What is Microsoft Purview Customer Key?

Microsoft Pureview Customer Key (or Customer Key for short) is an encryption service mainly aimed at resolving regulatory issues with the adoption of Microsoft 365. This is the product you need in the Microsoft Cloud environment if you have a regulatory requirement to have ownership and control over the keys used to encrypt data at rest.

Microsoft 365 already provides volume-level encryption through Bitlocker and Distributed Key Manager (DKM), but you have no control over the encryption keys used. Customer Key can encrypt with your keys data from Exchange Online, Skype for Business, SharePoint Online, OneDrive for Business, and Microsoft Teams. The Microsoft services will use your key to make the various systems work.

You’ll have the option to let Microsoft generate your RSA Keys or upload your own. All the key management capabilities are done through Azure Key Vault. Once Microsoft checks that everything is going well, Microsoft 365 uses your keys to encrypt data at rest.


While Customer Key adds additional security against unauthorized access to data, it’s not intended to restrict Microsoft employees’ ability to access your data. Instead, that feature is provided by Customer Lockbox. Customer Lockbox ensures that Microsoft can’t access your data without your consent.

CRITICAL CONSIDERATIONS:

  • Once you encrypt SharePoint Online, OneDrive for Business, and Teams, there is no going back to Microsoft Managed Keys.
  • The loss of the root encryption keys can have catastrophic consequences. Various precautions can be taken to avoid common errors but keep this in mind.
  • Microsoft keeps an availability key, which functions the same as your two keys. This key is used by automated processes and aims to provide recovery capabilities from the loss of the root keys you manage. To learn more follow this link: Availability Key in Customer Key | Microsoft Docs

FEATURES LIMITED BY THIS SERVICE:

  • None that I’m aware of

GENERAL REQUIREMENTS:


PERMISSIONS

  • Being a Global Admin for the tenant

REQUIRED LICENCES: (One of the following types)

  • Office 365 E5
  • Microsoft 365 E5
  • Microsoft 365 E5 Compliance
  • Microsoft 365 E5 Information Protection & Governance SKUs
  • Microsoft 365 Security and Compliance for FLW

AZURE:

Generally, the ability to create Subscriptions and an Owner role in those subscriptions. The subscriptions will host the Azure Key Vaults that will contain your keys.

  • Ability to create Azure Subscriptions and Resource Groups
  • Ability to modify permissions on Azure Subscriptions and on resources
  • Ability to create and manage Azure Key Vaults and related keys

TIPS:

  • You can leverage the Hardware Security Module (HSM) key protection by using a Premium Key Vault

To learn more, refer to the following link:

Customer Key Overview | Microsoft Docs

Add or remove a user from a Conditional Access Policy (CAP) – Azure AD

Conditional Access Policies (CAPs) are identity-driven policies that govern user access to resources. We can summarize them as if statements that govern what will be requested, enforced or blocked.

In most organizations, the CAPs govern the enforcement of MFA, the block of logins using legacy protocols, and requiring a compliant device to access company resources.

All policies “think” at the user level.

It is advisable to make changes to CAPs only if you have a basic understatement of the service, since you could risk blocking access to the tenant for all users. In order to learn more, refer to the following documentation:


Azure AD Conditional Access documentation – Microsoft Entra | Microsoft Learn

Some quick notes:

  • It’s a good idea to manage exclusions using Groups. This way, you won’t have to directly modify the policy every time.
  • Since many policies are scoped to include all users, you’ll have to handle exceptions with the “exclude” feature.

To add or remove a user:

  • Log in to Conditional Access – Microsoft Azure
  • Select the desired policy
  • If you intend to add a user to the policy, click on the blue link under “Users or workload identities”, then “Include,” and click the blue link under “Users and groups”.
  • Select or search for the desired user, then click “Select.”
  • If you want to exclude a user, click on the blue link under “Users or workload identities”, then “Exclude,” and click on the blue link just below “Users and groups.” The same user selection screen shown in the previous step will open. Search for and select the user, then click “Select.”

Once done, save using the “Save” button at the end of the page. If the policy is in “Report-only” or “Off“, the flow is not active.

Enable file monitoring for Office 365 in Defender for Cloud Apps – DCA

Before enabling file monitoring in Defender for Cloud Apps, be sure to have the appropriate licensing assigned. To follow these steps, you’ll need the following:

  • An Information Protection licence
  •  A full Defender for Cloud Apps licence. A Microsoft Defender for Cloud Apps Discovery license is not enough.

Please note that you’ll have to create a file policy as soon as you enable the feature. If you don’t create a file policy in the first seven days, the feature will be disabled.

First, log into the Defender for Cloud Apps portal:

Defender for Cloud Apps Portal

Then, click on Settings in the top right corner

Go into Files under the Information Protection tab. If you don’t see this section, please check the license you have applied to your user.

Enable file monitoring, then save. Once done, click on “Connected Apps”

Click on the three dots at the right of Office 365. If the application is not there, add it.

Click edit settings, then check “Office 365 files”. Finally, click “Connect”, then close the panel to finish up.

Get all users of an Azure AD Group and add them to another one – Powershell

The following script will get all the members of an Azure AD group and add them to another group. You’ll just need to know the name of the two groups.

The source group will be called Group1 and the destination Group2.

