Personal blog on Microsoft technologies (Exchange, Skype for Business, SharePoint, Office 365,Azure, Intune, SCCM…)
Windows Server 2019 Preview (the next major release of Windows Server) is now available for Azure Virtual Machine.
Just search for Windows Server 2019 when you create a new virtual machine
Search the marketplace (https://azuremarketplace.microsoft.com/en-us/marketplace/apps/) for Windows Server 2019
Or access the marketplace directly from this URL https://azuremarketplace.microsoft.com/en-us/marketplace/apps/microsoft-hyperv.rs5_preview
Enjoy
So, you have deployed and registered your Azure AD Password Protection agents on your on-premises environment (see https://t.co/PnWZiWbWic).
Now you can manage this feature by controlling how it is going to work – aka manage your own banned passwords list, enforce the feature or enable the Smart Lookout (to restrict the risk of getting your AD account locked because somebody is trying to guess your password).
To manage Azure AD Password Protection, connect to your Azure portal (or Azure AD portal) with your global administrator account and reach the Authentication methods configuration blade shown below the Security option of your Azure AD
From this blade you have only one configuration option for Password Protection
The Password Protection blade will then let you configure:
NOTE the banned password can not be longer than 16 characters
You may already know that Azure AD is using advanced technologies to protect your credentials, especially your password. It even detects if the password you are trying to use (when you have to change it due to expiration) has been used too much or has been compromised (or banned).
This is a huge security feature but until now this was only available if you use Azure AD for authentication. Starting today (in preview), you can now use these capabilities with your on-premises Active Directory with a component called Azure AD password protection for Windows Server Active Directory.
First things first, here are the requirements to get it working with your on-premises environment:
The below diagram is a courtesy of Microsoft, describing how this feature works.
NOTE you can deploy it silently as there is no installation options required(msiexec.exe /i AzureADPasswordProtectionProxy.msi /quiet /qn or with SCCM) and then once ready execute the registration steps
NOTE if you had a PowerShell prompt already opened, you will need to open a new one
Import-Module AzureADPasswordProtection
If your Azure AD global administrator account is the same (and sync with Azure AD) than the AD DS domain admin account, you can ignore the -ForestCredential parameter
NOTE it may take sometime to complete the registration process for the first agent
$tenantAdminCreds = Get-Credential
$domainAdminCreds = Get-Credential
Register-AzureADPasswordProtectionProxy -AzureCredential $tenantAdminCreds –ForestCredential $domainAdminCreds
You can check the registration has been successfully completed (unless you got an error message) by accessing the Windows Event log for the AzureADPasswordProtection (available below the following path Applications and Services Logs\Microsoft\AzureADPasswordProtection\Operational) log and look for the events:
NOTE you just need to run this AD DS forest registration step only once. If you deploy multiple proxy agent, there is no need to run again this command
Register-AzureADPasswordProtectionForest -AzureCredential $tenantAdminCreds
You can check the registration has been successfully completed (unless you got an error message) by accessing the Windows Event log for the AzureADPasswordProtection (available below the following path Applications and Services Logs\Microsoft\AzureADPasswordProtection\Operational) log and look for the events:
A new service container is being created in your AD DS forest. This container is used to register all agent (DC or proxy) and the certificates used to authenticate against Azure AD
CN=Azure AD Password Protection,CN=Services,CN=Configuration,DC=<removed>,DC=local
NOTE it is important to note that a server restart is required after installing the DC agent
You can check the registration has been successfully completed (after the server restart) by accessing the Windows Event log for the AzureADPasswordProtection (available below the following path Applications and Services Logs\Microsoft\AzureADPasswordProtection\DCAgent\Operational) log and look for the events:
This is it, once you have deployed at least one proxy and one DC agent, you are now able to use Azure AD Password Protection.
To keep SharePoint external files (or folders) sharing secure while improving the end-user experience, an update is being deployed (roll out completion scheduled for end of June) to change the ‘one-time password’ functionality for external users which are also hosted on another Office 365 tenant.
With this update, they will no longer need a one-time password but will logon using their current Office 365 credentials when accessing shared files/folders.
This will end with the creation of a guest account on your tenant.
