Using the Microsoft Graph with multiple tenants

In a recent article:

Making PowerShell automation easier with the Microsoft Graph

I showed how to use the Microsoft Graph to embed an Azure AD application in a single tenant and then use that to make Graph queries against. What happens when you want to that across multiple tenants?

To achieve this you’ll need to basically do three things:

1. Embed a ‘static’ Azure AD application in all the tenants you wish to access.

2. Give those ‘static’ Azure AD applications, in all those tenants, the appropriate permissions to access the tenant values.

3. Run a Graph request against these Azure AD applications in each tenant and extract the results you want.

This article is going to look at Step 1 of this process.

So, the task at hand is to create a ‘static’ Azure AD application in all the tenants we want to access. I have detailed how to achieve this manually before here:

Using interactive PowerShell to access the Microsoft Graph

That may prove time consuming if you wish to do this across many tenants, so I have automated it via a freely available program here:

https://github.com/directorcia/Office365/blob/master/graph-adapp-add.exe

image

You can download the file into any directory on your machine. Best best is to use a Windows 10 machine that already has the AzureAD PowerShell module installed. This program will also generate a number of configuration files in the current directory for each domain you connect to.

image

Running the program will launch the PowerShell script as shown. You’ll then be prompted for the name of your Azure AD application. This is the display name that will appear inside your Azure AD. This name will be the same across all tenants you connect to. Here I’ve chosen to call my Azure AD application ciaops.

image

You’ll then be prompted for the email address of a tenant administrator with the rights to create an Azure AD application.

image

You’ll then be take through the normal sign in process for that tenant with that user as shown above. This will include any MFA if required.

image

The tenant will be check to see if an existing Azure AD application of the same name already exists and if it does you’ll see a warning like shown above. The program will then skip adding an Azure AD Application to this tenant and move on to the next tenant.

image

Assuming no Azure AD application of the same name exists in that tenant you’ll see that a new Azure AD application of that name is created. When a token is created in a tenant there are fours pieces of information that will need to be saved:

1. Application ID

2. Object ID

3. Application secret

4. Tenant ID

Each of these will be written to a secure configuration XML file I’ll explain in detail below. For now, just appreciate that these values need to be written securely to files so they can be used later. To achieve that, the program uses the get-credential PowerShell command to capture these securely to be written.

image

To complete this process all you need to do is use the Paste command (i.e. CTRL+V) when prompted at the password field as shown.

image

So here, simply hit CTRL+V and then ENTER. The actual value you are pasting is a few lines up in the display as you can see above if you need it.

image

You’ll need to complete that process four times for each variable as shown above.

You are then prompted for the next domain you wish to add an Azure AD application to. You repeat the same entry process for each new domain you wish to use.

image

When you have no more domains to configure, simply press Enter at the admin domain prompt. At that point, the program will disconnect from any Azure AD and use the captured credentials to check whether it can access all these tenants. To do this, it reads from the saved configuration files and makes a basic read request to the Microsoft Graph using the Azure AD application details for each tenant to verify success. It merely tests that it can get the Graph API for that tenant.

At this point you now have an Azure AD application of the same name, inside each tenant you configured, with no permissions to anything with the Graph.

image

If you now return to the directory where you ran the program from you’ll see a number of additional files as shown above.

The graph-adapp-set.txt is a log of the whole process so you can see what has happened.

You’ll also see four XML files per tenant. These contain the important variables for the tenant mentioned previously. They are in format of:

<domain>-tenid.xml – holds encrypted Tenant ID

<domain>-appsec.xml – holds the encrypted application secret of the Azure AD application for the tenant

<domain>.objid.xml – holds the encrypted Object ID of the Azure AD application for the tenant

<domain>.appid.xml – holds the encrypted Application ID of the Azure AD application for the tenant

Storing these details on a workstation is not the most secure option I agree, but it’s a starting point for what I’ll show you down track (read Azure Key Vault). However, because some people want the flexibility and simplicity of local files that’s where this starts.

image

If you examine one of these XML configuration files more closely, as shown above, you’ll see that the variable name (here AppSec) is stored in the Username field and the Password field has a long string of characters. You’ll notice that these characters actually don’t in anyway match the actual Appsec value that was captured earlier. That value was:

SNAGHTML10314b8e

This means that the actual tenant variables save in the files are encrypted, so they can’t be easily recovered.

image

To get the unencrypted values back you’ll need to use the PowerShell import-clixml as shown above.

image

Well, you maybe thinking that it is easy enough to copy these configuration files to another PC and decrypt them there. Not so fast my sneaky friend, because the way these details are encrypted is that they are locked to just THAT machine and just THAT logged in user! As you can see from the above, if you try and decrypt these files with another user on that same PC or on another machine, you can’t.

All of this comes about because of the use of the export-climxl command to save the variables, which says:

The Export-Clixml cmdlet encrypts credential objects by using the Windows Data Protection API. The encryption ensures that only your user account on only that computer can decrypt the contents of the credential object. The exported CLIXML file can’t be used on a different computer or by a different user.

That’s why you needed to do that CTL+V paste command for each variable previously so that the variable could be saved as a credential object and take advantage of this encryption process.

This has now achieved STEP 1 in the process I spoke about initially to allow secure access to multiple tenant using the Microsoft Graph.

image

So what does the program actually do to each tenant behind the scenes? It is easy to see. Simply visit the Azure AD Directory location in the Azure portal for that tenant. If you then select the App registration from the menu on the left, and ensure you are viewing All Applications, you should see the application with the name you entered displayed on the right as shown above. Here, ciaops.

image

If you select the application name to get more details you’ll many of the variables saved to XML files as shown above.

image

If you then select API permissions on the left you will see that, as yet, no permissions have been given to this Azure AD Application (although they will be in an upcoming article).

However, we are not quite done yet as I have also created a program that will remove all of these Azure AD applications created quickly and easily. To do that download the program:

 https://github.com/directorcia/Office365/blob/master/graph-adapp-del.exe

image

You need to place it into the directory where all the tenant configuration file are located as shown. Double click the program to run.

image

To remove that Azure AD application you’ll need to log back into every tenant interactively as shown above. You’ll see the same of the tenant that it wants credentials for in the program flow.

image

Once you have provided access to the tenant, the Azure AD application will be deleted along with the configuration files. You’ll then be take to the next tenant and asked to repeat the process.

image

Once there are no more configuration files found the program will end.

Remember, this program will delete every matching tenant it finds configuration files for in the current directory. If you only want to delete a subset of the total tenants you have configured, move the other configuration files out of the current directory until this process is complete.

In summary then, the programs that I have created and made available for free will create a ‘static’ Azure AD application in all the tenants you select. The idea in upcoming articles will be to show you how this ‘static’ embedded Azure AD application can now be used to report and potentially change the configuration of multiple tenants quickly and easily. I also provided a program to also remove all these Azure AD applications from tenants.

Next step will be to give the Azure AD applications appropriate permissions and then get some information from the tenants WITHOUT the need of manually logging into each.

Full Azure AD P1 is coming to Microsoft 365 Business

image

One of the frustrating things about Microsoft 365 Business was that it didn’t include the full Azure AD P1 feature set. It had about 80%. This unfortunately created a lot of confusion for people to know exactly was and was not included. For example, Dynamic Groups WAS part of Azure AD P1 but NOT part of Microsoft 365 Business.

That was until now! Per the above Message Center notification, Microsoft 365 Business will receive the full Azure AD P1 from April 2020! Seems like all of us (including Alex Fields, got our Christmas wish)

Thanks Microsoft, that’s going to make things much easier.

Secure logging with Microsoft 365 presentation

Here’s the slides from my longer presentation today at Ignite Copenhagen

Securely logging to Microsoft 365

Getting access to your information in Microsoft 365 starts with logging in but is it secure as it could be? Understanding security options at the point of entry like MFA, Legacy Authentication and Conditional Access on all devices is critical to keeping information protected as it is not only you that is trying to log into your account these days! Learn what security technologies you can add at login and the best practices approaches to configuring and monitoring these. Security starts  at the doorway to Microsoft 365 and simple configurations can greatly reduce your risks of unauthorised access. Come and learn what can be done.

https://www.slideshare.net/directorcia/securely-logging-to-microsoft-365

Moving to the Cloud–Part 3

This is part 3 of a multi part examination of moving to the Microsoft cloud. If you missed the first episode, you’ll find it here:

Moving to the Cloud  – Part 1

which covered off setting up a site to site VPN to Azure and

Moving to the Cloud – Part 2

which looked at creating traditional ‘dive mapped’ storage as PaaS.

It is now time to consider identity. We need to know where a user’s identity will live in this new environment because there are a few options. Traditionally, a user’s identity has lived on premises in a local domain controller (DC) inside an Active Directory (AD). With the advent of the cloud we now have Azure Active Directory (AAD) as an option as well. It is important here to remember that Azure Active Directory (AAD) is NOT identical to on premises Active Directory (AD) per:

image

What this means is that native Azure AD (AAD) can’t do some things that on premises Active Directory (AD) can do. Much of that is legacy services like Group Policy and machine joins, etc. You’ll see that Windows 10 machines can be joined to Azure AD (AAD) directly but legacy systems, like Windows 7, 8 and Windows Servers can’t be directly joined to AAD. That’s right. As we stand today, even the latest Windows Server cannot be directly joined to AAD like it can be joined to an AD on premises.

Thus, if you have legacy services and devices as well as Windows Servers you want to remain as part of your environment, you are going to need to select an identity model here that supports traditional domain joins. I will also point out that, as of today (changing in the future), if you want to implement Windows Virtual Desktop (WVD), you will also need a traditional AD to join those machines to. However, if you have no devices that require legacy services, for example if your environment is totally Windows 10 pro based with no servers (on prem or in Azure IaaS), then all you will need is Azure AD.

Thus, not every one can jump directly to AAD immediately. Most will have to transition through some form of hybrid arrangement that supports both AAD and AD in the interim. However, most transitions are ultimately aimed at eliminating on premises infrastructure to limit costs such as patching and updating things like physical servers. This will be what we are aiming for in this scenario.

In a migration from a traditional on premises environment with a domain controller (DC) and AD we now have a number of options when it comes to identity in the cloud.

1. You can maintain the on premises domain controller and AD, while using Azure AD Connect to synchronise (i.e. copy) the user’s identity to the AAD. It is important to note here that the identity in Azure is a COPY and the primary identity remains on premises in the local AD. This is still the case if you implement things like password write back that are part of Azure AD P1 and Microsoft 365 Business. Having the user’s primary identity still on premises means this is where you need to go to make changes and updates.

2. You can swing the domain controller from on premises to Azure IaaS. This basically means setting up a new VM in the Azure VNET that has been created already, joining it to the existing on premises domain across the VPN, then using DCPromo to make it a domain controller. To make it the ‘primary’ domain controller, you swing across the domain infrastructure roles via the following in PowerShell:

Move-ADDirectoryServerOperationMasterRole -Identity “Target-DC” -OperationMasterRole SchemaMaster,RIDMaster,InfrastructureMaster,DomainNamingMaster,PDCEmulator

and then DCPromo the original on premises domain controller out and then remove it altogether. This way you now have your Domain Controller and AD on the VM in Azure IaaS working with machines in the Azure VNET and on premises thanks to the site to site VPN established earlier (told you it would be handy!). In essence, this is like picking up the domain controller hardware and moving it to a new location. Nothing else changes. The workstations remain on the same domain, group policy is unaffected, etc, etc. The downside is that you still need to continue to patch and update the new domain controller VM in Azure but the maintenance and flexibility is superior now it is in Azure IaaS.

3. You replace the on premises domain with Azure AD Domain Services. Think of this like a cloud domain controller as a service. It is a Domain Controller as PaaS. This means that when you use Azure AD Domain Services Microsoft will spin up two load balanced domain controller VMs and connect this directly to AAD so the users there now appear in the PaaS domain controllers. Using Azure AD Domain Services removes the burden of you having to patch, update, scale, etc domain controllers for your environment. It also gives you a traditional AD environment you can now connect things like servers to. However, there are some trade offs. When you use Azure AD Domain Services you must start a new domain. This means you can’t swing an existing domain across onto it, like you can in step 2 above. This means detaching and reattaching all your legacy devices, like servers, from the original to new domain. You also get limited functionality with traditional AD services like Group Policy. You should see Azure AD Domain Services as a transitionary step, not an end point.

