
mail approved

 

 

 

Add my Machine to Azure AD out of the box

If you are setting up a new machine and you have Office 365, Azure AD, Intune or CRM why not Azure AD join it and get all the benefits!?10 - Azure AD Enrollment

9 - Azure AD Enrollment

8 - Azure AD Enrollment
or who manages your PC?

7 - Azure AD Enrollment

6 - Azure AD Enrollment
Supports ADFS ofcourse

5 - Azure AD Enrollment

4 - Azure AD Enrollment

3 - Azure AD Enrollment2 - Azure AD Enrollment1 - Azure AD Enrollment

11 - Azure AD Enrollment
notice here who Printer, Network Drives and WiFi settings have been pushed!

Here is the whole thing in a Sway:

 

 

 

Weekly Report from Cloud App Discovery

Once you have set up the Cloud App Discovery feature then the service will send admins a weekly report with new apps and a one-button click to start managing them.

Here is what I used last week:

weekly digest
If you click manage appliation then users may log onto these apps with their Azure AD creds

AzureAD knows which SaaS services you REALLY use

In Azure AD you have this service called Cloud App Discover. It consist of an agent you install on a local machine and a web service which polls the data and visualizes it.

Take a look at this:

azure ad knows
Azure Cloud App Discovery Report

This service is a great way to discover what your employees/users/students/family really uses and how much they use it. e.g. You have bought Google apps, but your users use OneDrive or Box.

You can read more here: https://azure.microsoft.com/nb-no/documentation/articles/active-directory-cloudappdiscovery-whatis/

I did not know I even used all these services. And best of all you can manage them with Azure AD which means you can use your Office 365 credentials to logon to these services.

apps
Here are the aggregated results for all agents and all users. Click on the numbers to access the data.

 

Here is how you set up cloud discovery on a local machine:

settings
Click Settings
manage agent
Click Manage Agent
download agent
Click “Download”
local files
You get a ZIP package with a CERT file. Click the MSI file.

Remember that if you want to distribute this application you need to include the CERT file as well.

Blog at WordPress.com.

Up ↑

%d bloggers like this: