Wednesday, August 28, 2024

Exchange Online user to access the on-premises Exchange Control Panel (ECP) - Active Directory attributes

Standard



To ensure that an Exchange Online user can access the on-premises Exchange Control Panel (ECP), you need to configure certain Active Directory attributes correctly. Here are the key attributes and steps to point the user to the right on-premises Exchange server:

Key Attributes to Configure:

  1. msExchHomeServerName: This attribute specifies the Exchange server that hosts the user’s mailbox.
  2. msExchRecipientTypeDetails: Indicates the type of recipient. For a remote user mailbox, this should be set to 2147483648.
  3. msExchRemoteRecipientType: Indicates the type of remote recipient. For a migrated mailbox, this should be set to 4.

Steps to Update Attributes:

  1. Open Active Directory Users and Computers (ADUC):

    • Enable Advanced Features from the View menu to access the Attribute Editor tab.
  2. Locate the User:

    • Find the user account that needs access to the on-premises ECP.
  3. Update Attributes:

    • msExchHomeServerName: Set this attribute to the FQDN of the on-premises Exchange server.
    • msExchRecipientTypeDetails: Set this attribute to 2147483648
    • msExchRemoteRecipientType: Set this attribute to 4

Example PowerShell Command:

You can use PowerShell to update these attributes:

# Replace 'username' with the actual username and 'exchangeServerFQDN' with the FQDN of your on-premises Exchange server
Set-ADUser -Identity username -Add @{
    msExchHomeServerName="exchangeServerFQDN";
    msExchRecipientTypeDetails=2147483648;
    msExchRemoteRecipientType=4
}

Additional Considerations:

These steps should help you point the Exchange Online user to the correct on-premises Exchange server for accessing the ECP. If you need further assistance or have any other questions, feel free to drop me a comment!





Monday, August 5, 2024

Strength the Break glass accounts (Emergency access) with FIDO2

Standard

 


Many organizations create emergency access accounts to prevent being locked out of their Microsoft Entra organization. These accounts ensure that administrators can always sign in or activate another user’s account when needed. Typically, two or more emergency access accounts are created to mitigate the impact of losing administrative access. These accounts are highly privileged and are not assigned to specific individuals.

For detailed guidance on creating an emergency access account, refer to this Microsoft guide. https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/security-emergency-access?WT.mc_id=%3Fwt.mc_id%3DMVP_328457

Generally, we use lengthy passwords for emergency access accounts. The usernames and passwords are sealed and stored in a very secure location. These accounts are excluded from all security mechanisms, meaning no MFA or similar protections are applied.

To strengthen security, instead of using passwords, we can use FIDO2 keys. There are many FIDO2 security vendors available, offering various technologies. 

Some examples:

  1. Yubico YubiKey 5 NFC: Known for its versatility, this key supports multiple protocols including FIDO2, FIDO U2F, and NFC, making it compatible with a wide range of devices12.
  2. Feitian ePass K9: This key is praised for its robust security features and ease of use. It supports FIDO2 and U2F protocols3.
  3. SoloKeys Solo 1: An open-source security key that supports FIDO2 and U2F. It’s a great choice for those who prefer transparency and community-driven development3.
  4. TrustKey T110: This key offers strong security with FIDO2 support and is known for its durability and reliability3.
  5. GoTrust Idem Key: A compact and reliable key that supports FIDO2 and U2F, making it a solid choice for securing your accounts3.

Tuesday, July 16, 2024

All you want to know about Microsoft 365 new bulk Email Sending method (HVE)

Standard

 High Volume Email for Microsoft 365

Last April, Microsoft released the public preview of Microsoft High Volume Email (HVE) for Microsoft 365. HVE is a new service designed primarily for line-of-business applications and other high-volume SMTP Auth submissions, enabling the sending of internal messages beyond the current limits of Exchange Online.

Many customers are using their on-premises hybrid Exchange environments to send bulk emails through email relay, which has become challenging due to Microsoft’s new restrictions. Exchange servers need to be updated, and many customers are struggling to upgrade their existing servers. If customers do not upgrade, Microsoft will throttle their emails.