# Replace Group1Name with the name of your source group and Group2Name with the name of the destination one. Everything else will be done automatically

$Group1 = "Group1Name"
$Group2 = "Group2Name"


$group1ObjectID = Get-AzureADGroup -Filter "Displayname eq '$group1'" | Select objectid -ExpandProperty ObjectID
$group2ObjectID = Get-AzureADGroup -Filter "Displayname eq '$group2'" | Select objectid -ExpandProperty ObjectID

$membersGroup1 = Get-AzureADGroupMember -ObjectId $group1ObjectID -All $true

foreach($member in $membersGroup1)
{
    $currentuser = Get-AzureADUser -ObjectId $member.ObjectId | select objectid
    Add-AzureADGroupMember -ObjectId $group2ObjectID -RefObjectId $currentuser.objectid

}
Get-AzureADGroupMember -ObjectId $group2ObjectID -All $true

Unfortunately, your password contains a word, phrase or pattern that makes it easily guessable. – Azure AD

Suppose you or a user reset a password, and one of the following errors comes up. In that case, it means that either you are using a guessable password or that somebody in your organization has enabled Password Protection in your environment, and you are using a banned word.

  • Unfortunately, your password contains a word, phrase or pattern that makes it easily guessable. Please try again with a different password.
  • “Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain.”

If you are a user, please try a more complex password to circumvent the error. Substituting @ with A, 1 with I, and other widespread ways of changing up a common word will not be counted as “not including a common word”.

If you are an admin, please note the following about this feature. Users often create passwords that use common words based on personal interests or easily rememberable things (e.g. cities, sports teams, celebrities, months, etc.). These passwords are strongly vulnerable to dictionary-based attacks. Azure AD Password Protection, which works either in a “cloud-only” mode or can also synchronize to on-prem, provides a global and custom-banned password list. The global one is maintained directly by Microsoft; the custom one can be modified by the Microsoft 365 / Azure AD admins.

To access the feature settings, click on this link: Password Protection settings | Azure AD

Delete a user profile in Azure Virtual Desktop – AVD

To remove a user profile in Azure Virtual Desktop, you must first be sure that the user is logged off. If you are unsure on how to do it, follow the guide below.

After you’ve checked this, you got two options based on the type of profile architecture you chose to implement.

  • If the profiles are stored locally, you can proceed to remove them as you’d do in standard W10 machine.
  • If you are using FSLogix, which is the recommended way to handle them, you can proceed to remove the user folder from the Azure File Share.

If you are unsure about which type of user profile solution you use, you can log in to a standard user account (preferably the one you wish to remove) and follow the guide below.

If you fall under the first option, log into the AVD instance/instances with an admin user account, open “Run“, then type netplwiz.exe and click enter. This will open the Advanced User Accounts Control Panel. From there, you’ll get a list of all the users. Next, click on the user profile you’d like to delete and click “Remove”. You’ll have to repeat this procedure for all the AVD hosts in your environment.

If you are running FSLogix, log into the Azure File Share hosting your profiles, then locate the user folder you wish to delete. Usually, the format is either %username%%sid% or “%sid%%username%, depending on whether you have added the FlipFlopProfileDirectoryName registry in the FSLogix configuration (FlipFlopDirectoryName | AVD). Once you have found it, open it, and delete the VHD/ VHDX stored inside, as per the screenshot below. After the VHD deletion has been completed, delete the user profile folder.

This application contains sensitive information and can only be accessed from devices or client applications that meet management compliance policy – Azure AD

This error message results from the application of a Conditional Access Policy on your tenant that blocks users from accessing cloud resources using a non-compliant device. The compliance state of a device is evaluated by Intune. To check which compliance policies you have active in your environment, head to:

Compliance Policies | Intune

To resolve the issue, either fix the device’s compliance state or exclude the user from the Conditional Access Policy.

To fix the compliance state, head into All Devices | Intune, click on the impacted device, and then “Device Compliance“. From there, you can see which policy makes the device not compliant and which setting is “at fault”.

If you are looking to understand which Conditional Access Policy is blocking the user, check out this guide:

To learn more, visit: Get started with device compliance | Intune 

To drill down on this type of Conditional Access Policy control, check out this link:

Conditional Access: Require compliant or hybrid Azure AD joined device

This application contains sensitive information and can only be accessed from domain joined devices – Azure AD

This error message results from the application of a Conditional Access Policy on your tenant that blocks users from accessing cloud resources without a hybrid-joined device. A Hybrid-joined device is an AD-joined client which gets synchronized to Azure AD via Azure Active Directory Connect (AD Connect). This process enables you to make the device visible to Azure AD and lets you manage it with Intune.

If you are looking to understand which Conditional Access Policy is blocking users, check out this guide:

If this block has been triggered, you are probably synchronizing AD-joined devices to Azure AD. If the user is accessing the portal from an on-premise joined device, check if you are synchronizing said device and consider adding it to the right OU / add the right attribute to let it sync.

Once you are done, and the device is hybrid joined (or you’ve excluded the user from the CAP), the user will be able to access the resources.

