Living HI Tech

Set-OrganizationConfig -OAuth2ClientProfileEnabled $True

-OAuth2ClientProfileEnabled

The OAuth2ClientProfileEnabled parameter enables or disables modern authentication in the Exchange organization. Valid values are:

$true: modern authentication is enabled.

$false: modern authentication is disabled.

modern authentication is based on the Active Directory Authentication Library (ADAL) and OAuth 2.0, and enables authentication features like multi-factor authentication (MFA), certificate-based authentication (CBA), and third-party SAML identity providers.

When you enable modern authentication in Exchange Online, we recommend that you also enable it in Skype for Business Online. For more information, see Skype for Business Online: Enable your tenant for modern authentication.

Type:Boolean

Position:Named

Default value:True

Accept pipeline input:False

Accept wildcard characters:False

Applies to:Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Online

https://docs.microsoft.com/en-us/powershell/module/exchange/set-organizationconfig?view=exchange-ps

https://social.technet.microsoft.com/wiki/contents/articles/34339.skype-for-business-online-enable-your-tenant-for-modern-authentication.aspx

M365 Learn Security Recommendations

Legacy authentication is an easy target for hackers. Figure out who is using it and then take action to transition away from legacy authentication. Before you can block legacy authentication in your directory, you need to first understand if your users have apps that use legacy authentication and how it affects your overall directory. Azure AD sign-in logs can be used to determine if you're using legacy authentication.

Navigate to the Azure portal > Azure Active Directory > Sign-ins.

Add the Client App column if it is not shown by clicking on Columns > Client App. 

Filter by Client App > check all the Legacy Authentication Clients options presented.

Filter by Status > Success.

Filtering will only show you successful sign-on attempts that were made by the selected legacy authentication protocols. Clicking on each individual sign-on attempt will show you additional details. The Client App column or the Client App field under the Basic Info tab after selecting an individual row of data indicates which legacy authentication protocol was used. These logs indicate which users are still depending on legacy authentication and which applications are using legacy protocols to make authentication requests. For users that do not appear in these logs and are confirmed to be not using legacy authentication, implement a Conditional Access policy: block legacy authentication for these users only.

To create a Conditional Access policy to block legacy authentication, perform the following steps:

Create a new Conditional Access policy.

Target the users and groups who can be blocked. NOTE: Apply this policy to a subset of users to test and make sure the policy behaves as expected.

Select All Cloud apps.

Under Conditions, select Client apps (preview), set Configure to Yes, and check only the boxes Mobile apps and desktop clients > Other clients.

Finally, under Access controls, select Grant > Block.

You should enable this policy as Report-only first, so you can learn which users are using legacy authentication.  

Once you have a better idea who is using legacy authentication in your directory and which applications depend on it, the next step is upgrading your users to modern authentication. The following steps provide an overview of the path to modern authentication:

Enable modern authentication. Modern authentication is enabled by default for directories created on or after August 1, 2017. If your directory was created prior to this date, you'll need to manually enable modern authentication for your directory using PowerShell. For organizations actively using basic authentication for Exchange Online, be aware that basic authentication will be disabled for all tenants in the second half of 2021.

The following PowerShell commands can be used to enable modern authentication:

- Exchange Online:

 Set-OrganizationConfig -OAuth2ClientProfileEnabled $True

- Skype for Business Online:

 Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed

Update applications. Once you have enabled modern authentication in your directory, you can start updating applications by enabling modern authentication for Office clients. Office 2016 or later clients support modern authentication by default. No extra steps are required.

For Office 2013, the following registry keys are required:

HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\EnableADAL

Type REG_DWORD

Value 1

HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\Version

Type REG_DWORD

Value 1

Enable Exchange Online modern authentication. In order for Windows-based Outlook clients to use modern authentication, Exchange Online must be modern authentication-enabled as well. If modern authentication is disabled for Exchange Online, Windows-based Outlook clients that support modern authentication (Outlook 2013 or later) will use basic authentication to connect to Exchange Online mailboxes.

