Azure – Route Tables – How To Force Traffic Down A Specific Route

“Create a route table when you need to override Azure’s default routing.”

Why?

  • To force internet traffic via the on-prem network
  • Route via an NGFW (Next Generation Firewall)

Scenario example: you want to force all traffic via a proxy / NGFW (Zscaler) for SSL inspection, web security, internet security etc., so you can control, monitor and protect your business's internet traffic. You could even go one step further and restrict Microsoft 365 or Azure access to approved IPs or to the proxy / Zscaler only.

How?

Create a route table > Add >

Set a name

Add route to your table and select the next hop

Example Route set
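As an added example (not code from the post), here is a Python sketch of the route table the steps above build, with a check for the two mistakes that most often break forced tunnelling through an NVA: a next hop outside the VNet, and associating the default route with the firewall's own subnet. The names, address ranges and NVA IP are constructed.

```python
"""Sanity-check a user-defined route that forces a subnet's internet traffic
through a firewall/proxy NVA, as in the scenario above. Added illustration,
not code from the post; names, address ranges and the NVA IP are constructed."""
from __future__ import annotations
import ipaddress


def forced_tunnel_route_table(name: str, nva_ip: str) -> dict:
    """ARM-style route table with one default route whose next hop is the NVA."""
    return {
        "name": name,
        "properties": {
            # Stop BGP-learned on-prem routes from overriding the forced path
            "disableBgpRoutePropagation": True,
            "routes": [{
                "name": "default-via-ngfw",
                "properties": {
                    "addressPrefix": "0.0.0.0/0",
                    "nextHopType": "VirtualAppliance",
                    "nextHopIpAddress": nva_ip,
                },
            }],
        },
    }


def check_association(table: dict, subnet_prefix: str,
                      vnet_prefixes: list[str]) -> list[str]:
    """Problems to fix before associating `table` with `subnet_prefix`;
    vnet_prefixes is where the NVA should live (include peered hub VNets)."""
    problems = []
    subnet = ipaddress.ip_network(subnet_prefix)
    reachable = [ipaddress.ip_network(p) for p in vnet_prefixes]
    for route in table["properties"]["routes"]:
        props = route["properties"]
        if props["nextHopType"] != "VirtualAppliance":
            continue
        hop = ipaddress.ip_address(props["nextHopIpAddress"])
        if not any(hop in net for net in reachable):
            problems.append(f"{route['name']}: next hop {hop} is outside the "
                            "expected VNet address space")
        if hop in subnet:
            # The NVA's own egress would match 0.0.0.0/0 and be sent back to
            # itself: never associate this table with the NVA's own subnet.
            problems.append(f"{route['name']}: next hop {hop} lies in the "
                            f"associated subnet {subnet}; routing loop")
    return problems
```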

Office 365 Additional Security, Require MFA to Domain Join Devices in Azure Active Directory

How to enable the feature that prompts for Multi-Factor Authentication when joining a device to an Azure Active Directory domain. We would also like to limit the number of devices a user can have to 5.

Start in Azure Active Directory Admin Center

Select Azure Active Directory > Devices

Under Devices click “Device Settings”

Now you can set the max number of devices per user and enforce MFA to join devices

Office 365 – Configure Users To Reset Non-Administrators Passwords

The support desk will require the ability to reset users' passwords in your environment. There is a pre-configured role already available in Office 365. Follow these basic steps to assign the “Password Administrator” role to a user.

Open Azure Active Directory Admin Center > Select “Users” > Select a user > Click “Assigned Roles” > “Add Assignment” and select the “Password Administrator” role.

Office 365 How To Configure External Collaboration Settings with Domain Restrictions

In Office 365, how do you configure external collaboration settings but restrict certain domains from collaboration?

This is all configured under Azure Active Directory Admin Center.

A few clicks and you're configured.

User settings > External Collaboration Settings > set the level of restriction and Save. This example restricts collaboration with the *.outlook.com and *.hotmail.com domains.

Or, if security is a higher priority than flexibility, disable member and guest invitations and set “Allow invitations only to the specified domains”. Example:

Office 365 Password Protection – Custom Banned Passwords – Greyed Out

So you have decided to increase security by adding a banned password list, but the option in the Azure Active Directory admin center is greyed out. The problem is licensing: this feature is only available with Azure AD P1 licenses, which come as part of Enterprise Mobility and Security E3.

The problem: Password Protection is greyed out.

The issue: licensing, with no Enterprise Mobility and Security E3.

Solution

Upgrade to Enterprise Mobility and Security E3 License (please confirm further before purchasing)

https://www.microsoft.com/en-us/microsoft-365/enterprise-mobility-security/compare-plans-and-pricing

https://docs.microsoft.com/en-us/microsoft-365/commerce/licenses/subscriptions-and-licenses?view=o365-worldwide

Example Password List to Ban

Password_123, Manch35t3r, 123456, password, 123456789, 12345, 12345678, qwerty, 1234567, 111111, 1234567890, 123123, abc123, 1234, password1, iloveyou, 1q2w3e4r, 000000, qwerty123, zaq12wsx, dragon, sunshine, princess, letmein, 654321, monkey, 27653, 1qaz2wsx, 123321, qwertyuiop, superman, asdfghjkl
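To see what a custom list actually buys you, here is an added Python model (not Microsoft's implementation and not code from the post) of the documented Password Protection scoring, run over the list above: the candidate is normalised, each banned term found earns one point, every other character earns one point, and five points are needed to pass. The edit-distance fuzzy match is left out.

```python
"""Model of the Azure AD Password Protection scoring rules, run against the
banned list from this post. Added illustration, not Microsoft's code: it follows
the published description (normalise; 1 point per banned term found, 1 point per
other character; 5 points to pass) and omits the edit-distance-1 fuzzy match."""
from __future__ import annotations

# The example list exactly as given in the post
BANNED_FROM_POST = """Password_123, Manch35t3r, 123456, password, 123456789,
12345, 12345678, qwerty, 1234567, 111111, 1234567890, 123123, abc123, 1234,
password1, iloveyou, 1q2w3e4r, 000000, qwerty123, zaq12wsx, dragon, sunshine,
princess, letmein, 654321, monkey, 27653, 1qaz2wsx, 123321, qwertyuiop,
superman, asdfghjkl"""

# Substitutions undone during normalisation, as documented by Microsoft
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})
MIN_SCORE = 5  # a password needs at least five points to be accepted


def normalise(password: str) -> str:
    """Lower-case and undo the common leet-style substitutions."""
    return password.lower().translate(SUBSTITUTIONS)


def banned_terms(raw_list: str) -> list[str]:
    """Parse the comma-separated list and normalise it, longest entries first
    so the greedy scan in score() always takes the longest banned match."""
    terms = {normalise(t.strip()) for t in raw_list.split(",") if t.strip()}
    return sorted(terms, key=len, reverse=True)


def score(password: str, banned: list[str]) -> tuple[int, list[str]]:
    """Return (points, banned terms found). Each banned term counts one point;
    every character not covered by a banned term counts one point."""
    norm = normalise(password)
    points, matched, i = 0, [], 0
    while i < len(norm):
        hit = next((b for b in banned if norm.startswith(b, i)), None)
        if hit is not None:
            matched.append(hit)
            i += len(hit)
        else:
            i += 1
        points += 1
    return points, matched


def is_accepted(password: str, banned: list[str]) -> bool:
    """True when the password scores enough to pass the banned-list check."""
    return score(password, banned)[0] >= MIN_SCORE
```

Under this model a banned term padded with five other characters (Passw0rd-2024 scores 6) still passes, which is why the custom list supplements Microsoft's global banned list rather than replacing it.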

In Office 365 Add users automatically to a group based on property

Dynamic membership rules for groups in Azure Active Directory and automatic licensing.

Configured in Azure Active Directory Admin Center.

Add New Group


Select Dynamic User or Device


Example: the rule looks for the City property with the value “Sunderland”.

Users created with City “Sunderland”, will be added automatically to this group.

Next step, edit the Group “Sunderland Office” by clicking on it.

Click “Licenses” and “+ Assignments”

Select the license and options to assign and save

For more information visit

https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-dynamic-membership
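Because the group above also hands out licences, it is worth previewing who a rule captures before saving it. Here is an added Python example (not code from the post) that evaluates the post's City rule over a few constructed users; it handles only -eq, -ne, -startsWith and -contains joined by -and, and treats comparisons as case-insensitive, which is an assumption to verify against the rule documentation.

```python
"""Preview which users a dynamic membership rule would pull into a group (and so
which users receive its licences). Added illustration, not code from the post:
users are constructed, only -eq/-ne/-startsWith/-contains joined by -and are
handled, and matching is case-insensitive (an assumption; verify in the docs)."""
from __future__ import annotations
import re

# The rule behind the post's example group: City equal to "Sunderland"
RULE = '(user.city -eq "Sunderland")'

# Constructed sample directory users
SAMPLE_USERS = [
    {"userPrincipalName": "amy@example.com", "city": "Sunderland"},
    {"userPrincipalName": "ben@example.com", "city": "Newcastle"},
    {"userPrincipalName": "cat@example.com"},  # city never populated
]

CLAUSE = re.compile(
    r'\(\s*user\.(\w+)\s+(-eq|-ne|-startsWith|-contains)\s+"([^"]*)"\s*\)')
OPS = {
    "-eq": lambda have, want: have == want,
    "-ne": lambda have, want: have != want,
    "-startsWith": lambda have, want: have.startswith(want),
    "-contains": lambda have, want: want in have,
}


def parse_rule(rule: str) -> list[tuple[str, str, str]]:
    """Split a rule on -and into (property, operator, value) clauses."""
    clauses = []
    for text in re.split(r"\s+-and\s+", rule.strip()):
        m = CLAUSE.fullmatch(text.strip())
        if m is None:
            raise ValueError(f"unsupported clause: {text}")
        clauses.append(m.groups())
    return clauses


def matches(rule: str, user: dict) -> bool:
    """A user must satisfy every clause; a missing property never matches."""
    for prop, op, want in parse_rule(rule):
        have = user.get(prop)
        if have is None or not OPS[op](str(have).lower(), want.lower()):
            return False
    return True


def preview_members(rule: str, users: list[dict]) -> list[str]:
    """UPNs the rule would capture; check this before tying licences to it."""
    return [u["userPrincipalName"] for u in users if matches(rule, u)]
```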

Intune – MDM – Device Enrolment – Create a Profile

Intune – Mobile Device Management – Device Enrolment – Create a Profile

Let's focus on BYOD (Bring Your Own Device).

Example Apple – iOS enrolment

BYOD

  • Devices are not wiped during enrolment
  • Device is associated with a user
  • Users can unenroll the device

At this point we have already completed the prerequisites (see Apple MDM Push Certificate if you haven't done this already).

Now: create a profile

You need to create a profile before enrolling a device.

Apple Configurator / Devices

https://devicemanagement.microsoft.com

We need to add a Profile

Profiles > Create


Enrol with user affinity (i.e. map the device to a user) and authenticate via the Company Portal (example options selected).


Then click “Create”

Success: a profile is created.


Intune – Apple MDM Push Certificate

Intune – Mobile Device Management – Device Enrolment – Apple MDM Push Certificate

Let's focus on BYOD (Bring Your Own Device).

Example Apple – iOS enrolment

BYOD

  • Devices are not wiped during enrolment
  • Device is associated with a user
  • Users can unenroll the device

MDM push certificate required

Go to device management https://devicemanagement.microsoft.com

Enrol iOS devices in Intune


Devices > Apple Enrollment > Apple MDM Push Certificate

You will need an Apple ID used on your Device

Step 3 expanded:

“Create your MDM push certificate” redirects you to log in to the Apple portal with your Apple ID:

https://identity.apple.com/pushcert/

Click “Create a Certificate”

Read, Tick and Accept the terms

Upload your CSR

Download Certificate

Then view Manage Certificates and note the expiry date! The push certificate is valid for one year; renew it before it expires, using the same Apple ID, otherwise enrolled devices will have to be re-enrolled.


Now back to step 4.


Enter Apple ID

Step 5


Add your MDM push certificate


Click upload

Success.