Friday, September 8, 2023

Token protection in Microsoft Entra Conditional Access


 Token safeguarding, also known as token binding within the industry, aims to diminish the vulnerability to attacks involving token theft. It achieves this by guaranteeing that a token remains functional exclusively on the designated device. In instances where a malicious actor manages to pilfer a token through tactics like hijacking or replay, they gain the ability to impersonate their target until the token's expiration or revocation. Although token theft is perceived as a relatively infrequent occurrence, its potential consequences can be substantial.

Token protection establishes a cryptographically robust connection between the token and the device (referred to as the client secret) for which it was issued. In the absence of the client secret, the tethered token becomes ineffectual.


This preview supports the following configurations for access to resources with Token Protection conditional access policies applied:

  • Windows 10 or newer devices that are Azure AD joined, hybrid Azure AD joined, or Azure AD registered.
  • OneDrive sync client version 22.217 or later
  • Teams native client version or later
  • Power BI desktop version 2.117.841.0 (May 2023) or later
  • Visual Studio 2022 or later when using the 'Windows authentication broker' Sign-in option
  • Office Perpetual clients aren't supported

Known limitations

  • External users (Azure AD B2B) aren't supported and shouldn't be included in your Conditional Access policy.
  • The following applications don't support signing in using protected token flows and users are blocked when accessing Exchange and SharePoint:
  • PowerShell modules accessing Exchange, SharePoint, or Microsoft Graph scopes that are served by Exchange or SharePoint
  • PowerQuery extension for Excel
  • Extensions to Visual Studio Code which access Exchange or SharePoint
  • The new Teams 2.1 preview client gets blocked after sign out due to a bug. This bug should be fixed in a future service update.
  • The following Windows client devices aren't supported:
  • Windows Server
  • Surface Hub
  • Windows-based Microsoft Teams Rooms (MTR) systems

Licensing requirements

  • Using this feature requires Azure AD Premium P2 licenses.

Create the Conditional Access Policy 

Login the Microsoft Entra Conditional Access policy 

Token Theft Simulation

Numerous methods are at your disposal for testing this scenario, and I will be utilizing the tokentactics tool.

after downloading extract the File and run below commend in powershell.

#set the location - i have save it on the C drive
Set-Location C:\TokenPhish

#Set execytion to unrestricted
Set-ExecutionPolicy Unrestricted

#import the Token Tactics Modules 
Import-Module .\TokenTactics.psd1

#initiate the Tocken phising
Get-AzureToken -Client Outlook

Share this URL with and the code and ask to sign it. 

Select the user

Sign it is blocked

Check from the sign in logs 

Monday, September 4, 2023

Microsoft Entra Conditional Access with Strictly Enforce Location Policies


A new feature in conditional access allows for the strict enforcement of location policies using continuous access evaluation (CAE). This enables the quick invalidation of tokens that violate your IP-based location policies. When a client's access to a resource is denied because CAE's strict location policies are activated, the client will experience a blockage.

Adding Sponsors for Guest user


Introducing the sponsor feature enables you to designate a responsible individual or group for each guest user. This functionality allows for the tracking of the inviting party and enhances accountability.

This article delivers an overview of the sponsor feature and offers guidance on its application within B2B scenarios.

The Sponsors field within the user object pertains to the individual or group responsible for extending the invitation to the guest user within the organization. This field serves as a means to identify the inviting party and enhance accountability. It's important to note that being a sponsor does not confer administrative privileges upon the sponsor user or group. Instead, it can be employed for approval processes in Entitlement Management.

When extending an invitation to a guest user, you automatically assume the role of the sponsor for that guest user, unless you explicitly designate another user as the sponsor during the invitation process. Your name will be automatically added to the Sponsors field within the user object. Additionally, it's possible to assign up to 5 sponsors to a single guest user.

Monday, July 31, 2023

Exchange hybrid "writeback" with Cloud Sync (Cloud to On-prem Sync)



An Exchange hybrid deployment is a way to extend the feature-rich experience and administrative control of an on-premises Microsoft Exchange organization to the cloud. It provides a seamless look and feel of a single Exchange organization between an on-premises Exchange organization and Exchange Online.

With this new feature enabled, we can "write back" Exchange Online attribute to on-premises AD environment.

