Exchange Online Mail Enabled Security Groups

One of the things I’ve found out while migrating to Exchange Online was around access to shared mailboxes, and having to alter my methods slightly.

For Exchange On-Prem (Exchange 2010), whenever I created a shared mailbox I would control access with a security group. If the mailbox was called “Finance”, then I’d have an Active Directory Security Group called “Finance Mailbox Full Access” and give that group full access to the mailbox. Then, I’d add the staff that needed access to that group – meaning it was easier to track and manage who had access to what, particularly with nested group support so I could add a whole department in.

The extra win on this approach was around applying logic to the groups. When someone joined or left Finance, the user management process would ensure the user was added to a group for Finance. That would then feed into all the access that Finance were granted through the groups that single group was inside – and it works great. 

The good news is that this is still possible going to Exchange Online, my nested and automated systems can continue to work. However, some changes were required to make this work.

Firstly, any security group that is going to be given access to an Exchange Online mailbox must be mail enabled. This goes against my personal best practice, as I liked complete separation of security groups and email groups, because I didn’t want to deal with scenarios like ‘All Finance need this resource, but I don’t want them to get the emails about the same resource’. Still, a descriptive security group name should stop that happening.

This leads to another catch – to mail enable a security group, it has to be ‘universal’. In turn, that means every other group those groups are nested inside also needs to be universal (a global group can’t contain a universal group).

For me this was easy, since all my security groups were cleanly in a single OU, and there was no impact on me from changing them to universal (check this for yourself though! For example, a global group can’t be converted to universal while it is still a member of another global group):

Get-ADGroup -Filter * -SearchBase "ou=Security Groups,ou=ABC,dc=com" | Set-ADGroup -GroupScope Universal

After that, mail enabling an existing security group is easy with the PowerShell command:

Enable-DistributionGroup -Identity "Finance Mailbox Full Access"

I was actually able to mail enable all my security groups that granted mailbox access at once, by getting all the groups and filtering them down to only the ones whose name contained the word ‘Mailbox’ (note the wildcards – without them -like only matches the exact string):

Get-Group -ResultSize Unlimited | Where-Object {$_.Name -like "*Mailbox*"} | Enable-DistributionGroup

You’ll also need to mail enable any groups inside the groups, and you should be able to work this out based on the above commands.

Keep in mind you’ll probably want to hide all these groups from the address book so users can’t see them – in Exchange 2010 the GUI lets you mass select and change this option, but it’s also easy to do from PowerShell (but you’d need to 

Get-Group -ResultSize Unlimited | Where-Object {$_.Name -like "*Mailbox*"} | Set-DistributionGroup -HiddenFromAddressListsEnabled:$true

Note that if you use PowerShell (Add-MailboxPermission) to give a non-mail-enabled security group access to a mailbox, the permission will appear in the Exchange admin center, but it won’t work. As far as Exchange knows, the group has no members because it isn’t mail enabled. I found this out the hard way!
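As an added example (this is not code from the original post), here is the whole procedure as one script: convert the mailbox-access groups to Universal with the nesting check done first, mail enable and hide them, and only then grant Full Access – refusing to grant to a group that is still not mail enabled, which is the trap described above. It assumes the ActiveDirectory module and the on-prem Exchange Management Shell for the first two parts (the groups are mastered on-prem and synced to the cloud with Azure AD Connect), an Exchange Online session for the final grant, and that the OU, mailbox name and group name are the placeholders used in the post.

```powershell
# Added example, not from the original post.
# Part 1 and 2: run in the on-prem Exchange Management Shell (ActiveDirectory module loaded).
# Part 3: run in Exchange Online (Connect-ExchangeOnline) after Azure AD Connect has synced.
param(
    [string]$GroupOU = "OU=Security Groups,OU=ABC,DC=com",   # placeholder OU from the post
    [string]$Pattern = "*Mailbox*"                           # name filter for mailbox-access groups
)

Import-Module ActiveDirectory

# --- Part 1: only Universal groups can be mail enabled ----------------------
$groups = Get-ADGroup -Filter * -SearchBase $GroupOU -Properties MemberOf |
          Where-Object { $_.Name -like $Pattern -and $_.GroupCategory -eq 'Security' }

foreach ($g in $groups) {
    if ($g.GroupScope -eq 'Universal') { continue }

    # A Global group cannot be converted to Universal while it is a member of
    # another Global group, so report those instead of failing half-way through.
    $globalParents = @($g.MemberOf | ForEach-Object { Get-ADGroup $_ } |
                       Where-Object { $_.GroupScope -eq 'Global' })
    if ($g.GroupScope -eq 'Global' -and $globalParents.Count -gt 0) {
        Write-Warning "$($g.Name): member of Global group(s) $($globalParents.Name -join ', '); convert those first"
        continue
    }
    Set-ADGroup -Identity $g -GroupScope Universal
    Write-Host "$($g.Name): scope changed to Universal"
}

# --- Part 2: mail enable and hide from the address book ---------------------
foreach ($g in $groups) {
    $exg = Get-Group -Identity $g.DistinguishedName -ErrorAction SilentlyContinue
    if ($null -eq $exg) { continue }
    # RecipientType 'Group' means not yet mail enabled; once enabled it becomes
    # 'MailUniversalSecurityGroup'.
    if ($exg.RecipientType -eq 'Group') {
        Enable-DistributionGroup -Identity $exg.Identity
        Write-Host "$($g.Name): mail enabled"
    }
    Set-DistributionGroup -Identity $exg.Identity -HiddenFromAddressListsEnabled $true
}

# --- Part 3: grant Full Access, but only to a mail-enabled group ------------
function Grant-FullAccessToGroup {
    param([string]$Mailbox, [string]$GroupName)
    $grp = Get-Group -Identity $GroupName
    if ($grp.RecipientType -eq 'Group') {
        # Exchange would accept the permission and then treat the group as empty.
        throw "$GroupName is not mail enabled; the permission would show in EAC but never work"
    }
    # Auto-mapping only works for individual users, so it is switched off here.
    Add-MailboxPermission -Identity $Mailbox -User $GroupName -AccessRights FullAccess `
        -InheritanceType All -AutoMapping $false
}

Grant-FullAccessToGroup -Mailbox "Finance" -GroupName "Finance Mailbox Full Access"
```

Parts 1 and 2 use cmdlets that exist with the same names in both on-prem Exchange and Exchange Online; run them where the groups are mastered, because synced groups are read-only in Exchange Online.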

Conditional Access Makes MFA Migration Easier

Microsoft Azure’s Conditional Access is a really great way to get a company using Multi-Factor Authentication. The old argument of not wanting MFA to get in the way of logins constantly goes away with this solution, because it lets you set the rules and scenarios where MFA will and won’t trigger.

To be more accurate, the access controls that Conditional Access can apply let you satisfy a sign-in with more than just MFA (username, password and token). You can set the rules so that a trusted device removes the need for MFA.

This isn’t new anymore either. Here’s a video from Microsoft back in March 2017 talking about how all this works:

What this means is that someone with a username and password on a device that is either Intune enrolled, or hybrid Azure AD joined, is trustworthy enough. Of course this is less secure than asking for MFA every time, but do you really need to do that when someone is using their work laptop?

Another condition to choose from is ‘Locations’. You can decide that MFA won’t kick in if the login is coming from inside your corporate network. You can also target different applications with different rules that stack – so maybe the payroll system will always ask for MFA, but a less sensitive one will only ask when not on a managed device.

Security wise, there’s also a ‘Sign-in Risk‘ option where each authentication attempt is evaluated and given a risk ranking, and access can be granted or blocked based on the results. Note that this one needs Azure AD Premium P2 which isn’t part of the Microsoft 365 E3 subscription – E5 or separate licensing is required.
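As an added example (not from the original post), here are the two stacking rules described above expressed as Conditional Access policies created through the Microsoft Graph PowerShell SDK: a baseline that asks for MFA unless the device is Intune compliant or hybrid Azure AD joined (and not at all from a trusted location), plus a stricter policy that always asks for MFA on one sensitive application. The emergency-access group id and payroll application id are placeholders you replace with your own; both policies are created in report-only mode so you can review the sign-in log before enforcing them.

```powershell
# Added example, not from the original post. Requires the Microsoft.Graph SDK
# and an account that can write Conditional Access policies.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: emergency-access accounts
$payrollAppId      = "11111111-1111-1111-1111-111111111111"   # placeholder: payroll app (service principal appId)

# Policy 1: MFA OR compliant device OR hybrid joined device, for everyone, on all
# apps, except from trusted named locations.
$baseline = @{
    displayName = "CA01 - MFA unless managed device (report-only)"
    state       = "enabledForReportingButNotEnforced"   # change to "enabled" once reviewed
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)        # never lock out the break-glass accounts
        }
        applications = @{ includeApplications = @("All") }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")           # named locations you have marked as trusted
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"                           # any one of these satisfies the policy
        builtInControls = @("mfa", "compliantDevice", "domainJoinedDevice")
    }
}

# Policy 2: payroll always requires MFA. Policies stack: a sign-in must satisfy
# every policy that applies, so a managed device still gets prompted here.
$strict = @{
    displayName = "CA02 - Payroll always requires MFA (report-only)"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications = @{ includeApplications = @($payrollAppId) }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

foreach ($p in @($baseline, $strict)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $p |
        Select-Object Id, DisplayName, State
}
```

The `domainJoinedDevice` control is the portal’s “Require hybrid Azure AD joined device”; `compliantDevice` is the Intune compliance check. Leaving the break-glass group excluded from every policy is the one caveat that matters most, since a misconfigured policy can otherwise lock out the administrators who need to fix it.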

Because Conditional Access works like a bunch of Outlook rules, you can slowly build up and adjust what kicks in when. It’s really easy to do, and once you have the licensing there’s really no excuse not to set it up ready to demo to staff. 

Combine Conditional Access with Azure AD App Proxy where you can externalise any internal web based app, while forcing auth on it and you’ve got an easy way of enabling workers to do their jobs remotely, while being happy about the security around it – and NOT just poking a hole in a firewall, exposing your IIS box to the world.

Lenovo 500 Multimedia Controller Review

Thanks to Lenovo, I’ve been given an interesting new gadget to review – the Lenovo 500 Multimedia Controller. It’s a compact sized wireless keyboard, designed for usage from a couch.

For a long time, I’ve used a computer plugged into the main loungeroom TV for a variety of things – watching TV shows and movies via local copies of content on Kodi, streaming services like Netflix and YouTube, as well as general web browsing.

The sticking point on doing all of this from a couch rather than a desk, is how to drive it all. I’ve tried a fairly vast array of devices:

  • A standard wireless keyboard and mouse – too clunky, and no nice flat surface to use the mouse on.
  • An ‘air mouse’, which is what happens when you breed a keyboard and a Nintendo Wiimote together – inaccurate and slow to type on.
  • A dedicated remote control for ‘media’ content – too limiting in what you can do with it, no keyboard for typing.
  • Smartphone as keyboard/mouse – keyboard too slow to type on, mouse too tricky to use, always need the smartphone around.
  • All in one keyboard and trackpad – the current winner for me (Logitech K400).

The all in one keyboard and trackpad gives me what I want – a full keyboard experience so I can type fast, a multi-touch trackpad so I can move the cursor around fairly well, and use gestures like scrolling through pages. However, it’s still rather large, and doesn’t really like being dropped (the batteries generally go flying).

That’s why I was looking forward to trying Lenovo’s solution to this, and compare it to my currently winning solution.

The box turned up, which looks simple enough and shows what you’re getting:

Opening the box, all that’s inside beyond plastic and manuals are the keyboard itself, a tiny dongle, and a USB extension cable.

The keyboard itself looks and feels very well made. I was expecting something of average quality, but this feels premium. It has a reasonable amount of weight to it and the keys feel very solid – there is no cheap plastic to be found:

Getting the back cover off was a bit tricky – I needed to apply a lot more force than I was comfortable with, but that’s probably good for a device that’ll probably get thrown around and dropped. It takes two AAA batteries (included in the box in some countries) which will last up to 8 months – about normal for a wireless keyboard.

After clicking the back cover back on, I had one more look at the device. It has a decent amount of weight to it which helps with the premium feel, and a curved back sort of like an old iPhone 3GS, but a more emphasised curve – again, a really nice design that feels good to hold:

After plugging it in to my Intel NUC running Windows 10, the device was ready to use. When I first looked at the device (I decided to approach it with no research until after I’d finished playing), I assumed the bottom section was a trackpad. It turns out, the entire keyboard area is a trackpad! Everywhere from the top left Escape key, to the bottom right arrow key is one giant trackpad – despite the keys actually being individual buttons that press down. It even supports gestures, such as scrolling.

https://www.youtube.com/watch?v=Gc19UCAuGYU&feature=youtu.be
Quick demo of using the device as a trackpad

The bottom section is a pair of dedicated left and right click mouse buttons, with no touch abilities. The keyboard itself can also be used to click, just like a trackpad, using a tap motion rather than actually pressing down on it.

It’s also worth noting that the cursor sensitivity can be adjusted via the keyboard itself, with the Fn + F9 and Fn+F10 key combos – personally I upped the sensitivity a bit.

After using it for a while, here’s the pros and cons I formed about this device:

Pros:

  • High quality device – good materials, good weight, not flimsy in any way
  • Compact – it’s about the size of a large smartphone
  • Touchpad accuracy – fairly accurate with a very large surface to work with
  • Keyboard keys – they press down separately and actually click. Typing can be done much like on the old full keyboard Nokias.
  • Battery – ~ 8 months means you won’t go flat easily, or have to remember about charging the device. It can be treated like any other standard remote control

Cons:

  • Small keys – no small device will let me type as fast as I can on a full sized keyboard, but this is probably the best to expect for a device this size
  • Touchpad sensitivity – because the keys are so close to the edge, I found my hands would accidentally rest against a key and affect my ability to move the cursor.

Overall, this is the best keyboard I’ve seen for couch usage for its size. The more important consideration is how you expect to use it; if you do a lot of typing and are used to typing fast, you’re going to need a full sized keyboard – no mini keyboard is going to be as good to use. However, for light typing and a trackpad experience, in a form factor that’s around smartphone size, this ticks all the boxes.

Because the Lenovo 500 Multimedia Controller is a different style of device than what you’d be used to, there is a little adaptation required to put your hands in the right spot, get used to tapping the trackpad instead of clicking and use a small keyboard – but these to me were just minor adjustments I had to learn, rather than being too difficult to change what I do.

A note for Australians – at the time of writing, I can’t see anywhere to buy this locally, but for US residents the device costs around $40US.

OneDrive for Business – Turn Off ‘Allow Editing’ By Default

Update 21st March 2019

You can now find these settings in the OneDrive Admin Center (Preview) at https://admin.onedrive.com and that’s a clearer experience.

Update 16th April 2020

As the SharePoint Admin Center has been updated, here’s the area to find the view/edit choice:

Original Post

Every organisation has their own requirements and standards. For mine, I see a risk when the default action of sharing a document via OneDrive for Business is the ability to ‘Allow editing’ of any document sent out. It’s worse because that option is hidden behind the main popup when sharing a file, and you don’t actually see that you’re giving ‘modify’ access rather than ‘read only’:

OneDrive for Business default sharing popup
OneDrive for Business ‘Allow editing’ on by default

There is a way to change this default behavior though, and it’s not in the OneDrive admin center.

Instead, you’ll need to head to the SharePoint admin center (since the backend of OneDrive is SharePoint Online, this makes some sense). From here, go into ‘sharing’ and there’s an option around ‘Default link permissions’. You can change this to ‘View’ rather than ‘Edit’:

SharePoint admin center

The change was immediate from my testing, as soon as I went to share another file via OneDrive for Business, the ‘Allow editing’ option was unticked. This is only changing the default too, someone can still decide they want to allow editing and tick the box.
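The same default can be set and verified from the SharePoint Online Management Shell, which is handy when you want the change scripted and auditable. This is an added example, not from the original post; it assumes the Microsoft.Online.SharePoint.PowerShell module is installed and that “contoso” is a placeholder for your tenant name.

```powershell
# Added example, not from the original post.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder tenant

function Get-SharingDefaults {
    # The tenant-wide defaults that back the "Default link permissions" page
    # in the SharePoint admin center. SharingCapability is the ceiling;
    # the two Default* values are only what the share dialog pre-selects.
    Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType, DefaultLinkPermission
}

Write-Host "Before:"; Get-SharingDefaults

# Pre-select 'View' instead of 'Edit' (valid values: None, View, Edit).
Set-SPOTenant -DefaultLinkPermission View

# Optional: also pre-select links that only work for people in the
# organisation rather than 'Anyone' links. Users can still pick another
# link type if SharingCapability allows it.
Set-SPOTenant -DefaultSharingLinkType Internal

Write-Host "After:"; Get-SharingDefaults

# A single site (or a single user's OneDrive, which is a site under
# https://contoso-my.sharepoint.com/personal/...) can override the tenant default:
# Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/Finance" -DefaultLinkPermission View
```

As with the admin center change, this only alters the default; a user who ticks ‘Allow editing’ still gets an edit link, so pair it with the sharing capability settings if you need to restrict what can be shared at all.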

It’s worth considering what you should have as your default. The new versioning in OneDrive/SharePoint Online is really good, and will let a user easily roll back to a previous version of a document if something accidentally gets changed – but will your users be aware if something does change? It’s possible to set up an alert, but it’s a bit tedious: http://itgroove.net/brainlitter/2016/05/16/creating-alerts-documents-new-onedrive-business/

Hope this helps anyone considering rolling out OneDrive, or wants to start allowing external sharing.

Azure AD Hybrid Joined Devices Overview

Thought I’d make some notes around Azure AD Hybrid while the details are all bouncing around in my head.

What is Azure AD Hybrid?

A Windows device can be Domain joined, where you change it from a WorkGroup to a domain and authenticate against a domain controller, and the computer object gets created in Active Directory. It can also be Azure AD joined, where you use your work account to join the device straight to Azure Active Directory. The latter is the modern method, can only be done in Windows 10 as far as I know, and really is only designed for someone who’s on the Microsoft 365 suite of products (think of Intune as a part of that), and you either don’t need legacy on-prem connections, or can do some trickery around giving access to things where you’d historically use on-prem Active Directory authentication.

There is a third option though, that came out of the need for users to have connections to both worlds = Azure AD Hybrid. This lets you add a domain joined device to Azure AD at the same time, but needs to be done in that order. This is supported in Windows 10 (called Windows Current Devices) as well as Windows 7/8/8.1 (called down-level devices), but I’ve only tested this in Windows 10. There’s more work and steps to support down-level devices.

Why would I want Azure AD Hybrid?

There’s a bunch of reasons! A lot of the cool new features you can leverage for identity and devices coming out of Azure AD won’t work at all, or won’t work as nicely, on a pure domain joined device:

  • Windows Hello for Business
  • Seamless Single Sign-On (SSO) with Pass-through Authentication (PTA)
  • Conditional Access
  • Windows Store for Business
  • Enterprise State Roaming
  • Multi-factor Authentication

Conditional Access gives options for a better user experience rather than just forcing MFA in all scenarios. One of the options I like, is allowing an Azure AD Hybrid joined device to access a resource without anything beyond a password. This means that combined with Seamless SSO and PTA, a user can take their laptop anywhere, log onto Windows, and access resources without any other requirements. However, if they try to access a resource from another device, they’ll be challenged for another authentication method. Even better with Windows Hello for Business fingerprint or camera login, but that’s a whole other topic.

How To Set Up Azure AD Hybrid

I won’t go into too many details on this, as there’s excellent documentation already that covers both ADFS and non-ADFS users. Unless you already have ADFS, you most likely don’t need it, and it’s not the recommended method, as ADFS itself is much more complex (but fully works and is supported).

Very high level, the two steps are:

  1. Configure Azure AD Connect for Azure AD Hybrid Join using the setup/configuration wizard
  2. Enable “Register domain-joined computers as devices” via Group Policy under Computer Configuration > Policies > Administrative Templates > Windows Components > Device Registration.

That’s really it. Read the documentation though, there’s a lot to consider – but the end result should have no impact on users. They won’t know or see that their device is Azure AD Hybrid joined, and you can’t even see it (at the time of writing) via GUI settings.

How to see if a device is Azure AD Hybrid Joined

On a PC itself, you can run the command ‘dsregcmd /status‘ from a command prompt. The ‘Device State’ section near the top of the results shows ‘AzureAdJoined : YES’ or ‘AzureAdJoined : NO’; for a hybrid join you want both ‘AzureAdJoined’ and ‘DomainJoined’ to say YES. Pretty straight forward! You’ll see a lot more information in the other results when it is joined.

You can also test from the cloud side with the MSOnline PowerShell cmdlet ‘Get-MsolDevice -Name <computername>’ (the -DeviceId parameter expects the device’s GUID rather than the computer name). You’ll either get a result back or you won’t, again it’s pretty clear.
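As an added example (not from the original post), the following script turns the two checks above into something scriptable: it parses the key/value lines of dsregcmd /status into a join classification (hybrid joined means both AzureAdJoined and DomainJoined are YES, which is what distinguishes it from plain domain joined or Azure AD registered), and then cross-checks the device in the cloud with the Microsoft Graph PowerShell SDK, where a hybrid joined device reports TrustType ‘ServerAd’. The dsregcmd sample output embedded below is constructed for illustration, and PC01 is a placeholder computer name.

```powershell
# Added example, not from the original post.
function Get-DeviceJoinState {
    # Parses dsregcmd /status output. Pass $StatusLines to test against captured
    # output; with no argument it runs dsregcmd on the local machine.
    param([string[]]$StatusLines = (& dsregcmd /status))

    $state = @{}
    foreach ($line in $StatusLines) {
        # Value lines look like "             AzureAdJoined : YES"; box-drawing
        # and section header lines contain no colon and are skipped.
        if ($line -match '^\s*(\S+)\s*:\s*(.+?)\s*$') { $state[$matches[1]] = $matches[2] }
    }

    $azureJoined = $state['AzureAdJoined']   -eq 'YES'
    $domainJoined = $state['DomainJoined']   -eq 'YES'
    $workplace   = $state['WorkplaceJoined'] -eq 'YES'   # Azure AD *registered* (BYOD style)

    $joinType = if ($azureJoined -and $domainJoined) { 'HybridAzureAdJoined' }
                elseif ($azureJoined)                 { 'AzureAdJoined' }
                elseif ($domainJoined -and $workplace) { 'DomainJoined+AzureAdRegistered' }
                elseif ($domainJoined)                { 'DomainJoined' }
                else                                  { 'NotJoined' }

    [pscustomobject]@{
        JoinType   = $joinType
        DeviceId   = $state['DeviceId']
        TenantName = $state['TenantName']
    }
}

# Constructed sample of the relevant dsregcmd /status lines on a hybrid joined PC.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP
+----------------------------------------------------------------------+
| Device Details                                                       |
+----------------------------------------------------------------------+
                  DeviceId : 2b1f9c3e-0000-4000-8000-000000000000
+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+
                TenantName : Contoso
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
           WorkplaceJoined : NO
'@
$sampleLines = $sample -split "`r?`n"

Get-DeviceJoinState -StatusLines $sampleLines   # JoinType = HybridAzureAdJoined

# Cloud side: TrustType is 'ServerAd' for hybrid joined, 'AzureAd' for Azure AD
# joined and 'Workplace' for Azure AD registered devices.
function Get-CloudJoinType {
    param([string]$DeviceName)
    Connect-MgGraph -Scopes "Device.Read.All" | Out-Null
    Get-MgDevice -Filter "displayName eq '$DeviceName'" |
        Select-Object DisplayName, DeviceId, TrustType, IsManaged, IsCompliant
}

Get-CloudJoinType -DeviceName "PC01"   # placeholder computer name
```

Comparing the DeviceId reported locally with the DeviceId returned by Graph is the quickest way to confirm the local device object is the one Conditional Access will evaluate, rather than a stale duplicate from an earlier join.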

If it’s not joined and you want to work out why, it gets a bit tougher. There’s a great blog post here on troubleshooting, but you can always log a case with Microsoft to get some assistance.

I haven’t come across or read any reason not to set up Azure AD Hybrid, as long as you’re in a position where you’ve already got all users and devices syncing. Seamless Single Sign-On and Pass-through Authentication are a great reason in themselves to head down this path, as the user experience is a lot nicer without the constant re-entering of passwords.