Azure AD Connect: What to know about In-place Upgrade from version 1.0 to 2.0 ?

Hi everyone, hope you guys are having a blast weekend. Today I would like to bring to you Azure AD Connect.

In the past, the 1.0 in-place upgrade, I would have to kept a record of the “before” changes of settings, such as the organization units, and etc. This would likely need me to schedule a day to capture the settings.

Anyway, not all of the 1.0 version can support the in-place upgrade to 2.0 version, if you have an older Azure AD Connect, that do not support in-place upgrade you would need to plan a migration or transition, to the 2.0 version. It may sounds simple, but there are few things you would need to take note of, that is avoiding duplicated records sync to Office 365, and duplicated service accounts, else you will likely get more stuff to clean up in the end. Is good to plan your transition and your clean-up first.

*Note: 31st August 2022, 1.0 version will be end of life

For those who are on the supported version of 1.0, that can perform in-place upgrade to 2.0 version, here are some tips or hint you can take note of before performing the upgrade,

  1. Full backup on the server
  2. Make sure you know what are the impacts
  3. Make sure the existing service account has the required permissions based on the 2.0 prerequisites
  4. During the upgrade, the wizard will request you to re-enter the global administrator account from Office 365
  5. You do not need to keep a record of the existing organizational unit because it will automatically bring forward the settings to your 2.0, same goes with your SSO, password hash settings, or device join settings
  6. Yes, version 2.0 does support single-label domain

If you would like to know more about the prerequisites of version 2.0, feel free to refer the references below,

References:

  1. https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-upgrade-previous-version
  2. https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-version-history

Exchange Online Protection: Configuration Analyzer (Your Mail Security Advisor)

Hi guys and ladies, today I’m going to write about the hidden guru in your Exchange Online Protection, a.k.a Office 365 Mail Security or Microsoft Defender for Office 365.

Why improving your mail security configuration is important? Well, malicious attacks gets improve from time to time, so does security too. In the past, scammers used to send fake letters to houses claiming to be from the bank or police officer, to lure you into turning yourself in with money. Now 2022, scammers are sending blast mails to any IP address or available legit domain in the world, claiming to be an authorized organization and to seek their victims.

There are times you would like to compare what your vendors recommendation and the global recommendation of mail security configuration, now you have it in your Microsoft Exchange Online portal. Basically configuration analyzer scans your existing policies and provide either Standard or strict recommendation to improve your mail policies.

*Note:

Do not make changes to default policies by Microsoft. Recommended to create new ones.

How to get that?

  1. First you login to your https://security.microsoft.com portal
  2. At the left taskbar, you can see the “Email and collaboration” category
  3. Select the “Policies & rules”
  4. Select “Threat policy”
  5. Select “Configuration Analyzer”

As you can see they do scan your default policies by you can ignore them. The most important thing inside this table, is the structured and convenient information that provide you understanding on how you can improve your existing policies.

You may refer to the references below to know whether is your license has this feature available.

References

  1. https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/configuration-analyzer-for-security-policies?view=o365-worldwide

Microsoft Information Protection: Planning Your Sensitive Labels

Hey guys and girls, hope you guys are having a great weekend! Remember to stay healthy and stay safe as your priority.

Today’s blog is more towards talking about the Microsoft information protection labels, how to plan before deploying it. Each organization has their own preferences and requirements. Planning is a crucial part of every deployment especially when the deployment would have to roll-out to the users to use it for their daily work. Layman is the key to the users understanding.

Some organization have a compliance team and some does not have it. Having a compliance team would able to make this deployment much more clearer in terms of what the organization needs. If the organization does not have a compliance team, then we would help to identity together in terms what do they require only. Labels are structure in the form of priorities, so best to make it simple, and easier for administrator to manage too.

Phase 1: Give them the feel and look

Microsoft do provide default labels to organization, you can roll-out these default labels to smaller team or compliance team, allowing them to play around with it for a period of time. This allows them to have an idea how sensitive labels works and coming out a template would be easier for them. Having a template is the quickest way and easier way to roll-out the labels.

Default labels

Phase 2: Feedback and Drafting Template

Getting feedback and drafting template phase, is a closer phase to rolling out the labels that suits the organization needs. In this phase, there are few items that you would need to involve into and would take a bit of time,

  • Categories the labels based on location (Exchange online, SPO, OneDrive and etc)
    • There is difference in terms of protection features for each location
  • What can or can’t do in the labels
  • Users description about the labels (keep it as layman as you can)
  • Priority of the labels
  • Design structure of the labels/sub-labels (Simple is better)
  • Permissions (Flexible or Set)
  • Action for the priority labels (Flexible, Warning or Strict-Justification)
  • Customization notifications (Majority would decide to maintain the default, so you don’t need to spend too much time on this part)

Here are some design types that you can reference,

Design type 1

This design is for organization that would like to remain some default labels, and has new labels for other departments and its purposes. No sub-labels to be manage.

Design type 2

This design is for organization that would wish to keep some default labels but does not want to have other new labels to manage. Has sub-labels to manage.

Design type 3

This design is for organization that would like to manage their labels in the form of departments and with each department has their own labels. I wouldn’t recommend this though, because is complicated. As I mention earlier, labels are arrange in the form of priority.

Phase 3: Final Template

This is the phase where you can start to roll-out the final template of the labels back to the small team or compliance team to give it one last confirmation.

References:

  1. https://docs.microsoft.com/en-us/azure/information-protection/what-is-information-protection
  2. https://docs.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels?view=o365-worldwide

MDM: Preventing Meeting Room devices registered to Intune by user account

Hey guys and girls, happy new year and hope you guys are healthy and safe!
I’ve come across of issues of users kept login their own corporate user accounts into a meeting room device through Microsoft Teams. Thus, this will also registered the meeting room device under the user’s account.

Kept manually deleting the devices objects from the user account is not flexible to administrators. Clean up is really not something that as administrators has to do every time a user uses that meeting room device. Our meeting room devices are not hybrid join. So this solution does not really impact the Windows license but this does not mean it would not cause issue for your environment. Recommended that you test it out at your lab environment. Our meeting room devices are custom made/design.

I was able to came across an article that really helps my situation. This solution require to modify the device’s registry editor.

Note:

Please run a lab test.

  1. Launch the registry editor on the affected machine
  2. Direct to this location HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin
  3. Create a new DWORD item and name it BlockAADWorkplaceJoin with the value of 1
  4. Reboot the machine
  5. You may run a command line “dsregcmd /status” to check the MDM status
    • WorkplaceJoined: No
    • SSO state: No

If you have multiple devices that you would need to apply this settings you could export and save this registry settings or use PowerShell method. You may refer the PowerShell method via the references below.

References:

  1. https://msendpointmgr.com/2021/03/11/are-you-tired-of-allow-my-organization-to-manage-my-device/
  2. https://support.microsoft.com/en-us/topic/how-to-back-up-and-restore-the-registry-in-windows-855140ad-e318-2a13-2829-d428a2ab0692