Password-less sign-in to Office 365

Today I was busy hardening my Office 365 security and came to the topic of password-less sign-in. I had heard about it at some recent events like Experts Live and Ignite, so it was time to configure it.

What is Password-less sign-in

Password-less sign-in is a different way of logging in to Azure AD. You sign in with a number picker instead of an old school password. As you all know, Microsoft thinks old school passwords are not safe anymore, and logically this is true. A password is just a set of characters: if you take a common password like “Welcome123!@”, these are all characters, and a capital W is no different in kind from a symbol like @. The only difficulty you can add is length, but if someone wants to crack it, it is just a matter of time until it is cracked.

How does it work

How does password-less sign-in work? This new method lets you completely replace your password with a number match in your Azure Authenticator app as the first factor, together with a biometric like Touch ID as the second factor, to complete the sign-in. This two-way communication with the identity provider (IdP), in this case Azure AD, makes the phone itself a strong credential, and a password is no longer required because we have the number challenge.

I think this way of authentication, combined with Windows Hello for Business, is where safe authentication is heading.

Configuration

To start configuring password-less sign-in we should start PowerShell. I used the cloud-based version of PowerShell from Azure AD.

(Screenshot: Cloud Shell PowerShell button in Azure AD)

When pressing this button in Azure AD a Cloud Shell will start (you need a storage account for this).
When the Cloud Shell is started it is time to configure password-less sign-in.

(Screenshot: PowerShell Cloud Shell)

Type or copy the following command. No worries: this only makes the option available alongside the other authentication methods.

New-AzureADPolicy -Type AuthenticatorAppSignInPolicy -Definition '{"AuthenticatorAppSignInPolicy":{"Enabled":true}}' -isOrganizationDefault $true -DisplayName AuthenticatorAppSignIn

(Screenshot: PowerShell command output)

When this is done you have configured password-less sign-in and it is time to try it out. Make sure you test it first with some pilot users. The impact can be high, but you won't lock anyone out.
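The command above is not idempotent: running it twice creates a second policy object. The following is an added example (not from the original post) that checks for an existing AuthenticatorAppSignInPolicy, creates or updates it, and then reads the stored definition back to confirm that Enabled is really true. It assumes the AzureADPreview module and that Connect-AzureAD has already run.

```powershell
# Added example: idempotently enable the Authenticator app sign-in policy
# and verify what Azure AD actually stored. Assumes AzureADPreview + Connect-AzureAD.
$policyType  = 'AuthenticatorAppSignInPolicy'
$displayName = 'AuthenticatorAppSignIn'
$definition  = '{"AuthenticatorAppSignInPolicy":{"Enabled":true}}'

# Look for an existing policy of this type so a re-run does not create a duplicate
$existing = Get-AzureADPolicy | Where-Object { $_.Type -eq $policyType }

if (-not $existing) {
    Write-Host "No $policyType found, creating it as organization default"
    $policy = New-AzureADPolicy -Type $policyType -Definition $definition `
        -IsOrganizationDefault $true -DisplayName $displayName
}
else {
    Write-Host "Existing policy $($existing.Id) found, updating its definition"
    Set-AzureADPolicy -Id $existing.Id -Definition $definition
    $policy = Get-AzureADPolicy -Id $existing.Id
}

# Definition is a string array holding the JSON; parse it and check the Enabled flag
$state = ($policy.Definition | ConvertFrom-Json).AuthenticatorAppSignInPolicy.Enabled
if ($state -eq $true) {
    Write-Host "Password-less sign-in is enabled (policy $($policy.Id))"
}
else {
    Write-Warning "Policy exists but Enabled is '$state'; check the definition"
}
```

Run it once more after your pilot to confirm nothing else has changed the policy in the meantime.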

Issues

There are still some issues because this functionality is still in preview. The current issues concern:

  • ADFS integrated with Azure AD
  • Azure MFA
  • Only one device registration is possible

For more info, check the Microsoft docs here. Also check out my other blogs.


Single Label Domain (SLD) and Azure AD Connect

The SLD Azure AD case

Some time ago I was at a customer where I needed to set up Azure AD from 2 forests and 7 domains. Essentially this customer wanted to move to Office 365 Exchange Online. When I was making an inventory of these domains I came across a Single Label Domain (SLD). And I, at the age of 30, had never heard of it.

Single label Domain (SLD)

So what is a single label domain? SLD is the name used to describe domains that have only a single label and no suffix. As an example, your Active Directory domain might have a name like company.local, but if it were single label, it would be just company.

Either way, single label domains are a pretty grey area when it comes to support from Microsoft, so the advice is to avoid them at all times.

OK, let's get back on topic. We have 2 Active Directory forests, one of which is single label, and 7 domains, one of which is a single label domain. All the rest are normal FQDNs like company.local.

Now we get back to the part where Microsoft does not support this.

Setting up Azure AD

When you start configuring Azure AD Connect you reach a point where it asks you to enter your forest(s) so it can discover the domains underneath. Both forests are discovered, yes, even the single label one, and all FQDN domain names underneath are discovered too. Except the single label domain: that one is not discovered.

I understand that this is a little confusing, so see the table below :).

Forest.local     Discovered   Forest.          Discovered
Domain.local1    Yes          Domain.local5    Yes
Domain.local2    Yes          Domain.local6    Yes
Domain.local3    Yes          Domain.          No
Domain.local4    Yes

I tried several things to get the Domain. domain discovered within Azure AD Connect. In the end I found out that creating a hosts file entry gets the domain discovered in Azure AD Connect. So we moved to the next setup screen in Azure AD Connect, which lets Azure AD discover everything inside the domain, meaning the objects themselves.

This is never going to work; even with the hosts file in place it doesn't work. So this quest came to an end and we needed to figure out something else.
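Before running the Azure AD Connect wizard it pays to know in advance which domains it will silently skip. The following is an added example (not from the original post) that enumerates the domains of the given forests and flags single label domains, i.e. DNS names without a dot. It assumes the ActiveDirectory RSAT module and network reachability; the forest names are constructed placeholders.

```powershell
# Added example: pre-flight check for single label domains before Azure AD Connect.
# Assumes the ActiveDirectory module (RSAT). Forest names below are placeholders.
$forests = @('forest.local', 'forest')   # constructed placeholders, replace with your own

function Test-SingleLabelDomain {
    param([Parameter(Mandatory)][string]$DnsName)
    # A single label domain has no suffix, i.e. no '.' anywhere in its DNS name
    return ($DnsName -notmatch '\.')
}

$report = foreach ($f in $forests) {
    try {
        $forest = Get-ADForest -Identity $f -ErrorAction Stop
    }
    catch {
        Write-Warning "Forest '$f' could not be contacted: $($_.Exception.Message)"
        continue
    }
    # Forest.Domains holds the DNS names of every domain in the forest
    foreach ($d in $forest.Domains) {
        [pscustomobject]@{
            Forest      = $forest.Name
            Domain      = $d
            SingleLabel = Test-SingleLabelDomain -DnsName $d
        }
    }
}

$report | Format-Table -AutoSize

$sld = $report | Where-Object SingleLabel
if ($sld) {
    Write-Warning ("Single label domain(s) found: {0}. Azure AD Connect will not discover them; " +
                   "plan a migration (for example with ADMT) first.") -f ($sld.Domain -join ', ')
}
else {
    Write-Host "No single label domains found; Azure AD Connect should discover all domains."
}
```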

So we decided to create a new forest with a new domain and move all the users to that domain. For this task we used ADMT. ADMT is a tool from Microsoft that provides a “copy” action to move Active Directory objects between different types of domains.

Active Directory Migration Tool (ADMT)

Microsoft developed ADMT to speed up the migration process and reduce the chance of errors. ADMT performs object migrations and security translations in a way that limits disruption, so users can keep accessing network resources while the migration is underway.

Check this URL if you want to start with ADMT.

https://www.microsoft.com/en-us/download/details.aspx?id=19188


How to disable Office Groups and Teams creation the right way.

Why disable groups/ teams creation

Some companies want to limit who can create groups and teams. There can be many reasons for this; for instance, you want to disable the creation of groups and teams to stay in control of these features.

To do this the right way, it is recommended that only certain users are able to create groups and teams. To achieve this, create a universal security group (mail enabled) that is used only for group and team creation.

First steps

As mentioned before, it is recommended to create a universal security group (mail enabled). When you have Azure AD Connect in place you should create this group on-premises and sync it to Azure AD. That means management stays on-premises.

You can also create this group in Azure AD itself. If that is your way to go, just create a security group in Azure AD. Note that management will then be in Azure AD / Office 365.

The Script

To disable group/Teams creation you can run the script below from the Azure AD PowerShell module.

$Settings = Get-AzureADDirectorySetting | Where-Object {$_.DisplayName -eq 'Group.Unified'}
If ( !( $Settings)) {
    # No Group.Unified object found, create a new settings object from the template
    $Template = Get-AzureADDirectorySettingTemplate | Where-Object {$_.DisplayName -eq 'Group.Unified'}
    # Show the template's default values for reference
    $Template | Select-Object -ExpandProperty Values
    $Settings = $Template.CreateDirectorySetting()
}
# Only members of the allowed group may create groups and teams; guests may not be added
$Settings['EnableGroupCreation'] = 'false'
$Settings['AllowToAddGuests'] = 'false'
# Exact match on the display name, so a second group with a longer name is not picked up
$Settings['GroupCreationAllowedGroupId'] = (Get-AzureADGroup -Filter "DisplayName eq 'Office365GroupTeamsAdmins'").ObjectId
If ( Get-AzureADDirectorySetting | Where-Object {$_.DisplayName -eq 'Group.Unified'} ) {
    # The setting already exists, update it in place
    Get-AzureADDirectorySetting | Where-Object {$_.DisplayName -eq 'Group.Unified'} | Set-AzureADDirectorySetting -DirectorySetting $Settings
}
Else {
    New-AzureADDirectorySetting -DirectorySetting $Settings
}

Make sure there is a synced universal mail-enabled security group named Office365GroupTeamsAdmins, because a user must be a member of Office365GroupTeamsAdmins to create groups and teams; all other users are not permitted.
Thanks to Michel de Rooij for this script.
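After running the script it is worth verifying the effective state rather than trusting the run. The following is an added example (not from the original post or the script above) that reads the Group.Unified setting back and reports whether creation is restricted, which group is allowed, and who is in it. It assumes the AzureAD module and that Connect-AzureAD has already run; the function name is my own.

```powershell
# Added example: read back Group.Unified and report who may create groups and teams.
# Assumes the AzureAD module and an existing Connect-AzureAD session.
function Get-GroupCreationState {
    $setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }
    if (-not $setting) {
        # No setting object at all means tenant defaults apply: every user can create groups
        return [pscustomobject]@{ Restricted = $false; AllowedGroup = $null; Members = @() }
    }
    # Values come back as strings ('false'/'False'); -eq is case-insensitive in PowerShell
    $restricted = ($setting['EnableGroupCreation'] -eq 'false')
    $groupId    = $setting['GroupCreationAllowedGroupId']
    $groupName  = $null
    $members    = @()
    if ($restricted -and -not [string]::IsNullOrEmpty($groupId)) {
        $groupName = (Get-AzureADGroup -ObjectId $groupId).DisplayName
        # DisplayName exists on users and nested groups alike, unlike UserPrincipalName
        $members = Get-AzureADGroupMember -ObjectId $groupId -All $true |
                   Select-Object -ExpandProperty DisplayName
    }
    [pscustomobject]@{ Restricted = $restricted; AllowedGroup = $groupName; Members = $members }
}

$state = Get-GroupCreationState
if (-not $state.Restricted) {
    Write-Warning "Group/Teams creation is NOT restricted; any user can create groups."
}
elseif (-not $state.AllowedGroup) {
    # EnableGroupCreation is false but no allowed group is set: only admin roles can create
    Write-Host "Group/Teams creation is restricted to administrators only (no allowed group set)."
}
else {
    Write-Host "Group/Teams creation is limited to members of '$($state.AllowedGroup)':"
    $state.Members | ForEach-Object { Write-Host "  $_" }
}
```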