MS-100 Implement MFA

May 31st, 2019 | Posted by admin in Exchange

Design an MFA solution

Azure AD P1, Azure AD P2, EMS E3 and EMS E5 include the option to enable Azure Multi-Factor Authentication. As a Microsoft 365 Enterprise customer, you need to design an MFA solution that protects access to your organization's data by requiring a second factor from authenticated users.

Design a solution along the lines below:

  • Implement Conditional Access to enable MFA for the required applications.
  • If required, set an MFA exception when the application is accessed from a compliant device, a Hybrid Azure AD joined device, or a corporate trusted location.
  • Irrespective of the application, require users with admin roles to complete MFA.

In addition, keep the questions below in mind when designing your MFA solution:

  • Does your company need to protect privileged accounts with MFA?
  • Does your company need to enable MFA for certain applications for compliance reasons?
  • Does your company need to enable MFA for all eligible users of these applications, or only for administrators?
  • Do you need MFA always enabled, or only when users sign in from outside your corporate network?

Configure MFA for Apps or Users

Configure MFA for Apps

Use Azure AD Conditional Access policies to enable MFA for applications onboarded to Azure AD.

To create a Conditional Access policy:

Azure Portal -> Azure AD -> Conditional Access -> New CA Policy -> select the users -> select the application -> review the other settings -> require MFA in the Grant section and save
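The same policy built from PowerShell, as an added example that is not part of the original post: it implements the "admin roles always get MFA" item from the design list above using the AzureADPreview module. It assumes the module is installed, Connect-AzureAD has been run as a Global Administrator, and the policy name and role list are constructed sample values.

```powershell
# Added example (not from the original post): Conditional Access policy that requires MFA
# for admin role members on every cloud app. Assumes AzureADPreview and a Connect-AzureAD session.

# Resolve role template IDs by display name so no GUIDs are hard-coded. The Global Administrator
# template is named 'Company Administrator' in older module versions, so both names are tried.
$adminRoleNames = @('Global Administrator', 'Company Administrator',
                    'Exchange Administrator', 'Exchange Service Administrator',
                    'SharePoint Administrator', 'SharePoint Service Administrator')
$adminRoleIds = Get-AzureADDirectoryRoleTemplate |
    Where-Object { $adminRoleNames -contains $_.DisplayName } |
    Select-Object -ExpandProperty ObjectId
if (-not $adminRoleIds) { throw 'No matching admin role templates found' }

$conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet

# Scope: every cloud application, but only for members of the admin roles.
$conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
$conditions.Applications.IncludeApplications = 'All'
$conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$conditions.Users.IncludeRoles = $adminRoleIds

# Admins get no location exception. For an ordinary-user policy, the corporate-network exception
# from the design list is expressed on the location condition instead:
#   $conditions.Locations.IncludeLocations = 'All'; $conditions.Locations.ExcludeLocations = 'AllTrusted'

# Grant control: require multi-factor authentication.
$controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$controls._Operator = 'OR'
$controls.BuiltInControls = 'mfa'

# Start in report-only mode so the sign-in log shows who would be affected before enforcing;
# switch -State to 'enabled' once the impact has been reviewed.
New-AzureADMSConditionalAccessPolicy -DisplayName 'Require MFA for admin roles (constructed example)' `
    -State 'enabledForReportingButNotEnforced' `
    -Conditions $conditions -GrantControls $controls
```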

Configure MFA for Users

We can enable MFA at the user level, so that whenever the user accesses an Office 365 service or an Azure AD integrated application, the user is prompted for the MFA challenge as the second factor of authentication.

Azure Portal -> Azure AD -> Users -> open Multi-Factor Authentication -> search for the user -> Enable MFA

Administer MFA Users

Manage MFA Service Settings:

We can configure the MFA service settings below as an administrator for the organization.

App Passwords: Users can use an app password to sign in to non-browser apps. We have the option to allow or restrict app passwords.

Verification Options: If MFA is enabled, these are the verification methods users are allowed to use. We can control the options here.

Remember Multi-Factor Authentication: Once a user has passed MFA validation, being prompted again every time they access the service is annoying. We can control how long the MFA authentication is remembered on that device. By default, this is not enabled.

Azure Portal -> Azure AD -> Users -> Open the Multi-Factor Authentication -> Service Settings

The activity report is also available from the Azure AD portal -> Security -> MFA -> MFA Server -> Activity Report.

Manage User Settings

If MFA is enabled on an account, we have the options below to administer the account.

The above three options are self-explanatory. Please know the available options.

Report MFA utilization

MFA activity reports are available for administrator review.

To monitor MFA usage, navigate to Azure Portal -> Azure AD -> Security -> MFA -> Manage MFA Server -> Reports -> Activity Reports.

Identify users who have registered for MFA using the PowerShell that follows.

Get-MsolUser -All | Where-Object {$_.StrongAuthenticationMethods -ne $null} | Select-Object -Property UserPrincipalName

Identify users who have not registered for MFA using the PowerShell that follows.

Get-MsolUser -All | Where-Object {$_.StrongAuthenticationMethods.Count -eq 0} | Select-Object -Property UserPrincipalName
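An added example, not from the original post, that covers both the per-user MFA step under "Configure MFA for Users" and the reporting above: it sets the per-user MFA state with Set-MsolUser and produces a fuller registration report (state, registered or not, default method) than the two one-liners. It assumes the MSOnline module and an existing Connect-MsolService session; the UPNs are constructed sample values.

```powershell
# Added example (not from the original post). Assumes MSOnline and a Connect-MsolService session.

function Set-PerUserMfa {
    param(
        [Parameter(Mandatory)] [string[]] $UserPrincipalName,
        # 'Enabled' makes the user register at next sign-in; 'Enforced' also cuts off clients
        # that cannot do MFA until an app password is used; 'Disabled' clears per-user MFA.
        [ValidateSet('Enabled', 'Enforced', 'Disabled')] [string] $State = 'Enabled'
    )
    foreach ($upn in $UserPrincipalName) {
        if ($State -eq 'Disabled') {
            # An empty requirements array removes per-user MFA from the account.
            Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @()
            continue
        }
        $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
        $req.RelyingParty = '*'      # apply to every relying party, not a single application
        $req.State = $State
        Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @($req)
    }
}

function Get-MfaRegistrationReport {
    # One row per user: per-user MFA state, whether any method is registered, default method.
    Get-MsolUser -All | ForEach-Object {
        $u = $_
        $state = 'NotConfigured'
        if ($u.StrongAuthenticationRequirements.Count -gt 0) {
            $state = $u.StrongAuthenticationRequirements[0].State
        }
        $default = $u.StrongAuthenticationMethods | Where-Object { $_.IsDefault }
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            PerUserMfaState   = $state
            Registered        = ($u.StrongAuthenticationMethods.Count -gt 0)
            DefaultMethod     = $default.MethodType
        }
    }
}

# Constructed sample usage: enforce MFA on two admin accounts, then list who has still not registered.
Set-PerUserMfa -UserPrincipalName 'admin1@example.com', 'admin2@example.com' -State 'Enforced'
Get-MfaRegistrationReport | Where-Object { -not $_.Registered } | Format-Table -AutoSize
```

Accounts that are Enabled or Enforced but not Registered are the ones to chase, since the prompt to register only appears at their next interactive sign-in.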

MS-100 Manage Authentication

May 31st, 2019 | Posted by admin in Exchange

Manage Authentication

To manage the authentication options, we need to know the authentication methods available and how they work.

Understanding Authentication Methods:


Below are the authentication (sign-in) options available for Office 365 / Azure AD.

  • Federation Authentication
  • Password Hash Synchronization Authentication
  • Pass-through Authentication
  • Seamless SSO (enabled when choosing PHS or PTA)

Federated Authentication

Most companies prefer to use federated authentication. When the federated sign-in option is enabled, the domain used for authentication is configured as a federated domain in Azure AD. Below is the authentication flow for federated sign-in.

How it works

To explain the federated sign-in flow: when you access a claims-aware application that trusts Azure AD as its STS, the application redirects you to authenticate with Azure AD. Azure AD first prompts for the user name only, and once you enter it, the domain is checked to see whether it is federated. Since it is a federated domain, you are redirected to the on-premises ADFS infrastructure with a token request (to the WAP server if you are on the Internet, to the ADFS server if you sign in from the intranet). ADFS receives the SAML request, prompts you for your user name and password, and authenticates them against Active Directory. On successful authentication, ADFS issues a security token with claims to the user, which is sent back to Azure AD. Azure AD evaluates the token response and, if it is valid, confirms the authentication and the user is allowed to access the application.

Note: You need to maintain an ADFS infrastructure to have this federated sign-in option; it has additional benefits, such as using an on-premises MFA Server for multi-factor authentication.

Password Hash Synchronization Authentication

Do not be confused by the Password Hash Synchronization option: we are not synchronizing the password itself from on-premises to Azure AD. Only a hash of the password hash is synchronized to Azure AD using Azure AD Connect.

How it works

When Password Hash Synchronization authentication is enabled for the tenant, the hash of the password hash is available in Azure AD after synchronization. When a user accesses an Azure AD integrated application, the user is redirected to authenticate with Azure AD. Azure AD prompts for the credentials; both the user name and the password are entered in the Azure AD sign-in dialog and validated against the hash synced to Azure AD. If successful, the user is issued a security token to authenticate to the service or application. Switching from one application to another prompts the user to validate the credentials again when this sign-in option is used.

Pass-through Authentication

If we use Pass-through Authentication, the user name and password are gathered by Azure AD, but the password is validated in on-premises AD. An Authentication Agent configured on the Azure AD Connect server, or on any member server, supports Pass-through Authentication. Below is the pass-through authentication flow.

How it works

When a user accesses any Office 365 application, it redirects the user to Azure AD for authentication. Azure AD prompts for both the user name and password and sends them to the on-premises Authentication Agent server over the secure tunnel established when the agent was configured. The Authentication Agent validates the user name and password against Active Directory using a Win32 API call, and the authentication result is sent back to Azure AD. On success, Azure AD issues a security token for the application and the user gains access.

Seamless Single Sign-On Authentication

Seamless SSO works with Password Hash Synchronization and Pass-through Authentication. For Seamless SSO to work, the machine has to be domain joined and must have access to AD. The machine authenticates to Azure AD using a Kerberos ticket.

How it works

When Seamless SSO is enabled, a new computer object is created in AD that holds two SPNs used for authentication with Azure AD. Suppose a user accesses a claims-aware application: the user is redirected to Azure AD for authentication, and Azure AD instructs the client to perform a probe to find out whether it is SSO capable, returning an unauthorized response that tells the client to obtain a ticket from AD. The client requests a Kerberos ticket from AD and sends it to Azure AD; Azure AD returns a security token, which is sent to the application, and the authentication succeeds.

If Seamless SSO fails, the other enabled option, PTA or PHS, is used for authentication.

Design Authentication Method:

You can choose from the authentication methods below and design your Azure AD authentication:

  • Cloud Authentication
  • Federated Authentication
  • Federated Authentication with Password Hash Sync
  • Federated Authentication with Pass-Through Authentication
  • Seamless SSO with Password Hash Sync
  • Seamless SSO with Pass-Through Authentication

Configure Authentication

Enterprise customers will typically deploy ADFS for authentication, and we will see how to configure Microsoft 365 authentication using ADFS.

ADFS configuration requires:

  • A Domain Admin account
  • A publicly trusted certificate for SSL server authentication
  • ADFS prerequisites such as the ADFS service name, service account, SQL database, etc.
  • DNS A records for the ADFS service name in internal and external DNS
  • The domain to be federated must be added and verified in Azure AD

Once any of the above authentication methods is selected, we have the option to configure Multi-Factor Authentication for end users.

MFA can be enabled at the account level or it can be enabled per application by using Conditional Access.

ADFS supports certificate-based authentication (smart card certificates).

Implement Authentication Method

Below are the two options available for configuring authentication for Office 365.

Configuring Office 365 / Azure AD Authentication via ADFS

Once the ADFS infrastructure is deployed, we need to convert the required domain to a federated domain using the two commands below

Set-MsolADFSContext -Computer ADFS_Server_FQDN

Convert-MsolDomainToFederated -DomainName SuperHybridCloud.com

The above command converts the domain to a federated domain and creates a relying party trust for Office 365 services with the default claims required for authentication.

To convert a domain to standard (managed) or federated, we can use any of the PowerShell commands below

  • Set-MsolDomainAuthentication
  • Convert-MsolDomainToStandard or Convert-MsolDomainToFederated
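An added example, not from the original post, that goes one step beyond the conversion commands above: it audits every verified domain in the tenant, reports whether it is Managed or Federated, and for federated domains shows the ADFS endpoints Azure AD will redirect sign-ins to. It assumes the MSOnline module and an existing Connect-MsolService session.

```powershell
# Added example (not from the original post). Assumes MSOnline and a Connect-MsolService session.

function Get-DomainAuthenticationReport {
    Get-MsolDomain | Where-Object { $_.Status -eq 'Verified' } | ForEach-Object {
        $domain = $_
        $row = [ordered]@{
            Domain          = $domain.Name
            Authentication  = $domain.Authentication   # 'Managed' or 'Federated'
            IsDefault       = $domain.IsDefault
            IssuerUri       = $null
            PassiveLogOnUri = $null
            CertThumbprint  = $null
        }
        if ($domain.Authentication -eq 'Federated') {
            # Confirm the endpoints and signing certificate belong to the ADFS/WAP farm you run:
            # an unexpected IssuerUri or logon URL means federated sign-ins go somewhere else.
            $fed = Get-MsolDomainFederationSettings -DomainName $domain.Name
            $row.IssuerUri       = $fed.IssuerUri
            $row.PassiveLogOnUri = $fed.PassiveLogOnUri
            if ($fed.SigningCertificate) {
                $certBytes = [Convert]::FromBase64String($fed.SigningCertificate)
                $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$certBytes)
                $row.CertThumbprint = $cert.Thumbprint
            }
        }
        [pscustomobject]$row
    }
}

Get-DomainAuthenticationReport | Format-Table -AutoSize
```

Run this after Convert-MsolDomainToFederated (or after an ADFS certificate rollover) to confirm the domain is in the state you expect before users hit it.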

Configuring Office 365 / Azure AD Authentication via Azure AD Connect

While configuring Azure AD Connect, we have an option to select the sign-in option as well as the ADFS configuration, which converts the domain and creates the relying party trust during the Azure AD Connect configuration.

Note that Password Hash Sync and Pass-through Authentication can be configured only from Azure AD Connect.

Manage Authentication

To change the authentication method:

On the Azure AD Connect configuration wizard -> Configure -> Configure Sign in Options, select the authentication method required for your organization.

To view the configured authentication method,

MFA can be enabled or disabled from the properties of the User Account or via Conditional Access Policy.

Monitor authentication

Azure AD sign-in logs are available for 30 days for review; we can navigate to the Azure AD portal to view them. This requires Azure AD P1 or P2.

To view the Sign-In logs: Azure AD -> Sign-Ins
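The same sign-in log queried from PowerShell, as an added example that is not part of the original post: it pulls recent failed sign-ins with the AzureADPreview module and summarizes them per user so that guessing patterns stand out from one-off client errors. It assumes Connect-AzureAD has been run with an account allowed to read the sign-in logs; the thresholds are constructed defaults.

```powershell
# Added example (not from the original post). Assumes AzureADPreview and a Connect-AzureAD session.

function Get-FailedSignInSummary {
    param([int] $Days = 7, [int] $MinFailures = 5)
    $since = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('yyyy-MM-ddTHH:mm:ssZ')
    # Time window is filtered server-side; failures (non-zero error code) are filtered client-side.
    $failed = Get-AzureADAuditSignInLogs -All $true -Filter "createdDateTime ge $since" |
        Where-Object { $_.Status.ErrorCode -ne 0 }

    $failed | Group-Object -Property UserPrincipalName |
        Where-Object { $_.Count -ge $MinFailures } |
        ForEach-Object {
            $g = $_
            $topReason = $g.Group | Group-Object -Property { $_.Status.FailureReason } |
                Sort-Object Count -Descending | Select-Object -First 1
            [pscustomobject]@{
                UserPrincipalName = $g.Name
                Failures          = $g.Count
                DistinctIPs       = @($g.Group.IpAddress | Sort-Object -Unique).Count
                Apps              = (@($g.Group.AppDisplayName | Sort-Object -Unique) -join ', ')
                TopReason         = $topReason.Name
            }
        } | Sort-Object Failures -Descending
}

# Many failures for one account from many IPs is the pattern to investigate first;
# one IP and one repeated reason is usually a misconfigured client or a stale saved password.
Get-FailedSignInSummary -Days 7 -MinFailures 5 | Format-Table -AutoSize
```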

MS-100 Manage User Roles

May 31st, 2019 | Posted by admin in Exchange

Plan User Roles

Below are the admin roles available in Azure AD. We can plan to assign these roles to the users who manage the Microsoft 365 services.


To manage User Settings

From the Azure AD portal, navigate to Azure Portal -> Azure AD -> User Settings to manage the options below:

  • Plan the Enterprise Application settings required for your organization
  • Decide whether to restrict access to the Azure AD administration portal
  • Allow or restrict users from registering an application on their own
  • Manage the external collaboration settings


Allocate Roles in workloads

By default, the Tenant admin / Global Admin has full access to all Microsoft 365 workloads. In addition, the Global Admin can designate other users as administrators of specific Microsoft 365 workloads such as EXO and SPO.

Exchange Online

Below are the roles available in Exchange Online; we have the RBAC option to define granular permissions based on our requirements.


Skype for Business and Microsoft Teams

Below are the default admin roles available for Skype for Business and Microsoft Teams


SharePoint and OneDrive

SharePoint Online and OneDrive for Business have only one default admin role, SharePoint Administrator. To give granular control, we can assign particular users as Site Collection Administrators.

Configure Administrative Accounts:

We know the administrative accounts in Azure AD listed below; these can be delegated to the respective service administrators.


We can configure the steps below to protect and monitor administrative accounts.

  • Configure MFA to protect those accounts
  • Configure a Conditional Access policy to allow administrator account usage only from the corporate network
  • Configure Access Reviews for the administrative role groups
  • Configure Identity Protection for administrative accounts
  • Use PIM to elevate permissions temporarily
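The first item on that list is only as good as its coverage, so here is an added example, not from the original post, that lists members of the privileged Azure AD roles who have no MFA method registered. It assumes the MSOnline module and an existing Connect-MsolService session; the role names are the MSOnline display names (the Global Administrator role is 'Company Administrator' there), and the default list is a constructed starting point.

```powershell
# Added example (not from the original post). Assumes MSOnline and a Connect-MsolService session.

function Get-AdminsWithoutMfa {
    param(
        [string[]] $RoleName = @('Company Administrator', 'Exchange Service Administrator',
                                 'SharePoint Service Administrator', 'User Account Administrator')
    )
    foreach ($role in Get-MsolRole | Where-Object { $RoleName -contains $_.Name }) {
        # Only user members are checked; group and service principal members carry no MFA state.
        Get-MsolRoleMember -RoleObjectId $role.ObjectId |
            Where-Object { $_.RoleMemberType -eq 'User' } |
            ForEach-Object {
                $user = Get-MsolUser -ObjectId $_.ObjectId
                if ($user.StrongAuthenticationMethods.Count -eq 0) {
                    $state = 'NotConfigured'
                    if ($user.StrongAuthenticationRequirements.Count -gt 0) {
                        $state = $user.StrongAuthenticationRequirements[0].State
                    }
                    [pscustomobject]@{
                        Role               = $role.Name
                        UserPrincipalName  = $user.UserPrincipalName
                        PerUserMfaState    = $state
                        LastPasswordChange = $user.LastPasswordChangeTimestamp
                    }
                }
            }
    }
}

# Privileged accounts with no second factor registered are the ones to enrol first,
# or to cover with the admin-role Conditional Access policy until they have registered.
Get-AdminsWithoutMfa | Sort-Object Role, UserPrincipalName | Format-Table -AutoSize
```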

Configure RBAC within Azure AD


Delegate admin rights

https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/roles-concept-delegation

Manage admin roles


To assign an Azure AD role:

Open the user's properties and assign the appropriate admin role from the list above based on the service the user manages.

To view the sign-in logs, the user has to be a member of the Security Administrator, User Administrator and Compliance Management roles.
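The same assignment scripted with the AzureAD module, as an added example that is not part of the original post. It handles the detail the portal hides: Get-AzureADDirectoryRole only returns roles that have already been activated in the tenant, so a role nobody has held yet must first be enabled from its template. It assumes Connect-AzureAD has been run as a Global Administrator; the UPN and role name in the sample call are constructed.

```powershell
# Added example (not from the original post). Assumes the AzureAD module and a Connect-AzureAD session.

function Add-UserToDirectoryRole {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [string] $RoleName
    )
    $user = Get-AzureADUser -ObjectId $UserPrincipalName

    # Roles appear in Get-AzureADDirectoryRole only once activated; activate from the template if needed.
    $role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $RoleName }
    if (-not $role) {
        $template = Get-AzureADDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq $RoleName }
        if (-not $template) { throw "No directory role template named '$RoleName'" }
        $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
    }

    # Idempotent: skip accounts that already hold the role.
    $already = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
        Where-Object { $_.ObjectId -eq $user.ObjectId }
    if ($already) {
        return "$UserPrincipalName already holds $RoleName"
    }

    Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $user.ObjectId
    return "Added $UserPrincipalName to $RoleName"
}

# Constructed sample call.
Add-UserToDirectoryRole -UserPrincipalName 'secadmin@example.com' -RoleName 'Security Administrator'
```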

Manage role allocations by using Azure AD

Plan security and compliance roles for Microsoft 365

Security and Compliance

We have the default role groups below available in Security and Compliance. We can customize these based on our requirements using the 29 available roles.

  • Reviewer: Use a limited set of the analysis features in Office 365 Advanced eDiscovery. Members of this group can see only the documents that are assigned to them.
  • Records Management: Members of this management role group have permissions to manage and dispose of record content.
  • Security Administrator: Members have the Security Reader permissions plus DLP Compliance Management, Device Management and Audit Logs.
  • Organization Management: Members of this management role group have permissions to manage Exchange objects and their properties in the Exchange organization. Members can also delegate role groups and management roles in the organization. This role group should not be deleted.
  • Supervisory Review: Members can control policies and permissions for reviewing employee communications.
  • Compliance Administrator: Members can manage settings for device management, data loss prevention, reports, and preservation.
  • Security Reader: Members can view alerts, DLP Compliance Management and Device Management, and hold the Security Reader role.
  • eDiscovery Manager: Members can perform searches and place holds on mailboxes, SharePoint Online sites, and OneDrive for Business locations.
  • Service Assurance User: Members can review documents related to security, privacy, and compliance in Office 365 to perform risk and assurance reviews for their own organization.
  • Mail Flow Administrator: Has the View-Only Recipients role assigned.