User Profile
PhilRiceUoS
Brass Contributor
Joined 6 years ago
Recent Discussions
Different External Sharing Settings for different sets of users (allow for many, restrict for some)
I've seen some similar posts and done a lot of research but am as yet unable to ascertain if there is a way to do this, so I'm posting the question in case I'm missing something. We are a large org, with circa 40000 M365 users (basically staff and students) and currently have external sharing set to be only allowed by domain whitelist (SharePoint top level Allow list). Students have only recently been onboarded (same tenant but with subdomain) and we want to allow them to share unrestricted via OneDrive but maintain restrictions for staff (control via domain whitelist). My current understanding is that there seems to be no way to have a top level SharePoint setting of restrict by domain and then have anything lower than that less restrictive, i.e. OneDrive cannot be less restrictive. So the approach would have to be allow globally at the top level SP setting, which the students would inherit, and then individually apply more restrictive settings for the staff on a per user basis. I can see how the above would technically work but the reality is that it is unmanageable for 1000s of users when the settings seem to be applied using the PowerShell Set-SPOSite cmdlet on an individual user basis and I can't see that it is possible to control at a Security Group level or even with batch processing; additionally we will be adding / removing whitelist domains quite frequently so the settings would have to be applied on a daily basis. I've looked at Information Barriers for Teams for similar segregation reasons but not looked at IB for SharePoint & OneDrive in depth yet (will read some more today if I get a chance), but with a quick glance I can't see how those can be used for controlling external sharing anyway so I don't think it will be a solution. Any further suggestions or ideas are appreciated - open to any ideas, licencing not likely to be an issue given we have E5 level.
Utilizing scripted solutions, Azure Automation etc. are all perfectly acceptable if they can be applied within a reasonable timeframe each day. This seems to be a (another) big blind spot for use cases for large organizations - seems crazy to assume that when you are dealing with 10s of thousands of users that you wouldn't need more flexibility in an easier to administer way.

Restrict access to an App Registration / Enterprise App to be from just a single IP or server
As per the question title - I would like to be able to restrict access to an AAD App registration / Enterprise App so that just a single server or IP can authenticate and use the app. The App registration is currently set up to use a client secret for access which is called via Python. I have tried setting up a conditional access policy to restrict to a named location that contained the single IP address but discovered that CA IP restrictions only apply to user authentication and not to programmatic access using secrets. This is something that is being developed so we can be adaptable and reconfigure things if required, but I'm struggling to find a way to restrict things in this way to a single server. The server is currently on premises but we are migrating everything into Azure anyway, so if there is a solution that requires the server to be in Azure, such as creating and using an endpoint for example, that might work also. I was also trying to look into the possibility of using a certificate instead but wanted to see if an issued certificate could be configured to only work from a single IP or MAC address for added security. Hopefully someone will have some ideas that can help me with this. Thanks for any suggestions

Any Solution for initial setting of Account Password via magic link for new accounts?
Hi, We are looking at decommissioning use of our LDAP and IDM systems and part of the user account creation flow is reliant on these and some other systems. Essentially new accounts are triggered from an HR system, which writes into LDAP > IDM and then AD > AAD. Part of the process sends the user the account details to their registered email and a newly created random password for them to log on to their new account. As part of the redesign we are looking at SSPR in AAD with password sync back to AD, which seems easy enough to set up, but it is the initial account creation stage that I'm trying to find a solution for. Essentially we need to be able to trigger the account creation from the HR system as we currently do and create that directly in AD which syncs to AAD. This we can achieve but we ideally would like to be able to:
- set the password to a random secure password
- enforce change at next logon
- write the alternative email address into AD/AAD programmatically (Graph API to write into AAD profile?)
- somehow use SSPR to allow the user to set an initial password but without receiving the originally set one, preferably using a magic link they can click and be prompted to set the password and enable the account.
It is this last step I'm wondering if it is at all possible and if anyone has any pointers / advice as to how we might achieve this? Doesn't have to be exactly the way I outlined of course and I'm open to suggestions on ways to meet that end goal, even if it involves third party additions (I am also going to look into ManageEngine to see what that can offer). I've seen some info on using magic links for B2C but nothing for standard AD/AAD internal accounts. Thanks Phil

Custom Role definition not showing in Azure Portal
I've just created a custom role via PowerShell and confirmed that it worked in PS and can get the ID with Get-AzRoleDefinition | ? {$_.IsCustom -eq $true} | FT Name, IsCustom but it simply does not show up in the Azure Portal under Roles and Administrators. I've tried refreshing, searching with a filter for custom role type, searching by name, but after an hour it is still not there. I have Global Admin rights and I cannot think of why this would be unless there is currently some kind of syncing issue going on in the Azure Infrastructure. Anyone have any ideas as to why this might be? I've tried creating it twice also in case it was a glitch with the first one.

Re: Exchange Online - Tag for external email messages received
Does anyone know of any docs that give more technical details of how this works aside from how to enable it via PowerShell and the roadmap announcement? I've been asked to provide info on how it functions and how it would protect against spoofed emails. In my own tests I couldn't get a spoofed email through so I guess 365 provides good protection anyway, but I'm looking for actual details I can give rather than just saying "it works".

