Monitor Windows AD and Azure AD Health with Microsoft OMS

What is Microsoft Operation Management Suite (OMS)

Oms (Microsoft Operations Management Suite) is Microsoft’s cloud-based IT management solution that helps you manage and protect your on-premises and cloud infrastructure. In this case we will use OMS to monitor and sort of “manage” Azure AD connect and Azure AD identities.

Before we start with OMS

Bore we start there are some requirements.

  1.  We need a Valid OMS Subscription – OMS has different level of subscriptions. It is depending on the OMS services you use and amount of data you uploaded. Ther is a free version which provides 500mb daily upload and 7-days of data retention.
  2. Direct Connection to Azure AD
  3. Domain Administrator Account in order to install the agent in the domain controllers we need to have Domain Administrator privileges.
  4. Global admin account to perform some actions in Azure AD

How to enable OMS as an AD Solutions 

Log in to OMS https://login.mms.microsoft.com/signin.aspx?ref=ms_mms as OMS administrator

Click on Solution Gallery

By default, AD Assessment solution is enabled. In order to enable AD Replication Status  click on the tile from the solution list and then click on Add.

Install OMS Agents 
Next step of the configuration is to install monitoring agent in domain controllers and get them connected with OMS.
1. Log in to the domain controller as domain administrator
2. Log in to OMS portal
3. Go to Settings > Connected Sources > Windows Servers > click on Download Windows Agent (64bit). it will download the monitoring agent to the system.
4. Once it is download, double click on the setup and start the installation process.
5. In first windows of the wizard click Next to begin the installation.
6. In next window read and accept the licenses terms.
7. In next window, we can select where it should install. If there is on changes click Next to Continue.
8. In next window, it asks where it will connect to. In our scenario, it will connect to OMS directly.
9. In next window, it asks about OMS Workspace ID and Key. it can be found in OMS portal in Settings > Connected Sources > Windows Servers. if this server is behind proxy server, we also can specify the proxy setting in this window. Once relevant info provided click on Next to continue.
 10. In next window, it asks how I need to check agent updates. It is recommended to use windows updates option. Once selection has made, Click Next.
11. In confirmation page, click Install to begin the installation.
12. Follow same steps for other domain controllers.
13. After few minutes, we can see the newly added servers are connected as data source under Settings > Connected Sources > Windows Servers

How to view analyzed Data

After a few minutes, OMS will start to collect data and virtualize the findings. To view this data, log in to OMS portal and click on relevant solution gallery tile in home page. You will find your analysed/ assessed servers there. You also get a quick overview and some recommendations for these servers.
Once click on the tile it brings you to a page where it displays more details about its findings. You will get a nice overview with all the collected data and it even provides you some fixes

 How to collect Windows logs for Analysis

Using OMS, we also can collect windows logs and use OMS analyzing capabilities to analyze those. When this enabled, OMS space usage and bandwidth usage on organization end will be higher. In order to collect logs,
1. Log in to OMS portal
2. Go to Settings > Data > Windows Event Logs
3. In the box, you can search for the relevant log file name and add it to the list. We also can select which type of events to extract. Once selection is made click Save.
After few minutes, you can start to see the events under log search option. In their using queries we can filter out the data. Also, we can setup email alerts based on the specific events.
*source http://www.rebeladmin.com/
Please follow and like us:

Where is the Bitlocker Key stored within Microsoft Azure AD

Storing your Bitlocker key

When you enroll your  Windows 10 devices with  Microsoft Intune, you have the posibility to store your Bitlocker recovery keys in Azure AD. There are two ways to store the Bitlocker key the proper way

  1. Store the Bitlocker key into Active Directory (on-premise)
  2. Store the Key Into Azure AD (Cloud)

When you use the Azure AD join and activate Bitlocker, you get the option to store the Recovery Key in Azure AD. When you walk through the Join or register the device wizard.

The Key will be stored in the Cloud/ Azure AD. To get these keys in the Classic Azure Portal follow the steps below

Classic Azure Portal steps

  1. Open Azure AD in the Management Portal https://manage.windowsazure.com
  2. Open the Users tab and search/browse for the account you need to find recovery key for, then open it.
  3. Go to the Devices tab, and in the View box, select Devices.
  4. Select the affected device, and click View Details.

All registed recovery keys should be visible

(New) Azure Portal

Most of you will probably use the (new) azure Portal, to find the keys here is a little different but not to much. Follow the steps bellow to get the recovery keys from Azure AD

  1. Open Azure AD in the Management Portal https://portal.azure.com
  2. Open the Users and Groups blade and find the user involved.
  3. Go to his registred devices of the user.
  4. Click on the Device where you need the key from,

You will find the recovery key at the bottom of the device information

Please follow and like us:

Migrating Azure AD connect to new Active directory domain

Migrate Azure AD connect

When you want to migrate Azure AD Connect to another domain, so things can become pretty complicated. These kind of migrations can also create a lot of issues and unknown errors. The best thing to do before you start such a migration is to prepare this scenario in a testlab.

