PowerShell is a task automation and configuration management framework from Microsoft, consisting of a command-line shell and associated scripting language built on the .NET Framework.


Restrict Access to Office 365 Exchange Online | HowTo | 2 of 2

Part One | Part Two

In Part One we learnt:

  1. Install and update Windows Server with Active Directory Federation Services version 2.0 (AD FS 2.0) with update Rollup 2, KB2681584.

  2. Set up AD FS for Office 365 for Single Sign-On.

    To continue . . .

  3. Add five claim rules to the Active Directory Claims Provider trust.

    Use the following procedure to add the claim rules that make the new request context claim types available to the policy engine. On the Active Directory claims provider trust you create five acceptance transform rules, one per claim type, each of which simply passes the incoming claim through.

    a. Select Start, go to Programs, then to Administrative Tools. Click on AD FS 2.0 Management.

    b. In the console tree, under AD FS 2.0\Trust Relationships, click Claims Provider Trusts, right-click Active Directory, and then click Edit Claim Rules.

    c. In the Edit Claim Rules dialog box, select the Acceptance Transform Rules tab, and then click Add Rule to start the Rule wizard.

    d. On the Select Rule Template page, under Claim Rule Template, select Pass Through or Filter an Incoming Claim from the list, and then click Next.

    e. On the Configure Rule page, under Claim Rule Name, type the display name for this rule; in Incoming Claim Type, paste the Issued Claim Type URL, and then select Pass through all claim values. Complete this step for all five Issued Claim Type URLs below:

    Rule Name                  | Issued Claim Type URL
    EQ-Forwarded-client-ip     | http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip
    EQ-client-application      | http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application
    EQ-client-user-agent       | http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent
    EQ-Proxy                   | http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy
    EQ-endpoint-absolute-path  | http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path


    f. To verify the first rule, EQ-Forwarded-client-ip, select it in the list, click Edit Rule, then click View Rule Language. The claim rule language should appear as follows:

    c:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip"] => issue(claim = c);

    g. Click Finish and in the Edit Claim Rules dialog box, click OK to save the rules.
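The same five pass-through rules can be added from PowerShell rather than the Rule wizard, which is easier to repeat on a second federation server. The script below is an added example and is not part of the original article; it assumes it runs as an administrator on the federation server and that the snap-in and cmdlet names are those of AD FS 2.0 (Microsoft.Adfs.PowerShell). The claim type URLs are the ones from the table above.

```powershell
# Added example, not from the original article: adds the five pass-through
# acceptance transform rules from step 3 with the AD FS 2.0 PowerShell snap-in
# instead of clicking through the Rule wizard. Assumes it runs as an
# administrator on the federation server and that the snap-in and cmdlet
# names are those of AD FS 2.0 (Microsoft.Adfs.PowerShell).
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop

$ctx = 'http://schemas.microsoft.com/2012/01/requestcontext/claims'
$claimTypes = @{
    'EQ-Forwarded-client-ip'    = "$ctx/x-ms-forwarded-client-ip"
    'EQ-client-application'     = "$ctx/x-ms-client-application"
    'EQ-client-user-agent'      = "$ctx/x-ms-client-user-agent"
    'EQ-Proxy'                  = "$ctx/x-ms-proxy"
    'EQ-endpoint-absolute-path' = "$ctx/x-ms-endpoint-absolute-path"
}

# One pass-through rule per claim type in claim rule language. The @RuleName
# line is what the AD FS 2.0 Management console shows as the rule's display name.
function New-PassThroughRule {
    param([string]$Name, [string]$ClaimType)
    return @"
@RuleName = "$Name"
c:[Type == "$ClaimType"]
 => issue(claim = c);
"@
}

$newRules = ($claimTypes.GetEnumerator() | Sort-Object Key | ForEach-Object {
    New-PassThroughRule -Name $_.Key -ClaimType $_.Value
}) -join "`n"

# -AcceptanceTransformRules replaces the whole rule set, so the existing rules
# (the default LDAP attribute pass-throughs) are read first and the new ones
# appended; otherwise they would be lost.
$trust    = Get-ADFSClaimsProviderTrust -Name 'Active Directory'
$existing = [string]$trust.AcceptanceTransformRules

if ($existing -match 'x-ms-forwarded-client-ip') {
    Write-Warning 'Request context pass-through rules are already present; nothing changed.'
} else {
    Set-ADFSClaimsProviderTrust -TargetName 'Active Directory' `
        -AcceptanceTransformRules ($existing.TrimEnd() + "`n" + $newRules)
}

# Re-read and show the rule language; the first rule should read as in step 3f.
(Get-ADFSClaimsProviderTrust -Name 'Active Directory').AcceptanceTransformRules
```

The guard on `x-ms-forwarded-client-ip` makes the script safe to run twice; the final line prints the whole rule set so the result can be compared with what the console shows under View Rule Language.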

  4. Create a rule to block all external IP address access to Office 365 & Exchange Online

    If you want to simply block access to Office 365 & Exchange Online from the public Internet you need to carry out the following:

    a. Click Start, point to Programs, point to Administrative Tools, and then click AD FS 2.0 Management.

    b. In the console tree, under AD FS 2.0\Trust Relationships, click Claims Provider Trusts, right-click Active Directory, and then click Edit Claim Rules.

    c. In the Edit Claim Rules dialog box, select the Acceptance Transform Rules tab, and then click Add Rule to start the Rule wizard.

    d. On the Select Rule Template page, under Claim Rule Template, select Pass Through or Filter an Incoming Claim from the list, and then click Next.

    e. On the Configure Rule page, under Claim Rule Name, type the display name for this rule, such as Block Office 365 Exchange Online from the Internet. Under Custom Rule, paste the following claim rule language syntax:

    exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]) && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value=~"customer-provided public ip address regex"]) => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");

    Replace "customer-provided public ip address regex" with a regular expression matching your own public IP address range; see Building the IP address range expression.

  5. Update the Microsoft Office 365 Identity Platform relying party trust

    This step allows you to configure which types of client to block. Below is a custom block scenario, broken into its clauses: block all external access to Office 365, except Exchange ActiveSync and browser-based applications such as Outlook Web Access or SharePoint Online.

    exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]) &&

    The claim type x-ms-proxy exists. This means the request came through an AD FS proxy (or another compatible proxy, such as Azure), i.e. from outside the corporate network.

    NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.Autodiscover"]) &&

    The x-ms-client-application claim identifies the client application. This condition exempts the value Microsoft.Exchange.Autodiscover from the block. Several values can be matched in one condition by using the regular expression operator =~ with the '|' (or) character in the Value field.

    NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"]) &&

    As above, this condition exempts the client application value Microsoft.Exchange.ActiveSync, so Exchange ActiveSync devices are not blocked.

    NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value == "/adfs/ls/"]) &&

    The claim type x-ms-endpoint-absolute-path exists with the value /adfs/ls/, the path of the AD FS sign-in endpoint used by browser-based applications such as Outlook Web Access or SharePoint Online, which this condition exempts.

    NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "\b192\.168\.1\.(\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\b|\b255\.255\.255\.255\b"])

    The value of the x-ms-forwarded-client-ip claim DOES NOT MATCH the regular expression above. The only allowed range is 192.168.1.0 to 192.168.1.255 plus the single address 255.255.255.255; the alternation for the last octet covers 0 to 9, 10 to 99, 100 to 199, 200 to 249 and 250 to 255 in turn.

    Two questions follow: i. What is the source of x-ms-forwarded-client-ip and what values should we expect to see? ii. What is the format of the expression? Both are covered under Building the IP address range expression.

    => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
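A regular expression mistake in the x-ms-forwarded-client-ip clause either locks internal users out or lets external addresses through, so it is worth testing the expression against known addresses before the rule is deployed. The script below is an added example and not part of the original article: it checks the range expression from step 5 against a constructed set of addresses, assembles the deny rule from the clauses above in the same order, and appends it to the relying party trust. It assumes the AD FS 2.0 cmdlet names and that the relying party trust carries the display name shown in step 2e of Part One.

```powershell
# Added example, not from the original article: validate the client-IP
# regular expression from step 5 against known addresses, then assemble the
# deny rule and append it to the Office 365 relying party trust. Assumes the
# AD FS 2.0 snap-in (Microsoft.Adfs.PowerShell); the sample addresses are
# constructed for this example.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop

# 192.168.1.0-192.168.1.255 plus the single address 255.255.255.255. The last
# octet alternation covers 0-9, 10-99, 100-199, 200-249 and 250-255.
$allowedIpRegex = '\b192\.168\.1\.(\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\b|\b255\.255\.255\.255\b'

function Test-AllowedIp {
    param([string]$Regex, [string[]]$Addresses)
    # One object per address: Allowed = the rule would treat it as internal.
    foreach ($ip in $Addresses) {
        New-Object PSObject -Property @{ Address = $ip; Allowed = [bool]($ip -match $Regex) }
    }
}

# Constructed test set: the edges of the range, values just outside it, and a
# multi-address value of the kind a forwarding proxy can produce.
$samples = '192.168.1.0', '192.168.1.1', '192.168.1.255', '192.168.1.256',
           '192.168.1.259', '192.168.2.10', '10.0.0.5', '255.255.255.255',
           '203.0.113.7', '10.0.0.5, 192.168.1.20'
Test-AllowedIp -Regex $allowedIpRegex -Addresses $samples |
    Select-Object Address, Allowed | Format-Table -AutoSize

# Assemble the deny rule from the step 5 clauses, in the same order.
$ctx = 'http://schemas.microsoft.com/2012/01/requestcontext/claims'
$denyRule = @"
@RuleName = "Block external access except ActiveSync, Autodiscover and browser"
exists([Type == "$ctx/x-ms-proxy"])
 && NOT exists([Type == "$ctx/x-ms-client-application", Value == "Microsoft.Exchange.Autodiscover"])
 && NOT exists([Type == "$ctx/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"])
 && NOT exists([Type == "$ctx/x-ms-endpoint-absolute-path", Value == "/adfs/ls/"])
 && NOT exists([Type == "$ctx/x-ms-forwarded-client-ip", Value =~ "$allowedIpRegex"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
"@

# -IssuanceAuthorizationRules replaces the full set, so the existing rules
# (normally the default "permit all users" rule) are kept and the deny appended.
$rp = Get-ADFSRelyingPartyTrust -Name 'Microsoft Office 365 Identity Platform'
$existing = [string]$rp.IssuanceAuthorizationRules
Set-ADFSRelyingPartyTrust -TargetName $rp.Name `
    -IssuanceAuthorizationRules ($existing.TrimEnd() + "`n" + $denyRule)
```

In the test output the first three addresses and 255.255.255.255 are allowed; 192.168.1.256, 192.168.1.259, 192.168.2.10, 10.0.0.5 and 203.0.113.7 are not. The last sample is also reported as allowed: because the expression uses `\b` rather than `^` and `$`, it matches an internal address anywhere inside the claim value, so a value listing several addresses is treated as internal if any of them falls in the range. Decide deliberately whether that is the behaviour you want before reusing the expression in the simpler step 4 rule.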


With over 20 years of experience, Serviceteam IT design and deliver sophisticated connectivitycommunicationcontinuity, and cloud services, for organisations that need to stay connected 24/7. We take the time to fully understand your current challenges, and provide a solution that gives you a clear understanding of what you are purchasing and the benefits it will bring you.

To find out how we can help you, call us on 0121 468 0101use the Contact Us form, or why not drop in and visit us at 49 Frederick Road, Edgbaston, Birmingham, B15 1HN.

We’d love to hear from you!


Restrict Access to Office 365 Exchange Online: Limiting by Network, IP, Client, Group or Policy | HowTo | 1 of 2

Active Directory Federation Services (AD FS) 2.0 provides a way to configure access restriction policies. Office 365 & Exchange Online customers using Single Sign-On (SSO) who require these policies can now use Client Access Policy rules to restrict access based on the location of the computer or device that is making the request, and to prevent access from the Internet.

Part One | Part Two

Restricting access to email and communications services in the cloud from the Internet, in Office 365 & Exchange Online, may at first seem a little counter-intuitive; however, it is very sensible. Data loss is minimised. Time and working-hours restrictions are adhered to. Personal devices, and the compromised security they pose, are removed. Compliance and regulatory restrictions, for example in the finance or health care sectors, are met. Fundamentally, it ensures the control an organisation requires whilst meeting the needs of flexibility and reduced costs that the cloud offers.

Perhaps you want to ensure Outlook users can only use corporate laptops to connect as long as they establish a VPN tunnel to the corporate network? Outlook Web App (OWA) can be used from any machine without restrictions within the corporate network or from a named IP or IP address range? ActiveSync can be used from any device, as long as the device or user has been approved by an administrator, and that device is secured according to the policy regarding passcode length, installed OS etc? Restrict or block access based upon Group Policy membership?

The simple scenario options are:

Scenario: Block all external access to Office 365 & Exchange Online
Description: Office 365 access is allowed from all clients on the internal corporate network, but requests from external clients are denied based on the IP address of the external client.

Scenario: Block all external access to Office 365, except Exchange ActiveSync
Description: Office 365 access is allowed from all clients on the internal corporate network, as well as from any external client devices, such as smart phones, that make use of Exchange ActiveSync. All other external clients, such as those using Outlook, are blocked.

Scenario: Block all external access to Office 365, except for browser-based applications such as Outlook Web Access or SharePoint Online
Description: Blocks external access to Office 365, except for passive (browser-based) applications such as Outlook Web Access or SharePoint Online.

Scenario: Block all external access to Office 365 for members of designated Active Directory groups
Description: This scenario is used for testing and validating client access policy deployment. It blocks external access to Office 365 only for members of one or more Active Directory groups. It can also be used to provide external access only to members of a group.

If you are a little overwhelmed by PowerShell and expressions there is a useful GUI for PowerShell which builds the expressions for the most common scenarios:

Office 365 & Exchange Online Client Access Policy Builder

In order to enable an external access policy for Office 365 & Exchange Online the following steps are required:

  1. Ensure you have a Windows Server with Active Directory Federation Services version 2.0 (AD FS 2.0) with update Rollup 2, KB2681584.

    After the Update Rollup 2 for Active Directory Federation Services (AD FS) 2.0 package has been installed on all federation servers and federation server proxies, restart the AD FS Windows service.

  2. Follow the video guide here to set up AD FS for Office 365 for Single Sign-On.

    a. If you do not have Active Directory Federation Services installed, add ADFS by using the Add Roles and Features Wizard. If you are using Windows Server 2008, you need to download and install ADFS 2.0: Active Directory Federation Services 2.0 RTW. After the installation, use Windows Update to install all applicable updates and reboot as required.

    b. Request a certificate from a third-party CA for the Federation server name as Office 365 needs a trusted certificate on your ADFS server. You need to obtain a certificate from a third-party certification authority (CA). When you customise the certificate request, ensure you add your Federation Server name in to the Common Name field.

    The video only explains how to generate a certificate signing request (CSR). You need to send the CSR file to a third-party CA. Once the CA has returned a signed certificate, follow these steps to import the certificate to your certificate store:

    i. Run Certlm.msc to open the local computer’s certificate store.
    ii. In the navigation pane, expand Personal, expand Certificates, right-click the Certificates folder, and then click Import.

    The Federation Service name is the Internet-facing domain name of your ADFS server. Your Office 365 users will be directed to this domain for authentication, therefore, make sure that you add a public A record for the domain name in your DNS.

    c. To configure ADFS you cannot manually type a name as the Federation Server name. The name is determined by the subject name (Common name) of a certificate in the local computer’s certificate store.

    In ADFS 2.0, the Federation server name is determined by the certificate that binds to “Default Web Site” in Internet Information Services (IIS). You must bind the new certificate to the Default website before you configure ADFS.

    You can use any account as the service account. If the service account password expires, ADFS will stop working. Therefore, make sure that the password of the account is set to never expire.

    d. Download the Office 365 tools, including Windows Azure Active Directory Module for Windows PowerShell and the Azure Active Directory sync appliance. They are available in the Office 365 portal. Go to Active Users, and then click Single sign-on: Set up.

    e. Now you need to add your domain to Office 365, as the first video does not explain how to add and verify your domain in Office 365. For more information about that procedure, see the video below.

    f. You can now connect ADFS to Office 365 by running the following commands in Windows Azure Active Directory Module for Windows PowerShell. In the Set-MsolADFSContext command, specify the FQDN (Fully Qualified Domain Name) of the ADFS server in your internal domain instead of the Federation server name. In the example below I have used adfs.serviceteamit.co.uk.

    Enable-PSRemoting
    Connect-MsolService
    Set-MsolADFSContext -Computer <the FQDN of the ADFS server>
    Convert-MsolDomainToFederated -DomainName adfs.serviceteamit.co.uk

    If the commands ran successfully, you should see the following: a "Microsoft Office 365 Identity Platform" Relying Party Trust is added to your ADFS server.

    g. Once the ADFS domain is added you need to synchronise the local Active Directory user accounts to Office 365. If your internal domain or suffix is different from the external domain, you have to add the external domain as an alternative UPN suffix in the local Active Directory. For example, the internal domain name is "serviceteamit.local" but the external domain name is "serviceteamit.co.uk", so serviceteamit.co.uk needs to be added as an alternative UPN suffix. Now you can synchronise the local user accounts to Office 365 by using the Directory Sync Tool.

    If you are using ADFS 2.0, you must change the UPN of the user account from "serviceteamit.local" to "serviceteamit.co.uk" before you synchronise the accounts to Office 365. If not, the user will not be validated on the ADFS server.

    h. Finally you can now configure the client computer for Single Sign-On. After you add the Federation server name to the Local intranet zone in Internet Explorer, NTLM authentication is used when users authenticate to the ADFS server; therefore, they are not prompted to enter their credentials.

    Administrators can implement Group Policy settings to configure a Single Sign-On solution on client computers that are joined to the domain.

    If you wish to enable additional services, such as Secure ID or Oracle Identity use the AD FS 2.0 Step-by-Step and How To Guides.

  3. Add five claim rules to the Active Directory Claims Provider trust.

    Continue to Part Two in order to add the rules.



Office 365 & Exchange Online Password PowerShell Commands | HowTo

The Admin Centres for Office 365 and for Exchange Online are great for simple, one-off tasks regarding password management and policy; however, if you wish to carry out wider tasks or bulk user management, PowerShell is the best option. You can manage multiple domains simultaneously, or script the commands to take a CSV file of as many users as you require.


Set an Office 365 or Exchange Online user password so that it never expires

Set-MsolUser -UserPrincipalName user.name@serviceteamit.co.uk -PasswordNeverExpires $True

This option turns off password expiry policy so that the user password never expires.

Set an Office 365 or Exchange Online user password so that it expires

Set-MsolUser -UserPrincipalName user.name@serviceteamit.co.uk -PasswordNeverExpires $False

This option turns on password expiry policy so that the user password expires according to the policy.

Enable password policy in Office 365 or Exchange Online

Get-MsolUser -All | Set-MsolUser -PasswordNeverExpires $False

This option turns on the password policy for all users so that their passwords expire according to the policy.

Disable password policy in Office 365 or Exchange Online

Get-MsolUser -All | Set-MsolUser -PasswordNeverExpires $True

This option turns off the password policy for all users so that their passwords never expire.

Set the Office 365 or Exchange Online Password Policy

Set-MsolPasswordPolicy -DomainName serviceteamit.co.uk -NotificationDays 14 -ValidityPeriod 90

This option sets the password policy for the domain serviceteamit.co.uk to a password validity period of 90 days, notifying the user 14 days prior to expiry.

Create a new password for a user in Office 365 or Exchange Online

Set-MsolUserPassword -UserPrincipalName user.name@serviceteamit.co.uk -NewPassword An3wPa55w0rd -ForceChangePassword $False

This option sets the password to the chosen password An3wPa55w0rd for the named user user.name@serviceteamit.co.uk.

Create a new password for all users in Office 365 or Exchange Online

Get-MsolUser -All | ForEach-Object { Set-MsolUserPassword -UserPrincipalName $_.UserPrincipalName -NewPassword An3wPa55w0rd -ForceChangePassword $False }

This option sets the password to the chosen password An3wPa55w0rd for all users.

Set a new password for all users in Office 365 or Exchange Online with a CSV

  1. Create your CSV or export your user list from Office 365 or Exchange Online:
    Get-MsolUser -All | Export-Csv -Path C:\serviceteamit\customers\user_export.csv -NoTypeInformation

    This option exports the full user list (the -All switch lifts the default result limit) to a handy CSV at the path C:\serviceteamit\customers\user_export.csv.

  2. Create unique passwords for all your users via your favourite bulk password generator.
  3. Import your CSV to Office 365 or Exchange Online:
    Import-Csv -Path C:\serviceteamit\customers\user_import.csv | ForEach-Object { Set-MsolUserPassword -UserPrincipalName $_.UserPrincipalName -NewPassword $_.NewPassword -ForceChangePassword $True }

    This option imports the user list from the path C:\serviceteamit\customers\user_import.csv (columns UserPrincipalName and NewPassword) and requires users to reset their password when they first log in. A sample CSV file, user_import.csv, is available for download.
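The three steps above can be run as one script, which also removes the need for a separate password generator. The script below is an added example and is not part of the original article: it exports the user list, generates a unique random password per user with a cryptographic random number generator, writes the import CSV in the format step 3 expects, applies it with -ForceChangePassword $True, and records the outcome per user. It assumes Connect-MsolService has already been run; the paths are the article's, plus a results file made up for this example.

```powershell
# Added example, not from the original article: the CSV bulk reset as one
# script - export, generate a unique password per user, import, record results.
# Assumes Connect-MsolService has already been run. Paths: the article's export
# and import files plus a results file invented for this example.
$exportPath = 'C:\serviceteamit\customers\user_export.csv'
$importPath = 'C:\serviceteamit\customers\user_import.csv'
$resultPath = 'C:\serviceteamit\customers\user_reset_results.csv'

function New-RandomPassword {
    param([int]$Length = 16)
    # Draws bytes from the cryptographic RNG and rejects any byte that would
    # bias the modulo, so every character in the alphabet is equally likely.
    # Look-alike characters (l, I, O, 0, 1) are left out of the alphabet.
    $alphabet = [char[]]('abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!@#$%^&*')
    $rng      = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $limit    = 256 - (256 % $alphabet.Length)
    $buffer   = New-Object byte[] 1
    $chars    = New-Object System.Text.StringBuilder
    while ($chars.Length -lt $Length) {
        $rng.GetBytes($buffer)
        if ($buffer[0] -lt $limit) {
            [void]$chars.Append($alphabet[$buffer[0] % $alphabet.Length])
        }
    }
    return $chars.ToString()
}

# Step 1: export. Sign-in-blocked accounts are skipped; they keep their state.
$users = Get-MsolUser -All | Where-Object { -not $_.BlockCredential }
$users | Select-Object UserPrincipalName, DisplayName |
    Export-Csv -Path $exportPath -NoTypeInformation

# Step 2: one unique password per user, written in the layout step 3 reads.
$users | ForEach-Object {
    New-Object PSObject -Property @{
        UserPrincipalName = $_.UserPrincipalName
        NewPassword       = New-RandomPassword -Length 16
    }
} | Select-Object UserPrincipalName, NewPassword | Export-Csv -Path $importPath -NoTypeInformation

# Step 3: apply. ForceChangePassword makes the CSV value a one-time credential;
# -ErrorAction Stop turns per-user failures into exceptions that are recorded
# rather than aborting the whole run.
Import-Csv -Path $importPath | ForEach-Object {
    $upn = $_.UserPrincipalName
    try {
        Set-MsolUserPassword -UserPrincipalName $upn -NewPassword $_.NewPassword `
            -ForceChangePassword $True -ErrorAction Stop | Out-Null
        New-Object PSObject -Property @{ UserPrincipalName = $upn; Result = 'Reset' }
    } catch {
        New-Object PSObject -Property @{ UserPrincipalName = $upn; Result = "Failed: $($_.Exception.Message)" }
    }
} | Select-Object UserPrincipalName, Result | Export-Csv -Path $resultPath -NoTypeInformation
```

The import CSV holds every initial password in clear text, so it should be handed to users over a separate channel and deleted once the run is complete; the results file contains no passwords and can be kept as the record of what was changed.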

You can find additional information regarding passwords in this post. If you have any questions or need a little more in-depth help please get in touch.


User Password Expiry settings in Office 365 | HowTo

In Office 365 and Exchange Online the simplest and easiest place to change the expiry term for passwords is in the Admin Centre. The expiry term is set at 90 days by default, with a default 14 day notice prior to the expiry. You can also disable password expiry, however as always, this is not recommended.

  1. Select Settings on the left:
    Office 365 Password Expiry Admin Centre
  2. Select Security and privacy. Click Edit password policy on this page:
    Office 365 Password Expiry Settings
  3. Make your changes to expiry time and notification time, or disable expiry entirely. Click Save:
    Office 365 Password Expiry Security & Privacy

And that’s it, all done. There are other ways to change these settings, including via the Azure control panel or using PowerShell with either Office 365 Exchange Online or Azure.

The PowerShell method to set Office 365 and Exchange Online password policy expiry settings is:

Set-MsolPasswordPolicy -DomainName serviceteamit.co.uk -NotificationDays 14 -ValidityPeriod 90

The PowerShell method to display password expiry policy in Office 365 and Exchange Online:

Get-MsolPasswordPolicy -DomainName serviceteamit.co.uk

Where:

-DomainName: the domain you wish to manage

-NotificationDays: the number of days' notice given to the user prior to expiry

-ValidityPeriod: the number of days a password remains valid
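Setting the policy is only half the job; the per-user -PasswordNeverExpires flag covered in the previous post overrides it silently, so it helps to see which accounts the policy actually reaches. The script below is an added example and not part of the original article: it combines Get-MsolPasswordPolicy with each user's LastPasswordChangeTimestamp to report who is exempt from expiry and how many days the remaining users have left. It assumes Connect-MsolService has already been run and uses the article's domain name.

```powershell
# Added example, not from the original article: combines the domain policy
# (Get-MsolPasswordPolicy) with each user's last password change to show who is
# exempt from expiry and how many days the others have left. Assumes
# Connect-MsolService has already been run; the domain name is the article's.
function Get-PasswordExpiryReport {
    param([string]$DomainName = 'serviceteamit.co.uk')

    $policy   = Get-MsolPasswordPolicy -DomainName $DomainName
    $validity = [int]$policy.ValidityPeriod
    $notice   = [int]$policy.NotificationDays
    $nowUtc   = (Get-Date).ToUniversalTime()

    Get-MsolUser -All -DomainName $DomainName | ForEach-Object {
        $never    = [bool]$_.PasswordNeverExpires
        $changed  = $_.LastPasswordChangeTimestamp   # UTC, as returned by the service
        $daysLeft = $null
        if (-not $never -and $changed) {
            # Expiry = last change + ValidityPeriod; a negative value is already expired.
            $daysLeft = [int][math]::Floor(($changed.AddDays($validity) - $nowUtc).TotalDays)
        }
        New-Object PSObject -Property @{
            UserPrincipalName    = $_.UserPrincipalName
            PasswordNeverExpires = $never
            LastChangedUtc       = $changed
            DaysUntilExpiry      = $daysLeft
            WithinNotice         = ($daysLeft -ne $null -and $daysLeft -le $notice)
        }
    }
}

$report = Get-PasswordExpiryReport

# Accounts the domain policy does not reach (set with -PasswordNeverExpires $True).
$report | Where-Object { $_.PasswordNeverExpires } |
    Select-Object UserPrincipalName, LastChangedUtc | Format-Table -AutoSize

# Accounts inside the notification window, including any already expired.
$report | Where-Object { $_.WithinNotice } | Sort-Object DaysUntilExpiry |
    Select-Object UserPrincipalName, DaysUntilExpiry | Format-Table -AutoSize
```

Run it before and after changing -ValidityPeriod: shortening the period can push many accounts into the notification window, or past expiry, on the same day.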

Additional PowerShell methods to set individual user password options can be found in this post.

If you have any questions or need a little more in-depth help please get in touch.


Exchange Online Office 365 Reports with Excel and OData | HowTo

Open Office 365 reports from directly in Excel and get your Exchange Online reporting!

The predefined reports in the Office 365 Admin Portal are fine for an overview; however, if you require more granularity then Office 365 reporting has to be performed via PowerShell or another development language that can access the Office 365 Exchange Online reporting service. Custom reports are very flexible, letting you specify how the data is sorted, grouped and retained, but PowerShell is less user-friendly when it comes to output, especially if you want to run reports as scheduled jobs and export the data to your own control panel or support dashboard.

But what if you want full reporting without having to create custom scripts, which are complex and time consuming? Luckily if you’re a little more capable with Excel this can be achieved reasonably easily and without the need to learn an entirely new process. In order to get those juicy reports all you have to do is:

1. Start by opening a new sheet in Excel. On that worksheet, click Data:


2. Click From Other Sources, and then click From OData Feed.


3. That brings up the Data Connection Wizard dialog box. On the Connect to a Data Feed dialog, enter the reporting service URL: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/ as the data feed location. You will need to enter Administrator credentials with the necessary permissions. Click Next.


4. After your user name and password have been authenticated you will see the Select Tables dialog. Select a report (here I have chosen ClientSoftwareBrowserDetail), then click Next. Note that it is possible to select multiple reports, which results in multiple tables and charts, or to create a single table and chart that combines all of the data.


5. Now you should see the Save Data Connection File and Finish dialog. You can opt to save the password in the file, but this is not recommended. Click Finish.


6. Finally you will be presented with the Import Data dialog box with options of how to view the data and where to put it. Make your choices and click OK.

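The Excel wizard is really just an OData client, so the same report can be pulled from PowerShell when you want it on a schedule or pushed into a dashboard. The script below is an added example and not part of the original article: it fetches the ClientSoftwareBrowserDetail report from the reporting service URL used in step 3 with Invoke-RestMethod. It assumes the service honours an Accept: application/json header and returns OData verbose JSON (rows under d.results, with a fallback to value), that the credentials are the same administrator credentials the wizard prompts for, and an output path made up for this example.

```powershell
# Added example, not from the original article: fetch the same
# ClientSoftwareBrowserDetail report from the reporting web service with
# Invoke-RestMethod instead of the Excel wizard. Assumptions: the service
# accepts Accept: application/json and returns OData verbose JSON (d.results)
# or light JSON (value); the admin credentials are those the wizard asks for;
# the output path is invented for this example.
$feedRoot = 'https://reports.office365.com/ecp/reportingwebservice/reporting.svc/'

function Get-O365Report {
    param(
        [string]$Report,
        [System.Management.Automation.PSCredential]$Credential,
        [string]$Filter      # optional OData $filter expression
    )
    $uri = $feedRoot + $Report
    if ($Filter) { $uri += '?$filter=' + [uri]::EscapeDataString($Filter) }

    $resp = Invoke-RestMethod -Uri $uri -Credential $Credential `
        -Headers @{ Accept = 'application/json' }

    # Verbose OData JSON nests rows under d.results; lighter JSON uses value.
    if ($resp.d -and $resp.d.results) { return $resp.d.results }
    if ($resp.value) { return $resp.value }
    return $resp
}

$cred = Get-Credential
$rows = Get-O365Report -Report 'ClientSoftwareBrowserDetail' -Credential $cred

"{0} rows returned" -f @($rows).Count
$rows | Select-Object -First 5 | Format-List
$rows | Export-Csv -Path 'C:\serviceteamit\reports\ClientSoftwareBrowserDetail.csv' -NoTypeInformation
```

As with the wizard, do not save the credentials alongside the output: prompt for them, or run the script under an account whose credential is held by the scheduler, and keep the exported CSV with the same access controls as the portal reports themselves.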

The options for handling the data are vast! Perhaps create an Excel Services Dashboard using the OData feed, filtered and sliced, and publish it to your SharePoint server? From SharePoint you could export as XML to a custom monitoring tool or push the feed data to an SQL Server for your support system?

If you have any questions or need a little more in-depth help please get in touch.