Categories
android Apple ATP Defender email EOP exchange exchange online Exchange Online Protection EXO iOS iPhone Office 365 Advanced Threat Protection phish phishing spam

Exchange Online Warning On Receipt Of New Email Sender

Released recently to no fanfare at all, Microsoft now has a SafetyTip that appears if you receive email from a first time recipient.

Most often phish emails will come from an address you have never received email from before, and sometimes this email will try to impersonate people you communicate with or are internal to your organization. Warning for attempted spoofed domains or users is part of Microsoft Defender for Office 365 (previously known as Advanced Threat Protection for Office 365) and the functionality to warn based on similar sender is also part of this product if you enable the “mailbox intelligence” option. But the option to warning for a new sender is available for all Exchange Online users without ATP licences.

The user sees the SafetyTip above the email body as shown below once this new feature is enabled:

New Sender Safety Tip

To turn on this option you enable a custom message header in a transport rule and then within 30 minutes or so, every new sender under the scope of the rule is warned when they receive email from a new sender. This also includes senders that have not send a lot of message to you, as I see that this Safety Tip appear on subsequent messages from the same sender. Not sure yet when this stops appearing for slightly less new senders!

To enable this feature create the following transport rule, restricting the scope of the rule to some users only to start with and then when happy with the functionality changing the rule to apply to all users.

First Contact Safety Tip Transport Rule

Open Exchange Online Control Panel (at the time of writing this is in the old UX for this, so these screenshots represent the classic view – this will change at some point in the future) and select Mail Flow > Rules

Click the + icon > Modify Messages and fill in the name “Enable First Contact Safety Tip”

Select under Apply this rule if… The sender is located > Outside the organization

Select under Do the following… Set the message header to this value and click the first option for Enter text and copy and paste the following string X-MS-Exchange-EnableFirstContactSafetyTip

Click the second option for Enter text and enter any value you like. I have had reports that only “enable” works but that is not my experience and I had this working with the value AnythingYouLike!

I turn off the audit option and then save the rule as shown:

New Transport Rule for First Contact Safety Tip

To set the rule for a pilot program, click More options and then the newly displayed add condition button and then select that the rule should only apply if the recipient is and select a few names from your global address list.

Pilot Program for First Contact Safety Tip

Within 30 minutes and then the next new sender and Outlook, Outlook Web Access and Outlook Mobile will display the new safety tip

Categories
exchange exchange online Microsoft 365 Office Office 365 Raspberry Pi

Microsoft 365 From A Raspberry Pi 400 Personal Computer

So my new computer arrived today, its a keyboard and a few cables, and as my first computer was a ZX Spectrum when I was 14, this brings back a few memories.

New boxed Raspberry Pi 400 PC kit

But, is it usable today with services such as Microsoft 365? Lets see…

First, the actual computer is in the keyboard, but its smaller than a standard PC sized keyboard. Indeed the manual the comes with it! is almost as big and heavier than the computer.

The manual, the Pi Keyboard (white) and a standard PC keyboard (black)

Plugging it in was easy, and once connected to the monitor and powered on it runs through a first use series of steps. With all that out of the way and the latest updates downloaded and installed the device rebooted and I logged in.

Cables everywhere. It supports WiFi as well so I could have avoided the purple Ethernet cable

Starting the web browser is easy – there is an icon top left and Chromium opens. Logging into Office 365 via https://office.com is as you would expect, though some of the fonts used are not present and so the login screen looks slightly wrong.

From Office homepage I clicked Teams icon and it presented me with the below – an offer to install the Teams Linux client and two choices, Linux DEB or Linux RPM.

Teams on Pi and an offer of two installers though neither of these work on an ARM processor

Neither of these work with ARM based Raspberry Pi computers though, so need to use the web application. Also from the Teams perspective, there is no built in camera or microphone, but it did only cost £95 for the entire kit. A Bluetooth microphone might connect, but I don’t have one to hand to test with. Any USB microphone would work and a USB camera, with a microphone, can be enabled with a few commands run at the prompt.

Enabling video with the fswebcam installer

Chromium comes with the uBlock Origin extension enabled, which blocks some functionality in Teams such as notifications. I just turned off the EasyPrivacy list for the rest of my introductory testing and not a lot was blocked after that.

Outlook Web App, Word etc all worked efficiently though slightly slow for my preference, but again – its a sub £100 computer.

When using Office in Chromium it offers to add a link to the desktop – this adds the Office icon and then Office appears like an app, though its only Chromium. This is a nice feature akin to Chromebooks.

Office icon on the desktop and Office open and not looking like its really a browser

This functionality is not limited to Office, for example in Outlook Web App I can choose to “Install Outlook” from the three dots icon top right of the browser. This opens Outlook as a separate web app and adds an icon to the desktop like Office got when I opted to “pin” Office when prompted to do so in that web page.

Install Outlook menu item in Chromium when OWA is the open tab
Install App confirmation
Outlook – on the Raspberry Pi

So that will do for now – everything else I can do in the Raspberry Pi for Microsoft 365 is generally as I can do it in any of the web apps on any platform.

Categories
DNS EOP exchange exchange online Exchange Online Protection Exchange Server smtp

Enabling Better Mail Flow Security for Exchange Online

At Microsoft Ignite 2020, Microsoft announced support for MTA-STS, or Mail Transfer Agent Strict Transport Security. This is covered in RFC 8461 and it includes making TLS for mail flow to your domains mandatory whereas it is currently down to the decision of the sender.

You can publish your SMTP endpoint and offer the STARTTLS verb but there is no requirement for the sender to use it unless you have configured the sender as well to ensure that they only email you over TLS (for example RequireTLS and TLSDomain settings in Exchange Server/Exchange Online connectors). MTA-STS allows you, the domain owner, to publish your TLS requirements.

You publish your requirements by placing a policy file in your websites “.well-known” directory. The policy will have version: STSv1 and mode: [testing|enforce|none] and mx record. “Testing” for mode says send the delivery of the email will work regardless of success or failure, but also send a report if it failed. “Enforce” means security must pass or the message delivery fails and “none” clears the policy, acting as if you don’t have a policy but giving you a route to remove the policy cleanly rather than what might happen if the policy was to disappear (mail flow should stop). The policy will also have a max_age value in seconds on how long the sender should cache the policy. For example:

version: STSv1
mode: testing
mx: mail.domain.com
mx: c7solutions-com.mail.protection.outlook.com
max_age: 86400

In the above example, my policy is for testing and so I have set a short max_age value, though a value of weeks or more would typically be expected with 31557600 being the largest value you can set (a year and 1/4 of a day in seconds).

The text file must be called mta-sts.txt in the .well-known folder of the mts-sts domain, for example https://mta-sts.c7solutions.com/.well-known/mta-sts.txt

Finally, the policy is published via DNS with the _mta-sts subdomain record:

_mta-sts.c7solutions.com  TXT  "v=STSv1; id=202009241541"

This DNS record must be v=STSv1 and the id needs to be a value that changes when the policy file changes, so I have just used a date string, but it could be anything that you change as the policy changes. The DNS record can also be a CNAME record instead of a TXT record when someone else hosts your email infrastructure and in this case the value points to the MTA-STS domain of the provider instead.

Testing mode was mentioned above, and that is covered in my second blog post today on this topic – Reporting on MTA-STS Failures

Categories
EOP exchange exchange online Exchange Online Protection Exchange Server

Reporting on MTA-STS Failures

This article is a follow up to the Enabling Better Mail Flow Security for Exchange Online which discusses setting up MTA-STS and in this article we cover the reporting for MTA-STS.

To get daily reports from each sending infrastructure to receive reports on MTA-STS you just create a DNS record in the following format:

_smtp._tls.c7solutions.com IN TXT "v=TLSRPTv1;rua=mailto:hostmaster@c7solutions.com"

It took about a week before I got some reports and at this time they have only come, now daily, from Google. They come as a JSON file compressed in the GZip format and once expanded appear as follows:

{
 "organization-name":"Google Inc.",
 "date-range":
 {
  "start-datetime":"2020-10-08T00:00:00Z",
  "end-datetime":"2020-10-08T23:59:59Z"
 },
 "contact-info":"smtp-tls-reporting@google.com",
 "report-id":"2020-10-08T00:00:00Z_c7solutions.com",
 "policies":
 [
  {
   "policy":
   {
    "policy-type":"sts",
    "policy-string":
    [
     "version: STSv1\r",
     "mode: testing\r",
     "mx: mail.domain.com\r",
     "mx: c7solutions-com.mail.protection.outlook.com\r",
     "max_age: 86400"
    ],
    "policy-domain":"c7solutions.com"
   },
   "summary":
   {
    "total-successful-session-count":1,
    "total-failure-session-count":0
   }
  }
 ]
}

As we can see, nothing interesting – it worked for the one email I got into this domain from Gmail that day! On one result its not time to change the policy from “testing” to “enforce” but it might be soon as I know it is working.

