Need to Know podcast–Episode 212

In this episode I speak with Darrell Webster about what happens behind the scenes with the Regarding365 community. A really good discussion around community and the process of regularly creating content. Of course there is also the latest Microsoft Cloud news and yes, Brenton is back to explain where he has been. Tune in for all the details.

This episode was recorded using Microsoft Teams and produced with Camtasia 2019

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-212-darrell-webster/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

@darrellaas

@regarding365

@contactbrenton

@directorcia

What’s new in Teams – July 2019

New to Microsoft 365 in July

OneDrive round up – July 2019

New Flow and PowerApps licensing

An Office 365 Guide to PowerApps and Flow licensing

Microsoft Defender ATP evaluation lab is now available

Without enrollment and Outlook for iOS and Android general app configuration

What’s new with Microsoft 365 – July [VIDEO]

Ring Central Teams

Teams in the Classroom [VIDEO]

https://mcdn.podbean.com/mf/web/g3iqgy/ep212.m4a

Exchange Online PowerShell WinRM issue

image

I went into my PowerShell ISE today, as I always do, and tried to connect to Exchange Online. However, as you can see from the above error message:

Connecting to remote server outlook.office365.com failed with the following error message: The WinRM client cannot process the request.

I couldn’t connect! Why was this I wondered? It was working last time. I then proceeded to waste a good amount of time trying to troubleshoot WinRM errors to no avail. Only at the point of frustration did I actually read more of what the error message actually said:

Basic authentication is currently disabled in the client configuration. Change the client configuration and try the request again.

I then tried to connect to Exchange Online via PowerShell using another machine of mine and received the same error. I then tried a VM in Azure and that worked fine. It was at this point that I started to suspect it was something to do with my Intune policies as the Azure VM was stand alone.

I had just recently implemented the Security Baselines provided by Microsoft.

image

I was working my way through some of the reports of conflicts and misconfigurations by adjust my existing best practices policies to suit. I didn’t appreciate that these Security Baselines actually implement policies that get pushed out to devices! I thought they just compared your settings to what Microsoft recommended as best practice.

image

When I went to the affected workstations and ran the command:

winrm get winrm/config/client/auth

I got the above in which you can see that the Basic auth setting is indeed set to false but that it is set by a GPO. Ok, so where is this GPO I wondered? Given that all the affected machines were Azure AD joined without a local domain controller it meant that the GPO was going to be Intune, as that is where the policies are pushed from in my case.

image

When I repeated that winrm command on a machine that worked I saw the above, Basic = true and no Source=”GPO”.

I then tried in vain to change the GPO locally using PowerShell and the GP console to alter the setting but with no luck.

Suspecting Intune and my policy fiddling, I totally disabled all configuration policies for the device but the problem continued. I then deleted the Security Baseline policies I had created and BAM, everything worked!

Ok, so the problem was the Security Baseline policies, but how? Well, it turns out that these Security Baselines actually do apply an additional policy to your devices once you enable it. Now my question was, where exactly does it do this and can I alter the Security Baseline if desired?

image

Turns out, that the location for what affected me is in the Remote Management section of the MDM Security Baseline policy as shown above.

image

Unfortunately, I had breezed over these options when I first set up the policy using the wizard. You can expand each of the options there and make adjustments if you need! D’Oh!

The lessons here are, firstly that if your implement the MDM Security Baseline or the Microsoft Defender ATP baseline, these will create policies and apply these to your environment. Secondly, you can customise these baselines if you wish, both during the creation process and afterward if you wish. Thirdly, you need to be careful with these policies as they set a lot of settings that you may not seem to immediately come from Intune.

I’ll spend some more time looking at these in detail and reporting back. My own personal best practice policies are pretty close to the Microsoft ones, but it is great that I can do a comparison between them and improve my own.

A frustrating self inflicted issue to resolve but I have learned much in nutting it out and I hope if you have the same issues that this information saves you the time I had to invest to resolve it!

CIAOPS Need to Know Microsoft 365 Webinar–July

laptop-eyes-technology-computer

It’s been a long time between drinks but the free CIAOPS Need to Know webinars are back. I’ve done a technology refresh, which means I’ll be attempting to use Microsoft Teams Live Events now. Given this is the first public attempt at this I welcome you to come along and watch all the stuff ups and gaffs that are no doubt going to plague me as I try and get the technology to work. It’ll be fun. Come join me and make this rebirth memorable.

You’ll also notice that I’ve re-branded the webinars to Microsoft 365, which means I’ll be looking deeper into this “new” service from Microsoft.

You can register for the regular monthly webinar here:

July Webinar Registrations

The details are:

CIAOPS Need to Know Webinar – July 2019
Thursday 26th of July  2019
11am – 12am Sydney Time

All sessions are recorded and posted to the CIAOPS Academy.

