Windows 10 mobile hot spotting

Annoyingly, I currently have an issue with the ADSL on my phone line. I am getting about 25% packet loss, which effectively makes the connection unusable. I’ve done everything at my end to troubleshoot the issue and it is now up to the ISP to resolve it.

The problem is that I need the Internet to work! Luckily, I have a 4G mobile plan that includes unlimited (yes, I said unlimited) data. I can easily turn my phone into a hotspot and connect my devices to it. The problem is that I then can’t access my local resources or easily share between machines, because each device ends up on the phone’s network rather than on my LAN.

image

The solution I found is to turn my phone into a hotspot as normal and connect one of the devices on my internal network to it. I then share that device’s connection out using the Mobile hotspot capability built into Windows 10, as shown above.

image

On the other machines, I connect to the Windows 10 hotspot for Internet connectivity, but I also go into each of those connections and turn Set as metered connection to Off, as shown above. Windows treats a metered connection as one it should conserve data on, so Windows Update, OneDrive sync and similar background traffic are held back on it (and Windows often marks a hotspot or tethered connection as metered automatically). Turning the setting off makes the other Windows devices treat the hotspot like an ordinary LAN connection with no such restrictions, which is what you want when the 4G plan behind it is unlimited.

Just to be 100% sure, I have turned off the modem on my problem ADSL connection so that no traffic tries to head that way.

Now all my machines can work together as normal on the LAN, but each is also connected to the Internet via its own Wi-Fi link to the Windows hotspot machine that is sharing my 4G mobile connection. Keep in mind the hotspot is a WPA2 network protected only by the password Windows shows in the Mobile hotspot settings, so anyone in range who knows that password gets Internet access through your plan via your machine; treat it like your normal Wi-Fi passphrase.

In many ways, it is better than what I had with ADSL!
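As an added example (not part of the original post), the checks above can be done from an elevated PowerShell prompt on one of the client machines rather than by clicking through Settings: confirm which interface actually holds the default route, see whether the Wi-Fi profile for the Windows hotspot is flagged as metered, clear that flag, and trace the path out to confirm traffic is not heading towards the ADSL modem. The profile name and the target address are assumptions you would replace with your own.

```powershell
# Added example, not from the original post. Run as Administrator on a client
# machine that has joined the Windows 10 hotspot. Names below are assumptions.

$HotspotProfile = 'DESKTOP-HOTSPOT'   # assumed: the Wi-Fi profile name for the Windows hotspot
$Probe          = '8.8.8.8'           # assumed: any reachable public address to trace to

# 1. Which interface carries the default route? The lowest combined metric wins,
#    so this is where Internet-bound traffic will really go.
Get-NetRoute -DestinationPrefix '0.0.0.0/0' |
    Sort-Object RouteMetric, InterfaceMetric |
    Select-Object InterfaceAlias, NextHop, RouteMetric, InterfaceMetric

# 2. Is the hotspot profile marked as metered? netsh reports this under "Cost settings".
#    "Fixed" or "Variable" means metered; "Unrestricted" means treated like a LAN.
netsh wlan show profile name="$HotspotProfile" | Select-String -Pattern 'Cost'

# 3. Clear the metered flag. This is the command-line equivalent of turning
#    "Set as metered connection" to Off for that network in Settings.
netsh wlan set profileparameter name="$HotspotProfile" cost=Unrestricted

# 4. Confirm the new state took effect.
netsh wlan show profile name="$HotspotProfile" | Select-String -Pattern 'Cost'

# 5. Trace the path out. The first hop should be the Windows hotspot machine,
#    not the ADSL router; if it is the router, the modem is still in the path.
(Test-NetConnection -ComputerName $Probe -TraceRoute).TraceRoute
```

The netsh profile parameter is per Wi-Fi profile, so it has to be run once on each client machine (or pushed via a script) after it joins the hotspot.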

Get-Formatdata issues when connecting to Exchange Online with PowerShell

*** Update 10 July 2020. This is a back end service issue that Microsoft is working on to resolve. See the following for more details – https://techcommunity.microsoft.com/t5/exchange/error-when-connecting-to-exchange-online-vis-powershell/m-p/1512141#M5466

image

To connect to Exchange Online with PowerShell you simply type a command like:

connect-exchangeonline

as shown above. This “should” work with the Exchange Online PowerShell V2 module. However, as you can also see from the screenshot, on a number of tenants it generates the following error:

Import-PSSession : Data returned by the remote Get-FormatData command is not in the expected format

This prevents you from connecting to Exchange Online via PowerShell at all.

Interestingly, you get the same issue on those same tenants if you use the older (V1) remote PowerShell method of connecting to Exchange Online. It is also independent of the device you connect from, its updates, and so on. It seems to be tied to a limited number of tenants for some reason.

image

The fix for now is to specify the -DelegatedOrganization parameter with the tenant’s initial .onmicrosoft.com domain (the tenant name, not a user identity). When you do that against exactly the same tenant, you get in without an error, as shown above.

So, if you need access use:

connect-exchangeonline -DelegatedOrganization <tenantname>.onmicrosoft.com

and you should be able to gain access. That is fine for interactive sessions, but if you already have bulk automated scripts in place that don’t use this parameter, it is painful to start changing them just to accommodate a ‘limited’ number of affected tenants.

I am chasing down some leads to try to determine a reason for this and hopefully find a resolution soon.
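For the scripted case, one approach (added here as an example, not the post’s own code) is a small wrapper that tries the normal connection first and only falls back to -DelegatedOrganization when the Get-FormatData error is the reason it failed, so existing automation needs a one-line change rather than per-tenant special cases. The tenant prefix and admin UPN are placeholder assumptions; -DelegatedOrganization is really intended for partner access to a customer tenant, and here it is simply being pointed at your own tenant’s initial domain, exactly as the workaround above does.

```powershell
# Added example, not from the original post. Requires the ExchangeOnlineManagement
# (EXO V2) module. $Tenant and $Admin are assumptions; supply your own values.
param(
    [string]$Tenant = 'contoso',                        # assumed: initial domain prefix of the tenant
    [string]$Admin  = 'admin@contoso.onmicrosoft.com'   # assumed: admin UPN used to sign in
)

Import-Module ExchangeOnlineManagement -ErrorAction Stop

function Connect-ExoWithFallback {
    param(
        [Parameter(Mandatory)][string]$TenantName,
        [Parameter(Mandatory)][string]$UserPrincipalName
    )
    # Import-PSSession inside Connect-ExchangeOnline can raise a non-terminating
    # error; make everything terminating so the catch block actually sees it.
    $ErrorActionPreference = 'Stop'

    try {
        Connect-ExchangeOnline -UserPrincipalName $UserPrincipalName -ShowBanner:$false
        return 'direct'
    }
    catch {
        # Only apply the workaround for this specific failure; anything else
        # (bad credentials, no module, MFA cancelled) should surface as normal.
        if ($_.Exception.Message -notmatch 'Get-FormatData') { throw }

        Write-Warning "Get-FormatData error on $TenantName; retrying with -DelegatedOrganization"
        Connect-ExchangeOnline -UserPrincipalName $UserPrincipalName `
            -DelegatedOrganization "$TenantName.onmicrosoft.com" -ShowBanner:$false
        return 'delegated'
    }
}

$mode = Connect-ExoWithFallback -TenantName $Tenant -UserPrincipalName $Admin
Write-Host "Connected to $Tenant via the '$mode' path"

# Sanity check that the imported session actually works before the real work runs.
Get-OrganizationConfig | Select-Object Name, DisplayName

# ... your existing automation goes here ...

Disconnect-ExchangeOnline -Confirm:$false
```

Logging which path was taken (the returned 'direct' or 'delegated' string) gives you a list of the affected tenants for free, which is handy when following up with Microsoft.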

Protecting your Microsoft 365 environment using Azure AD Privileged Identity Management (PIM)

If you are managing a Microsoft 365 environment my recommendation is to do so using a Microsoft 365 E5 SKU, no matter what else is in that tenant. The reason for having at least one Microsoft 365 E5 SKU in your environment is that it provides a wealth of additional features that directly benefit administrators. One of these is Azure AD Privileged Identity Management (PIM).

image

In a nutshell, PIM allows you to do just-in-time (JIT) role escalation. This means that users can be given the permissions they need to do things only when they need them. It means that you don’t need to have users with standing global administrator access; they can be escalated only when they actually need those privileges. Standing elevated privileges are something you should be looking to minimise or eliminate in your environment, so that if an account does get compromised it won’t have access to the ‘family jewels’. PIM is also a way to minimise the threat of a ‘rogue administrator’, given that an approval process can be tied to each activation. Most importantly, all PIM actions are audited in detail, which is always handy to have.

PIM is a feature of Azure AD Premium P2 and, as mentioned, is included in Microsoft 365 E5. Best practice is to set up an ‘emergency break-glass’ administration account before you start restricting existing administrators with PIM: a cloud-only account with a permanent Global Administrator assignment that is excluded from PIM and from your Conditional Access policies, whose credentials are stored securely offline, and whose sign-ins you alert on because it should never be used day to day. Once you have both the licence and that ‘get out of jail’ account you are ready to use PIM.

A good example to help you understand the benefits of PIM is to illustrate how I use it myself in my own production environment. The account that I use for my day to day work used to be a global administrator, but best practice dictates that it really shouldn’t be. However, given the number of browser sessions I already have open, I didn’t want to add yet another one just to check administrative tenant-level ‘stuff’. PIM to the rescue! With PIM, my account can stay a member account by default and I can escalate it to global administrator as needed.

image

One of the things I like to check is Microsoft Cloud App Security for my tenant. As you can see above, by default, I now have no privileges.

To elevate my privileges I follow this process:

Activate my Azure resource roles in Privileged Identity Management

 image

This means that I login to the Azure Portal and then navigate to Azure AD roles in PIM as shown above. Here I can see that I can activate the Global administrator role by selecting the Activate link as shown.

image

When I do this a dialog box appears and my credentials are verified. You can configure the role to require MFA again at this point if you wish. That means that even if I am already signed in successfully, I need to complete a fresh MFA challenge to proceed.

I can now select the time I need to complete my work, up to the pre-defined Duration limit for the role. Here I’m going to select the full 8 hours for a full work day at my desk. I also need to provide a Reason for the elevation. This information is recorded and held with the auditing information, which means I can track when and why I elevated.

When complete, I press the Activate button at the bottom of the page to continue.

image

The activation request is then processed according to the pre-defined rules for the role. In my case, I have elected to have automatic approval, but you can route approvals to a designated approver if you wish, for greater protection.

image

In about 30 seconds my activation is complete and if I now look in the Active roles area of the console I see that I am indeed a global administrator.

image

If I now refresh my Microsoft Cloud App Security page, you can see that I now have access as a normal administrator. The same applies to all the other administrator areas in the tenant, thanks to the elevation to Global Administrator via PIM.

The good thing is that I can now work using my normal account, and check and monitor what I need to without using a different account. I can also rest easy that after the 8 hour time limit my account will automatically be de-activated back to being a member user. Thus, at the end of the day, I simply shut down and the account is de-activated for me without me needing to remember to do it. I can of course manually de-activate the role at any time if I wish, say if I needed to go out somewhere, and it is easy enough to re-activate if I need to do any additional work.

image

What I also like is the audit logging as shown above. Having it all in one place in the PIM console makes it easy for me to verify what has been happening with the process over time.

So in summary, I am using PIM to elevate my normal work account to an escalated level as needed during the day. This means that I don’t have to maintain standing administrator access for the account but I still have the convenience of using it to perform administrator roles as needed.
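The same activate, check, deactivate and audit cycle shown in the portal screenshots above can be driven from PowerShell through Microsoft Graph. The block below is an added example, not the post’s own code or a Microsoft script. It uses the Microsoft Graph PowerShell SDK and the documented roleAssignmentScheduleRequests endpoint; the role definition ID is the built-in Global Administrator template ID, while the permission scopes, the justification text and the 8 hour duration are my choices. Whatever MFA or approval requirement you set on the role still applies: MFA is enforced at the Graph sign-in, and a role that needs approval returns a request in a pending state rather than an active assignment.

```powershell
# Added example, not from the original post. Requires: Install-Module Microsoft.Graph
# Scopes, justification and duration are assumptions; the role ID is the built-in
# Global Administrator role definition template ID.

Import-Module Microsoft.Graph.Authentication -ErrorAction Stop

$GlobalAdminRoleId = '62e90394-69f5-4237-9190-012177145e10'   # built-in Global Administrator
$Graph             = 'https://graph.microsoft.com/v1.0'

Connect-MgGraph -NoWelcome -Scopes @(
    'RoleAssignmentSchedule.ReadWrite.Directory',   # create self-activate / self-deactivate requests
    'RoleManagement.Read.Directory',                # read what is currently active
    'AuditLog.Read.All'                             # read the PIM audit trail
)

# PIM needs the object id of the signed-in principal, not the UPN.
$me = Invoke-MgGraphRequest -Method GET -Uri "$Graph/me?`$select=id,userPrincipalName"

function Request-PimActivation {
    param(
        [Parameter(Mandatory)][string]$PrincipalId,
        [Parameter(Mandatory)][string]$RoleDefinitionId,
        [int]$Hours = 8,
        [Parameter(Mandatory)][string]$Justification
    )
    $body = @{
        action           = 'selfActivate'
        principalId      = $PrincipalId
        roleDefinitionId = $RoleDefinitionId
        directoryScopeId = '/'                 # tenant-wide scope
        justification    = $Justification      # this is the "Reason" recorded in the PIM audit log
        scheduleInfo     = @{
            startDateTime = (Get-Date).ToUniversalTime().ToString('o')
            expiration    = @{ type = 'AfterDuration'; duration = "PT${Hours}H" }
        }
    }
    Invoke-MgGraphRequest -Method POST -Body $body `
        -Uri "$Graph/roleManagement/directory/roleAssignmentScheduleRequests"
}

function Request-PimDeactivation {
    param(
        [Parameter(Mandatory)][string]$PrincipalId,
        [Parameter(Mandatory)][string]$RoleDefinitionId
    )
    $body = @{
        action           = 'selfDeactivate'
        principalId      = $PrincipalId
        roleDefinitionId = $RoleDefinitionId
        directoryScopeId = '/'
    }
    Invoke-MgGraphRequest -Method POST -Body $body `
        -Uri "$Graph/roleManagement/directory/roleAssignmentScheduleRequests"
}

# 1. Activate for the working day, with a reason that ends up in the audit trail.
$request = Request-PimActivation -PrincipalId $me.id -RoleDefinitionId $GlobalAdminRoleId `
    -Hours 8 -Justification 'Reviewing Cloud App Security alerts'
"Request status: $($request.status)"     # e.g. Provisioned, or PendingApproval if an approver is configured

# 2. Confirm what is currently active for this account, and when it expires.
$active = Invoke-MgGraphRequest -Method GET `
    -Uri "$Graph/roleManagement/directory/roleAssignmentScheduleInstances?`$filter=principalId eq '$($me.id)'"
$active.value | Select-Object roleDefinitionId, assignmentType, endDateTime

# ... do the administrative work ...

# 3. Hand the privilege back rather than waiting for the 8 hour expiry.
Request-PimDeactivation -PrincipalId $me.id -RoleDefinitionId $GlobalAdminRoleId | Out-Null

# 4. Pull the PIM audit trail for this account: the same data the PIM console shows.
$audit = Invoke-MgGraphRequest -Method GET `
    -Uri "$Graph/auditLogs/directoryAudits?`$filter=category eq 'RoleManagement'"
$audit.value |
    Where-Object { $_.initiatedBy.user.id -eq $me.id } |
    Select-Object activityDateTime, activityDisplayName, result |
    Sort-Object activityDateTime -Descending
```

Invoke-MgGraphRequest returns hashtables, so the property access above works directly on the JSON that comes back. Because the break-glass account is deliberately excluded from PIM, it will never appear in this audit output; its use should be caught by a separate sign-in alert instead.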

To set this up for yourself, you’ll need M365 E5 or Azure AD P2 as well as a ‘break-glass’ account. Then you’ll need to configure the roles you wish to escalate to via:

Configure Azure resource role settings in PIM

You can get quite granular here if you wish, but my advice is that you keep it simple to start with and go from there. For me, I just wanted the simple process of becoming a ‘normal’ global administrator.

You can have multiple roles, with different access for different users, if you wish. In my case, I’m just focusing on the role of the tenant administrator. As I said, you can also have approvals sent to one or more designated approvers for an extra level of protection if desired. There are lots of settings you can customise with PIM.

Using PIM now gives me an extra level of protection when it comes to administration rights. It means my production user isn’t a global administrator by default. I can, however, use that same account as a global administrator by going through a simple automated escalation process that requires MFA, for greater security. Additional benefits are that I get detailed auditing and tracking, I can manually de-activate those rights at any point, those rights are automatically de-activated for me after a specified time limit, and I also get alerting.

If you want to make your Microsoft 365 environment, especially your administrator logins, more secure then I suggest you take a look at PIM. Even for a small environment like mine, it is great value.

Create a Bing Custom Search

I detailed in a previous article how I had created a custom search:

A dedicated Microsoft Cloud Search Engine

The benefits were that I could target it at a specific set of URLs to search through when producing a result. It also eliminated many of the commercial elements you see in common search engines. This makes it much cleaner and faster.

The good news is that you too can easily go and create your own custom search. Before you do so, however, you will need an Azure subscription, as there are generally costs incurred depending on the functionality you want. The Custom Search capability is found under Cognitive Services in Azure. However, the easiest way to start creating your own custom search is to visit:

https://www.customsearch.ai/

and sign in with your tenant credentials.

image

You’ll come to the above screen first. Simply select I agree and then the Agree button below to continue.

image

You can go through the Welcome messages if you wish.

image

Next, select the Create new instance button at the bottom of the page.

image

Give your instance a name (here Demo) and select Ok.

image

You’ll then end up on the above page where you can input the URLs you wish to have be part of your custom search.

image

Just keep adding the URLs you want. As you do, you’ll notice a yellow banner appear at the top of the page as shown above. This is a reminder that you need to Publish your changes for them to be visible to others.

image

When you do elect to publish you will see the above dialog. Press the Publish button to continue.

image

You should be greeted with a successful result, as shown above. You can return and keep editing the environment or you can select the Go to production environment option.

image

In the production environment, if you now select the Host UI menu option on the left, the window on the right will show you a dialog box towards the bottom, as shown above. Copy this URL.

image

If you Paste this URL into a new browser window, you should see your custom search engine as shown above.

Pretty easy to get going right?

image

If you navigate to the Azure portal and search for Cognitive services you should see your new Bing CustomSearch as shown above, along with any other services that utilise Cognitive Services (here a Q and A bot).

You can go in here and customise different aspects of your Custom Search, which I’ll cover off in upcoming articles. However, hopefully you see how easy it is to get started creating a Custom Search in Azure. Remember, you can always test out what I have created here:

https://bit.ly/ciasearch
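Besides the hosted UI, the published instance can be queried programmatically. The block below is an added example, not the post’s own code: it calls the Bing Custom Search v7 REST endpoint with the Custom Configuration ID from the portal and the subscription key from the Cognitive Services resource in Azure, and checks that every result really comes from one of the sites you configured. The key, configuration ID and allowed domains are assumptions you supply; the key is sent in a request header and should stay server-side, never in a page script where visitors could read it (that is what the Host UI option is for).

```powershell
# Added example, not from the original post. All parameter values are assumptions
# taken from your own Azure Cognitive Services resource and Custom Search instance.
param(
    [Parameter(Mandatory)][string]$SubscriptionKey,   # "Keys and Endpoint" blade of the Azure resource
    [Parameter(Mandatory)][string]$CustomConfigId,    # Custom Configuration ID shown in the portal
    [string]$Query        = 'Privileged Identity Management',
    [string]$Market       = 'en-AU',
    [string[]]$AllowedHosts = @()                     # assumed: the domains you added, e.g. 'blog.ciaops.com'
)

function Search-CustomBing {
    param(
        [Parameter(Mandatory)][string]$Key,
        [Parameter(Mandatory)][string]$ConfigId,
        [Parameter(Mandatory)][string]$Q,
        [string]$Mkt = 'en-AU',
        [int]$Count = 10
    )
    $uri = 'https://api.bing.microsoft.com/v7.0/custom/search?' +
           'q=' + [uri]::EscapeDataString($Q) +
           "&customconfig=$ConfigId&mkt=$Mkt&count=$Count"

    # The key lives in a header, never in the query string, so it does not end up in logs or referrers.
    $resp = Invoke-RestMethod -Method Get -Uri $uri -Headers @{ 'Ocp-Apim-Subscription-Key' = $Key }

    if (-not $resp.webPages) { return @() }   # no matches inside the configured sites
    $resp.webPages.value | ForEach-Object {
        [pscustomobject]@{ Name = $_.name; Url = $_.url; Snippet = $_.snippet }
    }
}

function Test-ResultHost {
    # Returns $true if the result host is one of the allowed domains or a subdomain of one.
    param([string]$Url, [string[]]$Allowed)
    if (-not $Allowed) { return $true }
    $h = ([uri]$Url).Host
    foreach ($d in $Allowed) {
        if ($h -eq $d -or $h.EndsWith(".$d")) { return $true }
    }
    return $false
}

$results = Search-CustomBing -Key $SubscriptionKey -ConfigId $CustomConfigId -Q $Query -Mkt $Market

foreach ($r in $results) {
    if (-not (Test-ResultHost -Url $r.Url -Allowed $AllowedHosts)) {
        Write-Warning "Result outside the configured sites: $($r.Url)"   # your instance config is wider than you think
    }
}

$results | Format-Table Name, Url -AutoSize -Wrap
```

Running it with the -AllowedHosts list that mirrors the portal configuration is a quick way to confirm a newly published instance is scoped the way you intended before handing the URL out.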

Need to Know podcast–Episode 245


FAQ podcasts are shorter and more focused on a particular topic. In this episode I speak about what Office 365 Alerts is and provide some best practice suggestions.

This episode was recorded using Microsoft Teams and produced with Camtasia 2020

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-245-alerts/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

CIAOPS Patron Community

Office 365 Alerts

@directorcia

MVP for 2020-21


It is with pride that I can say Microsoft has again graciously awarded me Most Valuable Professional (MVP) status for 2020 in the Office Servers and Services category. This makes it nine awards in a row for me. I thank Microsoft for this special award and acknowledge the responsibilities it entails.

This award is not possible without members of the community out there who take the time to do things like read and comment on my blog, watch my YouTube channel, attend events where I speak and more. Thanks everyone.

It is great to see the growth in recent years of the Microsoft Cloud technologies and the increasing number of people adopting them. It is something that continues to add so many new features it is hard to keep up. For me, that makes it really exciting and something I am always keen to be involved with. I enjoy the constant challenge of staying on top of everything in the space. I’m also keen to share that journey with others and help others solve problems and make the most from their technology investments.

The end of the past twelve months has looked very different from the start. The world we live in is now a very different place from what it used to be. It has changed dramatically and we must all adapt to the new environment that has been forced upon us. Success in this new world will come with the help of others. That means being part of a community and working for the collective good. Being an MVP is being part of a unique worldwide community of very dedicated and smart people who truly love to share their knowledge. They are the benchmark that I aspire to, both technically and professionally. I therefore take the opportunity to also congratulate all those who were awarded this year. It is a great community to be part of and I am honoured to be a part of it.

Again, I thank Microsoft for this honour and will work hard to live up to the expectations it sets again for 2020-21, for without them and their technology, this award would not be possible.

CIAOPS Need to Know Microsoft 365 Webinar–July


Getting everything done in today’s modern world is a challenge, but Microsoft 365 has your back. Chief among the tools you can use to get organised in your business is Microsoft Planner. This month I’ll take a deeper look at Microsoft Planner and show you how to set it all up and make best use of it, as well as integrate it with the other task management options inside Microsoft 365. I’ll also have the latest Microsoft Cloud updates plus open Q and A as well.

You can register for the regular monthly webinar here:

July Webinar Registrations

The details are:

CIAOPS Need to Know Webinar – July 2020
Friday 31st of July 2020
11.00am – 12.00pm Sydney Time

All sessions are recorded and posted to the CIAOPS Academy.

The CIAOPS Need to Know Webinars are free to attend but if you want to receive the recording of the session you need to sign up as a CIAOPS patron which you can do here:

http://www.ciaopspatron.com

or purchase them individually at:

http://www.ciaopsacademy.com/

Also feel free at any stage to email me directly via director@ciaops.com with your webinar topic suggestions.

I’d also appreciate you sharing information about this webinar with anyone you feel may benefit from the session and I look forward to seeing you there.

Need to Know podcast–Episode 244

Sarah Young from Microsoft joins us again to talk about Azure Sentinel. We run through what it is and why you should be using it to protect your IT environments. Brenton joins us as well to cover off the latest news and certifications he has achieved. Listen in for all the details.

This episode was recorded using Microsoft Teams and produced with Camtasia 2020

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-244-sarah-young/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

Sarah Young

@contactbrenton

@directorcia

L400 Sentinel Ninja Training

MS Tech Community Sentinel blog

Sentinel GitHub repo

Sentinel documentation

MS Security Community webinars

Defender ATP for Linux now GA

Defender ATP for Android

OneDrive Roadmap Roundup – May 2020

PowerPoint Live is now generally available

What’s New: Livestream for Azure Sentinel is now released for General Availability

Azure responds to COVID-19

20 updates for Microsoft Teams for Education, including 7×7 video and Breakout Rooms

Outlook for Windows: Signature cloud settings