Please note that the “Hybrid join check” type of access control is usually paired with a device compliance check. So expect a possible further block related to this. To learn more, visit: Get started with device compliance | Intune  or read my article:

To drill down on this type of Conditional Access Policy, check out this link:

Conditional Access: Require compliant or hybrid Azure AD joined device

Online Mailbox cannot be created because an on-premise one already exists – Exchange Online

This issue is mainly present if you are trying to migrate from Exchange on-prem to Exchange Online and you’re not going with the hybrid route. The “double mailbox” way consists in having an online mailbox and a local one, and manually (or automatically using tools) migrating the content online.

The issue is that, if you are synchronizing your on-prem AD with Azure AD, you are most probably including your msExchMailboxGUID into the replicated fields. This attribute will tell Exchange Online not to create an online mailbox, as an on-prem one already exists.

Once you will have cleared this field from the online user, Exchange Online will be able to create another mailbox, populating the msExchMailboxGuid of the online user, leaving you with the possibility of exporting and importing data into your online mailbox.

Please note that this will also automatically clear the following attributes from the online user:

  • alias
  •  legacyExchangeDN
  •  msExchArchiveGuid
  •  msExchArchiveName
  •  msExchBlockedSendersHash
  •  msExchElcMailboxFlags
  •  msExchRecipientDisplayType
  •  msExchRecipientTypeDetails
  •  msExchSafeRecipientsHash
  •  msExchSafeSendersHash
  •  userCertificate

To proceed with the creation of the online mailbox, follow these steps:

  • Open your AD Connect server.
  • Stop the Sync with Powershell (launch it as admin and keep it open after this command): Set-ADSyncScheduler -SyncCycleEnabled $false
  • Open the Synchronization Rules Editor as an admin.
  • Select the In from AD – User Exchange rule, click Edit, then click on yes.
  • Under Precedence write 250 (or the first free one), then click Next until you arrive in the Transformations page. Here look for msExchMailboxGuid, then change the row’s settings to make them match with the image below:
  • Once you are done, click Save, then open the original rule. Note down the Precedence (usually it’s 108), then delete the rule. Go into your newly cloned rule and change the Precedence to the one you noted down.
  • Before you enable the scheduler and perform a full sync, you should test out the changes. This is the documentation link to test everything out without committing changes to Azure AD: Verify changes to AD Connect rules | MS Docs
  • Reenable the scheduler: Set-ADSyncScheduler -SyncCycleEnabled $true
  • Perform a full synchronization: Start-ADSyncSyncCycle -PolicyType Initial

You should now be able to create a second mailbox for your synchronized user by assigning a valid license.

Enable Modern Authentication for Outlook 2013

Since Microsoft will soon start to turn off Basic Authentication for Exchange Online, you’ll have to enable Modern Authentication client-side if you still have some machines running Outlook 2013 and want them to connect to Office 365. This is quickly done by adding some registry keys. Modern authentication is already enabled by default in Office 2016 and later versions.

This process will activate the Modern Authentication workflow for all the apps included in Office 2013 (Outlook 2013, Excel 2013, Word 2013, OneNote, etc.), not just Outlook.

While this procedure will allow you (for now) to connect to Office 365, it is critical to remember that connection to Office 365 and Exchange Online via Office 2013 is not supported anymore. You should update to a newer and supported version soon, as things might stop working without notice.

To enable the feature, either open an elevated CMD and paste these commands in or add the entries manually via Registry Editor.

CMD:

reg add HKEY_CURRENT_USER\Software\Microsoft\Exchange /v "AlwaysUseMSOAuthForAutoDiscover" /t REG_DWORD /d 1 /f
reg add HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Common\Identity /v "EnableADAL" /t REG_DWORD /d 1 /f
reg add HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Common\Identity /v "Version" /t REG_DWORD /d 1 /f

REGISTRY EDITOR:

Path ValueTypeValue
HKEY_CURRENT_USER\Software\Microsoft\ExchangeAlwaysUseMSOAuthForAutoDiscoverREG_DWORD1
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Common\IdentityEnableADALREG_DWORD1
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Common\IdentityVersionREG_DWORD1

Restrict access to Azure Management apps – Azure AD

If we want to restrict access to the Azure management services for non-privileged users, we can now create a Conditional Access Policy that allows us to do so.

To create a Conditional Access Policy, we’ll need Azure Active Directory Plan 1 or higher, which is either bought standalone, or can be found most notably inside Microsoft 365 Business Premium, or the Microsoft 365 Enterprise plans (E3, E5)

On the other hand, if we just need to restrict access to Azure AD, we have the option to do so from the User Settings in the Azure AD portal:

User Settings | Azure AD

By creating the following Conditional Access Policy, we will restrict users from accessing these apps:

  • Azure portal
  • Azure Resource Manager provider
  • Classic deployment model APIs
  • Azure PowerShell
  • Azure CLI
  • Azure DevOps
  • Azure Data Factory portal
  • Azure Event Hubs
  • Azure Service Bus
  • Azure SQL Database
  • SQL Managed Instance
  • Azure Synapse
  • Visual Studio subscriptions administrator portal

First, open the following link, or go into your Conditional Access Policies:

Conditional Access Policies | Azure AD

Then, under “Users or workload identities“, select all users, and exclude the admin roles you currently use in your organization. You could also create a security group with all admin users as members and then exclude it from the policy.

Under “Cloud apps or actions”, click on “Selected apps”, then “Microsoft Azure Management“.

