
How to Automate FTP Uploads with PSFTP

Many vendors and companies still transfer data via FTP. It could be transactional data, user data, or a myriad of other things. Hopefully they’re using SFTP (file transfer over SSH) or FTPS (FTP over TLS) rather than plain FTP, for the same reason HTTPS is preferred over HTTP: plain FTP sends both the credentials and the data in the clear.

A common use case I come across is user management: uploading basic user data like names, email addresses and employee numbers so a vendor can update records in their cloud-based product for your staff to use. If you’re using a cloud service and don’t have user automation sorted, ask them how you can achieve it. It’s much more enjoyable to set up automation than to repeat mindless tasks.

Assuming you have details on what to send and where, you’ll need to work out how to automate the uploads. Note that the method below is much less secure than it could be: you’re saving the password in plain text. Alternatives do exist, such as public/private key pair authentication (demonstrated in a YouTube video embedded in the original post), but they require the server side to accept your public key (typically an authorized_keys file in a .ssh folder on the SFTP server). Where that’s available, I’d rather do it that way.

Getting the other end to do what you want isn’t always possible in the real world, so you need to consider the risks of saving a password in plain text somewhere (in this case in the command line of a Scheduled Task, as you’ll see below). That password is obtainable by anyone who can get onto the server (or a backup of the server, or connect to Task Scheduler remotely), and because it’s passed as a command-line argument it is also visible to anyone who can list running processes or read process-creation audit logs while the job runs. The server should be heavily locked down anyway, and the password might well be saved in a password database those same staff members have access to.

If those credentials were obtained by another party, what could they do? If the FTP site immediately processes and removes whatever is uploaded, an attacker couldn’t read your data, but they could still upload whatever they wanted. Look at the worst case and decide if you’re comfortable with having the account credentials saved this way, or whether you need to find another approach.

Again, consider these risks, try to implement the most secure method you can, and raise any concerns with management/your boss. Assuming this is a scenario where you can’t do it more securely:

Instructions

First, you’ll need software. I use PSFTP – part of PuTTY, a free and open source solution. Download the full installer, as there’s a few components of PuTTY we need.

Next, you’ll need the login details of the FTP site:
Host: e.g. sftp.contoso.com
Username
Password

Open a Command Prompt, navigate to the folder that contains psftp.exe (typically C:\Program Files\PuTTY for the full installer) and type:

psftp username@host -pw password

You’ll probably first be prompted with a message saying ‘The server’s host key is not cached in the registry’ with some details on the fingerprint. If you’re sure you’re connecting to the right server (ideally, confirm the fingerprint with the vendor out of band), you can say ‘y’ to ‘Store key in cache’. Once saved, you won’t be prompted for this again on the same computer/user, as the cache lives in that user’s registry hive.

At this stage, we’re just making sure you can sign in and get past the key stage. If this works, you’ll now need to work on a batch file to pass through all the commands you want to do.

In this example, I’ll be going into a folder and uploading a file. Open notepad and type your commands, which you can first test in your active connection:

cd inbound
mput filename.csv
quit

Pretty simple stuff (‘put’ also works for a single file; ‘mput’ accepts wildcards). Save your notepad file (we’ll call it batchfile.txt), and if you haven’t already disconnected from your SFTP session, do so with the ‘quit’ command.

Connect back to the SFTP site, but this time we’ll specify the batch file to run after connecting:

psftp username@host -pw password -b batchfile.txt -batch

I’ve also added -batch on the end to tell PSFTP it’s running unattended: instead of waiting forever for an answer to a prompt (for example an uncached host key), it will abandon the connection and exit with an error. You can try without -batch first if you want to test and see the prompts, but in that case you’ll need to run the command manually rather than triggering it from a Scheduled Task.

If this works as expected, great! You can automate the SFTP task – the final step is to schedule it to run, which I usually use the native Scheduled Tasks in Windows to do.

If your scheduled task is running under a different account than the one you tested with, then you’ll need to do that initial host key saving again, because the cache is per user. The easiest way is to launch Command Prompt as that user and connect to the FTP site. Alternatively, PuTTY’s command-line tools accept a -hostkey option with the expected fingerprint, which pins the host key explicitly and works regardless of which user’s registry cache is in play.
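The steps above, wrapped into a PowerShell script you could point a Scheduled Task at. This is an added example and not code from the original post: it assumes a full PuTTY install, a hypothetical service account name, a placeholder host key fingerprint you have verified with the vendor, and a DPAPI-protected password file created once under the task’s account. The password still has to be handed to psftp as a -pw argument, so it is still visible in a process listing while the job runs; what improves is that it is no longer sitting in clear text in the task definition.

```powershell
# Added example, not from the original post. Assumes psftp.exe from a full PuTTY
# install; account name, paths and fingerprint below are placeholders.
$PsftpExe   = 'C:\Program Files\PuTTY\psftp.exe'
$SftpHost   = 'sftp.contoso.com'
$SftpUser   = 'svc_userfeed'                         # hypothetical service account
$HostKey    = 'SHA256:replace-with-verified-fingerprint'  # as shown in the host key prompt
$UploadFile = 'C:\Exports\users.csv'
$PwFile     = 'C:\Scripts\sftp-pw.txt'               # DPAPI-protected password file
$BatchFile  = Join-Path $env:TEMP 'psftp-batch.txt'

# One-off setup, run interactively AS THE ACCOUNT THE TASK RUNS UNDER:
#   Read-Host -AsSecureString | ConvertFrom-SecureString | Set-Content C:\Scripts\sftp-pw.txt
# ConvertFrom-SecureString uses DPAPI, so the file only decrypts for that user
# on that machine; a copy lifted from a backup is useless elsewhere.
$secure = Get-Content -Path $PwFile | ConvertTo-SecureString
$plain  = [pscredential]::new($SftpUser, $secure).GetNetworkCredential().Password

# Build the batch file fresh each run so the commands live in the script, not
# in a loose text file someone can edit to redirect the upload.
@"
cd inbound
put "$UploadFile"
quit
"@ | Set-Content -Path $BatchFile -Encoding ASCII

# -hostkey pins the server key (no per-user registry cache to warm up),
# -batch makes psftp fail instead of hanging on any prompt.
& $PsftpExe "$SftpUser@$SftpHost" -hostkey $HostKey -pw $plain -b $BatchFile -batch
$rc = $LASTEXITCODE

Remove-Item -Path $BatchFile -ErrorAction SilentlyContinue
$plain = $null

if ($rc -ne 0) {
    # A non-zero exit means the upload did not complete: surface it so the
    # Scheduled Task records a failure rather than silently "succeeding".
    throw "psftp exited with code $rc while uploading $UploadFile"
}
```

Run the script once interactively under the task account to confirm the fingerprint and the password file both work, then schedule it with “Run whether user is logged on or not” and a Last Run Result check so a failed upload is noticed.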

Service health dashboard email notifications GA

Email alerts for Microsoft 365 Service Health incidents are now Generally Available! (As fellow MVP Greig Sheridan pointed out, although it’s GA it’s gradually rolling out from December 2019 to March 2020, but I already have it in my live tenant.) In case you missed this one, there’s now an easy way to configure email alerts to go out when there’s an outage of some sort in the Microsoft 365 space.

Personally I’m used to checking the portal once I hear about a complaint and seeing what might be broken. Instead, I’ll now see emails to keep across what’s going on in the Microsoft world, and can have a ticket raised via email to the helpdesk, so any potential user-affecting outages are identified earlier in the troubleshooting process.

The advisory is MC196504 for those who want to read about it in the ‘Microsoft 365 admin center Message center’, but all you need to do to enable it is:

From the new Microsoft 365 admin center, go to Health > Service Health. Under the All services tab, click the Preferences button:

This will pop out a side window:

From this page, you can enter up to 2 email addresses – so if you want it to go to more than 2 recipients, use a distribution group. You can choose the services you want to receive alerts about (all are ticked by default), and as it will advise when saving, it may take up to 8 hours to apply.

This one’s a pretty simple feature, but one I’m very glad to see. Set it up for yourself today!

The Current State of Edgium

Update 16th Jan 2020: The New Edge is now live! You can download it from here: https://www.microsoft.com/en-us/edge?form=MO12GC&OCID=MO12GC and find more details here: https://blogs.windows.com/windowsexperience/2020/01/15/new-year-new-browser-the-new-microsoft-edge-is-out-of-preview-and-now-available-for-download/

Original Article:

“Edgium” or ‘The next version of Microsoft Edge’ is Microsoft’s rebuild of the Microsoft Edge browser, built on the open-source Chromium platform. I recently decided to start using it and see the current state of Edgium (which is what I’ll call it for the rest of this post, for clarity’s sake).

Microsoft Edge was met with a lot of resistance when launched – and although there were reasonable claims about it being the fastest browser around, there were a lot of features lacking and sites that wouldn’t work with it.

Here’s why Microsoft decided to abandon Edge as it is. It’s interesting to note that on mobile devices, they were already using an open-source foundation from the start, and for the desktop version there’s a focus on making sure all web standards are adopted.

You can download Microsoft Edge Beta right now and install it in parallel with the old Edge – or you can install the build that replaces old Edge direct from Microsoft here (keep in mind you can’t uninstall from this). The Beta is good if you want to have a play around before committing.

The experience I’ve had so far is rock solid. There are some ways where it looks and feels like Chrome, and others where it’s more Edgey. The import options (for me at least) just worked: I could import everything from browser history, favorites and saved passwords, and pick which Chrome profile I wanted to import from.

At the Edgium end, I’ve then created multiple profiles and imported each relevant profile across to match the experience I was having on Chrome. Multiple profiles is great when you’re doing things in Microsoft 365 and have multiple accounts (user and admin) and different tenants to access.

Also, Edgium fully supports Chrome extensions. Old Edge did have extensions too, but very few. Edgium will prompt, asking if you want to allow 3rd party extensions, and then you add them just like you would in Chrome:

The settings area of Edgium in my opinion, is much better than Chrome:

Google Chrome Settings Page
Microsoft Edgium Settings Page

There’s also already Group Policy ADM/ADMX files ready to use which gives IT Administrators a lot of control over the browser, which is worth putting in place and going through before you even consider piloting Edgium.

For IT Admins, also check out the security baseline you should use, currently in draft form.

Edgium also has an Internet Explorer mode, so hopefully this can end up with Edgium replacing Chrome, Internet Explorer and Old Edge with a single browser – it might take a while of course, but for a company looking to control the user experience a bit more and not manage lots of browsers, it’s looking hopeful.

At the time of writing there’s no announced release date of Edgium, but it’s expected to completely replace Edge – so it’s worth getting used to it early. I’m sure there will be some changes between here and launch, but it should all be small changes.

Personally I’ve made the move from Chrome to Edge and haven’t hit an issue yet. Old Edge is on the way out, and overall this seems to be a positive decision for all involved. Let’s see how

Managing Unified Messaging Users in Exchange Online

The phone number you entered has already been registered by someone else.

This is the standard error you’ll see in the Exchange admin center when trying to enable Unified Messaging on an extension that already has it enabled.

When a user departs you’d expect that when you change the user mailbox to a shared mailbox and drop the licensing, Unified Messaging should go. However, in Exchange Online the mailbox will still be Unified Messaging (UM) enabled, and hang onto the extension it had.

You probably won’t even notice this until you go to enable UM on another mailbox using that same extension, which leads to the error at the top of this article.

The first challenge is to find the Shared Mailbox that is holding onto the extension. After connecting to Exchange Online in PowerShell, you can run this command:

Get-UMMailbox | Select-Object Name, PhoneNumber | Out-GridView

This will show a nice gridview of all your UM-enabled mailboxes and what extension they have. You can search/filter this view to find the culprit.

If you want to see which of your mailboxes are Shared and have UM enabled, run this command:

Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited -Filter {UMEnabled -eq $true}

Knowing this mailbox, you’d expect it should be easy to turn off UM. This wouldn’t be too much of a problem if you could just disable UM like you can on a normal mailbox, but in Exchange admin center this isn’t an option at all when it’s a shared mailbox.

Trying to disable UM via PowerShell with the ‘Disable-UMMailbox’ command also won’t work, as you’ll get a license error:

License validation error: the action 'Disable-UMMailbox', 'Identity', can't be performed on the user 'Test User'
 with license 'BPOS_S_Standard'.
     + CategoryInfo          : NotSpecified: (:) [Disable-UMMailbox], RuleValidationException
     + FullyQualifiedErrorId : [Server=SYXPR01MB1901,RequestId=dfc62192-8270-4a65-b582-c7f327d6e7e2,TimeStamp=15/10/201
    9 6:24:33 AM] [FailureCategory=Cmdlet-RuleValidationException] DDB44050,Microsoft.Exchange.Management.Tasks.UM.Dis
   ableUMMailbox
     + PSComputerName        : outlook.office365.com

To fix this, you could use the Exchange admin center GUI along with the Microsoft 365 Portal, but it’s easier to run all the steps required via PowerShell:

First apply a license to the shared mailbox account that includes Exchange Online. You can see what licenses are available to you with this command from the MSOnline module (after running Connect-MsolService):

 Get-MsolAccountSku

Then, apply a license with this command against the shared mailbox and the AccountSkuID from the previous command:

Set-MsolUserLicense -UserPrincipalName "UPN OF SHARED MAILBOX" -AddLicenses "tenant:licensename"

Once applied, you’ll then need to change the mailbox to a Regular mailbox rather than Shared:

Set-Mailbox "UPN OF SHARED MAILBOX" -Type Regular

After a while, Unified Messaging may drop off by itself if you allocated a license that doesn’t support it (such as Exchange Online Plan 1 or Exchange Online Kiosk), or you can force it off with this command:

Disable-UMMailbox -Identity  "UPN OF SHARED MAILBOX"

Finally you can now enable UM on that other mailbox that was getting the error on the extension being in use. Easily done via the Exchange admin center GUI.

Two last steps are then to reverse what you did – take the license away from the shared mailbox, and make it a shared mailbox again:

Set-MsolUserLicense -UserPrincipalName "UPN OF SHARED MAILBOX" -RemoveLicenses "tenant:licensename"

Set-Mailbox "UPN OF SHARED MAILBOX" -Type Shared
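The whole procedure above, end to end, as a single PowerShell script. This is an added example rather than the original post’s commands: it assumes you are already connected to both Exchange Online PowerShell and Connect-MsolService, that the account has a UsageLocation set (license assignment fails without one), and it uses a placeholder extension and a placeholder AccountSkuId taken from Get-MsolAccountSku. It also waits for the temporary license to provision, which is the “after a while” the post mentions, and checks that the extension has actually been released before you go and reuse it.

```powershell
# Added example, not from the original post. Assumes an open Exchange Online
# session plus Connect-MsolService; the extension and SKU are placeholders.
$Extension = '4321'                         # the extension reporting "already registered"
$TempSku   = 'contoso:EXCHANGESTANDARD'     # placeholder AccountSkuId from Get-MsolAccountSku

function Get-UMExtensionHolder {
    param([string]$Ext)
    # PhoneNumber may be single- or multi-valued; @() makes -contains work for both.
    Get-UMMailbox -ResultSize Unlimited | Where-Object { @($_.PhoneNumber) -contains $Ext }
}

# 1. Find the mailbox that is hanging onto the extension.
$holder = Get-UMExtensionHolder -Ext $Extension
if (-not $holder) { throw "No UM-enabled mailbox currently holds extension $Extension" }

$mbx = Get-Mailbox -Identity $holder.Identity
$upn = $mbx.UserPrincipalName
if ($mbx.RecipientTypeDetails -ne 'SharedMailbox') {
    # A regular mailbox doesn't need the license dance; disable UM directly.
    Disable-UMMailbox -Identity $upn -Confirm:$false
} else {
    # 2. Temporarily license and convert so Disable-UMMailbox passes license validation.
    Set-MsolUserLicense -UserPrincipalName $upn -AddLicenses $TempSku
    Set-Mailbox -Identity $upn -Type Regular

    # 3. Provisioning is not instant; retry rather than failing on the first attempt.
    $attempt = 0
    do {
        $attempt++
        try {
            Disable-UMMailbox -Identity $upn -Confirm:$false -ErrorAction Stop
            $done = $true
        } catch {
            if ($attempt -ge 6) { throw }
            Write-Warning "Disable-UMMailbox failed (attempt $attempt), waiting for the license to provision..."
            Start-Sleep -Seconds 60
            $done = $false
        }
    } until ($done)

    # 4. Put the mailbox back the way it was: shared, and unlicensed.
    Set-Mailbox -Identity $upn -Type Shared
    Set-MsolUserLicense -UserPrincipalName $upn -RemoveLicenses $TempSku
}

# 5. Confirm the extension is really free before enabling UM elsewhere.
if (Get-UMExtensionHolder -Ext $Extension) {
    throw "Extension $Extension is still registered to a UM mailbox; check replication and retry"
}
Write-Host "Extension $Extension released from $upn; it can now be assigned to another mailbox."
```

Keep the temporary license assignment short-lived: while the mailbox is Regular and licensed it is a normal, sign-in-capable user mailbox again, so do the revert steps in the same session rather than leaving it overnight.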

Blocking ActiveSync with Conditional Access

Microsoft has announced that they’re continuing the path away from Legacy Authentication, with the decommissioning of legacy (Basic) auth for EWS on Exchange Online on October 13th 2020. Instead of waiting for that looming date, there’s a bunch of security reasons to allow only Modern Authentication for Microsoft 365.

I’ve already written up Protect Your Office 365 Accounts By Disabling Basic Authentication and Blocking Legacy Authentication – Conditional Access vs Authentication Policies, but when I migrated from Authentication Policies to Conditional Access, I didn’t realise ActiveSync wasn’t covered by my Legacy Authentication block, even though it connects without MFA.

The guide from Microsoft on how to block Legacy Authentication doesn’t actually mention ActiveSync, so it’s easy to miss like I initially did! You’ll need to block ActiveSync altogether as far as I know, as it doesn’t support MFA.

Although I still think Conditional Access is easier to manage than Authentication Policies, there is one caveat: even with an ActiveSync block in place via Conditional Access, too many attempts by a user will briefly lock their account. This might cause problems, or require work to get those users to clean up whatever device is still trying to log in. With an Authentication Policy I don’t believe this happens, because the request is rejected earlier in the sign-in process: you won’t see sign-in logs, and the account can’t get locked.

There is, of course, a checkbox for ActiveSync and a way to block it using Conditional Access, but I had mixed results in blocking it successfully until I did it exactly this way:

Create a new Conditional Access Policy and set these options:

Users and groups > All Users
Cloud apps or actions > Select Apps > Office 365 Exchange Online
Conditions > Client apps > Tick both ‘Mobile apps and desktop clients’ + ‘Exchange ActiveSync Clients’
Grant > Block Access

In the Users and Groups section, you can narrow this down from ‘All Users’ for testing or for a gradual rollout.

The user experience is interesting on this one: the device can still sort of authenticate, but instead of getting their emails, the user will see a single email advising that their access has been blocked:

On top of this, you can use Azure AD to audit who might be using ActiveSync before you put any sort of block in place. As per usual, there’s a good Microsoft article on Discovering and blocking legacy authentication which can walk you through this, but in short:

Via the Azure Portal, go to Azure Active Directory > Users. Under Activity, go to Sign-ins. Click Add filters, choose Client App, tick the three ‘Exchange ActiveSync’ options and press ‘Apply’. You’ll see the retained window of sign-in attempts using ActiveSync (7 days on a free Azure AD tenant, longer with Premium), which should give you an idea of how many users are using it, and who.
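The audit and the policy above, done from PowerShell so they can be repeated and reviewed. This is an added example and not part of the original post: it uses the Microsoft Graph PowerShell SDK (the Microsoft.Graph.Reports and Microsoft.Graph.Identity.SignIns modules), the policy display name is a placeholder, and the application ID is the well-known one for Office 365 Exchange Online. The policy is created in report-only mode so the sign-in logs show who would have been blocked before you flip it to enabled, which is the same “narrow it down for testing” idea as the Users and Groups note above.

```powershell
# Added example, not from the original post. Requires the Microsoft Graph
# PowerShell SDK; the policy name is a placeholder.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All',
                        'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

# 1. Audit: which users are still signing in with Exchange ActiveSync?
#    This is the same filter as the portal's Client App > Exchange ActiveSync.
$easSignIns = Get-MgAuditLogSignIn -All -Filter "clientAppUsed eq 'Exchange ActiveSync'"

$easSignIns |
    Group-Object -Property UserPrincipalName |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Name, Count,
        @{ n = 'LastSeen'; e = { ($_.Group.CreatedDateTime | Measure-Object -Maximum).Maximum } },
        @{ n = 'Clients';  e = { ($_.Group.AppDisplayName | Sort-Object -Unique) -join '; ' } } |
    Format-Table -AutoSize

# 2. Policy: the portal steps above expressed as a Graph conditionalAccessPolicy.
#    'All' users, Office 365 Exchange Online, client app types
#    Mobile apps and desktop clients + Exchange ActiveSync clients, grant = block.
$ExchangeOnlineAppId = '00000002-0000-0ff1-ce00-000000000000'

$policy = @{
    displayName = 'Block Exchange ActiveSync (report-only)'   # placeholder name
    state       = 'enabledForReportingButNotEnforced'         # switch to 'enabled' after review
    conditions  = @{
        users          = @{ includeUsers = @('All') }
        applications   = @{ includeApplications = @($ExchangeOnlineAppId) }
        clientAppTypes = @('mobileAppsAndDesktopClients', 'exchangeActiveSync')
    }
    grantControls = @{
        operator         = 'OR'
        builtInControls  = @('block')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in state $($created.State)"
```

Leave it in report-only for a week, re-run the audit query, and compare the remaining ActiveSync sign-ins against the report-only results in the sign-in log’s Conditional Access tab before changing State to enabled. The smart-lockout caveat above still applies once it is enforced, so have the list of affected users ready for the helpdesk.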

Blocking Legacy Authentication, plus blocking ActiveSync will give you a much more secure environment, protecting from account attacks.