There of course will also be open Q and A so make sure you bring your questions for me and I’ll do my best to answer them.

The CIAOPS Need to Know Webinars are free to attend but if you want to receive the recording of the session you need to sign up as a CIAOPS patron which you can do here:

http://www.ciaopspatron.com

or purchase them individually at:

http://www.ciaopsacademy.com/

Also feel free at any stage to email me directly via director@ciaops.com with your webinar topic suggestions.

I’d also appreciate you sharing information about this webinar with anyone you feel may benefit from the session and I look forward to seeing you there.

MVP for 2019-20

MVP_Logo_Horizontal_Preferred_Cyan300_RGB_300ppi

I’m proud to say that Microsoft has graciously awarded me as a Most Valued Professional (MVP) for 2019 in the Office Servers and Services category. This makes it now eight awards in a row for me, which is very special and honouring. I thank Microsoft for this special award and acknowledge the responsibilities it entails.

However, this award is not possible without members of the community out there who take the time to do things like read my blog, watch my YouTube channel, attend events where I speak and more. Thanks everyone.

I’m committed to continuing to provide more information and insight into the fantastic products and services Microsoft creates. I can’t wait each day to see what new stuff Microsoft has brought us and how it can be implemented for users. With the rapid development rate in the cloud I am always amazed at all the new stuff that becomes available but it is really great to have that challenge of staying current.

Having attended my first MVP Summit this  year I’m looking forward to next year’s one so I can again visit Redmond and learn from Microsoft and fellow MVPs. Being an MVP is being part of a unique community of very dedicated and smart people who truly love to share their knowledge. I aim to live up to the example they set and continue to improve and grow. I congratulate all those who were also awarded for this year and look forward to seeing you at the MVP Summit in 2020.

But again, I thank Microsoft for this honour and will work hard to live up top the expectations it sets again for 2019-20 so I can make it nine years ins 2020!

Need to Know podcast–Episode 207

We have an interview with Senior product Marketing Manager for Microsoft 365 Business, Ashanka Iddya. There is of course an update on everything from the Microsoft Cloud with a special focus on the recent SharePoint 2019 Conference. Delta synced files, full Document Library fidelity in Teams and more are covered in this episode.

This episode was recorded using Microsoft Teams and produced with Camtasia

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-207-ashanka-iddya/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

@aiddya

@contactbrenton

@directorcia

Small and Medium Business on the Microsoft Tech Community

SharePoint home sites

New mobile features, interactivity and more announced at SharePoint Conference 2019

OneDrive announcements – SharePoint Conference 2019

Turbocharging Microsoft 365 cloud user experiences

Framework for file migrations to Microsoft 365

Processes for File migrations to Microsoft 365

CIAOPS Patron Program

Need to Know podcast–Episode 200

Well we made it! 200 episodes are now done and dusted. We thanks our special guests for attending this episode live, Mark O’Shea and Marc Kean.  Of we can’t forget the co-host Brenton Johnson, who helped make this episode special. We’d also like to thank everyone who shared best wishes and congratulations. It is fantastic to know that people are out there and enjoying what we put together.

This of course is only the beginning of the march towards our next 200 episodes and we hope you’ll all join us for the journey. We’ve come a long way in around 10 years of podcasting and so too has the Microsoft Cloud. What’s it going to be like in another 10 years? Join us on the journey.

Thanks again to both Mark O’Shea and Marc Kean for being part of our special episode and supporting the podcast over the years.

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-200-lets-celebrate/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

@intunedin

@marckean

@contactbrenton

@directorcia

Microsoft Ignite sessions on YouTube

CIAOPS Techwerks whiteboard training–Sydney 31 January

I’ll be hosting an all day focused, hands on, technical whiteboard training session on Microsoft Cloud technologies (Office 365, Microsoft 365, Azure, etc) in Sydney on Thursday January the 31st 2019. The course is limited to 15 people and there are still a few places available if you wish to attend.

The content of these events is driven by the attendees. That means we cover exactly what people want to see and focus on doing hands on, real world scenarios. Attendees can vote on topics they’d like to see covered prior to the day and we continue to target exactly what the small group of attendees wants to see. Thus, this is an excellent way to get really deep into the technology and have all the questions you’ve been dying to know answered. Typically, the event produces a number of best practice take aways for each attendee. So far, the greatest votes are for deeper dives into Intune, security and PowerShell configuration and scripts, however that isn’t finalised until the day.

The CIAOPS Techwerks events are run regularly in major Australian capital cities, so if you can’t make this one or you aren’t in Sydney on that date, stay tuned for more details and announcements soon. If you are interested in signing up please contact me via emails (director@ciaops.com) and I can let you know all the details as well as answer any questions you may have about the event.