SharePoint Online is enabled for modern authentication default. For directories created after August 1, 2017, modern authentication is enabled by default in Exchange Online. However, if you had previously disabled modern authentication or if you are using a directory created prior to this date, you will need to manually enable modern authentication.

Enable Skype for Business Online modern authentication. To prevent legacy authentication requests made by Skype for Business, it's necessary to enable modern authentication for Skype for Business Online. For directories created after August 1, 2017, modern authentication for Skype for Business is enabled by default. We suggest you transition to Microsoft Teams, which supports modern authentication by default.

Our SPO developer wanted to add the content editor web part and script editor web part. He sent me a link to enable these web parts. 

https://global-sharepoint.com/sharepoint-online/how-to-enable-script-editor-web-part-in-sharepoint-online-site/

The PowerShell script provided doesn’t account for MFA. So, I tweaked it based on a previous OneDrive script I tweaked. Here’s the MFA version: 

#this is a script to add the content web part and script editor web part to an SPO site.

#connect to SPO admin site, it will prompt to MFA Connect-SPOService -Url https://yourdomain-admin.sharepoint.com/

#change SPOsite to the url you are adding the web parts to Set-SPOsite "https://domain.sharepoint.com/sites/sitename" -DenyAddAndCustomizePages 0

Just a quick note...

SharePoint Online has a Records Center, Compliance Policy Center and Document Center

We are currently looking into how to set this up and apply it to our content. 

First things first, we need to determine requirements to configure in these centers...

what we’re investigating is data labels, document retention, e-discovery (hold), and audits. 

we had a user who works remotely and was having trouble with dropped meetings in teams. The problem was she was too far from her router so her wifi signal was weak. This showed up as long round trip packet time, long jitter rate (ideally below 20ms) and dropped packets at a high rate of 30%.  We used the Skype for Business Network Assessment tool to test user's network connectivity. This will tell you the jitter rate, packet loss rate. We also used the Teams Admin console in Office 365 admin portal to check the Advanced call history and it also shows us the same rates. But the tool is for instant assessment of the network.  https://www.microsoft.com/en-us/download/details.aspx?id=53885  please see reply for article on how to use the tool. 

In this article, it tells you the metrics for good connection. Also want to note that by default, it installs in C:\Program FIles(86x)\Micorsoft Skype for Business Network Assessment Tool (or something like that) so when you use CMD, you'll need to use the command "cd network path to assessmenttool.exe" to run the tool. It is not an executable file that launches an app. https://blogs.technet.microsoft.com/skypehybridguy/2017/08/11/assess-your-networks-readiness-for-skype-for-business-online/

Here’s a script that will dump out a list of Microsoft Teams owners’ email. Useful if you want to send emails to all Teams owners. You’ll have to do some cleaning after, of course. 

# Log into Teams Connect-MicrosoftTeams

# Retrieve all Teams Write-Verbose "Getting Teams" $teams = Get-Team

Write-Host "Teams Count is $($teams.count)`r`n"

$Owners = "" $i = 0

$teams | ForEach-Object {

   Write-host "Getting owners for Team $($_.DisplayName)"

   # Get owners    $TeamOwners = Get-TeamUser -GroupId $_.GroupID -Role Owner

   # Display owners of current team    Write-host $TeamOwners.User"`n"

   Write-host $i

   # Build list of all owners                    If ($i -eq 0) {        $Owners += $TeamOwners.User    } Else {        $Owners += " " + $TeamOwners.User    }

   $i += 1

}

# Display semi-colon delimited list of all owners Write-host "All owners:`n"$Owners.Replace(" ", ";")

NOTES:

If you haven’t run PowerShell against Teams before, there are a few things you’ll need to do in advance:

First, install the PowerShell Module for Teams on your local machine from Microsoft's PowerShell Gallery using this command:

Install-Module -Name MicrosoftTeams

You may be prompted to install the package manager NuGet which is used to load any dependencies.  Click Yes to do this and proceed with the installation.