Categories
enhanced filtering EOP exchange exchange online Exchange Online Protection Exchange Server mimecast Office 365 spam

Enable EOP Enhanced Filtering for Mimecast Users

Enhanced Filtering is a feature of Exchange Online Protection (EOP) that allows EOP to skip back through the hops the messages has been sent through to work out the original sender.

Take for example a message from SenderA.com to RecipientB.com where RecipientB.com uses Mimecast (or another cloud security provider). The MX record for RecipientB.com is Mimecast in this example. When EOP gets the message it will have gone from SenderA.com > Mimecast > RecipientB.com > EOP, or it will have gone SenderA.com > Mimecast > EOP if you are not sending via any other system such as an on-premises network.

EOP though, without Enhanced Filtering, will see the source email as the previous hop – in the above example the email will appear to come from Mimecast or the on-premises IP address – and neither of these are the true sender for SenderA.com and so the message fails SPF if it is set to -all (hard fail) and possibly DMARC if set to p=reject. EOP won’t, because of this complexity in routing, reject hard fails or DMARC rejects immediately.

So how can you tell EOP about your complex routing – this is Enhanced Filtering. You add the IPs of your on-premises network and your cloud filter to the inbound connector that you create in EOP to receive your emails. For any source you need the list of IPs and here are the IPs at the time of writing for Mimecast EU datacenters in an easy to use PowerShell cmdlet to add them to your Inbound Connector in EOP.

Set-InboundConnector "Inbound from Mimecast EU" -EFSkipIPs 207.82.80.0/24,146.101.78.0/24,185.58.84.0/22,91.220.42.0/24,195.130.217.0/24,193.7.205.0/24,193.7.204.0/24

In the above, get the name of the connector correct and it adds the IPs for you. It takes about an hour to take effect, but after this time inbound emails via Mimecast EU are skipped for spf/DMARC checking in EOP. For organisations with complex routing this is something you need to implement.

Categories
attribution domain enhanced filtering EOP exchange exchange online Exchange Online Protection Exchange Server mimecast Office 365 smtp transport

Mail Flow To The Correct Exchange Online Connector

In a multi-forest Exchange Server/Exchange Online (single tenant) configuration, you are likely to have multiple inbound connectors to receive email from the different on-premises environments. There are scenarios where it is important to ensure that the correct connector is used for the inbound message rather than any of your connectors. Here is one such example.

With multiple inbound connectors you might be happy and successfully complete your testing if the email from on-premises appears in the correct cloud mailbox. But what about when you use Enhanced Filtering. Here you need to add the intermediate IP addresses of all the hops the message can go through to the specific connector so that Exchange Online Protection can determine the real source IP address and then do spam/spf etc. on the true sender IP and not the hop before Exchange Online Protection (likely your on-premises server and not the actual source).

For example, lets send an email from SenderDomain.com to RecipientDomain.com, where RecipientDomain.com uses Mimecast, has Exchange Servers and has moved mailboxes to Exchange Online. The mail flow for this scenario is:

SenderDomainServer Public IP > MX (Mimecast) > Mimecast IPs > On-Premises IPs (internal) > Public IP for on-premises servers > EOP

From the EOP view point, the email is received from the public IP for the on-premises servers and not from the actual sending IP address. This means that the message will fail SPF as you have complex routing in-front of the receipt by EOP. This, out of interest, is the reason why EOP will not reject SPF failures even if DMARC reject is in place.

When the message arrives at EOP, the message needs to be attributed to the correct connector. If you have multiple Exchange Server orgs in separate on-premises environments you need to make sure that the message is associated (attributed) to the correct Inbound Connector.

This message attribution is done by looking for all Inbound Connectors of type On-Premises in your tenant. If you have more than one connector of type On-Premises, looking up the TlsSenderCertificateName value on the Inbound Connectors to find the connector that best matches the certificate used to encrypt the inbound message. So lets take a look at the example above again. In the “Public IP for on-premises servers > EOP” hop this message will be encrypted with a certificate called (lets say) “mail.recipientdomain.com” and the Exchange Hybrid Wizard will have created the Inbound Connector for this mail flow with TlsSenderCertificateName set to *.recipientdomain.com. Other Inbound Connectors from other on-premises orgs are possibly going to have similar certificates (they should not have the same one) with similar subject names and the Hybrid Wizard could have made more than one Inbound Connector with *.recipientdomain.com as the TlsSenderCertificateName value. If you have multiple Inbound Connectors of type On-Premises and more than one connector with TlsSenderCertificateName set to *.recipientdomain.com then the message could be attributed to the wrong connector.

If you have set Enhanced Filtering IPs to the other connector though, the Enhanced Filtering will not work because the message is not received by the connector you think it should be received by.

So how do you fix this. You modify the Hybrid Wizard created Inbound Connector TlsSenderCertificateName value to be the subject name of the certificate, so not *.recipientdomain.com but mail.recipientdomain.com and you register mail.recipientdomain.com as a domain in Office 365. You need to do both. The reason the Hybrid Wizard sets TlsSenderCertificateName to *.recipientdomain.com is to avoid you needing to add domains to Office 365 that match your certificate precisely, but if you have multiple connectors this is the only way to guarantee message attribution to the correct connector.

Now you can add the IPs you want to skip with Enhanced Filtering to the specific connector, mail flow will use the specific connector and the IPs will be skipped. EOP will resolve the correct sender IP (SenderDomain Public IP in the above example) even though the message has gone through Mimecast and on-premises servers as well. The message headers will now show:

X-MS-Exchange-SkipListedInternetSender ip=[Sender Server IP Address];domain=FQDN of sender

And not list Mimecast (or whomever you are using as a second cloud filter) or your on-premises IP addresses as the true sender.

Categories
android Apple AutoPilot Deployment Endpoint Manager Graph Intune iOS

What Is The Value of enrollmentProfileName

In Microsoft EndPoint Manager there are a few different device registration scenarios that make use of a property called device.enrollmentProfileName. To find and apply other settings (apps, config, etc) to these devices later on you need to have a Dynamic Device Group based on this property. The problem is the value of the property is not available to view in PowerShell or the Endpoint Manager portal.

This value is used by AutoPilot, Apple Business Manager devices (aka DEP) and Android Fully Managed device profiles.

So how can I see what a devices value is so I can create a group to contain that device. I need to use the Graph Explorer.

In the Graph Explorer, using the Beta endpoint, I can get data for my device using the query https://graph.microsoft.com/beta/devices/{objectId}

This gets BETA endpoint graph data, which includes enrollmentProfileName. The version 1.0 endpoint does not return enrollmentProfileName in the response.

If you have never used the Graph Explorer before, here are the steps to get this info:

Open the Graph Explorer from https://developer.microsoft.com/en-us/graph/graph-explorer

Click Sign In button to the left, and once signed in, select Beta (highlighted) and paste in the query replacing /me with /devices/{objectID}

Graph Explorer to look for a device properties (beta endpoint)

You may not have permissions (consent) to view the data you need, so you might need to click on Modify Permissions tab (also highlighted above) to request and approve consent to access the data. This consent may need administrator approval depending upon your security settings in Azure AD.

Click Run Query button and view the results in the Response Preview section below:

Response to a Device query in the Graph

The value of enrollmentProfileName will be the profile the device was enrolled under, at the time of enrollment. Its possible that the profile was renamed or deleted since the device was enrolled, or that you have many profiles, and so actually working out which profile the device is under can be tricky.

Also a top tip – don’t name your profiles all starting with “Test”. In the tenant where the above screenshots where taken from we found DEP profiles called “Test…” and AutoPilot profiles called “Test…”, so creating dynamic device groups where the device.enrollmentProfileName -contains “Test” was returning too many devices!