Current Exchange throttle enforcement stages:


All you need to know about exchange throttling -  https://techcommunity.microsoft.com/t5/exchange-team-blog/throttling-and-blocking-email-from-persistently-vulnerable/ba-p/3815328?WT.mc_id=%3Fwt.mc_id%3DMVP_328457

HVE Current limits

  • Pricing has not been release yet but as public preview customer can try on non critical application for email sent. 
  • Only 20 HVE account can be create per tenant
  • Recipient rate limits is set to 100,000 per day ( per tenant)
  • External recipient 2000 per day (Per account)

How to create

  1. login to https://admin.exchange.microsoft.com/#/highvolumeemail
  2. select "Add an HVE account
  3. Provide the basic information and next to finished


Application setting

  • Server/Endpoint: smtp-hve.office365.com
  • Port: 587
  • TLS: STARTTLS
  • TLS 1.2 and TLS 1.3 are supported
  • Authentication: Username and password

Authentication

During the Preview, High Volume Email (HVE) for Microsoft 365 requires SMTP Basic Authentication. Once it reaches General Availability, OAuth authentication is expected to be supported.
Follow below method to enable basic authentication for HVE account.
1. Connect to Exchange online though PowerShell and run below commend
New-AuthenticationPolicy -Name "allowed basic auth"
Set-AuthenticationPolicy -Identity "allowed basic auth" -AllowBasicAuthSmtp
2. assign to new auth policy to HVE account
Set-User -Identity "HVEaccountName" -AuthenticationPolicy "allowed basic auth"

3. To immediately apply the authentication changes to HVE account run below commend. otherwise it will take up to 24 hours. once you run the commend you can check the within 30 mins.
Set-User -Identity "HVEaccountName" -STSRefreshTokensValidFrom $([System.DateTime]::UtcNow)

Usage Reports

Navigate to https://admin.exchange.microsoft.com/#/reports/highvolumeemaildetails







Monday, July 15, 2024

Microsoft Entra Internet Access and Microsoft Entra Private Access have been announced

Standard

 The pricing details for Microsoft Entra Internet Access and Microsoft Entra Private Access have been announced.

Microsoft Entra Private Access, often referred to as the VPN Killer, offers a modern alternative to traditional VPN solutions. It enables access to on-premises or private networks through the Global Secure Access Client. 



Microsoft Entra Internet Access offers web content filtering and the option to secure Microsoft 365 using new Conditional Access policies such as "Compliant Networks". This includes networks and endpoints linked to the Global Secure Access service, providing robust defense against Attacker-in-the-Middle scenarios. 



The bundle solution, Microsoft Entra Suite, includes several components such as

- Microsoft Entra ID P2

- Microsoft Entra ID Governance

- Microsoft Entra Verified Credentials Premium

- Microsoft Entra Private Access

- Microsoft Entra Internet Access

The pricing is set at $12 per month or $144 annually.

Read more: https://techcommunity.microsoft.com/t5/microsoft-entra-blog/microsoft-entra-expands-into-security-service-edge-with-two-new/ba-p/3847829?WT.mc_id=%3Fwt.mc_id%3DMVP_328457



https://techcommunity.microsoft.com/t5/microsoft-entra-blog/microsoft-entra-suite-now-generally-available/ba-p/2520427?WT.mc_id=%3Fwt.mc_id%3DMVP_328457

Saturday, April 20, 2024

Tenant attach vs Co-management

Standard

 Let’s delve into the comparison between tenant attach and co-management:

  1. Tenant Attach:

    • Definition: Tenant Attach is a feature that allows you to connect your Configuration Manager (ConfigMgr) hierarchy to your Microsoft Intune tenant.
    • Purpose: It enables synchronization between ConfigMgr and Intune, allowing you to manage devices using either solution.
    • Visibility: You can view Configuration Manager devices in the Intune admin center.
    • Use Case: Useful when you want to gradually transition from ConfigMgr to Intune or need a hybrid management approach.
    • Flexibility: You can choose to manage devices purely with ConfigMgr or Intune, based on your requirements.
  2. Co-management:

