Office 365 Additional Security, Require MFA to Domain Join Devices in Azure Active Directory

How to enable the feature to prompt for Multi Factor Authentication when joining a device to an Azure Active Directory domain. We would also like to limit the number of devices a user can have to 5.

Start in Azure Active Directory Admin Center

Select Azure Active Directory > Devices

Under Devices click “Device Settings”

Now you can set the max number of devices per user and enforce MFA to join devices

Office 365 – Configure Users To Reset Non-Administrators Passwords

The support desk will require the function to reset users passwords in your environment. Their is a pre-configured role already available in Office 365. Follow these basic steps to assign the “Password Administrator” role to a user.

Open Azure Active Directory Admin Center > Select “Users”> Select a user> Click “Assigned Roles”>”Add Assignment” and Select “Password Administrator” role.

Office 365 How To Configure External Collaboration Settings with Domain Restrictions

In Office 365, how do you configure external collaboration settings but restrict certain domains from collaboration.

This is all configured under Azure Active Directory Admin Center.

A few clicks and your configured

User settings> External Collaboration Settings > Set the level of restrictions and Save. This example is restricting collaboration with *.outlook.com and *.hotmail.com domains

or if security if a higher priority over flexibility, Disable Members and Guests invite and set “Allow invitations only to the specified domains” Example :

Office 365 Password Protection – Custom Banned Passwords – Greyed Out

So you have decided to increase security by adding a banned password list but the option in Azure Active Directory admin center is greyed out. Problem is licensing. This feature is only available in Azure AD P1 Licenses as part of the Enterprise Mobility and Security E3.

The problem greyed out Password Protect

The issue, licenses, and no Enterprise Mobility and Security E3.

Solution

Upgrade to Enterprise Mobility and Security E3 License (please confirm further before purchasing)

https://www.microsoft.com/en-us/microsoft-365/enterprise-mobility-security/compare-plans-and-pricing

https://docs.microsoft.com/en-us/microsoft-365/commerce/licenses/subscriptions-and-licenses?view=o365-worldwide

In Office 365 Add users automatically to a group based on property

Dynamic membership rules for groups in Azure Active Directory and automatic licensing.

Configured in Azure Active Directory Admin Center.

Add New Group


Select Dynamic User or Device

 

Example Looks for a property “Sunderland”

Users created with City “Sunderland”, will be added automatically to this group.

Next step, edit the Group “Sunderland Office” by clicking on it.

Click “Licenses” and “+ Assignments”

Select the license and options to assign and save

For more information visit

https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-dynamic-membership

Intune – MDM – Device Enrolment – Create a Profile

Intune – Mobile Device Management – Device Enrolment – Create a Profile

Lets focus on BYOD (Bring Your Own Device)

Example Apple – iOS enrolment

BYOD

  • Devices are not wiped during enrolment
  • Device is associated with a user
  • Users can unenroll the device

At this point we have already completed the Pre Req’s (See Apple MDM Push Certificate if you haven’t done this already)

Now : Create a Profile

You need to create a profile before enrolling a device.

Apple Configurator / Devices

https://devicemanagement.microsoft.com

We need to add a Profile

Profiles > Create


Enrol with User Affinity ( i.e Map the Device to a User) + Auth via company Portal (Example options selected)


Then click “Create”

Success a profile is created


Intune – Apple MDM Push Certificate

Intune – Mobile Device Management – Device Enrolment – Apple MDM Push Certificate

Lets focus on BYOD (Bring Your Own Device)

Example Apple – iOS enrolment

BYOD

  • Devices are not wiped during enrolment
  • Device is associated with a user
  • Users can unenroll the device

MDM push Certificate required

Go to device management https://devicemanagement.microsoft.com

Enrol iOS devices in Intune


Devices > Apple Enrollment > Apple MDM Push Certificate

You will need an Apple ID used on your Device

Step 3 expanded….

Create your MDM push certificate redirects you to login to the Apple portal with your Apple ID

https://identity.apple.com/pushcert/

Click “Create a Certificate

Read, Tick and Accept the terms

Upload your CSR

Download Certificate

Then View Manage Certificates. Note Expiry date!


Now back to step 4.


Enter Apple ID

Step 5


Add your MDM push certificate


Click upload

Success….


Intune – Mobile Device Management – Register and Assign a Intune License

Setting up Intune on your current Office365 subscription.

Things to know..

  1. Check your Pre Reqs/Supported devices
  2. More than 150 licenses for EMS? Check out FastTrack Center Benefit!
  3. DNS registration
  4. Users and Groups
  5. Intune license required
  6. Apps can be assigned to groups to be installed automatically
  7. You can create profiles on devices
  8. Define app policies / and restrictions

Getting started

Signup, Already using Office 365 = You already have an account

Yes, add it to my account

Try now

Continue

Check your email

Assign the license

Editing users (User Management) https://admin.microsoft.com

Add the Intune license

Save

You will now see the license is assigned to the user

Secure Connectivity to Azure


05.03.2020 – Stephen Hackers, attended the North East Azure User Group – 14th Meetup. Hosted by Frank Recruitment Group.

The core presentation was on Secure Connectivity to Azure by Matthew Bradley Chief Engineer (Azure) at ClearCloud

The session covered:

VPN Offerings, Service Endpoints, VNet Peering and Private Link

The presentation was focused on educating and sharing experiences in securing connectivity into Azure.

A key point : Security to Azure is required and it doesn’t need to come at a great expense to the business. Build it in to your solution from day 1.

Presentation Notes

VPN offerings:

  • Basic options start at £20 a month roughly (06.03.2020)
  • Bandwith is the key difference between levels
  • Number of S2S tunnels is mostly limited to 30 except basic is 10.

Service Endpoints:

  • No additional cost for VNet Service Endpoints
  • VNet ACLs are not supported across AD tenants
  • Service Endpoints add a system route which takes precedence over other routes

VNet Peering:

  • Traffic between resources is private/isolated. Not encrypted
  • Network address space must not overlap
  • VNet peering doesn’t impose bandwiths

Private Link

  • Connect to Azure without a public IP address
  • Private end points mapped to an instance of PaaS (in Preview)
  • Private Link works a bit like NAT, Private Link endpoint is given a private IP in the VNet of the source
  • IP ranges can overlap

Summary

Small event, around 45 technical Azure focused people attended. Keeping the event simple with one good presentation. There are a great community bunch attending this up and coming North East Azure User Group. Thanks to Frank Recruitment Group for hosting the event and essential beer and pizza. Having a recruitment company hosting, minimal sales pitch was a double win. We did discuss careers a little too at the end (in the optional pub near by).

Looking forward to the next event. For anyone wishing to attend https://www.meetup.com/North-East-Azure-User-Group/