Categories
mdatp security web windows 10

Free Web Content Filtering With Microsoft Defender ATP

Well free as in you need an MDATP licence first, but as this used to be an add on feature on top of MDATP with an additional cost, this is now effectively free once you are licensed for MDATP. The feature enables your organisation to track and regulate access to websites based on their content categories. Many of these websites, while not malicious, might be problematic due to compliance regulations, bandwidth usage, or other concerns.

So how do you set it up from scratch.

Visit the MDATP admin portal at https://securitycenter.microsoft.com/ and click the cog icon to change to the settings view.

Under General, Advanced Features enable Preview Features (whilst this feature is in preview, once it stops being a preview feature this step is no longer required).

On the same list of Advanced Features toggle the option for Web Content Filtering to enable the feature and click Save Preferences.

Enabling Web Content Filtering in MDATP Settings

In the option where you enable Web Content Filtering click the link to create a web content filtering policy to take you to the settings for this feature.

This opens a second tab but all it does it takes you to the Web Content Filtering node of the Settings page! Click + Add Item to start adding content filtering categories.

First, give the policy a name and click Next. Then choose a category or parent category. For example you could select the parent category Adult Content which will turn on seven categories, or you could select just a category such as Nudity. The parent categories are, in addition to Adult Content, High Bandwidth (with peer to peer, and streaming media sites included), Legal Liability (with categories such as child abuse, hacking, and criminal activity included), Leisure (including chat, games, and social networking as categories) and the blanket Uncategorized.

Blocked Categories page in MDATP Web Content Filtering policy creation

Click Next and then enable for all devices in your admin scope (so if you are Global Admin, that’s all devices!) or pick one or more device groups.

Roll Out Web Content Filtering To A Device Group

You need to have made the device groups in advance of setting up the policy, and this is available from the Settings page as well. In the above screenshot I have selected the UK device group which is a MDATP Tag set by the registry on all our UK machines. Create a pilot group tag and roll out this feature to a limited number of devices to test.

Click Next to get to the Summary page and then finish the policy creation.

Web Content Filtering Policies in MDATP

The policy you created and others if you have more than one are then shown.

There are no client agents to install for this feature to work – the MDATP sensor built into Windows 10 (1609 and later) does all the work. The website categories that are blocked are blocked in the browser with a warning. Blocks are performed by SmartScreen (Edge) and Network Protection (Chrome and Firefox). Network Protection is not a message in the browser though – it is a popup at the Operating System level. The Web Content Filter interrupts network traffic to the blocked sites, so Chrome and Firefox will show a network level error, and the OS popup will give the reason. Edge Browser integrates with the OS to show a proper error message (unless SmartScreen is disabled, in which case Network Protection will be the experience here in Edge as well).

Edge SmartScreen Block

In addition to the browser “requirement” for a nice error message, you also need to have the latest updates for Windows Defender signatures and platform, known as MoCAMP. An Advanced Hunting query on GitHub allows you to check the versions across your MDATP estate.

All viewed categories, blocked or not blocked, are reported back to MDATP via the telemetry – so you can create reports on the visited site categories even without blocking users. These reports are available from the MDATP portal and Reports > Web Protection:

Web Protection Report in MDATP

The above screenshot shows the only activity at the moment was Custom Indicators (see Blocking Apps With A Low Reputation) but as categories of web content and browsed they will appear on this report.

Web Categories As Shown On Day Web Content Filtering Was Turned On!

You can access the Report details for each card by selecting a table row or coloured bar from the chart in the card. The report details page for each card contains data about web content categories, website domains, and device groups.

If you create a Web Content Filtering Policy that has no blocked items in it, but apply this to all devices, you will get a report within a few days of the scope of all your users across all your devices (in MDATP that is) and the categories of URL they are visiting. Therefore, if you need to know what to block before you block it – create a policy that does not include any categories to block.

Categories
exchange online Exchange Server mailbox migration move powershell

Force Mailbox Migration With Bad Items To Complete (2020)

It used to be easy to complete an Exchange Server > Exchange Online move request that had bad items, but this has changed recently.

In the last short while Move Requests (and Migration Batches) have begun to include a property called DataConsistencyScore

Get-MoveRequestStatistics "Bill Gates" | fl DataConsistencyScore

If the result from the above is “Investigate” then you will not be able to complete the move even if you set the usual properties of -PreventCompletion $false and -CompleteAfter 1, that is – the following will not work:

Set-MoveRequest "Bill Gates "-SuspendWhenReadyToComplete $false -PreventCompletion $false -CompleteAfter 1

You will also need to set the following:

Set-MoveRequest "Bill Gates" -SkippedItemApprovalTime  $(Get-Date).ToUniversalTime()

Upon running the above (the move request will auto resume in my tests), the move will start to complete if completion is allowed (the cmdlets at the top of the post). Obviously you will want to check why there are a number of bad items in the move and what you are going to try and do to fix them.

The SkippedItemApprovalTime property approves all bad items detected before the specified time. So in the above example we are approving all bad items to be discarded that were found before “now”. You could set an earlier specific time as well.

You now do not need to set a bad item limit (BadItemLimit) value as you are approving items by time instead.

Categories
iPhone Microsoft Teams Teams Zoom

Why is the Text in my Teams Background Back To Front

With Teams (and Zoom, and probably other video conferencing apps) as well as apps that add to the live camera image such Chromacam and Snap Camera in popular use, you might have noticed that all the example backgrounds have no text on them.

So what happens when you or your company roll out a set background to use that does contain text – for example, this mockup image:

Teams background mockup with text
Teams Background With Added Text

Now my graphics editing skills are not great, but this is just one of the included background images that come with Microsoft Teams and a logo added as if it were a picture on the wall.

So what happens when I use this as my custom background in Teams (or Zoom etc.) – the following is what I see:

Teams (Presenter View) on Desktop with Text In Background Meeting
Teams (Presenter View) on Desktop with Text In Background Meeting

You can see that in the view of the background I can see the text is back to front. This is correct, as the view from my camera that is presented back to me is usually mirrored for my convenience. This is because they way I see myself is in a mirror, and so to show me “unmirrored” so to speak would look odd to me. Also if I raise one hand or move to one side, the mirrored image of me from my camera shows this happening on the side of the screen I would naturally expect it to be on.

The downside of this is that any text we add to background images will appear back to front for us – but it will appear correct to all attendees, as the Teams will not show the attendees the mirrored image. Just as we expect to see a mirror image when looking at ourselves, others who look at us do not expect to see that, and the video conferencing apps will not show that to them – so they see your logo, or text or whatever, correctly as you intended.

Teams Attendee View (iPhone)
Teams (Attendee View) on iPhone, with text the correct orientation

Categories
Microsoft 365 Office Office 365 Outlook

Deploying Zoom Add-In To All Outlook Users

With the sudden change in working practices, a (large) number of companies has start to use Zoom as their video conferencing software. Though this software is not from Microsoft, that does not stop an Office 365 or Exchange Server administrator helping their users out in terms of scheduling Zoom meetings via an add-in in Outlook.

On the Zoom website the user can download and install their own add-in and the Zoom application, but the steps below will push the Outlook add-in to all users (or all Zoom users if you have a group containing just these users).

These steps are run from the Office 365 Admin Center and not from Zoom, and they push the add-in to Outlook without end end-user interaction

To deploy an add-in, and in this case the Zoom Outlook add-in, first go to the Microsoft 365 Admin Center at https://admin.microsoft.com/.

Click Show All on the left and then select Settings > Add-ins from the expanded menu.

In the Add-In main page click + Deploy Add-In.

Deploy Add-In Screen
Deploy Add-In Screen

This screen outlines the Centralized Deployement service for Office Web add-ins. These add-ins work across the web version of the application, the desktop versions (PC and Mac) and in some cases the mobile version as well. The important thing to learn here is that they are not just for the web version, so not just for OWA. In the context of the Zoom add-in, on the Zoom website it says the add-in only works in Outlook for the Web (OWA), and this is not correct.

Click Next and click Choose from the Store as shown:

Choose from the Store
Deploy A New Add-In Screen

You will now see a list of all the add-ins in the Microsoft Store (once you have logged into the Store if you needed to do this).

Add-In Store
Select Add-In From Store

As we are discussing the Zoom for Outlook add-in at this point, type Zoom in the Search box.