I hope to see you there.

Using multiple authenticator apps with a single Microsoft 365 user account

One of the best ways to ensure an account is secure is to enable Multi Factor Authentication (MFA) for it. This means, the user logs in as normal with their username and password but before the login process is complete they must enter another form of verification. That form is typically via an SMS, Phone call or an authenticator application on their mobile device.

The best practice with Microsoft 365 is to use the Microsoft Authenticator app, which is available on both iOS and Android. Here’s an overview video:

The way that you set up MFA for a Microsoft 365 account is to login to the Microsoft 365 portal as an administrator and navigate to the Admin center.

image

Then do a search for MFA as shown above. One of the returned results should be Azure multi-factor authentication settings as shown, which you should select.

You should be aware that here you are configuring Multi-Factor Authentication for Office 365 which is a subset of all the features available in Azure Multi-Factor Authentication. You can see the feature comparison here:

MFA version feature comparison

All versions of Office 365 and Microsoft 365 come with Multi-Factor Authentication for Office 365 the more advanced Microsoft 365 plans, such as E3 and E5 come with Azure Multi-Factor Authentication. The discussion here is focused on Multi-Factor Authentication for Office 365 and this applies to all plans. 

image

After selection of that option, a notification should now appear from the right of the windows. Select the Manage multi-factor authentication link that appears as shown above.

image

This should take you to a list of your users as shown above. This will show the MFA status of each user. The above shows you that Alex Wilber currently has an Enforced setting, while everyone else has Disabled.

image

Select the user you want to enable on the right and then select the Enable link on the right as shown.

image

You should now see the above message. Select enable the multi-factor auth button to continue.

image

After a moment or two, you should receive confirmation that MFA is now enabled for the account as shown above. Select the close button to continue.

SNAGHTML1980450f

As shown above, you will now see that the status of that user is now Enforced. This means that they have yet to complete their MFA enrolment. Once they have, their status will change to Enabled.

image

After the user enters their login and password into the Office 365 tenant the next time they login, they will see the above message telling them they basically need to enrol in MFA.

image

They should now see a screen like that shown above. In this case we are going to use a Mobile app as a means of authentication so we select that option from the top box. In the, How do you want to use the mobile app? box select Use verification code. This will request the user to end a unique code from the authenticator app to verify their identity during login. There is also the option to receive push notifications BUT if you are going to be using multiple authenticators then best practice is not to do this, and I’ll detail why further down when I talk about the scenarios where this multiple authenticator environment can be used. For now, select Use verification code and then the set up button underneath.

image

You’ll now see a QR code like shown above that you can use with your Microsoft Authenticator app. However, using this does come with limitations.

Firstly, this method doesn’t support third party authenticator like Google Authenticator or Lastpass Authenticator.

file

If you try to use those you’ll get an error like you see above and be unable to configure the third party authenticator.

file2 (002)

Secondly, if you try and use the same QR code on another device running a second Microsoft Authenticator app then you’ll see the above error, basically telling you that the QR code has been used before (which it has).

image

The trick to overcoming both of these limitations is to select the link Configure app without notifications to the right of the QR code as shown above.

image

When you do so, you’ll get a new QR, that looks very similar but has different wording a link.

You can now use this QR to set up multiple Microsoft Authenticator apps on different devices as well as third party authenticators. You may also want to take a screen shot of this QR code for future reference if you wish to set up or reconfigure authenticator devices in the future.

Some considerations here. All devices you now use with this QR code will configure the same identical sequence of rolling numbers for authentication. Thus, when you configure multiple devices this way you’ll see that the pin numbers will be identical on all devices and will change more or less at the same time. What you have effectively achieved here is a duplication of the MFA token for that user. Is that a good thing? Best practice is to only have ONE and only ONE authenticator per account but there are scenarios I will illustrate later where having a duplicate is acceptable. However, please remember, the more tokens you have for an account, the less secure it is.

image

Once you have used the QR with all the devices you wish to use, select Next and then Next. You’ll then be prompted to enter a verification code from any of the devices (as they all show the same code now anyway) to verify the account set up. Enter the code and continue.

image

You’ll then need to enter a phone number as a fall back option. Select the Next button when this is complete.

image

You’ll then see a single app password you can use if needed, but best practice is that you shouldn’t be using these so select the Done button.

image

Now when the user logs in to Microsoft 365, they’ll enter their login and password as before but then also be prompted for a code from an authenticator. If you have duplicated the authenticator as shown above, the code on the devices will be the same and thus all you need to access that account is any of the devices just configured.

image

So where might a duplicated authenticator make sense? Perhaps as an administrator of a tenant I move between different locations and devices. Or perhaps I want to have the same code for everyone using authenticators for access. Perhaps different people need to read me the code from an authenticator on their device. There are scenarios where duplicated authenticators may make sense, so it is an option if needed.