With all that in mind, you need to make a decision on what works best for your environment, now and in the future. Considering that most environments I see want to eliminate the on premises domain controller hardware as soon as possible and not replicate this going forward. That desire therefore means a migration to PaaS using Azure AD Domain Services.

The first step in this process then is going to be to ensure that all your users are in Azure AD. The assumption here is that you have already set up your Microsoft 365 environment and the users are configured in Azure AD. If you retaining an on premises domain controller you’ll need to have set up Azure AD Connect to copy the user identities to Azure AD. Azure AD is where Azure AD Domain Services will draw it’s identities when it is installed, so the users need to be there first. Once the users appear in Azure AD, next step will be to set up Azure AD Domain Services. You can kind of think of a traditional on premises domain controller as somewhat being equivalent to Azure AD combined with Azure AD Domain Services.

Setting up Azure AD Domain Services is done via the Azure portal.

image

Login as a global administrator and locate Azure AD Domain Services and select that.

image

You’ll most likely find that no services are as yet configured. Select the Add option from the menu across the top as shown above.

image

You then need to complete the details. Here we face an interesting question, what should we call this new ‘traditional’ managed domain we are about to create with Azure AD Domain Services? Should it be the same as what is being used in Azure AD already?

image

image

How you configure this is totally up to you. There is guidance, as shown above, which can be found at:

Active Directory: Best Practices for Internal Domain and Network Names

In this case I have decided to go for a sub-domain, as recommended, and prefix the new Azure AD Domain Services with the letter ‘ds’ i.e. ds.domain.com.

image

With all the options completed, select Next – Networking to continue.

image

Unfortunately, you can’t configure Azure AD Domain Services on the same subnet that has service endpoints as you can see above. You’ll see this if you configured your Azure storage to use private endpoints as we have, which has been previously recommended.

If so, then you can select the Manage link below this box and simply add a new subnet to your Azure VNET and then use that to connect Azure AD Domain Services to.

image

Before you continue to Administration, ensure that you are adding Azure AD Domain Services to your existing Azure VNET as the default is to create a new VNET, which is NOT what you want here. You want to connect it to an existing VNET you have established previously.

When you have selected your existing Azure VNET and a suitable subnet, select the Next – Administration button to continue.

image

Here you’ll need to decide which users will be administrators for the domain.  So from the documentation:

What can an AAD DC Admin do?

Only Microsoft has domain admin and enterprise rights on the managed domain. AAD DC Admins can do the following:

  • Admins can use remote desktop to connect remotely to domain-joined machines

  • Admins can join computers to the domain

  • Admins are in the administration group on each domain-joined machine

Considerations for the AAD DC Administrators group

  • Pick group members for the AAD DC Administrators group that have these needs:

    • Users that need special administrative permissions and are joined to the domain

    • Users that need to join computers to the domain
  • Do not change the name of the AAD DC Administrators group. This will cause all AAD DC Admins to lose their privileges.

The default will be your global administrators and members of a special group called AAD DC Administrators, that will be created. So, you can simple add any Azure AD user to this group and they will have admin privileges in the  Azure AD Domain Services environment going forward.

You can of course configure these permissions any way you wish but generally the defaults are fine so select the Next – Synchronization button to continue.

image

The final question is whether you wish to have all or a subset of your Azure AD users synchronised into the Azure AD Domain Service environment. In most cases, you’ll want all users, so ensure that option is select and press the Review + create button to continue.

image
image

You should now see all your settings and importantly, note the box at the bottom about consenting to store NTLM and Kerberos authentication in Azure AD. This is because these older protocols have potential security concerns and having them stored in a place other than a  domain controller is something you need to be aware of. Generally, there won’t be any issues, but make sure you are aware of what that last box means for your security posture.