Zoom for Outlook Add-in In the Add-In Store

Click Add next to the Zoom for Outlook add-in. Then accept the licence terms and privacy policy shown to you as shown below. If you click on the title of the add-in then you see a description of the add-in and can complete deployment from that screen.

Zoom Add-In Terms and Conditions
Zoom for Outlook License Terms and Privacy Policy
Zoom for Outlook Details
Zoom for Outlook Details

If after clicking Add and accepting the licence you get a correlation error similar to that shown, it means the add-in was already deployed. There is a bug in the new Admin Center that does not show existing deployed add-ins and you need to go to the old old Office 365 admin center (switch the slider top right) and search for the add-in:

Configure Add-In Error
Configure Add-In Error
Add-In Shown in Old Admin Center
Zoom for Outlook Add-In Shown in Old Admin Center

If you had no error on deploying the add-in, then you will be asked who to deploy the add-in to. The options are to Assign Users and choose all or some of the organization and also the Deployment Method and Fixed, Available or Optional. This last option controls whether the add-in is deployed for the user to the ribbon in the Office application and they cannot remove it (Fixed), where the user can choose to add the add-in to the office app (Available), or where the add-in appears on the application ribbon, but the user can remove it (Optional). This is shown below:

Configure Zoom for Outlook Add-In
Configure Zoom for Outlook Add-In

Select your user and deployment options. For users, any group cannot be a nested group and the requirements for groups is covered in the documentation. For this blog post I selected Everyone and Fixed. Click Deploy to start the deployment to the users.

Deploy Zoom for Outlook
Deploy Zoom for Outlook

The listed time is dependent upon the number of users in your deployment scope or your Office 365 tenant. You will get an email upon completion.

Once completed the add-in appears in the Office application. In this particular case, Zoom for Outlook appears in the New Appointment window in Outlook.

If you deployed the add-in as Available then the user needs to click the Get Add-In button in Outlook to install Zoom as shown:

Admin Add-Ins
Admin Add-Ins

Once the add-in is deployed, it will appear in the New Appointment screen as shown (on the right):

Zoom for Outlook New Appointment
Zoom for Outlook Add-In in New Appointment

Clicking the Add a Zoom Meeting button will present a dialog box where you can login with your Zoom account or if you have set up Zoom as an Enterprise Application then click the Sign in with SSO button.

Zoom for Outlook Add-In Login

In the below screenshot, Outlook Appointment shows the Zoom meeting details automatically added. The HTML view for the meeting details is an option available in your Zoom account settings, as is the location for your audio dial in settings (here shown as UK) as you don’t get to choose these options per meeting as you can do when meetings are made via the web browser on the Zoom site.

Zoom Meeting Created

The Settings button on the tool bar allows you to control other meeting settings such as Meeting ID (personal or auto-generated), password or not!, and video and audio settings for the meeting.

Zoom for Outlook Settings
Zoom for Outlook Settings

To edit the Add-In deployment you need to visit the old Microsoft 365 Admin Center (switch off “Try new admin center” to top right of admin center). From here you can adjust the status of the add-in and who it is deployed to, as well as removing the add-in.

Zoom for Outlook Add-In Settings
Zoom for Outlook Add-In Settings (old Office 365 Admin Center)

Finally, for info, the Teams Add-in to do the same thing in Teams is automatically added to Outlook if you have the Teams client installed and your deployment option is not Skype for meetings – for example if you are in Islands Mode you will be able to see both Skype and Teams buttons in Outlook!

Categories
Live Event Microsoft 365 Microsoft Teams Stream Teams

Microsoft Teams Live Events For Running a Church Service

Or, how to run a Microsoft Teams Live Event with average technical capability presenters, or how to run a Microsoft Teams Live Event for events that you would not normally consider this service for!

So with this title and alternative titles in mind we are going to look at how I set up and ran a Microsoft Teams Live Event for a weekly church service because access to the church building was closed due to social distancing because of the SARS-CoV-2 (Covid-19 Coronavirus global outbreak). The previous week at church we ran a YouTube live streaming event as we could get access to the church building and we needed five people to put the service together (preacher, piano player, camera operator, sound desk and computer [for hymn words] operator). The second week of self isolation, government rules made this method of live broadcast impossible. So we turned to Microsoft Teams Live Events.

Microsoft Teams Live Events requires an Office 365 E3 or higher licence. The other requirements are that the producer(s) role and the presenters need to install Microsoft Teams and have a login to your tenant, but the attendees do not need a licence at all (as this particular Live Event will be open to anonymous attendees).

So how do we put this together:

  1. Set up the live event and a practice live event (as you cannot reuse a live event twice, so set up at least one practice event as well)
  2. Publish your event on your church website, and if interested use a URL shortening service that you can update (we use https://rebrand.ly) as this gives you click count and geo-location of the audience. Our first live event had attendees in India, northern Africa, and North and South America (as well as the UK where the church is based).
  3. Have all presenters arrive early to the live event (we went for 30 minutes) and aim to go live around 10 minutes before the actual event
  4. Have a collection of presenters for different roles – in social isolation it is of great benefit to see many different people taking part in the church event rather than it being run by one preacher
  5. Audio is open from all presenters unless they are muted – this allows the attendee to hear more than one person in different locations at the same time – this allowed us to have a pianist 15 miles from the person displaying the hymn words on the screen.

Create a Teams Live Event

To create a live event open the Teams app or website and go to the Calendar component.

To the top right, click the down arrow next to New Meeting and choose Live Event:
image

Fill in the details for the Live Event. This will include a title, a location (which we will leave blank due to self isolation!) and a start and end time. The start time should not include the pre-show preparation by the presenters and does not need to include time for the pre-event greeting which we will discuss below. So in our example here, church starts at 10:30am on a Sunday so that is the start time for the event.

Also invite the presenters. You can come back and edit this information later and add and remove presenters as the event information changes regarding what and who is going to be involved in the event.

image

Click Next and then select your audience. In our case this is an anonymous audience:

image

Scroll down in the New Live Event dialog and ensure that you select Recording available to all attendees (this allows attendees to watch the event at a later time on the Teams Live Event URL). Ensure that you pick the translations that support your expected audience and choose the Audience Engagement Report to be able to download a list of attendees who signed in after the event.

image

Click Schedule to create the Live Event. This sends the invitation to your other presenters and producers.

You then see the following dialog:

image

From the above you grab the attendee URL, which we will use in the next section and also from here you can edit the live event. You can return to this dialog box if you open the event later from your calendar in Teams (remember to show “Whole Week” from the calendar view as it just shows “Working Week” by default).

URL Shortening

Your live event is now created and its time to tell the audience how to get to the event. The below is what the Teams Live Event URL looks like (this below will not work):

https://teams.microsoft.com/l/meetup-join/19%3ameeting_ZDA5OWZhNDYtYzdlMS00ZWXxXxXxXjYtZTc4NzJjNDc1NDJk%40thread.v2/0?context=%7b%22Tid%22%3a%22046f8910-0ef6-412a-xxxx-yyyyyyyyyyyy%22%2c%22Oid%22%3a%224bd86ae6-7fa8-470e-8578-59214991d892%22%2c%22IsBroadcastMeeting%22%3atrue%7d

We used a URL shortening service where we could send the attendees a single URL that we updated the target of each Friday or Saturday. We do not update the URL shortener link earlier in the week as the attendee can click the link after the Sunday and watch the event again or maybe for the first time. We did not use Bitly for link shortening as we could not update the link target without buying an expensive package.

So our church service can be reached at https://rebrand.ly/wrbcliveevent. We also placed this link on our website and wrote instructions on how to connect to the event and this is at https://wrbc.org.uk/live/ so that the user has some advice on how to connect as well (for example, mobile apps need the Teams app installed, but PCs can view the event in a modern browser).

Presenter Practice

I highly recommend running a presenter practice. In our example of a church service we wanted the ability to play music via a keyboard and to wire that keyboard into the PC that was running Teams. During practice for the first week we were unable to do this because of a suspicious device driver that impacted the ability to connect in a audio source via Line In. So in practice we decided just to place the PC near the piano and audio quality was acceptable but not great. We left this to fix for the second week!