Can we restrict AAD user logins to be from specific devices for better privileged account security?
Hi, I am researching the idea of only allowing admin accounts to log in from specifically allowed machines - so that is the actual devices I want to specify and not named Locations / IPs using conditional access policies, but I haven't seen a way to do this within Conditional Access policies. Does anyone know a way this can be achieved? To expand on my thinking a bit, I have a general idea of having all admin access be only possible from Windows builds that have been secured, removing things like office apps / email, appcode & secure boot enabled and probably using a VM image or even Windows Virtual Machines (which might be the way forward if what I'm asking is not possible, as they could be created in a single Virtual network and use the IPs from that for conditional access, but I'd like something faster that can be implemented). All admins have separate daily user and admin accounts (with MFA etc) already but my thinking is if we can separate it out further so the admin accounts can only be used from highly secure devices it will reduce the risk further. The above question is part of that thinking and maybe a first step along this path. Thanks

Re: Teams Whiteboard
lmarta having experienced the exact same issue (people having access then it no longer being enabled for teachers, staff etc) I'm sure my answer will help you. Previously Whiteboard was enabled/disabled at a tenant level in M365 > Settings > Whiteboard only, but in Nov/Dec it was changed so that you can control it on a per user level via licensing. The announcement was very ambiguous and seemed to say that no action was needed if you had it enabled at tenant level, but in fact the change means you have to have it enabled at tenant level AND enable the Whiteboard license for the users also. So to fix your issue firstly double check it is enabled at tenant level (sounds like it probably is given it worked before) and then enable it at user level for all the users you want to have access. Hopefully you are using group based licensing so it can be done in seconds.

Re: Allow user to AAD Join & InTune Enroll company devices only, not personal owned Win Pro/Ent device
caseykraus after looking at CA for this I don't think it is possible to achieve. Conditional access policies I actually find quite limited TBH and hopefully they will increase the features they offer a lot more in the future.

Re: Allow user to AAD Join & InTune Enroll company devices only, not personal owned Win Pro/Ent device
JanBakkerOrphaned the planned restrictions will be:
- in AAD set staff user group to be allowed to AAD join devices
- in Intune set staff user group to be allowed to AutoEnroll in InTune (tested having this disabled but this stops Autopilot from working properly)
- Enrollment restriction policy - set to Allow Windows 10 but block personal devices and block all other platform types.
We are planning to only enroll devices by either AutoPilot for new builds or with staff enrolling themselves for other devices. So DEM accounts, provisioning packages etc won't apply in this case as we don't want to encounter the limitations they incur. In the above configuration a staff user won't be able to AAD join or InTune Enroll a Windows 10 HOME device, which will be the majority of BYOD devices. Windows Home cannot AAD join anyway so essentially all blocking personal devices does is stop AAD registered devices from InTune Enrolling. The problem I'm trying to resolve is the specific case of when a staff user (therefore allowed to AAD enroll) has their own device that has a Windows Pro/Enterprise level OS, which results in them being able to AAD and therefore InTune Enroll because an AAD joined device is seen as Corporate automatically. I think the issue / confusion lies in the way the label 'Personal' is used and the lack of ability to differentiate between a company owned device and a personally owned device by using registration of HWIDs, serial numbers etc. 'Personal' device simply means a device that is AAD registered and not AAD joined, which actually makes sense given AAD registered is mostly for BYOD. However, if you are trying to let users enroll company devices, as will be a common enough requirement in today's WFH scenarios, it doesn't seem straightforward to be able to stop them from enrolling personal Win Pro/Ent machines.

Allow user to AAD Join & InTune Enroll company devices only, not personal owned Win Pro/Ent device
I am trying to work out the best way of achieving the following restrictions:
- Allow Staff user accounts to be able to AAD Join and InTune AutoEnroll company owned devices
- Block Staff from AAD Joining and AutoEnrolling personal devices
The obvious configuration for this is to set the staff user accounts group in AAD to be allowed to AAD Join and in InTune allow them to Auto Enroll whilst setting an Enrollment Restriction Policy for blocking personal devices. That is all good in theory, but the reality of that is that if a staff user has a personal device that has Windows Pro, Enterprise or Education installed this configuration means they can still AAD Join and InTune AutoEnroll. Is there a way to make certain only company owned devices can be Joined/Enrolled? The fact that most personal users will have Windows Home mitigates some of the risk and we are planning to use AutoPilot registration as an additional way of controlling things so we can design the InTune app and policy assignment groups so that they are populated only by devices with the HWID registered, so if done correctly even if they do enroll a personal device it won't receive any apps or policies anyway. There is the setting to restrict users to only be able to enroll or AAD join 1 device that could be configured, but that doesn't stop them enrolling a personal device if they haven't enrolled a device already, plus it is a tenant wide setting so removes flexibility for users that we might want to allow to enroll and join multiple devices. I can't help but wonder if there is a simpler, more robust way of doing this? The ideal scenario for us is to simply be able to say - only devices with registered HWID can be enrolled. Am I missing something that enables this? Thanks

Re: Teams Rooms sign in issue with Skype for Business
BenRooke did you ever resolve this? I am having the same issue with a Crestron device with SfB on premise not logging in. We actually don't care about using SfB on it but there is an error right across the top of the Teams Room interface on the device about not being able to sign in, which is going to cause support calls, so we would like to either fix it or somehow force the Crestron device into a Teams only config. We will be decommissioning SfB next year anyway, like I'm sure many organisations are, so it seems like something that should be a config option on these devices.

