How to enable the feature to prompt for Multi Factor Authentication when joining a device to an Azure Active Directory domain. We would also like to limit the number of devices a user can have to 5.
Start in Azure Active Directory Admin Center
Select Azure Active Directory > Devices
Under Devices click “Device Settings”
Now you can set the max number of devices per user and enforce MFA to join devices
The support desk will require the function to reset users passwords in your environment. Their is a pre-configured role already available in Office 365. Follow these basic steps to assign the “Password Administrator” role to a user.
Open Azure Active Directory Admin Center > Select “Users”> Select a user> Click “Assigned Roles”>”Add Assignment” and Select “Password Administrator” role.
In Office 365, how do you configure external collaboration settings but restrict certain domains from collaboration.
This is all configured under Azure Active Directory Admin Center.
A few clicks and your configured
User settings> External Collaboration Settings > Set the level of restrictions and Save. This example is restricting collaboration with *.outlook.com and *.hotmail.com domains
or if security if a higher priority over flexibility, Disable Members and Guests invite and set “Allow invitations only to the specified domains” Example :
Start in Microsoft 365 Admin Centre and browse to Azure Active Directory
Browse all services and click “App Registrations”
Click “New Registration”
Enter application details and URL
So you have decided to increase security by adding a banned password list but the option in Azure Active Directory admin center is greyed out. Problem is licensing. This feature is only available in Azure AD P1 Licenses as part of the Enterprise Mobility and Security E3.
The problem greyed out Password Protect
The issue, licenses, and no Enterprise Mobility and Security E3.
Solution
Upgrade to Enterprise Mobility and Security E3 License (please confirm further before purchasing)
https://www.microsoft.com/en-us/microsoft-365/enterprise-mobility-security/compare-plans-and-pricing
Example Password List to Ban
Password_123, Manch35t3r, 123456, password, 123456789, 12345, 12345678, qwerty, 1234567, 111111, 1234567890, 123123, abc123, 1234, password1, iloveyou, 1q2w3e4r, 000000, qwerty123, zaq12wsx, dragon, sunshine, princess, letmein, 654321, monkey, 27653, 1qaz2wsx, 123321, qwertyuiop, superman, asdfghjkl
Dynamic membership rules for groups in Azure Active Directory and automatic licensing.
Configured in Azure Active Directory Admin Center.
Add New Group
Select Dynamic User or Device
Example Looks for a property “Sunderland”
Users created with City “Sunderland”, will be added automatically to this group.
Next step, edit the Group “Sunderland Office” by clicking on it.
Click “Licenses” and “+ Assignments”
Select the license and options to assign and save
For more information visit
https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-dynamic-membership
#DSQuery
dsquery user -name “*” -limit 0 | dsget user -samid -hmdir -hmdrv -profile >c:\temp\usersV2.txt
#PowerShell # More flexibility # Includes the state of the computer account (Enable or Disabled)
Get-ADUser -Filter * -Property Name,CanonicalName,CN,DisplayName,DistinguishedName,HomeDirectory, HomeDrive,SamAccountName,UserPrincipalName | export-csv -path (Join-Path $pwd HomeDrive.csv) -encoding ascii -NoTypeInformation
import-module activedirectory
#List all users in the domain
# Display Name and Email Address
get-aduser -Filter * -SearchBase “dc=Test,dc=com” -Properties Displayname,emailaddress | select displayname ,emailaddress | Export-Csv C:\temp\users_and_email.csv
# Get a list of users which have logged on to the domain in the last 7 days
$Date = (Get-Date).AddDays(-7)
Get-ADUser -Filter {LastLogonDate -gt $Date} | Select distinguishedName
# script to find all AD users who have the “cannot change password” box checked in a specific OU
# Windows Server 2016
# Powershell
Get-ADUser -Filter * -Properties CannotChangePassword -SearchBase “OU=specificOU,DC=TEST,DC=com” | where { $_.CannotChangePassword -eq “true” } | Format-Table Name, DistinguishedName