Presenter practice also allows each presenter to get familiar with the application and what they see on the screen. For example in our case I as the producer was also sharing my second monitor to show the hymn words in our projection software (not PowerPoint). Each presenter could see my second monitor image large and the live view quite small (as can be seen below) which caused some questions during the rehearsal, and I as the producer could see something else (producers can see the live screen and the queued video image).Screen Shot 2020-03-26 at 17.05.16

Above is an example of what a presenter can see when the producer is sharing content. You can see the minature video streams for the other presenters and the yellow “pre-live” notice. Once the session goes live (again this was a practice session), the presenters can see the following:

Screen Shot 2020-03-26 at 17.37.22

Now there is a red “live” notice on the control bar and the image that is live is shown boxed in red.

On the producers screen they can see each video feed at the bottom and have the ability to share an app or desktop. During practice we shared the second desktop with the plan to run our hymn projection software (Zionworx) but as this has a control application on screen one and display on screen two it was too busy to try and do that and the Teams live meeting production – so during rehearsal we decided to have all the hymns and other slides (welcome, sermon, notices, reading and exit slide) as a single PowerPoint with presentation viewer option turned off (so running only on the second screen and press enter to move to next slide). This is what the producer could see:

image

Here you can see we are pre-live (yellow) and we can see the final attendee view to the bottom right as well as each video feed and the mute status of each presenter – the producer can mute (but not unmute) presenters. The content (producers second screen) can be seen on the right of the video feed screens.

Going Live

The plan for the live event was that all presenters would be online 30 minutes before the service start time, and that at 10:20 (10 minutes before start time) we would “go live”. At this point all presenters where muted and ensured the holding slide in PowerPoint was displayed on the right-hand view. It looks like this:

image

To get the PowerPoint presentation as a valid source of data you click the Share button on the bottom row and choose the application to share. We decided during the practice that we would share only PowerPoint and have a single slide desk for the whole service rather than sharing individual different presentations. The slides where structured in order, notices and hymns as required. We did not use PowerPoint Presenter View, as that would appear on the monitor that Teams Live Event controller was running on. So in turning off Presentation View all I needed to do was Alt+Tab between the Live Event (Teams app) and PowerPoint and press Enter to move to the next slide in time with the pre-planned order of service.

At five minutes to the start the pianist unmuted her Teams client and started to play some music. This ensured that attendees could both see and hear audio – we briefly swapped video feed to the pianist so that people knew they should be hearing something. This meant that attendees could be sure they were looking at the pre-start notice and that their volume was up.

At 10:29am we went live (there is about a minutes delay to the attendees but real time between the presenters, so this meant we started on time!)

To go live we clicked the Content option on the bottom row – this added it to the Queue (left larger video window) and we clicked “Send live” to place it on the right. We then clicked the video feed of the service leader and this added him to the Queue – this is what you can see above. At the start time we just clicked “Send live” – the pianist stopped and muted herself, the leader was unmuted in advance (but kept quite) and the producer (my role) used hand signals to indicate they were live – the leader and I were about a mile apart, the preacher was eight miles away and the pianist 15 miles away – hand signals via my video feed worked great as a way to communicate.

As each part of the service progressed, I added the next video or PowerPoint content to the queue on the left and sent it live as I needed to.

Finishing and Downloading Recordings

The service went fine, a few people had issues connecting that we later worked out to be issues installing apps on phones (no Apple account set up or credit card saved with Google, and both of these stop you installing any app) and one person had issues with Internet Safety software blocking the Rebrandly URL shortner service! We recommend that you get people to attempt to join the service in the days before Sunday so that they can follow up issues that they have rather than trying one device at the start time on the Sunday and giving up disappointed that it did not work for them.

Once the service finished we placed the final thank you slide on the screen and stayed muted for about 1 minute and then clicked “End”. This finishes the live event and after this point it cannot be restarted – so you need to confirm you really want to end the event. Don’t click Leave at the top as that pauses the event if there are no producers online.

The automatic recording is stopped and all the presenters can talk freely. We each left the meeting and a few hours later I came back and downloaded the recording along with the attendance engagement report. This showed the times people connected and who had a dodgy connection and kept needing to reconnect. If the user is logged into Teams it shows the username as well.

The video stream was then uploaded to our YouTube channel so that anyone who could not connect still had a way to listen to the service, though not in real time.

Now all ready to repeat this next week! And each week until self-isolation in the UK is lifted…

Categories
Advanced Threat Protection Application Guard ATP mdatp Office 365 ProPlus Safe Attachments Safe Documents windows 10

Office ATP Safe Documents

This is a new feature in Office 365 Advanced Threat Protection Plan 2 in addition to Safe Attachments. Safe Documents at the time of writing is only available in US based Office 365 tenants and only used by Office 365 ProPlus 2002 Monthly Channel (Targeted) builds (build 12527.20092) and later.

image

When a user receives an Office document from an external source the document is marked as such and can only be opened in “protected mode”. This stops editing and printing, but also (more importantly) stops macros and the like running as well. This reduction in functionality of editing and printing is enough for the user to often just take the document out of protected mode and impact your network.

When the document is emailed to the user, Office 365 ATP Safe Attachments (a Plan 1 feature) will process the document, but if the document is obtained another way, such as via a download link or copied onto a local file share, but is an externally sourced document, then the Safe Attachments vector of protection over email no longer applies.

This is where this new feature of Safe Documents comes into play. The entire document is uploaded to Microsoft’s datacentre and processed as if it where an attachment in email being processed via Safe Attachments.

An EU/UK datacentre version of this feature will come in due course.

What now happens is that the document is scanned in the cloud for “maliciousness” and the user is allowed to open the file and turn off  “protected mode” only if the document is considered safe. If the document is considered malicious then the user is not allowed to take the document out of “protected mode”.

This functionality was announced at Microsoft Ignite in November 2019 and is now in early preview at the time of writing this article. Future updates to this functionality will include the ability to open “protected mode” documents in a virtual machine automatically so that if the document does go rogue then closing the document results in closing the virtual machine and the removal of the impact, as all the changes were confined to the virtual machine. This feature is due Summer 2020 and is known as Application Guard for Office ProPlus. Application Guard will be included in subscriptions that include Windows 10 E5 (Windows 10 + Microsoft Defender Advanced Threat Protection).

More info: https://techcommunity.microsoft.com/t5/office-365-blog/new-functionality-to-make-it-easier-to-customize-manage-and/ba-p/1003047 and https://www.microsoft.com/security/blog/2020/02/12/building-on-secure-productivity/ and the documentation at https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-docs

Categories
AADConnect AADSync Azure AD AzureAD baseline conditional access MFA

MFA, Admin Roles and AADConnect Sync Failures

Come Feb 29th 2020 and Microsoft are turning off the baseline security policies. If you used these policies to do MFA for all admins (as that was an easy way to achieve this), then a replacement Conditional Access rule might cause errors with AADConnect.

The reason being is that you could create a new Conditional Access rule that stops all administrative roles from logging in unless they perform MFA. The AADConnect service sync account is an account that is created for you automatically by AADConnect in Azure AD and it has some special admin roles – but cannot operate with MFA enabled.

If your MFA Conditional Access rule (or Admin only from Compliant Devices or similar type of rule) does not exclude the sync account then expect sync to stop working. It will stop with MA errors on the connection to Azure AD and if you run Start-ADSyncSyncCycle you get the following error message about a modal dialog box or form when the application is not running in UserInteractive mode.

The fix is to add the sync account to the group that contains your break glass accounts, so that you bypass MFA for this account. If you do not have a break glass account then make one, and ensure it and the sync account bypass MFA or other limiting conditional access rules. The sync account is called “On-Premises Directory Synchronization Service Account” and is named sync_computername_uniquestring@tenant_domain.

The full error message for a search engine to find and bring you here is:

Windows PowerShell
Copyright (C) 2014 Microsoft Corporation. All rights reserved.