Setup Azure AD Connect cloud sync to your Organization


Introducing Azure AD Connect Cloud Sync, a cutting-edge solution by Microsoft designed to cater to your hybrid identity needs for seamless synchronization of users, groups, and contacts to Azure AD. This innovative offering utilizes the Azure AD cloud provisioning agent, presenting a departure from the traditional Azure AD Connect application. 

Monday, July 17, 2023

All you need to know about Remote Help with MS Intune




Network Requirement

Remote Help communicates over port 443 (https) and connects to the Remote Assistance Service at by using the Remote Desktop Protocol (RDP). The traffic is encrypted with TLS 1.2.

Both the helper and sharer must be able to reach these endpoints over port 443:
* for accessibility features within the app
* Telemetry Service
* for telemetry and remote service initialization
* endpoint used for the Remote Help application
* for Azure Communication Service for chat and connection between parties
*.aadcdn.msauth.netRequired for logging in to the application Microsoft Azure Active Directory (Azure AD)
*.aadcdn.msftauth.netRequired for logging in to the application Azure AD
* for Azure Communication Service for chat and connection between parties
* for connecting to the Microsoft Graph service
*.login.microsoftonline.comRequired for Microsoft sign in service. Might not be available in preview in all markets or for all localizations
* for Azure Communication Service for chat and connection between parties
Allowlist for Microsoft Edge endpointsThe app uses Microsoft Edge WebView2 browser control. This article identifies the domain URLs that you need to add to the allowlist to ensure communications through firewalls and other security mechanisms

Check for Licensing

From the Intune portal you can check the licensing.
  1. Access the Intune portal.
  2. Navigate to the Endpoint portal.
  3. Proceed to the Tenant Administration section.
  4. Select "Intune Add-ons" to check the licensing.

from here you can activate your trail. 

Integrate Intune - Remote Help

  1. Access the Endpoint portal.
  2. Navigate to the Tenant Administration section.
  3. Choose "Remote Help" from the available options.
  4. Click on "Settings" and select "Configure.
Following Setting need to set

Enable Remote Help: Enable
Allowed Remote help to unenrolled Devices : Allowed 
Disable Chat : No

RBAC Permissions for Intune Remote Help

  1. Access the Endpoint portal.
  2. Navigate to the Tenant Administration section.
  3. Choose "Roles" from the available options.
You can assign the "Help Desk Operator" or you can create a new Role. Select Create button to create new role. fill the below details
  • Name : Provide a Name
  • In the permission select Remote help and select necessary permission
    • Elevation - Elevation allows the helper to enter UAC credentials when prompted on the sharer’s device when remote help is enabled. Enabling elevation also allows the helper to view and control the sharer’s device when the sharer grants the helper access.
    • View Screen - View screen allows the helper to view the sharer’s device when Remote Help is enabled for all platforms we support.
    • Take Full Control - For Windows and Android devices, take full control allows the helper to view and control the sharer’s device when Remote Help is enabled.
  • Select next & Create.

After that Open the Role base profile previously created and go to assignment. Fill the following

  • Select Assign and provide a name
  • Admin Group - Add the admin group or helper group (Support team Group)
  • Scope Group - you can add all users, All device or specific halpee group.
Select Next and Create. 

Deploy Remote help app though Intune

Frist you need to download below two setup 

Open the app Microsoft-Win32-Content-Prep-Tool and open the IntuneWinAppUtil application. 

  • specify the source folder of the Remote app for windows location
  • Specify the setup file - Example -  remotehelpinstaller.exe
  • Specify the output folder to export the intunewin file
  • Catalog  Select - No
exported location you ca see that intunewin  has been created

then go to Endpoint admin portal > 
Select app > windows Apps and click Add icon. fill below information to create the app in intune

  • App Type : Windows app (Win32) and select
  • Click Select App package and brouse the intunewin file we created previously
  • file the app information as required & click next (publisher required to fill
in the Program fill below information 
  • Install command - remotehelpinstaller.exe /quiet acceptTerms=1
  • Uninstall command - remotehelpinstaller.exe /uninstall /quiet acceptTerms=1
To opt out of automatic updates, specify enableAutoUpdates=0 as part of the install command remotehelpinstaller.exe /quiet acceptTerms=1 enableAutoUpdates=0

