
This website is originally written in the Czech language. Most content is machine (AI) translated into English. The translation may not be exact and may contain errors.

Azure, Microsoft 365, Office 365, Cloud

Various popular topics regarding the public cloud. More focused on Microsoft services, i.e. IaaS, PaaS, SaaS Azure, Entra ID directory services (formerly Azure AD) and hosted Microsoft 365 / Office 365 services.

Azure AD Connect and account replication from On-Premises AD DS

This article contains my brief notes on the very large area of Azure AD for Microsoft 365 / Office 365 services. I didn't have time to study it in detail, so I tried to keep things as simple as possible, testing and getting the necessary parts up and running: that is, the replication of local accounts to the online environment, additionally in a situation where manually created accounts already existed in Azure AD (cloud) and needed to be paired with local accounts (on-premises). I do not guarantee accuracy and the article is by no means comprehensive.
23.04.2021 | 18.09.2020 | Samuraj - Petr Bouška | Microsoft admin | 20 367x | Comments [3]

PowerShell for Azure AD, Exchange Online, working with licenses

This article is just my notes. It contains brief information about using PowerShell to get information about users in Azure AD and mailboxes in Exchange Online (EXO). It also covers working with licenses and various bulk operations, and describes how to remove (block) a specific service, such as Exchange Online or Teams. Finally, this information is used to solve the problem where a user with an on-premises mailbox also has a second mailbox in EXO.

Exchange Hybrid - mail flow, connectors, domains

Before we get into the hybrid Exchange configuration, where we use servers in our company (On-Premises) together with Exchange Online (EXO) cloud servers, we need to know how it will affect routing (Transport Routing) and mail flow (Mail Flow), and what adjustments, if any, we need to make to avoid message delivery issues. Since there are two Exchange organizations that share the same domain, we need to determine where mail comes in from the Internet and how it leaves. Closely related to this are the receiving and sending Connectors in both environments and the configuration of our public domains (Accepted Domains). We spend a lot of time on a special situation that Microsoft doesn't describe in the documentation: if we send a message from our internal servers to another organization that is hosted on the same EXO servers, our Exchange Online Tenant will process the message and forward it.

Exchange Hybrid Configuration Wizard

If we run Exchange Server on our network and we also use (or are about to use) Microsoft cloud services (Office 365), we probably need to get Exchange Hybrid up and running. This is when our On-Premises Exchange organization and Exchange Online communicate with each other. We can move some/all mailboxes to the cloud or just use the connection of MS Teams and other services to internal mailboxes. I ran into a number of problems in the test environment (it was better in production).

Exchange Hybrid - mailboxes and their locations, recipients, attributes and bug fixes

This article describes some important principles of hybrid Exchange configuration: which attributes must be synchronized to Azure AD for correct functionality, how mailboxes are handled in an On-Premises organization versus Exchange Online, how we can find out where a user has a mailbox, and how to properly create and move a mailbox. It describes all the situations that can arise in practice in terms of placing a mailbox for a single user, and deals with repairing the non-functional variants. The situation where one user has a mailbox on an internal server and a mailbox in the cloud (one of them is basically broken) is discussed in the most detail. Many things have to be done using PowerShell.

Azure AD modern authentication, self-service password reset (SSPR)

In this article, we'll look at the Azure AD capabilities for self-service password change or reset (SSPR) and account unlocking. We'll focus on the situation where we have On-Premises Active Directory Domain Services (AD DS) users synced to cloud Azure AD. It is less important that Password hash synchronization (PHS) is used. At the beginning, we will address Password Writeback so that password changes in the cloud are reflected in On-Premises. We will mention the concept of modern authentication, password policies and, importantly, Authentication methods.