PS C:\Users\administrator> Start-ADSyncSyncCycle
Start-ADSyncSyncCycle : System.Management.Automation.CmdletInvocationException: System.InvalidOperationException:
Showing a modal dialog box or form when the application is not running in UserInteractive mode is not a valid operation. Specify the Service Notification or DefaultDesktopOnly style to display a notification from a service
application.
    at
Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Platform.WebUI.<AcquireAuthorizationAsync>d__12.MoveNext()
— End of stack trace from previous location where exception was thrown —
    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
    at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenInteractiveHandler.<AcquireAuthorizationAsync>d__11.MoveNext()
— End of stack trace from previous location where exception was thrown —
    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
    at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenInteractiveHandler.<PreTokenRequestAsync>d__10.MoveNext()
— End of stack trace from previous location where exception was thrown —
    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
    at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenHandlerBase.<RunAsync>d__57.MoveNext()
— End of stack trace from previous location where exception was thrown —
    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
    at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.<AcquireTokenCommonAsync>d__39.MoveNext()
— End of stack trace from previous location where exception was thrown —
    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
    at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.<AcquireTokenAsync>d__30.MoveNext()
— End of stack trace from previous location where exception was thrown —
    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
    at Microsoft.Online.Deployment.Client.Framework.AzureAuthenticationProvider.AuthenticateADAL(String userName,SecureString password, Azure Service azureService, Boolean useCachedToken, String& accessToken, String& adalErrorType,String& additionalDetails, Boolean throwOnException)
    at Microsoft.Online.Deployment.Client.Framework.AzureAuthenticationProvider.AcquireServiceToken(AzureServiceazureService, String userName, SecureString password, String& serviceEndpoint, String& additionalDetail,AuthenticationStatus& status, Boolean throwOnException)
    at Microsoft.Online.Deployment.Client.Framework.AzureAuthenticationProvider.AcquireServiceToken(AzureServiceazureService, String& service Endpoint, String& additionalDetail, AuthenticationStatus& status, BooleanthrowOnException)
    at Microsoft.Online.Deployment.Client.Framework.AzureAuthenticationProvider.AcquireServiceToken(AzureServiceadalResource, String& additionalDetails, Boolean throwOnException)
    at Microsoft.Online.Coexistence.ProvisionHelper.GetSecurityToken()
    at Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.ProvisioningWebServiceAdapter.InitializeProvisionHelper()
    at Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.ProvisioningWebServiceAdapter.Initialize()
    at Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.ProvisioningWebServiceAdapter.GetCompanyConfiguration(Boolean includeLicenseInformation)
    at Microsoft.Azure.ActiveDirectory.Synchronization.AADConfig.get_CloudEnforcedSyncSchedulerInterval()
    at Microsoft.MetadirectoryServices.Scheduler.SchedulerSettingUtilities.get_CurrentSchedulerSettings()
    at SchedulerUtils.GetCurrentSchedulerSettings(SchedulerUtils* , _ConfigAttrNode* pcanList, UInt32 ccanItems, Char**syncSettingsSerialized, Char** errorString) —> System.InvalidOperationException: System.InvalidOperationException:Showing a modal dialog box or form when the application is not running in UserInteractive mode is not a valid operation. Specify the ServiceNotification or DefaultDesktopOnly style to display a notification from a service
application.
    at
Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Platform.WebUI.<AcquireAuthorizationAsync>d__12.MoveNext()
— End of stack trace from previous location where exception was thrown —
    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
    at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenInteractiveHandler.<AcquireAuthorizationAsync>d__11.MoveNext()
— End of stack trace from previous location where exception was thrown —
    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
    at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenInteractiveHandler.<PreTokenRequestAsync>d__10.MoveNext()
— End of stack trace from previous location where exception was thrown —
    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
    at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenHandlerBase.<RunAsync>d__57.MoveNext()
— End of stack trace from previous location where exception was thrown —
    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
    at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.<AcquireTokenCommonAsync>d__39.MoveNext()
— End of stack trace from previous location where exception was thrown —
    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
    at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.<AcquireTokenAsync>d__30.MoveNext()
— End of stack trace from previous location where exception was thrown —
    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
    at Microsoft.Online.Deployment.Client.Framework.AzureAuthenticationProvider.AuthenticateADAL(String userName,
SecureString password, AzureService azureService, Boolean useCachedToken, String& accessToken, String& adalErrorType,String& additionalDetails, Boolean throwOnException)
    at Microsoft.Online.Deployment.Client.Framework.AzureAuthenticationProvider.AcquireServiceToken(AzureServiceazureService, String userName, SecureString password, String& serviceEndpoint, String& additionalDetail,
AuthenticationStatus& status, Boolean throwOnException)
    at Microsoft.Online.Deployment.Client.Framework.AzureAuthenticationProvider.AcquireServiceToken(AzureServiceazureService, String& serviceEndpoint, String& additionalDetail, AuthenticationStatus& status, BooleanthrowOnException)
    at Microsoft.Online.Deployment.Client.Framework.AzureAuthenticationProvider.AcquireServiceToken(AzureService
adalResource, String& additionalDetails, Boolean throwOnException)
    at Microsoft.Online.Coexistence.ProvisionHelper.GetSecurityToken()
    at Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.ProvisioningWebServiceAdapter.InitializeProvisionHelper()
    at Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.ProvisioningWebServiceAdapter.Initialize()
    at Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.ProvisioningWebServiceAdapter.GetCompanyConfiguration(Boolean includeLicenseInformation)
    at Microsoft.Azure.ActiveDirectory.Synchronization.AADConfig.get_CloudEnforcedSyncSchedulerInterval()
    at Microsoft.MetadirectoryServices.Scheduler.SchedulerSettingUtilities.get_CurrentSchedulerSettings()
    at SchedulerUtils.GetCurrentSchedulerSettings(SchedulerUtils* , _ConfigAttrNode* pcanList, UInt32 ccanItems, Char**syncSettingsSerialized, Char** errorString)
    at Microsoft.DirectoryServices.MetadirectoryServices.UI.WebServices.MMSWebService.GetSchedulerSettings(String&settingsDeserialized, String& errorString)
    at Microsoft.IdentityManagement.PowerShell.Cmdlet.GetADSyncScheduler.ProcessRecord()
    — End of inner exception stack trace —
    at System.Management.Automation.Runspaces.PipelineBase.Invoke(IEnumerable input)
    at System.Management.Automation.PowerShell.Worker.ConstructPipelineAndDoWork(Runspace rs, Boolean performSyncInvoke)
    at System.Management.Automation.PowerShell.Worker.CreateRunspaceIfNeededAndDoWork(Runspace rsToUse, Boolean isSync)
    at System.Management.Automation.PowerShell.CoreInvokeHelper[TInput,TOutput](PSDataCollection`1 input,PSDataCollection`1 output, PSInvocationSettings settings)
    at System.Management.Automation.PowerShell.CoreInvoke[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1output, PSInvocationSettings settings)
    at System.Management.Automation.PowerShell.Invoke(IEnumerable input, PSInvocationSettings settings)
    at Microsoft.Online.Deployment.PowerShell.LocalPowerShell.Invoke()
    at Microsoft.Online.Deployment.PowerShell.PowerShellAdapter.TypeDependencies.InvokePowerShell(IPowerShellpowerShell)
    at Microsoft.Online.Deployment.PowerShell.PowerShellAdapter.InvokePowerShellCommand(String commandName,InitialSessionState initialSessionState, IDictionary`2 commandParameters, Boolean isScript)
    at Microsoft.Azure.ActiveDirectory.Synchronization.PowerShellConfigAdapter.SchedulerPowerShellAdapter.GetCurrentSchedulerSettings()
    at Microsoft.MetadirectoryServices.Scheduler.Scheduler.StartSyncCycle(String overridePolicy, BooleaninteractiveMode)
    at SchedulerUtils.StartSyncCycle(SchedulerUtils* , Char* policyType, Int32 interactiveMode, Char** errorString)
At line:1 char:1
+ Start-ADSyncSyncCycle
+ ~~~~~~~~~~~~~~~~~~~~~
     + CategoryInfo          : WriteError: (Microsoft.Ident…ADSyncSyncCycle:StartADSyncSyncCycle) [Start-ADSyncSyncCycle], InvalidOperationException
     + FullyQualifiedErrorId : System.Management.Automation.CmdletInvocationException: System.InvalidOperationException
    : Showing a modal dialog box or form when the application is not running in UserInteractive mode is not a valid operation. Specify the ServiceNotification or DefaultDesktopOnly style to display a notification from a service application.
        at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Platform.WebUI.<AcquireAuthorizationAsync>d__12.MoveNext()
— End of stack trace from previous location where exception was thrown —
    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
        at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenInteractiveHandler.<AcquireAuthorizationAsync>d__11.MoveNext()
— End of stack trace from previous location where exception was thrown —
    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
