TODO: Require MFA from four more Azure AD Roles through your Conditional Access Policies

As part of MC224734, Microsoft has publicly communicated that it is requiring multi-factor authentication (MFA) from four more privileged Azure AD roles through the Security Defaults functionality. Organizations that use Conditional Access to require MFA from privileged accounts should take note. About Security Defaults: Security Defaults is an Identity security feature. When enabled, it requires …

Easily list mail DNS records via this PowerShell script

I get to investigate quite a few mail environments in my work as a consultant. At a certain point you see some patterns emerging. One of those patterns is the correct configuration of mail-related DNS records. It's one of the first things I check when I have to assess an unfamiliar environment. I have talked about …

Five things to know about the Office 365 app in Azure AD Conditional Access

After being in Public Preview since February 2020, Microsoft made the Office 365 app in Azure AD Conditional Access Generally Available. The image below sums up what is in the Office 365 app. The Office 365 app helps with common challenges Microsoft 365 admins have: all the individual services in the Office 365 suite are …

Mainstream support for Microsoft Advanced Threat Analytics (ATA) ends in three months

We’ve helped organizations embrace Microsoft’s Advanced Threat Analytics (ATA) solution to protect their Active Directory environments from attacks. On January 12th, 2021, mainstream support for this product ends. ATA version 1.9.3, released on September 14th, 2020, is the final update as part of mainstream support. It’s time to move on to Microsoft Defender for Identity. …

Field Notes: DKIM and missing selector records

During a project with one of my customers, I was tasked to look at a non-delivery report (NDR) for a mail message. The bounce error was pretty confusing, but after reviewing the headers, we noticed that the DKIM check had failed. This was a bit of a surprise, because the message was sent from Microsoft …

HOWTO: Harden Remote Desktop connections to Domain Controllers

Workstations that are allowed to communicate with Domain Controllers pose a risk of lateral movement. To mitigate some of these risks, we can harden the Remote Desktop connections to Domain Controllers. Note: For organizations that have implemented the Active Directory administrative tier model, or are striving to embrace it, their Privileged Access Workstations (PAWs) pose a …

Quick tips to limit sending mail to the wrong recipient

It has happened to all of us: sending a mail to the wrong recipient, or disclosing the other recipients to each other. Let me show some quick tips that might help limit your users sending information to the wrong recipient. Embarrassing: The Dutch Data Protection Agency (Dutch: Autoriteit Persoonsgegevens) is responsible for the supervision of correct handling …

HOWTO: Enable Extended Protection for Authentication on the SQL Servers hosting the AD FS and Azure AD Connect databases

Most Microsoft-based Hybrid Identity implementations use Active Directory Federation Services (AD FS) Servers, Web Application Proxies and Azure AD Connect installations. In this series, labeled Hardening Hybrid Identity, we’re looking at hardening these implementations using recommended practices. In the previous post of this series, we discussed encrypting traffic between AD FS Servers, servers running Azure …

HOWTO: Set an alert to notify when an additional person is assigned the Azure AD Global Administrator role

Azure Active Directory is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes, and improved security and compliance. User objects with the Global administrator role are the highest-privileged objects in Azure AD and should be monitored. The challenge with Global Admins: Some organizations have opted for a Technical State …

How To: Exchange Authentication Policies

There are several ways to protect and limit access to Exchange Online: Conditional Access, Client Access Rules, the older ActiveSync device rules and, the topic of this post, Authentication Policies. These policies are available in Exchange Online and in Exchange Server 2019 since CU2. This article will show you how to implement them. Why …