Office365, Exchange, Azure, AD: Why you should always check your Office365 Recycle Bin?

Every human mistake is they never check what is inside their recycle bin before proceeding.

The very first thing you should do when you want to create a user is to check your Office 365 recycle bin! Why? Because is best to avoid another problem for yourself unless you are the problem. To also avoid duplication occur in Office 365.

Imagine yourself hitting the brick wall by creating and deleting repetition of a particular user account, setting yourself in panic moment and continue getting errors such as,

  1. Unable to get the user account to sync up to Office 365
  2. Incorrect user principal name
  3. Worst -> Incorrect Immutable ID

So ALWAYS CHECK OFFICE 365 RECYCLE BIN BEFORE PROCEEDING TO CREATE!

Office 365 & Azure Powershell: Why not to use -SearchString pipe to Set function command?

Even though that you type the following command and it return you a single result, and you thought that it would work but it will not work.

Example:

  1. First you try to get the user, and you able to retrieve a result

Get-MsolUser – SearchString “abc”

#Result
Name                     UserPrincipalName
———                     ——————————-

abc                           abc@domain.com

2. After getting the user, you try to pipe it to a Set function. However, you receive an error like below; this error indicates an exception is trigger in Microsoft  backend and prevent such command to proceed.

Get-MsolUser -SearchString “abc” | Set-MsolUserPrincipalName -NewUserPrincipalName “aaa@domain.com”

#Result

Set-MsolUserPrincipalName : Unable to update parameter. Parameter name: IMMUTABLEID.
At line:1 char:44
+ … abc” | Set-MsolUserPrincipalName -NewUserPrincipalName “aaa…
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [Set-MsolUserPrincipalName], MicrosoftOnlineException
+ FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.PropertyNotSettableException,Microsoft.Online.Admi
nistration.Automation.SetUserPrincipalName

3. So the correct way to do it is to either

Get-MsolUser -UserPrincipalName “abc@domain.com” | Set-MsolUserPrincipalName -NewPrincipalName “aaa@domain.com”
OR

Set-MsolUserPrincipalName -UserPrincipalName “abc@domain.com” -NewUserPrincipalName “aaa@domain.com”

*Note: Please test it out before you implement

Azure AD Connect (AADC): How to resolve Stopped-extension-dll-exception?

Usually this error will not have any effect to Office 365 Dirsync, but it is indeed annoying to see error in our Azure AD Connect Sync Client Interface. Is best to resolve this error.

There are only 4 possible causes;

  1. AADC is OUTDATED ()
    • Check for AADC version
    • If it is outdated than update it, run the sync again
    • Reference: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-upgrade-previous-version
  2. AADC’s schema crashes
    • Run the AADC application and restart the schema
    • Reference: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-installation-wizard
  3. Azure AD account Sync password is not set to “Password Never Expired”
    • *Note: By default, when you setup AADC this is already turn on
    • If you had turn this feature off,you have to update the password and enable the feature back on.
    • Run Azure PowerShell Module command
      • Connect-MsolService
      • #Set new password
        Set-MsolUserPassword
        -UserPrincipalName “XXXXXXX” -NewPassword “pa$$word
      • Set-MsolUser -UserPrincipalName "XXXXXXXXX" -PasswordNeverExpires $true
      • Restart the AADC service
      • #After restart runs finish, type this command
        Start-ADSyncSyncCycle -PolicyType Initial
  4. Server itself is having problem
    • Restart the server
  5. Permission missing
    • If you enable single sign-on, remember its minimum requirement of the permission rights for service account is domain admin
  6. DNS routing issue
    • If you notice that you are having trouble resolving “login.windows.net” this is due to your DNS settings in your DNS server/AADC server network settings
    • Most likely is DNS server settings, is configure wrongly
    • Try to run nslookup to identify the return result
    • If there is a forwarder in place, remove it.

The above causes are also the steps-by-steps investigation, and to resolve this error it is best to follow the above category and resolving them.

*Note: This error may occurs after few hours and it is best to monitor for 24 hours or 48 hours.

AD & Office 365: Soft-matching Distribution List from AD to Office 365

Want to manage your cloud Distribution List with on-premise? You could do soft-matching to get Distribution list match and synchronized back  to Office 365.

Yes, to perform this you could either manually or powershell. Manually means that you will configure using the GUI of AD. For powershell is for a large amount of Distribution List.

The 3 major attributes needed to fulfill in AD for having a successful soft-matching are;

  1. displayName
  2. mail
  3. proxyAddresses

*Note: 3 of these attributes above must have the same value with the Distribution list in Office 365.

softmatch.PNG

Next, after finishing fulfilling the values of these 3 attributes, you can go ahead to your Azure AD server (AADC) and run the sync.

  1. Open Windows Powershell or open Microsoft Azure Powershell Module
  2. Type this command
    1. Start-ADSyncSyncCycle -PolicyType Delta

      • *Note: This only sync changes
    2. Check your Azure Sync Client Interface for sync progress
  3. Once sync progress is finish, go to your Office 365 portal
  4. At the admin center > Groups > Search for your Distribution list

References:

  1. https://gallery.technet.microsoft.com/Soft-Match-Cloud-b2652fee

Vectra: AI Threat Detection (Live Threat Detection)

Many industries are either in the prevent or in the forensic stage to resolve their threat. However, non are detecting active threats running in the enterprise. Thus, this will lead to huge implication to the enterprise.

vectra-logo-og

Vectra is an Artificial Intelligent (AI) Threat Detection and Response. How cool is that?

Vectra uses algorithm to detect threats, instead of using a Database of threats to identify threats in the network environment.

What does Vectra do ;

  1. Is that it always keeps tracks of packets following in and out of the premises
  2. Detects types of threat that is found on a packet
  3. Keep tracks of the packet threat stage
  4. Provide “From” and “To” details of the transmission of packets
  5. Alert the premises’s technical team about threat
  6. Allow premises’s technical team to determine what types of threat to detect on packets

2 types of flow of compromise of threats;

vectra1.png

  • Procedure steps threats
    • Go through number of stages to extract confidential data
  • Direct attack threats
    • Extract confidential data directly once compromise

These are the summarize definition of the image above (stages of threats);

Command & Control Botnet monetization Internal reconnaissance Lateral Movement Exfiltration
•C&C

•Cyber admin  coordinate an attack over time

•Commonly associated with click fraud, sending spam or generating DDoS traffic at a target

Consume valuable resources

Damage the external reputation of the network

•Target is not an organization’s more critical assets

•Vital part of a targeted attack

•Begins shortly after an initial infection

•Allow Cybercriminals orient an attack inside a network and identify targets for lateral movement

•Establish multiple points of persistence in a network while moving deeper toward key assets Extract compromised data from inside a network to a remote external attacker

•Multiple hops or staging phases to evade security controls

Is good to know that there is a technology that could help enterprise to avoid threats attack first before being compromised.

Vectra detects Active Attacks;

v1

Below is a graph of how most organization focus on which phases more to protect their environment from threats,

v2.png

References:

  1. https://vectra.ai/understanding-todays-cyber-security-challenges

Office 365: Synchronized/Migrated user showing wrong UPN in Office 365

Oh no! I forgot to change/set the user’s UPN correctly before migration! Even a simple job we could get it wrongly. Thus, this will lead you to panic. Well, if you are panic, just take a deep breath.

Usually, such problem we resolve it by breaking/disable the DirSync so that the user’s status change from “Sync from on prem” to “cloud”. So that if we could make the changes at the Office 365, without interrupting the on-prem. However, this kind of solution is troublesome because it takes hours for the DirSync to complete disable and waiting for the user’s status to change. When I mean by hours, depends of the amount of users you have at Office 365. The larger the amount the longer it takes for the time taken for the DirSync to complete disable and for the user’s status to change.

Here are the problems we faced:

  1. Forgot to set the email policy
  2. Forgot how to set email policy
  3. Set the wrong email policy
  4. Highly confident and doesn’t double check
  5. Doesn’t do enough research about preparation of migration

Lucky for me that I have found a way to solve this kind of clumsiness, please refer to the reference given below.

Note: This solution is only for clumsy situation. Don’t put it into your planing of migration, because this will make you feel like a total blockhead in front of your customers. Please do not take it in as a habit.

Reference:

  1. http://www.codenutz.com/office365-changing-the-main-login-name-for-upn-for-a-user-via-powershell/

[Old Version] Azure & Office 365: How to enable RMS?

Aloha (Hello)…I know there is the new feature from Microsoft, Azure Protection P2 where users can protect their attachments and etc. For short, double protection. This feature is actually another license (Azure License) is not include in the Enterprise licenses. Thus, you have to purchase it separately.

Anyway, this article is only for users/customer that doesn’t need double protection/smaller industry. I am more comfortable to activate RMS using the Azure classic portal;

Step by steps;

  1. Go to https://manage.windowsazure.com
  2. Key in your global admin credentials
  3. Click on Active Directory
    1. azureportalv1.png
  4. At the top bar, select Rights Management
    1. azureportalv2
  5. In the Rights Management page you can view whether your RMS is Active or Deactivate
  6. To activate it there is a button at the bottom bar of the page
  7. If you wish to manage it or create new policy, you can just go ahead and click on the RMS that you just activate it.
  8. Note: If you wish to manage or create new policy, please seek for advice from Microsoft Support for further understanding.
  9. Note:Please review the below Reference to fully activate RMS that is in need of using Powershell to complete.
  10. Note: Default RMS policies are unable to be deleted.

Reference:

  1. https://docs.microsoft.com/en-us/information-protection/deploy-use/activate-azure-classic
  2. https://blogs.technet.microsoft.com/canitpro/2015/05/19/step-by-step-setup-and-enablement-of-office-365-message-encryption/

Office 356: How to export list with licenses details and smtp details via PowerShell?

I know I am not the best coder but I always like to find the simplest coding way so it is easier for beginners to not feel frustrated.

I do find it confusing when you got an error in your exported csv file of the list.

System.Collections.Generic.List`1[System.String]

*Note: This is basically only for attributes which contain more characters/words or more than a word (means there are “:” or “;” as a divider), such as the value in accountskuid attribute is {contoso:enterprisepackage}.

For example;

  1. If you try to export a list of user from office 365, as a logical thinker you would probably type such code;

    Get-MsolUser -All | Select userprincipalname, proxyaddresses, licenses.accountskuid | Export-csv list.csv

However, this code will not get you what you want, instead it will give you the error.

The proper code should be:

Get-MsolUser -All | Select userprincipalname, {$_.proxyaddresses}, {$_.licenses.accountskuid} | export-csv list.csv

The “licenses.accountskuid” means a class named licenses in office 365 system, inside it has an attribute name, “accountskuid”. You have to do it this way to get/call/pull out the attribute you wish to be propagated in your csv file.

If you wish to test out my code whether it works, then it is best for you to replace “-All” with “-MaxResults”(Means display max result among the list of users).
Example;

#This will only display 1 user with license assigned

Get-MsolUser -MaxResults 1 | Select userprincipalname, {$_.proxyaddresses}, {$_.licenses.accountskuid} | where {$_.islicensed -eq $true} | export-csv list.csv

There are lots of ways to do so. You could use the fancy way that is using the “-expandproperty” or “-properties” and etc.
Coding is up to your comfortably and understandable.

References:

  1. https://mymicrosoftexchange.wordpress.com/2015/03/23/office-365-script-to-get-detailed-report-of-assigned-licenses/

Skype for Business: How to setup QoS at client side?

Well there are 2 ways you could perform this is by editing the client’s computer (local group policy) or push the settings using group policy management.

Anyway, both of these methods or steps are similar and simple to setup.

*Note: A wrong value can causes the QoS not running correct

Steps for local group policy;

  1. Make sure you are login as local administrator on your computer
  2. Go to > Start > Search > Group policy
  3. At the group policy > computer configuration > Windows settings > policy QoS settings
  4. Create new policy
  5. Just follow the below image to create total of 5 QoS policies

sfb2

6. During creating the policy, just change which is necessary. Leave the others as default.

7. Do a restart of the computer (I always do this)

Steps for  GPM;

  1. Open GPM
  2. Create a new GPO and name it
  3. Right click the GPO and click edit
  4. At the group policy > computer configuration > Windows settings > policy QoS settings
  5. Create new policy
  6. Just follow the below image to create total of 5 QoS policies

sfb2

7. Link this GPO to the OU you wish to have this GPO implemented

8. After that remember to do gpupdate /force on both the server and the client computer

For testing;
1. Install wireshark

2. Select the network you connected and Start the wireshark (Start Capture traffic)

3. Start your skype for business audio call or video call, or both within the same network. Do a peer-to-peer communication.

4. Talk to the audio or make some sound for a minute or 2.

5. End the skype for business call (audio or video)

6. Stop your wireshark

7. Save your traffic

8. You should be able to see your QoS is working

 

wireshark.png

References:

  1. https://three65.blog/2015/09/07/skype-for-business-configuring-quality-of-service-qos/
  2. https://gallery.technet.microsoft.com/office/Configure-QoS-for-Skype-cdea2e67
  3. https://gallery.technet.microsoft.com/lync/Configure-QoS-for-Skype-cdea2e67

Windows 10: How to setup Windows Hello?

This blog is based on my experience on how to setup windows hello. I really like to capture every single steps or actions are performed, because it is much easier for me (beginner) and end users to understand.

*Note

Please go through this blog first “https://sabrinaksy.wordpress.com/2017/08/27/ad-gpo-how-to-enable-windows-hello/

Precaution;

Before implementing, please do go through and understand the steps given below. Each steps are given clear elaboration on how to perform it. Skipping a step will causes you confusion.

Here are the steps by steps;

For administrator;

At end user’s computer

  1. Run Command prompt as Administrator at end user’s computer
  2. Type in the following commands;
Gpupdate /force
  1. Close Command prompt, once all policies has updated

OR, At the AD server

  • Open Group Policy Management
  • At the OU where the windows hello GPO is created for
  • Right click on the OU and click on the force gpupdate on all active computers

For end users;

After successfully updated the group policy on the end user side.

  1. Go to > Start
    hello1
  2. Click on the > Setting
    • Then it will direct you to the setting interface;
    • hello2
  1. Click on > Accounts
  2. At the left-side bar
    • Select > Sign-in Options
    • hello3
  3. Scroll down and find PIN
    • Select > Add
    • hello4
  4. After that it will prompt you to enter your computer login password
    • hello5
  5. After successfully authenticate your credential, then enter convenience PIN number
    • hello6.png
  6. After enter the PIN number, your PIN status will change into something like below image;
    • hello7.png
  7. Scroll back up and find ‘Face Recognition’
    • Select > Set up
    • hello8
  8. A ‘Welcome’ interface will appear;
    • Select > Get started
    • hello9
  9. Enter the PIN, that you had set for yourself earlier;
    • hello10.png
  10. After successfully authenticate your PIN number, a face recognition interface will appear;
    • Place your face in-front of the camera where it can detect your face
    • hello11.png
  11. After that a successful interface will appear;
    • Select > Close
    • hello12.png
  1. To give it a try out;
    • Sign out from your computer account and you will see a different interface like the image below;
    • hello13.png