Need to Know podcast–Episode 200

Well we made it! 200 episodes are now done and dusted. We thank our special guests for attending this episode live, Mark O’Shea and Marc Kean. Of course we can’t forget the co-host Brenton Johnson, who helped make this episode special. We’d also like to thank everyone who shared best wishes and congratulations. It is fantastic to know that people are out there and enjoying what we put together.

This of course is only the beginning of the march towards our next 200 episodes and we hope you’ll all join us for the journey. We’ve come a long way in around 10 years of podcasting and so too has the Microsoft Cloud. What’s it going to be like in another 10 years? Join us on the journey.

Thanks again to both Mark O’Shea and Marc Kean for being part of our special episode and supporting the podcast over the years.

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-200-lets-celebrate/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

@intunedin

@marckean

@contactbrenton

@directorcia

Microsoft Ignite sessions on YouTube

CIAOPS Techwerks whiteboard training–Sydney 31 January

I’ll be hosting an all-day, focused, hands-on technical whiteboard training session on Microsoft Cloud technologies (Office 365, Microsoft 365, Azure, etc) in Sydney on Thursday January the 31st 2019. The course is limited to 15 people and there are still a few places available if you wish to attend.

The content of these events is driven by the attendees. That means we cover exactly what people want to see and focus on doing hands-on, real world scenarios. Attendees can vote on topics they’d like to see covered prior to the day and we continue to target exactly what the small group of attendees wants to see. Thus, this is an excellent way to get really deep into the technology and have all the questions you’ve been dying to know answered. Typically, the event produces a number of best practice takeaways for each attendee. So far, the greatest votes are for deeper dives into Intune, security and PowerShell configuration and scripts, however that isn’t finalised until the day.

The CIAOPS Techwerks events are run regularly in major Australian capital cities, so if you can’t make this one or you aren’t in Sydney on that date, stay tuned for more details and announcements soon. If you are interested in signing up please contact me via email (director@ciaops.com) and I can let you know all the details as well as answer any questions you may have about the event.

I hope to see you there.

Using multiple authenticator apps with a single Microsoft 365 user account

One of the best ways to ensure an account is secure is to enable Multi Factor Authentication (MFA) for it. This means the user logs in as normal with their username and password, but before the login process is complete they must enter another form of verification. That form is typically an SMS, a phone call or an authenticator application on their mobile device.

The best practice with Microsoft 365 is to use the Microsoft Authenticator app, which is available on both iOS and Android. Here’s an overview video:

The way that you set up MFA for a Microsoft 365 account is to login to the Microsoft 365 portal as an administrator and navigate to the Admin center.

image

Then do a search for MFA as shown above. One of the returned results should be Azure multi-factor authentication settings as shown, which you should select.

You should be aware that here you are configuring Multi-Factor Authentication for Office 365 which is a subset of all the features available in Azure Multi-Factor Authentication. You can see the feature comparison here:

MFA version feature comparison

All versions of Office 365 and Microsoft 365 come with Multi-Factor Authentication for Office 365; the more advanced Microsoft 365 plans, such as E3 and E5, come with Azure Multi-Factor Authentication. The discussion here is focused on Multi-Factor Authentication for Office 365 and this applies to all plans.

image

After selecting that option, a notification should appear from the right of the window. Select the Manage multi-factor authentication link that appears as shown above.

image

This should take you to a list of your users as shown above. This will show the MFA status of each user. The above shows you that Alex Wilber currently has an Enforced setting, while everyone else has Disabled.

image

Select the user you want to enable from the list and then select the Enable link on the right as shown.

image

You should now see the above message. Select the enable multi-factor auth button to continue.

image

After a moment or two, you should receive confirmation that MFA is now enabled for the account as shown above. Select the close button to continue.

image

As shown above, you will now see that the status of that user is now Enforced. This means that they have yet to complete their MFA enrolment. Once they have, their status will change to Enabled.

image

After the user enters their login and password into the Office 365 tenant the next time they login, they will see the above message telling them they basically need to enrol in MFA.

image

They should now see a screen like that shown above. In this case we are going to use a mobile app as the means of authentication, so select that option from the top box. In the “How do you want to use the mobile app?” box, select Use verification code. This will require the user to enter a unique code from the authenticator app to verify their identity during login. There is also the option to receive push notifications, BUT if you are going to be using multiple authenticators then best practice is not to do this; I’ll detail why further down when I talk about the scenarios where this multiple-authenticator environment can be used. For now, select Use verification code and then the Set up button underneath.

image

You’ll now see a QR code like the one shown above that you can use with your Microsoft Authenticator app. However, using this does come with limitations.

Firstly, this method doesn’t support third party authenticators such as Google Authenticator or LastPass Authenticator.

image

If you try to use those you’ll get an error like you see above and be unable to configure the third party authenticator.

image

Secondly, if you try and use the same QR code on another device running a second Microsoft Authenticator app then you’ll see the above error, basically telling you that the QR code has been used before (which it has).

image

The trick to overcoming both of these limitations is to select the link Configure app without notifications to the right of the QR code as shown above.

image

When you do so, you’ll get a new QR code that looks very similar but has different wording and a link.

You can now use this QR code to set up multiple Microsoft Authenticator apps on different devices as well as third party authenticators. You may also want to take a screenshot of this QR code for future reference if you wish to set up or reconfigure authenticator devices in the future.

Some considerations here. All devices you now use with this QR code will be configured with the same identical sequence of rolling numbers for authentication. Thus, when you configure multiple devices this way you’ll see that the PIN numbers will be identical on all devices and will change more or less at the same time. What you have effectively achieved here is a duplication of the MFA token for that user. Is that a good thing? Best practice is to have ONE and only ONE authenticator per account, but there are scenarios I will illustrate later where having a duplicate is acceptable. However, please remember, the more tokens you have for an account, the less secure it is.

image

Once you have used the QR code with all the devices you wish to use, select Next and then Next. You’ll then be prompted to enter a verification code from any of the devices (as they all show the same code now anyway) to verify the account set up. Enter the code and continue.

image

You’ll then need to enter a phone number as a fallback option. Select the Next button when this is complete.

image

You’ll then see a single app password you can use if needed, but best practice is that you shouldn’t be using these so select the Done button.

image

Now when the user logs in to Microsoft 365, they’ll enter their login and password as before but then also be prompted for a code from an authenticator. If you have duplicated the authenticator as shown above, the code on the devices will be the same and thus all you need to access that account is any of the devices just configured.

image

So where might a duplicated authenticator make sense? Perhaps as an administrator of a tenant I move between different locations and devices. Or perhaps I want to have the same code for everyone using authenticators for access. Perhaps different people need to read me the code from an authenticator on their device. There are scenarios where duplicated authenticators may make sense, so it is an option if needed.

Duplicating authenticators is probably ok if there is only one user accessing the account, but what happens when multiple people need to access the one account using MFA? I would suggest that, as best practice, they should each use a unique authenticator.

To set up multiple unique authenticators (rather than just duplicates), complete the above process but for only a SINGLE authenticator app. Again, it is recommended not to enable push notifications and just use PIN code entry. Once the single MFA has been configured for the account, login to that account using MFA. Select the user icon in the top right of the screen. That should display a menu like that shown above. From this menu, select My account.

image

In the window that appears, locate the Security & privacy section and select the Manage security & privacy button.

image

Now select Additional security verification at the bottom as shown above.

image

This will display two additional options as shown. Select Update your phone numbers used for account security.

image

This should display the above options, where you can configure the MFA settings for the account. At the bottom of this screen you will see that there is already one Authenticator app, which is the initial one configured for the account. To add a second independent authenticator tied to this account select the Set up Authenticator app button as shown.

image

This should display the now familiar MFA configuration window as shown above. The default option will be for push notifications. This means that any time the account logs in, a push notification will be sent to ALL the authenticator apps configured for this account, whether they have been set up as duplicates or separate authenticators. As mentioned previously, this option also only allows a single Microsoft Authenticator configuration and no third party options.

image

Thus, best practice is again to select the Configure apps without notifications link on the right to make more authenticator options available.

image

This will again give you a slightly different screen with a QR code to configure the authenticator device. Remember, here you are not duplicating the existing authenticator that was created initially, you are creating a separate independent authenticator app that is tied to the same user account.

image

When you have completed the configuration process for this authenticator you’ll again need to verify it as shown above.

image

When you return to the Additional security verification screen you will now see two authenticator apps at the bottom of the screen as shown above.

image

This might appear confusing, but in my example I configured two different authenticator apps independently on the same device (one Microsoft, one Google). If you configure authenticator apps on two different physical devices it should look more like the above where you can tell the difference between the devices. In my experience, if there is ever confusion or duplicates, the more recent configurations appear at the top of the list if you ever wish to delete one.

image

You may want to ensure that you DON’T select the option to Notify me through app, because doing so will send a push notification to all configured and supported apps for verification. If you have different people, all with their own authenticator app configured on separate devices, you don’t want them all getting a notification when ANY one of them attempts to login to the account. Not only is it annoying, but any of the other devices can approve the login request, even though they didn’t initiate it. You can use the notification option for authentication if you wish BUT use it with care and an understanding of the risks it brings.

image

The above shows you that I have configured authentication on two separate devices (Android on the left, iPhone on the right). Note how the time is the same on each device, along with the account it protects. You’ll also notice that one device is using Google Authenticator while the other is using Microsoft Authenticator, just to show you that you can mix and match authenticators as you please. These are two independent authenticators tied to the one account, as I have just shown you how to configure. Thus, if I now try and login to the configured account, I use the one user name, plus the one password, and either of the two numbers on the authenticators I have configured on these devices.
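The identical rolling codes on duplicated devices, and the two different codes on the independent authenticators above, both come down to whether the devices share one TOTP secret or hold separate ones. As an added example (not the author’s code and not Microsoft’s implementation), assuming Microsoft Authenticator and Google Authenticator both follow RFC 6238 TOTP with a 30 second step, here is a Python model of the provisioning QR code, the authenticator app and the verifier; the secret, account name and device names are constructed.

```python
import base64
import hashlib
import hmac
import os
import struct
import time
from typing import Dict, Optional

# Constructed secret: the one RFC 4226/6238 use for their published test vectors.
# A real authenticator secret is random and never appears in source code.
RFC_TEST_SECRET = b"12345678901234567890"


def new_secret(nbytes: int = 20) -> bytes:
    """What a fresh registration does behind the scenes: mint a random shared secret."""
    return os.urandom(nbytes)


def provisioning_uri(secret: bytes, account: str, issuer: str = "Microsoft") -> str:
    """Content of the otpauth QR code. Scanning one URI into several apps duplicates
    the secret; a second registration gets a new secret from new_secret()."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}&digits=6&period=30"


def secret_from_uri(uri: str) -> bytes:
    """What the authenticator app does when it scans the QR code."""
    params = dict(kv.split("=", 1) for kv in uri.split("?", 1)[1].split("&"))
    b32 = params["secret"]
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: Optional[int] = None, period: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock, so two devices
    holding the same secret show the same code and roll over together."""
    if at_time is None:
        at_time = int(time.time())
    return hotp(secret, at_time // period)


def verify(code: str, registered: Dict[str, bytes], at_time: int, window: int = 1) -> Optional[str]:
    """Server-side check modelled on the behaviour described above: the code is accepted
    if it matches ANY authenticator registered on the account, allowing +/- window
    30 second steps of clock drift. Returns the matching registration's name, or None."""
    counter = at_time // 30
    for name, secret in registered.items():
        for step in range(counter - window, counter + window + 1):
            if hmac.compare_digest(hotp(secret, step), code):
                return name
    return None


def demo(at_time: int = 59) -> dict:
    """Duplicate vs independent registrations on one account, evaluated at at_time
    (59 s after the epoch is the first RFC 6238 test instant)."""
    account = "admin@example.test"  # constructed account name
    # One QR code scanned into two apps: both devices end up with the SAME secret.
    first_qr = provisioning_uri(RFC_TEST_SECRET, account)
    phone_a = secret_from_uri(first_qr)
    phone_b = secret_from_uri(first_qr)
    # A second registration via Additional security verification: a NEW secret.
    phone_c = secret_from_uri(provisioning_uri(new_secret(), account))
    registered = {"phone_a": phone_a, "phone_b": phone_b, "phone_c": phone_c}
    result = {
        "duplicates_show_same_code": totp(phone_a, at_time) == totp(phone_b, at_time),
        "independent_secret_differs": phone_c != phone_a,
        "phone_c_code_accepted": verify(totp(phone_c, at_time), registered, at_time) is not None,
    }
    # Revoking a DUPLICATE is ineffective: phone_b's code still matches phone_a's entry,
    # so the only real revocation is to remove every copy and re-enrol.
    del registered["phone_b"]
    result["revoked_duplicate_accepted_as"] = verify(totp(phone_b, at_time), registered, at_time)
    # Revoking an INDEPENDENT registration removes the only secret that yields its codes.
    del registered["phone_c"]
    result["revoked_independent_accepted_as"] = verify(totp(phone_c, at_time), registered, at_time)
    return result


if __name__ == "__main__":
    print(demo())
```

The revocation step is the practical difference: a duplicated token cannot be revoked per device, which is why the technician scenario below needs independent registrations.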

Now, where do multiple authenticators on a single Microsoft 365 account make sense? The most common scenario is for IT resellers who need to support multiple customer tenants with multiple technicians securely using MFA. A typical scenario would be to configure a single management account in each customer’s tenant that is a global administrator for the tenant. That account would have an initial MFA authenticator enabled during set up. Then, for each technician who needs access, each of their personal devices would also be enabled for MFA on that same single customer admin account using the process I detailed above. Thus, the admin login details would be shared amongst the technicians along with the password, BUT each would use their own authenticator app to gain access to the customer’s management account. Thus, each technician uses the same username and password to access the account but a unique MFA PIN code that is generated on their own personal device and is unique to them.

In the event that a technician leaves, the IT reseller could merely remove that technician’s authenticator app from the customer’s admin account and probably change the password and re-share that updated password amongst the remaining technicians. In an environment with lots of tenants and technicians, manually doing this would be time consuming. I’d be confident that this process could be scripted using PowerShell but can’t say for sure until I look at that in more detail. Stay tuned. But at least you can have multiple technicians accessing multiple shared accounts with their own unique MFA authenticator app.

So there you have it. Yes, it is possible to have multiple authentication apps providing MFA to a single Microsoft 365 account. Yes, it is possible to achieve this with both Microsoft and third party authenticator apps. Yes, it is possible to have duplicate and independent authenticator configurations for one account. And finally, YES, it makes an account LESS SECURE by having multiple authenticator apps configured against a single account, so use with CARE and THINK before you implement.

Become Microsoft 365 Certified with CIAOPS

image

I’m pleased to announce that I’m taking all of my experience as a Microsoft Certified Trainer and learnings with Microsoft 365 and creating a 7 week intensive study program dedicated to helping people pass the recently announced Microsoft MS-100 certification exam.

In broad strokes this exam covers:

– Design and Implement Microsoft 365 Services

– Manage User Identity and Roles

– Manage Access and Authentication

– Plan Office 365 Workloads and Applications

The CIAOPS program will provide 2 hours per week of presented content (lecture + lab) as well as additional content each participant will be expected to complete and submit prior to the next week. In my experience, having ‘required homework’ is the best way to ensure that you are learning the content. All the material will be available in a downloadable portal for access on demand (including presented content). Having the material on demand means that you can attend this course even if you can’t make the live sessions.

This program is limited to a maximum of 15 students and is filling fast, so if you want to take advantage of this round then please contact me via email (director@ciaops.com) to express your interest. The cost for anyone not in my CIAOPS Patron program is AU$399 inc GST for all the material.

You may want to read my thoughts on why I believe certification is becoming increasingly important with the cloud:

The benefits of certification

Stay tuned for more certification training programs like this that will be available from the CIAOPS.

Need to Know podcast–Episode 199

I speak with Iaan Wiltshire, Program Manager for Windows Defender ATP at Microsoft, all about this security offering and how it fits into the market. We discuss what Defender ATP is and what it includes, so if you are keen to hear how Microsoft is integrating threat management from the desktop through to the cloud, listen along.

Brenton and I, of course, give you all the latest Microsoft Cloud news in this first episode for 2019. There is still lots happening so listen in to stay up to date.

Also, don’t forget our invite to join us during the live recording of episode 200 on the 21st of January 2019. Just sign up at http://bit.ly/n2k200

Take a listen and let us know what you think –feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-199-iaan-wiltshire/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

Iaan.Wiltshire@microsoft.com

@contactbrenton

@directorcia

MSP risks for clients

Questions to ask your MSP

Report into MSP hacking

Discounted cyber security for your client

December updates video

Ignite 2019 – Sydney agenda

Contextualizing Attacker Activity within Session in Exchange Online

MyAnalytics, the fitness tracker for work is now more broadly available

Watch Microsoft Stream on the go

SharePoint Roadmap Pitstop: December 2018

Introducing new advanced security and compliance offerings for Microsoft 365

Evaluating Windows Defender ATP

Windows defender Test Ground

Microsoft Security Blog

Defender ATP Overview

Disable basic auth to improve Office 365 security

image

In a recent article:

Investigating an Office 365 account compromise

I detailed how, if you go into the Azure AD sign-in logs for an individual user, you’ll probably see a huge number of failed logins because automated hacking tools are banging away trying to brute force access into these accounts.

Once you see the sheer volume of attempts constantly trying to gain access, you’ll hopefully appreciate how important Multi Factor Authentication (MFA) is, because it means that even if the password is guessed, another factor, like a security PIN, is still needed to login.

So you think you’re safe with just MFA eh? Well, perhaps not as safe as you may think, because there is a good chance that basic authentication is still enabled on the tenant. What is basic authentication? Simply a login and password. Why is it still on? Because enabling MFA for users doesn’t disable it; it remains in place as a fallback.

With basic authentication still in place, bad actors can keep banging away on your tenant trying to brute force a password. If you haven’t got MFA enabled for users, it is probably only a matter of time before a user’s password gets brute forced. Even if you have MFA, it is better not to give bad actors the ability to get one step closer to actually logging in, isn’t it?

If you are serious about security for your Office 365 tenant then you need to enable MFA AND also disable basic authentication. Is this going to break stuff? If you are using applications prior to Office 2013, for example, then yes, but you shouldn’t really be using those anyway.

To understand how to disable basic authentication and the ramifications of doing that, have a look at the following article:

Disable Basic authentication in Exchange Online

Most security conscious people should be using modern applications, which means that switching off basic authentication shouldn’t cause an issue at all.

After you have disabled basic authentication, go back into your logs and see how all the attacks I’ve mentioned previously effectively cease. It ain’t magic, you’ve just hardened your tenant by reducing the risk surface area. For bonus credits on securing your tenant take a look at:

Azure AD and ADFS best practices: Defending against spray attacks

I also have the following script in my GitHub repo:

https://github.com/directorcia/Office365/blob/master/o365-modern-auth.ps1

that will enable modern authentication in your tenant when run. However, beware of enabling this as it can cause issues, especially with older (pre-Office 2013) applications.

So remember, yes enable MFA across your Office 365 organisation but ALSO disable basic authentication as well!
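The log review described in this post can be scripted. As an added example that is not the author’s script (and unrelated to the o365-modern-auth.ps1 linked above), here is a Python triage of Azure AD sign-in records that separates basic-auth attempts from modern ones, so you can see who is being hammered, whether a basic-auth sign-in ever succeeded, and how much of the failure noise disappears once basic auth is off. The records, user names and IPs are constructed; the clientAppUsed strings and error codes are assumptions taken from the Microsoft Graph signIn resource.

```python
import json
from collections import defaultdict
from typing import Dict, List

# Client types that authenticate with nothing but a username and password (basic
# auth), so a correct guess gets in with no MFA in the path. The strings are the
# clientAppUsed values Azure AD sign-in logs report for legacy clients (assumption
# based on the Microsoft Graph signIn resource; check them against your own export).
LEGACY_CLIENT_APPS = {"IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync", "Other clients"}

# Constructed sign-in records in the shape of an Azure AD sign-in log export
# (JSON Lines). IPs are from the TEST-NET documentation ranges. errorCode 0 is a
# completed sign-in, 50126 is "invalid username or password", 50076 is "MFA required".
SAMPLE_SIGNINS = """
{"createdDateTime":"2019-01-14T02:11:08Z","userPrincipalName":"alex@contoso.example","ipAddress":"203.0.113.10","clientAppUsed":"IMAP4","status":{"errorCode":50126}}
{"createdDateTime":"2019-01-14T02:11:21Z","userPrincipalName":"alex@contoso.example","ipAddress":"203.0.113.10","clientAppUsed":"IMAP4","status":{"errorCode":50126}}
{"createdDateTime":"2019-01-14T02:12:03Z","userPrincipalName":"alex@contoso.example","ipAddress":"203.0.113.10","clientAppUsed":"IMAP4","status":{"errorCode":50126}}
{"createdDateTime":"2019-01-14T02:40:55Z","userPrincipalName":"alex@contoso.example","ipAddress":"203.0.113.11","clientAppUsed":"IMAP4","status":{"errorCode":50126}}
{"createdDateTime":"2019-01-14T02:41:10Z","userPrincipalName":"alex@contoso.example","ipAddress":"203.0.113.11","clientAppUsed":"IMAP4","status":{"errorCode":50126}}
{"createdDateTime":"2019-01-14T03:02:44Z","userPrincipalName":"alex@contoso.example","ipAddress":"198.51.100.7","clientAppUsed":"IMAP4","status":{"errorCode":50126}}
{"createdDateTime":"2019-01-14T08:15:00Z","userPrincipalName":"alex@contoso.example","ipAddress":"192.0.2.25","clientAppUsed":"Browser","status":{"errorCode":0}}
{"createdDateTime":"2019-01-14T02:13:30Z","userPrincipalName":"megan@contoso.example","ipAddress":"203.0.113.10","clientAppUsed":"Authenticated SMTP","status":{"errorCode":50126}}
{"createdDateTime":"2019-01-14T08:20:12Z","userPrincipalName":"megan@contoso.example","ipAddress":"192.0.2.26","clientAppUsed":"Browser","status":{"errorCode":50076}}
{"createdDateTime":"2019-01-14T03:05:19Z","userPrincipalName":"adele@contoso.example","ipAddress":"198.51.100.7","clientAppUsed":"Authenticated SMTP","status":{"errorCode":0}}
"""


def parse_signins(text: str) -> List[dict]:
    """One JSON object per line, blank lines ignored."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def summarise(signins: List[dict]) -> Dict[str, dict]:
    """Per user: failed basic-auth attempts, the IPs they came from, and whether any
    basic-auth sign-in SUCCEEDED (a guessed password that got past MFA entirely)."""
    report: Dict[str, dict] = defaultdict(lambda: {
        "legacy_failures": 0, "legacy_successes": 0, "modern_failures": 0, "source_ips": set()})
    for s in signins:
        entry = report[s["userPrincipalName"]]
        completed = int(s["status"]["errorCode"]) == 0
        if s.get("clientAppUsed") in LEGACY_CLIENT_APPS:
            if completed:
                entry["legacy_successes"] += 1
            else:
                entry["legacy_failures"] += 1
                entry["source_ips"].add(s["ipAddress"])
        elif not completed:
            entry["modern_failures"] += 1  # includes MFA challenges that were not completed
    return dict(report)


def exposed_users(report: Dict[str, dict], threshold: int = 5) -> List[str]:
    """Accounts being actively brute forced over basic auth, or already accessed through it."""
    return sorted(u for u, e in report.items()
                  if e["legacy_failures"] >= threshold or e["legacy_successes"] > 0)


def legacy_share_of_failures(report: Dict[str, dict]) -> float:
    """Fraction of all failed sign-ins that arrived over basic auth: the noise that
    disappears from the logs once basic auth is disabled."""
    legacy = sum(e["legacy_failures"] for e in report.values())
    total = legacy + sum(e["modern_failures"] for e in report.values())
    return legacy / total if total else 0.0


if __name__ == "__main__":
    rep = summarise(parse_signins(SAMPLE_SIGNINS))
    for user in exposed_users(rep):
        print(user, rep[user]["legacy_failures"], "failures,",
              rep[user]["legacy_successes"], "successes, from", sorted(rep[user]["source_ips"]))
    print(f"{legacy_share_of_failures(rep):.0%} of failed sign-ins were over basic auth")
```

A successful legacy sign-in for a user who has MFA enabled (adele in the sample) is the case to chase first, since it means a password was guessed and MFA never entered the picture.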

A great security add on for Microsoft 365

Office 365 has a good deal of security available out of the box, however much of it needs to be fully configured from the defaults. Add to this the additional security options Microsoft 365 Business brings to the table on top of what Office 365 provides as standard. Services like Office 365 Advanced Threat Protection (ATP), Data Loss Prevention (DLP), Legal Hold and so on are included with Microsoft 365 Business and most also still need to be configured appropriately.

Configuring security options is nothing new. IT Professionals have been doing it for years. That won’t change just because services are now in the cloud.

Even after you have configured all of these services appropriately, there are more security options you can add on from Microsoft. I think that probably the best add on security service you can bolt on to your Microsoft/Office 365 environment is Office 365 Cloud App Security.

image

You can simply add the Office 365 Cloud App Security to any existing tenant and then assign it to your users. As you can see from the above (in $AUD), it is pretty cheap for what I’ll show it can do for you.

Now before I get too far down the path of explaining Office 365 Cloud App Security I need to let you know there is a more advanced version of this service called Microsoft Cloud App Security that I’ll cover in more detail in an upcoming article. Here, I’m going to focus on Office 365 Cloud App Security. If you want to know the differences between the two services take a look at:

What are the differences between Microsoft Cloud App Security and Office 365 Cloud App Security

image

Once you purchase a subscription to Office 365 Cloud App Security and assign the licenses, you will see an extra option appear in the Alerts section of the Security and Compliance center, as shown above. Selecting the new Manage advanced alerts menu item will display the Manage advanced alerts screen on the right. Like most security options in Microsoft 365, you’ll need to go in there and enable it the first time you visit.

Once it has been enabled select the Go to Office 365 Cloud App Security button.

image

You’ll now be taken to the Office 365 Cloud App Security console and a list of policies as you can see above. These are the default policies that are created for you and it is possible to create your own policies which I’ll cover soon.

Take a moment to have a look through the list of default policies and you’ll find they cover some very common scenarios.

image

In this case, I’ve clicked on the Mass downloaded by a single user policy to view the details.

image

The real heart of the policy is the Create Filter for the policy section a little down the page as shown above. This is where you create the rules to determine when an alert should be activated.

image

A little bit further down the screen you’ll find the section to manage the alerts. Here you’ll see the option to send an email, text message and the new preview option to trigger a Microsoft Flow. This new Microsoft Flow feature will allow you to automate just about any action if the alert is triggered.

image

The Governance section at the bottom of the page shows you the default actions that you can take when an alert is triggered, including the ability to suspend the user and force them to sign in again.

image

The above shows you a custom policy that I have created that will alert me when an Office 365 administrator logs on outside my corporate network.

Once you have customised the default policies and add any custom ones all you need to do is wait until an alert is triggered.

image

When you receive an alert via email it will look like the above with links to take you straight to the policy match.

image

You can now view any alerts in the console as shown above.

image

When you select an alert you can dig deeper into the details as shown above, as well as Dismiss or Resolve it by recording how it was handled (these options are in the top right corner of the screen).

image

Not only can you configure and view very detailed alerts but you can also view the Office 365 Activity Log as shown above. This is very, very handy and much easier than having to use the interface in the Security and Compliance center or an exported CSV file.

image

If you click on an item you again get a huge amount of information as shown above.

image

The buttons in the top right of the item allow you to search on similar:

– Activity types (i.e. here Log on)

– Activity from the same user

– Activity from same IP

– Activity from same country and region

– Activity in the same time frame

image

The above shows you the failed logon activities, each of which you can drill into for more information.

So the second thing Office 365 Cloud App Security can provide is a detailed way to browse and investigate the Office 365 Activity log.

Sample report

Another thing Office 365 Cloud App Security can do is ingest the logs from on-premises firewalls and UTM devices and display them in a dashboard as shown above. Here you can see exactly what cloud apps are being used in your environment. The idea is that it helps you identify shadow IT and prevent the leakage of corporate data through non-authorised applications.

That’s a lot of power for a very small price in my books and makes Office 365 Cloud App Security a worthwhile investment for your environment. If you want even more power then you can look at Microsoft Cloud App Security which I’ll detail in an upcoming article.

If you are serious about monitoring your Microsoft/Office 365 environment quickly and easily, then nothing beats Cloud App Security. For most, Office 365 Cloud App Security will do what is required but remember that for only about $1 more, Microsoft Cloud App Security has even more power.

You can of course sign up for a 30 day trial of either product in your tenant today and try it for yourself. I’m pretty confident that when you see everything it can do you’ll happily add it to the tenant going forward.

So when you get Microsoft/Office 365, I suggest Cloud App Security (either Office 365 or Microsoft) as something that you should add for sure if you are serious about security (and who isn’t these days??).

Need to Know podcast–Episode 198

Join me with Nigel Moore for this episode as he talks about what successful Managed Service Providers (MSPs) are doing and thinking with the Microsoft Cloud and also into the future. Nigel shares his wealth of experience from running a successful MSP and now running a coaching business focused on helping MSPs become more successful. This being the last episode before Christmas and New Year, both Brenton and I wish you all the best for the holiday season. We appreciate your support in 2018 and look forward to you joining us again in 2019.

Take a listen and let us know what you think –feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-198-nigel-moore/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

@contactbrenton

@directorcia

The Tech Tribe – Nigel Moore

Zapier and Microsoft Teams integration

Introducing the Microsoft 365 freelance toolkit

Microsoft Teams adoption hub

What’s the difference between OneNote and OneNote 2016?

Teams usage passes Slack

Microsoft 365 update for November 2018

Updates to Azure AD Terms of Use functionality within conditional access

An easy way to bring back your Azure VM with in place restore