Set Up Self Service Password Reset in Office 365 (Cloud Identities)

Microsoft’s Enterprise Mobility + Security (EMS) is a bundle of products from Microsoft’s portfolio aimed at the modern workplace. When we talk about the modern workplace, the first questions that come to mind are how secure it is and whether it is really comfortable for our users. With both in mind, Microsoft has bundled the following five components into EMS.

  • Azure Active Directory Premium
  • Microsoft Intune
  • Azure Rights Management
  • Microsoft Advanced Threat Analytics (ATA)
  • Cloud App Security (CAS)

All in all, you can think of EMS as a device-management and identity-management suite. In a cloud-based world where employees want to work from all of their devices, EMS gives your IT team the security and control it needs.

Azure Active Directory Premium is the paid edition of Azure Active Directory and includes the following features:

  • Self-service password reset
  • Company branding
  • Group-based application access
  • Self-service group management
  • Advanced security reports and alerts
  • Multi-Factor Authentication
  • Forefront Identity Manager (FIM)

As part one of this EMS series, I am going to enable one feature that falls under Azure Active Directory Premium: self-service password reset (SSPR). This post covers cloud-only identities; for identities synchronized from on-premises Active Directory you also need password writeback in Azure AD Connect, which is not covered here.

So let’s see how to enable password reset for your users.


    Set up SSPR

    1. Sign in to the Azure portal at https://portal.azure.com/
    2. Choose More Services -> Azure Active Directory
    3. Select Password reset
    4. Under Properties, select All for Self service password reset enabled.
    5. [OPTIONAL] Selecting Selected for Self service password reset enabled lets you control which users can reset their passwords; the restriction is based on group membership. (If you chose to restrict access to password reset, go to step 6. Otherwise, skip to step 7.)
    6. [OPTIONAL] Under Select groups, pick the security or distribution groups that contain the users who will have access to SSPR.
    7. Next, under Authentication Methods, select the alternate identity verification methods available to users.
    8. Number of methods required to reset sets the minimum number of alternate identity verification methods a user must complete before the password is reset. Requiring two means that a single compromised phone number or mailbox is not enough to take over the account.
    9. Next, under Registration, select Yes or No for Require users to register when signing in? (Selecting Yes forces users to register alternate identity verification methods when they sign in. Otherwise the administrator has to set the verification details for users manually or direct users to https://account.activedirectory.windowsazure.com/PasswordReset/Register.aspx to set them. If you choose Yes, go to step 10; otherwise skip to step 11.)
    10. Enter a value for Number of days before users are asked to re-confirm their authentication information. (This controls how many days pass before the service prompts users to verify or update their alternate identity verification details. The value can be from 0 to 730, where 0 means users are never asked to re-confirm.)
    11. Under Notifications, you can enable notifications to be sent to users when they reset their own passwords through SSPR. This also warns the real owner of an account if somebody else resets its password.
    12. Selecting Yes for Customize helpdesk link lets you set a custom email address or URL for the Contact your administrator link in the password reset wizard.
    13. Enter the desired URL or email address for the help desk if you selected Yes in the previous step.

    Users Registering for SSPR

    14. If you enabled registration at sign-in, users are asked to set up the alternate identity verification methods. (This is the same screen users see when they open the self-service password reset registration URL manually.)
    15. To set up the authentication phone, click Set it up now. Select the country, enter the phone number and choose either text me or call me.
    16. If you chose to have Microsoft call you, answer the call and press the # key to verify the number. If you chose to receive a text message, enter the verification code it sends.
    17. To set up the authentication email address, click Set it up now. Enter the email address and click email me. Once you receive the email with the verification code, enter it and verify. Use an address you can still read while locked out of your work account (for example a personal mailbox); an address that needs the very password you are resetting is useless here.
    18. Once you have set up at least the minimum number of authentication methods required by the administrator, click Finish.
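After the rollout, the question an administrator gets is "who in the SSPR scope still cannot reset their own password?". The script below is an added example, not from the original post: it pulls the authentication method registration report with the Microsoft Graph PowerShell SDK and lists users who are enabled for SSPR but have fewer verified methods than the portal requires. It assumes the Microsoft.Graph.Reports module is installed and the signed-in account has the AuditLog.Read.All and UserAuthenticationMethod.Read.All permissions; the property and method names are as I know them from the SDK and may need adjusting to your module version.

```powershell
# Added example (not from the original post): audit SSPR registration coverage.
# Assumes Microsoft.Graph.Reports and consent for AuditLog.Read.All and
# UserAuthenticationMethod.Read.All. Property names are assumptions based on the
# userRegistrationDetails report; adjust if your SDK version differs.

param(
    # Mirror the portal setting "Number of methods required to reset" from step 8.
    [int]$MethodsRequired = 2,
    # Optional CSV for the help desk.
    [string]$CsvPath
)

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All'

# One row per user: in SSPR scope (All or the Selected group), registered or not,
# and which methods are on file.
$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

# Method names that SSPR can use for identity verification (assumed values as the
# report returns them); MFA-only methods such as FIDO2 keys are left out.
$ssprCapable = 'mobilePhone', 'alternateMobilePhone', 'officePhone', 'email',
               'securityQuestion', 'microsoftAuthenticatorPush', 'softwareOneTimePasscode'

$report = foreach ($d in $details) {
    $methods = @($d.MethodsRegistered | Where-Object { $_ -in $ssprCapable })
    [pscustomobject]@{
        User              = $d.UserPrincipalName
        IsAdmin           = $d.IsAdmin
        SsprEnabled       = $d.IsSsprEnabled
        SsprRegistered    = $d.IsSsprRegistered
        MethodCount       = $methods.Count
        Methods           = ($methods -join ',')
        # In scope but unable to complete a reset with the configured method count.
        NeedsRegistration = [bool]$d.IsSsprEnabled -and ($methods.Count -lt $MethodsRequired)
    }
}

# Users who would be turned away by the reset wizard today.
$report | Where-Object NeedsRegistration | Sort-Object User |
    Format-Table User, IsAdmin, MethodCount, Methods -AutoSize

if ($CsvPath) { $report | Export-Csv -Path $CsvPath -NoTypeInformation }
```

Run it once after enabling "Require users to register when signing in" and again a few weeks later; the second run shows whether the registration prompt is actually reaching people or whether the help desk still has to set methods by hand (step 9).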


Azure Information Protection client files and usage logging details for inquiries!!

 

When we talk about data classification and data protection, one question customers often ask is whether there is an audit trail showing who changed the classification of a document. In an audit they may need to prove who changed what. So far, however, the Azure Information Protection client writes its log on each individual machine, not to a central database or to the cloud, so you have to collect the details from the individual machines. The relevant entries can be seen in Event Viewer.

These are the log entries you will need for administration or auditing.

The events include the following information:

· Date, client version, policy ID
· Signed-in user name, computer name
· File name and location
· Action:
  o Set label: Information ID 101
  o Set label (lower): Information ID 102
  o Set label (higher): Information ID 103
  o Remove label: Information ID 104
  o Recommended tip: Information ID 105
  o Apply custom protection: Information ID 201
  o Remove custom protection: Information ID 202
  o Sign in (operational): Information ID 902
  o Download policy (operational): Information ID 901
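Until the logs are centralized, the practical way to answer "who lowered the label on this file" is to query the event log on the machine in question. The script below is an added example, not from the original post: it reads the events listed above from the local or a remote machine, maps the event IDs to actions and can restrict the output to the events an auditor usually asks about (a label lowered or removed, or custom protection removed). It assumes the log name "Azure Information Protection", as it appears under Applications and Services Logs in Event Viewer; the message layout varies by client version, so the raw message is kept rather than parsed.

```powershell
# Added example (not from the original post): collect AIP client label events.
# Assumes the Event Viewer log is named 'Azure Information Protection'; the event
# IDs are the ones documented in the post.

param(
    [int]$Days = 30,
    [string]$ComputerName = $env:COMPUTERNAME,
    # Show only downgrades and removals, the events that matter in an audit.
    [switch]$DowngradesOnly,
    [string]$CsvPath
)

$actions = @{
    101 = 'Set label'
    102 = 'Set label (lower)'
    103 = 'Set label (higher)'
    104 = 'Remove label'
    105 = 'Recommended tip'
    201 = 'Apply custom protection'
    202 = 'Remove custom protection'
    901 = 'Download policy (operational)'
    902 = 'Sign in (operational)'
}
$downgradeIds = 102, 104, 202

$ids = if ($DowngradesOnly) { $downgradeIds } else { @($actions.Keys) }

$filter = @{
    LogName   = 'Azure Information Protection'   # assumed log name
    Id        = $ids
    StartTime = (Get-Date).AddDays(-$Days)
}

# Get-WinEvent raises an error when nothing matches; treat that as "no events".
$events = @(Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue)

$report = foreach ($e in $events) {
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Computer  = $e.MachineName
        EventId   = $e.Id
        Action    = $actions[$e.Id]
        Downgrade = $e.Id -in $downgradeIds
        # Signed-in user, file name and location live in the message body.
        Message   = $e.Message
    }
}

"{0} matching events on {1} in the last {2} days" -f $report.Count, $ComputerName, $Days
$report | Sort-Object Time | Format-Table Time, Action, Downgrade, Message -Wrap

if ($CsvPath) { $report | Export-Csv -Path $CsvPath -NoTypeInformation -Append }
```

Because the log lives on the endpoint, a user who wants to hide a downgrade can clear it locally; the export to CSV (or the OMS/syslog collection mentioned below) is what makes the trail usable as evidence.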

The Azure Information Protection client files are installed in the following locations:

  • For 64-bit operating systems: \Program Files (x86)\Microsoft Azure Information Protection
  • For 32-bit operating systems: \Program Files\Microsoft Azure Information Protection

Client log files and the currently installed policy file:

  • For 64-bit and 32-bit operating systems: %localappdata%\Microsoft\MSIP

Note that %localappdata% is per user, so on a shared machine you have to look in each user profile.

In my next blog I will show how to collect all these logs into one location and do the auditing there rather than searching through individual machines. The configuration is still in progress; I am trying to use OMS and a syslog server for this. Let’s hope for the best and wait for the outcome.

Download Microsoft Azure Information Protection Tool (AIP) for your Devices

Hello,

Good Day!

If you need to download the AIP client for your device type, as a viewer or as an owner, use the URLs below.

Windows desktop users can get the latest application from the link below.

https://www.microsoft.com/en-us/download/details.aspx?id=53018

Mac, iOS and Android users can refer to the link below.

https://www.microsoft.com/en-us/download/details.aspx?id=53018

Note: mobile device users on Android, Windows Mobile and iOS can also go to their app store (Apple App Store, Google Play Store or Windows Store), search for the Microsoft Information Protection app and install it to read protected documents.

Configure Android for Work Binding for Microsoft Intune

Step 3 - Sign in to Google with your Google account.
On Google’s sign-in page, enter the Google account that will be associated with all Android for Work management tasks for this tenant. Use an account owned by the organisation rather than an individual’s personal account, because the binding stays tied to it.

Step 4 - Click Confirm to complete the bind between Android for Work and the Microsoft Intune portal.

Step 5 - Click Complete Registration.

Step 6 - After registration completes, you can see the integration status of Android for Work with Microsoft Intune. Once the sync is complete, the work applications you have purchased appear under the Volume Purchased Apps location. See Figure 7.

Step 7 - Volume Purchased Apps location, as below. All the apps you have purchased are visible here.

Note: the same method works for iOS devices; the Apple Volume Purchase Program (Apple VPP) can be integrated too.

How to Manage Rooted Devices Using Intune Mobile Application Management Policies

Hello,

In this blog I am going to show how to identify the rooted devices your users are using in your environment. This is covered by the Microsoft Intune Mobile Application Management (MAM) feature: we protect line-of-business (LOB) apps with MAM policies WITHOUT enrolling the device in Intune. So how do we do this?

It is very straightforward.

Step 1 - Create an application policy as described in my previous blog article HERE.

Step 2 - On the Policy Configuration tab, configure the option below if you need to identify rooted devices. In this scenario I am using an Android device that I rooted with CyanogenMod :).

Note: if you don’t want users to access corporate data from rooted devices, you can simply block them, without letting them open any of the LOB documents. Keep in mind that root detection runs inside the app on the device itself, so treat a flag as a signal to investigate rather than as proof, and the absence of a flag as no guarantee.

Step 3 - Once policies are configured this way, you get a notification on the dashboard under the Flagged Users area, as shown below.

Step 4 - When you click the Flagged Users tab, you can find the user and device details as follows.

Step 5 - If you block rooted devices, the user gets a notification like this on the device.

I hope the above steps give you an idea of how to manage rooted devices.

Thanks

Protect line-of-business apps and data on devices that are not enrolled in Microsoft Intune

Note: before you add line-of-business apps to the MAM portal, make sure to wrap them with the Intune App Wrapping Tool for Android.

https://docs.microsoft.com/en-us/intune-classic/deploy-use/decide-how-to-prepare-apps-for-mobile-application-management-with-microsoft-intune

Step 1 - Go to https://Portal.Azure.com and search for Intune Mobile Application Management.

Step 2 - Go to App Policy and create a new policy using Add a Policy.

Step 3 - Type a name for the policy and select the mobile platform. In my case I selected Android.

Step 4 - Then add the application you want to manage. A few applications are available by default, and if you have an in-house developed application you can add it as well. In this case I am going to add a custom application.

Step 5 - Click More Apps and type the package ID, which has the form com.app.xxxxxxx. You can get this from the developer; the package ID is the identifier of your LOB app. Once you add the wrapped app under More Apps, it appears in your application list.

Step 6 - Next, configure the policy settings for your application. Here you configure all the policies you want to bind to the app. Click Create once you have completed the configuration.

Step 7 - Once the policy is created, you must assign users to it. The user signed in to the app receives all the settings you defined in the policy.

Step 8 - Click Assignments to add user groups. In my case I have a separate user group for Android users. Click Select to add the user groups.

Step 9 - Once that is done, install the LOB app on your device, try to access it and check whether the policies you defined are working.

In addition, the main page shows all notifications for these policies, and if a user is on a rooted device you get a notification under the Flagged Users view.
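The portal shows the Flagged Users view one tenant at a time; for reporting, or to check that the package ID you typed in step 5 actually landed in the policy, it helps to read the same data through the API. The script below is an added example, not from the original post, and serves both this post and the rooted-devices post above: it lists each Android app protection policy with the package IDs it covers, then lists the app registrations Intune has flagged as running on a rooted device. It assumes the Microsoft Graph PowerShell SDK with DeviceManagementApps.Read.All consent; the endpoint and property names are as I know them from the Graph v1.0 reference and are assumptions on my part.

```powershell
# Added example (not from the original post): MAM policies and flagged (rooted)
# app registrations via Microsoft Graph. Assumes Microsoft.Graph.Authentication and
# consent for DeviceManagementApps.Read.All. Endpoint/property names are assumptions.

Connect-MgGraph -Scopes 'DeviceManagementApps.Read.All'

function Get-GraphCollection {
    # Follows @odata.nextLink so large tenants are not cut off at the first page.
    param([string]$Uri)
    while ($Uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $page.value
        $Uri = $page.'@odata.nextLink'
    }
}

$graph = 'https://graph.microsoft.com/v1.0/deviceAppManagement'

# 1. Android app protection policies and the package IDs (com.app.xxxxxxx) each covers.
$policies = Get-GraphCollection -Uri "$graph/androidManagedAppProtections?`$expand=apps"

"--- Android app protection policies ---"
foreach ($p in $policies) {
    $packages = @($p.apps | ForEach-Object { $_.mobileAppIdentifier.packageId })
    [pscustomobject]@{
        Policy   = $p.displayName
        AppCount = $packages.Count
        Packages = ($packages -join ', ')
    }
}

# 2. App registrations are created when a user signs in to a MAM-protected app.
#    Intune records why a registration was flagged; 'rootedDevice' is the case
#    shown under Flagged Users in the portal.
$registrations = Get-GraphCollection -Uri "$graph/managedAppRegistrations"

"--- Registrations flagged as rooted ---"
$registrations |
    Where-Object { $_.flaggedReasons -contains 'rootedDevice' } |
    ForEach-Object {
        [pscustomobject]@{
            UserId     = $_.userId
            Device     = $_.deviceName
            DeviceType = $_.deviceType
            Package    = $_.appIdentifier.packageId
            LastSync   = $_.lastSyncDateTime
        }
    } | Sort-Object LastSync -Descending | Format-Table -AutoSize
```

A registration that stops syncing shortly after being flagged is worth a follow-up: it can mean the user uninstalled the app, but it can equally mean they moved the data somewhere the policy does not reach.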

How to Add a Friendly Name to Configuration Manager Application Catalog Web Portal

If you need to hide your server name in the Configuration Manager Application Catalog, or if the default name is too long to remember, you can follow the steps below to add a friendly name.

Step 1 - First, create a CNAME record as shown below. You can use any alias name you prefer.

Step 2 - Once the CNAME is created, restart the DNS service. (Clients that have already cached a lookup may need ipconfig /flushdns before the new name resolves.)

Step 3 - Once DNS has restarted, open IIS Manager on the Configuration Manager server and go to Bindings under Default Web Site.

Step 4 - Add a new binding and type the same FQDN (the friendly name) that you used in the CNAME record as the host name. If the catalog is published over HTTPS, the server certificate must also list this name as a subject alternative name, otherwise browsers will warn on the new URL.

Step 5 - Once the binding is done, restart IIS and open the Configuration Manager console. Remove the existing Application Catalog website point and re-add it with the web application name you want, and also change the NetBIOS name that will be used for the App Catalog URL.

Step 6 - Then go to the Configuration Manager client settings and, under Computer Agent, Set Website, select the NetBIOS name and save the client settings. Once that is done, manually push the computer policy to the device collections.

Step 7 - After a while, verify that the URL works with the new name.
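The DNS and IIS half of the procedure, together with the check in step 7, can be scripted so that it is repeatable and verifiable. The block below is an added example, not from the original post. All names are placeholders: the site server sccm01.contoso.local, the zone contoso.local, the alias appcatalog and the default web application name CMApplicationCatalog. The DNS part runs on the DNS server (DnsServer module), the IIS part on the Configuration Manager site server (WebAdministration module), both in an elevated PowerShell session.

```powershell
# Added example (not from the original post): create the CNAME and host-header
# binding, then verify the alias. Server, zone and alias names are placeholders.

$Zone       = 'contoso.local'
$Alias      = 'appcatalog'
$SiteServer = 'sccm01.contoso.local'
$WebAppName = 'CMApplicationCatalog'   # default name; change if you renamed it in step 5
$AliasFqdn  = "$Alias.$Zone"

# 1. CNAME pointing the friendly name at the site server (step 1), created only once.
if (-not (Get-DnsServerResourceRecord -ZoneName $Zone -Name $Alias -RRType CName -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordCName -ZoneName $Zone -Name $Alias -HostNameAlias $SiteServer
}

# 2. Host-header binding so IIS answers requests addressed to the alias (steps 3-4).
Import-Module WebAdministration
$existing = Get-WebBinding -Name 'Default Web Site' -Protocol http |
            Where-Object { $_.bindingInformation -eq "*:80:$AliasFqdn" }
if (-not $existing) {
    New-WebBinding -Name 'Default Web Site' -Protocol http -Port 80 -HostHeader $AliasFqdn
}
# For an https binding the certificate must carry $AliasFqdn as a subject alternative
# name; New-WebBinding does not check that for you.

# 3. Verify (step 7): the alias must resolve to the site server and the catalog must answer.
$cname = Resolve-DnsName -Name $AliasFqdn -Type CNAME -ErrorAction Stop
if ($cname.NameHost -ne $SiteServer) {
    throw "CNAME for $AliasFqdn points at $($cname.NameHost), expected $SiteServer"
}

$url = "http://$AliasFqdn/$WebAppName"
$response = Invoke-WebRequest -Uri $url -UseDefaultCredentials -UseBasicParsing -ErrorAction Stop
"HTTP $($response.StatusCode) from $url"
```

Run the verification part from a client machine rather than from the site server itself; that is the only way to catch a stale DNS cache or a firewall rule that still allows only the old name.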