Finish up by selecting “Block access” under the Grant Access Controls.

From now on, all users except the admins will be blocked from accessing Azure management services.

Additional Context and Number Matching User Guide – MFA

I wanted to publish the following article, which is how I would notify my users of the upcoming activation of Additional Context and Number Matching in their MFA requests.

If instead you are looking for a guide on how to enable Additional Context and Number Matching, follow the guide linked below.

Feel free to use the message below as your own. The images are taken from a wonderful article by Tony Redmond. Please replace them with your own.

─────────────────────────────────────────────────────────

From [replace with activation date] forward, you will be asked to enter additional details in your MFA (Multi-factor authentication) prompts. 

On your PC screen, you will be presented with a number, and you will be asked to enter this same number inside of your MFA request on your phone to complete the approval.  

You will also get a map that will show the location where the request was made from. This must be taken as a general indication and it’s not always going to be your exact location, since Internet providers are not bound to route your connection from a point closest to you.  

Please deny and report immediately to the IT department if you receive a request that was not done by you, or you do not recognize the location you are being shown. 

PC Screen view and smartphone view 

                                                   

Find stale Enterprise Applications – Azure AD

If you just blocked users from registering applications, or you are just analyzing your Enterprise applications, you may find that there is a lot of work ahead of you.

First, you may want to find if there are applications with no user assigned. Then you may wonder if there are applications without sign-ins in the last 30 days.

To ease your work, you may find it useful to query all applications for these fields and get the output in a CSV.

This script is freely based on Ravenswood PoC code, with the intent of helping out and refining it a bit.

First, head to Enterprise Applications | AAD and click “Download (Export)”, then download the CSV.

This is done via the portal and not via PowerShell for practicality, since at the moment, to get the same exact filters (e.g. “Microsoft Applications”, “Enterprise Applications”, etc.) that you get on the portal, you would have to query Graph.

Then save this script:

	$AllApplications=Import-Csv .\EnterpriseAppsList.csv
	$applications=$allapplications | where {$_.applicationtype -ne "Microsoft application"}
	ForEach($Application in $Applications){ 
   #Retrieve the objectid and signin logs, format the user assigned to the app 
	$app=Get-AzureADServicePrincipal -all $true | where {$_.objectid -eq $application.id}
    $Log = Get-AzureADAuditSignInLogs -All $true -filter "appid eq '$($App.AppID)'" 

	$userassigned = Get-AzureADServiceAppRoleAssignment -ObjectId $App.ObjectId | Select ResourceDisplayName,PrincipalDisplayName
	$format=$userassigned.gettype()
	if($format.basetype.name -eq "Object"){ 
	$userassigned=[string]$userassigned	
	}
	

    #Create a custom object for output 

    [PSCustomObject]@{ 

        ApplicationName = $App.DisplayName 

        ApplicationID = $App.AppID 

        SignIns = $Log.count
	 
	Users = $userassigned.count
    } 
    Start-Sleep 5
}

And finally, launch it:

.\StaleApplicationAnalysis.ps1 | Export-csv StaleApplicationCleanup.csv

The output will be along these lines, with an additional column for the App ID:

If you happen to find any optimization, feel free to let me know, and I’ll update the post.

Microsoft Secure Score not updating

The Microsoft Secure score is a useful page to get an idea of the general improvement areas you should monitor and approach in your tenant.

When you make a change to reflect one of the improvement actions, you might have to wait up to 48 hours to get the points in the portal.

If you have waited the 48 hours (generally, it’s 24 hours, but the job might fail), check that the policies you created were configured as recommended in the “implementation” tab, then try the following.

First, check if there is some degradation with the service.

If there isn’t degradation, try changing the Conditional Access Policy (or the security policy you enabled) and see if the secure score catches up.

If it didn’t, or you are in a hurry, click on the recommended action, “Edit status & action plan”, and resolve the suggestion as risk accepted, then wait for the score to update. Once you see that the full points are awarded, revert the change. This procedure should “force” the sync to grant you full points, then change it with the actual value.

If the above failed, contact Microsoft Support and request a manual restart of the job.

Either that will solve it, or in some cases, just waiting a couple more days will fix it.

Teams Hardening guide step by step

This is a brief and introductory guide on what you may want to configure and change in a basic hardened Teams environment. However, you should consider that these are just general recommendations, and what works for a company may not be the best for another one. This is especially true when it comes to setting up collaboration services. Also, keep in mind that your Teams security is only as good as your identity security

It’s helpful to note that some companies require that users should not be able to create new teams, depending on your internal policies. This is done by limiting the creation of Microsoft 365 groups using the following setting: Groups – Microsoft Azure – Users can create Microsoft 365 groups in Azure portals, API or PowerShell. The same is also available via PowerShell in a more complete way. 

Before diving into the settings, you may consider the following, that will not be discussed further, but are non the less important:

  • You should already have a basic hardened Azure AD environment (or AD + AAD if you are in an hybrid scenario). Your Teams security will be only as good as your identity security. For example, if you don’t have MFA set up yet or you are not blocking legacy authentication protocols, you might be better off starting from there.
  • You should consider setting up retention and expiration policies for Teams, especially if you will let users create teams freely.
  • DLP and sensitivity labels should be created and applied.
  • You should monitor user activity often via the Teams portal.
  • Enhanced encryption policies should be evaluated on a company by company basis since it disables recording and transcription.
  • You should start using and configuring Cloud App Security
  • Live event policies should be evaluated based on whether your company uses them.
  • Voice settings should be evaluated on a customer by customer basis, depending on what you have to implement and your general infrastructure.