Disable Azure AD connect

First you need to logon to the Azure AD connect server which you want to migrate. Then perform the 4 steps below.

Install the Azure Active Directory Module for Windows PowerShell. So For more info, go to the following Microsoft website:

Connect to Azure AD by using Windows PowerShell. For more info about how to do this, go to the following Microsoft website:

Disable directory synchronization.  So to do this, type the following cmdlet, and then press Enter:

Set-MsolDirSyncEnabled –EnableDirSync $false

Check that directory synchronization was fully disabled by using the Windows PowerShell. To do this, run the following cmdlet periodically:

(Get-MSOLCompanyInformation).DirectorySynchronizationEnabled

*note This will take up to 72 hours. This change will not cause any service interruption, all users will be able to use their services as normal.

Install the new Azure AD connect

When you have prepared or executed the steps above you can install the Azure AD connect tool on the new server.

The second step is to populate your new AD domain with all user accounts. So it is now important that you copy all information from the old domain, (companyname, jobtitles etc), and for Exchange Online it is especially important that these attributes are copied:

  • userPrincipalName
  • proxyAddresses
  • legacyExchangeDN

When Hybrid you need the above and attributes below

  • msExchRecipientTypeDetails
  • msExchMasterAccountSid
  • msExchRecipientDisplayType
  • msExchRemoteRecipientType

What does the attributes do

  • The UserPrincipalName (UPN) of the users is the login name to Office 365.
  • ProxyAddresses are all your email addresses, both primary and alias.
  • The legacyExchangeDN, is used if you previously have migrated from an Exchange on-premises to Office 365. It is used for internal addressing in Exchange. If it is removed you will not be able to reply to old emails, meeting invitations, and your Suggested Contacts will also fail.
  • msExchRecipientTypeDetails sets the type of mailbox: usermailbox(1), linkedmailbox(2), Sharedmailox(4), legacymailbox(8), room mailbox(16), equipmentmailbox(13)
  • msExchMasterAccountSid This attribute of the target user object holds the objectSID of the source user account. This allows to connect to the own mailbox and shared mailbox.
  • msExchRecipientDisplayType sets the type of account that is used (List of references)
  • msExchRemoteRecipientType

Match Immutable ID

The third step is to make sure the immutable id in Office 365 which uses the ObjectGUID attribute  is translated to an ImmutableID in Azure Active Directory. If you rename your users, the ObjectGUID is untouched. And most of the time you use the ObjectGUID by default as immutableID.

*note if you have used something else please make sure this part is covert.

Currently we are moving to a new Domain so in this case the ObjectGUID will be changed. To manage this we have to clean the attribute in Office365. Office 365 generates these IDs for us,  you can use the Command below.

Set-msolUser -UserprincipalName “jerry.meyer@domain.com” -immutableID “$null”

Enable AzureAD sync and reinstall Azure AD connect

The next step is to enable Azure AD connect in the Office 365 tenant.

Set-MsolDirSyncEnabled –EnableDirSync $true

Check if it is enabled:

(Get-MSOLCompanyInformation).DirectorySynchronizationEnabled

After these steps you reinstall the Azure AD Connect Sync tool on a server in the new domain. I strongly recommend using a new server for this step. Always use a new server for this purpose else it can create bad errors or even break the sync. When this happens you need to create a ticket at Microsoft.

When the installation and full sync is done. The Sync tool will match the users in Office 365 and AD onprem by the primary email address. When there is a match  a new ImmutableID is created and written to Azure AD.

Please follow and like us:

Retention Policy and Litigation hold

Most of the times Security is unfamiliar terrain when it comes down to Litigation hold and Retention Policies. In this blog post i will explain when to use Litigation hold and when it is best to use the Retention policy in Office 365.

Litigation Hold

When you search on Technet or Google for litigation hold you will find millions of results. But Actually it is quit simple. Litigation Hold is actually another expression for Legal Hold. When you translate this into Office 365 you will use this function. For instance when a user is leaving the company and you need to preserve the Mailbox for 30 years or even longer.

If you activate or use litigation hold you can already check this from you GDPR Checklist because this is one of the requirement.  Office 365 offers a rich set of in-place eDiscovery capabilities to identify relevant data. in-place Discovery including  for instance, search, hold, analyze and export. These tools will help you quickly to meet the investigative, legal, and regulatory requirements regarding GDPR.

To activate Litigation hold you can simply run the following command from the Exchange online powershell module

Set-Mailbox user@domain.com -LitigationHoldEnabled $true -LitigationHoldDuration Unlimited

*note it can take up to 60 minutes before this function is completely activated.

