Blogs

Microsoft Defender for Identity Service fails to start, event error 1067

After an upgrade to new Domain Controllers, the MDI sensor fails to start after a reboot on the new Domain Controllers. The service is stuck in the starting state both in the Security portal and under Services on each device. The new servers were members of the group that gives the Group Managed Account permissions to…

Sentinel – Configure playbook to isolate Machine

Description: In this blog I will walk through the basic configuration of a playbook that isolates a machine onboarded to Defender for Endpoint. This operation can also be done from the Defender Security Portal without using Sentinel. To be able to complete this setup you will need to have Microsoft Defender…

How to configure Defender for Endpoint with local GPO

In some cases you will need to configure Defender for Endpoint without the cloud support of Intune. This guide will help you get a local GPO in place. Prerequisites: Start by creating a GPO. If you do not see Computer Configuration > Policies > Administrative Templates: Policy definitions > Windows Components > Microsoft Defender Antivirus…

Defender for Identity check connectivity

Before you start the installation of the MDI sensor, it’s a good idea to check that the server that will run the service can connect to Azure. This can easily be done with PowerShell from the server you will install on. For the tenant name, just change the value to the name you have…

Microsoft365DSC – Export config

Prerequisites: To run Microsoft365DSC, start by installing the PowerShell module. To get all the modules needed, you can run the command and just add the scope you will use with your DSC command. If you just installed the module, don’t forget to run Import-Module Microsoft365DSC. Certificate: Next up is to create a…

gMSA Action Account issues MDI

After the Action Account is configured for Defender for Identity, an issue occurs when any action is performed that executes tasks in on-premises Active Directory. For example, if I try to disable an account I just get an error: “There was no manage action account configured for the target user’s domain. For more information, see…

Configure Intune policies to win over AD GPO

If you have a device joined to a local Active Directory that is also managed by Intune, the local GPO will win over Intune when the two configure the same setting differently. When you move to a cloud-first strategy it can be a good idea to switch so that Intune wins when settings are…

Cannot access Microsoft Defender Connector in Sentinel

I had issues in my lab environment where I could not access the settings for the Defender for Microsoft 365 connector. I was just asked to log in again, with error AADSTS50131. I looked for risky users in the Identity Protection portal, and the account was listed with a medium risk. I looked and all policies were…

YubiKey factory reset when you need a new configuration

When you need to start from scratch with your YubiKey, a factory reset is the solution. To manage the YubiKey you can download YubiKey Manager. Once you have installed the software it will find your attached YubiKey device. From here you can manage and see all information about your YubiKey. In my case I have done a…

Azure AD Cloud Sync – The Basics

Overview: In this blog I will describe the basic functionality of Azure AD Cloud Sync. I might update and extend this blog as I evaluate more features of Cloud Sync. The biggest limitation of Cloud Sync today is The great benefit of Cloud Sync is that if we run disconnected AD forests we can sync…

Export Last user sign-in with MGGraph PowerShell

MGGraph is a must-have in the toolbox when working with Azure AD. It can for example be used to see the activity of guest accounts. Install and connect MGGraph: First you need to install the PowerShell module that provides the commands. The prerequisites are better described by Microsoft here. Start PowerShell and run:…

SSO for Azure AD now integrated in Firefox

Mozilla Firefox now has a setting to support sign-in with a Microsoft work or school account. This is great news since it also means that we can now sign in and get the benefits of Conditional Access policies using the Firefox browser. It takes advantage of the work or school account registered in Windows. I have tested…

Azure AD Connect Version 2.0.X, my thoughts

Just arrived back from vacation and now it’s time to get to know our new friend AD Connect Version 2. I started by reading the Microsoft documentation and want to pinpoint the differences: requires Windows Server 2016 or later; uses LocalDB components of SQL 2019; uses TLS 1.2, which is required for installation. You can use “Set-ADSyncToolsTls12”…

