Microsoft Entra Conditional Access with Strictly Enforce Location Policies

A new feature in conditional access allows for the strict enforcement of location policies using continuous access evaluation (CAE). This enables the quick invalidation of tokens that violate your IP-based location policies. When a client's access to a resource is denied because CAE's strict location policies are activated, the client will experience a blockage.

Read More

Adding Sponsors for Guest user

Introducing the sponsor feature enables you to designate a responsible individual or group for each guest user. This functionality allows for the tracking of the inviting party and enhances accountability.

This article delivers an overview of the sponsor feature and offers guidance on its application within B2B scenarios.

The Sponsors field within the user object pertains to the individual or group responsible for extending the invitation to the guest user within the organization. This field serves as a means to identify the inviting party and enhance accountability. It's important to note that being a sponsor does not confer administrative privileges upon the sponsor user or group. Instead, it can be employed for approval processes in Entitlement Management.

When extending an invitation to a guest user, you automatically assume the role of the sponsor for that guest user, unless you explicitly designate another user as the sponsor during the invitation process. Your name will be automatically added to the Sponsors field within the user object. Additionally, it's possible to assign up to 5 sponsors to a single guest user.

Read More

Exchange hybrid "writeback" with Cloud Sync (Cloud to On-prem Sync)

 

An Exchange hybrid deployment is a way to extend the feature-rich experience and administrative control of an on-premises Microsoft Exchange organization to the cloud. It provides a seamless look and feel of a single Exchange organization between an on-premises Exchange organization and Exchange Online.

With this new feature enabled, we can "write back" Exchange Online attribute to on-premises AD environment.

Read More

How to setup Azure AD Connect cloud sync to your Organization

Introducing Azure AD Connect Cloud Sync, a cutting-edge solution by Microsoft designed to cater to your hybrid identity needs for seamless synchronization of users, groups, and contacts to Azure AD. This innovative offering utilizes the Azure AD cloud provisioning agent, presenting a departure from the traditional Azure AD Connect application. 

Read More

All you need to know about Remote Help with MS Intune

 

Prerequisites

• Intune subscription
• Remote Help add on license or an Intune Suite license for all IT support workers (helpers) and users (sharers)
• Windows 10/11
• The Remote Help app for Windows.(https://aka.ms/downloadremotehelp)

Network Requirement

Remote Help communicates over port 443 (https) and connects to the Remote Assistance Service at https://remoteassistance.support.services.microsoft.com by using the Remote Desktop Protocol (RDP). The traffic is encrypted with TLS 1.2.

Both the helper and sharer must be able to reach these endpoints over port 443:

Domain/Name	Description
*.aria.microsoft.com	Used for accessibility features within the app
*.events.data.microsoft.com	Microsoft Telemetry Service
*.monitor.azure.com	Required for telemetry and remote service initialization
*.support.services.microsoft.com	Primary endpoint used for the Remote Help application
*.trouter.skype.com	Used for Azure Communication Service for chat and connection between parties
*.aadcdn.msauth.net	Required for logging in to the application Microsoft Azure Active Directory (Azure AD)
*.aadcdn.msftauth.net	Required for logging in to the application Azure AD
*.edge.skype.com	Used for Azure Communication Service for chat and connection between parties
*.graph.microsoft.com	Used for connecting to the Microsoft Graph service
*.login.microsoftonline.com	Required for Microsoft sign in service. Might not be available in preview in all markets or for all localizations
*.remoteassistanceprodacs.communication.azure.com	Used for Azure Communication Service for chat and connection between parties
Allowlist for Microsoft Edge endpoints	The app uses Microsoft Edge WebView2 browser control. This article identifies the domain URLs that you need to add to the allowlist to ensure communications through firewalls and other security mechanisms

Check for Licensing

From the Intune portal you can check the licensing.

1. Access the Intune portal.
2. Navigate to the Endpoint portal.
3. Proceed to the Tenant Administration section.
4. Select "Intune Add-ons" to check the licensing.

from here you can activate your trail. 

Integrate Intune - Remote Help

1. Access the Endpoint portal.
2. Navigate to the Tenant Administration section.
3. Choose "Remote Help" from the available options.
4. Click on "Settings" and select "Configure.