Follow along by opening the Teams Admin center and evaluating these settings.

Teams -> Teams settings:

  • Turn OFF all external file sharing and cloud file storage options in the Files tab if they are not company approved.
  • “Users can send emails to a channel email address” should be set to OFF, or only specified domains should be allowed
  • “Scope directory search using an Exchange address book policy” controls how users find and communicate with other people in their organization. This may help users out, but it’s not a “must set”.

Teams -> Teams Policies:

  • Consider creating new policies for more granular management. The settings could be left all on if no specific stricter need arises.

Teams -> Teams Update policies:

  • You may want to consider setting “Show Office Preview” as not enabled. This is, however, not critical.

Teams -> Teams Upgrade settings:

  • Coexistence mode should be set to Teams Only if you are not using Skype for Business.

Users -> Guest access:

  • “Make private calls” should be set to OFF since there is mostly no need for a guest to make calls “using” your tenant.
  • “Meet Now” should be set to OFF.
  • “Edit sent messages” should be set to OFF.
  • “Delete sent messages” should be set to OFF.
  • “Delete chat” should be set to OFF.

Users -> External access:

  • Here, you can either allow all external domains, allow only specific domains or only block specific ones. This setting is very dependent on your organization and your risk acceptance level. Most SMBs are blocking specific domains.
  • Allow users in my organization to communicate with Skype users should mostly be set to OFF. The same goes for “People in my organization can communicate with Teams users whose accounts aren’t managed by an organization”.

Teams apps -> Permission policies:

  • You either go for a restrictive global policy or create tailored policies later. Whatever is best for your use case.
  • Third-party apps should be set to Block all apps if you are not using any.
  • Custom apps should be set to Block all apps if you are not using any.

Meetings -> Meeting policies:

  • You either go for a restrictive global policy or create tailored policies later. Whatever is best for your use case.
  • “Let anonymous people join a meeting” should be set to OFF.
  • “Let anonymous people start a meeting” might be set to OFF.
  • “Who can present in meetings” should be set to “Organizers, but users can override”.
  • “Automatically admit people” should be set to “Invited users only”.
  • “Dial-in users can bypass the lobby” should be set to OFF.

Meetings ->Meeting settings:

  • Anonymous people can join a meeting should be set to OFF
  • Anonymous users can interact with apps in meetings should be set to OFF
  • “Insert Quality of Service (QoS) markers for real-time media traffic” is usually set to ON. Not a deal-breaker, but it’s sometimes helpful to get insights.

Meetings -> Messaging policies

  • Owners can delete sent messages should be set to OFF if you don’t need moderation in Teams.
  • Delete sent messages may be set to OFF, if the need arises.
  • Delete chat should mostly be set to OFF.
  • Edit sent messages may be set to OFF, if the need arises.
  • Read may be set to “Turned on for everyone”, but it’s not a priority.
  • Giphy content rating should be set to “Moderate”.

You should set rules under “Notifications & alerts”, as they are more free insights that you get.

If you use Skype for Business, you may want to configure the policies found under Other settings -> Skype for Business.

Unblock at-risk user – Azure AD

If a user can’t access your tenant and forwards the following message to you, here are the steps on how you can solve it.

Your account is blocked

We’ve detected suspicious activity on your account.

Sorry, the organization you are trying to access restricts at-risk users. Please contact your admin.

The unblock is done by either resetting the user password or clearing the user risk once you have assessed that the risk is resolved.

  • If you have AAD Premium P2 (you can check it on the overview page of Azure AD), remediate the user risk by following this link Identity Protection | Risky users. A password reset is usually suggested and will also clear the user’s risk.
  • If you do not have AAD Premium P2, you can reset the user’s password or let them do it by themselves by using Self Service Password Reset (SSPR) if you have configured it. Alternatively, you can also go on this page, and ignore the user risk, once you have assessed that everything is resolved: AAD Risky Users. All these methods will clear the user risk.

Allow 10 – 15 minutes before the user can access again without getting the error reported above.

How to check which Conditional Access Policy is blocking a user log-in – Azure AD

If you have Conditional Access Policies in place to block certain log-ins, you might get that a user will contact you because their sign-in request is being blocked. Probably both you and the user don’t know which policy is making the log-in fail, since it’s not specified in the error message.

The usual error message is something along the lines of: “Your sign-in was successful, but does not meet the criteria to access this resource. For example, you might be signing in from a browser, app or location that is restricted by your admin.” and the standard error code is “BlockedByConditionalAccess” error 53003

To get more details:

  • Click on the failed log-in request
  • Click on “Conditional Access
  • The Policies that have as a result “Failure” and “Grant Controls” set on “Block” are the ones blocking the user.

User blocked due to risk on home tenant – Azure AD

If you just enabled Azure AD Identity Protection for your entire tenant, you might get some complaints from guest users, saying that their sign-in was blocked.

