The “REMOTE Cloud Workplace Meetup” Number 6 will be held on June 9th. As COVID-19 still blocks us to meet in person, this event will be a virtual event with two sessions. I’m very happy to serve the first session.
WHAT IS THE CONTENT
We will talk about Identity and Access Management. As this is only a 35 minutes slot, incl. Q&A, I will only cover thre topics: – Zero Trust (very short) – Azure Multifactor Authentication based on Conditional Access – Access Reviews for Teams or Microsoft 365 groups (Former Office 365 groups) Feel free to register here: Remote Cloud Workplace Meetup #6
A valid and secured Identity is gold!
Azure Active Directory (Azure AD) brings you several options to achieve this goal.
First of all you should enable Azure MFA for all users. But hey: What about all the Admin Accounts and what in case of Azure MFA fails. We will show how to enable Azure MFA in a right way and make sure you have a protected identity.
What else: Using Identity Governance and Access reviews you have a tool on board which helps you to review access to your Office platform such as Microsoft Teams.
Currently and in the past I have done a number of ADFS to Azure AD authentication projects, where authentication is moved to Password Hash Sync (PHS) & Seamless SSO or Pass Through Authentication (PTA) including sSSO.
First of all you should know your environment when starting removing services. I assume, that you’re aware of the server that are joined to your ADFS farm. If not, STOP here and start over :-). No, you can use PowerShell to get a list of your servers and specially the primary server of your farm. Run that on one of your ADFS hosts:
Make sure you have migrated all authentications to Azure and you have disbled the relying party trusts for a while now. This gives you the certainty that no authentication flow still passed your ADFS environment.
You should also consider the “Application” logs on each of your ADFS server. Filter them by using “AD FS, AD FS Auditing, AD FS Tracing and ADHealth-Adfs” to confirm no auth-flow runs over ADFS.
If you still see failing authentications going over your farm, make sure they get migrated to Azure before you remove your ADFS servers. Also have a look into the Application and Services Log/ADFS/Admin. If all is clear, you can start decommissioning your farm.
On your primary ADFS server check the certificate sharing containers as you will need that later to remove it within ADSI. Do that before you removing the ADFS farm.
Remove the WAP Servers
Login to each WAP server, open the Remote Access Management Console and look for published web applications. Remove any to ADFS related that are not being used any more. Make a note of the URL that you are removing – its very likely that this means you can remove the same name from public and private DNS as well once the service is no longer needed. You can accomplish this by using PowerShell:
Also remove the ADFS database on the local system by running the command bellow. This will clear the folder with the ADFS database and logs.
Clean-up some more ADFS Stuff
Do not forget to remove: – Internal and external ADFS specific DNS records – Load Balancer configurations for ADFS Farm – Firewall rules between Internet, Load Balancer, DMZ and ADFS Servers – Revoke certificates if no longer needed – Service accounts, Group Managed Service Accounts – Remove IIS on the ADFS Server and/or decommissioning the Windows Server itself
If you have removed all ADFS Servers from your forest, you are now save to remove the ADSI entries under for the Certificate Sharing Container within ADSI edit: CN=Microsoft,CN=Program Data,DC=domain,DC=local
Recently a customer called, that the Automatic Enrollment for MDM is not working as excepted and the clients are getting some errors during MDM Autoenrollment. Easy I thought, let’s have a look…
Within the Eventlog under Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider the error Unknown Win32 Error code: 0x80180001 was triggerd.
Usually you configure MDM Automatic enrollment using a GPO after your devices are Hybrid Joined (to do so, check that post here).
Since Windows 10 1903 this GPO policy got a change. You can now select Device or User Authentication. If you select Device Authentication, a device token will be used to enroll the device, but this is not supported for Intune, based on this Docs article.
Also, another error caused in the Eventlog which indicates, that the GPO setting must be misconfigured:
MDM Enroll: Server Returned Fault/Code/Subcode/Value=(MessageFormat) Fault/Reason/Text=(Device based token is not supported for enrollment type OnPremiseGroupPolicyCoManaged
As soon this GPO policy is applied to a device, a scheduled task is created and triggers the enrollment process every 5 minutes.
