Multi-Factor Authentication – What do we know so far?

To provide additional layer of security MFA has been recently enforced in many organisation, especially after Microsoft started to offer the administrator to enable by just a flick of a button.

I’ve written an article about a scenario to troubleshoot an issue, i thought it would be nice to know the options available, and troubleshooting issues.  Hence this article.

So, first off, Microsoft offer 3 ways

  1. Office 365 MFA
  2. On-prem Azure MFA
  3. The Network Policy Server (NPS) extension for Azure MFA

In above 3 options, an appropriate license is required to make it work.  Usually, Azure AD premium license or MFA standalone license is sufficient. There are other types of license which also gives MFA feature.

Before we go in troubleshooting issues with each type, we need to understand what type of MFA needed for the organisation.

  1. Office 365 MFA  – This is generally available for all the office 365 users.  MFA can be used with any office 365 services and application which can integrate with Office 365.
  2. On-prem Azure MFA – A on-prem server is required.  This options give more control to the user.  On-prem application can be integrated with Azure MFA server.
  3. The Network Policy Server (NPS) extension for Azure MFA – This options is only for NPS.  This option is a stripped down version of on-prem Azure MFA.  If you have a NPS VPN infrastructure then this is option can be used.

Now that we know the different types, let me go in detail on each options and how you can check the logs to troubleshoot issues in upcoming article.

Good news for Office 365 Hybrid Customer – Delegate Access is now possible for cross-premises Mailboxes

Hybrid customer always complaint about the fact that Office 365 users not being able to delegate access to On-prem (Or) On-prem users not being able delegate to Office 365.

The good news is that Microsoft started allowing this feature from April 2018.

To enable cross premises delegation you first need to configure:

  • For on-prem user to become a delegate of an Cloud user

Set-OrgnizationConfig -ACLableSyncedObjectEnable $True

  • For cloud user to become a delegate of an on-prem user

msExchRecipientDisplayType attribute for the remote mailbox in on-prem AD to be set to -1073741818

       Get-ADUser vijay.ragavan@ultima.com -Properties msExchRecipientDisplayType |         where {$_.msExchRecipientDisplayType -eq -2147483642} | Set-ADUser -Replace            @{msExchRecipientDisplayType = -1073741818}

Now you can ask the user to use their outlook to allow the delegation.  Send-AS and on-behalf also works as per the below article

Refer:

https://support.microsoft.com/en-us/help/3064053/overview-of-delegation-in-an-office-365-hybrid-environment

 

Hope this is useful.

VJ

AzuMFA Extension for NPS – Stopped working

So, Azure MFA Extension for NPS was setup RDS and it was working till last week.

Issue:

Allow of sudden the MFA notification stopped.  User no longer get notification on their mobile, text or a call when they try to sign into any server through RDS (Outside the network)

Diagnosis :

  • When we tried the office 365 portal, it worked just fine.  Users got their notification on to their device and allowed to access the portal.
  • In the logs, we see lot of
    • Source:        Microsoft-AzureMfa-AuthZ
    • Event ID:      4
    • Description:
    • NPS Extension for Azure MFA: Radius request is missing NAS Identifier and Nas IpAddress attribute.Populating atleast one of these fields is recommended
  • Authentication with Azure MFA
    • Source:        Microsoft-AzureMfa-AuthZ
    • Event ID:      2
    • Computer:      PCC-EUN-DC-02.tpcc.prostate-cancer.org.uk
    • Description:
    • NPS Extension for Azure MFA: Unknown exception

So, at this point I don’t know what was wrong, as it was working without any issues.  No changes made recently

After having to go through the following article

https://docs.microsoft.com/en-us/azure/multi-factor-authentication/nps-extension-vpn

https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-nps-extension

The line which struck me is the following.

The NPS Extension for Azure MFA is available to customers with licenses for Azure Multi-Factor Authentication (included with Azure AD Premium, EMS, or an MFA stand-alone license). Consumption-based licenses for Azure MFA such as per user or per authentication licenses are not compatible with the NPS extension.

For testing, i assigned a MFA Standalone license for a user – It worked.

But still i was confused why it was working all this while? After speaking to MS, the preview version was active and MS their functionality for 30 more days so the client can choose a plan. (Client claimed that they never received any communication)

Hope this helps.

VJ

 

KB4011273 – CAUSES OUTLOOK ADD-IN ISSUES

Recently Microsoft released office security that created lot of issues for the clients who heavily uses outlook add-ins for business purposes.

Some of them are Enterprise vault, Sales force and so on.

Thought there is a fix released by MS on February release, upon testing the result didn’t change.