If you got a similar issue, but the user is not a guest but a member of your organization, follow this guide Unblock at-risk users – Azure AD.

You cannot remediate the user risk of a guest. If you try to look for a guest user in Identity Protection | Risky users, you won’t find any.

The user risk is calculated in the “home” tenant, where your user was created, not in the tenant you have guest access / are trying to access. This is also done so that the system may have more insights into user behaviour to calculate the risk.

Now going forward, there are two ways of solving this issue:

  • If the home tenant administrators have AAD Premium P2, they can remediate the user risk by following this link Identity Protection | Risky users. A password reset is usually suggested and will also clear the user’s risk.
  • If they do not have AAD Premium P2, they can reset the user’s password or let the user do it by themselves by using Self Service Password Reset (SSPR), if configured. Alternatively, they can also go on this page, and ignore the user risk, once you have assessed that everything is resolved: AAD Risky Users. All these methods will clear the user risk.

Of course, if you wish, you may disable the user risk policy for guests. This is done by creating a dynamic group in Azure AD containing all the guest (Dynamic security group with a dynamic query of usertype equals guest) and excluding it from the policy.

Enable idle session timeout for Microsoft 365

In the last few days, Microsoft implemented a timeout feature for the Microsoft 365 portal and the Office web apps. The aim is to disconnect a user if no activity is received. This will go on to become a global setting: “Idle session timeout for Microsoft 365 web apps will eventually replace current idle timeout settings in Outlook Web App (OWA) and SharePoint Online (SPO)”. This feature is not tab specific, so if you interact with Word (web app), you won’t be signed out from Outlook (web) that you have open in another tab.

You can check out the roadmap here:

Office App: Idle session timeout for Microsoft 365 web apps

I’ve noticed some inconsistencies in the practical application, which will be probably ironed out during the next months.

To enable this feature, open the following link, or go to Settings -> Org setting -> Security & privacy -> Idle session timeout (Preview).

Idle session timeout (Preview)

Click on “Turn on to set the period of inactivity for users to be signed off of Office web apps”, then set the timeout period and click “Save”.

Once you are done, users will get the following prompt if they do not interact with the Office tabs for the configured period.

There is no way of removing the “Stay signed in” option for now, which lets the user keep the sessions from disconnecting.

The GA is expected by June 2022.

Outlook requires app password for connecting to Exchange Online

Even if most people use modern authentication for connecting with Exchange Online, some users still have to use app passwords to enable connections from Outlook.

For tenants created after August 2017, modern authentication is enabled by default, but some admins have it turned off.

To enable modern authentication for Exchange Online, follow these steps:

  • Let all the basic authentication protocols selected.
  • Click “Save“.

You should aim to disable all the basic authentication protocols as soon as possible.

To enable modern authentication on Outlook 2013, click on the following guide:

Enable Modern Authentication for Office 2013 on Windows devices

Apple Mail not working after disabling Legacy Authentication – Exchange Online

If just enabled a Conditional Access Policy blocking legacy authentication to Exchange Online, enabled Security Defaults, or Microsoft disabled it for your tenant, you might see some Apple Mail clients not connecting anymore.

This issue is happening because the profile might be still configured to use Exchange ActiveSync to connect to Exchange Online, and EAS (along with other legacy protocols) will be retired in October 2022.

Apple supports an automatic switch to modern authentication for its profiles, but only if it was freshly configured after iOS 12.

Unfortunately, it seems that backing up and restoring profiles does not trigger the switch to modern auth, so if you moved to a new iPhone and didn’t reconfigure the profile manually, you’ll need to remove and recreate it.

UPDATE 16.06.2022:

Apple will add support for the automatic migration to modern auth in iOS 15.6. Once you update your Apple device, the Mail app will use the saved credentials to establish a new authentication flow. From that moment onward, you’ll authenticate to Azure AD (Microsoft online Identity Provider) and get a new OAuth access token. The “old” stored credentials will then be removed. The process is fully transparent to users.

Read the full announcement here: Microsoft and Apple Working Together to Improve Exchange Online Security

Scan now is greyed-out in Azure Information Protection – AIP

If you just installed the Azure Information Protection on-premises scanner and you are trying to start your first Content Scan Job, you might get that the button “Scan now” is greyed out.

Before attempting to troubleshoot, check that you selected the job below. If you did, try restarting the service “Azure Information Protection Scanner” on the SQL server and refreshing the Azure Content scan job page.

If you still cannot start the scan, try executing the following command on the SQL server, and insert the credentials of the service account:

$scanner_account_creds= Get-Credential
Start-AIPScannerDiagnostics -onbehalf $scanner_account_creds -Verbose -VerboseErrorCount 50

For further information refer to the following articles:

Troubleshooting your unified labeling on-premises scanner deployment

Start-AIPScannerDiagnostics

Enable number matching and additional context with Microsoft Authenticator – Azure AD

It’s been long since Microsoft released number matching and additional context for the Microsoft Authenticator. These features allow you to quickly improve your passwordless or MFA approach, adding a new layer of security and preventing accidental approvals. This is also useful to lower the chances of being compromised by MFA fatigue attacks.

To enable these features follow this link, which will guide you into Azure AD, Security, then Authentication methods:

Authentication methods | AAD

From here, click “Microsoft Authenticator“.