Following Setting need to set

Enable Remote Help: Enable

Allowed Remote help to unenrolled Devices : Allowed 

Disable Chat : No

RBAC Permissions for Intune Remote Help

1. Access the Endpoint portal.
2. Navigate to the Tenant Administration section.
3. Choose "Roles" from the available options.

You can assign the "Help Desk Operator" or you can create a new Role. Select Create button to create new role. fill the below details

• Name : Provide a Name
• In the permission select Remote help and select necessary permission

• Elevation - Elevation allows the helper to enter UAC credentials when prompted on the sharer’s device when remote help is enabled. Enabling elevation also allows the helper to view and control the sharer’s device when the sharer grants the helper access.
• View Screen - View screen allows the helper to view the sharer’s device when Remote Help is enabled for all platforms we support.
• Take Full Control - For Windows and Android devices, take full control allows the helper to view and control the sharer’s device when Remote Help is enabled.
• Select next & Create.

After that Open the Role base profile previously created and go to assignment. Fill the following

• Select Assign and provide a name
• Admin Group - Add the admin group or helper group (Support team Group)
• Scope Group - you can add all users, All device or specific halpee group.

Select Next and Create. 

Deploy Remote help app though Intune

Frist you need to download below two setup 

• Remote app for windows - (https://aka.ms/downloadremotehelp)
• Microsoft Win32 Content Prep Tool - https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool

Open the app Microsoft-Win32-Content-Prep-Tool and open the IntuneWinAppUtil application. 

• specify the source folder of the Remote app for windows location
• Specify the setup file - Example -  remotehelpinstaller.exe
• Specify the output folder to export the intunewin file
• Catalog  Select - No

exported location you ca see that intunewin  has been created

then go to Endpoint admin portal > Select app > windows Apps and click Add icon. fill below information to create the app in intune

• App Type : Windows app (Win32) and select
• Click Select App package and brouse the intunewin file we created previously
• file the app information as required & click next (publisher required to fill

in the Program fill below information 

• Install command - remotehelpinstaller.exe /quiet acceptTerms=1
• Uninstall command - remotehelpinstaller.exe /uninstall /quiet acceptTerms=1

To opt out of automatic updates, specify enableAutoUpdates=0 as part of the install command remotehelpinstaller.exe /quiet acceptTerms=1 enableAutoUpdates=0

Requirement tabs fill below

• Operating system architecture - 32 bit & 64 bit
• Minimum operating system - Windows 10 1607

and select next

Detection Rules tab fill below information 

• Rules format - Manually configure detection rules and click +add
• Rule type - select File
• Path, specify C:\Program Files\Remote Help
• File or folder, specify RemoteHelp.exe
• Detection method, select String (version)
• Operator, select Greater than or equal to
•  Value, specify the version of Remote Help you are deploying. For example, 10.0.22467.1000
• Leave Associated with a 32-bit app on 64-bit clients set to No

Finished the wizard (Assignment  tab Assign to deployment group.)

Setting up Conditional Access for Remote Help

Conditional Access for Remote help still in Preview. We need to enable it before we create the polices

• Install-Module -Name AzureADPreview
• Connect-AzureAD
• New-AzureADServicePrincipal -AppId 1dee7b72-b80d-4e56-933d-8b6b04f9a3e2

Create policy

1. Access the Endpoint portal.
2. Navigate to the Endpoint security section.
3. Select Conditional Access
4. then select Policy and Create New policy

Initiate a remote help session

1. Access the Endpoint portal.
2. Navigate to the Device section.
3. Windows devices & open the Manage PPC

Supported features and scenarios

The following table shows the features and scenarios supported by each remote assistance option. A check mark (✅) indicates that the feature or scenario is supported, and a cross mark (❌) indicates that it's not supported.

Read More

System-preferred multifactor authentication Method

System-preferred multifactor authentication (MFA) is a security feature that prompts users to sign in using the most secure method they have registered. This can help to improve sign-in security and discourage the use of less secure methods, such as SMS.

For example, if a user has registered both SMS and Microsoft Authenticator push notifications as MFA methods, system-preferred MFA will prompt them to sign in using the push notification method. The user can still choose to sign in using another method, but they will be first prompted to try the most secure method they have registered.

If you are an administrator, I encourage you to consider enabling system-preferred MFA in your organization. This is a simple way to improve the security of your sign-in process and protect your users' data.