Duplicating authenticators is probably ok if there is only one user accessing the account, but what happens when multiple need to access the one account using MFA? They should use a unique authenticator as best practice I would suggest.

To set up multiple unique authenticators (rather than just duplicates), complete the above process but just for a SINGLE authenticator app. Again, it is recommended not to enable push notifications and just use a pin code entry. Once the single MFA has been configured for the account, login to that account using MFA. Select the user icon in the top right of the screen. That should display a menu like shown above. From this menu, select My account.

image

In the window that appears, locate the Security & privacy section and select the Manage security & privacy button.

image

Now select Additional security verification at the bottom as shown above.

image

This will display two additional options as shown. Select Update your phone numbers used for account security.

image

This should display the above options, where you can configure the MFA settings for the account. At the bottom of this screen you will see that there is already one Authenticator app, which is the initial one configured for the account. To add a second independent authenticator tied to this account select the Set up Authenticator app button as shown.

image

This should display the now familiar MFA configuration window as shown above. The default option will be for push notifications. This means that any time the account logs in a push notification will be send to ALL the authenticator apps configured to this account whether they have been set up as duplicates or separate authenticators. As mentioned previously, this option also only allows a single Microsoft Authenticator configuration and no third party options.

image

Thus, best practice is again to select the Configure apps without notifications link on the right to make more authenticator options available.

image

This will again give you a slightly different screen with a QR code to configure the authenticator device. Remember, here you are not duplicating the existing authenticator that was created initially, you are creating a separate independent authenticator app that is tied to the same user account.

image

When you have completed the configuration process for this authenticator you’ll again need to verify it as shown above.

image

When you return to the Additional security verification screen you will now see two authenticator apps at the bottom of the screen as shown above.

image

This might appear confusing, but in my example I configured two different authenticator apps independently on the same device (one Microsoft, one Google). If you configure authenticator apps on two different physical devices it should look more like the above where you can tell the difference between the devices. In my experience, if there is ever confusion or duplicates, the more recent configurations appear at the top of the list if you ever wish to delete one.

image

You may want to ensure that you DON’T select the option to Notify me through app, because doing so will send a push notification to all configured and supported apps for verification. If you have different people, all with their own authenticator app configured, on separate devices, you don’t want them all getting a notification when ANY one of them attempts to login to the account. Not only is it annoying, but any of the other devices can approve the login request, even though they didn’t initiate it. You can use the notification option for authentication if you wish BUT, use it with care and an understand of the risks it brings.

Screenshot_20190115-084113_Authenticator file1 (002)

The above shows you that I have configured authentication on two separate devices (Android on left, iPhone on right). Note how the time is the same on each device, along with the account it protects. You’ll also notice that one device is using the Google Authenticator while the other is using the Microsoft Authenticator, just to show you that you can mix and match authenticators as you please. These are two independent authenticators tied to the one account as I have just shown you how to configure. Thus, if I now try and login to the configurated account, I use the one user name, plus the one password and either of the two numbers on the authenticators I have configured on these devices.

Now, where does this multiple authenticators to a single Microsoft 365 account make sense? The most common scenario is for IT resellers who need to support multiple customer tenants with multiple technicians securely using MFA. A typical scenario would be to configure a single management account in each customer’s tenant that is a global administrator for the tenant. That account would have an initial MFA authenticator enabled during set up. Then, for each technician who needs access, each of their personal devices would also be enabled for MFA on that same single customer admin account using the process I detailed above. Thus, the admin login details would be shared amongst the technicians along with the password BUT each would use their own authenticator app to gain access to the customers management account. Thus, each technician use the same username and password to access the account but a unique MFA pin code that is generated on their own personal device and is unique to them.

In the event that a technician leaves, the IT reseller could merely remove that technician’s authenticator app from the customer’s admin account and probably change the password and re-share that updated password amongst the remaining technicians. In an environment with lots of tenants and technicians, manually doing this would be time consuming. I’d be confident that this process could be scripted using PowerShell but can’t say for sure until I look at that in more detail. Stay tuned. But at least you can have multiple technicians accessing multiple shared accounts with their own unique MFA authenticator app.

So there you have it. Yes, it is possible to have multiple authentication apps providing MFA to a single Microsoft 365 account. Yes, it is possible to achieve this with both Microsoft and third party authenticator apps. Yes, it is possible to have duplicate and independent authenticator configurations for one account. And finally, YES, it makes an account LESS SECURE by having multiple authenticator apps configured against a single account, so use with CARE and THINK before you implement.