Using multiple authenticator apps with a single Microsoft 365 user account

One of the best ways to ensure an account is secure is to enable Multi-Factor Authentication (MFA) for it. This means the user logs in as normal with their username and password, but before the login process is complete they must provide another form of verification. That form is typically an SMS, a phone call or an authenticator application on their mobile device.

The best practice with Microsoft 365 is to use the Microsoft Authenticator app, which is available on both iOS and Android. Here’s an overview video:

The way that you set up MFA for a Microsoft 365 account is to log in to the Microsoft 365 portal as an administrator and navigate to the Admin center.

Then do a search for MFA as shown above. One of the returned results should be Azure multi-factor authentication settings as shown, which you should select.

You should be aware that here you are configuring Multi-Factor Authentication for Office 365 which is a subset of all the features available in Azure Multi-Factor Authentication. You can see the feature comparison here:

MFA version feature comparison

All versions of Office 365 and Microsoft 365 come with Multi-Factor Authentication for Office 365; the more advanced Microsoft 365 plans, such as E3 and E5, come with Azure Multi-Factor Authentication. The discussion here is focused on Multi-Factor Authentication for Office 365, and this applies to all plans.

After selecting that option, a panel should appear on the right of the window. Select the Manage multi-factor authentication link that appears as shown above.

This should take you to a list of your users as shown above. This will show the MFA status of each user. The above shows you that Alex Wilber currently has an Enforced setting, while everyone else has Disabled.

Select the user you want to enable, then select the Enable link on the right as shown.

You should now see the above message. Select the enable multi-factor auth button to continue.

After a moment or two, you should receive confirmation that MFA is now enabled for the account as shown above. Select the close button to continue.

As shown above, you will now see that the status of that user is now Enforced. This means that they have yet to complete their MFA enrolment. Once they have, their status will change to Enabled.

After the user enters their login and password into the Office 365 tenant the next time they login, they will see the above message telling them they basically need to enrol in MFA.

They should now see a screen like that shown above. In this case we are going to use a Mobile app as the means of authentication, so we select that option from the top box. In the How do you want to use the mobile app? box, select Use verification code. This will require the user to enter a unique code from the authenticator app to verify their identity during login. There is also the option to receive push notifications BUT if you are going to be using multiple authenticators then best practice is not to do this, and I’ll detail why further down when I talk about the scenarios where this multiple authenticator environment can be used. For now, select Use verification code and then the Set up button underneath.

You’ll now see a QR code like the one shown above that you can use with your Microsoft Authenticator app. However, using this does come with limitations.

Firstly, this method doesn’t support third party authenticators such as Google Authenticator or LastPass Authenticator.

If you try to use those you’ll get an error like you see above and be unable to configure the third party authenticator.

Secondly, if you try to use the same QR code on another device running a second Microsoft Authenticator app, you’ll see the above error, basically telling you that the QR code has been used before (which it has).

The trick to overcoming both of these limitations is to select the link Configure app without notifications to the right of the QR code as shown above.

When you do so, you’ll get a new QR code that looks very similar but has different wording and a different link.

You can now use this QR to set up multiple Microsoft Authenticator apps on different devices as well as third party authenticators. You may also want to take a screen shot of this QR code for future reference if you wish to set up or reconfigure authenticator devices in the future.

Some considerations here. All devices you now use with this QR code will configure the same identical sequence of rolling numbers for authentication. Thus, when you configure multiple devices this way you’ll see that the pin numbers will be identical on all devices and will change more or less at the same time. What you have effectively achieved here is a duplication of the MFA token for that user. Is that a good thing? Best practice is to only have ONE and only ONE authenticator per account but there are scenarios I will illustrate later where having a duplicate is acceptable. However, please remember, the more tokens you have for an account, the less secure it is.

Once you have used the QR with all the devices you wish to use, select Next and then Next. You’ll then be prompted to enter a verification code from any of the devices (as they all show the same code now anyway) to verify the account set up. Enter the code and continue.

You’ll then need to enter a phone number as a fallback option. Select the Next button when this is complete.

You’ll then see a single app password you can use if needed, but best practice is that you shouldn’t be using these so select the Done button.

Now when the user logs in to Microsoft 365, they’ll enter their login and password as before but then also be prompted for a code from an authenticator. If you have duplicated the authenticator as shown above, the code on the devices will be the same and thus all you need to access that account is any of the devices just configured.

So where might a duplicated authenticator make sense? Perhaps as an administrator of a tenant I move between different locations and devices. Or perhaps I want to have the same code for everyone using authenticators for access. Perhaps different people need to read me the code from an authenticator on their device. There are scenarios where duplicated authenticators may make sense, so it is an option if needed.

Duplicating authenticators is probably ok if there is only one user accessing the account, but what happens when multiple users need to access the one account using MFA? They should each use a unique authenticator, which is the best practice I would suggest.

To set up multiple unique authenticators (rather than just duplicates), complete the above process but for just a SINGLE authenticator app. Again, it is recommended not to enable push notifications and just use a pin code entry. Once the single MFA method has been configured for the account, log in to that account using MFA. Select the user icon in the top right of the screen. That should display a menu like the one shown above. From this menu, select My account.

In the window that appears, locate the Security & privacy section and select the Manage security & privacy button.

Now select Additional security verification at the bottom as shown above.

This will display two additional options as shown. Select Update your phone numbers used for account security.

This should display the above options, where you can configure the MFA settings for the account. At the bottom of this screen you will see that there is already one Authenticator app, which is the initial one configured for the account. To add a second independent authenticator tied to this account select the Set up Authenticator app button as shown.

This should display the now familiar MFA configuration window as shown above. The default option will be for push notifications. This means that any time the account logs in, a push notification will be sent to ALL the authenticator apps configured for this account, whether they have been set up as duplicates or as separate authenticators. As mentioned previously, this option also only allows a single Microsoft Authenticator configuration and no third party options.

Thus, best practice is again to select the Configure apps without notifications link on the right to make more authenticator options available.

This will again give you a slightly different screen with a QR code to configure the authenticator device. Remember, here you are not duplicating the existing authenticator that was created initially, you are creating a separate independent authenticator app that is tied to the same user account.

When you have completed the configuration process for this authenticator you’ll again need to verify it as shown above.

When you return to the Additional security verification screen you will now see two authenticator apps at the bottom of the screen as shown above.

This might appear confusing, but in my example I configured two different authenticator apps independently on the same device (one Microsoft, one Google). If you configure authenticator apps on two different physical devices it should look more like the above where you can tell the difference between the devices. In my experience, if there is ever confusion or duplicates, the more recent configurations appear at the top of the list if you ever wish to delete one.

You may want to ensure that you DON’T select the option to Notify me through app, because doing so will send a push notification to all configured and supported apps for verification. If you have different people, all with their own authenticator app configured on separate devices, you don’t want them all getting a notification when ANY one of them attempts to log in to the account. Not only is it annoying, but any of the other devices can approve the login request, even though they didn’t initiate it. You can use the notification option for authentication if you wish BUT use it with care and an understanding of the risks it brings.

The above shows you that I have configured authentication on two separate devices (Android on left, iPhone on right). Note how the time is the same on each device, along with the account it protects. You’ll also notice that one device is using the Google Authenticator while the other is using the Microsoft Authenticator, just to show you that you can mix and match authenticators as you please. These are two independent authenticators tied to the one account, as I have just shown you how to configure. Thus, if I now try to log in to the configured account, I use the one user name, plus the one password and either of the two numbers on the authenticators I have configured on these devices.
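The duplicate-versus-independent behaviour described above (identical codes when two devices are enrolled from the same QR code, different codes and separate revocation when each device is set up as its own authenticator) as an added worked example, not code from the original post: a minimal RFC 6238 TOTP implementation in Python stands in for the authenticator apps and for the account's registered methods. The seeds, device names and method names are constructed for the example; the first seed is the RFC 6238 reference secret so its codes match the RFC test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional

STEP_SECONDS = 30   # time step used by Microsoft and Google Authenticator
DIGITS = 6          # length of the displayed code


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step)


class Authenticator:
    """One authenticator app on one device. It holds only the seed the QR code carried,
    so two devices enrolled from the same QR code are indistinguishable."""

    def __init__(self, device: str, seed_b32: str) -> None:
        self.device = device
        self.secret = base64.b32decode(seed_b32, casefold=True)

    def code(self, at: Optional[int] = None) -> str:
        return totp(self.secret, at)


class AccountMfa:
    """Server side of one account: every registered authenticator method and its seed."""

    def __init__(self) -> None:
        self.methods: Dict[str, bytes] = {}

    def register(self, name: str, seed_b32: str) -> None:
        self.methods[name] = base64.b32decode(seed_b32, casefold=True)

    def remove(self, name: str) -> None:
        """Revoke one method, e.g. when the technician who owned that device leaves."""
        del self.methods[name]

    def verify(self, code: str, at: Optional[int] = None, window: int = 1) -> Optional[str]:
        """Return the name of the registered method that produced `code`, or None.
        Codes from one step either side are accepted to tolerate clock drift."""
        if at is None:
            at = int(time.time())
        counter = at // STEP_SECONDS
        for name, secret in self.methods.items():
            for c in range(counter - window, counter + window + 1):
                if hmac.compare_digest(hotp(secret, c), code):
                    return name
        return None


# Constructed seeds for the example. SEED_A is the RFC 6238 reference secret
# ("12345678901234567890"), so its codes can be checked against the RFC test vectors.
SEED_A = base64.b32encode(b"12345678901234567890").decode()
SEED_B = base64.b32encode(b"constructed seed for 2nd dev").decode()


def duplicated_authenticators(at: int = 59) -> dict:
    """Both devices enrolled from the same 'Configure app without notifications' QR code:
    one registered method, identical codes, and the server cannot tell the devices apart."""
    android = Authenticator("android", SEED_A)
    iphone = Authenticator("iphone", SEED_A)
    account = AccountMfa()
    account.register("authenticator-app", SEED_A)
    return {
        "codes_identical": android.code(at) == iphone.code(at),
        "android_seen_as": account.verify(android.code(at), at),
        "iphone_seen_as": account.verify(iphone.code(at), at),
    }


def independent_authenticators(at: int = 59) -> dict:
    """Each device enrolled via 'Set up Authenticator app' with its own QR code:
    two registered methods, different codes, and one can be revoked without the other."""
    android = Authenticator("android", SEED_A)
    iphone = Authenticator("iphone", SEED_B)
    account = AccountMfa()
    account.register("tech-a-android", SEED_A)
    account.register("tech-b-iphone", SEED_B)
    result = {
        "codes_identical": android.code(at) == iphone.code(at),
        "android_seen_as": account.verify(android.code(at), at),
        "iphone_seen_as": account.verify(iphone.code(at), at),
    }
    account.remove("tech-b-iphone")  # technician B leaves: revoke only their method
    result["iphone_after_removal"] = account.verify(iphone.code(at), at)
    result["android_after_removal"] = account.verify(android.code(at), at)
    return result


if __name__ == "__main__":
    print("duplicated :", duplicated_authenticators())
    print("independent:", independent_authenticators())
```

Note that in the duplicated case the server records a single method, so the audit trail cannot say which device approved a login, which is exactly why the post recommends independent authenticators when several people share an account.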

Now, where does this multiple authenticators to a single Microsoft 365 account make sense? The most common scenario is for IT resellers who need to support multiple customer tenants with multiple technicians securely using MFA. A typical scenario would be to configure a single management account in each customer’s tenant that is a global administrator for the tenant. That account would have an initial MFA authenticator enabled during set up. Then, for each technician who needs access, each of their personal devices would also be enabled for MFA on that same single customer admin account using the process I detailed above. Thus, the admin login details would be shared amongst the technicians along with the password BUT each would use their own authenticator app to gain access to the customer’s management account. Thus, each technician uses the same username and password to access the account but a unique MFA pin code that is generated on their own personal device and is unique to them.

In the event that a technician leaves, the IT reseller could merely remove that technician’s authenticator app from the customer’s admin account and probably change the password and re-share that updated password amongst the remaining technicians. In an environment with lots of tenants and technicians, manually doing this would be time consuming. I’d be confident that this process could be scripted using PowerShell but can’t say for sure until I look at that in more detail. Stay tuned. But at least you can have multiple technicians accessing multiple shared accounts with their own unique MFA authenticator app.

So there you have it. Yes, it is possible to have multiple authentication apps providing MFA to a single Microsoft 365 account. Yes, it is possible to achieve this with both Microsoft and third party authenticator apps. Yes, it is possible to have duplicate and independent authenticator configurations for one account. And finally, YES, it makes an account LESS SECURE by having multiple authenticator apps configured against a single account, so use with CARE and THINK before you implement.

My Apps – 2019

I will happily admit that I am not a big app user. I have a number of key apps that I use all the time and many that I test. However, the ones I test normally don’t last long and get deleted. I like to keep my devices as clean as possible rather than being filled with lots and lots of random apps.

To see what I was using at the beginning of last year check out the article:

My Apps – 2018

My most used apps on mobile devices over the last year were:

Podcast Addict – for all my podcasts. Easy to use, listen and update as well as working in the car thanks to Android auto.

Google Authenticator – used to provide two factor authentication for access to Google accounts as well as for Lastpass password manager.

Microsoft Authenticator – I use this for a number of select web sites as well as Office 365.

Android auto – connects to my daily drive to provide the ability to listen to podcasts (via Podcast Addict) as well as use Waze for navigation.

OneNote – is a must on every device I own. Syncs all my notes to every device. Allows me to not only truly have my information everywhere I am but also capture information quickly and easily.

Office Lens – available on all platforms. Allows capturing of information such as documents, whiteboards, etc to OneNote. I have written about the importance of this app previously:

A mobile device must have

Tripview – One of the few apps that I have happily paid for. I use this to let me know the Sydney train schedule to help me get around when I need to negotiate the ‘real world’.

Audible – If I can’t read my Kindle then I can normally always listen. This app allows me to listen to my audio books where ever I am.

Amazon Kindle – If I don’t have access to my Kindle then I can still read my books. In my case that will most likely be on my iPad. I also use the Kindle app on the iPad when the ebook has a lot of images that sometime don’t display well or are too small for the Kindle device.

The following are currently iOS only:

Oak – For mindfulness, breathing and meditation

Rode Reporter – which I use for recording many of my presentations when I am out on the road.

Of course I have all the social media apps, such as Twitter, Linkedin and Facebook on my devices.

I also have all the Microsoft/Office 365 apps. The ones I use the most are probably To-Do, Outlook, SharePoint, OneDrive, Teams and Yammer, although Word and Excel also get used regularly. Just about every Microsoft Office 365 service has an app that you should have on your mobile device.

I’ve also added the Intune app to all my devices so they can be better managed.

I use the Microsoft Next Lock Screen on my Android device.

Some occasional ones I use include:

Meetup

Pocket

Duolingo

The above are my most used apps across my various mobile devices. I certainly use a wide variety of apps on my devices but prefer the desktop versions if available, simply because my fingers are too fat and my patience too short to be productive for long stints on mobile devices. My kingdom, my kingdom for a full keyboard and screen I cry.

Become Microsoft 365 Certified with CIAOPS

I’m pleased to announce that I’m taking all of my experience as a Microsoft Certified Trainer and learnings with Microsoft 365 and creating a 7 week intensive study program dedicated to helping people pass the recently announced Microsoft MS-100 certification exam.

In broad strokes this exam covers:

– Design and Implement Microsoft 365 Services

– Manage User Identity and Roles

– Manage Access and Authentication

– Plan Office 365 Workloads and Applications

The CIAOPS program will provide 2 hours per week of presented content (lecture + lab) as well as additional content that each student will be expected to complete and submit prior to the next week. In my experience, having ‘required homework’ is the best way to ensure that you are learning the content. All the material will be available in a downloadable portal for access on demand (including presented content). Having the material on demand means that you can attend this course even if you can’t make the live sessions.

This program is limited to a maximum of 15 students and is filling fast, so if you want to take advantage of this round then please contact me via email (director@ciaops.com) to express your interest. The cost for anyone not in my CIAOPS Patron program is AU$399 inc GST for all the material.

You may want to read my thoughts on why I believe certification is becoming increasingly important with the cloud:

The benefits of certification

Stay tuned for more certification training programs like this that will be available from the CIAOPS.

Need to Know podcast–Episode 199

I speak with Program Manager Windows Defender ATP, Iaan Wiltshire, from Microsoft all about this security offering and how it fits into the market. We discuss what Defender ATP is and what it includes, so if you are keen to hear how Microsoft is integrating threat management from the desktop through to the cloud, listen along.

Brenton and I, of course, give you all the latest Microsoft Cloud news in this first episode for 2019. There is still lots happening so listen in to stay up to date.

Also, don’t forget our invite to join us during the live recording of episode 200 on the 21st of January 2019. Just sign up at http://bit.ly/n2k200

Take a listen and let us know what you think –feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-199-iaan-wiltshire/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

Iaan.Wiltshire@microsoft.com

@contactbrenton

@directorcia

MSP risks for clients

Questions to ask your MSP

Report into MSP hacking

Discounted cyber security for your client

December updates video

Ignite 2019 – Sydney agenda

Contextualizing Attacker Activity within Session in Exchange Online

MyAnalytics, the fitness tracker for work is now more broadly available

Watch Microsoft Stream on the go

SharePoint Roadmap Pitstop: December 2018

Introducing new advanced security and compliance offerings for Microsoft 365

Evaluating Windows Defender ATP

Windows defender Test Ground

Microsoft Security Blog

Defender ATP Overview

Using PowerShell to download all my Office 365 scripts together

I really like GitHub but the problem is that it is really a developer, not IT Pro, style environment. That means there is no easy way (that I know of at least) to simply copy every file in a repository to a directory on your local computer. Yes, you can do that with Visual Code like I do, but what if you just want a complete copy so you can run the scripts that I have created quickly and easily?

Have no fear, PowerShell to the rescue once again.

I have just created the following script:

https://github.com/directorcia/Office365/blob/master/o365-getrepo.ps1

which, when run, will basically grab every file in my Office 365 repository and download it to the directory you nominate in the variable at the top of the script.

So the process is to copy the above script into the PowerShell ISE. Modify the variable $DestinationPath to suit your environment and then simply run the script.

The great thing is that you can re-run the script at any time to grab the latest updates I have made in that repository.


My software and services 2019

Here’s last year’s post for comparison:

My software and services – 2018

All my PCs are running the latest version of Windows 10 (1809) without any issues and none during the upgrade process either. I do have Windows 10 and Office Insider builds happening on an original Surface PC as a testbed. All Windows 10 Pro machines are directly joined to Azure AD and managed via Intune. All machines run no third party AV as Windows Defender is a far better option in my experience.

The WD Sentinel DX4000 runs Windows Storage Server 2008 and I would really like to upgrade this to a newer version of Windows Server, but given an in place upgrade is risky, it will probably be replaced at some stage. However, for the time being it is still doing its job but I’m starting to get more and more issues connecting to it using the Windows 10 Pro machines that are purely Azure AD joined, so I may be forced to make a change soon. I am kind of hanging out till I get better broadband when the NBN rolls into my location (due any day they tell me). When that does happen I’m going to see whether I can shift my whole Windows Storage Server infrastructure completely to Azure and access it all remotely. I’m kind of hesitant to shell out for new hardware that I don’t really need. Moving all or part of my environment to Azure is going to give much more experience in accomplishing this, which is a good thing as more and more businesses are looking to do exactly the same. If I can lift and shift to Azure, and with all my workstations now directly Azure AD joined, it should be a seamless experience, however I won’t know until I try it. Stay tuned here for progress.

My two main tenants are an Office 365 E5 demo and Microsoft 365 Business production environments. The Windows 10 Pro machines are Azure AD joined to the Microsoft 365 Business production domain.

I use all the major browsers:

– Edge – mainly for logging into my production tenant

– Firefox – used with demo tenants

– Chrome – mainly used for non Office/Microsoft 365 browsing. I log into the Chrome with my Google identity to sync extension, bookmarks, etc as well as login to Google properties like YouTube

– Internet Explorer – mainly for logging into my Office 365 E5 tenant and the Azure environment that is also connected to that

I also generally use in private sessions in all the browsers to move between different online identities as needed.

Services like SharePoint Online and OneDrive I use regularly in both the demo and production tenant. I have the OneDrive sync client installed, running and connected to various locations on my production tenant. I am looking forward to the upcoming OneDrive sync client feature that will allow me to sync across different tenants with the one sync client. That will allow me to easily sync both my production and demo environments.

I used to have Skype for Business automatically load at start up but that has been replaced by Microsoft Teams which is now my main messaging application. All the CIAOPS Patron resources like the intranet, team, etc all reside in the Office 365 E5 demo tenant but I connect to it on my desktop normally via an Azure B2B guest account from my production tenant. Thus, I can admin the Patron resources in a browser if need be but I get the same experience on my desktop as any Patron would. Handy to know what works and doesn’t work with Microsoft Teams guest access.

I use LastPass to keep my passwords and private information secure. It allows me to do things like generate and store unique passwords for each website that I sign up for. It is also available across all browsers on my machine (including Microsoft Edge). I also now use LastPass to store secure notes.

The extensions I run in all my browsers are:

LastPass

The extensions I use in Chrome are:

Windows 10 accounts (allows single sign-on to an Azure AD identity)

Windows Defender Browser protection

Pushbullet, which connects alerts from my Android phone to my desktop browser and allows me to share information easily between them.

GetPocket, which allows me to save and categorise website URLs, which I then typically read at a later time. It has its own dedicated mobile app that I can use on any device.

The Great Suspender which puts unused tabs in Chrome to ‘sleep’ to save memory.

Noisli, which provides productivity enhancement thanks to background sounds. My favourite is rain.

Timeline Support which integrates the browser history into Windows Timeline. Really, really handy across multiple machines.

I use the automation sites If This Then That and Zapier to automate many different tasks. A good example of one of these is automatically publishing to various social media sites. I am now using Microsoft Flow more and more for automation and I am still looking to dive deeper using things like Azure Functions in 2018. I also use Socialoomph to post precisely scheduled social media posts, however I am aiming to replace this totally with Microsoft Flow this year.

For my Office 365 and Azure email newsletters I use Mailchimp.

My preferred public social networks for business, in order are:

1. Twitter

2. Linkedin

3. Facebook

Google Plus, which I use for posting my blog announcements to is going away shortly, so that’ll be one less thing to worry about.

The Apowersoft software allows me to display both iOS and Android devices on my Windows desktop which is really handy for demonstrations and presentations.

I also use Yammer extensively but for more specialised roles and thus don’t consider it really a ‘public’ social network, more a private one.

I consume a lot of content from YouTube both for business and personal interest. I also use YouTube extensively for my publicly available training videos.

Microsoft Office desktop software is still part of my everyday workday via applications such as Outlook, Word, Excel, PowerPoint, etc. I use the desktop version of Outlook on my Surface Pro 4 which lives on my desk, but I only use Outlook Web App on my travelling Surface Pro 3 device. I could happily not use Outlook on the desktop any more I believe, but I still use it so I understand the experience for most users. However, I do see the day when Outlook on the desktop begins to lose its appeal.

One of the things I have just added to my desktop version of Outlook is a digital certificate that signs every email that I now send. This helps the receiver confirm that the message they have received is in fact from me and that it hasn’t been altered in any way. I need to spend some more time playing around with email certificates to understand what role they can play in enhancing email security. Add yet another item to the ‘to-do’ list.

The key application from the suite for me is OneNote. OneNote is my go to Swiss Army knife for just about everything digital. I use it to capture all sorts of data. I even use it as a diary, as I have detailed previously here:

One of the ways I use OneNote

The reason OneNote is key is because:

1. Just about everything I put in there is searchable.

2. It is freely available across all platforms.

3. All my information is synced and accessible on all devices.

4. It is available on the web or offline if needed.

There are now two versions of OneNote, the Windows Store OneNote and OneNote 2016. Microsoft have confirmed that there will be no future upgrades to OneNote 2016 and in fact they are starting to remove it from Office 365 implementations. I fully understand and support that move BUT the Windows Store version of OneNote is not yet anywhere near feature parity with OneNote 2016. I’d love to make the switch to only using one version but can’t until many of the features I use in OneNote 2016 appear in the Windows Store version. C’mon Microsoft, let’s get them to feature parity please.

Another key service I use every day along with Office 365 and OneNote is Azure. Typically, I use it for running up virtual machines that I test various things with, but I also use it to back up my local data as well as that of other members of my family using Azure Backup.

Azure desktop backup

There is just so much that can be done with Azure and I pretty much use it every day.

For a subset of my local data that I wish to remain secure I use Truecrypt to create encrypted volumes. All my Windows 10 machines run with full disk encryption thanks to Bitlocker, but stuff like financial and customer data I keep inside Truecrypt volumes for that extra layer of security. I understand that Truecrypt is no longer maintained and may have some very minor security flaws, but for how and why I use it, it is more than adequate.

To capture my desktop for my online training academy or my YouTube channel I use Camtasia. I use SnagIt to capture screen shots and add highlights and emphasis to these. Snagit allows me to capture complete screens or specific areas quickly and easily.

To compose and publish blog articles I use Open Live Writer.

The majority of images I get, like the one at the top of this article, I get from Pexels. Pickit is also another great option and I use the desktop app regularly.

For improved meeting management productivity I use Microsoft FindTime.

A major addition in 2018 was Visual Studio Code, in which I do most of my PowerShell editing and publishing. The end result typically is my GitHub repository, where you will find a range of scripts and other resources that I maintain regularly. With Visual Studio Code I can edit, publish and sync all my machines and my GitHub repository no matter where I am. Very handy.

Here are also a few of the other items I use regularly that are not for business:

Amazon Prime Video – the only place to see the latest The Grand Tour action. I also liked the Jack Ryan series as well as the Gymkhana Files.

XBox Live Gold – access to all the online Xbox goodness.

Duolingo – language learning, Japanese and Italian at the moment

Tinycards – language and facts learning via flashcards. Also handy for certification exams.

So there you have it, the major software and services that I use regularly. I continue to search out additional software that will improve my productivity and I will speak more about what I have changed in an upcoming article, so stay tuned. If you use something that you’ve found really handy, please let me know, as I am always keen to explore what works for others.

Core Microsoft Cloud IT Professional Skills

Last year I wrote an article about:

Core Professional Skills

which are still valid and I encourage you to go and read that article as well as this one.

For this article I want to focus on the more specific core skills for IT Professionals working with Microsoft Cloud Technologies such as Microsoft 365, Office 365 and Azure.

PowerShell

Being able to use PowerShell comfortably in today’s Microsoft Cloud landscape is mandatory I believe. There is so much that you can only do using PowerShell as well as it being the way to be more efficient when managing multiple environments. I am not saying however, that you need to become a developer or start using something like Visual Studio. As I often say, to be proficient in PowerShell you really only need two commands – Ctrl + C and Ctrl + V.

PowerShell allows you to easily take what others have created and run it or improve on it. I fully appreciate however, that getting up and running with PowerShell can be challenging, especially with so many services. With that in mind I wrote this article:

Microsoft Online PowerShell Setup/Update scripts

that will help you get up and running quickly. In fact you’ll find a whole swag of my scripts freely available at:

https://github.com/directorcia

Ensure you check back there regularly as I constantly update and add more scripts.

The best way to become familiar with PowerShell is to use it! If you are doing things using the web interface, try replicating that task with a PowerShell script. Yes, it might take a little longer initially, but once you have the script you can re-use it over and over again. That’s one of the benefits of scripting.
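As an added example of replicating a portal task with a script (this is not code from the original post or from the author's GitHub repository), the following takes the per-user MFA status list that the admin portal shows and reproduces it with the MSOnline module's Get-MsolUser cmdlet. It assumes the MSOnline module is installed and that you sign in with an account that can read user settings; the CSV file name is just a constructed placeholder.

```powershell
# Added example (not from the original post): replicate the portal's per-user MFA
# status list with PowerShell, using the MSOnline module's Get-MsolUser cmdlet.
# Assumes the MSOnline module is installed and an admin account to sign in with.
# Install-Module MSOnline    # one-off, if the module is not already present

Connect-MsolService            # prompts for admin credentials

# StrongAuthenticationRequirements is empty when per-user MFA is Disabled;
# otherwise its State is 'Enabled' or 'Enforced', the same values the portal shows.
$report = Get-MsolUser -All | ForEach-Object {
    $state = if ($_.StrongAuthenticationRequirements.Count -gt 0) {
        $_.StrongAuthenticationRequirements[0].State
    } else {
        'Disabled'
    }
    [PSCustomObject]@{
        DisplayName       = $_.DisplayName
        UserPrincipalName = $_.UserPrincipalName
        MfaState          = $state
        Licensed          = $_.IsLicensed
    }
}

# Same view as the portal page, but now re-usable: sort, filter, export
$report | Sort-Object MfaState, DisplayName | Format-Table -AutoSize

# Licensed users with MFA still Disabled are the ones to follow up on
# (file name is a constructed placeholder)
$report | Where-Object { $_.Licensed -and $_.MfaState -eq 'Disabled' } |
    Export-Csv -Path .\mfa-disabled-users.csv -NoTypeInformation
```

Once saved, this runs in seconds against any tenant you administer, which is exactly the re-use benefit described above. Note that Microsoft has since deprecated the MSOnline module in favour of Microsoft Graph PowerShell, so the same report will eventually need to be rewritten against Graph.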

PowerShell skills are not limited to the cloud; just about every Microsoft product supports PowerShell in some form. That is a big differentiator when considering suppliers. For example, if you become a CIAOPS Patron, you get access to a best practices script that I have created which configures over 20 different items and services in a tenant to make it more secure and easier to use. You couldn’t do that easily across different vendors.

An investment in PowerShell as an IT Pro is simply a ‘must’ for anyone who wants to remain relevant in the Microsoft world going forward.

Identity

Understanding identity is something few IT Pros really have a good grip on in my experience, especially when it comes to the cloud. In short, there has to be a single master source of user identity somewhere in the environment. On prem, that was typically the domain controller. In the pure cloud that is Azure AD. However, things start to get complicated when you are talking about Azure AD Connect syncing and things like ADFS. This can place identity in multiple locations, BUT the master is still in one place (on prem in both of those cases). Now add to the mix things like Azure B2B and B2C; where is the master identity now? Further, add Azure AD Premium and enable attribute write back. Again, where is the master identity? Now add device management with the likes of Intune and you see pretty quickly how all of this stuff depends on identity. Get that wrong and stuff just doesn’t work.

You soon see that identity can involve a lot of moving parts very quickly. However, there are still basic principles that it conforms to, but in my experience few IT Pros seem to know these. Without these basic skills you are going to end up chasing your tail when troubleshooting, or potentially creating security holes during configuration.

Start with understanding the basic three Microsoft Cloud identity models – Cloud only, Synchronised, and Federated. Understand what the fundamental differences are between on premises AD and Azure AD (and there are plenty). Once you have a good grip on that start adding options like B2B, B2C, Azure AD Premium and so on.
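As an added example (not code from the original post), here is how to read the identity model straight out of a tenant's own configuration rather than guessing: federated verified domains mean Federated, directory sync without federation means Synchronised, and neither means Cloud only. It uses the MSOnline cmdlets Get-MsolCompanyInformation, Get-MsolDomain and Get-MsolUser and assumes that module is installed and an admin sign-in is available.

```powershell
# Added example (not from the original post): identify which of the three
# Microsoft Cloud identity models a tenant uses (Cloud only, Synchronised,
# Federated) from its configuration, and where each user's master copy lives.
# Assumes the MSOnline module is installed and an admin account to sign in with.

Connect-MsolService

$company = Get-MsolCompanyInformation
$domains = Get-MsolDomain | Where-Object { $_.Status -eq 'Verified' }

# Federated domains hand authentication off to an on-premises STS such as AD FS
$federated = $domains | Where-Object { $_.Authentication -eq 'Federated' }

$model = if ($federated) {
    'Federated'
} elseif ($company.DirectorySynchronizationEnabled) {
    'Synchronised'
} else {
    'Cloud only'
}

[PSCustomObject]@{
    Tenant              = $company.DisplayName
    IdentityModel       = $model
    DirSyncEnabled      = $company.DirectorySynchronizationEnabled
    LastDirSync         = $company.LastDirSyncTime          # $null when never synced
    PasswordSyncEnabled = $company.PasswordSynchronizationEnabled
    FederatedDomains    = ($federated.Name -join ', ')
}

# The master identity for a synced user is on-premises AD; for a cloud-only
# user it is Azure AD. LastDirSyncTime is only set on synced objects.
Get-MsolUser -All |
    Select-Object UserPrincipalName,
        @{ Name = 'MasterSource'; Expression = {
            if ($_.LastDirSyncTime) { 'On-premises AD' } else { 'Azure AD' } } } |
    Group-Object MasterSource |
    Select-Object Name, Count
```

A tenant where the first part reports Synchronised but the second part shows cloud-only users alongside synced ones is the mixed situation the paragraph above warns about: two masters, and any change made in the wrong place will be overwritten or silently ignored.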

Understanding how identity works in a hybrid and mobile world is critical for many aspects of IT today, and nowhere more so than security. Spend the time to learn the basics and you’ll greatly reduce the chance of oversights or misunderstandings.

Use the stuff you sell

Another thing that constantly amazes me is the number of IT Pros who DON’T use the services, like Office 365, that they actually sell to customers. Many still use on premises mail servers! Yes, there is an investment to be made coming up to speed with a range of new technologies, but the best way to do this is to use them every day and learn in small increments. Simply ignoring them is merely kicking the can further down the road and making the mountain you eventually have to climb that much higher.

Sure, everything in Office 365 may not be relevant, but IT Pros should know something about everything on there. They should have some very basic idea of what each service does and how it could potentially help their customers. They don’t need to be an expert in it. If need be they can delegate that off to a partner who specialises in that particular service. Office 365 is now so large that most can’t, and shouldn’t, do everything. However, they should always have the option to refer a colleague who can help if a customer asks about something they don’t know, because sooner or later the customer is going to ask what that service they have no idea about does. Not even knowing the basics of what it does looks really bad.

Some of the services in Office 365 you’ll probably need to play with and work out how they can benefit a business. This makes it easier to sell to and support customers. A recent good example I saw was a large Microsoft reseller business sending out surveys using the free version of Surveymonkey! Sure, Surveymonkey can do the job, but what about using Microsoft Forms and then integrating that with Microsoft Flow for automation, because the survey task doesn’t end with just collecting responses now, does it? I’ve built a number of automated services in my business using Microsoft Flow, many of which I can sell to customers to also help streamline their business. What about things like Power BI and what it can do, etc, etc.

Every service in the Microsoft Cloud provides the potential to offer services around it and therefore generate revenue. You don’t make money doing what everyone else does (i.e. migrating emails); that is a commodity market. You make money doing what few others can or want to do. The more work it takes to get into that area, the less competition there is and will be, and the higher the margins. That’s just simple business investment mathematics for you.

The opportunities inside the Microsoft Cloud of Office 365, Microsoft 365, Azure, etc are endless, yet I see the majority of resellers doing next to nothing with these services themselves. Selling and supporting the stuff is so much easier when you actually use the stuff! Most partners also get the stuff from Microsoft for free. Go use it! NOW!

Become certified

For those that need some sort of syllabus to follow to learn the Microsoft Cloud I would suggest you consider completing the new certifications that are available for both Azure and Microsoft 365. I have written about

The benefits of certification

in the above article. It is not about getting a ‘bit of paper’; it is about using them as a focused way to learn the products, with the added benefit of being able to prove that you know your stuff.

I see that such certifications are going to become a real point of differentiation going forward. Office 365, Microsoft 365, Azure and the like are now common services that anyone and everyone can purchase and access. Thus, many believe they know what they are doing with these services but few really do. The only real way to get an independent verification of this knowledge is going to be via certifications.

I have been called in to help so many customers with absolutely criminal Microsoft Cloud configurations done by some so-called ‘cloud guru’ who clearly had no idea at all of the products or what they were doing in any way, shape or form. Many customers are becoming far more cautious about whom they trust their cloud services to, as they should be. They should really be asking questions about the experience and knowledge of those working with these systems. Ask yourself, how can you truly and honestly demonstrate your knowledge and experience with the Microsoft Cloud? If you can’t, then certifications may be an option worth considering.

Above all else, I believe certifications provide a structured learning path and testing of your knowledge. You shouldn’t be afraid of failing a certification exam; you won’t die. Believe me, you won’t. I haven’t, and I’ve failed plenty of exams! See it as a way to confirm your knowledge in a controlled environment. Personally, I’d rather find out that my knowledge wasn’t as strong as I thought in an exam rather than in the heat of battle. See certifications as a primary way to verify and expand your knowledge while reinforcing your commitment to professionalism in your chosen field.

Security starts at home

There is little doubt that IT security is now a big thing in the age of the cloud. Everyone is so dependent on IT systems today. No matter what the size of the business, IT security matters! Bad actors are smart operators. They know where Aladdin’s cave is typically located, inside an IT business. Why? Because inside an IT business is normally the keys to many, many other systems. If they can get in here, then the rewards can be enormous. That means IT Pros and IT businesses are big and enticing targets to crack.

If you are an IT Pro, ask yourself whether you take security seriously. Are all your devices, phones, computers, files, etc encrypted at rest? Are you using MFA everywhere you can? Do you have good and unique passwords? Do you have alerting set up on your own environment? Have you reduced the surface area for attack as much as you can? Where is your documentation? What is your disaster recovery plan in case of internet outage, power outage, building inaccessibility, etc?

Unfortunately, my experience is that many IT Pros don’t follow industry best practices when it comes to security. They don’t have a good understanding of attacks and vulnerabilities and tend to give security best practices a lower priority than getting the job done. For example, creating full admin accounts just to get something working, or overriding security just to get a PowerShell script running. Yes, more security is painful, but that’s the idea. You want to make it as hard as you can for the bad actors.

Take a good hard look at all your systems and ask yourself if they are as secure as they could be. You’ll have to ask this question over and over again because the landscape is constantly changing. The price of security is eternal vigilance. Have you got things like Protection alerts enabled? What about Activity alerts? Activity auditing? Most importantly, do you have a checklist which you use to enable security? If you don’t, why don’t you? Do things randomly and you get random results, or in this case vulnerabilities.
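The alerting and auditing questions above are the kind of thing that belongs on a repeatable checklist, so here is an added example (not the original post's code, and not the CIAOPS best practices script mentioned earlier) that checks three of them against a tenant with the ExchangeOnlineManagement module: whether the unified audit log is ingesting, whether any protection alert policies have been switched off, and whether mailbox auditing has been bypassed at the organisation level. It assumes that module is installed and that the signed-in account holds the Exchange and Security & Compliance admin roles those cmdlets require.

```powershell
# Added example (not from the original post): a small security checklist script
# for the auditing and alerting questions above, using the ExchangeOnlineManagement
# module. Assumes the module is installed and the account used has the Exchange
# Online and Security & Compliance admin roles these cmdlets require.
# Install-Module ExchangeOnlineManagement    # one-off

Connect-ExchangeOnline                 # Exchange Online cmdlets
Connect-IPPSSession                    # Security & Compliance cmdlets

$findings = @()

# 1. Activity auditing: is the unified audit log switched on at all?
$audit = Get-AdminAuditLogConfig
$findings += [PSCustomObject]@{
    Check  = 'Unified audit log ingestion enabled'
    Result = [bool]$audit.UnifiedAuditLogIngestionEnabled
    Detail = "AdminAuditLogEnabled=$($audit.AdminAuditLogEnabled)"
}

# 2. Protection alerts: which alert policies exist, and have any been disabled?
$alerts   = Get-ProtectionAlert
$disabled = $alerts | Where-Object { $_.Disabled }
$findings += [PSCustomObject]@{
    Check  = 'All protection alert policies enabled'
    Result = ($disabled.Count -eq 0)
    Detail = "$($alerts.Count) policies, $($disabled.Count) disabled: $($disabled.Name -join ', ')"
}

# 3. Mailbox auditing: make sure it has not been bypassed for the whole organisation
$org = Get-OrganizationConfig
$findings += [PSCustomObject]@{
    Check  = 'Mailbox auditing not disabled at org level'
    Result = -not $org.AuditDisabled
    Detail = "AuditDisabled=$($org.AuditDisabled)"
}

$findings | Format-Table -AutoSize

# Only the audit log switch is safe to turn on unattended; alert policies are
# best reviewed by hand because their recipients and thresholds are tenant-specific.
if (-not $audit.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}
```

Run it on a schedule and keep the output with your documentation; a checklist you can re-run is what turns "eternal vigilance" from a slogan into something you actually do.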

Yes, security is hard. Yes, there are lots of options. But this is exactly what the bad actors exploit. They exploit the simple fact that people don’t want to put in the effort to be secure. That lack of effort sooner or later results in real financial loss.

The best way to sell security is to implement it throughout your business. Ask yourself regularly, is this as secure as I can make it? Once you are serious about security, others will see that and understand why they should be also. If they don’t, even after you have shown them, why should you continue to deal with them? Perhaps those businesses are not ones you should be associating with, because we are all only as secure as the weakest link in the chain, and the closer you are to the vulnerable system the more financial damage your business is likely to feel when something inevitably happens.

Take responsibility for IT security seriously. Start with your own systems and be the example of why others should do the same.

Write stuff down

Whether you use pen and paper, OneNote, a blog, or whatever, there is NO WAY you can keep all this stuff in your head! My number one destination for information is OneNote for many, many reasons. It doesn’t matter what you use. Just use something!

The benefit of maintaining a blog is that, firstly, it is available everywhere there is the Internet. Next, it may in fact help someone else. If you are reading this then you have benefited from what I post publicly. That’s the power of blogging. Adding to the aggregated knowledge of Microsoft Cloud services available for free is a good thing. Your unique experience and situation may one day turn out to help someone else in need. Pay it forward, as they say.

Another benefit of a blog is that you can point people to it to demonstrate your knowledge and dedication to your craft. Even if your destiny is not as a business owner, having a regularly updated blog makes you stand out from all the ‘wannabes’ out there claiming to be IT Professionals. You don’t have to be more right than everyone else; you just need to show you are learning. True IT Professionals NEVER stop learning. They are not afraid to try and fail because that teaches them what not to do next time.

Learning is the one skill that once mastered will serve you no matter what changes happen in the industry, in your profession or in your life. You become better when you learn something. You become great when learning becomes part of your daily routine. Remember, most people in this game don’t actually have a structured learning system. They react, scramble around, do internet searches until something random puts out the fire. As they say, do random things and you get random results. Winners have systems. Be a winner, build a system.

True IT Professionals take a professional approach to their business and career. They are proud of the work they do and look to push themselves to improve. They are always looking to improve, invest in themselves and add value while helping others. They are humble enough to appreciate that they need to continue to learn in this profession and welcome the challenge of developing their knowledge of the products and services that are available. They are always willing to help others and recognise those that help them. But most of all, they embrace the challenge that the IT profession provides them.