So, if you decide to uninstall that patch you can either use your patch management software like SCCM or WSUS. But if you want a quick if you don’t have a patch management software, the follow the instructions,

  1. Create a .bat file with the following and save in sysvol folder on a DC@echo offmsiexec.exe /package {90140000-001A-0409-0000-0000000FF1CE} /uninstall {6DE885AE-8E0F-4FEA-8AA2-77D455F8A6AA} /qn /quiet /norestart

    exit

  2. Create a GPO that applies to all the workstations (if that is what you intended to do)
  3. Edit the policy and Navigate to “Policies->Windows settings->Scripts->Go to properties of Startup, Add the script to the list

User needs to reboot the machine to make sure it removes the patch successfully.

Note: I’ve seen cases that this patch got installed directly but not through SCCM or WSUS.  Though there is a GPO to restrict the update.  If you have an idea how this patch could have installed, comment.

Microsoft Intune – Things to remember before you use new Azure integrated Intune

As you may already know that Microsoft decided and moved from Classic Intune to Azure integrated Intune.  There are few things that needs to considered before you decide to use Azure integrated Intune for patch management.

  • The app groups that are created in Classic intune are being migrated to Azure integrated Intune.  These groups cannot be used in Classic intune anymore.  If you would like to patch the workstations with the existing group or create a new groups, it wont work – Microsoft acknowledged this as bug and awaiting resolution (This has been resolved now)
  • If there is a policy that exists in the Classic portal and you are using Azure integrated intune, and has a software update ring, then there might be a policy conflict.  Make sure the Classic Intune are removed.
  • Classic Intune can only manage the devices using Intune management agent.  Azure integrated Intune can manage the devices only if the device is enrolled as Mobile Device.  If the agent is present in the workstations, it cant be enrolled as mobile device.  So first thing you should do is to remove the Agent.
  • If the Agent is present in the workstation it cant be enrolled to new Azure integrated Intune.  You have to uninstall the agent, you can use https://gallery.technet.microsoft.com/Uninstall-the-Intune-b42111d1.  This will create a Schedule Tasks.  It may take about 5 to 10 mins.  It uses ProvisioningUtil.exe located under C:\Program Files\Microsoft\OnlineManagement\Common.  If you have custom installation path or if the exe doesn’t exist, then you might need to install the Agent again and run this script again.
  • If you are planning to migrate to Azure integrated Intune from Classic Intune, make sure the device is not listed in the Classic portal.  If the device is visible, then before enrolling, make sure the workstation entry is removed from the Classic portal.  Sometimes you may see entries in both the portal, In that case, you have to remove the device from both the portal, and re-enroll.
  • Finally, version upgrade of windows 10 is not straight forward.

Hope this helps

VJ

Spectre – Vulnerabilities

Recently Google Project Zero team has identified a vulnerabilities on CPU that is affecting all AMD, Intel and ARM Processors.

The variants of the issue identified so far,

Variant 1: bounds check bypass (CVE-2017-5753)
Variant 2: branch target injection (CVE-2017-5715)
Variant 3: rogue data cache load (CVE-2017-5754)

The entire Azure / Office 365 platform from Microsoft is being patched and rebooted as a matter of priority to resolve this problem.  You might have already got notification to do a redeploy at your convenience or MS would have forced it last week.

To take care of the on-prem infrastructure, MS has released patches

https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution

No patches will be available for Windows XP, Vista, 2000, 2003 etc.

These patches only mitigate the exposure of vulnerability but not resolve.  You MUST update your infrastructure as soon as possible and also check for any manufacture update like BIOS or driver updates

*Google Chrome, IE, Firefox also got some updates last week to handle this vulnerabilities.

Hope this information was useful.

VJ

Blocking Third Party application to access Office 365

When you have your users on office 365, they tend to use integrate their account with third party cloud applications.

The advantage and dis-advantage of using office 365 is that it integrates seamlessly with the third-part cloud application.

One such application that i came across is that CloudHQ.  It is very good product.  When you work with different client, and their respective application, CloudHQ, helps get those information to one place.

For example, If a user has a office 365 mailbox and a gmail account.  He can extract all the emails from office 365 and transfer it to gmail account.

All you have to do is just authenticate authroize CloudHQ to use your office 365 account.

CloudHQ can do lot more than what i just described.

To some organization, they don’t want their user to take the corporate data to external application which is not allowed.

How a user can sign-up to these applications (I user CloudHQ as an example)

Go to the website

Title

Sign-up using the office 365 account

signup

Logon screen to office 365

loginscreen

Authorize CloudHQ to your office365 account,

authorize

As soon as it is done, admin can see this application under Enterprise application list

enterpriseappl

Right now, this user has authorized CloudHq to access the office365.  From CloudHQ, you can authorize your personal email account, such as gmail, as the destination to copy the emails.

To avoid this,

You might wonder if disable active sync or other features may allow you to control access of the users – NOPE.

Even if you disable EWS, user will be able to authorize the application to access their office 365 account.

The only way to control this is by setting the restriction in Azure portal.  You can block all the application except few MS application or which ever way works for you.

conditionalAccess

Hope this was useful.

VJ