Enable system-preferred MFA in the Entra ID portal

By default, system-preferred MFA is Microsoft managed and disabled for all users.

1. In the Azure portal, click Security > Authentication methods > Settings.

2. For System-preferred multifactor authentication, choose whether to explicitly enable or disable the feature, and include or exclude any users. Excluded groups take precedence over include groups.

How does system-preferred MFA determine the most secure method?

When a user signs in, the authentication process checks which authentication methods are registered for the user. The user is then prompted to sign in with the most secure method according to the following order. The order of authentication methods is dynamic, meaning it is updated as the security landscape
changes and as better authentication methods emerge.
Temporary Access Pass

A one-time passcode that is generated and sent to the user via email or SMS.

• FIDO2 security key

A physical security key that the user inserts into their computer or mobile device to authenticate.

• Microsoft Authenticator push notifications

A notification that is sent to the user's Microsoft Authenticator app. The user can then approve the sign-in attempt from their app.

• Time-based one-time password (TOTP)

A code that is generated by the user's phone or other device. The code changes every few seconds, making it difficult for attackers to guess.

• Telephony

A phone call or text message that is sent to the user. The user then enters a code from the call or text message to authenticate.

• Certificate-based authentication

A digital certificate that is installed on the user's computer or mobile device. The certificate is used to authenticate the user when they sign in.

Read More

Remove or Change a user's email alias in Office 365

In Office 365, changing a user's email alias has traditionally been a straightforward process that many engineers have been familiar with. However, due to recent updates by Microsoft, there have been some changes in the way we need to approach this task, causing confusion among a few of my colleagues who reached out to me for assistance. In this guide, I will outline the updated procedure for changing a user's email alias in Office 365, particularly when dealing with a Hybrid setup and synchronization between on-premises Active Directory and the cloud environment.

Change a user's email alias 

Procedure:

1. Open the Azure Active Directory portal by logging in to your Office 365 account.

2. Navigate to the "Users" section.

3. Locate and select the user whose email alias needs to be changed.

4. Open the user's profile and proceed to edit their properties.

Modifying the Email Alias:

1. In the user's properties, look for the "User Principal Name" and "Mail Nickname" attributes. These are the attributes that can now be modified from the cloud environment.

2. Update the "User Principal Name" field with the desired alias for the user's email address.

3. Similarly, modify the "Mail Nickname" field to reflect the new alias.

4. Save the changes to update the user's email alias.

Hybrid Setup Considerations:

It's worth noting that in a Hybrid setup, where synchronization occurs between on-premises Active Directory and Office 365, changing the email alias solely from the on-premises environment (proxy address) may not result in the desired changes. Therefore, it is crucial to utilize the Azure Active Directory portal to modify the necessary attributes mentioned above.

Remove a user's email alias 

In a Hybrid setup, when migrating from a domain removal scenario to an Onmicrosoft domain, there are specific steps that need to be followed to ensure a smooth transition. This guide outlines the necessary procedures, particularly when dealing with licensed and unlicensed users, and the synchronization of attribute changes from the on-premises Active Directory to Azure Active Directory.

Procedure:

Handling Licensed Users:

a. For licensed users, initiate the domain change from the on-premises Active Directory.

b. Make the necessary changes to the user's attributes, including the domain information.

c. Run an Azure AD delta sync to synchronize the exchange attributes to Azure Active Directory.

d. Note that the delta sync will only sync attribute changes to Azure if the user has an active license.

Unlicensed Users:

a. In the case of unlicensed users, a delta sync alone will not sync any attribute changes to Azure Active Directory.

b. Instead, the initial sync command must be used to ensure that the changes take effect.

c. Execute the initial sync command to synchronize the attribute changes for unlicensed users.

When migrating from a domain removal scenario to an Onmicrosoft domain in a Hybrid setup, it is crucial to follow the proper steps for both licensed and unlicensed users. For licensed users, changing the domain from the on-premises Active Directory and running an Azure AD delta sync will effectively sync the exchange attribute changes to Azure. However, for unlicensed users, the delta sync will not suffice, and the initial sync command must be utilized to ensure that the changes take effect. By adhering to these procedures, you can successfully migrate from domain removal to an Onmicrosoft domain in your Hybrid setup.

Read More

Scheduling meeting with voting poll

It is now easy to schedule a meeting when external parties are involved in the same meeting.