Configure FIDO2 for Firstline workers with Temporary Access Pass

Finally Microsoft has released the public preview of Temporary Access Pass. Why is that so important? For all Firstline workers without a mobile device it’s hard to configure MFA (Multi-Factor Authentication). They need assistance from IT support to set up a FIDO2 security key. With TAP (Temporary Access Pass) it’s now possible to configure a passcode for new…

Updated Authentication Methods API in Public Preview

Microsoft is now releasing new features for the Authentication Methods API. One of the most missed components was Application Permissions, which are now in Public Preview. What does Application support mean? You can connect and change sign-in methods for all users. Before, only delegated permission was an option, and then you needed to sign in with each…

Remove a User from All Teams with PowerShell in Azure Automation

I did a simple script for a case where disabled user accounts are kept for some time. The case was to remove these users from all memberships in Microsoft Teams. An extension attribute is used for all accounts that are in this disabled state: ExtensionAttribute7 = “Sleep”. To be able to run this script you…

Password policy for hybrid identity

When setting up Azure AD Connect and synchronizing identities to Azure AD, we have two different password policies to take care of. In local Active Directory we have a policy for local accounts, and if a user is synchronized to Azure AD they still use the local password policy by default. In Azure AD…

Block external e-mail forward in Power Automate (Flow)

I have a case where a company had issues with users starting to forward e-mail with Power Automate even though external forwarding is blocked in Exchange. This issue can occur even if the user does not have a Power Automate license, since they can still initiate the service themselves. To make this more usable we…

Connect Azure Automation Runbook script with service principal for AzureAD

We are all working to get rid of service accounts without MFA. One step forward is to use a service principal with permissions and then connect with it. In this article I will guide you through how to set up this solution to connect with AzureAD PowerShell. Start PowerShell as administrator on your computer. Update the password (“pwd” in the…

Prohibit upload sensitive data in Microsoft 365

I get many questions from customers who want to block upload of confidential data in Microsoft 365. Is it possible to block that? The answer is yes, if you have access to both Conditional Access (CA) and Microsoft Cloud App Security (MCAS). In CA you need to enable the “Use Conditional Access App Control”…

Login to Teams webclient is blocked

I had an issue where it was not possible to log in to the Teams web client. It just generated an error telling the user to contact their administrator: AADSTS7000112: Application ‘id’ (Microsoft Teams Web Client) is disabled. To fix this issue we can go to portal.azure.com and sign in. Select Azure Active Directory -> Enterprise Apps and do…

Remove AD Forest from AD Connect

I was going to remove an AD Forest from AD Connect and took for granted that this would be an easy operation to do from within the AD Connect wizard. I realized that it is only possible to add AD forests. I then thought that miisclient would be the place to do this. There is…

Enable Azure ATP and integrate to Microsoft Cloud App Security

Azure Advanced Threat Protection (ATP) is a cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. With all these signals integrated into Cloud App Security it’s possible to create alerts and actions on them. If…

Export Azure AD last logon with PowerShell Graph API

In local Active Directory we have the possibility to export the last logon for each user, but in Azure AD we didn’t have that attribute before. It is now available in Microsoft Graph beta. There are still limitations in Graph queries for filtering the data, so the best recommendation is to export the data with PowerShell…

Administrative Units get a graphical interface

Finally we have an interface for Administrative Units. I have been in the private preview for a while now and tested this interface with customers. There are always things I would like to see improved, but it is a very good start. If you hope that you can leave PowerShell behind for now, then the answer is no. We…

FIDO2 security keys (passwordless) in hybrid environment

Everyone knows that passwords are weak today and passwordless is around the corner for every enterprise company. With FIDO2 it is now possible to sign in to a Windows 10 hybrid-joined device. We don’t need any MFA or a complex password anymore, just a key that you bring with you. FIDO2 is based on…

Configure Hybrid Azure AD joined with AD Connect

This method is suitable for hybrid organizations with existing on-premises AD infrastructure. It is also a requirement for other solutions such as Co-Management, passwordless sign-in, etc. Start the AD Connect configuration wizard. Select Configure device options. Select Configure Hybrid Azure AD join. Choose Windows 10 or later if that is all you have. All Windows down-level devices require…

Configure SSO with Office 365

In Azure there are a lot of Single Sign-On (SSO) options. Many early cloud adopters use ADFS because SSO was not part of AD Connect at the beginning. Today we have more than one solution to choose from. Active Directory Federation Services (ADFS): This is an on-premises solution that is important if…

When to use Security Defaults or Conditional Access?