By default, PowerShell’s execution policy is set to "Restricted".  If you haven't used PowerShell much you may need to temporarily loosen this policy for your local machine with this command:

Set-ExecutionPolicy RemoteSigned

Once this is configured you should be able to run the attached script.

The first line of the script connects you to Teams.  Log in using a Teams administrator account.  This is the context that the script will run under to retrieve the owner information.

When you are done running the script, you can set the execution policy back to the default using this command:

Soooooo, it’s been a really, really long time since I’ve worked on SharePoint 2010. We are finally finally upgrading (to 2016) but it seems like before it goes, I’ll have to jot down one more quick post. 

Wow, it’s almost a year since our O365 deployment began as a Pilot Program back in January-February. In a short time, we’ve held countless kick-offs and trainings to individual departments (yes, we coordinated and trained each and every department in our 2k organization) and we are almost near the end. We’ve been flying island to island, meeting so many people in the organization I would’ve never met otherwise, and wearing our iconic purple team shirt. It really has been a blast learning the ins-and-outs of O365 and teaching others how to embrace change, embrace learning new technology and being the one to hold their hand and tell them we’re here to help. While time consuming, this adoption method has provided the most benefit to our customers and to our organization in bringing about digital transformation. I wouldn’t have done it any other way. 

Technical Note:

We worked with a Microsoft resource who let us know that Teams spaces are actually O365 groups and the expiration policy is not set up by default and when expired, it is not the space that gets deleted, but the entire O365 group.

I attended Microsoft Ignite 2018 at Orlando, FL. It was a really great conference because I got to network with Microsoft’s CSEO (Core Services Engineering and Operations) Team. This was Microsoft’s IT Operations Team before the transition to all things Azure Cloud and DevOps. I spoke with Dana Baxter, Service Manager, and Rajesh Vasireddy, Program Manager and Engineer extraordinaire. Two very intelligent and helpful individuals. They did multiple presentations on their transition to devops and Azure. 

Main takeaways:

Buy-in has to be from the very top and every level below must be held accountable by those at the top. To transition to DevOps, Microsoft went through key phases - it didn’t just happen overnight and they experienced pain points, just like any other organization will. Initially, IT Operations managed all the subscriptions for all the Microsoft Teams and the teams would have to answer to IT Operations. Do you see the problem with this? People went rogue. They started using their own credit cards to buy their own subscriptions. So, how did IT Operations reel in the rebels? They didn’t. What happened was enough teams had security incidents, infrastructure problems, etc and had to ask IT Operations for help. Want our help? Come back into our subscriptions. 

But this model is still very similar to the old model of Operations, just in cloud instead of on-prem. It’s a transition point to DevOps.   (If Microsoft is using Azure and that’s its own product, isn’t it still on-prem? hehe.).

So, how did Microsoft fully implement DevOps? Their IT Operations team focused on empowering their users to manage their own subscriptions by developing monitoring and alert toolkits. With a simple click, a Microsoft team could install 100+ policies and alerts to help them manage their own Azure infrastructure. There was also a lot of training, hand-holding and support until the teams realized that they had become self-sufficient. In the end, every team has their own subscriptions, they monitor their own environment and CSEO has reporting and monitoring that hooks into all the individual subscriptions in order to provide org-wide reporting. 

At KS, we are building out Azure for dev and prod. We are positioning ourselves to be the cloud broker for the org. This is the transition phase that Microsoft went through, except we’ll be offering services for AWS and Google. 

Ignite presentations by these two superstars are available here: 

It’s been awhile! Too much has been going. Quick update:

We are replacing our obsolete object-based eVault backup and recovery system with Veeam. I am leading the replacement project and we are towards the end of the first deployment phase. From here, we’ll be flying to the outer island locations to set up the new storage hardware, network configuration and Veeam agent installations. This new system brings the org a more reliable and faster recovery (tested when we lost part of our SAN and restored it in 1 day!) as well as automated backup file restore testing (sure backups). It’s been a long road, some political, some people, but we’re almost there!

