Category Active Directory

MS365 – Azure AD – Dynamic Groups and Expiration Settings

Maintain groups in Azure AD with dynamic groups and set expiration settings.

Example scenario: Controlling remote access for sub contractors working on a short-term project. The project owner should remove all access for sub contractors after the project completes.

How to guide :

If we combine Dynamic Groups and Expiration settings, we can automatically populate groups and then trigger regular checks that the groups are still required. Group owners will be reminded regularly to verify that their groups are still needed. Owners will have a better understanding of who has access, and this will assist with your security policies.

Dynamic Group Example

Steps: Azure Active Directory > New Group > Type : Office 365 > Name, Description, Dynamic User > Owner > Dynamic user Members

Group Name : Sub Contractors    – Set the value for department equals “Sub Contractor”

Dynamic User Members    – Add Expression

(user.department -eq "Sub Contractor")

Configure Group lifetime / Expiration Settings

Steps: Azure Active Directory > Groups > Expiration > Days > No Owner email > Selected > Group > Save

“Renewal notifications are emailed to group owners 30 days, 15 days, and one day prior to group expiration. Group owners must have Exchange licenses to receive notification emails. If a group is not renewed, it is deleted along with its associated content from sources such as Outlook, SharePoint, Teams, and PowerBI.” Info from the portal Expiration settings.
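The same dynamic group and expiration policy can be created from a script, which makes the setup repeatable and reviewable. This is an added example using the Microsoft Graph PowerShell SDK, not part of the original post; the mail nickname, owner UPN, 180-day lifetime and fallback email address are assumed values.

```powershell
# Added example: scripted equivalent of the portal steps (Microsoft Graph PowerShell SDK).
# Assumed values, not from the post: mail nickname, owner UPN, 180 days, fallback email.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'Directory.ReadWrite.All', 'User.Read.All'

# Office 365 (Unified) group whose membership follows the department attribute.
$group = New-MgGroup -DisplayName 'Sub Contractors' `
    -Description 'Short-term project access for sub contractors' `
    -MailEnabled:$true -MailNickname 'subcontractors' -SecurityEnabled:$false `
    -GroupTypes 'Unified', 'DynamicMembership' `
    -MembershipRule '(user.department -eq "Sub Contractor")' `
    -MembershipRuleProcessingState 'On'

# Assign the project owner so renewal reminders reach someone accountable.
$owner = Get-MgUser -UserId 'project.owner@contoso.example'
New-MgGroupOwnerByRef -GroupId $group.Id -BodyParameter @{
    '@odata.id' = "https://graph.microsoft.com/v1.0/users/$($owner.Id)"
}

# A tenant holds a single lifecycle policy: reuse it if present, otherwise create it.
$policy = Get-MgGroupLifecyclePolicy | Select-Object -First 1
if (-not $policy) {
    $policy = New-MgGroupLifecyclePolicy -GroupLifetimeInDays 180 `
        -ManagedGroupTypes 'Selected' `
        -AlternateNotificationEmails 'it-security@contoso.example'
}

# With ManagedGroupTypes = Selected, each group has to be attached explicitly.
if ($policy.ManagedGroupTypes -eq 'Selected') {
    Add-MgGroupToLifecyclePolicy -GroupLifecyclePolicyId $policy.Id `
        -BodyParameter @{ groupId = $group.Id }
}

# Review who the rule pulled in (rule processing can take a while after creation).
Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }
```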

Azure – Register An Application in AD and Generate App Password

How-to guide: register an application in Azure AD and generate an app password.

In the Azure portal, browse to Azure Active Directory > App Registrations

New Registration

Enter Application details and account types

Next Click > Certificates & Secrets > New client secret

Enter a description and expiry > Click Add

Make sure to copy the value. You can then sign in as the application with the App ID and value.
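Client secrets created this way are long-lived credentials, so it helps to review them regularly. The following added example (not from the original post) uses the Microsoft Graph PowerShell SDK to list every app registration secret and flag expired, soon-to-expire and long-lived ones; the 30-day and 365-day thresholds are assumptions.

```powershell
# Added example: report client secrets on app registrations and flag risky lifetimes.
# Assumed thresholds, not from the post: warn 30 days before expiry, flag lifetimes > 365 days.
Connect-MgGraph -Scopes 'Application.Read.All'

$now             = (Get-Date).ToUniversalTime()
$warnDays        = 30
$maxLifetimeDays = 365

$report = Get-MgApplication -All -Property Id, AppId, DisplayName, PasswordCredentials |
    ForEach-Object {
        $app = $_
        foreach ($secret in $app.PasswordCredentials) {
            $start = $secret.StartDateTime
            $end   = $secret.EndDateTime
            $status =
                if     ($end -lt $now)                                   { 'Expired' }
                elseif ($end -lt $now.AddDays($warnDays))                { 'ExpiringSoon' }
                elseif (($end - $start).TotalDays -gt $maxLifetimeDays)  { 'LongLived' }
                else                                                     { 'OK' }

            [pscustomobject]@{
                App     = $app.DisplayName
                AppId   = $app.AppId
                Secret  = $secret.DisplayName   # the description entered in the portal
                KeyId   = $secret.KeyId
                Expires = $end
                Status  = $status
            }
        }
    }

# Only the entries that need attention, soonest expiry first.
$report | Where-Object Status -ne 'OK' | Sort-Object Expires | Format-Table -AutoSize
```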

Enhance Security : Enforce Mobile Devices to Use Encryption and Password Policy connecting to Exchange Online (O365)

Exchange Online (O365) has features to improve security for mobile devices by enforcing encryption and a password policy when they connect. Anyone who has been an Active Directory admin will by default expect to configure additional security; the same logic should apply for the Office 365 admin / Exchange Online admin.

How to configure, start in Exchange Admin Center

Browse “Mobile” and edit the “Default”

This applies additional security settings to mobile devices by default. I’ve highlighted some settings to make more restrictive than the default.

  • Require Password
  • Require an Alphanumeric Password
  • Require Encryption
  • Min Password Length
  • Wipe Device on Sign-In Failures
  • Sign In time
  • Password Lifetime and Recycle Count
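The settings listed above map to parameters of the default mobile device mailbox policy in Exchange Online PowerShell. This is an added example, not part of the original post, and every value in it is constructed for illustration; pick numbers that match your own policy.

```powershell
# Added example: the portal settings above applied with Exchange Online PowerShell.
# All values are constructed for illustration, not taken from the post.
Connect-ExchangeOnline

$settings = @{
    Identity                     = 'Default'
    PasswordEnabled              = $true          # Require Password
    AlphanumericPasswordRequired = $true          # Require an Alphanumeric Password
    RequireDeviceEncryption      = $true          # Require Encryption
    MinPasswordLength            = 6              # Min Password Length
    MaxPasswordFailedAttempts    = 8              # Wipe Device on Sign-In Failures
    MaxInactivityTimeLock        = '00:05:00'     # Sign In time (lock after 5 minutes idle)
    PasswordExpiration           = '90.00:00:00'  # Password Lifetime (90 days)
    PasswordHistory              = 5              # Recycle Count
}

# Capture the policy before and after so the change can be reviewed.
$before = Get-MobileDeviceMailboxPolicy -Identity 'Default'
Set-MobileDeviceMailboxPolicy @settings
$after  = Get-MobileDeviceMailboxPolicy -Identity 'Default'

$settings.Keys | Where-Object { $_ -ne 'Identity' } | Sort-Object | ForEach-Object {
    [pscustomobject]@{
        Setting = $_
        Before  = $before.$_
        After   = $after.$_
    }
} | Format-Table -AutoSize
```

Devices that cannot enforce these settings are blocked from syncing unless AllowNonProvisionableDevices is enabled on the policy, so check the before/after table against the device types in use.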

Office 365 Additional Security, Require MFA to Domain Join Devices in Azure Active Directory

How to enable the feature to prompt for Multi Factor Authentication when joining a device to an Azure Active Directory domain. We would also like to limit the number of devices a user can have to 5.

Start in Azure Active Directory Admin Center

Select Azure Active Directory > Devices

Under Devices click “Device Settings”

Now you can set the max number of devices per user and enforce MFA to join devices

Office 365 – Configure Users To Reset Non-Administrators Passwords

The support desk will need to be able to reset users' passwords in your environment. There is a pre-configured role already available in Office 365. Follow these basic steps to assign the “Password Administrator” role to a user.

Open Azure Active Directory Admin Center > Select “Users” > Select a user > Click “Assigned Roles” > “Add Assignment” and select the “Password Administrator” role.

Office 365 How To Configure External Collaboration Settings with Domain Restrictions

In Office 365, how do you configure external collaboration settings but restrict certain domains from collaboration?

This is all configured under Azure Active Directory Admin Center.

A few clicks and you're configured.

User settings > External Collaboration Settings > Set the level of restrictions and Save. This example restricts collaboration with the *.outlook.com and *.hotmail.com domains.

Or, if security is a higher priority than flexibility, disable Members and Guests invite and set “Allow invitations only to the specified domains”. Example :

Office 365 Password Protection – Custom Banned Passwords – Greyed Out

So you have decided to increase security by adding a banned password list, but the option in the Azure Active Directory admin center is greyed out. The problem is licensing. This feature is only available with Azure AD P1 licenses, as part of Enterprise Mobility and Security E3.

The problem: Password Protection greyed out

The issue: licenses, with no Enterprise Mobility and Security E3.

Solution

Upgrade to Enterprise Mobility and Security E3 License (please confirm further before purchasing)

https://www.microsoft.com/en-us/microsoft-365/enterprise-mobility-security/compare-plans-and-pricing

https://docs.microsoft.com/en-us/microsoft-365/commerce/licenses/subscriptions-and-licenses?view=o365-worldwide

Example Password List to Ban

Password_123, Manch35t3r, 123456, password, 123456789, 12345, 12345678, qwerty, 1234567, 111111, 1234567890, 123123, abc123, 1234, password1, iloveyou, 1q2w3e4r, 000000, qwerty123, zaq12wsx, dragon, sunshine, princess, letmein, 654321, monkey, 27653, 1qaz2wsx, 123321, qwertyuiop, superman, asdfghjkl

AZ-103: Microsoft Azure Administrator – EXAM PASSED!!!

Jan 16, 2020


PowerShell : Get COMPUTER objects of a specific group ( this example gets the properties “description” of each object )

# Get COMPUTER objects of a specific group (this example gets the "Description" property of each object)
# List the Name and Description properties in a single table
Import-Module ActiveDirectory

# Group members can also be users or nested groups, so keep only computer objects
Get-ADGroupMember -Identity GROUPNAME |
    Where-Object { $_.objectClass -eq 'computer' } |
    Get-ADComputer -Properties Description |
    Format-Table Name, Description

# Expected Output
#Name         Description
#----         -----------
#Computername Computer Description
#Computername Computer Description
#Computername Computer Description