Azure AD passwordless login and multi-factor authentication (MFA)

Following on from our last article, which looked at the Self-Service Password Reset and Account Unlocking portal (SSPR), we'll look at what Microsoft refers to as Passwordless Sign-in, here using the Microsoft Authenticator application. As the main focus, we'll look at Multi-Factor Authentication (MFA). We'll mention authentication methods again and look at managing them in Azure AD.
20.12.2021 | 21.05.2021 | Samuraj - Petr Bouška | Microsoft admin | 11 990x | Comments [0]

Hybrid Azure AD Join

Enrolling computers and other devices (such as mobile phones) in Azure AD can bring us various benefits. Let's briefly mention the basic Azure AD Device Registration option. Next, we will discuss Hybrid Azure AD Join. When we have computers joined to an On-Premises AD domain, we sync their accounts to Azure AD and the computers get registered in Azure AD. They can then take advantage of both environments; SSO and Conditional Access work in Azure AD.

FortiGate Admin HTTPS login using SAML SSO against Azure AD

FortiGate supports the SAML protocol, which we can use for user authentication. One of the places where we can use it is to log administrators into the web interface (GUI), and one source of identity can be Microsoft Azure Active Directory (Azure AD). Authentication against Azure AD allows us to use Conditional Access, for example to set up multi-factor authentication (MFA) or to require a managed device for access.

FortiGate SSL VPN login using SAML SSO against Azure AD

FortiGate supports the SAML protocol, which can be used to authenticate users to a remote server (similar to how we use LDAP or RADIUS). We can use such authenticated users in different places. Here we will focus on SSL VPN and use Microsoft Azure AD as Identity Provider (identity source - external authentication server). These can be On-Premises AD DS domain users that we sync to Azure AD Tenant (or pure cloud accounts). Authentication against Azure AD allows us to leverage cloud security. For example, Multi-Factor Authentication (MFA) and Conditional Access in general.
04.10.2025 | 05.08.2021 | Samuraj - Petr Bouška | Fortinet admin | 27 474x | Comments [12]

FortiGate SSL VPN authentication over NPS (RADIUS) to Azure AD

In a previous article, we discussed the ability to authenticate users against Azure AD when logging into an SSL VPN. SAML was used and Multi-Factor Authentication (MFA) could be required. However, client certificate authentication could not be used at the same time. There is another option where you can use MFA in Azure AD, even together with a certificate; however, it has a number of other limitations. It uses Microsoft Network Policy Server (NPS), RADIUS, and the NPS Extension for Azure MFA.

Fortigate SSL VPN with Azure AD MFA from computers in the domain

This article is about a situation where we have a Fortinet FortiGate and we use SSL VPN on it. We want to make the VPN connection more secure, so we decide to require multi-factor authentication when users log in. We also want to allow connections to the VPN only from company-managed devices, that is, the computers joined to the AD domain. We use Microsoft 365 cloud services, where we replicate accounts. So the solution is to connect FortiGate to Azure AD / Entra ID using SAML 2.0 and to use Azure AD / Entra ID MFA along with a Conditional Access Policy.

Microsoft Intune - basic setup and registration of Windows devices

The first article about my familiarization with the Microsoft Intune solution for managing corporate and private devices with different operating systems. A very brief description of what Intune is, what the licenses are, and how to do the initial setup. Then we'll look at how to get Windows 10 or 11 devices into Intune management, i.e. how to enroll them (Enroll). We'll describe some of the methods in more detail. The main focus is on enterprise devices in a Hybrid Azure AD Join environment.

Windows, macOS and Android Azure AD enrollment and device authentication

Let's take a look at the possible ways to enroll devices into Azure AD / Entra ID. We'll focus on macOS and Android (iOS should be similar), but we'll also cover Windows. In the second part, we'll discuss Device Authentication, which is the authentication of a device when logging into Azure AD that we can use for device identification and access control. Again, it's more interesting on macOS and Android, which have some limitations, whereas on Windows it simply works automatically.

Microsoft Intune - macOS device registration

After a light introduction to Intune and registering Windows devices, in the second part we will look at how to register (Enroll) macOS devices. Again, these can be both corporate and private devices. There are fewer methods available in this case. We will describe both manual registration using Company Portal and automated registration using Apple Business Manager.

Microsoft Intune - configuration of device settings

In the third section on Microsoft Intune, we'll look at configuring properties and settings for managed devices. Intune allows you to configure a huge number of settings (most of them for Windows), and there are several ways to configure them. The main thing is to think about what we want to configure, then choose the appropriate method (the documentation will help us with the details). The second question is whether to apply the settings to the device or to the user.

