Thursday, April 20, 2017

Enable Phone Sign In -Microsoft Authenticator

Recently, Alex Simons has blogged on "No password, phone sign in for Microsoft accounts". This a great enhancement in Microsoft second factor or "no password" technology.

With phone sign-in, Microsoft shifting the security burden from our memory to our device. Just add our account to the Android or iOS Microsoft Authenticator app, then enter our username as usual when signing in somewhere new. Instead of entering our password, we’ll get a notification on our phone. Unlock our phone, tap “Approve”, and we’re in.

This process is easier than standard two-step verification and significantly more secure than only a password, which can be forgotten, phished, or compromised. Using your phone to sign in with PIN or fingerprint is a seamless way to incorporate two account “proofs” in a way that feels natural and familiar.

There are a few things you need to consider to complete "phone sign" option.
  
First download Microsoft Authenticator app from store than configured for personal account, you will see an option from the drop-down menu to select Enable phone sign-in.

If you don't configure or add your Microsoft account in your Authenticator App, you don't see a "use the Microsoft Authenticator app instead" option.  Instead, you will have only see the password sign-in option as shown below:


You will see the following verification message on your login screen and on your mobile device.


Open your Microsoft account and click on next



Now you will see the option "Use the Microsoft Authenticator app instead", once you click you will get
You can also copy the code


Once click "Use the Microsoft Authenticator app instead" you will get following option "Deny" or "Approve"



Once approve you have to open your phone
once approve we are in in my emails



But you don't see this option If you are adding a new Microsoft account on an iPhone.  Microsoft will automatically set it up for you by default.  So add your Microsoft Account and login to a Microsoft service using this account. You will see an additional "password less".

TimeZone /Regional Settings for Shared Mailboxes in Office 365

During the migration to Office 365, I was working with one of the user to correct the issue of time zone of shared mailboxes. I noticed the time was off by a few hours when accessing some shared mailboxes in Office 365 using Outlook Web App (OWA). It was set to Microsoft’s default—Pacific Standard Time.
If you access the shared mailboxes using the desktop version of Outlook (2010, 2013 or 2016), this typically won’t be a problem as the desktop version of Outlook will simply use your PC’s regional settings. However, for various reasons, the desktop version of Outlook may not be an option.
OWA Timezone Settings for User Mailboxes in Office 365
By default when we logs into the OWA for first time, it will give us option to set the regional settings by choosing the default language and time zone, also we can change from Settings -->Mail -->General and select the time zone.
OWA Timezone Settings for Shared Mailboxes in Office 365
In Shared mailboxes work a little differently. We are not log directly into a shared mailbox as there is no user associated with one. If we have the requisite permissions to access a shared mailbox, we could open it in OWA to set the regional settings for it. The process is a little more involved than if you were opening your own mailbox for the first time.
Configure Timezone Settings for Shared mailboxes in Office 365 using OWA
To manually configure region and timezone settings for a shared mailbox via OWA, simply log into OWA as yourself, click your avatar and select Open another mailbox. Enter the shared mailbox name and click Open. From here, go to Options and select Mail from the navigation pane on the right. Select General from the navigation pane on the left, and click Region and timezone. Make any applicable changes to your language, date format, time format and/or timezone settings, then click Save.
Using PowerShell
For all shared mailboxes
Get-Mailbox –RecipientTypeDetails SharedMailbox | Set-MailboxRegionalConfiguration –Language “en-US” –TimeZone “Central Standard Time” –DateFormat “M/d/yyyy” –TimeFormat “h:mm tt”
For a single shared or user mailbox
Get-Mailbox –Identity sharedmailbox@Domain.com | Set-MailboxRegionalConfiguration –Language “en-US” –TimeZone “Central Standard Time” –DateFormat “M/d/yyyy” –TimeFormat “h:mm tt”
For all mailboxes
Get-Mailbox | Set-MailboxRegionalConfiguration –Language “en-US” –TimeZone “Central Standard Time” –DateFormat “M/d/yyyy” –TimeFormat “h:mm tt”


Tuesday, April 18, 2017

AAD Connect Version 1.1.484.0 Released

Azure Active Directory Connect version 1.1.484.0 has been released, which includes several fixes and service account improvements. It also simplifies the port architecture required during the setup of Pass-Through Authentication.

Proper directory synchronization is key to a healthy hybrid environment, so it's important to keep on top of upgrades to your directory synchronization infrastructure.

