Office 365 Additional Security, Require MFA to Domain Join Devices in Azure Active Directory

How to enable the feature that prompts for Multi-Factor Authentication when joining a device to an Azure Active Directory domain. We would also like to limit the number of devices a user can have to 5.

Start in Azure Active Directory Admin Center

Select Azure Active Directory > Devices

Under Devices click “Device Settings”

Now you can set the max number of devices per user and enforce MFA to join devices

Office 365 – Configure Users To Reset Non-Administrators Passwords

The support desk will require the ability to reset users' passwords in your environment. There is a pre-configured role already available in Office 365. Follow these basic steps to assign the “Password Administrator” role to a user.

Open Azure Active Directory Admin Center > Select “Users” > Select a user > Click “Assigned Roles” > “Add Assignment” and select the “Password Administrator” role.

Office 365 How To Configure External Collaboration Settings with Domain Restrictions

In Office 365, how do you configure external collaboration settings but restrict certain domains from collaboration?

This is all configured under Azure Active Directory Admin Center.

A few clicks and you're configured.

User settings > External Collaboration Settings > set the level of restrictions and Save. This example restricts collaboration with the *.outlook.com and *.hotmail.com domains.

Or, if security is a higher priority than flexibility, disable Members and Guests invites and set “Allow invitations only to the specified domains”. Example:

Office 365 Password Protection – Custom Banned Passwords – Greyed Out

So you have decided to increase security by adding a banned password list, but the option in the Azure Active Directory admin center is greyed out. The problem is licensing: this feature is only available with Azure AD P1 licenses, as included in Enterprise Mobility and Security E3.

The problem: Password Protection is greyed out

The issue: licensing, with no Enterprise Mobility and Security E3.

Solution

Upgrade to an Enterprise Mobility and Security E3 license (please confirm further before purchasing)

https://www.microsoft.com/en-us/microsoft-365/enterprise-mobility-security/compare-plans-and-pricing

https://docs.microsoft.com/en-us/microsoft-365/commerce/licenses/subscriptions-and-licenses?view=o365-worldwide

Example Password List to Ban

Password_123, Manch35t3r, 123456, password, 123456789, 12345, 12345678, qwerty, 1234567, 111111, 1234567890, 123123, abc123, 1234, password1, iloveyou, 1q2w3e4r, 000000, qwerty123, zaq12wsx, dragon, sunshine, princess, letmein, 654321, monkey, 27653, 1qaz2wsx, 123321, qwertyuiop, superman, asdfghjkl

In Office 365 Add users automatically to a group based on property

Dynamic membership rules for groups in Azure Active Directory and automatic licensing.

Configured in Azure Active Directory Admin Center.

Add New Group

Select Dynamic User or Device


Example: a rule that looks for the property value “Sunderland”

Users created with the City “Sunderland” will be added automatically to this group.

Next step, edit the Group “Sunderland Office” by clicking on it.

Click “Licenses” and “+ Assignments”

Select the license and options to assign and save

For more information visit

https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-dynamic-membership

Task : Output A List Of Home Drive Paths Configured In Active Directory

#DSQuery

dsquery user -name "*" -limit 0 | dsget user -samid -hmdir -hmdrv -profile >c:\temp\usersV2.txt


#PowerShell # More flexibility # Includes the state of the user account (Enabled or Disabled), which Get-ADUser returns by default

Get-ADUser -Filter * -Properties Name,CanonicalName,CN,DisplayName,DistinguishedName,HomeDirectory,HomeDrive,SamAccountName,UserPrincipalName | Export-Csv -Path (Join-Path $pwd HomeDrive.csv) -Encoding ASCII -NoTypeInformation

List all users in the domain and email addresses

Import-Module ActiveDirectory

# List all users in the domain

# Display Name and Email Address

Get-ADUser -Filter * -SearchBase "dc=Test,dc=com" -Properties DisplayName,EmailAddress | Select-Object DisplayName,EmailAddress | Export-Csv C:\temp\users_and_email.csv -NoTypeInformation


PowerShell Script to find all AD users who have the “cannot change password” box checked in a specific OU

# script to find all AD users who have the “cannot change password” box checked in a specific OU

# Windows Server 2016

# Powershell

Get-ADUser -Filter * -Properties CannotChangePassword -SearchBase "OU=specificOU,DC=TEST,DC=com" | Where-Object { $_.CannotChangePassword -eq $true } | Format-Table Name, DistinguishedName
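As an added example (not code from the original posts), the three AD queries above can be combined into one audit of an OU that also reports PasswordNeverExpires and the last logon date, so accounts that cannot change their password can be reviewed together with their home drive and enabled state. The OU distinguished name and output path are placeholders.

```powershell
# Added example, not from the original post. SearchBase and OutPath are placeholders.
Import-Module ActiveDirectory

function Get-OuPasswordAudit {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,   # e.g. "OU=specificOU,DC=TEST,DC=com" (placeholder)
        [string] $OutPath = (Join-Path $pwd 'ou_password_audit.csv')
    )

    # CannotChangePassword, PasswordNeverExpires, HomeDirectory and HomeDrive are
    # not default properties, so they must be requested explicitly; Enabled is default.
    $users = Get-ADUser -Filter * -SearchBase $SearchBase -SearchScope Subtree `
        -Properties CannotChangePassword, PasswordNeverExpires, PasswordLastSet,
                    HomeDirectory, HomeDrive, LastLogonDate

    $report = foreach ($u in $users) {
        [pscustomobject]@{
            SamAccountName       = $u.SamAccountName
            Enabled              = $u.Enabled
            CannotChangePassword = [bool]$u.CannotChangePassword
            PasswordNeverExpires = [bool]$u.PasswordNeverExpires
            PasswordLastSet      = $u.PasswordLastSet
            LastLogonDate        = $u.LastLogonDate
            HomeDrive            = $u.HomeDrive
            HomeDirectory        = $u.HomeDirectory
            DistinguishedName    = $u.DistinguishedName
        }
    }

    # Same export style as the posts above: CSV without the type header line
    $report | Export-Csv -Path $OutPath -NoTypeInformation -Encoding ASCII
    return $report
}

# Usage: run the audit, then show enabled accounts that have both flags set,
# which is the combination most worth reviewing (typically service accounts).
$report = Get-OuPasswordAudit -SearchBase 'OU=specificOU,DC=TEST,DC=com'
$report | Where-Object { $_.Enabled -and $_.CannotChangePassword -and $_.PasswordNeverExpires } |
    Format-Table SamAccountName, PasswordLastSet, LastLogonDate -AutoSize
```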