Re: Can we restrict AAD user logins to be from specific devices for better privileged account security?
JanBakkerOrphaned useful links thanks - I've actually looked at PAWs before although I haven't read through that documentation page fully (will try to go through it in detail later). It doesn't quite seem, unless I've missed it so far, to achieve what I'm aiming for and that is to control on an actual device basis. So for example a policy that says if 'hardware ID -eq <id here>' allow log on, to literally restrict which actual devices can authenticate, thereby if an account is compromised in any way it is useless unless they also have an allowed device. In combination with MFA this seems pretty secure to me.

Re: Teams Live - Invite External Presenter with Gmail/Yahoo
bharat_tank sounds like it is possible/likely, if his 'official id' uses Teams normally, that when he clicks on the invite in his Gmail account it tries to open it in the session for his other 'official' account. This is what I was referring to as a common problem. Just because the invite is in Gmail and clicked on in Gmail does not mean that it tries to open Teams as that Gmail account - if there is a Teams session using another account on the device it will try to open it as that Teams session and therefore the invite will direct to attendee as that account is not invited as presenter.

Re: Teams Live - Invite External Presenter with Gmail/Yahoo
bharat_tank A couple of notes here about the issues you are having... Firstly the issue with externals joining as attendee instead of presenter can be for a couple of reasons. One is that they are not actually joining with the account that is invited (a surprisingly common issue). This can happen in situations when they have cached login sessions for other accounts and they click on the invite, which then in turn tries to join as presenter using the incorrect account. You can check to see if this is the case by looking at the attendee report and seeing if the email you invited is in there or not - if it's not and they are telling you they are getting sent in as attendee, that is what is happening. Secondly, an issue that is not fully documented so not 100% clear, is that it seems anyone acting as presenter needs to have an account that is somehow 'Microsoft enabled' (my own phrasing), by which I mean it needs to have been used in the MS ecosystem somehow for authentication. We usually recommend to people arranging externals to present to check that they have either an account that is joined to another 365 tenant or, if not, then get them to sign up for a free Teams account with the email and actually do a Teams meeting beforehand to check that they can use Teams. That tends to fix it, but I've also seen people report that just having the account be a 'Microsoft account' (which Gmail, Yahoo and non-MS accounts can be) also works. The other issue you are having about not seeing them in the participants list could be related to the above, or another glitch with Teams Live Events is that if an external presenter joins the meeting before any internal producers/presenters then the 'waiting in lobby' notification will never show and therefore you cannot let them in.
In short - an internal user must be joined to the event meeting first before any externals join, or they get left in 'nowhere land', being told someone will let them in but with no way to let them in. You can fix this by telling them to leave the meeting and rejoin, but unless you know about this it is not usually something they will try.

Re: Azure Automation connecting to Exchange with MFA enforced
MichaelMardahl I deployed this and the only thing I changed was the user account name (which is definitely in Azure Automation Credentials) and it just gets stuck on "Logging in to Exchange Online..." and never stops. The account has permissions and can log in using PowerShell. I'm finding every solution I have tried to use Exchange Online with Azure Automation does the same and gets stuck. Any ideas?

Enabling MFA for accounts of different licence levels
This shouldn't be such a difficult problem to answer but it is proving difficult for me to find a definitive answer. I have a tenant with a few thousand A5 level licenses so therefore can use conditional access MFA, and I have a further 20K or so A1 'with A5 student use benefit' licences and am trying to work out how MFA can be enabled for all of them. We currently use a third party MFA product for the A5 level users and nothing on the A1, and we are able to stop using the third party product to use MS MFA instead if required/better. From research I can see that 'security defaults' would enable a basic MFA with MS Authenticator for A1 licence users and I know conditional access requires a higher level (P1/P2) so the A5 licences are ok for that, but what I cannot find out is if it is possible to mix the two types of MFA and have the A1 (Student) users use security defaults MFA and the A5 (Staff / Faculty) users the conditional access MFA. I've found nothing that addresses a mixed requirement like this.

Re: Teams Live Events Present Multiple Presenters
OCA619 one workaround to this, but it can add a bit more complexity & moves a lot of the production function outside of Teams itself, is to use a virtual webcam program and have that as your webcam. For example manycam.com has the ability to attach several IP cams together; you can arrange them on screen in the format you like and have that as a single webcam feed into Teams Live Event. Fully agree though that this is a much needed feature in Teams and hopefully it is something that will come soon - get the feeling the Teams development team is quite overwhelmed with things currently though!