Azure AD Security Defaults is a protection that is enabled in all new tenants. It was created to raise the security baseline in Microsoft 365. When Security Defaults is enabled you are not able to use Conditional Access. If you want better control and to choose the rules yourself, the Conditional…

Azure Automation Credentials, auto-rollover

In this blog I will describe an easy way to roll over credentials in your Azure Automation Credential key vault. In this example we use a Global Admin account. When you set up service accounts you should always use “least privilege permissions”. This can be combined with Administrative Units or even a model where you use a secured…

Update Exchange Online connection in Azure Automation to support Modern Authentication

Update your Automation runbooks running Exchange Online to Modern Authentication. The final date for running Basic Authentication on Exchange Online is coming fast. Have you updated all your runbooks against Exchange Online so they no longer use Basic Authentication? If not, it’s highly recommended to start the work ASAP. In this blog I will describe how easy…

Get started with Azure AD Identity Protection

A first look at a customer can be like the picture below: a lot of risky users to take care of. Before you activate Microsoft Azure AD Identity Protection there are some necessary steps that need to be configured. What settings can you configure in Identity Protection? User risk policy, sign-in risk policy, MFA registration…

Use Azure AD dynamic groups based on ServicePlanId

Azure AD Dynamic Groups are not something new. We have had them in Exchange for a long time, but we are also able to use them in Azure Active Directory with the Azure AD Premium P1 license. Why should we use dynamic groups instead of static groups? In this post I will give you some examples…

Look for Teams with Guests

When rolling out classifications on Teams in an existing environment it can be good to know how many Teams already have guest users invited. To gather this information I put together a simple PowerShell script. Running this script requires that you install the Microsoft Teams PowerShell module. I hope this will help you in your…

Part 3: Conditional Access block legacy authentication

Microsoft has announced that “End of support for Basic Authentication access to Exchange Online API’s for Office 365 customers” is October 13th, 2020. Basic Authentication for Exchange ActiveSync (EAS), Post Office Protocol (POP), Internet Message Access Protocol (IMAP), and Remote PowerShell (RPS) in Exchange Online is affected. SMTP AUTH with Basic Authentication will not be affected. It’s…

Part 2: Conditional Access Azure Monitor Log Analytics workspace

Why should we store logs in a Log Analytics workspace? There can be more than one answer. I will guide you through how to set it up and share some of the benefits. The picture above shows the standard workbooks you can see. You can dig into each of the workbooks to investigate more information. Let’s open…

Part 1: Conditional Access Report-only

Conditional Access uses rules to secure users and applications at sign-in to Azure AD. New features are released regularly and some are still in preview. One of the features is Report-only, which is very powerful for getting started with Conditional Access in an existing environment. Instead of creating rules that block traffic…

Create Azure EA Subscription with PowerShell

Create EA subscription with PowerShell: First I configure Visual Studio Code to work together with Azure Cloud Shell. To begin we have 2 prerequisites: install node.js (https://nodejs.org/en), and install the Visual Studio Code Azure Account extension from within the application. You can now press CTRL+SHIFT+P from within Visual Studio Code; this should present you with the option to…

How to configure advanced settings of a sensitivity label policy with PowerShell

As Microsoft moves more and more settings from the Azure portal to the Office 365 SCC portal, not all settings are available in the GUI anymore. We need to use PowerShell to use these settings. And not only PowerShell: we also need the real Unified Labeling client installed on Windows. What kind of settings do we…

Configure Domain in Office 365 and Azure with PowerShell

I often set up a lab environment in an Azure subscription combined with a trial for Microsoft 365 E5 licensing. One of the most boring tasks is to manually configure DNS in Azure for the domain. To solve this, I put together a PowerShell script to set up the domain automatically. This script requires you to install 2 PowerShell…