        at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenInteractiveHandler.<PreTokenRequestAsync>d__10.MoveNext()
— End of stack trace from previous location where exception was thrown —
    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
        at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenHandlerBase.<RunAsync>d__57.MoveNext()
— End of stack trace from previous location where exception was thrown —
    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
        at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.<AcquireTokenCommonAsync>d__39.MoveNext()
— End of stack trace from previous location where exception was thrown —
    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
    at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.<AcquireTokenAsync>d__30.MoveNext()
— End of stack trace from previous location where exception was thrown —
    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
        at Microsoft.Online.Deployment.Client.Framework.AzureAuthenticationProvider.AuthenticateADAL(String userName, SecureString password, AzureService azureService, Boolean useCachedToken, String& accessToken, String& adalErrorType, String& additionalDetails, Boolean throwOnException)
        at Microsoft.Online.Deployment.Client.Framework.AzureAuthenticationProvider.AcquireServiceToken(AzureService azureService, String userName, SecureString password, String& serviceEndpoint, String& additionalDetail, AuthenticationStatus& status, Boolean throwOnException)
        at Microsoft.Online.Deployment.Client.Framework.AzureAuthenticationProvider.AcquireServiceToken(AzureService azureService, String& serviceEndpoint, String& additionalDetail, AuthenticationStatus& status, Boolean throwOnException)
        at Microsoft.Online.Deployment.Client.Framework.AzureAuthenticationProvider.AcquireServiceToken(AzureService adalResource, String& additionalDetails, Boolean throwOnException)
    at Microsoft.Online.Coexistence.ProvisionHelper.GetSecurityToken()
        at Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.ProvisioningWebServiceAdapter.
    InitializeProvisionHelper()
        at Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.ProvisioningWebServiceAdapter.
    Initialize()
        at Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.ProvisioningWebServiceAdapter.
    GetCompanyConfiguration(Boolean includeLicenseInformation)
    at Microsoft.Azure.ActiveDirectory.Synchronization.AADConfig.get_CloudEnforcedSyncSchedulerInterval()
    at Microsoft.MetadirectoryServices.Scheduler.SchedulerSettingUtilities.get_CurrentSchedulerSettings()
        at SchedulerUtils.GetCurrentSchedulerSettings(SchedulerUtils* , _ConfigAttrNode* pcanList, UInt32 ccanItems, Char** syncSettingsSerialized, Char** errorString) —> System.InvalidOperationException: System.InvalidOperationException: Showing a modal dialog box or form when the application is not running in UserInteractive mode is not a va
  lid operation. Specify the ServiceNotification or DefaultDesktopOnly style to display a notification from a service application.
        at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Platform.WebUI.<AcquireAuthorizationAsync>d__12.MoveNext()
— End of stack trace from previous location where exception was thrown —
    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
        at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenInteractiveHandler.<AcquireAuthorizationAsync>d__11.MoveNext()
— End of stack trace from previous location where exception was thrown —
    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
        at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenInteractiveHandler.<PreTokenRequestAsync>d__10.MoveNext()
— End of stack trace from previous location where exception was thrown —
    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
        at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenHandlerBase.<RunAsync>d__57.MoveNext()
— End of stack trace from previous location where exception was thrown —
    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
        at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.<AcquireTokenCommonAsync>d__39.MoveNext()
— End of stack trace from previous location where exception was thrown —
    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
    at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.<AcquireTokenAsync>d__30.MoveNext()
— End of stack trace from previous location where exception was thrown —
    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
        at Microsoft.Online.Deployment.Client.Framework.AzureAuthenticationProvider.AuthenticateADAL(String userName, SecureString password, AzureService azureService, Boolean useCachedToken, String& accessToken, String& adalErrorType, String& additionalDetails, Boolean throwOnException)
        at Microsoft.Online.Deployment.Client.Framework.AzureAuthenticationProvider.AcquireServiceToken(AzureService azureService, String userName, SecureString password, String& serviceEndpoint, String& additionalDetail, AuthenticationStatus& status, Boolean throwOnException)
        at Microsoft.Online.Deployment.Client.Framework.AzureAuthenticationProvider.AcquireServiceToken(AzureService azureService, String& serviceEndpoint, String& additionalDetail, AuthenticationStatus& status, Boolean throwOnException)
        at Microsoft.Online.Deployment.Client.Framework.AzureAuthenticationProvider.AcquireServiceToken(AzureService adalResource, String& additionalDetails, Boolean throwOnException)
    at Microsoft.Online.Coexistence.ProvisionHelper.GetSecurityToken()
        at Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.ProvisioningWebServiceAdapter.
    InitializeProvisionHelper()
        at Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.ProvisioningWebServiceAdapter.
    Initialize()
        at Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.ProvisioningWebServiceAdapter.
    GetCompanyConfiguration(Boolean includeLicenseInformation)
    at Microsoft.Azure.ActiveDirectory.Synchronization.AADConfig.get_CloudEnforcedSyncSchedulerInterval()
    at Microsoft.MetadirectoryServices.Scheduler.SchedulerSettingUtilities.get_CurrentSchedulerSettings()
        at SchedulerUtils.GetCurrentSchedulerSettings(SchedulerUtils* , _ConfigAttrNode* pcanList, UInt32 ccanItems, Char** syncSettingsSerialized, Char** errorString)
        at Microsoft.DirectoryServices.MetadirectoryServices.UI.WebServices.MMSWebService.GetSchedulerSettings(String&settingsDeserialized, String& errorString)
    at Microsoft.IdentityManagement.PowerShell.Cmdlet.GetADSyncScheduler.ProcessRecord()
    — End of inner exception stack trace —
    at System.Management.Automation.Runspaces.PipelineBase.Invoke(IEnumerable input)
        at System.Management.Automation.PowerShell.Worker.ConstructPipelineAndDoWork(Runspace rs, Boolean performSyncInvoke)
        at System.Management.Automation.PowerShell.Worker.CreateRunspaceIfNeededAndDoWork(Runspace rsToUse, Boolean isSync)
        at System.Management.Automation.PowerShell.CoreInvokeHelper[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)
        at System.Management.Automation.PowerShell.CoreInvoke[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)
    at System.Management.Automation.PowerShell.Invoke(IEnumerable input, PSInvocationSettings settings)
    at Microsoft.Online.Deployment.PowerShell.LocalPowerShell.Invoke()
        at Microsoft.Online.Deployment.PowerShell.PowerShellAdapter.TypeDependencies.InvokePowerShell(IPowerShell powerShell)
        at Microsoft.Online.Deployment.PowerShell.PowerShellAdapter.InvokePowerShellCommand(String commandName, InitialSessionState initialSessionState, IDictionary`2 commandParameters, Boolean isScript)
        at Microsoft.Azure.ActiveDirectory.Synchronization.PowerShellConfigAdapter.SchedulerPowerShellAdapter.GetCurrentSchedulerSettings()
        at Microsoft.MetadirectoryServices.Scheduler.Scheduler.StartSyncCycle(String overridePolicy, Boolean interactiveMode)
        at SchedulerUtils.StartSyncCycle(SchedulerUtils* , Char* policyType, Int32 interactiveMode, Char** errorString)
    ,Microsoft.IdentityManagement.PowerShell.Cmdlet.StartADSyncSyncCycle

Categories
Advanced Threat Protection Azure Active Directory Azure AD Deployment EM+S Endpoint Manager Intune mcas mdatp MDM Microsoft Cloud App Security Microsoft Defender Advanced Threat Protection Mobile Device Management Web Application Proxy

Blocking Apps With a Low Reputation

One of the benefits of Microsoft 365 is the interaction across many products and features to create services that otherwise you might not have available to you or need to implement unrelated and unconnected additional software and maybe client agents as well.

Recently announced is an interaction between Windows Defender (client AV and other security protections on Windows 10), Microsoft Cloud App Security – MCAS (cloud based reverse proxy for cloud app protection), Microsoft Defender Advanced Threat Protection (cloud service for analysing activity on end compute devices and determining if the activity could be malicious or warrant further investigation) and Microsoft Endpoint Protection Manager (recently renamed from Microsoft Intune) for pushing the settings needed to enable all of this. This interaction is to take apps that your users are browsing to, read the discovered app score and if the score is too low then to tag the app as unsanctioned and push the URLs for this app to the client (via MDATP) and have Windows Defender block access to the app shortly afterwards.

Client Experience

So lets take a look at what this looks like from the users perspective and then how to set it up. First on the left if Microsoft Edge (either the old or the new version) and Firefox on the right. The action is the viewing of a URL that is unsanctioned. This particular app that I chose is an news agency and I browsed to the site directly. If the site is browsed indirectly (say via an embedded advert or graphic) then a different view will appear.