    • Definition: Co-management occurs when a device is simultaneously managed by both ConfigMgr and Intune.
    • Purpose: It allows organizations to leverage the strengths of both solutions.
    • Scenarios: Co-management is beneficial for scenarios where you want to:
      • Gradually move workloads from ConfigMgr to Intune.
      • Use Intune for modern management while maintaining existing ConfigMgr infrastructure.
    • Features: Co-management provides features like conditional access, compliance policies, and Windows Update management.
    • Device State: Devices can be in a co-managed state, where both ConfigMgr and Intune policies apply.

In summary, tenant attach establishes a connection between ConfigMgr and Intune, while co-management enables dual management of devices. The choice depends on your organization’s needs and migration strategy


Tuesday, January 16, 2024

Saturday, January 13, 2024

Log in smoothly with Standard domain account and Local Admin account using Windows Hello

Standard


Introduction

Windows Hello is a feature that allows you to sign in to your Windows 11 device using your face, iris, or fingerprint. It is a convenient and secure way to unlock your device without typing a password. However, if you have more than one account on your device, such as a domain standard user account and a local admin account, you might want to use Windows Hello for both accounts. This document will show you how to set up Windows Hello for your local admin account and how to make it easier to run applications as an administrator.

Steps to set up Windows Hello for your local admin account

  • First, you need to sign in to your local admin account by switching the profile in the Windows login screen. You can do this by clicking on the user icon in the bottom left corner and selecting your local admin account.
  • After you sign in to Windows with your local admin account, click the Start button and search for Settings.
  • Then, go to Accounts and click on Sign-in options in the left pane.
  • Under Windows Hello, you will see the options to set up your fingerprint recognition. Choose the option that suits your device and follow the instructions to scan your biometric data.

  • Once you have set up Windows Hello, you can sign out of your local admin account and switch back to your domain standard user account.

Tip: Use a Different finger for each profile. Scan one finger for the domain account and another finger for the local account. 

How to run applications as an administrator using Windows Hello

Some applications, such as Hyper-V Manager, require you to run them as an administrator to access their full functionality. However, if you are signed in with your domain standard user account, you will need to enter your local admin account credentials every time you want to run them as an administrator. This can be inconvenient and time-consuming, especially if you have a long or complex password. To avoid this hassle, you can use Windows Hello to sign in with your fingerprint instead of typing your password. Here is how you can do that:

  • Right-click on the application that you want to run as an administrator and select Open file location.
  • Then, right-click on the application shortcut and select Properties.
  • Then, select the Shortcut tab and click on Advanced.
  • Tick the Run as administrator checkbox and click OK.


  • Now, every time you click on the application shortcut, it will automatically open with a run as administrator prompt and ask you to scan your fingerprint. If you have enrolled a different finger for your local admin account and your domain standard user account, you can use the appropriate finger to sign in without any hassle.

Conclusion

By following these steps, you can set up Windows Hello for your local admin account and use your fingerprint to sign in and run applications as an administrator. This will make your Windows 11 experience more convenient and secure. However, you should also remember to keep your fingerprint scanner clean and dry, and to update your biometric data regularly to avoid any errors or failures.

Thursday, November 30, 2023

Enable Microsoft Entra self-service password reset on the Windows sign-in screen

Standard

 To configure self-service password reset on the sign-in screen using Intune, you need to create a device configuration policy in Microsoft Intune and enable the Allow Aad Password Reset setting. This setting allows users to reset their passwords directly from the Windows sign-in screen, improving the overall user experience on Windows devices. Here are the steps to create the policy:

  • Sign in to the Microsoft Intune Admin portal .
  • Select Devices > Windows > Configuration profiles > Create profile.
  • In Create Profile, select Platform as Windows 10 and later and Profile type as Settings catalog. Click on Create button.
  • On the Basics tab, enter a name and a description for the policy, then select Next.
  • In Configuration settings, click Add settings to browse or search the catalog for the settings you want to configure.
  • On the Settings Picker window, select Authentication to see all the settings in this category. Select Allow Aad Password Reset below. After adding your settings, close the settings picker.
  • On the Configuration settings tab, select the Allow Aad Password Reset setting and choose Allow Then select Next.
  • On the Assignments tab, choose the groups of devices that you want to apply this policy to. Then select Next.
  • On the Review + create tab, review your settings and click on Create to create the policy.