You can find this task under \Microsoft\Windows\EnterpriseMgmt. If you check the arguments for this specific task, you probably realize that the argument uses the string:
So, still device authentication is used. This causes our error. Let’s change that to User authentication.
To test the enrollment with user auth, you can ether changing the GPO to user authentication (this did not change the scheduled task arguments in my case, even after reboots, gpupdate, etc.) or just manually changing the string to:
After that, the devices started to auto enroll into Intune. Be aware, that auto enrollment, enrollment restriction and Azure AD device registration needs to be enabled and configured for that.
Your users will receive a toast message that some account settings has been changed.
If you use Azure MFA maybe another error will popup in the event log but not displayed to the enduser:
Auto MDM Enroll: Failed (Unknown Win32 Error code: 0x8018002a)
This will also block the enrollment process. You can avoid that, by configuring an exclusion in Conditional Access for the “Microsoft Intune Enrollment” cloud app.
It is going to be a busy time until the end of November! I’m very proud to be a part of some great conferences and user groups to present about Modern Workplace stuff like Modern Device Management and Microsoft 365 Governance.
AZURE USER GROUP ZURICH Already next week you can join me at the Azure User Group in Zurich. There is a full track about Digital Cloud Workplace and how to move from a “legacy” management to a modern cloud (enabled) management or better I say, to a Modern Workplace! Of course, using tools from the Microsoft 365 products. If you like to join check out the agenda and register now for the MeetUp in Zurich:
EXPERTS LIVE EUROPE I am happy to let you know that I will be speaking at Experts Live Europe 2019 in Prague. The conference will be held in from November 20-22 2019. This is huge for me and I’m very happy to be a part of this conference, specially as a speaker in this year. If you’re interested to join, you can find more details about the conference here:
GEEKMANIA Also in November, at the 29th, we will be at a community event called Geekmania in Zurich, Switzerland. This event covers two tracks, one for Azure and another one for Microsoft 365. I’m happy to provide two sessions in the afternoon. In the first session I will show, why and how you can use Microsoft 365 and in the second session we will talk about Modern Device Management. Would be cool to see you there and if you have, bring some questions!
If you use the Microsoft 365 Security platform and you have the licences to use Microsoft Cloud App Security (MCAS), I recommend to implement Azure Information Protection (AIP) into MCAS.
Azure Information Protection allows you to label and protect your documents also in an automated way. There are two ways to do that. First: You can use the AIP labels in Azure or second, you migrate your labels to the Office 365 Security & Compliance Center also called Unified Labels. Before you migrate your labels, be aware of some limitations of Unified Labels. Find a detailed overview in this article here.
First of all, assign a licence to your user to use MCAS (usually E5 or the Microsoft 365 Security Add-In) and then login to the MCAS portal. portal.cloudappsecurity.com From there use the gear in the top right to configure or check your organization settings. They should already be filled out, as this information’s are tenant wide settings.
Navigate to Investigate and select Connectedapps. On the plus sign add Office 365 as app and Connect the platform to MCAS.
Also make sure you have enabled Office 365 Auditing in the Security & Compliance portal. Browse to protection.office.com – Search – Audit Log search. If audit log is not yet enabled, enable it. It should be on by default. You can find more details regarding audit log here
Back in MCAS, under settings, select Azure Information Protection. Tick the box Automatically scan new files for AIP labels and content inspection warnings and save it.
MCAS can also inspect protected files using file policies. Grant these permissions to MCAS by activating the option in the settings.
To ignore classification labels set external to your organization, in the Cloud App Security portal, go under Settings and Azure Information Protection. Select Only scan files for Azure Information Protection classification labels and content inspection warnings from this tenant.
Now from Files page and under Investigate you can select the file you like to label. Click the three dots at the right side of the file and choose Apply classification label to apply a label.
Be aware: It takes some time to sync your labels into Cloud App Security and Cloud App Security can apply Azure Information Protection on files that are up to 50 MB.
In the next post I will show you how to apply labels in an automated way to a SharePoint library.