Retention Policy

Since some time compliance is one of Microsoft’s main focuses in Office 365. You need to know how to use these Office 365 features, so that next time you encounter legal, industry regulations or internal policies, you know what to do.

A retention policy is mainly used to preserve content for a specific period of time or indefinitely. Due to regulatory, legal, or business requirement. You can enable Retention policies on most of the Office 365 services like Onedrive, Exchange and since a short period even Groups and possibly even Teams.

You can configure the retention policies quiet easy using the wizard. You can find this in the Security and Compliance menu of the Office 365 admin Center.

So when do you use Litigation hold and when to use a retention Policy

When use Litigation hold to Legally hold a complete mailbox (it will be stored between the soft deleted mailboxes). You use the Retention Policy when you want to preserve Content of one of the Office 365 services.

And yes the configuration of these compliance settings really depends on the situation of you company or client.

Please follow and like us:

Revoke Access from compromised office 365 account

Revoke access

When you have aaccount in your organization that has been hacked or compromised you need to take immediate action to prevent a security dilemma inside of your organization.

For instance when the credentials of a account are compromised. This account can be used for sending out bad emails with malware  and even worse skimming. This will result in a bad Image for your company.

Actions against compromised account

When a account is compromised you need to revoke access to this account. You can perform this with a password reset. What most admin do not know is that this change does not kick in straight away. To speed this process up, the best thing to do is run a “Revoke-AzureADUserAllRefreshToken” on the user’s account. (make sure you are using the connect-azuread module)

Now you are sure that this account has a new password and logging in is impossible.

There is a scenario that the account can still send emails to others. In this case the best thing to do is to create a transport rule. The Transport rule can prevent the user to send out malicious emails.

There is also a way to prevent most of these dangers with the implementation of Azure AD identity protection.

 

 

Please follow and like us:

Microsoft Office 365 groups and Office 365 teams Expiry

Yesterday Microsoft has introduced a feature within Office groups to set an expiry date. What does this means.

What does this mean

This means that you can set a 30 days expiration of a group. When the experation date is passed the owner of the group gets a notification to renew the expiration date for another 30 days or even more.

un1

How do i configure this Group Expiry

You can set the expiration of Office groups in Azure Active directory.

Untitled

When you’re not setting a new expiration date the group will be removed and put into soft deleted. If a group is deleted this can be a real pain for the members of this team or group when this was not the intention.

See my post How to restore a group on how to restore a office group.

Please follow and like us:

How to restore Office 365 group

Some of you probably know that it was not possible to restore data in a office group within office 365. Recently microsoft introduced the new functionality to restore office 365 group or team. This means that you can restore a office Group including all content.

Sometimes a removal of a group can really be a pain for the members in this group or team.

First of all a tip on restore Office 365 Group.

Don’t use Remove-MsolGroup because it purges the group permanently. Always use Remove-AzureADMSGroup to delete an O365 group.

When you start with this topic make sure you have Azure Active Directory PowerShell Version 2 installed else you will mis alot of cmdlets. You can download it from the site of Microsoft. The new version of powershell also contains a lot of new features regarding azure ad. You can also use the command connect-azuread to connect directly into office 365.

To get all removed Office 365 Groups execute the command below

Get-AzureADMSDeletedGroup

Before you want to restore the group or team you need to get more details about the removed office 365 group to get more insights into the group or team. You can also get the object id from here .

Execute the Get command included with the objectID of the removed group. you can also look up the objectid in azure ad.

Get-AzureADMSDeletedGroup –Id <ObjectID>

How to restore your deleted Office 365 group

Once you have verified that the group is in soft deleted, the restore command will restore everything in the office group. (it can take up to 2 days to restore everything) I know this can take a long time and you cant see the status of the restore but the wait is worth the effort.

Restore-AzureADMSDeletedDirectoryObject -Id <ObjectID>

I think you will use this a lot when you manage a office 365 tenant

Please follow and like us:

Office 365 B2B Guest invites with Powershell (without invite email)

Intro add guest user in office 365 with B2B

Sometimes you need to let external users get access to your Office 365 tenant . When this is one user you can just invite the user from the site (Office 365 B2B Guest invites). But what will you do when you need to give access to lots of users without a invite.

In this article i explain how you can add multiple users (10, 100, 1000, 10000 ) as a guest to you office 365 tenant.

First of all you need to do the manual invite Once and give the user you have invite 2 roles.

  1. Usermanagement
  2. Invite guests

The invite guests role explains itself, but you need the usermanagement for changing attributes or removing the user from the tenant.