Press the Create button when complete.

image

You’ll then receive the above warning about what configurations options can’t be changed after the fact. Once you have reviewed this and you wish to proceed, select the OK button.

Your deployment into Azure will then commence. This process should generally take around 1 hour (60 minutes).

image

You should see the above message when complete and if you select Go to resource you’ll see:

image

You’ll note that it still says Deploying here, so you’ll need to wait a little longer until that process is complete.

image

In about another 15 minutes you should see that the domain is fully deployed as shown above. Here you will note that two domain controllers have automatically been allocated. In this case they are 10.0.1.5 and 10.0.1.6 on the subnet into which Azure AD Domain Services was deployed. You can select from a number menu options on the left but the service is pretty basic. Most times you’ll only need to look at the Activity log here from now on.

Can you actually manage the domain controllers like you can on premises? Yes, somewhat. To do that you’ll need to download and install the:

Remote Server Administration Tools for Windows 10

on a Windows 10 workstation that can access these domain controllers.

image

You can then use that to view your domain in the ‘traditional way’ as shown above.

Thus, with Azure AD Domain Services deployed, you have a ‘traditional’ domain but without infrastructure and with your Azure AD users in there as well.

The summary of the options around identity here are thus:

1. Primary = local AD, Secondary = none (which can be linked to Azure via a VPN)

2. Primary = Azure AD, Secondary = none (no on premises infrastructure like servers to worry about)

3. Primary = local AD, Secondary = Azure AD (thanks to Azure AD Connect, but need a VPN again to connect to Azure IaaS)

4. Primary = Azure AD, Secondary = Azure AD Domain Services (which can be linked backed to on premises via a VPN)

In this case, we’ll be going with Option 4. You can see however that a VPN is going to be required for options 1, 3 and 4. That’s why one of the first steps in this series was to set one up.

With all that now configured, let’s now look at the costs involved. The costs here will vary on what identity solution you select. If you stay with an on premises domain controller only, you will need to have site to site VPN to resources in Azure. The costing for this has been covered previously:

Moving to the Cloud  – Part 1

and equates to around AU$36 per month with less than 5GB of traffic inbound to Azure. Azure AD Connect software you use to synchronise user identities to Azure AD is free.

If you move the domain controller to a virtual machine in Azure, there will be the cost of that virtual machine (compute + disk storage). The cost will therefore vary greatly on what VM type you select. I’ll be covering more about VM options in this migration in an upcoming article, but for now let’s keep it simple and say we use a A2v2 Standard VM (4GB RAM, 20GB HDD) for a single role as just a domain controller. The cost for that is around AU$76 per month. If you also still have on premises infrastructure, like Windows Servers, that need access to the domain, then you’ll also need a site to site VPN to communicate with the domain controller VM in Azure IaaS. Thus, to move the domain controller to Azure IaaS and still allow access to on premises infrastructure the cost would be around AU$112 (Azure VM + VPN). Of course, if you can migrate all your on premises server infrastructure to Azure IaaS, you probably wouldn’t need the VPN but there would then be the costs of the additional infrastructure in Azure. Balanced against this cost in Azure IaaS is the saving in local hardware, power, etc.

Again, let’s keep it simple for now and say we want to maintain on premise infrastructure but have a dedicate domain controller in the Azure IaaS so the one on premises can be de-commissioned. That means the costs would be AU$112 per month for a domain controller in Azure IaaS and a VPN back to on premises.

Finally, the last identity option is if we wanted to use the Azure PaaS service, Azure AD Domain Services, which means no infrastructure at all but also means we need to start with a new ‘clean’ domain separate from the existing on premises one. The costs of this Azure PaaS service can be found at:

Azure Active Directory Domain Services pricing

which reveals:

image

For smaller directories (<25,000 objects) the cost is going to be AU$150 per month flat. Remember, here when equating costs, there are no VMs to backup or operating systems to patch because it is PaaS. This is a domain controller as a service and Microsoft will take care of all the infrastructure “stuff” for you as part of that service. Of course, if you need on premises infrastructure to access Azure AD Domain Services, you’ll again need a site to site VPN to get there. If all your infrastructure is cloud based, then no site to site VPN is required. However, in this scenario, we still want access to on premises infrastructure so the costs would be AU$186 per month (Azure AD Domain Services + VPN).