Click “Yes” under “ENABLE“, then on “Configure“.

Be sure to activate “Require number matching for push notifications (Preview)“, “Show application name in push and passwordless notifications (Preview)” and “Show application name in push and passwordless notifications (Preview)“, then save. You can also scope the features to a selected group of users if you want to test them out.

Check out this article if you are looking for a guide to send out to users before rolling out the features:

Additional Context and Number Matching User Guide – MFA

Automatically apply Sensitivity Labels to files and libraries – Microsoft Pureview

There are a couple of ways to enable an automatic classification of files in SharePoint. The first one, more complete from a customization point of view, is to use a File Policy in Defender for Cloud Apps. The second one (the newer and less recommended one, to be fully released Q3/Q4 2022) is to use a Default Sensitivity Label in SharePoint Online.

If you are looking at how to enable file monitoring and file policies, follow this guide:

File Policy in Defender for Cloud Apps

To create a policy that automatically matches and labels files in the root folder and the subfolders, follow the steps below:

  • Open the MDCA portal.
  • Create a new file policy.
  • Create a broad filter. I’ve set it as “App equals SharePoint Online” for this example.
  • Under “Apply to”, specify the root folder where the policy should start to apply.
  • Apply the governance action “Apply sensitivity label”, and select your label. Check the box below if you wish MDCA to override all user-defined labels. This will override older labels set on docs in the site and new ones defined at document creation.
  • Save the policy

Suppose you would like a policy to automatically apply labels to all the files and subfolders recursively from a root folder onward in SharePoint or OneDrive. In that case, you might think you can use the “Files matching all of the following” filter. Unfortunately, this won’t work, as it will not match recursively on the files contained in the subfolders.

Default Sensitivity labels in Sharepoint Online

Once you enable SharePoint to process labels, you can configure a default label for document libraries. This will ensure that any new or newly modified files get the specified label.

The feature will not apply to documents not opened since setting the default label or if the file has a higher priority label applied. Therefore, I would recommend, for the moment, using PowerShell or MDCA (as shown above) before setting the default label.

The feature will also not work if you have “User access to content expires” set anything other than Never or if you use Double Key Encryption.

Also, please note that PDFs are not currently getting labelled using this method, but I expect this to change before Q4 2022. Please refer to the docs for further updates, depending on when you are reading this:

Configure a default sensitivity label for a SharePoint document library | MS Docs

Here you can find a cool summarization table, taken from the official Docs:

Existing labelOverride with library default label
Manually applied, any priorityNo
Automatically applied, lower priorityYes
Automatically applied, higher priorityNo
Default label from policy, lower priorityYes
Default label from policy, higher priorityNo

If you wish to enable this feature:

  • Go to Information Protection | Pureview
  • Click on Labels, then “Turn on now” under “Your organization has not turned on the ability to process content in Office online files that have encrypted sensitivity labels applied and are stored in OneDrive and SharePoint. You can turn on here, but note that additional configuration is required for Multi-Geo environments.”
  • Open your SP document library, then on the top right corner click settings (the “gear” icon), then “Library settings“.
  • Select your default label, then click “Save“.

Allow some time between enabling the feature and looking for the library setting, as you probably won’t find the feature right away; you’ll have to wait up to 24 hours.

How to download the disk of an Azure VM – Azure

Since Azure introduced the option to download the OS disk of a VM directly, you don’t need anymore to traffic around to download the unmanaged disk (or go with the snapshot route).
Here are some easy steps to directly download the disk of your Windows / Linux VM.
Please note that a Sysprep is advised if you need to use the disk as a template to create new VMs.

  • Go to the VM, and stop it.
  • Click on “Disks” then on he OS Disk.
  • Click on “Disk Export“, then in the field, enter a higher number (es. 30600) so that you have plenty of time to download the disk. Once done, click “Generate URL“.
  • Click on “Download the VHD file

ResourceNotTopLevel error when trying to move resources – Azure

When you transfer Azure resources between subscriptions, you might get the following error: “ResourceNotTopLevel“.

This is caused by the fact that you only have to select top-level resources for the move, and the dependencies will be moved automatically.

For example, say you selected both a Network Watcher Extension and the relative VM you want to move. You will just need to move the VM object, and the extension will come with the server.

Example of an error code:


{
                "code": "ResourceNotTopLevel",
                "message": "Identifier '/subscriptions/0000000000000000000/resourceGroups/MoveResource/providers/Microsoft.Compute/virtualMachines/VMtobeMoved/extensions/AzureNetworkWatcherExtension' is not a top level resource. Please include only the top-level resource for this child resource in the move request. A child resource would be moved along with its associated top-level resource.\""
            }

From the error code, you’ll get that you just have to move the following resource, being the top-level one:

/subscriptions/0000000000000000000/resourceGroups/MoveResource/providers/Microsoft.Compute/virtualMachines/VMtobeMoved

It’s good to remember that if dependent resources are distributed across different resource groups, you’ll first have to move them into one resource group and then attempt the migration.

Automatically clean up inactive Guest users – Azure AD

Using Azure AD Access Reviews (available with AAD P2), you can automatically remove users from your tenant who haven’t had access in a specified number of days. In this guide, we will implement the access review step by step.