It’s audit time. I am on the primary team for audit interviews regarding business continuity (for critical applications) and disaster recovery (our new Veeam deployment factors into our DR capabilities). Right now, we are using Azure Site Recovery as our off-site DR but my goal is to get Veeam to be a secondary DR (it has this capability). 

Just wanted to do a quick post on some visuals I drafted that are project and process related. 

Visual above is what I use to explain the project to team members. Justification of resources and efforts to get team buy-in.

This is the current data relating to the EOL audit report grouped by responsible team. The ? highlights redundant data input that I’d like to address.

This is just  a quick post on what’s been going on...

Our org is working with a consultant to establish an enterprise DR plan.  Here’s some random notes...

The president of the company is saying they conduct the BIA following an investigation and follow-up procedure. However, after talking with the consultants who did the work, this is not the case.  Basically, they sent out a survey and compiled all the data and presented it as the BIA.  We found many holes in the data and areas that need further details.  They insist this is the standard and any other work will be a business change order that will require additional funds.  There is a conflict of interest because the deliverable does not meet our expectations and the statement of work is loose, where we can reject the deliverable. Our next meeting will be to bring up the conflict between what the president said, the work that was actually done, and the holes that need to be fixed on their end. We have even discussed internally getting assistance from legal and procurement, as well as an exit strategy and bringing the effort in-house.  

Some things we noted from their BIA...

The BIA was conducted through a departmental survey. As such, the BIA reflects a priority for department operations that is not aligned with the mission of the organization.  

The BIA has no analysis done and is just a summary of the surveys sent out. There are no details or justifications for RTOs and the vendor made no effort to elicit the information from the department heads. 

This BIA can’t be presented to the execs...it is just a summary and provides no direction to the org. The vendor insists that it is up to the org to decide what actions to plan based on the report. This does not meet expectations. Compromise is to provide the details to the vendor and have them update the deliverable. 

In their defense, the vendor insists the BIA is just their findings and is not meant to provide any action or direction.  Instead, the BIA is a snapshot and the BCP for each department is the living document that will detail any changes in action, workarounds, etc for continuity.  

I am currently part of a team working with a vendor to update our org’s BIA, BCP and DR Plans. Some quick notes from our meeting to get to a middle ground, as the vendor is taking the direction differently from our expectations: 

Mission-Critical

·        Mission-critical needs to be defined and agreed upon by X and vendor. Vendor seems to define mission-critical as “all departments operational”.  

·        X’ previous BIA and current operations reflect mission-critical as those departments that perform essential business processes for X, such that if these processes where to cease, X as an organization, would no longer be able to operate after 7 days (2005).

·        Defining mission-critical will help scope the BIA and lower the # of applications currently on X “mission-critical” applications.

 Application Usage

·        V did not provide enough information about how the departments use the applications.  In the Appendix, application usage is explained in just a few words in various columns, ie: Used For? Pg 65. This scarce level of detail does not inform an employee (who does not work in the department) with enough information to understand how the department uses the application and how its usage is considered “mission-critical”.  

·        V needs to provide the full details that they gathered during the research phase.  

 Applications

·        The list of applications is currently segmented by internal and external.  This should be further defined, responsibilities identified and the definitions documented in the BIA.  Example: SaaS, SaaS & Internal, Internal Desktop, Internal.  

·        Internal meaning that the system is fully hosted by X on-premise and X is fully responsible.

·        Internal Desktop meaning the application is a client application installed on the department’s workstations and the department is responsible.  

·        SaaS meaning the system is fully hosted and supported by a vendor and the vendor is responsible.  

·        SaaS & Internal meaning the system is hosted and supported by a vendor, but the system has integration with X hosted components and each party is responsible for their parts of the system.