Microsoft Intune - install and manage applications

In the fourth part about Microsoft Intune, we will look at the second basic functionality, which is application management. In this part, we will focus on installing applications. Other areas, such as application configuration and security, may be covered next time. Application installation is a very broad area, because we have a wide range of platforms, types of applications (installation options) and target devices. Let's try to describe the general things first. Next, we'll focus (still briefly) on Windows and macOS. We won't cover the Android and iOS mobile platforms much in this article, since a number of specific areas are growing there (BYOD, for example).

Microsoft Intune - update macOS devices

With Intune, we can control the installation of updates on macOS devices (but in a much more limited way than on Windows). We can create profiles for update policies that deploy updates to devices and/or configure operating system update settings. These can be major and minor operating system updates, application updates, configuration files or firmware updates.

Microsoft Intune - update Windows devices

Intune offers several options to manage the installation of updates on Windows devices; Windows Update for Business is used. For configuration within Intune, we most often use Update Rings, where we create several groups and install updates with gradual delays. For Windows version updates, we can use the newer Feature Updates Policy. There are other options, such as Windows Autopatch, that are only briefly mentioned here.

Multi-Factor Authentication (MFA) in Microsoft Entra ID

The use of Multi-Factor Authentication (MFA) is now a common standard. Let's take a look at the options Microsoft offers for corporate accounts in Microsoft Entra ID. We can use this authentication within Microsoft 365, but we can also connect third party applications or our internal applications. We'll list what authentication methods are available, and why some are more secure than others. We will describe how the different categories of MFA work.

Multi-Factor Authentication (MFA) authentication method registration and login

After a general description of Microsoft Entra Multi-Factor Authentication (MFA), let's take a more practical look at registering and managing authentication methods. We'll focus on the capabilities of Microsoft Authenticator, in this case the optimal method, Phone sign-in. Then we'll walk through the MFA sign-in process and the use of some authentication methods.

Exchange of SAML certificate for Entra ID Enterprise Application

We have a situation where, for some application (here shown for SSL VPN on Fortinet FortiGate), we are using Microsoft Entra ID user authentication via SAML 2.0. When we set up SAML Single sign-on in the Enterprise Application, a self-signed certificate with a validity of 3 years was generated. This is used for communication between the application and Entra ID. We will describe the procedure for renewing (replacing) the certificate when it expires.

Microsoft Teams Rooms and Logitech Rally Bar

A quick guide to the installation and configuration of the Logitech Rally Bar video conferencing solution and Tap IP touch control console using Microsoft Teams as the service provider. It also includes instructions for creating and setting up a Microsoft Teams Rooms and meeting room account in an Exchange Hybrid environment (and Hybrid identity). In this case, the Teams Rooms app is running on Android.

Veeam Backup & Replication - Entra ID backup part 1

Veeam Backup & Replication version 12.3 introduces a brand new feature, Veeam Backup for Microsoft Entra ID. It is an option to back up Microsoft Entra ID. Backup of many types of objects is supported, such as users, groups, applications, Conditional Access Policies, and logs. We can perform granular recovery of certain objects or their attributes. Everything works simply, as we are used to with Veeam. The only drawback is licensing. In the first part, we will look at the features, requirements, components, and licensing. We will describe the process of adding an Entra ID Tenant, including a mention of a possible problem if the PostgreSQL database is not set up or functional.

Veeam Backup & Replication - Entra ID backup part 2

Veeam Backup & Replication version 12.3 introduces a brand new feature, Veeam Backup for Microsoft Entra ID. It is the ability to back up Microsoft Entra ID. Backup of many types of objects is supported, such as users, groups, applications, Conditional Access Policies, and logs. We can perform granular recovery of certain objects or their attributes. In the second part, we will show you how to create both types of backup jobs (Entra ID Tenant and Entra ID log). We will mention enabling Conditional Access Policies backup, and we will take a very brief look at recovery.