Require TLS with Exchange Online and a custom-made NDR (Non-Delivery Report) with PowerShell, Azure Automation and Conditional Access

Introduction

First things first: This is not a typical topic on this blog, but I do find it highly relevant to share regardless.

The main story here is that if you want to comply with GDPR and other regulations, you might end up in a situation where you need to require TLS for outgoing e-mails. This is easily achievable by configuring the proper transport rules in Exchange Online, but what if the recipient doesn’t support receiving e-mails encrypted with TLS in transit? In that situation, the e-mail typically bounces back after 24 hours of retrying (at the time of writing, this timer is not configurable in Exchange Online).

24 hours is a long time to wait for the Non-Delivery Report, especially for my industry which is the legal vertical, so I had to come up with something else.

PowerShell and Azure Automation to the rescue (and also a little something on how to protect the accounts used with Conditional Access).

Note: Apologies if there are more clever solutions out there to cater for this. I haven’t been able to find any, but I’m sharing regardless, as the use of this can easily be transferred to other needs. 🙂

Read more…

Automatically remind users to update iOS with e-mails and custom notifications using Microsoft Intune PowerShell SDK

Introduction

**Minor update**: https://www.imab.dk/script-update-automatically-remind-users-to-update-ios-with-e-mails-and-custom-notifications-using-microsoft-intune-powershell-sdk/

Long title! It could have been even longer, but I struggled to squeeze in that the e-mail is also sent over Office 365 and the entire deliciousness is running on a schedule with Azure Automation. 🙂

The story here is that iOS is getting updates quite frequently, and a lot of enterprises (including myself) are managing those iOS devices as private BYOD devices enrolled through the Company Portal. As such, keeping the devices up to date is the end-user’s responsibility and something that’s often forgotten and neglected.

So what if we could send those devices and users a kind reminder automatically, both as a custom notification directly on the device and as an e-mail? Microsoft Intune PowerShell SDK to the rescue!

Read more…

Migrate Office 365 ProPlus from 32-bit to 64-bit using Microsoft Intune or SCCM (System Center Configuration Manager)

Introduction

When installing Office 365 ProPlus today, the recommended and default architecture is 64-bit. It has been so for some time, but it is only recently (at the time of writing) that the Office Deployment Tool (ODT for short) has been able to migrate from 32-bit to 64-bit in a single operation.

I have tested the migration using both Microsoft Intune and System Center Configuration Manager, and the outcome is what made this blog post.

Note: Migrating Office 365 ProPlus like this, from 32-bit to 64-bit in production, probably has more to it in terms of considering third-party add-ins. You will have to test and make sure those add-ins are compatible with the relevant 64-bit Office application. I expect there will be some migration paths for those as well, where you will need to remove the 32-bit add-in prior to migrating Office 365 ProPlus to 64-bit.

Read more…

Migrate your OneDrive for Business to Per Machine installation (With or without source files using SCCM and PowerShell)

Introduction

Installing the OneDrive for Business client on a per-machine basis is an often requested feature, and for good reasons. OneDrive in its current state in the production ring installs into the user’s profile in %localappdata%, and for equally good reasons that is often not desired by enterprises.

Now, Microsoft has finally given us an option, allowing us to install OneDrive for the device into %programfiles(x86)%. The option is currently in preview and all the juicy details are found here: https://docs.microsoft.com/en-us/onedrive/per-machine-installation

PS. Credit where due: I was inspired by Per Larsen’s post on doing the same with Microsoft Intune and like many times before, this brought me to doing something on my own for the sharing and learning experience. Enjoy. 🙂

Read more…

Connect to Exchange Online with PowerShell, Modern Authentication and Conditional Access

Introduction

This is not one of the usual topics I blog about, but nonetheless it’s quite relevant. If you leverage Conditional Access to protect your corporate resources, chances are good that you are blocking legacy authentication (or at least that is something you should consider doing).

If you also fancy connecting to Exchange Online using PowerShell for automation reasons, chances are also good that this is done with basic/legacy authentication. This obviously conflicts with my first statement, so I figured it would make a good blog post to describe how to connect to Exchange Online in an automated fashion with Modern Authentication while being protected by Conditional Access.

Read more…

Receive an e-mail alert if an Office 365 Administrator repeatedly fails to provide correct credentials

Introduction

Users with Office 365 administrator roles are highly sensitive users, and besides protecting them with various features such as Conditional Access and MFA, it might be interesting to know if someone tries to brute force or guess their credentials.

In this post I will walk you through how you can set up a policy in Cloud App Security that automatically sends you an e-mail if someone fails to provide the correct credentials for users with any Office 365 administrator role assigned.

Sneak peek at the Cloud App Security portal displaying the alert created during this guide

Read more…