image image

Making This Work

Now lets see what we needed to put together to make this work. First Intune (Endpoint Manager) for the settings on the client, then MDATP for the interaction with MCAS and then MCAS for the app protection:

Endpoint Manager (Intune)

For this protection feature we need to ensure that you have a Device Configuration policy for Windows 10 or later that sets both Endpoint Protection and Device Restrictions in place. These two policies need to be in place and scoped to all the users that you want to protect.

The first policy is an Endpoint Protection policy, and you may have one of these already configuring Windows Defender on your Windows 10 endpoints. You need to make sure that the Microsoft Defender Exploit Guard and then the Network Filtering policy is set to Enable. This is supported in Windows 10 1709 and later, and I have seen this break outbound network connectivity on Windows 10 version 1703 machines that had the Microsoft Firewall disabled (where it did not break later versions of Windows).

image

Save and apply this policy.

Create a second Device Configuration policy, again for Windows 10 or later and for Device Restrictions this time. For this policy select Microsoft Defender Antivirus and then Enable the Real-Time Monitoring option, the Cloud Delivered Protection option also to Enabled, for Prompt users before sample submission, select Send all data without prompting and for Submit samples consent select Send all samples automatically. These are shown in the following two screenshots, both showing the same set of settings, but as its quite a long list the second picture is scrolled down.

image image

Again save and apply this policy. Now wait for it to download to your client machines, or in the MDM settings on Domains and Accounts, click Sync to speed this process up.

MDATP

Next you need to set up the interaction between MCAS and MDATP. This is done in the Settings > Advanced Features. Here ensure that Custom Network Indicators is enabled. This ensures that machines can be set to allow or block URLs. This feature requires Windows 10 version 1709 and later as well and an up to date version of the antimalware platform. The network protection in block mode, which is also listed as a requirement, is what we have enabled above.

You also need to make sure that the integration with Microsoft Cloud App Security (MCAS) is enabled. Again, a list of client requirements is displayed along with the requirement that you are running EMS E5 licences for all targeted users.

image

If you don’t have the MCAS or EMS E5 licence then you can add the URLs and other indicators directly into MDATP via Settings > Indicators > URLs/Domains. It is here the MCAS pushes the URLs that the client will block against, and so any way of pushing data into the indicators in MDATP will generate the same result.

MCAS

In MCAS we need to set up the pushing of unsanctioned apps to MDATP and configure unsanctioned apps either manually or automatically.

To push the status of unsanctioned apps click the cog to the top right and choose Settings. Select Microsoft Defender ATP and ensure that Block unsanctioned apps is enabled here.

image

Finally we can go to the Discovered Apps portal in MCAS. If you recently enabled the integration between MDATP and MCAS then this list of apps on the Discover > Discovered Apps will be empty. This will populate over time and store up to 90 days of information on the cloud apps your users are browsing.

image

On the report, possibly called the “Win10 Endpoint Users” report, which is client data from MDATP, click on the Score column to sort the list from 0 upward and see the apps that users are browsing that MCAS scores with a low rating. Click the app name to get the stats on why the app gets a low score.

Under the Actions column click the “no entry” sign, which tags an app as unsanctioned. Once you do this, this app will be blocked in Windows 10 that is under the scope of the Intune policy created above within 2 hours (allowing 8 hours for Intune to sync the new settings in the first instance).

To automatically unsanction any app with a low score (for example 0 to 3) then select Policies from the Control menu. Create a new App Discovery Policy by clicking the Create Policy option. This new policy will have a name like “Unsanction Apps With A Low Score” and the policy setting will be Risk Score equals 0-2. It will apply to All Continuous Reports. Decide if you want to be alerted to this app running and finally select Tag app as unsanctioned.

image

Shortly after you create this rule apps that fall into the category will be tagged as unsanctioned. Before you enable this rule it would be wise to check the list of apps with the same score as shown under the Discovery reports that meet your score to ensure that it would not be business impacting immediately (unless you need that to happen). For example at the time of writing this 3,095 apps where shown as scoring #2 and below and 14 apps of score #2 and below that had been viewed by end users in our company over the last 30 days. In the Continuous reports you can click any app and see who is using it and who would be impacted by blocking it.

I recommend individually unsanctioning an app for testing purposes. You can get the URL for the app by clicking the app name in MCAS and then you can browse this from a end user device that is under the scope of your MDATP deployment and your policy Intune deployment. This takes about 2 hours to take effect first time around. The automated rule to tag apps as unsanctioned automatically takes a bit longer and therefore harder to test.

Once users then access these unsanctioned apps they appear as alerts in MDATP as well. On the Alerts Queue you get a “Connection to a blocked cloud application was detected”. For example I got the following during writing this blog because when my screen-shooting software was capturing the above Firefox image it decided to follow the URL and now I see that snagit32.exe was blocked from making a connection to a blocked cloud application

image

image

Categories
Authentication Azure Active Directory Azure AD AzureAD conditional access

Baseline Policy Replacements: Conditional Access MFA for Administrators

From Feb 29th 2020 Microsoft will remove the “baseline policies” from Azure AD. These were very useful in the past to enable blanket settings like MFA for all admin accounts (well, selected admin roles) and to disable legacy auth for the same admin roles.

With the removal of the baseline policies you need to ensure that before Feb 29th 2020 you have a replacement policy/policies in place. If you are reading this blog post after that date these steps will help you implement MFA for admin roles without using the Microsoft Security Defaults.

The Security Defaults are great for tenants without Azure AD P1 or higher licences (including Enterprise Mobility + Security E3/E5 licences) as they turn all this security on for you. If you have Azure AD P1 or higher licences (including Enterprise Mobility + Security E3/E5 licences) then you can use Conditional Access instead.

These steps below will implement a rule to allow selected admin roles to login only if they perform MFA successfully and to block legacy authentication for the same roles. The configuration below will also include a break glass account so that you always have a way to bypass this security should the need arise (loss of auth code generator device, outage at Microsoft that stops MFA working etc.).

1. Create Conditional Access Policy to force MFA for admin roles

Create a new policy called “Protect All Administrators – Require MFA for All Logins” and set the following options

  • Users and Groups > Directory Roles > select all roles relevant to your organization. Suggest selecting all those that end “Administrator” as a minimum and maybe include Global Reader as well.
  • Users and Groups > Exclude tab > Exclude the group that contains your AADConnect sync account and you break glass accounts. If you have not done this yet, go and do it and then come back here. As a minimum exclude your account for now.
  • Cloud apps or actions > All Cloud Apps
  • Conditions > Client Apps > deselect “Other Clients” to remove clients that only do legacy authentication
  • Grant > Require multi-factor authentication
  • Report Only – this is to make sure that we do not lock ourselves out by getting this wrong – we change it to “On” later once we know it is working

2. Create a policy to block legacy authentication clients from doing administrative actions

Create a second policy called “Protect All Administrators – Block Legacy Authentication” and set the following options:

    • Users and Groups > Directory Roles > select all roles relevant to your
      organization.This list will need to be identical to the above list, and when in future you edit the above list because Microsoft add new administrative roles, you need to match those changes to this policy list as well.
    • Users and Groups > Exclude tab > Exclude the group that contains your
      break glass accounts.
    • Cloud apps or actions > All Cloud Apps
    • Conditions > Client Apps > deselect all options except for “Other Clients” to remove clients
      that do modern authentication (therefore deselect browser and modern clients).
    • Grant > Block Access
    • Report Only – this is to make sure that we do not lock ourselves out by
      getting this wrong – we change it to “On” later once we know it is working

3. Future changes

As mentioned above, when Microsoft release new administrative roles, you you add the first person to a new role you have not used before, come and edit both of these policies to include that administrative role.

Once you are sure that the policy is working (by reviewing the Conditional Access reports) change the policies to “On” instead of “Report Only”.