Known issues:
·         This version of Azure AD Connect will not install successfully if the following conditions are all true:
1.    You are performing either DirSync in-place upgrade or fresh installation of Azure AD Connect.
2.    You are using a localized version of Windows Server where the name of built-in Administrator group on the server isn't "Administrators".
3.    You are using the default SQL Server 2012 Express LocalDB installed with Azure AD Connect instead of providing your own full SQL.
Fixed issues:
Azure AD Connect sync
·         Fixed an issue where the sync scheduler skips the entire sync step if one or more connectors are missing run profile for that sync step. For example, you manually added a connector using the Synchronization Service Manager without creating a Delta Import run profile for it. This fix ensures that the sync scheduler continues to run Delta Import for other connectors.
·         Fixed an issue where the Synchronization Service immediately stops processing a run profile when it is encounters an issue with one of the run steps. This fix ensures that the Synchronization Service skips that run step and continues to process the rest. For example, you have a Delta Import run profile for your AD connector with multiple run steps (one for each on-premises AD domain). The Synchronization Service will run Delta Import with the other AD domains even if one of them has network connectivity issues.
·         Fixed an issue that causes the Azure AD Connector update to be skipped during Automatic Upgrade.
·         Fixed an issue that causes Azure AD Connect to incorrectly determine whether the server is a domain controller during setup, which in turn causes DirSync upgrade to fail.
·         Fixed an issue that causes DirSync in-place upgrade to not create any run profile for the Azure AD Connector.
·         Fixed an issue where the Synchronization Service Manager user interface becomes unresponsive when trying to configure Generic LDAP Connector.
AD FS management
·         Fixed an issue where the Azure AD Connect wizard fails if the AD FS primary node has been moved to another server.
Desktop SSO
·         Fixed an issue in the Azure AD Connect wizard where the Sign-In screen does not let you enable Desktop SSO feature if you chose Password Synchronization as your Sign-In option during new installation.
New features/improvements:
Azure AD Connect sync
·         Azure AD Connect Sync now supports the use of Virtual Service Account, Managed Service Account and Group Managed Service Account as its service account. This applies to new installation of Azure AD Connect only. When installing Azure AD Connect:
o    By default, Azure AD Connect wizard will create a Virtual Service Account and uses it as its service account.
o    If you are installing on a domain controller, Azure AD Connect falls back to previous behavior where it will create a domain user account and uses it as its service account instead.
o    You can override the default behavior by providing one of the following:
§  A Group Managed Service Account
§  A Managed Service Account
§  A domain user account
§  A local user account
·         Previously, if you upgrade to a new build of Azure AD Connect containing connectors update or sync rule changes, Azure AD Connect will trigger a full sync cycle. Now, Azure AD Connect selectively triggers Full Import step only for connectors with update, and Full Synchronization step only for connectors with sync rule changes.
·         Previously, the Export Deletion Threshold only applies to exports which are triggered through the sync scheduler. Now, the feature is extended to include exports manually triggered by the customer using the Synchronization Service Manager.
·         On your Azure AD tenant, there is a service configuration which indicates whether Password Synchronization feature is enabled for your tenant or not. Previously, it is easy for the service configuration to be incorrectly configured by Azure AD Connect when you have an active and a staging server. Now, Azure AD Connect will attempt to keep the service configuration consistent with your active Azure AD Connect server only.
·         Azure AD Connect wizard now detects and returns a warning if on-premises AD does not have AD Recycle Bin enabled.
·         Previously, Export to Azure AD times out and fails if the combined size of the objects in the batch exceeds certain threshold. Now, the Synchronization Service will reattempt to resend the objects in separate, smaller batches if the issue is encountered.
·         The Synchronization Service Key Management application has been removed from Windows Start Menu. Management of encryption key will continue to be supported through command-line interface using miiskmu.exe. For information about managing encryption key, refer to article Abandoning the Azure AD Connect Sync encryption key.
·         Previously, if you change the Azure AD Connect sync service account password, the Synchronization Service will not be able start correctly until you have abandoned the encryption key and reinitialized the Azure AD Connect sync service account password. Now, this is no longer required.
Desktop SSO
·         Azure AD Connect wizard no longer requires port 9090 to be opened on the network when configuring Pass-through Authentication and Desktop SSO. Only port 443 is required. 


Download the latest version of AAD Connect here.