Last year, Microsoft released a feature called 'Find Time,' but most of us are not aware of it, and some lack knowledge about the new feature. In this article, I will share all my findings on the scheduling poll available in Outlook.

We can schedule a poll in two locations:

• Calendar

• New email 

Next, change the required details as per your needs.

After you create the poll, you will see it in the email or calendar request as shown below.

Check your calendar; you will see that your calendar has been tentatively booked for the selected time frame.

Once you receive the votes, you can select 'View Poll Results,' and it will open on the web (https://outlook.office.com/findtime/dashboard).

Select the meeting title to expand the results.

With the results, you can directly schedule the meeting. After successfully completing the poll, the hold time will be released."

Referance: https://prod.support.services.microsoft.com/en-us/topic/access-scheduling-poll-a8742e97-0b59-45c4-9359-23b582c64a271

Read More

Cross-Tenant Synchronization

Some customers have requested cross-tenant synchronization, but it is not currently available in its entirety. However, we do offer several features that can enable synchronization with another tenant. Some customers utilize third-party applications, while others rely on scripting for this complex integration.

To facilitate seamless synchronization between two tenants, we have a few key features that can be directly enabled and provide significant benefits:

1. Calendar Cross-Tenant Synchronization: This feature allows for the synchronization of calendars between different tenants. It ensures that appointments, events, and important dates are shared and updated across multiple tenants.
2. Collaboration Cross-Tenant Synchronization: With this feature, users from different tenants can collaborate effortlessly. It enables real-time collaboration enabling smooth teamwork and productivity across tenants.
3. Application Access Cross-Tenant Synchronization: By enabling this feature, users from one tenant can seamlessly access and interact with applications and data from another tenant. It simplifies the process of sharing resources and enhances efficiency in cross-tenant workflows.

By leveraging these features, we aim to provide a robust and efficient solution for cross-tenant synchronization. Although complete synchronization is not currently available, these enabled features offer significant benefits for customers seeking to streamline their operations and enhance collaboration between tenants.

Calendar Cross-Tenant Synchronization

This is how we can enable the Calendar synchronization. 

Go to the Exchange admin Center, click Organization ad Select Sharing.

Select Organization relationship 

• Relationship name: Provide a Friendly Name
• Domain to share with: Add the domain

Do the same for the another tenant as well. 

Cross-Tenant Synchronization

Follow below step to Enable Collaboration Cross tenant

Go to Azure portal (Portal.azure.com) and Select External Identities. after that Select 

Cross-Tenant Synchronization settings. select Organizational Setting

• Add Organization and provide the Tenant ID or Domain Name.

In the Target tenant Go to inbound Access > Cross-Tenant Sync select Allow users Sync in to this tenant. 

In the Source Tenant Go to OutboundAccess > Cross-Tenant Sync select Allow users Sync in to this tenant

after that in the Target tenant go to Azure Active directory and go to Cross-Tenant Synchronization. 

then New Configuration > Provide a name. after that open the Configuration and add the users or Group.

then go to Provisioning  and Manual change to Automatic 

and add the tenant ID & Test connections

after that Save it. and go back to Provisioning and Provisioning Status turn on.

Read More

Manage ownerless Microsoft 365 groups and teams

To ensure smooth functioning within groups, it is essential for each group to have an owner responsible for managing membership and settings. Owners possess unique permissions, including the ability to modify group configurations. However, situations may arise when the owner leaves, leaving members in need of assistance to add a new owner. This can potentially disrupt the ecosystem, especially within Microsoft Teams.

To address this issue, one possible solution is to implement a system where an email notification is automatically sent to active group members when there is no owner present. The email would request one of the active members to step up and become the new owner. This process can be facilitated through the following steps:

1. Log in to the O365 admin center.
2. Navigate to the Settings section.
3. Locate the Microsoft 365 Groups option.
4. Enable the functionality to identify ownerless groups by ticking the corresponding checkbox.

By implementing this option, the system will proactively identify groups without owners. This will trigger an email notification to active group members, alerting them to the vacancy and asking for someone to assume the ownership role. This approach ensures continuity and prevents the ecosystem from breaking due to lack of ownership.

By following these steps, you can improve the management of groups within Microsoft Teams, promoting a seamless experience for all members and maintaining the integrity of the ecosystem.

Read More