Ok lets start with Office 365 B2B Guest invites

Invite a users from your source tenant in your destination tenant. When you have done this the user should be in your office 365 tenant under guest with a name like.

user_domain.com#EXT#@j3rmeyerDEV.onmicrosoft.com

When you have checked this you can execute the following command to give the right permissions to that user.

Add-MsolRoleMember -RoleObjectId 95e79109-95c0-4d8e-aee3-d01accf2d47b -RoleMemberEmailAddress “user_domain.com#EXT#@j3rmeyerDEV.onmicrosoft.com”
*note: the invited user gets an email which he needs to accept so for testing purposes give him a Exchange online license.
OK now we have done this you can check this in AzureAD under Map role under the user account and it should be looking like this (sorry for the Dutch).
Untitled
Oke so now we have created a invite account in the destination tenant which is allow to invite users from his Own tenant into your tenant. And the good part is that the users he will invite will not get a Invitation email when you execute the following powershell command.
#Connect to destination tenant with the credential of the inviter account (yes i know you can use a keyfile)
$Username = “Inviteraccount”
$Password = “Inviteraccount password”
$PasswordSecured = Convertto-SecureString –String $Password –AsPlainText –Force
$UserCredential = New-object System.Management.Automation.PSCredential $Username,$PasswordSecured
Connect-AzureAD -Credential $UserCredential -TenantDomain “j3rmeyerDEV.onmicrosoft.com”
#Invite the user
$newuser = New-AzureADMSInvitation -InvitedUserEmailAddress “user2@domain.com” -InvitedUserDisplayName “User2” -sendinvitationmessage $false -InviteRedirectUrl “https://j3rmeyerdev.sharepoint.com”

In a following blog post i will show you how you can easily loop true the users in Activedirectory and add them as a guest without a invite in you Office 365 tenant.

Please follow and like us:

How to Fix Duplicate Exchange Guid Errors in Office 365

When you are migrating users to office 365 you can get a lot off issues. One of these issues is when you have duplication errors in your tenant. Duplicate Exchange online Guid Errors can can generate a lot of issues. Think about duplicate accounts or Mailusers are not removable.

When you see these issues you probably do not have a clue on what to do  but actually these issues are pretty easy to fix:

Fix Duplicate Exchange Guid Errors:

This fix contains a lot of powershelling to get the error hashes and data you need to perform the action to restore this. To perform these actions with ease i recommend you install the latest versions of Powershell before you continue and make sure you have the permissions needed to continue to Duplicate Exchange Guid Errors

(Get-MsolUser -UserPrincipalName affecteduser@domain.com).errors.errordetail.objecterrors.errorrecord| fl

Search in EXO PowerShell for the object that is using the mentioned EXchangeGUID or ArchiveGUID:

Get-Recipient -IncludeSoftDeletedRecipients ‘ExchangeGUID value’|ft RecipientType,PrimarySmtpAddress,*WhenSoftDeleted*

Once you found the object that is using this ExchangeGUID or ArchiveGUID, you have to purge it. When you purge it you have 2 options The softdeleted mailuser removal or Usermailbox removal.

1. If it is a softdeleted MailUser:

Remove-MailUser ‘ExchangeGUID value’ -PermanentlyDelete

2. If it is a softdeleted UserMailbox, run:

Remove-Mailbox ‘ExchangeGUID value’ -PermanentlyDelete

If this command fails due to mailbox being protected by hold, you have to disable the hold first(check if data backup is required):

Set-Mailbox user@domain.com -LitigationHoldEnabled $false -InactiveMailbox

If it turns to be an active mailuser/mailbox that is using this ExchangeGUID/ArchiveGUID, you need to evaluate the option to purge that user. Most of the time Purging is needed to continue with the actions.

Next step after purging.

After the faulty object has been purged from EXO, we need to fix the validation error by forcing the object provisioning:

Get-MsolUser -UserPrincipalName user@domain.com |fl *objectID*

Redo-MsolProvisionUser -ObjectId ‘paste the *objectID* value from above command’

Wait for 5 minutes and then run the next command, to confirm if your validation error is fixed:

(Get-MsolUser -UserPrincipalName user@domain.com).errors.errordetail.objecterrors.errorrecord| fl

Please follow and like us:

Office 365 Hybrid migration error: StalledDuitoTarget_DiskLatency

The error that you get refers to : ‘StalledDueToTarget_DiskLatency’

To be straight to the point this is an issue where you can do nothing about.
When you get the message StalledDuitoTarget_DiskLatency . This means that it has to do with the Exchange Online servers and not with the On-premises infrastructure, so there is nothing you can do locally.

In this case the only thing you can do is open a case with Microsoft. When you have done this ask them what can be the cause of this error from the target side (Office 365).

It would be a good idea to open a case with them mentioning the error (StalledDuitoTarget_DiskLatency) and ask them if they can perform a change that might improve the migration speed.

Please follow and like us: