Office 365 & AD & Exchange Hybrid: How to create remote mailbox in Exchange Hybrid for existing user, in Active Directory and Office 365?

When you have existing user active directory record and you’ve accidentally had provision the mailbox at Office 365. Thus, result you unable to add the user into any distribution group and etc. because it doesn’t have record in Exchange Hybrid. Besides, user’s primary email address wasn’t correct, such as “xxxx@domain.onmicrosoft.com” instead of “xxxx@domain.com”.

Here are the steps to resolve your problems;

Implication: None (for me)

*Note: You have to be familiar with PowerShell. Best to try it on a test user account first.

  1. Go to Exchange Hybrid server
  2. Open Exchange Powershell Management
  3. Type the following commands;

    Enable-remotemailbox “userDisplayName” -RemoteRoutingAddress “xxxx@domain.mail.onmicrosoft.com”

  4. Go to Azure AD Server
  5. Open Windows Powershell

    Start-ADSyncSyncCycle -PolicyType Delta

  6. You will than review that particular user’s the mailbox in Office 365, has more email addresses shown in the email address category itself. And also the Primary email address has change to the right one.

 

*Note: This may take half an hour for the overall settings to be propagated at the user side. Because at the user side they will still view their primary smtp as the incorrect one, even though the modification has done.

Active Directory: How to export Active Directory User with all attributes?

I know that the below command will not be as effective but it does the job.

Step-by-Steps

  1. Go to Active Directory/Domain Controller
  2. Open Powershell as administrator
  3. Type the following command below;

Get-ADUser -Properties * -Filter * | Export-csv “ADUserattributes.csv”

OR

Get-ADUser -Filter * -Properties * | Export-csv “ADUserattributes.csv”

 

The above command will export the list of AD Users with attributes and values in a csv file format, and all you need to do is to copy out the attributes and paste it in a new excel file, format it from column view to row view(optional).

*Note: You could modify the command as you wish

 

Office 365 & Exchange Online: Why have to be careful with Mail Flow Rules?

Many thought that even they are from programmer background or any Technical background could achieve to implement 101% accurately correct mail flow rules, based on a programmer mindset. However, by having such thoughts will bring risks to yourself and the company itself.

*Note: If you’re not familiar of the product, then please try not to play around with it in production environment. Always, start off with research and lab testing.

Mail flow rules brings huge impact to your organization’s mail flow with slight incorrect configuration of a rule. Example, mails send to only Department B, aren’t suppose for Department A to be view but then Department A somehow able to view mails that is for Department B. However, this causes data leak within organization.

 

Is best to spend time to understand the product than rather getting yourself in trouble.

 

Reference

  1. https://technet.microsoft.com/en-us/library/jj919235(v=exchg.150).aspx

 

Office 365 Custom DLP: How to create custom Sensitive Information?

Yes this is interesting topic for me because it involve programming! I will make this topic as simple as learning alphabet, because I will be showing you the importance on how to create your very own DLP sensitive information. DLP templates are come in the form of xml file format.

*Note: You may need to spend some time in this. Practice makes perfect result.

Importance that you must include into your xml are:

  1. Rule
  2. Entity
  3. Pattern
  4. Identity Match/Id Match/Format/RegularExpression

#This is the flow chart

Rule -> Entity -> Pattern -> Identity Match/Format/Regular Expression

Ok, now you know what are the importance, next will be things you need to take note on the “importance” that can have multiple section. That is “Pattern” & “Identity Match”. You can only have 1 rule consist with 1 Entity, where that Entity can have multiple unique pattern types and each pattern can have its own unique ID Match.


Below is a sample of my code on how it looks like in xml;

*Note: You have to change the GUID of the highlighted red parts, as you can see there are 4 GUIDs, but only 2 GUID are the same. To get new GUID, you simple have to open your PowerShell and type the command “[guid]::newguid()”.

<?xml version="1.0" encoding="UTF-8"?>
<RulePackage xmlns="http://schemas.microsoft.com/office/2011/mce">
<!-- Need to change guid, rule package guid, [guid]::newguid()-->
<RulePack id="872155dc-1234-4e3e-a10d-x"> 
<Version build="0" major="1" minor="0" revision="0"/> 
<!-- Need to change guid, publisher guid --> 
<Publisher id="6907d14a-1234-4023-87cd-x"/> 
<Details defaultLangCode="en-us"> <LocalizedDetails langcode="en-us"> <PublisherName>Company Group</PublisherName> 
<Name>ID Custom Rule Pack</Name>
<Description> This rule package contains the custom ID entity. </Description> </LocalizedDetails> 
</Details>
</RulePack>

<!--This orange part, is your rule type-->
<Rules>
<!-- ID --> 
<!--This blue part, is your entity-->
<!-- need to change guid, entity guid--> 
<Entity id="b660289d-189e-1234-9e0a-x" patternsProximity="300" recommendedConfidence="70">
<!--This green part, is your pattern type-->
<Pattern confidenceLevel="80"> 
<!--This purple part, is your Identity match name-->
<IdMatch idRef="Regex_id1"/> 
</Pattern>
<Pattern confidenceLevel="80">
<IdMatch idRef="Regex_id2"/> 
</Pattern> 
</Entity>

<!--This pink part is your Regular Expression-->
<!--Format: AB-C-DE-FGH--> 
<Regex id="Regex_id1">(\d{2})[-](\d{1})[-](\d{2})[-](\d{3})</Regex> 
<!--Format: ABCDEFGMANNN -->
<Regex id="Regex_id2">(\d{7})[mM][a-zA-Z](\d{3})</Regex> 

<LocalizedStrings> 
<!-- Resource guid same as rule guid --> 
<Resource idRef="b660289d-189e-1234-9e0a-x">
<Name default="true" langcode="en-us">ID</Name>
<Description default="true" langcode="en-us"> A custom classification for detecting IDs. </Description> 
</Resource> 
</LocalizedStrings>

</Rules>

</RulePackage>

The above xml consist of 2 patterns both are set with accuracy of 80%, means if DLP scanned your mail/sharepoint/onedrive consist what is inside the pattern and has 80% match percentage will trigger the rule. Inside each pattern consist unique identity which name “Regex_id1”  and “Regex_id2”. After that, is comes to setting the format for each unique identities. As you can see above, the format i had state in the comment.

*Note: The code above doesn’t limit your needs, you could play around with what you wish to include, such as keywords, false positive, or etc.. You could learn more about twerking around the codes by reading below references. You can also use any online tester site to test out regex of your code .


References:

  1. https://support.office.com/en-us/article/Create-a-custom-sensitive-information-type-82c382a5-b6db-44fd-995d-b333b3c7fc30
  2. https://docs.microsoft.com/en-us/dotnet/standard/base-types/regular-expression-language-quick-reference
  3. https://justaucguy.wordpress.com/2014/11/21/adventures-in-custom-dlp-rules-part-one/

Office 365: Email address with random numbers attached UPN (user123@contoso.onmicrosoft.com)

Why do some of my users have random numbers attach with their UPN? Well the only answer to this question is, duplication occur because you haven’t force delete the old account from Office 365 recycle bin. And by default there is a setting in Azure AD to detect duplication is set to false, so this is another reason that even there are duplication in AD created and a sync has been trigger the duplication will also be sync to the Office 365.

To prevent any duplication in future to be sync to the Office 365, is to set the duplication checking in Azure AD to true. So that any duplication is scan will be rejected to be sync to the Office 365. To resolve the duplication currently having is to delete the account and resync it to Office 365.

*Note: These random numbers in your smtp has no implication or effects to your mailbox/account, but it is only not nice to see it that way. It is up to your choice to do it or not.

*Azure Module Power Shell needed

  1. Open Azure power shell
  2. Type the following command to get the sync feature

Connect-MsolService

Get-MsolDirSyncFeatures

dirsyncfeature

3. Next, enable both of the feature to true

Set-MsolDirSyncFeatures -Feature DuplicateUPNResiliency -Enabled $true

Set-MsolDirSyncFeatures – Feature DuplicateProxyAddressResiliency -Enabled $true


*Note:

Situation 1: If the mailbox is still new, you will only need to delete the account and force delete from the recycle bin, then do a resync 

Situation 2: If user have the mailbox for very long, you have to break the dirsync wait for the account’s status change from “Sync from on premise” to “on cloud“, then from Office 365 you can edit its smtp address but make sure you have your recycle bin clear from the old account. (Yes this is much troublesome than Situation 1)


Step by step for situation 1

  1. Locate the account from Office 356
  2. Unassign the mailbox license
  3. At Active Directory, move the account to a unsync organization unit
  4. At Azure AD Connect, run a manual sync command

Start-ADSyncSyncCycle -PolicyType Delta

5. Make sure the account at Office 365 has gone to the “Deleted User” Category

6. Once the account has been appear in “Deleted User” Office 365, you have to run a command to force deleted from the recycle bin.

7. Open Azure Module PowerShell

8. Type the following command, enter the UPN that you wish to remove from recycle bin

Connect-MsolService

Get-MsolUser -ReturnDeletedUser

Get-MsolUser -ReturnDeletedUser | Remove-MsolUser -UserPrincipalName xxxx@domain.com -RemoveFromRecycleBin -Force

9. After finish remove the account from recycle bin, move back the account from unsync Organization Unit to Sync Organization Unit

10. At Azure AD Connect, run the manual sync command

11. At Office 365, locate the account and assign license

12. You can notice there is no more random numbers found


Step by Step for Situation 2

*Make sure recycle bin is clear from duplication accounts

  1. Open Azure Module PowerShell
  2. Type the following command, enter the UPN that you wish to remove from recycle bin

    Connect-MsolService

    Get-MsolUser -ReturnDeletedUser

    Get-MsolUser -ReturnDeletedUser | Remove-MsolUser -UserPrincipalName xxxx@domain.com -RemoveFromRecycleBin -Force

  3. Open Azure Module Powershell
  4. Type the following command

Connect-MsolService

Set-MsolDirSyncEnabled -EnableDirSync $false

3. You probably have to wait for 24hr to 48hrs for the dirsync to complete progress

4. At Office 365 > Exchange Online > Recipients > Mailbox

5. Search for the account > Double click on it

6. Go to Email Option > select the smtp address to edit

7. Remove the random numbers from the smtp address

8. Save your changes

*Make sure you put this to lab test before trying it out in actual environment, just to get clear understanding what are you doing

 

References:

  1. https://support.office.com/en-us/article/Turn-off-directory-synchronization-for-Office-365-ee5f861e-bd48-4267-83d1-a4ead4b4a00d

Office365, Exchange, Azure, AD: Why you should always check your Office365 Recycle Bin?

Every human mistake is they never check what is inside their recycle bin before proceeding.

The very first thing you should do when you want to create a user is to check your Office 365 recycle bin! Why? Because is best to avoid another problem for yourself unless you are the problem. To also avoid duplication occur in Office 365.

Imagine yourself hitting the brick wall by creating and deleting repetition of a particular user account, setting yourself in panic moment and continue getting errors such as,

  1. Unable to get the user account to sync up to Office 365
  2. Incorrect user principal name
  3. Worst -> Incorrect Immutable ID

So ALWAYS CHECK OFFICE 365 RECYCLE BIN BEFORE PROCEEDING TO CREATE!

Office 365 & Azure Powershell: Why not to use -SearchString pipe to Set function command?

Even though that you type the following command and it return you a single result, and you thought that it would work but it will not work.

Example:

  1. First you try to get the user, and you able to retrieve a result

Get-MsolUser – SearchString “abc”

#Result
Name                     UserPrincipalName
———                     ——————————-

abc                           abc@domain.com

2. After getting the user, you try to pipe it to a Set function. However, you receive an error like below; this error indicates an exception is trigger in Microsoft  backend and prevent such command to proceed.

Get-MsolUser -SearchString “abc” | Set-MsolUserPrincipalName -NewUserPrincipalName “aaa@domain.com”

#Result

Set-MsolUserPrincipalName : Unable to update parameter. Parameter name: IMMUTABLEID.
At line:1 char:44
+ … abc” | Set-MsolUserPrincipalName -NewUserPrincipalName “aaa…
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [Set-MsolUserPrincipalName], MicrosoftOnlineException
+ FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.PropertyNotSettableException,Microsoft.Online.Admi
nistration.Automation.SetUserPrincipalName

3. So the correct way to do it is to either

Get-MsolUser -UserPrincipalName “abc@domain.com” | Set-MsolUserPrincipalName -NewPrincipalName “aaa@domain.com”
OR

Set-MsolUserPrincipalName -UserPrincipalName “abc@domain.com” -NewUserPrincipalName “aaa@domain.com”

*Note: Please test it out before you implement

Azure AD Connect (AADC): How to resolve Stopped-extension-dll-exception?

Usually this error will not have any effect to Office 365 Dirsync, but it is indeed annoying to see error in our Azure AD Connect Sync Client Interface. Is best to resolve this error.

There are only 4 possible causes;

  1. AADC is OUTDATED ()
    • Check for AADC version
    • If it is outdated than update it, run the sync again
    • Reference: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-upgrade-previous-version
  2. AADC’s schema crashes
    • Run the AADC application and restart the schema
    • Reference: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-installation-wizard
  3. Azure AD account Sync password is not set to “Password Never Expired”
    • *Note: By default, when you setup AADC this is already turn on
    • If you had turn this feature off,you have to update the password and enable the feature back on.
    • Run Azure PowerShell Module command
      • Connect-MsolService
      • #Set new password
        Set-MsolUserPassword
        -UserPrincipalName “XXXXXXX” -NewPassword “pa$$word
      • Set-MsolUser -UserPrincipalName "XXXXXXXXX" -PasswordNeverExpires $true
      • Restart the AADC service
      • #After restart runs finish, type this command
        Start-ADSyncSyncCycle -PolicyType Initial
  4. Server itself is having problem
    • Restart the server
  5. Permission missing
    • If you enable single sign-on, remember its minimum requirement of the permission rights for service account is domain admin
  6. DNS routing issue
    • If you notice that you are having trouble resolving “login.windows.net” this is due to your DNS settings in your DNS server/AADC server network settings
    • Most likely is DNS server settings, is configure wrongly
    • Try to run nslookup to identify the return result
    • If there is a forwarder in place, remove it.

The above causes are also the steps-by-steps investigation, and to resolve this error it is best to follow the above category and resolving them.

*Note: This error may occurs after few hours and it is best to monitor for 24 hours or 48 hours.

AD & Office 365: Soft-matching Distribution List from AD to Office 365

Want to manage your cloud Distribution List with on-premise? You could do soft-matching to get Distribution list match and synchronized back  to Office 365.

Yes, to perform this you could either manually or powershell. Manually means that you will configure using the GUI of AD. For powershell is for a large amount of Distribution List.

The 3 major attributes needed to fulfill in AD for having a successful soft-matching are;

  1. displayName
  2. mail
  3. proxyAddresses

*Note: 3 of these attributes above must have the same value with the Distribution list in Office 365.

softmatch.PNG

Next, after finishing fulfilling the values of these 3 attributes, you can go ahead to your Azure AD server (AADC) and run the sync.

  1. Open Windows Powershell or open Microsoft Azure Powershell Module
  2. Type this command
    1. Start-ADSyncSyncCycle -PolicyType Delta

      • *Note: This only sync changes
    2. Check your Azure Sync Client Interface for sync progress
  3. Once sync progress is finish, go to your Office 365 portal
  4. At the admin center > Groups > Search for your Distribution list

References:

  1. https://gallery.technet.microsoft.com/Soft-Match-Cloud-b2652fee

Vectra: AI Threat Detection (Live Threat Detection)

Many industries are either in the prevent or in the forensic stage to resolve their threat. However, non are detecting active threats running in the enterprise. Thus, this will lead to huge implication to the enterprise.

vectra-logo-og

Vectra is an Artificial Intelligent (AI) Threat Detection and Response. How cool is that?

Vectra uses algorithm to detect threats, instead of using a Database of threats to identify threats in the network environment.

What does Vectra do ;

  1. Is that it always keeps tracks of packets following in and out of the premises
  2. Detects types of threat that is found on a packet
  3. Keep tracks of the packet threat stage
  4. Provide “From” and “To” details of the transmission of packets
  5. Alert the premises’s technical team about threat
  6. Allow premises’s technical team to determine what types of threat to detect on packets

2 types of flow of compromise of threats;

vectra1.png

  • Procedure steps threats
    • Go through number of stages to extract confidential data
  • Direct attack threats
    • Extract confidential data directly once compromise

These are the summarize definition of the image above (stages of threats);

Command & Control Botnet monetization Internal reconnaissance Lateral Movement Exfiltration
•C&C

•Cyber admin  coordinate an attack over time

•Commonly associated with click fraud, sending spam or generating DDoS traffic at a target

Consume valuable resources

Damage the external reputation of the network

•Target is not an organization’s more critical assets

•Vital part of a targeted attack

•Begins shortly after an initial infection

•Allow Cybercriminals orient an attack inside a network and identify targets for lateral movement

•Establish multiple points of persistence in a network while moving deeper toward key assets Extract compromised data from inside a network to a remote external attacker

•Multiple hops or staging phases to evade security controls

Is good to know that there is a technology that could help enterprise to avoid threats attack first before being compromised.

Vectra detects Active Attacks;

v1

Below is a graph of how most organization focus on which phases more to protect their environment from threats,

v2.png

References:

  1. https://vectra.ai/understanding-todays-cyber-security-challenges