<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Dave Stork&#039;s IMHO</title>
	<atom:link href="https://dirteam.com/dave/feed/" rel="self" type="application/rss+xml" />
	<link>https://dirteam.com/dave/</link>
	<description>A blog mostly about Exchange related stuff.</description>
	<lastBuildDate>Thu, 12 May 2022 00:02:12 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	
	<item>
		<title>Ubiquiti UID and Microsoft 365: SSO with your VPN</title>
		<link>https://dirteam.com/dave/2022/05/12/ubiquiti-uid-and-microsoft-365-sso-with-your-vpn/</link>
					<comments>https://dirteam.com/dave/2022/05/12/ubiquiti-uid-and-microsoft-365-sso-with-your-vpn/#respond</comments>
		
		<dc:creator><![CDATA[Dave Stork]]></dc:creator>
		<pubDate>Thu, 12 May 2022 07:55:00 +0000</pubDate>
				<category><![CDATA[Azure]]></category>
		<category><![CDATA[Office 365]]></category>
		<guid isPermaLink="false">https://dirteam.com/dave/?p=1338</guid>

					<description><![CDATA[<p>One Identity My home network has been Ubiquiti Unifi stuff for years now and I am quite happy with their products. It didn't fail me during numerous video conferencing calls since March 2020 (you know why&#8230;). Now that I am increasingly away from home, I do use the L2TP VPN solution more often to access my home resources. Unfortunately, this solution has a separate set of credentials. I would really like just one identity to ru&#8230; access all my Microsoft</p>
<p>The post <a href="https://dirteam.com/dave/2022/05/12/ubiquiti-uid-and-microsoft-365-sso-with-your-vpn/">Ubiquiti UID and Microsoft 365: SSO with your VPN</a> appeared first on <a href="https://dirteam.com/dave">Dave Stork&#039;s IMHO</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<h2 class="wp-block-heading">One Identity</h2>



<p>My home network has been Ubiquiti Unifi stuff for years now and I am quite happy with their products. It didn't fail me during numerous video conferencing calls since March 2020 (you know why&#8230;). Now that I am increasingly away from home, I do use the L2TP VPN solution more often to access my home resources. Unfortunately, this solution has a separate set of credentials. I would really like just one identity to ru&#8230; access all my Microsoft 365 apps, data and in this case my network.</p>



<p>There are obviously other solutions that I could use to achieve the same goal. Within Unifi you can use a different RADIUS server. With Microsoft 365, you need to use <a href="https://docs.microsoft.com/en-us/azure/active-directory-domain-services/overview" target="_blank" rel="noreferrer noopener">Azure AD Domain Services</a> and a <a href="https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/auth-radius" target="_blank" rel="noreferrer noopener">NPS server to achieve integration</a>. That is overkill, I (<a href="https://dirteam.com/dave/2011/10/06/migrating-to-office-365-part-1-business-case/" target="_blank" rel="noreferrer noopener">still</a>) don't want to add that additional overhead and complexity. Why not talk directly to Azure AD? And this is what <a href="https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/palo-alto-networks-globalprotect-tutorial" target="_blank" rel="noreferrer noopener">other vendors offer</a>. And then I noticed the UID option within my Unifi Dream Machine. Could I connect Ubiquiti UID and Microsoft 365?</p>



<h2 class="wp-block-heading">What is Ubiquiti UID?</h2>



<p>UID stands for <a href="https://www.ui.com/uid" target="_blank" rel="noreferrer noopener">Unifi Identity</a>, and this is Ubiquiti's multi-purpose platform combining all Unifi products in one big cloud-based management solution. This means you can offer the Unifi capabilities to your end users. Not just Wifi/VPN, but also <a href="https://ui.com/door-access" target="_blank" rel="noreferrer noopener">Unifi Access</a> (door/key management) and even other applications and some MDM. It's an interesting mix, but for now I am focusing on the VPN stuff and general steps to achieve my goal: integrate my Microsoft (or Azure AD) identity with my Unifi VPN.</p>



<p class="has-text-align-left"><img fetchpriority="high" decoding="async" width="492" height="314" class="wp-image-1341" style="width: 150px" src="https://dirteam.com/dave/wp-content/uploads/sites/4/2022/05/Unifi-ID-applications-small.png" alt="Screenshot of Unifi OS console with a red arrow pointing towards the UID application" srcset="https://dirteam.com/dave/wp-content/uploads/sites/4/2022/05/Unifi-ID-applications-small.png 492w, https://dirteam.com/dave/wp-content/uploads/sites/4/2022/05/Unifi-ID-applications-small-300x191.png 300w" sizes="(max-width: 492px) 100vw, 492px" />Ubiquiti has good documentation on setting this all up, so I will only mention the general steps and link to their pages. The first step is to get a UID workspace. In the USA UID is already generally available, but in Canada and Europe they offer an early preview. You <a href="https://login.uid.ui.com/workspace-request" target="_blank" rel="noreferrer noopener">can </a><a href="https://wiki.ui.com/docs/uid-apply-for-a-uid-workspace" target="_blank" rel="noreferrer noopener">request</a><a href="https://login.uid.ui.com/workspace-request" target="_blank" rel="noreferrer noopener"> a workspace</a>, I got mine within hours and it looks like https://&lt;name&gt;.ui.com/portal. The next step is to <a href="https://wiki.ui.com/docs/install-uid-agent" target="_blank" rel="noreferrer noopener">connect to your on-premises Unifi OS console via the UID agent application</a>, which you must install on your device.</p>



<h2 class="wp-block-heading">The mobile app is key</h2>



<div class="wp-block-columns is-layout-flex wp-container-core-columns-is-layout-9d6595d7 wp-block-columns-is-layout-flex">
<div class="wp-block-column is-layout-flow wp-block-column-is-layout-flow" style="flex-basis:25%">
<figure class="wp-block-image size-medium is-style-default"><a href="https://dirteam.com/dave/wp-content/uploads/sites/4/2022/05/Unifi-ID-screenshot-app.png"><img decoding="async" width="154" height="300" src="https://dirteam.com/dave/wp-content/uploads/sites/4/2022/05/Unifi-ID-screenshot-app-154x300.png" alt="Unifi ID mobile app on a mobile phone, stock image from Ubiquiti." class="wp-image-1342" srcset="https://dirteam.com/dave/wp-content/uploads/sites/4/2022/05/Unifi-ID-screenshot-app-154x300.png 154w, https://dirteam.com/dave/wp-content/uploads/sites/4/2022/05/Unifi-ID-screenshot-app.png 326w" sizes="(max-width: 154px) 100vw, 154px" /></a></figure>
</div>



<div class="wp-block-column is-layout-flow wp-block-column-is-layout-flow">
<p>You can enable the desired services within the UID agent application, but the exact configuration must be done via UID Manager Portal, which can be reached via https://&lt;name&gt;.ui.com/cloud or via the UID portal. I did not <a href="https://wiki.ui.com/docs/set-up-vpn" target="_blank" rel="noreferrer noopener">really change much</a> and the UID VPN already worked, via the UID mobile app. </p>



<p>The <a href="https://wiki.ui.com/docs/ui-mobile-application" target="_blank" rel="noreferrer noopener">UID mobile app</a> is a very user-friendly way to deploy the available services. With a click on a button the user can enable a VPN, connect to Wi-Fi, open doors and more. Now the question becomes: how do you provision this app? After downloading and installing the app (which you could do via your MDM solution) the only thing to configure is the workspace name and then the user needs to authenticate. More on that below.</p>



<p>The UID adds a VPN configuration into your mobile device, so do note that other VPN connections cannot be active at the same time. I also use MS Defender with Web Protect, that won't be active during your UID VPN. Be aware of that.</p>



<p>There is also a separate authenticator app called UI Verify, which uses push notifications when authenticating with the UID portals. You can set other MFA methods however, but I'm not sure whether you can fully dispense with yet another Authenticator app on your phone. You can configure MFA requirements via policies, but I haven't investigated this much.</p>
</div>
</div>



<h2 class="wp-block-heading">Enabling SSO with Microsoft 365</h2>



<p>Now the big question: how do I use the same credentials from my Microsoft 365 account? So, for this to work you require access to the additional feature called "Identity Providers". This was not available, and I had to request this as this is an early preview for my region. I don't remember where I had to do this, it's somewhere in the UID Cloud Management. In any case, when your feature expansion is successful, I <a href="https://wiki.ui.com/docs/uid-set-up-microsoft-sso" target="_blank" rel="noreferrer noopener">followed the instructions to connect UID and Microsoft 365/Azure AD via an Enterprise Application</a>. You still need to provision users within UID, it does need a user object that must match with your Microsoft 365 users. Luckily, this can be achieved via an easy import step.</p>



<p>And what is the user experience? The user must install the app obviously or you could deploy that via your MDM solution. At first startup, the user must enter the UID workspace name for your organization. When that is done, the user needs to authenticate. Because you've set up SSO, you can select the Microsoft 365 option instead of username/password. And depending on your security settings, you might require UID MFA. But after that you have access to your UID capabilities! See my YouTube short for an example.</p>



<figure class="wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio"><div class="wp-block-embed__wrapper">
<iframe title="Unifi ID Mobile Provisioning with Microsoft 365 (passwordless)." width="675" height="380" src="https://www.youtube.com/embed/YehEX-dX_fI?feature=oembed" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
</div></figure>



<h2 class="wp-block-heading">Concluding</h2>



<p>Yes, with UID and the expansion to include Identity Providers I can achieve my goal of having just one identity and gain access to my internal network. I hope my writeup gave you an idea of the possibilities of UID with Microsoft 365. But be aware that this is an early preview for me, and the expansion is only a trial. Specifically, the Identity Provider capability looks like it is going to be a <a href="https://ui.com/uid#pricing-plans" target="_blank" rel="noreferrer noopener">paid subscription on a per user/per month basis</a>, which is not surprising as that is often the case for more enterprise level integration.</p>



<p>This was only a quick view to see what you could do with it. Your mileage may vary, especially with the end-user experience as my device wasn't fully out-of-the-box (Intune Managed and all). I've left a lot with standard settings, and some require some additional attention to increase security. For one, the VPN configuration has a temporary user password of only eight characters, I would've preferred at least sixteen but as the user never has to type it in why not the maximum of thirty? Or use certificates. Also, my tenant was configured to allow passwordless logon and it was enabled on this phone for the account I tested. Those are things that factor in.</p>



<p>There are a lot more capabilities with UID and there is a lot of overlap if you already have Intune/Endpoint Management for instance. But if you have invested in Ubiquiti Unifi hardware and were waiting for an integration with Microsoft 365 (or Google or other SAML providers), this might be worth checking out. At least now I can have a VPN based on single identity! <img src="https://s.w.org/images/core/emoji/17.0.2/72x72/1f600.png" alt="😀" class="wp-smiley" style="height: 1em; max-height: 1em;" /></p>



<pre class="wp-block-verse">Note: This is not a paid/unpaid endorsement of Ubiquiti, Unifi or UID. Just a quick product review and experiences out of personal interest, specifically on what is possible with Ubiquiti UID combined with Microsoft 365 and the end-user experience.</pre>
]]></content:encoded>
					
					<wfw:commentRss>https://dirteam.com/dave/2022/05/12/ubiquiti-uid-and-microsoft-365-sso-with-your-vpn/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Exam MS-220 Exchange Online Troubleshooting list of sources</title>
		<link>https://dirteam.com/dave/2022/04/26/exam-ms-220-exchange-online-troubleshooting-list-of-sources/</link>
					<comments>https://dirteam.com/dave/2022/04/26/exam-ms-220-exchange-online-troubleshooting-list-of-sources/#respond</comments>
		
		<dc:creator><![CDATA[Dave Stork]]></dc:creator>
		<pubDate>Tue, 26 Apr 2022 07:50:00 +0000</pubDate>
				<category><![CDATA[Certification]]></category>
		<category><![CDATA[Exchange]]></category>
		<guid isPermaLink="false">https://dirteam.com/dave/?p=1322</guid>

					<description><![CDATA[<p>This month the beta exam MS-220: Troubleshooting Microsoft Exchange Online became available. This exam will provide the Microsoft 365 Certified: Exchange Online Support Engineer Specialty. Microsoft Learning announced this new certification in March. Because it's a beta exam there is not a lot of training material or courses (yet) you can use to prepare. I've created a list of reference articles while preparing for this exam myself. I did something similar with the Exchange Server 2013 beta exam! &#x1f913; You</p>
<p>The post <a href="https://dirteam.com/dave/2022/04/26/exam-ms-220-exchange-online-troubleshooting-list-of-sources/">Exam MS-220 Exchange Online Troubleshooting list of sources</a> appeared first on <a href="https://dirteam.com/dave">Dave Stork&#039;s IMHO</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>This month the beta exam MS-220: <a href="https://docs.microsoft.com/en-us/learn/certifications/exams/ms-220" target="_blank" rel="noreferrer noopener">Troubleshooting Microsoft Exchange Online</a> became available. This exam will provide the Microsoft 365 Certified: <a href="https://docs.microsoft.com/en-us/learn/certifications/m365-exchange-online-support-engineer-specialty/" target="_blank" rel="noreferrer noopener">Exchange Online Support Engineer Specialty</a>. Microsoft Learning announced this <a href="https://techcommunity.microsoft.com/t5/microsoft-learn-blog/coming-soon-support-engineer-certification-for-microsoft/ba-p/3239040" target="_blank" rel="noreferrer noopener">new certification</a> in March.</p>



<p>Because it's a beta exam there is not a lot of training material or courses (yet) you can use to prepare. I've created a list of reference articles while preparing for this exam myself. I did <a href="https://dirteam.com/dave/2012/11/04/preparing-for-the-exchange-2013-beta-exams/" target="_blank" rel="noreferrer noopener">something similar</a> with the Exchange Server <a href="https://dirteam.com/dave/2012/11/14/aftermath-the-exchange-2013-beta-exams/" target="_blank" rel="noreferrer noopener">2013 beta exam</a>! <img src="https://s.w.org/images/core/emoji/17.0.2/72x72/1f913.png" alt="🤓" class="wp-smiley" style="height: 1em; max-height: 1em;" /></p>



<p>You can find the list on <a href="https://github.com/dmstork" target="_blank" rel="noreferrer noopener">my GitHub page</a>, within the <a href="https://github.com/dmstork/exam-reference" target="_blank" rel="noreferrer noopener">exam-reference repository</a>. I plan to use that one a little bit more for learning sources for some of the exams I plan to (re)take this year. Feel free to add your own information!</p>



<p><a href="https://github.com/dmstork/exam-reference/blob/main/ms220-skills-measured.md" target="_blank" rel="noreferrer noopener">Click here to go directly to the MS-220 content</a>. And pass that Exam MS-220 Exchange Troubleshooting!</p>



<p>And on another note, I've just <a href="https://www.credly.com/badges/19ec31a1-1d6b-4e04-97d5-afa6f7cff24d/public_url" target="_blank" rel="noreferrer noopener">renewed my Microsoft Certified Trainer (MCT) certification </a>for another year! <img src="https://s.w.org/images/core/emoji/17.0.2/72x72/1f917.png" alt="🤗" class="wp-smiley" style="height: 1em; max-height: 1em;" /> </p>
]]></content:encoded>
					
					<wfw:commentRss>https://dirteam.com/dave/2022/04/26/exam-ms-220-exchange-online-troubleshooting-list-of-sources/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>I will host an ESPC live webinar &quot;Controlling your Enterprise Mail flow&quot; on October 26th</title>
		<link>https://dirteam.com/dave/2021/10/12/i-will-host-an-espc-webinar-controlling-your-enterprise-mailflow/</link>
					<comments>https://dirteam.com/dave/2021/10/12/i-will-host-an-espc-webinar-controlling-your-enterprise-mailflow/#respond</comments>
		
		<dc:creator><![CDATA[Dave Stork]]></dc:creator>
		<pubDate>Tue, 12 Oct 2021 09:25:36 +0000</pubDate>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Events]]></category>
		<category><![CDATA[SMTP]]></category>
		<guid isPermaLink="false">https://dirteam.com/dave/?p=1305</guid>

					<description><![CDATA[<p>I will be hosting a webinar on the 26th of October with the title "Controlling your Enterprise Mail flow". The European SharePoint, Office 365 and Azure Conference (ESPC) is hosting this live event webinar. It is a topic I have frequently visited before. However, I still find organizations struggle with it. If you are a mail admin and struggling with this, this webinar might be for you! The session abstract: In "Controlling your Enterprise Mail flow", Microsoft MVP Dave</p>
<p>The post <a href="https://dirteam.com/dave/2021/10/12/i-will-host-an-espc-webinar-controlling-your-enterprise-mailflow/">I will host an ESPC live webinar &quot;Controlling your Enterprise Mail flow&quot; on October 26th</a> appeared first on <a href="https://dirteam.com/dave">Dave Stork&#039;s IMHO</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>I will be hosting a webinar on the 26th of October with the title "Controlling your Enterprise Mail flow". The European SharePoint, Office 365 and Azure Conference (ESPC) is hosting this live event webinar. It is a topic I have <a href="https://dirteam.com/dave/2021/06/24/i-will-be-speaking-at-a-wicca-online-event-next-week/" target="_blank" rel="noreferrer noopener">frequently </a><a href="https://dirteam.com/dave/2018/10/08/i-will-be-speaking-at-it-dev-connections-2018/" target="_blank" rel="noreferrer noopener">visited </a> before. However, I still find organizations struggle with it. If you are a mail admin and struggling with this, this webinar might be for you!</p>



<p>The session abstract:</p>



<div class="wp-block-group"><div class="wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow">
<div class="wp-block-group"><div class="wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow">
<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"><p>In "Controlling your Enterprise Mail flow", Microsoft MVP Dave Stork will cover key techniques and strategies that protect your organization’s inbound and outbound mail flow.</p></blockquote>
</div></div>
</div></div>



<blockquote class="wp-block-quote is-style-default is-layout-flow wp-block-quote-is-layout-flow"><p>Topics that the speaker will cover:<br>– Implementing SPF, DKIM and DMARC and similar technologies to prevent spoofing.<br>– Dealing with mail subdomains, forwarding and mail from other SaaS services.<br>– Going through mail headers to check mails for authenticity yourself and to extract other useful information.</p></blockquote>



<div class="wp-block-group"><div class="wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow">
<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"><p>This session will also discuss the drawbacks and challenges that one is guaranteed to encounter, sharing the speaker’s experiences. Case studies will focus primarily on Microsoft Exchange Online/Microsoft 365. The goal is to quickly take your mail flow infrastructure to a higher and more secure level and is ideal for getting a clear overview of the most important things to protect your IT environment and your brand.</p></blockquote>
</div></div>



<figure class="wp-block-image size-large"><img decoding="async" src="https://cdn.sharepointeurope.com/wp-content/uploads/2021/08/Dave-Stork-Webinar-v2.png" alt="" /><figcaption><a href="https://www.sharepointeurope.com/register-for-webinars/" target="_blank" rel="noreferrer noopener">https://www.sharepointeurope.com/register-for-webinars/</a></figcaption></figure>



<p>Click the image or <a href="https://www.sharepointeurope.com/register-for-webinars/" target="_blank" rel="noreferrer noopener">here </a>to register for the webinar!</p>
]]></content:encoded>
					
					<wfw:commentRss>https://dirteam.com/dave/2021/10/12/i-will-host-an-espc-webinar-controlling-your-enterprise-mailflow/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>One year at NeoNomads! Eight years as an MVP!</title>
		<link>https://dirteam.com/dave/2021/07/01/one-year-at-neonomads-eight-years-as-an-mvp/</link>
					<comments>https://dirteam.com/dave/2021/07/01/one-year-at-neonomads-eight-years-as-an-mvp/#respond</comments>
		
		<dc:creator><![CDATA[Dave Stork]]></dc:creator>
		<pubDate>Thu, 01 Jul 2021 18:16:04 +0000</pubDate>
				<category><![CDATA[Personal]]></category>
		<guid isPermaLink="false">https://dirteam.com/dave/?p=1294</guid>

					<description><![CDATA[<p>2020 has been a weird year for me. We sold our house and bought an apartment, moved to a different city in The Netherlands and soon after that, decided to quit my job at the same company for over 18 years. A difficult decision but a necessary one. I planned to take three months off for some travelling and self-reflection and to decide what to do next. And then the pandemic happened&#8230; Yeah, those were some interesting weeks (read: I</p>
<p>The post <a href="https://dirteam.com/dave/2021/07/01/one-year-at-neonomads-eight-years-as-an-mvp/">One year at NeoNomads! Eight years as an MVP!</a> appeared first on <a href="https://dirteam.com/dave">Dave Stork&#039;s IMHO</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>2020 has been a weird year for me. We sold our house and bought an apartment, moved to a different city in The Netherlands and soon after that, decided to quit my job at the same company for over 18 years. A difficult decision but a necessary one. I planned to take three months off for some travelling and self-reflection and to decide what to do next. And then the pandemic happened&#8230;</p>



<p>Yeah, those were some interesting weeks (read: I freaked out a little bit). But very soon I discovered that those worries and self-doubt I had weren't necessary. I am privileged to work in a prosperous country and a work field very much in demand. But I also realized I have some very valuable skills to offer. Very soon my calendar was full with a lot of planned discussions with quite a few companies. I think 20-30 Teams calls in about 5 weeks' time. Those discussions really helped me formulate my needs and wants in my work life. </p>



<h2 class="wp-block-heading">NeoNomads</h2>



<p>In the end the best match was with NeoNomads. A small company, just starting out but I knew some of those who already worked there and our interests were very much aligned. I wanted to build something, help the company and others grow while doing interesting work. Work that is appreciated, challenging and something to be proud about. </p>



<p>After one year I can say that it was a good decision to join and I am still very happy I made the jump. Even with a lot of other personal stuff and this horrible pandemic, I am in a better place now than I was in January 2020. Luck, privilege, but also hard work and good company. The vaccine in my arm also helps. Thank you science!</p>



<h2 class="wp-block-heading">MVP renewal</h2>



<div class="wp-block-image"><figure class="aligncenter size-large is-resized"><img loading="lazy" decoding="async" src="https://am3pap006files.storage.live.com/y4mAwYPPURwt2RlbvpER1T0c-bSJVH7isu2PpyyYFIzp8waY_eLS-dvMC3bI_0WPKS8b_NJtvW22m1cJxMdUU2B3uCjlHtr5lrftIBz8B-IShGHWCIAlII-GYmIMk_k0iigMRCBYVxLlKYgBgOmfXLRp6ZnKcLNy3f6MQ_dXc1it1A?width=660&amp;height=270&amp;cropmode=none" alt="MVP Renewal mail from Microsoft in Dutch." width="495" height="203" /></figure></div>



<p>I got renewed as a Microsoft MVP today! It motivates me to continue to share with the tech community. I didn't do the things I hoped I could do in 2020, which makes this renewal feel very weird and a little bit unearned. I intend to contribute more in the upcoming months however. Got some plans in the works <img src="https://s.w.org/images/core/emoji/17.0.2/72x72/1f609.png" alt="😉" class="wp-smiley" style="height: 1em; max-height: 1em;" /></p>



<p>And I hope we can meet more in person internationally again soon. Things are somewhat looking better here, but the world as a whole is not out of the woods yet. Stay safe, get vaccinated if possible and, for those that can, consider donating to good causes that help fight this pandemic all over the world.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://dirteam.com/dave/2021/07/01/one-year-at-neonomads-eight-years-as-an-mvp/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>I will be speaking at a WICCA online event next week!</title>
		<link>https://dirteam.com/dave/2021/06/24/i-will-be-speaking-at-a-wicca-online-event-next-week/</link>
					<comments>https://dirteam.com/dave/2021/06/24/i-will-be-speaking-at-a-wicca-online-event-next-week/#respond</comments>
		
		<dc:creator><![CDATA[Dave Stork]]></dc:creator>
		<pubDate>Thu, 24 Jun 2021 18:24:18 +0000</pubDate>
				<category><![CDATA[Events]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[SMTP]]></category>
		<guid isPermaLink="false">https://dirteam.com/dave/?p=1285</guid>

					<description><![CDATA[<p>It's been a while, but I will be speaking at a WICCA online event next week. WICCA stands for "Women In Cybersecurity Community Association". Their goal is "to bring infosec ladies and female security enthusiasts together to learn about exploits, hacking, incident response, forensics, the low-level stuff and make bad crypto jokes!" At their June virtual meetup, I will be doing a presentation about mail flow. Specifically, around SPF, DKIM, DMARC and mail header analysis. An interesting topic if I</p>
<p>The post <a href="https://dirteam.com/dave/2021/06/24/i-will-be-speaking-at-a-wicca-online-event-next-week/">I will be speaking at a WICCA online event next week!</a> appeared first on <a href="https://dirteam.com/dave">Dave Stork&#039;s IMHO</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p class="has-text-align-left"><img decoding="async" class="wp-image-1274" style="width: 150px" src="https://dirteam.com/legacy/dave/WICCA_400x400.jpg" alt=""><br>It's been a while, but I will be speaking at a WICCA online event next week. <a href="https://womenofwicca.nl/about/" target="_blank" rel="noreferrer noopener">WICCA </a>stands for "Women In Cybersecurity Community Association". Their goal is "to bring infosec ladies and female security enthusiasts together to learn about exploits, hacking, incident response, forensics, the low-level stuff and make bad crypto jokes!" </p>



<p>At their June virtual meetup, I will be doing a presentation about mail flow. Specifically, around SPF, DKIM, DMARC and mail header analysis. An <a href="https://dirteam.com/dave/2018/10/08/i-will-be-speaking-at-it-dev-connections-2018/" target="_blank" rel="noreferrer noopener">interesting </a><a href="https://dirteam.com/dave/2018/03/30/ill-be-speaking-at-european-collaboration-summit-2018/" target="_blank" rel="noreferrer noopener">topic </a>if I say so myself <img src="https://s.w.org/images/core/emoji/17.0.2/72x72/1f609.png" alt="😉" class="wp-smiley" style="height: 1em; max-height: 1em;" />. However, it can be quite challenging to get familiar with. I hope I can help with that.</p>



<p>The event is open to all. It will be in English. You can sign up via <a href="https://www.meetup.com/wiccaNL/" target="_blank" rel="noreferrer noopener">their MeetUp page</a>.</p>



<p>If the topic isn't interesting for you there is another speaker that evening. They are a quite active community, and you can also support them in several ways.  Check <a href="https://womenofwicca.nl/" target="_blank" rel="noreferrer noopener">their website</a>!</p>
<p>The post <a href="https://dirteam.com/dave/2021/06/24/i-will-be-speaking-at-a-wicca-online-event-next-week/">I will be speaking at a WICCA online event next week!</a> appeared first on <a href="https://dirteam.com/dave">Dave Stork&#039;s IMHO</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://dirteam.com/dave/2021/06/24/i-will-be-speaking-at-a-wicca-online-event-next-week/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Easily list mail DNS records via this PowerShell script</title>
		<link>https://dirteam.com/dave/2020/10/30/mail-related-dns-records-via-powershell/</link>
					<comments>https://dirteam.com/dave/2020/10/30/mail-related-dns-records-via-powershell/#comments</comments>
		
		<dc:creator><![CDATA[Dave Stork]]></dc:creator>
		<pubDate>Fri, 30 Oct 2020 14:56:17 +0000</pubDate>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Exchange]]></category>
		<category><![CDATA[Office 365]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[SMTP]]></category>
		<guid isPermaLink="false">https://dirteam.com/dave/?p=1268</guid>

					<description><![CDATA[<p><span class="span-reading-time rt-reading-time" style="display: block;"><span class="rt-label rt-prefix">Reading Time: </span> <span class="rt-time"> 2</span> <span class="rt-label rt-postfix">minutes</span></span>I get to investigate quite some mail environments in my work as a consultant. At a certain point you see some patterns emerging. One of those patterns is the correct configuration of mail related DNS records. It's one of the first things I check when I must check an unfamiliar environment. I have talked about this anti-spoofing topic on numerous occasions. I would compare it to a ping test when there are network issues. For several years I have worked</p>
<p>The post <a href="https://dirteam.com/dave/2020/10/30/mail-related-dns-records-via-powershell/">Easily list mail DNS records via this PowerShell script</a> appeared first on <a href="https://dirteam.com/dave">Dave Stork&#039;s IMHO</a>.</p>
]]></description>
										<content:encoded><![CDATA[<span class="span-reading-time rt-reading-time" style="display: block;"><span class="rt-label rt-prefix">Reading Time: </span> <span class="rt-time"> 2</span> <span class="rt-label rt-postfix">minutes</span></span>
<p>I get to investigate quite some mail environments in my work as a consultant. At a certain point you see some patterns emerging. One of those patterns is the correct configuration of mail related DNS records. It's one of the first things I check when I must check an unfamiliar environment. <a href="https://dirteam.com/dave/2018/03/30/ill-be-speaking-at-european-collaboration-summit-2018/" target="_blank" rel="noreferrer noopener">I have talked about this anti-spoofing topic</a> on numerous occasions. I would compare it to a ping test when there are network issues.</p>



<p>For several years I have worked on a simple PowerShell script that quickly lists the <a href="https://practical365.com/exchange-server/mx-record/" target="_blank" rel="noreferrer noopener">MX</a>, <a href="https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/how-office-365-uses-spf-to-prevent-spoofing" target="_blank" rel="noreferrer noopener">SPF</a>, <a href="https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/use-dmarc-to-validate-email" target="_blank" rel="noreferrer noopener">DMARC </a>DNS records and recently added some <a href="https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/use-dkim-to-validate-outbound-email" target="_blank" rel="noreferrer noopener">DKIM </a>selector checks as well. It is a bit of a hassle to check the DNS configuration by hand. And I decided to share this script with the public. I hope it will help with the correct configuration of those records and limit mail issues and spoofing. </p>



<p>You can <a href="https://github.com/dmstork/Show-AntiSpoof" target="_blank" rel="noreferrer noopener">download the script at GitHub</a>. </p>



<p>Easily list your domains with this PowerShell script by using Exchange (Remote) PowerShell. It will automatically check all your accepted domains, either on-premises or in the cloud. If you can't connect to an Exchange environment, you can specify a single mail domain while just running PowerShell. </p>



<figure class="wp-block-image size-large is-resized"><img loading="lazy" decoding="async" src="https://dirteam.com/dave/wp-content/uploads/sites/4/2020/10/Screenshot-Show-AntiSpoof--1024x406.png" alt="Screenshot of the script output for one specific domain." class="wp-image-1274" width="708" height="280" srcset="https://dirteam.com/dave/wp-content/uploads/sites/4/2020/10/Screenshot-Show-AntiSpoof--1024x406.png 1024w, https://dirteam.com/dave/wp-content/uploads/sites/4/2020/10/Screenshot-Show-AntiSpoof--300x119.png 300w, https://dirteam.com/dave/wp-content/uploads/sites/4/2020/10/Screenshot-Show-AntiSpoof--768x304.png 768w, https://dirteam.com/dave/wp-content/uploads/sites/4/2020/10/Screenshot-Show-AntiSpoof--1536x609.png 1536w, https://dirteam.com/dave/wp-content/uploads/sites/4/2020/10/Screenshot-Show-AntiSpoof-.png 1660w" sizes="auto, (max-width: 708px) 100vw, 708px" /><figcaption>Example script output for one specific domain listing MX , SPF , DMARC records and the presence of DKIM records.</figcaption></figure>



<p>You still must work to improve the environment if required, but I found this tool immensely helpful and it takes some burden away. As a PowerShell script should do. Feel free to leave comments, issues, feature requests and the like. I have some things I want to add such as <a href="https://www.microsoft.com/en-us/microsoft-365/roadmap?filters=&amp;searchterms=dane" target="_blank" rel="noreferrer noopener">DANE </a>and <a href="https://www.microsoft.com/en-us/microsoft-365/roadmap?filters=&amp;searchterms=mta-sts" target="_blank" rel="noreferrer noopener">MTA-STS</a> and some other things. </p>



<p>It's the first time I've published a script of mine publicly, so my GitHub page might be rough <img src="https://s.w.org/images/core/emoji/17.0.2/72x72/1f609.png" alt="😉" class="wp-smiley" style="height: 1em; max-height: 1em;" /></p>
<p>The post <a href="https://dirteam.com/dave/2020/10/30/mail-related-dns-records-via-powershell/">Easily list mail DNS records via this PowerShell script</a> appeared first on <a href="https://dirteam.com/dave">Dave Stork&#039;s IMHO</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://dirteam.com/dave/2020/10/30/mail-related-dns-records-via-powershell/feed/</wfw:commentRss>
			<slash:comments>5</slash:comments>
		
		
			</item>
		<item>
		<title>Exchange Online finally has plus addressing!</title>
		<link>https://dirteam.com/dave/2020/09/30/exchange-online-finally-has-plus-addressing/</link>
					<comments>https://dirteam.com/dave/2020/09/30/exchange-online-finally-has-plus-addressing/#comments</comments>
		
		<dc:creator><![CDATA[Dave Stork]]></dc:creator>
		<pubDate>Wed, 30 Sep 2020 21:57:41 +0000</pubDate>
				<category><![CDATA[Exchange]]></category>
		<category><![CDATA[Management]]></category>
		<category><![CDATA[Office 365]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<guid isPermaLink="false">https://dirteam.com/dave/?p=1260</guid>

					<description><![CDATA[<p><span class="span-reading-time rt-reading-time" style="display: block;"><span class="rt-label rt-prefix">Reading Time: </span> <span class="rt-time"> 2</span> <span class="rt-label rt-postfix">minutes</span></span>During the virtual Microsoft Ignite 2020, the Exchange Product Group announced the general availability of plus address support in Exchange Online. This has been a long-requested feature; I blogged about this in 2014 and Microsoft already announced it during Microsoft Ignite 2019. But now it's here! Considering enabling Plus Addressing And if you re-read my 2014 post, you might read that I was a bit skeptical whether organizations would enable this. It is still certainly a feature that would</p>
<p>The post <a href="https://dirteam.com/dave/2020/09/30/exchange-online-finally-has-plus-addressing/">Exchange Online finally has plus addressing!</a> appeared first on <a href="https://dirteam.com/dave">Dave Stork&#039;s IMHO</a>.</p>
]]></description>
										<content:encoded><![CDATA[<span class="span-reading-time rt-reading-time" style="display: block;"><span class="rt-label rt-prefix">Reading Time: </span> <span class="rt-time"> 2</span> <span class="rt-label rt-postfix">minutes</span></span>
<p>During the virtual Microsoft Ignite 2020, the Exchange Product Group announced the <a href="https://techcommunity.microsoft.com/t5/exchange-team-blog/exchange-online-transport-news-from-microsoft-ignite-2020/ba-p/1687699" target="_blank" rel="noreferrer noopener">general availability of plus address support in Exchange Online</a>. This has been a long-requested feature; <a href="https://dirteam.com/dave/2014/11/19/mail-address-sieve-and-exchange/" target="_blank" rel="noreferrer noopener">I blogged about this in 2014</a> and Microsoft already announced it during <a href="https://techcommunity.microsoft.com/t5/exchange-team-blog/exchange-transport-news-from-microsoft-ignite-2019/ba-p/993417" target="_blank" rel="noreferrer noopener">Microsoft Ignite 2019</a>. But now it's here!</p>



<h2 class="wp-block-heading">Considering enabling Plus Addressing</h2>



<p>And if you re-read my 2014 post, you might read that I was a bit skeptical whether organizations would enable this. It is still certainly a feature that would require some forethought. However, my opinion has changed over the years. It can limit the number of alias addresses a mailbox would need. </p>



<p>I checked how the end user experience is and for one the recipient does see the Plus Address that was used to send that mail. This means that Outlook rules can be triggered by the + suffix, which should be logical. Also, the To: field shows the added plus suffix in Outlook (desktop, web and Mobile).</p>



<div class="wp-block-image"><figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="481" height="78" src="https://dirteam.com/dave/wp-content/uploads/sites/4/2020/10/Outlook-Plus-Addressing-1.jpg" alt="" class="wp-image-1262" srcset="https://dirteam.com/dave/wp-content/uploads/sites/4/2020/10/Outlook-Plus-Addressing-1.jpg 481w, https://dirteam.com/dave/wp-content/uploads/sites/4/2020/10/Outlook-Plus-Addressing-1-300x49.jpg 300w" sizes="auto, (max-width: 481px) 100vw, 481px" /></figure></div>



<p>I examined the headers of this test mail and the To: field has the plus address, which is logical and kind of the purpose of plus addressing: you want to know how your address was found. Do note that there is matching with the display name in your Global Address List and such. It also means that specific services that rely on exact matching of the SMTP address might not work as intended (Office 365 Message Encryption, S/MIME come to mind). Take that into account as well before deploying and informing your users.</p>



<p>Unfortunately, I couldn't test plus addressing in an Exchange Hybrid setup (I must repair my lab <img src="https://s.w.org/images/core/emoji/17.0.2/72x72/1f611.png" alt="😑" class="wp-smiley" style="height: 1em; max-height: 1em;" />) and check how on-premises mailboxes would react. There is no formal on-premises support for Plus Addressing; it is therefore possible that on-premises mailboxes might behave differently than cloud mailboxes. When I figure this out, I'll update this blog.</p>



<p>Also, it does not hide the normal mail address of a recipient. If your goal is to limit leaking mail addresses when signing up for other services for instance, this feature won't protect you when the normal address is easily deduced by stripping the plus suffix. You could mitigate this by giving your users a bland alias that they could use with plus addressing.</p>



<h2 class="wp-block-heading">Enabling Plus Addressing</h2>



<p>Be sure that no mail addresses in your environment already have a + in them. It is a legal character in email addresses and it could stand in the way when you want to use this feature. You can find them with this one-liner, which should list all recipient objects with a + in their mail address:</p>



<p class="has-text-align-center"><em>Get-Recipient | Where {$_.EmailAddresses -like "*+*"} </em></p>



<p>You should check your on-premises environment as well. Better to be thorough now. Enabling the feature is tenant wide:</p>



<p class="has-text-align-center"><em>Set-OrganizationConfig -AllowPlusAddressInRecipients $true</em></p>



<p>It might take a while to activate, but in my case a test was successful after a few minutes.</p>



<p>Have you enabled it? Or did you run into problems in your environment? Let me know in the comments!</p>
<p>The post <a href="https://dirteam.com/dave/2020/09/30/exchange-online-finally-has-plus-addressing/">Exchange Online finally has plus addressing!</a> appeared first on <a href="https://dirteam.com/dave">Dave Stork&#039;s IMHO</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://dirteam.com/dave/2020/09/30/exchange-online-finally-has-plus-addressing/feed/</wfw:commentRss>
			<slash:comments>1</slash:comments>
		
		
			</item>
		<item>
		<title>Quick tips to limit sending mail to the wrong recipient</title>
		<link>https://dirteam.com/dave/2020/08/05/quick-tips-to-limit-sending-mail-to-the-wrong-recipient/</link>
					<comments>https://dirteam.com/dave/2020/08/05/quick-tips-to-limit-sending-mail-to-the-wrong-recipient/#respond</comments>
		
		<dc:creator><![CDATA[Dave Stork]]></dc:creator>
		<pubDate>Wed, 05 Aug 2020 18:45:54 +0000</pubDate>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Exchange]]></category>
		<category><![CDATA[Security]]></category>
		<guid isPermaLink="false">https://dirteam.com/dave/?p=1209</guid>

					<description><![CDATA[<p><span class="span-reading-time rt-reading-time" style="display: block;"><span class="rt-label rt-prefix">Reading Time: </span> <span class="rt-time"> 4</span> <span class="rt-label rt-postfix">minutes</span></span>It happened to all of us: sending a mail to the wrong recipient. Or disclosing the other recipients to each other. Let me show some quick tips that might help limit your users sending information to the wrong recipient. Embarrassing The Dutch Data Protection Agency (Dutch: Autoriteit Persoonsgegevens) is responsible for the supervision of correct handling of personal data. This agency must be informed when there is a breach with personal data. It’s the agency that has its duties described within</p>
<p>The post <a href="https://dirteam.com/dave/2020/08/05/quick-tips-to-limit-sending-mail-to-the-wrong-recipient/">Quick tips to limit sending mail to the wrong recipient</a> appeared first on <a href="https://dirteam.com/dave">Dave Stork&#039;s IMHO</a>.</p>
]]></description>
										<content:encoded><![CDATA[<span class="span-reading-time rt-reading-time" style="display: block;"><span class="rt-label rt-prefix">Reading Time: </span> <span class="rt-time"> 4</span> <span class="rt-label rt-postfix">minutes</span></span>
<div class="wp-block-group"><div class="wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow">
<p>It happened to all of us: sending a mail to the wrong recipient. Or disclosing the other recipients to each other.<br>Let me show some quick tips that might help limit your users sending information to the wrong recipient.</p>
</div></div>



<h3 class="wp-block-heading">Embarrassing </h3>



<p>The Dutch Data Protection Agency (Dutch: <em><a href="https://autoriteitpersoonsgegevens.nl/" target="_blank" rel="noreferrer noopener">Autoriteit Persoonsgegevens</a></em>) is responsible for the supervision of correct handling of personal data. This agency must be informed when there is a breach with personal data. It’s the agency that has its duties described within <a href="https://en.wikipedia.org/wiki/General_Data_Protection_Regulation" target="_blank" rel="noreferrer noopener">GDPR</a>. So, it is extra painful when they themselves are responsible for a data leak. Over a year ago <a href="https://www.computable.nl/artikel/nieuws/crm/6670704/250449/autoriteit-persoonsgegevens-blundert-met-cc-knop.html" target="_blank" rel="noreferrer noopener">they mailed a press release (link to article in Dutch)</a> to several journalists but used the Carbon Copy (or CC field) instead of the Blind Carbon Copy (BCC) in their mail solution. Now every recipient was aware of the other recipients including their email address. </p>



<p>I recently got reminded of this situation. This is just one example of information sent to the wrong recipient (not just a BCC vs CC mix-up). It got me thinking on how you could help limit those instances with some easy and quick solutions. The best thing is that you can implement them right away and you possibly didn't even know about it!</p>



<h3 class="wp-block-heading">Enable External Recipients MailTip</h3>



<p>There is no direct warning when a user uses the CC field. But in this case, the External Recipient <a href="https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/mailtips/mailtips" target="_blank" rel="noreferrer noopener">MailTip</a> could have warned senders. A MailTip in most clients will pop up when an external recipient is added in any recipient field and before the mail is sent. This wouldn’t have prevented this specific case but might have alerted the sender to check whether they are handling external recipients correctly. You can enable it with the <a href="https://docs.microsoft.com/en-us/powershell/module/exchange/organization/set-organizationconfig?view=exchange-ps" target="_blank" rel="noreferrer noopener">Set-OrganizationConfig</a> cmdlet:</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"><p>Set-OrganizationConfig -MailTipsExternalRecipientsTipsEnabled $True</p></blockquote>



<div class="wp-block-image"><figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="652" height="48" src="https://dirteam.com/dave/wp-content/uploads/sites/4/2020/08/image.png" alt="&quot;The following recipient is outside your organization: Dave Stork&quot;" class="wp-image-1245" srcset="https://dirteam.com/dave/wp-content/uploads/sites/4/2020/08/image.png 652w, https://dirteam.com/dave/wp-content/uploads/sites/4/2020/08/image-300x22.png 300w" sizes="auto, (max-width: 652px) 100vw, 652px" /></figure></div>



<p>It's still dependent on the user noticing and acting, but it's certainly helpful if the mail correspondence has a lot of recipients OR a private mail address from your coworker was accidentally added. </p>



<h3 class="wp-block-heading">Set Large Audience Threshold</h3>



<p>Another thing that could help is another MailTip: the Large Audience threshold. If a distribution group contains too many recipients (internal and external), a MailTip warns the user before the mail is sent. The sender could then still review the recipient list. The default value is twenty-five recipients, but you can change that with the <a href="https://docs.microsoft.com/en-us/powershell/module/exchange/organization/set-organizationconfig?view=exchange-ps" target="_blank" rel="noreferrer noopener">Set-OrganizationConfig</a> cmdlet:</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"><p>Set-OrganizationConfig -MailTipsLargeAudienceThreshold 20</p></blockquote>



<div class="wp-block-image"><figure class="aligncenter size-large is-resized"><img loading="lazy" decoding="async" src="https://dirteam.com/dave/wp-content/uploads/sites/4/2020/08/image-1.png" alt="&quot;This email message will be sent to about 7 recipients.&quot;" class="wp-image-1246" width="528" height="39" srcset="https://dirteam.com/dave/wp-content/uploads/sites/4/2020/08/image-1.png 528w, https://dirteam.com/dave/wp-content/uploads/sites/4/2020/08/image-1-300x22.png 300w" sizes="auto, (max-width: 528px) 100vw, 528px" /></figure></div>



<p>MVP Paul Cunningham has <a href="https://practical365.com/exchange-server/mailtips-group-metrics-large-audience-warnings-outlook/" target="_blank" rel="noreferrer noopener">an excellent post on this feature</a>.</p>



<h3 class="wp-block-heading">Creating Custom Mailtips</h3>



<p>You can add a MailTip on almost all mail(box)-enabled objects. You can set it via the Exchange Admin Center or via PowerShell:</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"><p>Set-Mailbox -identity &lt;Identity&gt; -MailTip "This is a default mailtip"<br></p></blockquote>



<p>This is valuable if you need warnings on specific internal objects regardless of how many recipients you've entered. Instead of Mailbox, you can use <em>MailUser</em>, <em>MailContact</em>, <em>DistributionGroup</em> and <em>DynamicDistributionGroup</em>. You can also add region-specific MailTips if required. Read <a aria-label="undefined (opens in a new tab)" href="https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/mailtips/configure-custom-mailtips" target="_blank" rel="noreferrer noopener">this Microsoft article</a> for more details. </p>



<p>Having given some MailTip examples, the downside is that users will filter them out if they are overused. And MailTips are only shown in Microsoft clients (Outlook Desktop, On the Web and Mobile), not clients using Exchange ActiveSync or line-of-business applications using SMTP relaying. We might need some other tools in those scenarios.</p>



<h3 class="wp-block-heading">Moderation or Transport rules</h3>



<p>For formal communications like my example in the intro, Outlook might not be the best tool. There are specific (mailing) tools or services that might be a better fit. But those come with a cost and there are some smaller scale alternatives in Exchange. I'm thinking about <a href="https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/manage-message-approval" target="_blank" rel="noreferrer noopener">message approval or moderation</a>. With moderation you have someone else check the mail before it is sent. You have created a Two-Eyes process and that should limit mailing errors such as wrong recipients or faulty content.</p>



<p>For the example, I might have created mail contacts for each external recipient. Hide the contacts from the address book and add them to a Distribution Group with moderation enabled. When someone sends a mail to that Group, the moderator(s) will get a message with the intended message and must approve it before it is sent to the actual recipients. </p>



<p>But using contacts and groups with moderation isn't foolproof in every scenario. Transport Rules also can enable moderation and that opens quite a few possibilities. You can set a rule that everything sent out to external recipients from a specific Shared Mailbox (obviously with limited <a href="https://dirteam.com/dave/2015/07/13/cheat-sheet-setting-exchange-mailbox-user-permissions-via-powershell/" target="_blank" rel="noreferrer noopener">Send-As permissions</a>), must be moderated by its manager:</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"><p>New-TransportRule -From Info@contoso.com -SentToScope 'NotInOrganization' -ModerateMessageByManager:$true -Name 'Moderate This' -SenderAddressLocation 'Header'</p></blockquote>



<p>It's worth investigating what Transport Rules can offer, so experiment with them (in your lab/test tenant) and <a href="https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/common-message-approval-scenarios" target="_blank" rel="noreferrer noopener">read how Microsoft suggests implementing them for common scenarios</a>.</p>



<h3 class="wp-block-heading">In conclusion</h3>



<p>So, MailTips can help your users prevent errors before they send the mails. But they do not work for every scenario. There is also a risk of overuse and that could lead to users not noticing that specific important MailTip. Object Moderation and Transport Rules offer message approval to a second set of eyes. </p>



<p>Obviously, there are more advanced solutions to prevent what are in a sense data leaks. <a href="https://docs.microsoft.com/en-us/microsoft-365/compliance/data-loss-prevention-policies" target="_blank" rel="noreferrer noopener">Data Loss Prevention</a> is one of those, although that is more focused on the content and certainly not foolproof. <a href="https://docs.microsoft.com/en-us/azure/information-protection/how-does-it-work" target="_blank" rel="noreferrer noopener">Information Rights Management or Azure Information Protection</a> can set explicit permissions to mails and documents. But those solutions are more complex, cost extra licenses and have their own pros and cons. </p>



<p>The tips I highlighted aren't foolproof but are available to all currently supported on-premises Exchange environments and Exchange Online. <a href="https://docs.microsoft.com/en-us/office365/servicedescriptions/exchange-online-service-description/exchange-online-service-description" target="_blank" rel="noreferrer noopener">They don't require additional licenses</a> and are quite easy and quickly implemented. Neat right?<br><br>Have some additional tips? Let me know in the comments!</p>
<p>The post <a href="https://dirteam.com/dave/2020/08/05/quick-tips-to-limit-sending-mail-to-the-wrong-recipient/">Quick tips to limit sending mail to the wrong recipient</a> appeared first on <a href="https://dirteam.com/dave">Dave Stork&#039;s IMHO</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://dirteam.com/dave/2020/08/05/quick-tips-to-limit-sending-mail-to-the-wrong-recipient/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>How To: Exchange Authentication Policies</title>
		<link>https://dirteam.com/dave/2020/07/16/how-to-exchange-authentication-policies/</link>
					<comments>https://dirteam.com/dave/2020/07/16/how-to-exchange-authentication-policies/#comments</comments>
		
		<dc:creator><![CDATA[Dave Stork]]></dc:creator>
		<pubDate>Thu, 16 Jul 2020 08:34:35 +0000</pubDate>
				<category><![CDATA[Exchange]]></category>
		<category><![CDATA[Office 365]]></category>
		<category><![CDATA[Security]]></category>
		<guid isPermaLink="false">https://dirteam.com/dave/?p=1220</guid>

					<description><![CDATA[<p><span class="span-reading-time rt-reading-time" style="display: block;"><span class="rt-label rt-prefix">Reading Time: </span> <span class="rt-time"> 3</span> <span class="rt-label rt-postfix">minutes</span></span>There are several ways how you can protect and limit access to Exchange Online. Conditional Access, Client Access Rules, the older ActiveSync Device rules and, the topic of this post, Authentication Policies. These policies are available in Exchange Online and Exchange Server 2019 since CU2. This article will show you how to implement this. Why use Authentication Policies? Authentication Policies only do one thing: enabling or disabling legacy or basic authentication (I use both terms) on protocols used by Exchange</p>
<p>The post <a href="https://dirteam.com/dave/2020/07/16/how-to-exchange-authentication-policies/">How To: Exchange Authentication Policies</a> appeared first on <a href="https://dirteam.com/dave">Dave Stork&#039;s IMHO</a>.</p>
]]></description>
										<content:encoded><![CDATA[<span class="span-reading-time rt-reading-time" style="display: block;"><span class="rt-label rt-prefix">Reading Time: </span> <span class="rt-time"> 3</span> <span class="rt-label rt-postfix">minutes</span></span>
<p>There are several ways how you can protect and limit access to Exchange Online. Conditional Access, Client Access Rules, the older ActiveSync Device rules and, the topic of this post, Authentication Policies. These policies are available in Exchange Online and Exchange Server 2019 since CU2. This article will show you how to implement this.</p>



<h2 class="wp-block-heading">Why use Authentication Policies?</h2>



<p>Authentication Policies only do one thing: enabling or disabling legacy or basic authentication (I use both terms) on protocols used by Exchange Online. Why would you want that? Well, basic auth only requires a username and a password and that's it. There are no additional checks before allowing access; this means that malicious attackers just need those two pieces of information. If users have re-used their passwords, any leak outside of your control could potentially provide access to your environment. You will likely find a lot of failed logon attempts on SMTP or IMAP protocols when you check sign-in activity in Azure Active Directory.</p>



<p>When you enable Modern Authentication, this does not disable legacy authentication. Even if you have Conditional Access and/or Multi Factor Authentication (MFA) in place, it is still wise to implement Authentication Policies. Especially now that <a href="https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-and-exchange-online-april-2020-update/ba-p/1275508" target="_blank" aria-label="undefined (opens in a new tab)" rel="noreferrer noopener">Microsoft has delayed the removal of legacy authentication</a> on some of the Exchange protocols. It only takes one forgotten account with leaked credentials to gain access.</p>



<h2 class="wp-block-heading">Preparing</h2>



<p>Do not forget to check your environment before implementing these security measures. For Exchange Online, use Azure AD Sign-in reporting to investigate which accounts are still using Legacy Authentication. The <a aria-label="undefined (opens in a new tab)" href="https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-auth-and-exchange-online-february-2020-update/ba-p/1191282" target="_blank" rel="noreferrer noopener">Exchange Team blog has an excellent blog post on how to find those legacy sign-in accounts</a>.</p>



<p>It's possible you have applications or appliances that still use older protocols like IMAP or POP to access mailbox content or require authenticated SMTP. Microsoft has been working on adding OAuth authentication (or Modern Authentication) to those protocols. OAuth is currently available on <a aria-label="undefined (opens in a new tab)" href="https://techcommunity.microsoft.com/t5/exchange-team-blog/announcing-oauth-2-0-support-for-imap-and-smtp-auth-protocols-in/ba-p/1330432" target="_blank" rel="noreferrer noopener">IMAP, SMTP</a> and recently <a aria-label="undefined (opens in a new tab)" href="https://techcommunity.microsoft.com/t5/exchange-team-blog/announcing-oauth-support-for-pop-in-exchange-online/ba-p/1406600" target="_blank" rel="noreferrer noopener">POP</a>. Be sure to read those articles; there are some things to consider. Obviously, your application etc. must support the use of OAuth; be sure that your vendor supports this or will be supporting it soon. You may have to upgrade or change applications. Be sure to check that ASAP as this feature might not be a priority for your vendor and you might be stuck with some mailboxes on your on-prem Exchange environment. It's comparable with the TLS1.2 impact<a aria-label="undefined (opens in a new tab)" href="https://dirteam.com/dave/2018/01/10/office-365-only-allows-tls-1-2/" target="_blank" rel="noreferrer noopener"> I blogged about in early 2018</a>.</p>



<h2 class="wp-block-heading">Implementing</h2>



<p>I always create multiple policies with different protocols having a different legacy authentication state. While most of your clients should already use Modern Authentication, there are still line-of-business applications or devices that can only use legacy auth. You might need to create exceptions. Below is an example of creating several policies:</p>



<pre class="wp-block-verse">New-AuthenticationPolicy "Enable all BasicAuth" -AllowBasicAuthActiveSync -AllowBasicAuthAutodiscover -AllowBasicAuthImap -AllowBasicAuthMapi -AllowBasicAuthOfflineAddressBook -AllowBasicAuthOutlookService -AllowBasicAuthPop -AllowBasicAuthReportingWebServices -AllowBasicAuthRpc -AllowBasicAuthSmtp -AllowBasicAuthWebServices -AllowBasicAuthPowershell
New-AuthenticationPolicy "Disable all BasicAuth"
New-AuthenticationPolicy "Allow only BasicAuth PowerShell" -AllowBasicAuthPowerShell
New-AuthenticationPolicy "Allow only BasicAuth PowerShell, EWS" -AllowBasicAuthWebServices -AllowBasicAuthPowerShell
New-AuthenticationPolicy "Allow only BasicAuth SMTP" -AllowBasicAuthSMTP
New-AuthenticationPolicy "Allow only BasicAuth EWS" -AllowBasicAuthWebServices
New-AuthenticationPolicy "Allow only BasicAuth SMTP, EWS" -AllowBasicAuthSMTP -AllowBasicAuthWebServices
New-AuthenticationPolicy "Allow only BasicAuth IMAP" -AllowBasicAuthImap
New-AuthenticationPolicy "Allow only BasicAuth SMTP, IMAP" -AllowBasicAuthSMTP -AllowBasicAuthImap</pre>



<p>Create these policies as needed and set the most restrictive one as the organization default, which in this case is "Disable all BasicAuth". Setting this default ensures that every user account is no longer allowed to use legacy authentication. You do this with the Set-OrganizationConfig cmdlet:</p>



<pre class="wp-block-verse">Set-OrganizationConfig -DefaultAuthenticationPolicy "Disable all BasicAuth"</pre>



<p>For the accounts that still require legacy authentication, you specify a less restrictive policy. You can use the Set-User cmdlet for this. In this example the user still requires PowerShell and Exchange Web Services with legacy authentication. Configure this as needed with:</p>



<pre class="wp-block-verse">Set-User -Identity troy.winger -AuthenticationPolicy "Allow only BasicAuth PowerShell, EWS"</pre>



<p>This user can now use legacy authentication only on those protocols. Do note that you must perform this on the user authenticating, not on the target mailbox. This also means this user can connect to every mailbox with legacy authentication. You should provide access to a specific mailbox and not more than is required.</p>



<p>After implementing, be sure to check your Azure AD Sign-in report again to confirm no legacy authentication is being performed anymore, besides the exceptions you've implemented. Monitor those exceptions closely and remove them when Legacy Authentication is no longer required. You will reduce your attack surface with each step you take by removing Legacy Authentication.</p>
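
<p>Added example (not part of the original post): one way to inventory the exceptions described above so they can be monitored and removed. The function name Get-BasicAuthException, the sample accounts and policies, and the assumption that a user's AuthenticationPolicy value matches the policy's Name are assumptions of this example; the commented lines show the cmdlets that would supply real data.</p>

```powershell
# Added example, not from the original post. Reports every account whose
# effective authentication policy still allows Basic Auth on some protocol.
function Get-BasicAuthException {
    param(
        [Parameter(Mandatory)] [object[]] $Users,     # objects shaped like Get-User output
        [Parameter(Mandatory)] [object[]] $Policies,  # objects shaped like Get-AuthenticationPolicy output
        [string] $DefaultPolicy                       # organization default policy name, may be empty
    )

    # Policy name -> protocols on which that policy still allows Basic Auth.
    $allowedByPolicy = @{}
    foreach ($policy in $Policies) {
        $protocols = $policy.PSObject.Properties |
            Where-Object { $_.Name -like 'AllowBasicAuth*' -and $_.Value -eq $true } |
            ForEach-Object { $_.Name -replace '^AllowBasicAuth', '' }
        $allowedByPolicy[[string]$policy.Name] = @($protocols)
    }

    foreach ($user in $Users) {
        # An explicitly assigned policy wins; otherwise the organization default applies.
        $assigned = [string]$user.AuthenticationPolicy   # assumption: holds the policy Name
        if ($assigned)          { $effective = $assigned;      $source = 'Explicit' }
        elseif ($DefaultPolicy) { $effective = $DefaultPolicy; $source = 'OrgDefault' }
        else                    { $effective = '';             $source = 'None' }

        if (-not $effective) {
            $finding = 'No authentication policy applies to this account'
        }
        elseif (-not $allowedByPolicy.ContainsKey($effective)) {
            $finding = 'Assigned policy not found in policy list; verify manually'
        }
        elseif ($allowedByPolicy[$effective].Count -gt 0) {
            $finding = 'Basic Auth allowed: ' + ($allowedByPolicy[$effective] -join ', ')
        }
        else {
            continue   # every protocol is blocked, nothing to report
        }

        [pscustomobject]@{
            User    = $user.UserPrincipalName
            Policy  = $effective
            Source  = $source
            Finding = $finding
        }
    }
}

# Against a live tenant (connected Exchange Online PowerShell session):
#   $users    = Get-User -ResultSize Unlimited
#   $policies = Get-AuthenticationPolicy
#   $default  = (Get-OrganizationConfig).DefaultAuthenticationPolicy

# Constructed sample data so the example runs offline. Only four of the
# AllowBasicAuth* switches are shown; the domain and extra accounts are made up.
$policies = @(
    [pscustomobject]@{ Name = 'Disable all BasicAuth'
        AllowBasicAuthImap = $false; AllowBasicAuthSmtp = $false
        AllowBasicAuthWebServices = $false; AllowBasicAuthPowershell = $false }
    [pscustomobject]@{ Name = 'Allow only BasicAuth PowerShell, EWS'
        AllowBasicAuthImap = $false; AllowBasicAuthSmtp = $false
        AllowBasicAuthWebServices = $true; AllowBasicAuthPowershell = $true }
    [pscustomobject]@{ Name = 'Allow only BasicAuth SMTP'
        AllowBasicAuthImap = $false; AllowBasicAuthSmtp = $true
        AllowBasicAuthWebServices = $false; AllowBasicAuthPowershell = $false }
)
$users = @(
    [pscustomobject]@{ UserPrincipalName = 'troy.winger@example.com'
        AuthenticationPolicy = 'Allow only BasicAuth PowerShell, EWS' }
    [pscustomobject]@{ UserPrincipalName = 'scanner01@example.com'
        AuthenticationPolicy = 'Allow only BasicAuth SMTP' }
    [pscustomobject]@{ UserPrincipalName = 'old.app@example.com'
        AuthenticationPolicy = 'Deleted test policy' }
    [pscustomobject]@{ UserPrincipalName = 'regular.user@example.com'
        AuthenticationPolicy = $null }
)
$default = 'Disable all BasicAuth'

Get-BasicAuthException -Users $users -Policies $policies -DefaultPolicy $default |
    Format-Table -AutoSize
```

<p>Accounts that inherit a fully blocking default do not appear in the output, so the result is the list of exceptions to review alongside the Azure AD Sign-in report.</p>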



<h3 class="wp-block-heading"><strong>Update July 17, 2020</strong></h3>



<p><a aria-label="undefined (opens in a new tab)" href="https://www.linkedin.com/posts/dmstork_how-to-exchange-authentication-policies-activity-6689447766533505024--MXf" target="_blank" rel="noreferrer noopener">Joshua Bines commented to me via LinkedIn</a> that enabling Authentication Policies might have some negative consequences when migrating from on-premises to Exchange Online. See <a aria-label="undefined (opens in a new tab)" href="https://support.microsoft.com/en-us/help/3126599/outlook-prompts-for-password-when-modern-authentication-is-enabled" target="_blank" rel="noreferrer noopener">this Microsoft article</a> to learn more. Also, fellow MVP Gareth Gudger <a aria-label="undefined (opens in a new tab)" href="https://supertekboy.com/2020/03/04/rpc-http-block-legacy-auth-may-prevent-outlook-reconfiguration-after-migrating-to-exchange-online/" target="_blank" rel="noreferrer noopener">has a blogpost discussing similar issues</a> you might run into when moving mailboxes with some mitigating solutions.</p>
<p>The post <a href="https://dirteam.com/dave/2020/07/16/how-to-exchange-authentication-policies/">How To: Exchange Authentication Policies</a> appeared first on <a href="https://dirteam.com/dave">Dave Stork&#039;s IMHO</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://dirteam.com/dave/2020/07/16/how-to-exchange-authentication-policies/feed/</wfw:commentRss>
			<slash:comments>4</slash:comments>
		
		
			</item>
		<item>
		<title>A new job at NeoNomads!</title>
		<link>https://dirteam.com/dave/2020/06/30/a-new-job-at-neonomads/</link>
					<comments>https://dirteam.com/dave/2020/06/30/a-new-job-at-neonomads/#comments</comments>
		
		<dc:creator><![CDATA[Dave Stork]]></dc:creator>
		<pubDate>Tue, 30 Jun 2020 17:11:49 +0000</pubDate>
				<category><![CDATA[Personal]]></category>
		<guid isPermaLink="false">https://dirteam.com/dave/?p=1212</guid>

					<description><![CDATA[<p>It's time for a little personal update on what's happening, it's been a while since I've blogged. I wanted to write and post this for myself, but it might be interesting for others. It was a period of heavy soul-searching and job hunting, eventually leading me to join a new consulting company named NeoNomads as a Cloud Architect starting July 1st 2020! Leaving I was a bit restless for a few years now, but it took me a while to
]]></description>
										<content:encoded><![CDATA[
<p>It's time for a little personal update on what's happening, it's been <a aria-label="undefined (opens in a new tab)" href="https://dirteam.com/dave/2019/05/14/getting-azure-devops-tasks-in-to-do-with-flow/" target="_blank" rel="noreferrer noopener">a while since I've blogged</a>. I wanted to write and post this for myself, but it might be interesting for others. It was a period of heavy soul-searching and job hunting, eventually leading me to join a new consulting company named <a aria-label="undefined (opens in a new tab)" href="https://www.neonomads.nl/" target="_blank" rel="noreferrer noopener">NeoNomads</a> as a Cloud Architect starting July 1st 2020!</p>



<h2 class="wp-block-heading">Leaving</h2>



<p>I was a bit restless for a few years now, but it took me a while to realize this. I was also focused on buying a new home and similar things. But eventually I realized that I wanted to go on a different path than my employer OGD ict-diensten could offer. Eventually I concluded that it meant changing jobs. In some ways it was not an easy decision, I was with this company for over 18 years! It was my first real job and I learned a lot about IT, saw a lot of environments, got excellent opportunities, and have worked with a lot of good people. But sometimes the best thing to do is to leave. And that's okay, these things can happen.<br></p>



<p>I made the decision to leave somewhere in February this year and March was my last month working. At the time I didn't have a new job lined up, especially as I wanted to figure some things out during a several months long sabbatical (or vacation). This included investigating self-employment, but I also figured that I needed a reboot opportunity before starting a new job. I planned to do city trips around Europe, sometimes combined with a local "Microsoft Ignite on Tour" edition. But yeah, then life (well, a virus) had other plans&#8230;</p>



<h2 class="wp-block-heading">Job hunting</h2>



<p>It has been an interesting sabbatical as it started immediately with job hunting. I already concluded that self-employment wasn't something I wanted to pursue anymore. I then started talking with companies, getting to know them and what they could offer. But most importantly if it would be a good match. Due to the lockdown we had, all interactions were via Microsoft Teams and I believe I had about 18 Teams meetings and two in-real-life (IRL) social distanced meetings in about 5 weeks. Although this is obviously anecdotal, I do think the lockdown enabled me to have more meetings than without a lockdown. However, I also know that IRL meetings offer insights that virtual meetings can't.</p>



<p>Those meetings were fun to have, I learned a lot and gained new insights just talking about IT. There are a lot of good IT people and companies out there! And yes, I am aware of my specific position and privilege resulting in some observer bias. But in any case, I am thankful for the time and effort all those companies and IT people took to investigate what we could mean for each other. And eventually I believe NeoNomads is the best match for me and signed on early May.</p>



<h2 class="wp-block-heading">Sabbatical</h2>



<p>After that I still had May and June as a sabbatical. Focused on some IT home improvement and other tasks that had been waiting for this (<a aria-label="undefined (opens in a new tab)" href="https://twitter.com/dmstork/status/1267514207026675714" target="_blank" rel="noreferrer noopener">digitizing old magazines</a> or <a aria-label="undefined (opens in a new tab)" href="https://twitter.com/dmstork/status/1272561173796392961?s=20" target="_blank" rel="noreferrer noopener">repairing old modelkits</a> for instance <img src="https://s.w.org/images/core/emoji/17.0.2/72x72/1f600.png" alt="😀" class="wp-smiley" style="height: 1em; max-height: 1em;" />). But also took time to contemplate my work in the IT community, trying to re-invent myself and looking for interesting new ways to share content. I'll experiment with several formats and look what works for me. Could be writing blogs or even doing some videos, it will still contain my contributions towards <a aria-label="undefined (opens in a new tab)" href="https://www.practicalpowershell.com" target="_blank" rel="noreferrer noopener">Practical PowerShell</a> projects. <br><br>But I have not been blind to what's happening in my own country and in the world. I realize I am lucky and privileged to tell my personal story that had this outcome. It has influenced my thinking about what I could and should do to improve our world.</p>



<p>So, now you are a little updated on what has been going on. Feel free to leave comments and/or ask questions. <img src="https://s.w.org/images/core/emoji/17.0.2/72x72/1f642.png" alt="🙂" class="wp-smiley" style="height: 1em; max-height: 1em;" /></p>
]]></content:encoded>
					
					<wfw:commentRss>https://dirteam.com/dave/2020/06/30/a-new-job-at-neonomads/feed/</wfw:commentRss>
			<slash:comments>2</slash:comments>
		
		
			</item>
		<item>
		<title>Getting Azure DevOps tasks in To-Do with Flow</title>
		<link>https://dirteam.com/dave/2019/05/14/getting-azure-devops-tasks-in-to-do-with-flow/</link>
					<comments>https://dirteam.com/dave/2019/05/14/getting-azure-devops-tasks-in-to-do-with-flow/#comments</comments>
		
		<dc:creator><![CDATA[Dave Stork]]></dc:creator>
		<pubDate>Tue, 14 May 2019 19:01:13 +0000</pubDate>
				<category><![CDATA[Automation]]></category>
		<category><![CDATA[Azure]]></category>
		<guid isPermaLink="false">https://dirteam.com/dave/?p=1131</guid>

					<description><![CDATA[<p>Recently I’ve been working more with Azure DevOps within our team; we do our capacity planning and tasks (Work Items) in sprints. However, I also use mail as a sort of To-Do list. Since a few weeks, you can have Flagged Mails from your Exchange account added as an To-Do task. It even copies most content of the mail and flag status (Complete etc.), both will show the same status. And more recently Planner tasks can show up in the
]]></description>
										<content:encoded><![CDATA[<p>Recently I’ve been working more with <a href="https://azure.microsoft.com/en-us/services/devops/" target="_blank" rel="noopener">Azure DevOps</a> within our team; we do our capacity planning and tasks (Work Items) in sprints. However, I also use mail as a sort of To-Do list. For a few weeks now, you can have <a href="https://support.office.com/en-us/article/Using-Microsoft-To-Do-with-Flagged-email-f90c37b0-4453-4756-a6d5-e2ef8d33b395" target="_blank" rel="noopener">Flagged Mails from your Exchange account added as a To-Do task</a>. It even copies most content of the mail and the flag status (Complete etc.), and both will show the same status. And more recently <a href="https://techcommunity.microsoft.com/t5/Planner-Blog/View-Planner-tasks-on-your-Outlook-calendar/ba-p/181917" target="_blank" rel="noopener">Planner tasks can show up in the To-Do app</a>.</p>
<p>I like to minimize places I have to monitor and that includes looking at several places for assigned tasks. Unfortunately Azure DevOps Work Items are not shown in To-Do app as of today. So, I want an automatic way to get those DevOps objects into my To-Do list. Is that possible? Well, yes!</p>
<p>I used <a href="https://flow.microsoft.com" target="_blank" rel="noopener">Microsoft Flow</a> in order to copy any newly assigned DevOps task to the To-Do list. Unfortunately there is (currently) no synchronization between the two objects, but I can live with that. The benefit of having one aggregated list with all my tasks is greater than that downside. Obviously there are more ways and variations possible, but for that you might have to dig deeper into Flow.</p>
<h2>Creating and configuring the Flow</h2>
<p>First, go to <a href="https://flow.microsoft.com">https://flow.microsoft.com</a> or open Flow via the waffle menu within your Office 365 browser session. You need to create a new Flow. There is a <a href="https://flow.microsoft.com/en-us/galleries/public/templates/43f7081a92b145de80fb07366631506c/add-microsoft-to-dobusiness-task-if-an-azure-devops-work-item-is-assigned/" target="_blank" rel="noopener">template for this scenario</a>, but I like to break this down so in this case we will use “+ Automated – from blank”:</p>
<p><a href="https://dirteam.com/dave/wp-content/uploads/sites/4/2019/05/Annotation-2019-05-13-083354.jpg"><img loading="lazy" decoding="async" class="aligncenter" style="margin-right: auto;margin-left: auto;float: none;background-image: none" title="Pulldown menu when creating a new Flow" src="https://dirteam.com/dave/wp-content/uploads/sites/4/2019/05/Annotation-2019-05-13-083354_thumb.jpg" alt="Pulldown menu when creating a new Flow" width="244" height="204" border="0" /></a></p>
<p>A new screen pops up in which you can name the Flow and search for the first trigger. The trigger is the event the Flow watches for; when it occurs, the Flow performs the action(s) you have defined:</p>
<p><a href="https://dirteam.com/dave/wp-content/uploads/sites/4/2019/05/Annotation-2019-05-13-083656-1.jpg"><img loading="lazy" decoding="async" class="aligncenter" style="margin-right: auto;margin-left: auto;float: none;background-image: none" title="Choose the Flow name and the trigger" src="https://dirteam.com/dave/wp-content/uploads/sites/4/2019/05/Annotation-2019-05-13-083656_thumb-1.jpg" alt="Choose the Flow name and the trigger" width="455" height="291" border="0" /></a></p>
<p>You might have to search and scroll for the correct trigger, in this case I’ve chosen “Azure DevOps – When a work item is assigned”:</p>
<p><a href="https://dirteam.com/dave/wp-content/uploads/sites/4/2019/05/Annotation-2019-05-13-084012-1.jpg"><img loading="lazy" decoding="async" class="aligncenter" style="margin-right: auto;margin-left: auto;float: none;background-image: none" title="Choosing Azure DevOps as trigger" src="https://dirteam.com/dave/wp-content/uploads/sites/4/2019/05/Annotation-2019-05-13-084012_thumb-1.jpg" alt="Choosing Azure DevOps as trigger" width="313" height="213" border="0" /></a></p>
<p>Select “Create” when you're ready. Now you are in the edit phase of this Flow. First you have to specify the Azure DevOps account, Project and team: note that you could be part of several of them, so choose the correct one in order to get the correct work items.</p>
<p><a href="https://dirteam.com/dave/wp-content/uploads/sites/4/2019/05/Annotation-2019-05-13-084159-1.jpg"><img loading="lazy" decoding="async" class="aligncenter" style="margin-right: auto;margin-left: auto;float: none;background-image: none" title="Configuring the Azure DevOps trigger when Work Item is assigned" src="https://dirteam.com/dave/wp-content/uploads/sites/4/2019/05/Annotation-2019-05-13-084159_thumb-1.jpg" alt="Configuring the Azure DevOps trigger when Work Item is assigned" width="454" height="175" border="0" /></a></p>
<p>In my case I used these values:</p>
<p><a href="https://dirteam.com/dave/wp-content/uploads/sites/4/2019/05/Annotation-2019-05-13-084542-1.jpg"><img loading="lazy" decoding="async" class="aligncenter" style="margin-right: auto;margin-left: auto;float: none;background-image: none" title="Example of the Azure DevOps trigger when Work Item is assigned" src="https://dirteam.com/dave/wp-content/uploads/sites/4/2019/05/Annotation-2019-05-13-084542_thumb-1.jpg" alt="Example of the Azure DevOps trigger when Work Item is assigned" width="455" height="235" border="0" /></a></p>
<p>The account name is the connection where your tenant's Azure DevOps instance is hosted; it’s possible you get asked to authenticate to your Azure DevOps instance before you can select the Account. After that, it should be able to see the projects and specifically the Azure DevOps team you’re a member of. Note that this trigger is still in Preview, meaning that there might be some kinks and issues with it. The “Assigned To” field is the field where you have to enter your (Azure DevOps) identity.</p>
<p>These are the most important values, but if you require an even more granular approach or other things, the Advanced Options might help with that. Once you have configured and connected this first event trigger, the following would be to define the next step.</p>
<p>For this step, I’ve specifically chosen the “Add To-Do” action. You can search for it in the “Choose an action” step:</p>
<p><a href="https://dirteam.com/dave/wp-content/uploads/sites/4/2019/05/Annotation-2019-05-13-085417-1.jpg"><img loading="lazy" decoding="async" class="aligncenter" style="margin-right: auto;margin-left: auto;float: none;background-image: none" title="Choose the Action step Add To-Do" src="https://dirteam.com/dave/wp-content/uploads/sites/4/2019/05/Annotation-2019-05-13-085417_thumb-1.jpg" alt="Choose the Action step Add To-Do" width="370" height="300" border="0" /></a></p>
<p>There are other options that would also result in tasks within To-Do (such as Outlook Tasks), however I’ve noticed this specific step has fewer issues with propagating certain Azure DevOps object information. After you have added the “Add a to-do” action, you see this:</p>
<p><a href="https://dirteam.com/dave/wp-content/uploads/sites/4/2019/05/Annotation-2019-05-13-185014-1.jpg"><img loading="lazy" decoding="async" class="aligncenter" style="margin-right: auto;margin-left: auto;float: none;background-image: none" title="Empty To-Do action" src="https://dirteam.com/dave/wp-content/uploads/sites/4/2019/05/Annotation-2019-05-13-185014_thumb-1.jpg" alt="Empty To-Do action" width="363" height="216" border="0" /></a></p>
<p>Obviously you have to name the new To-Do, but the nice thing with Flow is that it has remembered the attributes of the Azure DevOps work item. You could compare it to object piping such as PowerShell cmdlets do. When you select the field, a new selection menu will appear:</p>
<p><a href="https://dirteam.com/dave/wp-content/uploads/sites/4/2019/05/Annotation-2019-05-13-185617.jpg"><img loading="lazy" decoding="async" class="aligncenter" style="margin-right: auto;margin-left: auto;float: none;background-image: none" title="Menu with Dynamic content options from Azure DevOps" src="https://dirteam.com/dave/wp-content/uploads/sites/4/2019/05/Annotation-2019-05-13-185617_thumb.jpg" alt="Menu with Dynamic content options from Azure DevOps" width="244" height="240" border="0" /></a></p>
<p align="left">You can already see some of the dynamic content options available and it depends on your preferences what kind of naming convention you want or require. In my case I decided to use the Work Item ID, Work Item Type and Title. It looks like this</p>
<p align="left"><a href="https://dirteam.com/dave/wp-content/uploads/sites/4/2019/05/Annotation-2019-05-13-190238-1.jpg"><img loading="lazy" decoding="async" class="aligncenter" style="margin-right: auto;margin-left: auto;float: none;background-image: none" title="Configuring the Subject with the Azure DevOps id, Work Item Type and Title" src="https://dirteam.com/dave/wp-content/uploads/sites/4/2019/05/Annotation-2019-05-13-190238_thumb-1.jpg" alt="Configuring the Subject with the Azure DevOps id, Work Item Type and Title" width="489" height="78" border="0" /></a> and will result in this To-Do task: <a href="https://dirteam.com/dave/wp-content/uploads/sites/4/2019/05/Annotation-2019-05-13-190451-1.jpg"><img loading="lazy" decoding="async" class="aligncenter" style="margin-right: auto;margin-left: auto;float: none;background-image: none" title="How the Azure DevOps values are used in the To-Do task" src="https://dirteam.com/dave/wp-content/uploads/sites/4/2019/05/Annotation-2019-05-13-190451_thumb-1.jpg" alt="How the Azure DevOps values are used in the To-Do task" width="393" height="67" border="0" /></a></p>
<h2>Using Reminder and Due Dates</h2>
<p>For Microsoft Flow, the title is the bare minimal information required to create a successful Flow. However, I’m not that easily satisfied. My team works in two week long sprints, with a planning on Monday on which work items are assigned to team members. Our review is on the second Friday, which would be the ultimate deadline for those tasks. We can use that in our Flow and I have:</p>
<p><a href="https://dirteam.com/dave/wp-content/uploads/sites/4/2019/05/Annotation-2019-05-14-183857.jpg"><img loading="lazy" decoding="async" class="aligncenter" style="margin-right: auto;margin-left: auto;float: none;background-image: none" title="To-Do flow configured with Due, Reminder and Start dates using Expressions" src="https://dirteam.com/dave/wp-content/uploads/sites/4/2019/05/Annotation-2019-05-14-183857_thumb.jpg" alt="To-Do flow configured with Due, Reminder and Start dates using Expressions" width="448" height="84" border="0" /></a></p>
<p>What are those purple things, you say? I have configured the Due Date, Reminder Date-Time and the Start Date of the To-Do task, using Expressions.</p>
<p>The Start Date is the easiest as in this case it uses the current date, which would be the date this Flow is running and happens when a Work Item is assigned to my name. Just use the <em>utcNow()</em> expression, that will use the current date. When you select the Start Date field, a new menu will appear on the right side. Be sure to select the Expression tab and scroll down to the “Date and time” section and add that item to the field as shown below. That’s it!</p>
<p><a href="https://dirteam.com/dave/wp-content/uploads/sites/4/2019/05/Annotation-2019-05-14-191737.jpg"><img loading="lazy" decoding="async" class="aligncenter" style="margin-right: auto;margin-left: auto;float: none;background-image: none" title="Select the correct Expression in the menu at the right side" src="https://dirteam.com/dave/wp-content/uploads/sites/4/2019/05/Annotation-2019-05-14-191737_thumb.jpg" alt="Select the correct Expression in the menu at the right side" width="559" height="145" border="0" /></a></p>
<p>The Due Date and Reminder date are a little bit more complex. I’ve used the values I required, but YMMV obviously. The Due Date will be the second Friday of our sprint, which would be 11 days from planning (and when the Work Item is assigned). For the Reminder I chose a week later, so 7 days from planning.</p>
<p>Luckily there is an Expression that can add an integer number of days to any value: <em>addDays()</em>. You can combine it with the <em>utcNow()</em> expression and add the number of days you want, resulting in <em>addDays(utcNow(),11)</em> in the Expression field:</p>
<p><a href="https://dirteam.com/dave/wp-content/uploads/sites/4/2019/05/Annotation-2019-05-14-192733.jpg"><img loading="lazy" decoding="async" class="aligncenter" style="margin-right: auto;margin-left: auto;float: none;background-image: none" title="Combining multiple Expressions" src="https://dirteam.com/dave/wp-content/uploads/sites/4/2019/05/Annotation-2019-05-14-192733_thumb.jpg" alt="Combining multiple Expressions" width="567" height="93" border="0" /></a></p>
<p>For the Reminder date it would be <em>addDays(utcNow(),7)</em>. You can obviously change that to suit your own needs or maybe even use different content or expressions.</p>
<p>And as you have seen in a previous screenshot, within To-Do you can see the effect of what we just did. The reminder is on a Monday and the Due Date is on a Friday, as was intended:<a href="https://dirteam.com/dave/wp-content/uploads/sites/4/2019/05/Annotation-2019-05-14-194358.jpg"><img loading="lazy" decoding="async" class="aligncenter" style="margin-right: auto;margin-left: auto;float: none;background-image: none" title="Showing the To-Do with the added dates" src="https://dirteam.com/dave/wp-content/uploads/sites/4/2019/05/Annotation-2019-05-14-194358_thumb.jpg" alt="Showing the To-Do with the added dates" width="244" height="241" border="0" /></a></p>
<p>Yes, the time is a bit late but it depends on when the Work Item is assigned and this was tested at 7pm. If you have your actual task planning and assigning at noon, the reminder will be at noon. It’s just one of those little things that might require some extra attention later by refining the Expression. Just like that if you get a Work Item assigned later in the week, the Due and Reminder dates are obviously not matching your sprint. Something for another time. <img decoding="async" class="wlEmoticon wlEmoticon-winkingsmile" src="https://dirteam.com/dave/wp-content/uploads/sites/4/2019/05/wlEmoticon-winkingsmile.png" alt="Winking smile" /></p>
<h2>Other useful information</h2>
<p>There are situations where you need to edit the original Work Item or need some more information in To-Do besides the name. The status of the To-Do defaults to <em>NotStarted</em> and I guess that should remain so. The “To-do List” option is a great way to order all your To-Do’s in a specific list, not everybody will need it but it’s very good that the option is available.</p>
<p>The biggest field you can add additional useful data is “Body Content”. In my case I’ve added the Description, the Iteration (name of the sprint in DevOps), the direct URL and the creation date:</p>
<p><a href="https://dirteam.com/dave/wp-content/uploads/sites/4/2019/05/Annotation-2019-05-14-195147.jpg"><img loading="lazy" decoding="async" class="aligncenter" style="margin-right: auto;margin-left: auto;float: none;background-image: none" title="Adding additional info via Status, the Body Content field and the To-Do list it has to appear in" src="https://dirteam.com/dave/wp-content/uploads/sites/4/2019/05/Annotation-2019-05-14-195147_thumb.jpg" alt="Adding additional info via Status, the Body Content field and the To-Do list it has to appear in" width="484" height="203" border="0" /></a></p>
<p>I think by now you should be able to construct this however you please, using the Dynamic Content menu. I felt the Description and the direct URL to the Azure DevOps Work Items are the most useful. The Body Content would look something like this (Windows 10 To-Do) and do note the clickable link (had to obfuscate the complete link, sorry):</p>
<p><a href="https://dirteam.com/dave/wp-content/uploads/sites/4/2019/05/Annotation-2019-05-14-200721.jpg"><img loading="lazy" decoding="async" class="aligncenter" style="margin-right: auto;margin-left: auto;float: none;background-image: none" title="The Body content of the To-Do task, showing content from the original Work Item" src="https://dirteam.com/dave/wp-content/uploads/sites/4/2019/05/Annotation-2019-05-14-200721_thumb.jpg" alt="The Body content of the To-Do task, showing content from the original Work Item" width="350" height="169" border="0" /></a></p>
<p>The formatting can use some work, but that also depends on the client capabilities. You can choose whether to use plain text or HTML, but for that option you have to click on “Show advanced options”:</p>
<p><a href="https://dirteam.com/dave/wp-content/uploads/sites/4/2019/05/Annotation-2019-05-14-200238.jpg"><img loading="lazy" decoding="async" class="aligncenter" style="margin-right: auto;margin-left: auto;float: none;background-image: none" title="Advanced options for the To-Do task, including HTML and reminder options" src="https://dirteam.com/dave/wp-content/uploads/sites/4/2019/05/Annotation-2019-05-14-200238_thumb.jpg" alt="Advanced options for the To-Do task, including HTML and reminder options" width="525" height="227" border="0" /></a></p>
<p>Unfortunately most HTML code isn’t processed. The Bold tag is useless as the Windows 10 To-Do app doesn’t show this. This could be true for more of the To-Do app, but perhaps that will change in time. Things to experiment with, I guess. <img decoding="async" class="wlEmoticon wlEmoticon-smile" src="https://dirteam.com/dave/wp-content/uploads/sites/4/2019/05/wlEmoticon-smile.png" alt="Smile" /></p>
<p>As a final reminder: the “Is Reminder On” option is also hidden in the advanced option, but is important if you want to set the Remind date. So remember to turn that option on.</p>
<p>I hope you now have a good basis to use Microsoft Flow to aggregate your Azure DevOps items in Microsoft To-Do, making that app even more attractive as <em>the</em> task application. Unfortunately, this current flow doesn’t update the To-Do when the Work Item has changed. That might be another project, or feel free to comment below with ideas. Obviously the best solution would be a native integration from Microsoft which would also update bi-directionally where possible, such as the Flagged Mails option.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://dirteam.com/dave/2019/05/14/getting-azure-devops-tasks-in-to-do-with-flow/feed/</wfw:commentRss>
			<slash:comments>2</slash:comments>
		
		
			</item>
		<item>
		<title>Installing Exchange 2019 on Windows 2019 Core</title>
		<link>https://dirteam.com/dave/2019/02/21/video-showing-exchange-windows-core-installation/</link>
					<comments>https://dirteam.com/dave/2019/02/21/video-showing-exchange-windows-core-installation/#comments</comments>
		
		<dc:creator><![CDATA[Dave Stork]]></dc:creator>
		<pubDate>Thu, 21 Feb 2019 19:00:53 +0000</pubDate>
				<category><![CDATA[Exchange 2019]]></category>
		<category><![CDATA[Podcast]]></category>
		<guid isPermaLink="false">https://dirteam.com/dave/?p=1120</guid>

					<description><![CDATA[<p><span class="span-reading-time rt-reading-time" style="display: block;"><span class="rt-label rt-prefix">Reading Time: </span> <span class="rt-time"> &#60; 1</span> <span class="rt-label rt-postfix">minute</span></span>Under the Practical PowerShell flag, we've recently posted an instructional YouTube video showing the installation of Exchange Server 2019 on Windows Server 2019 Core. It's light on PowerShell, but as it is Windows Server Core there is a lot of text screens &#x1f609;. The 12 minute video can be seen here, but be sure to maximize your screen for the best experience: If you like the video be sure to like it. We plan to have more instructional videos on</p>
<p>The post <a href="https://dirteam.com/dave/2019/02/21/video-showing-exchange-windows-core-installation/">Installing Exchange 2019 on Windows 2019 Core</a> appeared first on <a href="https://dirteam.com/dave">Dave Stork&#039;s IMHO</a>.</p>
]]></description>
										<content:encoded><![CDATA[<span class="span-reading-time rt-reading-time" style="display: block;"><span class="rt-label rt-prefix">Reading Time: </span> <span class="rt-time"> &lt; 1</span> <span class="rt-label rt-postfix">minute</span></span>
<p>Under the Practical PowerShell flag, we've recently posted an instructional YouTube video showing the installation of Exchange Server 2019 on Windows Server 2019 Core. It's light on PowerShell, but as it is Windows Server Core there is a lot of text screens <img src="https://s.w.org/images/core/emoji/17.0.2/72x72/1f609.png" alt="😉" class="wp-smiley" style="height: 1em; max-height: 1em;" />. The 12 minute video can be seen here, but be sure to maximize your screen for the best experience:</p>



<figure class="wp-block-embed-youtube wp-block-embed is-type-video is-provider-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio"><div class="wp-block-embed__wrapper">
<iframe loading="lazy" width="675" height="380" src="https://www.youtube.com/embed/0CFeS9dIaLE?feature=oembed" frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
</div></figure>



<p>If you like the video be sure to like it. We plan to have more instructional videos <a href="https://www.youtube.com/channel/UClxHtLF0c_VAkjw5rzsV1Vg">on this channel</a> in the near future, so be sure to subscribe if you want to have an alert!<br></p>
<p>The post <a href="https://dirteam.com/dave/2019/02/21/video-showing-exchange-windows-core-installation/">Installing Exchange 2019 on Windows 2019 Core</a> appeared first on <a href="https://dirteam.com/dave">Dave Stork&#039;s IMHO</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://dirteam.com/dave/2019/02/21/video-showing-exchange-windows-core-installation/feed/</wfw:commentRss>
			<slash:comments>2</slash:comments>
		
		
			</item>
		<item>
		<title>I will be speaking at IT/Dev Connections 2018!</title>
		<link>https://dirteam.com/dave/2018/10/08/i-will-be-speaking-at-it-dev-connections-2018/</link>
					<comments>https://dirteam.com/dave/2018/10/08/i-will-be-speaking-at-it-dev-connections-2018/#respond</comments>
		
		<dc:creator><![CDATA[Dave Stork]]></dc:creator>
		<pubDate>Mon, 08 Oct 2018 02:22:00 +0000</pubDate>
				<category><![CDATA[Events]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[SMTP]]></category>
		<guid isPermaLink="false">https://dirteam.com/dave/?p=1113</guid>

					<description><![CDATA[<p><span class="span-reading-time rt-reading-time" style="display: block;"><span class="rt-label rt-prefix">Reading Time: </span> <span class="rt-time"> &#60; 1</span> <span class="rt-label rt-postfix">minute</span></span>Next week I will be speaking at the IT/Dev Connection conference in Dallas (TX) during 16-18th October 2018, which is particularly exciting for me as it is the first time I will present in the USA! The session title is “Securing, Protecting, and Managing the Flow of Corporate Communications”. The session abstract tells you a bit more: Simple Mail Transport Protocol, or as it is better known, SMTP, should be simple. It says so in the name. However, the internet</p>
<p>The post <a href="https://dirteam.com/dave/2018/10/08/i-will-be-speaking-at-it-dev-connections-2018/">I will be speaking at IT/Dev Connections 2018!</a> appeared first on <a href="https://dirteam.com/dave">Dave Stork&#039;s IMHO</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><span class="span-reading-time rt-reading-time" style="display: block;"><span class="rt-label rt-prefix">Reading Time: </span> <span class="rt-time"> &lt; 1</span> <span class="rt-label rt-postfix">minute</span></span>Next week I will be speaking at <a href="https://tmt.knect365.com/it-dev-connections/" target="_blank" rel="noopener">the IT/Dev Connection conference in Dallas (TX) during 16-18th October 2018</a>, which is particularly exciting for me as it is the first time I will present in the USA! The session title is “Securing, Protecting, and Managing the Flow of Corporate Communications”. The session abstract tells you a bit more:</p>
<blockquote><p>Simple Mail Transport Protocol, or as it is better known, SMTP, should be simple. It says so in the name. However, the internet of today is not what it was when SMTP was designed. In this session, we will discuss best practices, security measures and other aspects that will enable you to master the control of mail. Topics will include transport encryption of SMTP; spam filtering concepts (recipient filtering, tar pitting, reverse DNS, etc.); anti-spoofing methods (SPF, DMARC, DKIM); encryption of messages (not transport); and DANE and SMTP STS.</p></blockquote>
<p>If you haven’t booked yet, do it with my promo/discount code STORK which will save you quite a lot of money! And if you can’t make my session, I’ll be present during the whole conference. So drop me a message (<a href="https://tmt.knect365.com/it-dev-connections/speakers/dave-stork#" target="_blank" rel="noopener">contact info here</a>) if you want to talk about this or adjacent topics!</p>
<p>Hopefully I will see you in Dallas!</p>
<p>The post <a href="https://dirteam.com/dave/2018/10/08/i-will-be-speaking-at-it-dev-connections-2018/">I will be speaking at IT/Dev Connections 2018!</a> appeared first on <a href="https://dirteam.com/dave">Dave Stork&#039;s IMHO</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://dirteam.com/dave/2018/10/08/i-will-be-speaking-at-it-dev-connections-2018/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Exchange Server 2019 Preview is available!</title>
		<link>https://dirteam.com/dave/2018/07/24/exchange-server-2019-preview/</link>
					<comments>https://dirteam.com/dave/2018/07/24/exchange-server-2019-preview/#respond</comments>
		
		<dc:creator><![CDATA[Dave Stork]]></dc:creator>
		<pubDate>Tue, 24 Jul 2018 16:00:50 +0000</pubDate>
				<category><![CDATA[Exchange]]></category>
		<category><![CDATA[Exchange 2019]]></category>
		<category><![CDATA[Office 365]]></category>
		<category><![CDATA[Preview/Beta]]></category>
		<guid isPermaLink="false">https://dirteam.com/dave/?p=1068</guid>

					<description><![CDATA[<p><span class="span-reading-time rt-reading-time" style="display: block;"><span class="rt-label rt-prefix">Reading Time: </span> <span class="rt-time"> 3</span> <span class="rt-label rt-postfix">minutes</span></span>Today the Microsoft Exchange Product Group announced the release of the Exchange Server 2019 public preview! They also lifted the veil on some of the new features/capabilities etc. of this new major build of Exchange Server. Where can I download the Preview bits? Click here to download Exchange Server 2019 Preview. Warning: These are Preview bits and are not meant to be used in a production environment (not even as an added Exchange server!). Use a lab environment to test</p>
<p>The post <a href="https://dirteam.com/dave/2018/07/24/exchange-server-2019-preview/">Exchange Server 2019 Preview is available!</a> appeared first on <a href="https://dirteam.com/dave">Dave Stork&#039;s IMHO</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><span class="span-reading-time rt-reading-time" style="display: block;"><span class="rt-label rt-prefix">Reading Time: </span> <span class="rt-time"> 3</span> <span class="rt-label rt-postfix">minutes</span></span>Today the Microsoft Exchange Product Group <a href="https://blogs.technet.microsoft.com/exchange/2018/07/24/exchange-server-2019-public-preview/" target="_blank" rel="noopener">announced the release of the Exchange Server 2019 public preview</a>! They also lifted the veil on some of the new features/capabilities etc. of this new major build of Exchange Server.</p>
<h6><strong>Where can I download the Preview bits?</strong></h6>
<p><a href="https://www.microsoft.com/en-us/download/details.aspx?id=57167" target="_blank" rel="noopener">Click here to download Exchange Server 2019 Preview</a>.</p>
<blockquote><p>Warning: These are Preview bits and are not meant to be used in a production environment (not even as an added Exchange server!). Use a lab environment to test out this preview.</p></blockquote>
<h6><strong>Windows Server Core support</strong></h6>
<p>YES! It will be finally possible to install Exchange Server 2019 Preview on Windows Server Core 2016 and 2019. The Product Group mentions that they consider this the best deployment option. Most admin tasks are either performed via the web based Exchange Admin Center or via remote Exchange PowerShell (/plug: <a href="https://www.practicalpowershell.com">have you bought our book</a>?). That means that there isn’t really a need for a desktop experience but that remains an option. Windows Server 2019 is still in preview, but you can download the <a href="https://www.microsoft.com/en-us/software-download/windowsinsiderpreviewserver" target="_blank" rel="noopener">Windows Server Insider Preview here</a> (after signup).</p>
<h6><strong>Performance (size)</strong></h6>
<p>This is obviously a required feature: better performance in a new major build. They engineered Exchange 2019 to support 48 CPU cores and 256GB RAM. That is a huge improvement from the previous maximum server configuration (max 24 CPU cores &amp; 192GB RAM) for Exchange <a href="https://blogs.technet.microsoft.com/exchange/2015/06/19/ask-the-perf-guy-how-big-is-too-big/" target="_blank" rel="noopener">2013</a>/<a href="https://blogs.technet.microsoft.com/exchange/2015/10/12/the-exchange-2016-preferred-architecture/" target="_blank" rel="noopener">2016</a>. This is mostly an improvement for large Exchange deployments containing thousands of mailboxes; those deployments can now opt to have fewer Exchange servers and save on licenses. Smaller environments probably won't benefit from this.</p>
<h6><strong>Performance (search)</strong></h6>
<p>And again search has been re-engineered; search now uses Bing technology: faster/better results, better database fail-over, etc. We’ll have to experience the build with production data in order to check their promises. The most visible change is that index data is now stored inside the database. Previously these were files/folders located in the same folder as the database file and indexing was a per database process (eventually). By integrating the search index, they hope to improve database fail-over with consistent search indexes.<br />
Let’s hope that it’s more stable and we won’t have to regularly <a href="https://practical365.com/exchange-server/monitor-rebuilding-content-indexes-exchange-databases/" target="_blank" rel="noopener">rebuild the content index</a>…</p>
<h6>Performance (SSD)</h6>
<p>It's not in the preview build, but eventually there will be support for SSD storage solutions for specific Exchange data. I find it quite interesting how this would work in real production environments. However, most on-premises Exchange environments I've encountered are virtualized with shared storage with traditional spinning disks.</p>
<h6>Calendaring</h6>
<p>There will be some calendaring improvements from Exchange Online that will come on-premises, such as Simplified Calendar Sharing, Do Not Forward for meeting requests and more management options for admins.</p>
<h6><strong>No Unified Messaging Role</strong></h6>
<p>This might be a shocking reveal to some, but there were signs that this was about to happen. If you require Exchange UM functionality (i.e. Voicemail or Auto Attendant) for Exchange Server 2019 mailboxes, Microsoft states that you should consider migrating to Skype for Business 2019/Office 365 and use <a href="https://support.microsoft.com/en-us/help/3195158/customer-issues-between-exum-and-azure-voicemail" target="_blank" rel="noopener">Cloud Voicemail</a>. This means that if you require Voicemail functionality with Exchange Server 2019, you have to leverage the Microsoft Cloud.</p>
<h6><strong>MFA on-premises</strong></h6>
<p>Product Manager Greg Taylor mentioned this during Microsoft Ignite 2017. This specific feature enabled Modern Authentication on Exchange protocols (including for Outlook). This would become possible without requiring Azure Active Directory/Office 365. And Modern Authentication brings us MFA capabilities. They did not mention it in this article, so it might not be present in this preview. I’ve added this here in order to collect as much new publicly announced functionality in one post. You can see Product Manager <a href="https://www.youtube.com/watch?v=e3n3ETHAbRs" target="_blank" rel="noopener">Greg Taylor talk about authentication during that talk here</a>.</p>
<p>&nbsp;</p>
<p>Want to know more? Check out <a href="https://aka.ms/office-2019-server-previews" target="_blank" rel="noopener">this page on all Wave 2019 products</a>. Or see <a href="https://www.youtube.com/watch?v=bQJ8Iaqecss" target="_blank" rel="noopener">Greg Taylor inviting you to Microsoft Ignite 2018</a> this September in Orlando. They will launch Exchange Server 2019 at Ignite. It stands to reason that they have a lot of sessions regarding this 2019 release! Exciting! I will be there as well!</p>
<p>The post <a href="https://dirteam.com/dave/2018/07/24/exchange-server-2019-preview/">Exchange Server 2019 Preview is available!</a> appeared first on <a href="https://dirteam.com/dave">Dave Stork&#039;s IMHO</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://dirteam.com/dave/2018/07/24/exchange-server-2019-preview/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>I will be speaking at ExpertsLive NL 2018!</title>
		<link>https://dirteam.com/dave/2018/03/30/i-will-be-speaking-at-expertslive-nl-2018/</link>
					<comments>https://dirteam.com/dave/2018/03/30/i-will-be-speaking-at-expertslive-nl-2018/#respond</comments>
		
		<dc:creator><![CDATA[Dave Stork]]></dc:creator>
		<pubDate>Fri, 30 Mar 2018 19:47:50 +0000</pubDate>
				<category><![CDATA[Events]]></category>
		<category><![CDATA[Exchange]]></category>
		<category><![CDATA[Office 365]]></category>
		<guid isPermaLink="false">https://dirteam.com/dave/?p=1056</guid>

					<description><![CDATA[<p><span class="span-reading-time rt-reading-time" style="display: block;"><span class="rt-label rt-prefix">Reading Time: </span> <span class="rt-time"> &#60; 1</span> <span class="rt-label rt-postfix">minute</span></span>And some other news dropped in my mailbox this week: I will be speaking together with Jetze Mellema at ExpertsLive NL 2018 on 19th June! During that session we will talk about Exchange migrations; "Destination unknown, migrating mailboxes from somewhere to anywhere". What will we be speaking about exactly? “Migrating mailboxes. Something every Exchange admin has done. Whether it be from legacy to a more modern version of on-premises Exchange, Cross-forest, to the cloud or even from other groupware solutions.</p>
<p>The post <a href="https://dirteam.com/dave/2018/03/30/i-will-be-speaking-at-expertslive-nl-2018/">I will be speaking at ExpertsLive NL 2018!</a> appeared first on <a href="https://dirteam.com/dave">Dave Stork&#039;s IMHO</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><span class="span-reading-time rt-reading-time" style="display: block;"><span class="rt-label rt-prefix">Reading Time: </span> <span class="rt-time"> &lt; 1</span> <span class="rt-label rt-postfix">minute</span></span>And some other news dropped in my mailbox this week: I will be speaking together with <a href="https://jetzemellema.blogspot.nl/" target="_blank" rel="noopener">Jetze Mellema</a> at ExpertsLive NL 2018 on 19th June! During that session we will talk about Exchange migrations; "<a href="https://expertslive.nl/sessions/van-hier-naar-exchange-migraties-het-migreren-van-mailboxen/" target="_blank" rel="noopener">Destination unknown, migrating mailboxes from somewhere to anywhere</a>".</p>
<h6>What will we be speaking about exactly?</h6>
<p>“Migrating mailboxes. Something every Exchange admin has done. Whether it be from legacy to a more modern version of on-premises Exchange, Cross-forest, to the cloud or even from other groupware solutions. But even if the process has been improved over the years, there are still things to consider. Such as:</p>
<ul>
<li>Inter or Cross-forest?</li>
<li>To the cloud with Hybrid, Cutover, Staged or Express: Which approach do I choose?</li>
<li>Third party tools or native?</li>
<li>What will the user impact be?</li>
<li>What about AutoDiscover?</li>
</ul>
<p>If time permits followed by Q&amp;A.”</p>
<p>This one will be special as this event is on my birthday! <img src="https://s.w.org/images/core/emoji/17.0.2/72x72/1f642.png" alt="🙂" class="wp-smiley" style="height: 1em; max-height: 1em;" /> Hope to see you at ExpertsLive NL!</p>
<p>The post <a href="https://dirteam.com/dave/2018/03/30/i-will-be-speaking-at-expertslive-nl-2018/">I will be speaking at ExpertsLive NL 2018!</a> appeared first on <a href="https://dirteam.com/dave">Dave Stork&#039;s IMHO</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://dirteam.com/dave/2018/03/30/i-will-be-speaking-at-expertslive-nl-2018/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>I will be speaking at the European Collaboration Summit 2018</title>
		<link>https://dirteam.com/dave/2018/03/30/ill-be-speaking-at-european-collaboration-summit-2018/</link>
					<comments>https://dirteam.com/dave/2018/03/30/ill-be-speaking-at-european-collaboration-summit-2018/#respond</comments>
		
		<dc:creator><![CDATA[Dave Stork]]></dc:creator>
		<pubDate>Fri, 30 Mar 2018 13:03:29 +0000</pubDate>
				<category><![CDATA[Events]]></category>
		<category><![CDATA[Exchange]]></category>
		<category><![CDATA[Security]]></category>
		<guid isPermaLink="false">https://dirteam.com/dave/?p=1051</guid>

					<description><![CDATA[<p><span class="span-reading-time rt-reading-time" style="display: block;"><span class="rt-label rt-prefix">Reading Time: </span> <span class="rt-time"> &#60; 1</span> <span class="rt-label rt-postfix">minute</span></span>Some exciting news! I’ll be speaking at the European Collaboration Summit 2018 in Mainz, Germany on May 28-30. My session is “Securing Exchange Online” and during that hour I will go through the capabilities of Exchange Online (Office 365) to further secure your email data and mail flow based on up-to-date know-how. It’s a topic I like, is quite relevant and popular, I also have to update my session every time with new information and considerations. The Summit itself looks</p>
<p>The post <a href="https://dirteam.com/dave/2018/03/30/ill-be-speaking-at-european-collaboration-summit-2018/">I will be speaking at the European Collaboration Summit 2018</a> appeared first on <a href="https://dirteam.com/dave">Dave Stork&#039;s IMHO</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><span class="span-reading-time rt-reading-time" style="display: block;"><span class="rt-label rt-prefix">Reading Time: </span> <span class="rt-time"> &lt; 1</span> <span class="rt-label rt-postfix">minute</span></span>Some exciting news! I’ll be speaking at the <a href="http://www.collabsummit.eu" target="_blank" rel="noopener">European Collaboration Summit 2018</a> in Mainz, Germany on May 28-30.</p>
<p>My session is <a href="http://www.collabsummit.eu/sessions/" target="_blank" rel="noopener">“Securing Exchange Online”</a> and during that hour I will go through the capabilities of Exchange Online (Office 365) to further secure your email data and mail flow based on up-to-date know-how. It’s a topic I like, is quite relevant and popular, I also have to update my session every time with new information and considerations.</p>
<p>The Summit itself looks like a <em>must attend</em> conference with a lot of high quality sessions and speakers; more than 70 members of Microsoft’s product teams, MVPs, MCMs, and other experts, from 21 countries and five continents.</p>
<h6>Discount!</h6>
<p>To make it even easier to attend, I’m allowed to hand out €20 discount codes! Use promo code: ECS18-STORK while registering!</p>
<p><img loading="lazy" decoding="async" title="Speaker Dave Stork €20 discount promo code: ECS18-STORK" src="http://1e3w3f3zblwr1xzbg3v547kz.wpengine.netdna-cdn.com/wp-content/uploads/2018/02/stork.png" alt="Speaker Dave Stork €20 discount promo code: ECS18-STORK" width="446" height="251" /></p>
<p>I hope to see you there!</p>
<p>The post <a href="https://dirteam.com/dave/2018/03/30/ill-be-speaking-at-european-collaboration-summit-2018/">I will be speaking at the European Collaboration Summit 2018</a> appeared first on <a href="https://dirteam.com/dave">Dave Stork&#039;s IMHO</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://dirteam.com/dave/2018/03/30/ill-be-speaking-at-european-collaboration-summit-2018/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Free community event in Maarssen (NL) this Thursday evening</title>
		<link>https://dirteam.com/dave/2018/02/19/free-community-event/</link>
					<comments>https://dirteam.com/dave/2018/02/19/free-community-event/#comments</comments>
		
		<dc:creator><![CDATA[Dave Stork]]></dc:creator>
		<pubDate>Mon, 19 Feb 2018 11:43:20 +0000</pubDate>
				<category><![CDATA[Events]]></category>
		<category><![CDATA[Exchange]]></category>
		<category><![CDATA[Office 365]]></category>
		<guid isPermaLink="false">https://dirteam.com/dave/?p=1040</guid>

					<description><![CDATA[<p><span class="span-reading-time rt-reading-time" style="display: block;"><span class="rt-label rt-prefix">Reading Time: </span> <span class="rt-time"> &#60; 1</span> <span class="rt-label rt-postfix">minute</span></span>What? A free community event in a first collaboration between Dutch and Belgian Exchange, Skype and Office 365 experts. There will be two sessions, but before and after sessions you are free to talk with any of them about Exchange, Skype for Business/Teams and Office 365. When? This Thursday evening starting at 18:00. Where? Maarssen (near Utrecht) at the Fujitsu office. Who? MVPs like Jaap Wesselius, Dave Stork, Michel de Rooij, Steven Van Houttum and Michael Van Horenbeeck along with</p>
<p>The post <a href="https://dirteam.com/dave/2018/02/19/free-community-event/">Free community event in Maarssen (NL) this Thursday evening</a> appeared first on <a href="https://dirteam.com/dave">Dave Stork&#039;s IMHO</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><span class="span-reading-time rt-reading-time" style="display: block;"><span class="rt-label rt-prefix">Reading Time: </span> <span class="rt-time"> &lt; 1</span> <span class="rt-label rt-postfix">minute</span></span><strong>What?</strong> A free community event in a first collaboration between Dutch and Belgian Exchange, Skype and Office 365 experts. There will be two sessions, but before and after sessions you are free to talk with any of them about Exchange, Skype for Business/Teams and Office 365.</p>
<p><strong>When?</strong> This Thursday evening starting at 18:00.</p>
<p><strong>Where?</strong> Maarssen (near Utrecht) at the Fujitsu office.</p>
<p><strong>Who?</strong> MVPs like Jaap Wesselius, Dave Stork, Michel de Rooij, Steven Van Houttum and Michael Van Horenbeeck along with well-respected experts such as Thomas Verwer and Kay Sellenrode will be there.</p>
<p><strong>How?</strong> For more info and sign up: <a href="https://www.meetup.com/be-com/events/247610710/" target="_blank" rel="noopener">click here</a>!</p>
<p>&nbsp;</p>
<p>The post <a href="https://dirteam.com/dave/2018/02/19/free-community-event/">Free community event in Maarssen (NL) this Thursday evening</a> appeared first on <a href="https://dirteam.com/dave">Dave Stork&#039;s IMHO</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://dirteam.com/dave/2018/02/19/free-community-event/feed/</wfw:commentRss>
			<slash:comments>2</slash:comments>
		
		
			</item>
		<item>
		<title>Office 365 to enforce TLS 1.2 per October 15, 2020</title>
		<link>https://dirteam.com/dave/2018/01/10/office-365-only-allows-tls-1-2/</link>
					<comments>https://dirteam.com/dave/2018/01/10/office-365-only-allows-tls-1-2/#comments</comments>
		
		<dc:creator><![CDATA[Dave Stork]]></dc:creator>
		<pubDate>Wed, 10 Jan 2018 21:51:03 +0000</pubDate>
				<category><![CDATA[Exchange]]></category>
		<category><![CDATA[Office 365]]></category>
		<category><![CDATA[Security]]></category>
		<guid isPermaLink="false">https://dirteam.com/dave/?p=1003</guid>

					<description><![CDATA[<p><span class="span-reading-time rt-reading-time" style="display: block;"><span class="rt-label rt-prefix">Reading Time: </span> <span class="rt-time"> 5</span> <span class="rt-label rt-postfix">minutes</span></span>Update 21 July 2020 Microsoft has set a new date for the deprecation of TLS1.0 and 1.1, after a previous postponement due to the pandemic. You can find it in the Microsoft 365 Message Center message MC218794, which also references this Docs article. From October 15, 2020 onward, Microsoft will gradually enforce TLS1.2 on Office 365 services. Note that this enforcement change will take time to roll out to every tenant etc., so you might not see it immediately. I hope everybody</p>
<p>The post <a href="https://dirteam.com/dave/2018/01/10/office-365-only-allows-tls-1-2/">Office 365 to enforce TLS 1.2 per October 15, 2020</a> appeared first on <a href="https://dirteam.com/dave">Dave Stork&#039;s IMHO</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><span class="span-reading-time rt-reading-time" style="display: block;"><span class="rt-label rt-prefix">Reading Time: </span> <span class="rt-time"> 5</span> <span class="rt-label rt-postfix">minutes</span></span></p>
<blockquote><p><strong>Update 21 July 2020</strong></p>
<p>Microsoft has set a new date for the deprecation of TLS1.0 and 1.1, after a previous postponement due to the pandemic. You can find it in the Microsoft 365 Message Center message MC218794, which also references <a href="https://docs.microsoft.com/en-us/microsoft-365/compliance/tls-1.0-and-1.1-deprecation-for-office-365?view=o365-worldwide">this Docs article</a>.</p>
<p><em><strong>From October 15, 2020 onward, Microsoft will gradually enforce TLS1.2 on Office 365 services</strong></em>. Note that this enforcement change will take time to roll out to every tenant etc., so you might not see it immediately.</p>
<p>I hope everybody has been working towards this important change since the initial announcement at the end of 2017 and this post from early 2018 (!). I've changed the title of this post to reflect this change, but the URL should stay the same.</p></blockquote>
<blockquote><p><strong>Update 5 September 2018</strong></p>
<p>I got confirmation that SMTP also requires TLS1.2, see also <a href="https://support.microsoft.com/en-us/help/4057306/preparing-for-tls-1-2-in-office-365">this support article</a>. Be sure to check all of your incoming/outgoing SMTP connections. That might be a good time to review those SMTP connections with <a href="https://support.office.com/en-us/article/How-to-set-up-a-multifunction-device-or-application-to-send-email-using-Office-365-69f58e99-c550-4274-ad18-c805d654b4c4">this</a> and <a href="https://docs.microsoft.com/en-us/office365/securitycompliance/exchange-online-uses-tls-to-secure-email-connections?redirectSourcePath=%252farticle%252f4cde0cda-3430-4dc0-b489-f2c0736c929f">this</a> Microsoft article.</p></blockquote>
<blockquote><p><strong>Update 10 February 2018*<br />
</strong>So, <a href="https://blogs.technet.microsoft.com/exchange/2018/02/09/an-update-on-office-365-requiring-tls-1-2/" target="_blank" rel="noopener noreferrer">Microsoft announced a new date</a> for this change and <a href="https://support.microsoft.com/en-us/help/4057306/preparing-for-tls-1-2-in-office-365">updated their support article</a> regarding TLS support. It's now October 31st 2018, instead of March 1st 2018. This gives organizations a lot more time to prepare for this change. IMHO the previous date was maybe a little too ambitious. It seems that Microsoft got enough feedback to push back the date.</p>
<p>Even earlier the Exchange Product Team posted an article in a series of three, detailing how to prepare your environment. The first part can be found here: <a href="https://blogs.technet.microsoft.com/exchange/2018/01/26/exchange-server-tls-guidance-part-1-getting-ready-for-tls-1-2/" target="_blank" rel="noopener noreferrer">Exchange Server TLS guidance, part 1: Getting Ready for TLS 1.2</a></p>
<p>Unfortunately, I don't have anything to share yet regarding SMTP. But we've got a few more months. I still suggest you go ahead and check your environment whether the relevant parts have the capability to use TLS1.2.</p></blockquote>
<h3>Important change</h3>
<p>Microsoft announced an upcoming change for secure connections in <a href="https://support.microsoft.com/en-us/help/4057306/preparing-for-tls-1-2-in-office-365" target="_blank" rel="noopener noreferrer">a support article last updated 19th December 2017</a>. Office 365 will initiate and accept only connections secured by TLS 1.2 (Transport Layer Security) as of March 1st 2018. There will be no support for older TLS versions 1.0 and 1.1. This is a pro-active measure before any possible downgrade attacks that <span style="text-decoration: line-through">might</span> will pop up in the future.</p>
<p>Microsoft warns that client-server and browser-server combinations must use at least TLS1.2. Most connections to Office 365 already use TLS1.2 according to Microsoft. The change also impacts any on-premises architecture such as Active Directory Federation Services (ADFS) and Exchange Hybrid. These would require inbound and outbound TLS1.2 connections. <strong>You do not have to disable TLS1.0/1.1 on your on-premises environment.</strong> When you disable TLS 1.0 or 1.1 you might run into issues. Being up-to-date with software that is still in support is important. Check whether TLS1.2 is enabled after updates.</p>
<p>In another article <a href="https://blogs.technet.microsoft.com/cloudyhappypeople/2017/12/22/the-end-of-support-for-older-tls-versions-in-office-365/" target="_blank" rel="noopener noreferrer">Microsoft explains a little bit what the impact might be regarding different Windows OSes</a>. The article does not explicitly mention non-Microsoft solutions that connect with Office 365. I fear some of those solutions will not be checked. The longer I thought about those scenarios, the more I worried that some organizations might run into issues when this change comes into effect. The support article does not specify any particular protocol. Therefore I assume that every protocol is affected. I can think of HTTPS, POP/IMAP and SMTP when regarding Exchange Online. I will only focus on these protocols. That doesn’t mean other protocols or services won’t see some impact specific to that service (Skype for Business Online for instance).</p>
<h3>HTTPS</h3>
<p>Most solutions (like applications, devices, SaaS) use the HTTPS protocol to connect with Office 365, such as Exchange Web Services (EWS) or <a href="https://developer.microsoft.com/en-us/graph/" target="_blank" rel="noopener noreferrer">Microsoft Graph</a>. I know of some Java or other platform based applications. It is feasible that they run on older versions that do not support TLS1.2 or need to actively enable it. Check each of those applications to see whether it is already compliant. You might have to update the platform first, which could in turn break stuff and require some updates. I suggest you check your business-critical applications as soon as possible. Doing so might give you enough time to prepare and hopefully prevent downtime. Also check any application or appliance that connects to Office 365, things like a room manager display for instance (my employer uses them for every bookable room). You might have to update the firmware.</p>
<p>If you are stuck with solutions that will not support the new security requirements you will have to consider workarounds. This could be something like a caching proxy that is able to create HTTPS TLS1.2 connections for the internal solutions that can’t. This is something that probably requires some configuration and testing in your environment.</p>
<h3>POP/IMAP</h3>
<p>I know there are applications or appliances that still use this in order to extract data from mailboxes. As these are old protocols, some applications might not even support any form of secure POP/IMAP, let alone TLS1.2. Check those applications and check whether they (after updating) perhaps support more modern solutions based on HTTPS like EWS. A more modern protocol might also mean a more modern approach towards encryption such as supporting TLS1.2.</p>
<h3>SMTP</h3>
<p>I found SMTP especially an interesting protocol within the security change context. You have to check several uses:</p>
<ul>
<li>Applications/appliances that send mail directly via Office 365 to users or other organizations: Mail relaying.</li>
<li>Incoming and outgoing mail from partners that require secure transport: Partner connections (Mandatory SMTP, Mutual TLS).</li>
<li>Incoming and outgoing mail from and to unknown organizations: Opportunistic TLS SMTP.</li>
</ul>
<h5>Mail relaying</h5>
<p>Check your applications/appliances that <a href="https://support.office.com/en-us/article/How-to-set-up-a-multifunction-device-or-application-to-send-email-using-Office-365-69f58e99-c550-4274-ad18-c805d654b4c4" target="_blank" rel="noopener noreferrer">use SMTP to connect to Office 365</a>, because they might require firmware or software updates to support TLS1.2. If the supplier has failed to support it at this time, you might have to contact them. You can use a relaying SMTP server that makes the direct connection to Office 365. You might have to plan, design and implement some necessary infrastructural changes that might also add costs.</p>
<h5>Partner connections</h5>
<p>If you have <a href="https://technet.microsoft.com/en-us/library/dn751021(v=exchg.150).aspx" target="_blank" rel="noopener noreferrer">connections set up with partner organizations</a> to ensure that SMTP transport is encrypted, your mail flow to that partner might fail. You have to contact your partner organization and warn them of the impending change so they can check and prepare. They might have to consider alternatives that do work within the new security reality.</p>
<p>If they are using Office 365 or even just Exchange Online Protection (EOP), the change obviously won’t be a problem. But if your partner organization uses another cloud solution for the SMTP partner connection, let them check whether it supports TLS1.2. If not, they have to contact their provider in time or switch.</p>
<p>To be clear, we are talking about the first connection point from your Office 365 environment to their organization. This is sometimes different from their MX configuration.</p>
<h5>Opportunistic TLS SMTP</h5>
<p>The change could impact all incoming or outgoing mail. <a href="https://technet.microsoft.com/en-us/library/bb430753(v=exchg.150).aspx" target="_blank" rel="noopener noreferrer">Opportunistic TLS</a> is the principle that an incoming or outgoing SMTP connection is first attempted as an encrypted connection. Mail servers use non-encrypted connections when no encryption is possible.</p>
<p>The need to fall back to older or no layer security is quite common with SMTP connections, due to lazy admins, misconfigurations, or “it’s always done this way and we rather have mail at all than have it transported securely”. Preferably every SMTP connection uses some form of encryption, but this is just the way it is and we have to accept it.</p>
<p>Create a partner connection if you really require a guaranteed secure mail flow with some of your partners. But remember the caveats from the previous paragraph.</p>
<p>I have asked Microsoft for some clarification regarding SMTP. There are very valid reasons to still allow TLS1.0/1.1 for SMTP connections. When I get a reaction I will update this post. It is technically possible that SMTP is the exception to this new support statement. But I will not assume this.</p>
<h3>How to check?</h3>
<p>How do you know if there are any issues? It highly depends on your infrastructure. You need access to OSI model Layer 7 in order to inspect the TLS version. Check any connection logging that is available. Use OpenSSL tools to check whether TLS1.2 is available. Use <a href="https://www.telerik.com/fiddler" target="_blank" rel="noopener noreferrer">Fiddler</a> to monitor whether TLS1.2 connections are actually used. I’ve <a href="https://dirteam.com/dave/2015/06/07/checking-security-protocols-and-ciphers-on-your-exchange-servers/" target="_blank" rel="noopener noreferrer">written a blog post two years ago on how to check your connections</a>.</p>
<p>When you know which connections still aren’t able to leverage TLS1.2, you have some work to do.</p>
<p>Note: I expect that Office 365 will support <a href="https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3_(draft)" target="_blank" rel="noopener noreferrer">TLS1.3 that is still in development</a>. Cloudflare has an <a href="https://blog.cloudflare.com/why-tls-1-3-isnt-in-browsers-yet/" target="_blank" rel="noopener noreferrer">interesting blog post</a> about this.</p>
<p>The post <a href="https://dirteam.com/dave/2018/01/10/office-365-only-allows-tls-1-2/">Office 365 to enforce TLS 1.2 per October 15, 2020</a> appeared first on <a href="https://dirteam.com/dave">Dave Stork&#039;s IMHO</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://dirteam.com/dave/2018/01/10/office-365-only-allows-tls-1-2/feed/</wfw:commentRss>
			<slash:comments>23</slash:comments>
		
		
			</item>
		<item>
		<title>I&#039;ll be speaking at E-Communications &#038; Collaboration Day 2017 (BE-COM.eu) on May 3rd 2017</title>
		<link>https://dirteam.com/dave/2017/04/20/ill-be-speaking-at-e-communications-collaboration-day-2017-be-com-eu-on-may-3rd-2017/</link>
					<comments>https://dirteam.com/dave/2017/04/20/ill-be-speaking-at-e-communications-collaboration-day-2017-be-com-eu-on-may-3rd-2017/#respond</comments>
		
		<dc:creator><![CDATA[Dave Stork]]></dc:creator>
		<pubDate>Thu, 20 Apr 2017 15:39:06 +0000</pubDate>
				<category><![CDATA[Exchange]]></category>
		<category><![CDATA[Office 365]]></category>
		<category><![CDATA[Security]]></category>
		<guid isPermaLink="false">https://dirteam.com/dave/?p=981</guid>

					<description><![CDATA[<p><span class="span-reading-time rt-reading-time" style="display: block;"><span class="rt-label rt-prefix">Reading Time: </span> <span class="rt-time"> &#60; 1</span> <span class="rt-label rt-postfix">minute</span></span>In a few weeks, I’ll be travelling to Novotel Leuven in my neighboring country Belgium for the E-Communications &#38; Collaboration Day 2017, a full day (May 3rd 2017) of expert presentations and content about Office 365, Exchange, Skype for Business and related technologies. During this day, I will be presenting “Securing Exchange Online”: In this session, Dave Stork will go through the capabilities of Exchange Online (Office 365) to further secure your email data and mail flow. Questions like: •    How</p>
<p>The post <a href="https://dirteam.com/dave/2017/04/20/ill-be-speaking-at-e-communications-collaboration-day-2017-be-com-eu-on-may-3rd-2017/">I&#039;ll be speaking at E-Communications &amp; Collaboration Day 2017 (BE-COM.eu) on May 3rd 2017</a> appeared first on <a href="https://dirteam.com/dave">Dave Stork&#039;s IMHO</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><span class="span-reading-time rt-reading-time" style="display: block;"><span class="rt-label rt-prefix">Reading Time: </span> <span class="rt-time"> &lt; 1</span> <span class="rt-label rt-postfix">minute</span></span>In a few weeks, I’ll be travelling to Novotel Leuven in my neighboring country Belgium for the <strong>E-Communications &amp; Collaboration Day 2017</strong>, a full day (May 3rd 2017) of expert presentations and content about Office 365, Exchange, Skype for Business and related technologies. During this day, I will be presenting “<strong>Securing Exchange Online</strong>”:</p>
<blockquote><p>In this session, Dave Stork will go through the capabilities of Exchange Online (Office 365) to further secure your email data and mail flow. Questions like:<br />
•    How can I ensure mails are not intercepted by third parties?<br />
•    Which tools are available to limit (inadvertent) data leaks?<br />
•    How can I mitigate mail spoofing and malicious emails?<br />
•    How to ensure end-point security on clients?<br />
During the sessions techniques like Exchange Online Protection (EOP) and Advanced Threat Protection (ATP), SPF, DKIM, DMARC, TLS, RMS (Rights Management Services), DLP (Data Loss Prevention) are discussed and how an admin can use them to further secure their organization’s mail platform. The focus will be Exchange Online, but other services from Office 365 and Azure AD will make an appearance. Also, some techniques are also valid for On-premises Exchange environments.</p></blockquote>
<p>If that doesn’t interest you, there are obviously other sessions within two tracks covering <strong>Office 365 &amp; Exchange</strong> and <strong>Skype for Business</strong>, presented by an impressive list of Microsoft MVPs and other experts.</p>
<p>There is an entrance fee (€49) which also covers drinks &amp; catering during the day. Be sure to check out the <a href="http://www.be-com.eu/?p=3055" target="_blank">conference page</a> and <a href="https://www.meetup.com/be-com/events/237526397" target="_blank">register</a>!</p>
<p>The post <a href="https://dirteam.com/dave/2017/04/20/ill-be-speaking-at-e-communications-collaboration-day-2017-be-com-eu-on-may-3rd-2017/">I&#039;ll be speaking at E-Communications &amp; Collaboration Day 2017 (BE-COM.eu) on May 3rd 2017</a> appeared first on <a href="https://dirteam.com/dave">Dave Stork&#039;s IMHO</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://dirteam.com/dave/2017/04/20/ill-be-speaking-at-e-communications-collaboration-day-2017-be-com-eu-on-may-3rd-2017/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Creating an Activity alert in Office 365</title>
		<link>https://dirteam.com/dave/2017/04/10/creating-an-activity-alert-in-office-365/</link>
					<comments>https://dirteam.com/dave/2017/04/10/creating-an-activity-alert-in-office-365/#respond</comments>
		
		<dc:creator><![CDATA[Dave Stork]]></dc:creator>
		<pubDate>Mon, 10 Apr 2017 13:56:18 +0000</pubDate>
				<category><![CDATA[Office 365]]></category>
		<category><![CDATA[Security]]></category>
		<guid isPermaLink="false">https://dirteam.com/dave/?p=964</guid>

					<description><![CDATA[<p><span class="span-reading-time rt-reading-time" style="display: block;"><span class="rt-label rt-prefix">Reading Time: </span> <span class="rt-time"> 3</span> <span class="rt-label rt-postfix">minutes</span></span>Within Office 365 you can use Audit Logging to monitor specific actions admins and users take. It’s comparable with Auditing within Exchange, but for most of the actions available in your Office 365 tenant. However, you need to do a search to find those actions perhaps long after the fact. That might be adequate for most organizations, but it would be nice to get a near-immediate alert on the important stuff. Luckily, that is also possible! Consider the following</p>
<p>The post <a href="https://dirteam.com/dave/2017/04/10/creating-an-activity-alert-in-office-365/">Creating an Activity alert in Office 365</a> appeared first on <a href="https://dirteam.com/dave">Dave Stork&#039;s IMHO</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><span class="span-reading-time rt-reading-time" style="display: block;"><span class="rt-label rt-prefix">Reading Time: </span> <span class="rt-time"> 3</span> <span class="rt-label rt-postfix">minutes</span></span>Within Office 365 you can use Audit Logging to monitor specific actions admins and users take. It’s comparable with Auditing within Exchange, but for most of the actions available in your Office 365 tenant. However, you need to do a search to find those actions perhaps long after the fact. That might be adequate for most organizations, but it would be nice to get a near-immediate alert on the important stuff. Luckily, that is also possible!</p>
<p>Consider the following scenario: you share a document via SharePoint using an Anonymous link, meaning that everyone who has the link can download the document you just shared. Downloads are logged, but you require an alert right after it happens.</p>
<p>When you go to Security &amp; Compliance&gt;Search &amp; Investigation&gt;Audit log search you will see a “New alert policy” button at the bottom of the page.</p>
<p><a href="https://dirteam.com/dave/wp-content/uploads/sites/4/2017/04/image.png"><img loading="lazy" decoding="async" style="float: none;padding-top: 0px;padding-left: 0px;margin-left: auto;padding-right: 0px;margin-right: auto;border-width: 0px" title="image" src="https://dirteam.com/dave/wp-content/uploads/sites/4/2017/04/image_thumb.png" alt="image" width="244" height="142" border="0" /></a></p>
<p>Click on that button and a new screen shows up (click on image for original size):</p>
<p><a href="https://dirteam.com/dave/wp-content/uploads/sites/4/2017/04/image-1.png"><img loading="lazy" decoding="async" style="float: none;padding-top: 0px;padding-left: 0px;margin-left: auto;padding-right: 0px;margin-right: auto;border-width: 0px" title="image" src="https://dirteam.com/dave/wp-content/uploads/sites/4/2017/04/image_thumb-1.png" alt="image" width="244" height="209" border="0" /></a></p>
<p>Give it a name and a clear description. Under “Alert Type” you can choose “Custom” or “Elevation of privilege”. Choose Custom. Under “Choose activities for alert” select “Downloaded file”.</p>
<p><a href="https://dirteam.com/dave/wp-content/uploads/sites/4/2017/04/image-2.png"><img loading="lazy" decoding="async" style="float: none;padding-top: 0px;padding-left: 0px;margin-left: auto;padding-right: 0px;margin-right: auto;border-width: 0px" title="image" src="https://dirteam.com/dave/wp-content/uploads/sites/4/2017/04/image_thumb-2.png" alt="image" width="244" height="219" border="0" /></a></p>
<p>Under Users, keep the field empty in order to monitor Anonymous actions.</p>
<p><a href="https://dirteam.com/dave/wp-content/uploads/sites/4/2017/04/image-3.png"><img loading="lazy" decoding="async" style="float: none;padding-top: 0px;padding-left: 0px;margin-left: auto;padding-right: 0px;margin-right: auto;border-width: 0px" title="image" src="https://dirteam.com/dave/wp-content/uploads/sites/4/2017/04/image_thumb-3.png" alt="image" width="244" height="95" border="0" /></a></p>
<p>In the field “Send this alert to…” fill in the user(s) you want the alert sent to. Unfortunately it doesn’t seem to work with groups/contacts, but does work with Shared Mailboxes. By default the address of the admin creating the alert is used.</p>
<p><a href="https://dirteam.com/dave/wp-content/uploads/sites/4/2017/04/image-4.png"><img loading="lazy" decoding="async" style="float: none;padding-top: 0px;padding-left: 0px;margin-left: auto;padding-right: 0px;margin-right: auto;border-width: 0px" title="image" src="https://dirteam.com/dave/wp-content/uploads/sites/4/2017/04/image_thumb-4.png" alt="image" width="244" height="150" border="0" /></a></p>
<p>After that the configured mailbox will get an alert mail when it’s triggered (click on image for original size).</p>
<p><a href="https://dirteam.com/dave/wp-content/uploads/sites/4/2017/04/O365ActivityAlert.png"><img loading="lazy" decoding="async" style="float: none;padding-top: 0px;padding-left: 0px;margin-left: auto;padding-right: 0px;margin-right: auto;border: 0px" title="O365ActivityAlert" src="https://dirteam.com/dave/wp-content/uploads/sites/4/2017/04/O365ActivityAlert_thumb.png" alt="O365ActivityAlert" width="244" height="205" border="0" /></a></p>
<p>If you no longer require the alert or need to adjust it, you can do that under Security &amp; Compliance&gt;Alerts&gt;Manage Alerts (click on image for original size).</p>
<p><a href="https://dirteam.com/dave/wp-content/uploads/sites/4/2017/04/O365ActivityAlertOverview.png"><img loading="lazy" decoding="async" style="float: none;padding-top: 0px;padding-left: 0px;margin-left: auto;padding-right: 0px;margin-right: auto;border: 0px" title="O365ActivityAlertOverview" src="https://dirteam.com/dave/wp-content/uploads/sites/4/2017/04/O365ActivityAlertOverview_thumb.png" alt="O365ActivityAlertOverview" width="244" height="77" border="0" /></a></p>
<p>Unfortunately the alerts are less granular than the search: the search includes a field to further specify a file, folder or site, which is not available for alerts.</p>
<p><a href="https://dirteam.com/dave/wp-content/uploads/sites/4/2017/04/image-5.png"><img loading="lazy" decoding="async" style="float: none;padding-top: 0px;padding-left: 0px;margin-left: auto;padding-right: 0px;margin-right: auto;border-width: 0px" title="image" src="https://dirteam.com/dave/wp-content/uploads/sites/4/2017/04/image_thumb-5.png" alt="image" width="244" height="86" border="0" /></a></p>
<p>Even so, it’s a great addition for those organizations that require more pro-active monitoring of certain actions in their Office 365 tenant. There are a lot of actions from different services (SharePoint, Exchange, User provisioning, Teams etc.) that can be monitored, so check it out!</p>
<p>As the alert mails have a consistent format, you could create further actions based on the mail. For instance with <a href="https://flow.microsoft.com/en-us/">Microsoft Flow</a>.</p>
<p>The post <a href="https://dirteam.com/dave/2017/04/10/creating-an-activity-alert-in-office-365/">Creating an Activity alert in Office 365</a> appeared first on <a href="https://dirteam.com/dave">Dave Stork&#039;s IMHO</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://dirteam.com/dave/2017/04/10/creating-an-activity-alert-in-office-365/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