Requirement tabs fill below
  • Operating system architecture - 32 bit & 64 bit
  • Minimum operating system - Windows 10 1607
and select next

Detection Rules tab fill below information 
  • Rules format - Manually configure detection rules and click +add
  • Rule type - select File
  • Path, specify C:\Program Files\Remote Help
  • File or folder, specify RemoteHelp.exe
  • Detection method, select String (version)
  • Operator, select Greater than or equal to
  •  Value, specify the version of Remote Help you are deploying. For example, 10.0.22467.1000
  • Leave Associated with a 32-bit app on 64-bit clients set to No
Finished the wizard (Assignment  tab Assign to deployment group.)

Setting up Conditional Access for Remote Help

Conditional Access for Remote help still in Preview. We need to enable it before we create the polices

  • Install-Module -Name AzureADPreview
  • Connect-AzureAD
  • New-AzureADServicePrincipal -AppId 1dee7b72-b80d-4e56-933d-8b6b04f9a3e2

Create policy

  1. Access the Endpoint portal.
  2. Navigate to the Endpoint security section.
  3. Select Conditional Access
  4. then select Policy and Create New policy

Initiate a remote help session

  1. Access the Endpoint portal.
  2. Navigate to the Device section.
  3. Windows devices & open the Manage PPC

Supported features and scenarios

The following table shows the features and scenarios supported by each remote assistance option. A check mark (✅) indicates that the feature or scenario is supported, and a cross mark (❌) indicates that it's not supported.

Wednesday, July 12, 2023

System-preferred multifactor authentication Method


System-preferred multifactor authentication (MFA) is a security feature that prompts users to sign in using the most secure method they have registered. This can help to improve sign-in security and discourage the use of less secure methods, such as SMS.

For example, if a user has registered both SMS and Microsoft Authenticator push notifications as MFA methods, system-preferred MFA will prompt them to sign in using the push notification method. The user can still choose to sign in using another method, but they will be first prompted to try the most secure method they have registered.

If you are an administrator, I encourage you to consider enabling system-preferred MFA in your organization. This is a simple way to improve the security of your sign-in process and protect your users' data.

Enable system-preferred MFA in the Entra ID portal

By default, system-preferred MFA is Microsoft managed and disabled for all users.
  1. In the Azure portal, click Security > Authentication methods > Settings.

  2. For System-preferred multifactor authentication, choose whether to explicitly enable or disable the feature, and include or exclude any users. Excluded groups take precedence over include groups.

How does system-preferred MFA determine the most secure method?

When a user signs in, the authentication process checks which authentication methods are registered for the user. The user is then prompted to sign in with the most secure method according to the following order. The order of authentication methods is dynamic, meaning it is updated as the security landscape
changes and as better authentication methods emerge.
Temporary Access Pass

A one-time passcode that is generated and sent to the user via email or SMS.

  • FIDO2 security key

A physical security key that the user inserts into their computer or mobile device to authenticate.

  • Microsoft Authenticator push notifications

A notification that is sent to the user's Microsoft Authenticator app. The user can then approve the sign-in attempt from their app.

  • Time-based one-time password (TOTP)

A code that is generated by the user's phone or other device. The code changes every few seconds, making it difficult for attackers to guess.

  • Telephony

A phone call or text message that is sent to the user. The user then enters a code from the call or text message to authenticate.

  • Certificate-based authentication

A digital certificate that is installed on the user's computer or mobile device. The certificate is used to authenticate the user when they sign in.

Friday, July 7, 2023

Remove or Change a user's email alias in Office 365

In Office 365, changing a user's email alias has traditionally been a straightforward process that many engineers have been familiar with. However, due to recent updates by Microsoft, there have been some changes in the way we need to approach this task, causing confusion among a few of my colleagues who reached out to me for assistance. In this guide, I will outline the updated procedure for changing a user's email alias in Office 365, particularly when dealing with a Hybrid setup and synchronization between on-premises Active Directory and the cloud environment.

Change a user's email alias 


1. Open the Azure Active Directory portal by logging in to your Office 365 account.
2. Navigate to the "Users" section.
3. Locate and select the user whose email alias needs to be changed.
4. Open the user's profile and proceed to edit their properties.