In summary then, the configuration options/costs will be:

Option 1. Retain on premises AD = AU$36

Option 2. Move domain controller to Azure IaaS = AU$112 (estimated typical cost)

Option 3. Migrate domain controller to Azure PaaS = AU$186 per month

Going forward we’ll be selecting Option 3, because we are aiming to minimise the amount of infrastructure to be maintained and we want to move to PaaS as soon as possible. That means the total cost of the migration so far is:

1. Site to Site VPN = AU$36

2. Storage = AU$107

3. Identity (PaaS) = AU$150

Total maximum infrastructure cost to date = AU$293 per month

This means we have:

1. Eliminated the old on premises domain controller (hardware, patching, backup, power, etc costs)

2. Can connect to on premises infrastructure to Azure AD (via Azure AD Domain Services and the VPN)

3. Have mapped tiered storage locations for things like archiving, profiles, etc that are PaaS

4. We can now build out a Windows Virtual Desktop environment

The next item that we’ll focus on is setting up a Windows Virtual Desktop environment as we now have all the components in place to achieve that.

Upload Bitlocker keys to Azure AD

Bitlocker is the Microsoft technology that allows you to full encrypt your Windows PC hard disk. This is a good thing as it provides additional security and protection for that device, especially if that device ever gets lost or stolen. Typically, Bitlocker will use the Trusted Platform Module (TPM) chip on your PC to provide the encryption key for BitLocker. This means that the user doesn’t have to type in a password to unlock their drive for use. Now having an automatically managed key raises a question, what happens if you actually need that key? If everything is automated and I never see the key how can I get access to it if needed? If, say, the original PC died and I wanted to recover the original encrypted drive how would I recover? To do that, you’d need the encryption key.

You can manually backup you BitLocker Recovery key to a file or USB drive however, if your device is Azure AD joined then that Recovery Key should be saved directly into Azure AD. Here’s how you check this.

SNAGHTML1d8570c5

If you are using something Microsoft 365 Business and Intune navigate to Intune inside the Azure portal. Select Devices.

image

Select All Devices.

image

Select the PC in question from the list.

image

Now select the Recovery keys option.

image

On the right you should see the Recovery keys listed. You’ll note here that I don’t see the expected BitLocker Key.

image

If you don’t see the Recovery Key for your device go to that device and open BitLocker management on your PC. Select the option to Back up your recovery key as shown.

image

Then select the option to Save to your cloud account as shown. This should then upload the Recovery Key to Azure AD, provided you have an Azure AD joined machine first of course.

image

If you return to the device in Intune and refresh the display, you should now see the Recovery key for you device as shown above.

image

If you do not have access to the Intune portal, perhaps because you are not an administrator, simply navigate to:

https://account.activedirectory.windowsazure.com

and login with your Microsoft 365/Office 365 credentials and view your profile. You should then see any registered device plus the option to get the BitLocker keys as shown. Remember BitLocker is for Windows devices, not iOS or Android.

Even though Azure AD joined machines should save BitLocker keys automatically, I’d suggest you go and have a look and make sure that they are indeed actually there! Best be sure I say.

How I protect my parents using Microsoft 365

boy-car-child-1266014

I’m sure there are many of us out there that continue to provide free unpaid support for our family members. Well, many it isn’t so much free, as a ‘barter’ arrangement in that every time I’m on site I get fed. That type of compensation may of course vary in your particular situation but many IT Pros are expected to support our own family as they use technology. That can be extremely challenging if you don’t do it right. Thanks to the tools available in the Microsoft Cloud, you can quite easily!

One of the benefit of doing security right for your family is that it is going to drastically reduce the amount of support calls you receive. So here’s some of the stuff I do:

1. Everyone has Microsoft 365 Business

This one license ensures that they have commercial grade email and the latest version of Office on their desktops. It ensures that they have both Safe Links and Safe Attachments for their mailboxes to protect against inbound malware and viruses.