This is a great way to clean up your tenant automatically and can be scheduled.

WARNING: The procedure used to clean up only users who didn’t have access in the last 30 days. This has now been expanded to support a variable number of days (ex. 60, 90, etc).

As a prerequisite, you’ll need to create a dynamic group in AAD, which will contain all guest users who can log in to the tenant:

  • To create the group, go to AAD Groups, then click on “New Group”.
  • Select Group Type as “Security“, give the group a name, and select “Membership type” as “Dynamic User“.
  • Under “Dynamic user members”, click on “Add dynamic query“.
  • The query you will want to create is:
 (user.userType -eq "Guest") and (user.accountEnabled -eq true)

You can create this group also using Powershell, and pasting this command after installing the Graph module.

Import-Module Microsoft.Graph.Groups

$params = @{
	DisplayName = "Guest_review_dynamicgroup"
	MailEnabled = $false
	MailNickname = "fb7kk308-6"
	SecurityEnabled = $true
	Description = "Group used for the automatic guest removal process"
	GroupTypes = @(
		"DynamicMembership"
	)
	MembershipRule = "(user.userType -eq "Guest") and (user.accountEnabled -eq true)"
	MembershipRuleProcessingState = "On"
}

New-MgGroup -BodyParameter $params

The accountEnabled attribute lets you filter for users who can log in. Since the access review will deactivate the account for 30 days before deleting it permanently, this way we’ll filter only for the guest users active in the tenant and not the ones ready to be automatically deleted.

  • Once done, click on “Create”.

To create the access review, open this link, then follow the steps listed below:

Identity Governance | Access Reviews

  • Click on “New access review“.
  • Select “Teams + Groups” under “Select what to review”, “Select Teams + groups” under “Select review scope”, under “Group” enter your group, then click on “Guest users only” under “Scope”.
  • You can then filter only for the guest that did not had access in a specified number of days. This is accomplished using this part of the wizard:
  • Click on Next, and under “Select reviewers”, click on “Selected user(s) or group(s)“. The person or people that will manually review the users to delete should be selected just below. If not needed, insert an admin and go ahead. I always give at least 3 to 5 days for the reviewers to check if somebody should not be blocked or deleted. If some guest user should always be excluded from the review, you can add an exclusion in the AAD Group membership rules.
  • In the last paragraph, you’ll want to select auto-apply results to make the automation work. Under “If reviewers don’t respond”, choose “Take recommendations“. The recommendations will be based on whether the user has logged in recently or not. There are no other recommendations that I am aware of at this moment. Under “Action to apply on denied guest users”, select “Block user from signing-in for 30 days, then remove user from the tenant“. Be sure that “No sign-in within 30 days” is selected as reviewer decision helper, as per the image below.
  • If you want this to be fully automated, deselect “Justification required”.
  • Once done, click on “Review + create”, give the review a name and click on “Create”.

Now you will automatically have the guest users who haven’t logged in in the specified number of days blocked. After 30 days, the blocked user will be removed from the tenant.

Enable Unified Audit Logs – Office 365

Unified Audit Log is one of the essential features for tracking down every action done across the tenant.

The logs are kept for 90 days by default, but you can extend them using special addons.

If you want to check whether the logging is enabled on your tenant, connect to Exchange Online with PowerShell. Once connected, you can check the status.

Install-Module ExchangeOnlineManagement
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName yourupn@domain.com
Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled

If you get “True” as a result, the logging is enabled. If you get “False”, follow the steps below to enable it:

PowerShell way:

Using the PS tab, you opened before to check the Audit Log status, send the following command:

Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

You might be asked to run “Enable-OrganizationCustomization” before relaunching the command. You must wait 30 to 60 minutes after sending “Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true” to see it enabled in the portal.

Portal way:

Go to https://compliance.microsoft.com/, then click on “Audit” on the left pane. When you get to the page, click on “Start recording user and admin activity“, then check the status after 30-60 minutes. If it fails, try with PowerShell.

Cancel downloaded updates in Windows Server

If the server has downloaded automatically an update (such as the SharePoint ones), which you don’t want to install, try following these steps to delete the queue:

  • Open an elevated PowerShell, then run the following command
Stop-Service -Name "wuauserv"
  • Open an elevated PowerShell, then run the following commands to make a backup of the folders we’re going to delete.
cd C:\

'backupwinupdate', 'backupdatastore' | %{New-Item -Name "$_" -ItemType "Directory"}

Copy-Item -Path "C:\Windows\SoftwareDistribution\Download" -Destination "C:\backupwinupdate" -Recurse
Copy-Item -Path "C:\Windows\SoftwareDistribution\DataStore" -Destination "C:\backupdatastore" -Recurse
  • Check that the backup has been created, then proceed to delete the content of the original folders:
Get-ChildItem -Path C:\Windows\SoftwareDistribution\Download” -Include * -File -Recurse | foreach { $_.Delete()}
Get-ChildItem -Path C:\Windows\SoftwareDistribution\DataStore” -Include * -File -Recurse | foreach { $_.Delete()}
  • After clearing the content, you can proceed to start Windows Update:
Start-Service -Name "wuauserv"

You’ll need to reboot at the end of this procedure.

Be sure to clean up the backup folders C:\backupwinupdate and C:\backupdatastore