Enable Office 365 auditing for admin and user

Introduction

The Office 365 Security and Compliance Center lets you run a unified audit log search to track user and admin activities in Office 365. Organizations are sometimes required to monitor and track the activities of users and admins for compliance reasons, and large organizations with multiple admins in Office 365 need a way to track admin activities to ensure data security and keep a record of Office 365 changes. Organizations that have deployed Office 365, or are planning to move to it, should consider enabling Office 365 auditing in the Security and Compliance Center to track these activities.

Office 365 Security and Compliance center will track the following activities of admin and users.

  • User activities audit by Office 365 includes activity in Power BI, Sway, Exchange online (Mailbox auditing), Yammer, SharePoint online and OneDrive for Business.
  • Admin activities audit by Office 365 includes activity in Power BI, Exchange online, SharePoint online and OneDrive for Business, Azure AD and Yammer.

How to enable Office 365 auditing for admin and user

  • To configure user and admin activity auditing, log in to the Office 365 “Security and Compliance” center with admin credentials.

You can log in to either protection.office.com or portal.office.com and navigate to Admin > Security and Compliance.


  • Once you are logged in, click “Start recording now” under Search for Activity.


  • When you click the “Start recording now” link, a pop-up message asks you to confirm that you want to start recording user and admin activities. Click “Turn on”.


  • Click Yes to confirm these changes. This starts the process of updating the organization settings in Office 365 for Security and Compliance.


  • Once the organization settings are updated in Office 365, you will see the following screen with a check mark under “Search for Activity”, which confirms that the feature has been enabled in Office 365.


  • To run audit reports for user or admin activities in Office 365, navigate to “Search & Investigate” and click “Audit log search”.


  • As we enabled auditing only a moment ago, the warning message shown in the screen below appears. It is recommended that you run the audit log search 24 hours after enabling auditing in Office 365.


It can take up to 24 hours for this feature to turn on in Office 365 as per the SLA. I have seen it activate within minutes, and you can still perform the search.

Office 365 user and admin audit logging lets you view user-specific information, such as whether a user viewed a specific document or purged an item from their mailbox. The Office 365 Security & Compliance Center lets you search the unified audit log to view user and administrator activity in your Office 365 organization, and I would highly recommend activating this feature in your Office 365 tenant. More information can be found on the “Office Security and Compliance” site.
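The same switch that the “Start recording now” link flips can be checked and set from Exchange Online PowerShell, which is handy when you look after several tenants or want to script the follow-up search after the 24-hour wait. The snippet below is an added example and is not code from the original post: it assumes an Exchange Online remote PowerShell session is already open for an admin who holds the Audit Logs role, the user principal name is a placeholder, and the field names read out of AuditData at the end are taken from the mailbox audit record schema as I know it rather than from anything the post shows.

```powershell
# Added example, not from the original post. Assumes an Exchange Online
# remote PowerShell session is already open for an admin with the
# Audit Logs role.

# 1. Check whether the unified audit log is being populated and turn it on
#    if it is not (the same setting the "Start recording now" link changes).
function Enable-UnifiedAuditLog {
    $cfg = Get-AdminAuditLogConfig
    if ($cfg.UnifiedAuditLogIngestionEnabled) {
        Write-Host 'Unified audit logging is already enabled.'
    } else {
        Write-Host 'Unified audit logging is off; enabling it now.'
        Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    }
}

# 2. Mailbox actions such as purging items only reach the unified log when
#    mailbox auditing is enabled on the mailbox itself. List mailboxes that
#    still have it off so they can be enabled with Set-Mailbox -AuditEnabled.
function Get-MailboxesWithoutAuditing {
    Get-Mailbox -ResultSize Unlimited |
        Where-Object { -not $_.AuditEnabled } |
        Select-Object DisplayName, UserPrincipalName, AuditEnabled
}

# 3. Search the last 7 days of the unified log for hard-deleted (purged)
#    mailbox items by one user. The UPN is a placeholder.
function Get-PurgedItemsForUser {
    param([string]$UserPrincipalName = 'user@contoso.example')

    $records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) `
        -EndDate (Get-Date) -Operations HardDelete `
        -UserIds $UserPrincipalName -ResultSize 1000

    # AuditData is a JSON document. The property names used here follow the
    # mailbox audit record schema and are an assumption, not from the post.
    foreach ($r in $records) {
        $d = $r.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            When     = $r.CreationDate
            Actor    = $d.UserId
            Mailbox  = $d.MailboxOwnerUPN
            ClientIP = $d.ClientIPAddress
            Subjects = ($d.AffectedItems | ForEach-Object { $_.Subject }) -join '; '
        }
    }
}

Enable-UnifiedAuditLog
Get-MailboxesWithoutAuditing | Format-Table -AutoSize
Get-PurgedItemsForUser | Format-Table -AutoSize
```

Search-UnifiedAuditLog returns at most 5,000 records per call and only data recorded after ingestion was enabled, so a search run straight after enabling will be empty even when the cmdlet succeeds.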

Exchange Server 2013 CU14 and Exchange Server 2016 CU3 Issues

Microsoft released Exchange Server 2013 CU14 in September; the issues addressed by Exchange 2013 CU14 are listed here. Along with Exchange Server 2013 CU14, Microsoft also released CU3 for Exchange 2016. Deploying these updates in production has caused database content index failures. Both updates were released in September of this year.

I have experienced this issue with the Exchange 2016 CU3 implementation, and a lot of customers have reported the same issue on the Microsoft TechNet forum for Exchange Server 2013 CU14 as well. Working through a Microsoft support ticket, it has been reported back that the bug has already been acknowledged and, for now, the solution is to deploy a new Exchange Server 2013 CU13 or Exchange Server 2016 CU2 server and move all user mailboxes to the new server. Although it is an ugly workaround, for now we have to do this, or I would say we shouldn’t upgrade our Exchange implementation to the current CU until a fix is released by Microsoft.

Being a consultant, I would not recommend deploying Exchange Server 2013 CU14 or Exchange Server 2016 CU3 in your production environment until we have a fix for this bug.

If you are experiencing the same issue in your Exchange organization, I would highly recommend opening a support ticket with Microsoft and letting them know that you are also impacted by the issue. With content indexing failing on a database, you will also see the following event logged on your server.

Watson report about to be sent for process id: 28160, with parameters: E12IIS, c-RTL-AMD64, 15.00.1236.003, M.E.Search.Service, M.E.Data.Directory, M.E.D.D.ScopeSet.GetOrgWideDefaultScopeSet, System.ArgumentNullException, 301, 15.00.1236.000.
ErrorReportingEnabled: False

This issue has been widely reported by many organizations, and I highly recommend testing Exchange updates thoroughly in a dev environment before rolling out the changes to your production Exchange servers.
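A failed content index is easy to miss until users complain that search returns nothing, so it is worth checking for it explicitly after a CU rollout. The Exchange Management Shell snippet below is an added example, not code from the original post: it reports database copies whose content index is not Healthy, lists each server's build so you can see which servers are on the affected CUs, and pulls Application log entries matching the Watson report quoted above. The post does not give the event ID, so the log filter matches on the message text instead; the server name is a placeholder.

```powershell
# Added example, not from the original post. Run from the Exchange
# Management Shell on an Exchange 2013/2016 server.

# 1. Content index state of every database copy on every mailbox server.
#    Anything other than Healthy deserves a look after a CU rollout.
function Get-UnhealthyContentIndexes {
    Get-MailboxServer | ForEach-Object {
        Get-MailboxDatabaseCopyStatus -Server $_.Name
    } | Where-Object { $_.ContentIndexState -ne 'Healthy' } |
        Select-Object Name, Status, ContentIndexState, ContentIndexErrorMessage
}

# 2. Build per server (AdminDisplayVersion shows the CU build), so you can
#    tell which servers were updated to the CU that introduced the problem.
function Get-ExchangeBuilds {
    Get-ExchangeServer | Select-Object Name, ServerRole, AdminDisplayVersion
}

# 3. The Watson report quoted in the post names M.E.Search.Service and
#    GetOrgWideDefaultScopeSet; find matching Application log entries from
#    the last day. 'EX01' is a placeholder server name, and the filter is on
#    message text because the post does not state the event ID.
function Get-SearchServiceWatsonEvents {
    param([string]$ComputerName = 'EX01', [int]$Days = 1)
    Get-WinEvent -ComputerName $ComputerName `
        -FilterHashtable @{ LogName = 'Application'; StartTime = (Get-Date).AddDays(-$Days) } |
        Where-Object { $_.Message -like '*M.E.Search.Service*' -and $_.Message -like '*ScopeSet*' } |
        Select-Object TimeCreated, Id, ProviderName, Message
}

Get-UnhealthyContentIndexes | Format-Table -AutoSize
Get-ExchangeBuilds | Format-Table -AutoSize
Get-SearchServiceWatsonEvents | Format-List
```

Run the first function before and after the update in the dev environment; an index that flips from Healthy to Failed across the CU install is the symptom the post describes.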

Configure Conditional Access for Exchange Online

Introduction to Intune Conditional Access

Microsoft Intune is a cloud-based mobile device, application and PC management solution from Microsoft. Intune helps organizations give employees access to corporate resources from anywhere, on almost any device. Allowing users to access corporate data from anywhere on any device also means we have to consider data security and protect confidentiality. Microsoft Intune conditional access gives us the capability to restrict access to corporate data to ensure compliance and confidentiality.

Intune Conditional Access allows administrators to enforce compliance policies on devices before those devices can access email or SharePoint Online content. Intune Conditional Access policies can restrict access to corporate information based on:

  • Device compliance status
  • Device operating system
  • Application used to access the data

The diagram below depicts how conditional access works in Microsoft Intune. When a user's device requests access to corporate data in Office 365, Intune performs the following checks on the device.

  • Verify whether the device is targeted by a conditional access policy.
  • Verify whether the device is managed by Intune, which requires the user to enroll the device with Intune and register it with Azure AD.
  • Evaluate the device against the configured compliance policies and grant or deny access based on the result.

Intune conditional access requires an Intune subscription, which is available standalone or as part of the Mobility suite.

Intune conditional access is a two-step configuration. You first configure a compliance policy, and once the compliance policy is in place for devices, the next step is to configure the conditional access policy.

Compliance policy includes common device settings like passcode, encryption, and whether or not a device is jailbroken. The device must meet these rules in order to be considered compliant.

Configure Conditional Access for Exchange Online

Configuring conditional access for Exchange Online requires you to complete the following steps.

  • Configure a Compliance Policy
  • Configure a Conditional Access Policy

Configure a Compliance Policy

To configure a compliance policy, perform the following steps.

  • Log in to the Microsoft Intune portal
  • Navigate to Policy > Compliance Policies and click “Add” to create a compliance policy


  • Define the compliance policies and deploy the policy to the users.


Now that the compliance policy is created and deployed, we are ready to configure Intune conditional access.

Configure Conditional Access for Exchange Online

To configure conditional access for Exchange Online, navigate to Policies > Conditional Access > Exchange Online.


  • Enable the Exchange Online conditional access policy

Once the Exchange Online policy is enabled, define the conditional access policies based on your security requirements.


Once conditional access is configured, users receive an email about the change explaining what they have to do to keep using email on their device. As I have configured the policy to restrict access to devices that are domain-joined, domain-joined devices must be registered with Azure AD for Intune to validate them and grant users access to the data; otherwise, users will get the following error on their machines.


Being a consultant, I strongly recommend that my customers leverage Intune conditional access policies to secure data access while empowering users to access corporate data from anywhere at any time.

Configuring Office 365 Modern Authentication

Introduction

Modern authentication in Office 365 uses Active Directory Authentication Library (ADAL)-based sign-in for Office client apps. Modern authentication allows administrators to enable features such as Multi-Factor Authentication (MFA), SAML-based third-party identity providers with Office client applications, and smart card and certificate-based authentication, and it removes the need for Outlook to use the basic authentication protocol.

Why do we need Modern Authentication?

Office 365 Multi-Factor Authentication (MFA) lets you configure an additional layer of security for the user sign-in process to protect data and minimize security risk. Users who are enabled for multi-factor authentication are required to configure an App Password in order to use Office desktop applications, including Outlook, Skype for Business, Word, Excel, PowerPoint and OneDrive for Business. An App Password is a 16-character randomly generated password that an Office client application uses in lieu of the second authentication factor. Because app passwords are randomly generated, they are hard for end users to memorize. Modern authentication in Office 365 lets desktop applications use ADAL-based authentication and eliminates the need to memorize app passwords.

Modern authentication requires a minimum of the Office 2013 client (15.0.4753.1001) installed on workstations.

By default, Office 2016 client apps are enabled for modern authentication and do not require any additional configuration on the client side. For Office 2013 client apps, registry keys must be set on the end user's operating system to enable support for modern authentication. To enable modern authentication support on a Windows workstation running Office 2013 client apps, the following registry keys are required.
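The following script is an added example and not code from the original post. It checks that the installed Outlook 2013 build meets the minimum the post gives (15.0.4753.1001) and then verifies and sets the client-side registry values. The registry location and value names it uses (HKCU\Software\Microsoft\Office\15.0\Common\Identity with DWORD values EnableADAL = 1 and Version = 1) come from Microsoft's published guidance for Office 2013 modern authentication, not from this page, so treat them as an assumption to confirm against current Microsoft documentation before rolling them out, for example through Group Policy Preferences.

```powershell
# Added example, not from the original post. The key path and the two DWORD
# values below are taken from Microsoft's published guidance for Office 2013
# modern authentication; they are not listed on the page (assumption).

$IdentityKey    = 'HKCU:\Software\Microsoft\Office\15.0\Common\Identity'
$RequiredValues = @{ EnableADAL = 1; Version = 1 }
$MinimumBuild   = [version]'15.0.4753.1001'   # minimum Office 2013 build named in the post

# Read the installed Outlook build from its App Paths entry and compare it
# with the minimum build. Returns $false if Outlook is not installed.
function Test-Office2013Build {
    $appPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE'
    $exe = (Get-ItemProperty -Path $appPath -ErrorAction SilentlyContinue).'(default)'
    if (-not $exe -or -not (Test-Path $exe)) { return $false }
    $build = [version](Get-Item $exe).VersionInfo.FileVersion
    return ($build.Major -eq 15 -and $build -ge $MinimumBuild)
}

# Return the names of required values that are missing or have another value.
function Test-Office2013ModernAuth {
    $missing = @()
    foreach ($name in $RequiredValues.Keys) {
        $current = (Get-ItemProperty -Path $IdentityKey -Name $name -ErrorAction SilentlyContinue).$name
        if ($current -ne $RequiredValues[$name]) { $missing += $name }
    }
    return $missing
}

# Create the key if needed and set the DWORD values for the current user.
function Enable-Office2013ModernAuth {
    if (-not (Test-Path $IdentityKey)) { New-Item -Path $IdentityKey -Force | Out-Null }
    foreach ($name in $RequiredValues.Keys) {
        Set-ItemProperty -Path $IdentityKey -Name $name -Value $RequiredValues[$name] -Type DWord
    }
}

if (-not (Test-Office2013Build)) {
    Write-Warning "Outlook 2013 build below $MinimumBuild (or Outlook not found); update Office first."
}
$todo = Test-Office2013ModernAuth
if ($todo.Count -eq 0) {
    Write-Host 'Modern authentication registry values are already in place.'
} else {
    Write-Host "Setting: $($todo -join ', ')"
    Enable-Office2013ModernAuth
}
```

The values live under HKCU, so the script has to run in the user's context (a logon script or user-side GPO), not as a machine-wide installer.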


Configuring Modern Authentication for Office Apps

Modern authentication in Office 365 is enabled per workload. By default, modern authentication is enabled for SharePoint Online, and you do not have to configure anything in SharePoint Online to enable it.

Configuring Exchange Online for Modern Authentication

Follow the steps below to configure Exchange Online for modern authentication in Office 365.

  • To check the current OAuth setting for Exchange Online, connect to Exchange Online PowerShell and run the following cmdlet

Get-OrganizationConfig | ft OAuth*


  • To enable modern authentication for Exchange Online, run the following cmdlet

Set-OrganizationConfig -OAuth2ClientProfileEnabled $True


  • To verify that modern authentication is enabled for Exchange Online, re-run the Get-OrganizationConfig cmdlet


Configuring Skype for Business Online for Modern Authentication

Follow the steps below to configure modern authentication for Skype for Business Online in Office 365.

  • To check the current setting, connect to Skype for Business Online PowerShell and run the following cmdlet

Get-CsOAuthConfiguration

  • To enable modern authentication for Skype for Business Online, run the following cmdlet

Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed

Once modern authentication is enabled for the Office 365 workloads and the client side is updated with the registry keys for Office 2013 clients, the app password requirement is eliminated. MFA-enabled users get the same sign-in experience as users who do not have MFA enabled on their account.
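The Exchange Online and Skype for Business Online steps above use the same pattern: read the setting, change it, read it again. The script below is an added example, not code from the post, that wraps those four cmdlets so both workloads are reported as one object and only changed where they are still off. It assumes both sessions are already imported into the same PowerShell window: an Exchange Online remote session (for Get-/Set-OrganizationConfig) and a Skype for Business Online session created with New-CsOnlineSession and Import-PSSession (for Get-/Set-CsOAuthConfiguration).

```powershell
# Added example, not from the original post. Assumes an Exchange Online
# remote session and a Skype for Business Online session are both imported.

# Report the current modern authentication state of both workloads.
function Get-ModernAuthStatus {
    $exo = Get-OrganizationConfig
    $sfb = Get-CsOAuthConfiguration
    [pscustomobject]@{
        ExchangeOnline         = [bool]$exo.OAuth2ClientProfileEnabled
        SkypeForBusinessOnline = ($sfb.ClientAdalAuthOverride -eq 'Allowed')
        SfbOverrideValue       = $sfb.ClientAdalAuthOverride
    }
}

# Enable modern authentication only where it is still off, then re-read the
# configuration so the result is confirmed rather than assumed.
function Enable-ModernAuth {
    $before = Get-ModernAuthStatus
    if (-not $before.ExchangeOnline) {
        Write-Host 'Enabling modern authentication for Exchange Online'
        Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
    }
    if (-not $before.SkypeForBusinessOnline) {
        Write-Host "Skype for Business Online override is '$($before.SfbOverrideValue)'; setting Allowed"
        Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed
    }
    Get-ModernAuthStatus
}

Get-ModernAuthStatus | Format-List
Enable-ModernAuth | Format-List
```

The second call's output is the verification step the post asks for; if ExchangeOnline or SkypeForBusinessOnline still reads False after it, the Set- cmdlet did not take effect and the session's permissions are the first thing to check.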


Configuring Azure AD Connect to use specific Domain Controller

Introduction

The Microsoft Azure AD Connect (AAD Connect) tool synchronizes your on-premises Active Directory with Office 365. Configuring Azure AD Connect to use a specific domain controller can help expedite the replication of changes to Office 365. I have seen scenarios where on-premises Active Directory changes had not been replicated to Office 365 after 30 minutes even though Azure AD Connect showed a successful Delta Sync status in the MIIS client. This happens because Azure AD Connect is replicating changes to Office 365 from a domain controller that does not yet have your latest updates.

How does Azure AD Connect locate a Domain Controller?

When you deploy the Azure AD Connect tool in an Active Directory forest, Azure AD Connect uses DNS to locate a domain controller. Once Azure AD Connect has a domain controller, it connects to that same domain controller every time until it becomes unreachable, and only then does Azure AD Connect try to connect to another domain controller.

Why do we need to configure Azure AD Connect to use a specific Domain Controller?

Configuring Azure AD Connect to use a specific domain controller is required when you are implementing directory synchronization with Office 365 for a multi-site Active Directory infrastructure where users are in multiple Active Directory sites across the globe. If you are making Active Directory changes and need them replicated to Office 365 quickly, there are two options. Option 1 is to make the changes on the domain controller from which Azure AD Connect replicates changes to Office 365. The downside of option 1 is that you have to look up which domain controller the changes were replicated from during the last sync cycle. Option 2 is to configure the AAD Connect tool to use specific domain controllers. It is much easier to configure the list of domain controllers in the directory sync tool than to wait for replication to happen across Active Directory sites.

Configuring Azure AD Connect to use specific Domain Controller

Once the directory synchronization tool is installed, follow the steps below to configure the list of domain controllers to which the Azure AD Connect tool will connect.

  • Log in to the Azure AD Connect server and run the MIIS client

If you installed the tool in the default location, the MIIS client can be found under C:\Program Files\Microsoft Azure AD Sync\UIShell


  • Navigate to Connectors and open the properties of your Active Directory connector


  • In the Properties window, select Configure Directory Partitions and click Configure to define your preferred domain controllers


  • Enter the FQDN of each preferred domain controller and click Add


  • Once you have defined the preferred domain controllers, make sure you have checked the box next to Only use preferred Domain Controllers


  • Click OK to complete the configuration of preferred domain controllers in the Azure AD Connect tool

The Azure AD Connect tool is now configured to use the preferred domain controllers only. Azure AD Connect will always read from the preferred domain controllers when looking for Active Directory changes to replicate to Office 365. More information on the Azure AD Connect tool can be found here.
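When a change still has not reached Office 365 after the preferred domain controllers are set, the question is whether those domain controllers have received the change at all. The script below is an added example, not code from the post or from Microsoft: for one attribute of one user it reads the replication metadata on every domain controller and reports which ones lag behind, then, if all domain controllers agree, kicks off a delta sync. Replication metadata (Version and LastOriginatingChangeTime) travels with the change, so a domain controller showing a lower Version has not yet received it, which is exactly the situation the introduction describes. It assumes the ActiveDirectory RSAT module on the machine running it and the ADSync module on the Azure AD Connect server; the user name and attribute are placeholders.

```powershell
# Added example, not from the original post. Needs the ActiveDirectory module
# (RSAT) and, for the final step, the ADSync module on the Azure AD Connect
# server. The sAMAccountName and attribute name are placeholders.
Import-Module ActiveDirectory

# Read the replication metadata of one attribute on every domain controller.
function Get-AttributeVersionPerDC {
    param(
        [string]$SamAccountName = 'jdoe',
        [string]$Attribute      = 'proxyAddresses'
    )
    $dn = (Get-ADUser -Identity $SamAccountName).DistinguishedName
    Get-ADDomainController -Filter * | ForEach-Object {
        $dc   = $_.HostName
        $site = $_.Site          # captured here; $_ is the error inside catch
        try {
            $m = Get-ADReplicationAttributeMetadata -Object $dn -Server $dc -Properties $Attribute
            [pscustomobject]@{
                DomainController = $dc
                Site             = $site
                Version          = $m.Version
                LastChange       = $m.LastOriginatingChangeTime
                OriginatingDC    = $m.LastOriginatingChangeDirectoryServerIdentity
                Reachable        = $true
            }
        } catch {
            [pscustomobject]@{
                DomainController = $dc; Site = $site; Version = $null
                LastChange = $null; OriginatingDC = $null; Reachable = $false
            }
        }
    }
}

# Domain controllers whose Version is below the highest one seen anywhere.
function Get-LaggingDCs {
    param([object[]]$Rows)
    $latest = ($Rows | Where-Object Reachable | Measure-Object -Property Version -Maximum).Maximum
    $Rows | Where-Object { $_.Reachable -and $_.Version -lt $latest }
}

$rows = Get-AttributeVersionPerDC
$rows | Format-Table -AutoSize
$lagging = Get-LaggingDCs -Rows $rows
if ($lagging) {
    Write-Warning "DCs without the latest change: $($lagging.DomainController -join ', ')"
} else {
    # Every DC holds the latest version, so a delta sync will pick the change
    # up whichever preferred DC Azure AD Connect connects to.
    Import-Module ADSync
    Start-ADSyncSyncCycle -PolicyType Delta
}
```

If one of the lagging domain controllers is in your preferred list, the fix is inter-site AD replication (or a different preferred domain controller in the site where the changes are made), not another sync cycle.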