Adding users to the local Remote Desktop Users Group

Standard

 There are different ways to add users to the local remote desktop user group using Intune, depending on the type of device and the method of user identification. If the device is Azure AD joined,this methord will help you to add users to local groups.

  • Sign in to the Microsoft Intune Admin portal .
  • Select Endpoint security> Account protection > Create profile.
  • In Create Profile, select Platform as Windows 10 and later and Profile type as Local user group membership. Click on Create button.

  • On the Basics tab, enter a name and a description for the policy, then select Next.

  • Then Select Local Group as remote desktop user and select the group 

  • On the Assignments tab, choose the groups of devices that you want to apply this policy to. Then select Next.
  • On the Review + create tab, review your settings and click on Create to create the policy.




Thursday, November 9, 2023

Improve experience with Quick assist Non Administrator mode

Standard

Many customers intend to use third-party remote assistance tools for their day-to-day support needs, while some opt for Teams as their remote support tool. In my experience, using the Quick Assist tool has proven to be much more beneficial, and I have personally experienced its advantages.


However, when Administrator mode is not available, I've observed a decrease in the quality of the experience. To address this issue, I've implemented some strategies to avoid suboptimal experiences.

Before that, I recommend using the shortcut for Quick Assist, which is Ctrl + Windows key + Q. It's much easier to guide end users by asking them to press these keys.


Option 01

Quick Assist is my preferred application for remotely resolving technical issues. It also allows me to elevate my privileges and run as an administrator for hardware and software installation and configuration. The following steps outline the process:

Launch the Command Prompt (CMD) on the end user's computer.

Enter the following command:

runas /user:domain\administrator cmd

Replace "domain" with your organization's domain.

Replace "administrator" with any valid administrator login.

If a domain is not available, use the following command in CMD:

runas /user:local_user cmd

Enter the administrator password when prompted.

Once you've successfully launched CMD in administrator mode, you can perform various tasks, such as:

Installing software using a command like 

  • x:\MicrosoftEdgeSetup.exe (for software installation, where x is any drive letter from your computer).
  • appwiz.cpl for installing or uninstalling program.
  • Services.msc (Run or Stop a service)
  • devmgmt.msc (Device Manager, to install/uninstall or upgrade the device driver)
  • diskmgmt.msc (Disk Management) 
  • compmgmt.msc (Computer Management)
  • regedit (Registry Editor)

Option 02

When opening an elevated privilege application, a pause screen is typically displayed, and the end user is prompted to enter the Admin password. However, in cases where the user is not accustomed to such a procedure and you, as the administrator, want to ensure a secure experience, this can be challenging.


 This is how I've developed a workaround to address this issue.

  1. Login to Intune Admin Center - https://intune.microsoft.com/
  2. Go to Devices and select Configuration profiles
  3. Then Create a Policy 
    • Platform - Windows 10 and later
    • Profile type - Settings Catalog
  4. Provide the name and click next
  5. In the Configuration Setting Tab, select +Add settings and search for "User Account Control"
  6. Then Select Local Policies Security Options
  7. after that select these two polices 
    • User Account Control Behavior Of The Elevation Prompt For Standard Users
    • User Account Control Switch To The Secure Desktop When Prompting For Elevation


8. Set below policy as below 
    • User Account Control Switch To The Secure Desktop When Prompting For Elevation - Disabled
    • User Account Control Behavior Of The Elevation Prompt For Standard Users - prompt for credentials


9. Then Select Next and in the Assignment page add the group. after than click next and create the policy. 

After option 02; Quick assist remote experience

A password prompt appears on the remote system, allowing the admin to type