Modifying the Email Alias:

1. In the user's properties, look for the "User Principal Name" and "Mail Nickname" attributes. These are the attributes that can now be modified from the cloud environment.
2. Update the "User Principal Name" field with the desired alias for the user's email address.
3. Similarly, modify the "Mail Nickname" field to reflect the new alias.
4. Save the changes to update the user's email alias.

Hybrid Setup Considerations:

It's worth noting that in a Hybrid setup, where synchronization occurs between on-premises Active Directory and Office 365, changing the email alias solely from the on-premises environment (proxy address) may not result in the desired changes. Therefore, it is crucial to utilize the Azure Active Directory portal to modify the necessary attributes mentioned above.

Remove a user's email alias 

In a Hybrid setup, when migrating from a domain removal scenario to an Onmicrosoft domain, there are specific steps that need to be followed to ensure a smooth transition. This guide outlines the necessary procedures, particularly when dealing with licensed and unlicensed users, and the synchronization of attribute changes from the on-premises Active Directory to Azure Active Directory.


Handling Licensed Users:
a. For licensed users, initiate the domain change from the on-premises Active Directory.
b. Make the necessary changes to the user's attributes, including the domain information.
c. Run an Azure AD delta sync to synchronize the exchange attributes to Azure Active Directory.
d. Note that the delta sync will only sync attribute changes to Azure if the user has an active license.

Unlicensed Users:

a. In the case of unlicensed users, a delta sync alone will not sync any attribute changes to Azure Active Directory.
b. Instead, the initial sync command must be used to ensure that the changes take effect.
c. Execute the initial sync command to synchronize the attribute changes for unlicensed users.

When migrating from a domain removal scenario to an Onmicrosoft domain in a Hybrid setup, it is crucial to follow the proper steps for both licensed and unlicensed users. For licensed users, changing the domain from the on-premises Active Directory and running an Azure AD delta sync will effectively sync the exchange attribute changes to Azure. However, for unlicensed users, the delta sync will not suffice, and the initial sync command must be utilized to ensure that the changes take effect. By adhering to these procedures, you can successfully migrate from domain removal to an Onmicrosoft domain in your Hybrid setup.

Monday, June 19, 2023

Scheduling meeting with voting poll


It is now easy to schedule a meeting when external parties are involved in the same meeting.

Last year, Microsoft released a feature called 'Find Time,' but most of us are not aware of it, and some lack knowledge about the new feature. In this article, I will share all my findings on the scheduling poll available in Outlook.

We can schedule a poll in two locations:

  • Calendar

  • New email 

Next, change the required details as per your needs.

After you create the poll, you will see it in the email or calendar request as shown below.

Check your calendar; you will see that your calendar has been tentatively booked for the selected time frame.

Once you receive the votes, you can select 'View Poll Results,' and it will open on the web (

Select the meeting title to expand the results.
With the results, you can directly schedule the meeting. After successfully completing the poll, the hold time will be released."

Tuesday, June 6, 2023

Cross-Tenant Synchronization

Some customers have requested cross-tenant synchronization, but it is not currently available in its entirety. However, we do offer several features that can enable synchronization with another tenant. Some customers utilize third-party applications, while others rely on scripting for this complex integration.

To facilitate seamless synchronization between two tenants, we have a few key features that can be directly enabled and provide significant benefits:

  1. Calendar Cross-Tenant Synchronization: This feature allows for the synchronization of calendars between different tenants. It ensures that appointments, events, and important dates are shared and updated across multiple tenants.
  2. Collaboration Cross-Tenant Synchronization: With this feature, users from different tenants can collaborate effortlessly. It enables real-time collaboration enabling smooth teamwork and productivity across tenants.
  3. Application Access Cross-Tenant Synchronization: By enabling this feature, users from one tenant can seamlessly access and interact with applications and data from another tenant. It simplifies the process of sharing resources and enhances efficiency in cross-tenant workflows.

By leveraging these features, we aim to provide a robust and efficient solution for cross-tenant synchronization. Although complete synchronization is not currently available, these enabled features offer significant benefits for customers seeking to streamline their operations and enhance collaboration between tenants.

Calendar Cross-Tenant Synchronization

This is how we can enable the Calendar synchronization. 

Go to the Exchange admin Center, click Organization ad Select Sharing.

Select Organization relationship