2. Everyone runs the latest version of Windows 10 Professional on their desktop

Windows Home has lots of limitations and does not allow connection to Azure AD. Thus, all machines are Windows 10 Professional and all machines update automatically.

3. All machines are joined to Azure AD

I don’t want to have a traditional on premises domain controller to manage these Window 10 machine. By joining all the Windows 10 Professional workstations directly to Azure AD I get the management, security and control that I want all from the cloud.

4. All machines have Intune compliance and configuration policies applied

image

Thanks to Intune, which is part of Microsoft 365 Business, at a glance I can ensure all the machines, including my own, are compliant and configured appropriately.

5. All machines only use Windows Defender as their AV

Windows Defender is the best solution for AV in my experience. I can manage many settings thanks to Intune, although I would like some more I would admit, but I have never had an viruses or malware issues wince ditching third party AV providers a number of years ago. I am considering potentially upgrading to Windows Defender ATP but it is probably not worth the investment given the other steps I am already taking.

6. All machines are covered by Azure AD Premium P1

Azure AD Premium P1 is an add on to Microsoft 365 Business but has a number of very, very handy security features that I use to keep everyone safe.

7. Conditional access is limiting access to devices via IP address

One of the features that Azure AD Premium P1 provides is the ability to set conditional access policies. I have restricted access to my parents logins to be ONLY available on two unique IP addresses, theirs and mine. This means that if they were phished and gave up their logins a remote user would be prevented from logging in thanks to these conditional access policies as they are not connecting from these allowed IP addresses.

In my own personal cases, I also use conditional access policies but I have them set a little broader, typically limited to allowing access just from Australia. If I travel, I need to temporarily adjust the policy to accommodate where I’ll be and then set it back to just Australia when I return.

8. All POP and IMAP access has been disabled to all mailboxes

image

The most common way that random bad actors on the Internet are trying to gain access to accounts is using IMAP and POP3 as you can see from a recent log above. Conversely, all Microsoft 365 mailboxes have both POP3 and IMAP enabled for all mailboxes by default unfortunately. No user needs to access mail via old protocols and thus it is disabled across the tenant.

9. Basic authentication has been disabled on the tenant

Because I have modern devices and software connecting to my information, as I have said before:

Disable basic auth to improve Office 365 security

‘nuff said.

10. All accounts have Multi Factor enabled

All accounts have the requirement for MFA on them. Now, my parents don’t have smart phones or devices other than their PC’s, so how do they access their accounts using MFA? Well, they actually don’t! See item 11 as to how I achieve this.

11. Trusted IPs have been enabled

Once again, thanks to magic of Azure AD Premium P1, I am able to implement Trusted IPs. This means that when a login request comes from a configured Trusted IP the user will not be prompted for MFA even if the account requires it. Thus, thanks to the locations I have already set up with Conditional Access I can also use these same IP addresses to configure Trusted IPs for my parents logins. This means, that their accounts ARE protected by MFA but since they are always logging in from a single IP address that is now trusted, they WON’T be asked for MFA. This, makes it easy on them and hard on the bad guys.

12. I have Office 365 Cloud App Discovery

Again, thanks to the wonders of Azure AD P1 I have Cloud App Discovery which enables me a far more granular logging of events in my tenant. I can see exactly what my parents are actually doing.

I’ve talked about the benefits of Cloud App Security before:

A great security add on for Microsoft 365

and recommend you have it.

13. All machines use password-less Windows Hello logins

All the machines are using Windows Hello, either biometric or a PIN to access the machines. No complex passwords to remember, just a simple PIN number or just sitting in front of the machine now gives my parents access to their desktops. It couldn’t be easier and yet secure.

There are a lot more actions I take on my production tenant to ensure it is secure but the above items are the ones that most affect and protect my parents and their information. As you can see, via the implementation of Microsoft Cloud technologies I have made it both super secure and super easy for them. In most cases they don’t even realise what I’ve done, and that’s the way it should be.

Now, if I can do this for my parents, why are you not doing the same for your business users? Eh?