As announced few days ago, I have decided to move on from SharePoint 2016 for hosting my blog.
Now, my blog is running on WordPress using SQL Server as database server, and not MySQL (even if this is still installed anyway).
As promised when I have announced the migration, here are few details about my migration which went quite smoothly, despite few issues:
Installing in this order helps to ensure all the requirements to get WordPress working with SQL are installed and configured properly (the Web Platform Installer is taking care of everything for you)
So then I had to identify and choose which plugins to use in order to protect my server and provide good user experience. I choose:
It is supposed to also handle the redirections but this part of the plugin does not work (as it uses his own table, and so is incompatible with the SQL query expected by SQL server). Quite useful anyway because of the 404 logs
Off course there has been another choice: which theme to use. I finally decided to keep one of the default themes provided by ProjectNami.
And last but not least, was to migrate the content of the SharePoint blog to WordPress.
In fact I had no really choice for the migration as the out of the box migration components (or even plugins) were not satisfying; either because of the SharePoint constraints (like the RSS feed) or because I have loosing all the formatting (CSV export/import).
I finally found a tool developed by René Hézser (https://www.hezser.de/blog/2014/10/01/migrate-sharepoint-blog-to-wordpress/) which did also a SharePoint blog to WordPress migration. Unfortunately I faced a blocking issue when migrating the posts; the categories were migrated successfully.
When running René’s tool, I got an access denied when creating the posts on WordPress. Obviously this was not a WordPress permission issue as I got the categories created. Thankfully René also provides the source code of his tool, so I used Visual Studio and ran the code in debug mode to identify the issue was with the blog’s attachments. Indeed, all the screenshots on my posts were attached to the post and not save to a Picture library because I’m using Live Writer.
So I isolated the code use to migrate the pictures (from the SharePoint library) to not use it (this implies few code change on multiple place) and successfully ran the full migration of my SharePoint blog to WordPress, keeping the formatting, published date (mostly, I will come back on this one later)… To fully complete the migration I opened the SharePoint blog using Windows Explorer (best is to use Map a network drive) to browse to the Posts library and copy the Attachments folder. I saved this folder in the file system on the WordPress server (ensure you are keeping the complete relative path /Lists/Posts/Attachments).
I then use Excel to generate the URL redirection list for the posts and category to map with the WordPress format (like /Lists/Categories/Category.aspx?CategoryId= or /Lists/Categories/Category.aspx?Name= to /category/).
After going live I monitored thanks to the Redirection plugin the 404 errors to handle redirection updates. This is when I discovered I got few (thankfully) posts with a published date set to 1 day after the real one (as of today I have something like 50 impacted posts, over more than 1000’s).
This is it; this was my, quite overall, easy migration from SharePoint blog to WordPress.
You know already that you can integrate your Exchange On-Premises with Exchange Online in an Exchange Hybrid configuration, allowing a consistent user experience wherever the mailbox is hosted.
But there was still few things missing. Few of them are (or were) the retention policies / retention tags, OWA / Mobile /ActiveSync policies which needed to be re-created on Exchange Online and maintain in both place.
An updated Exchange Hybrid Configuration Wizard had been deployed and is now allowing you can also transfer (one time transfer anyway) your retention policies from On-Premises (from Exchange 2010 to Exchange 2016) to Online.
As first step, only missing policies on ExO will be transfer. You will still have to maintain in both place if you make any updates on these policies (which usually is not the so frequent).
The option to transfer the missing retention policies is available when running the Exchange Hybrid Configuration Wizard (https://configure.office.com/Scenario.aspx?sid=33&uid=4541433136) by enabling the Organization Configuration Transfer show at the bottom of the wizard. You can take advantage of this capability with both hybrid configuration options (minimal or full).
And the result is shown below; first screenshots are the existing retention policies on my Exchange On-Premises and Exchange Online, and then after running the update HCW, the missing retention policies in ExO have been created.
As you may know, before installing Office 365 Pro Plus it is recommended to uninstall previous MSI Office install.
While it was already possible to perform this uninstall either manually when running the Office 365 Pro Plus setup or using an XML configuration file, it was not so easy.
An updated version of the Office Deployment Tool is now available which includes a new RemoveMSI capability, helping you to properly uninstall previous MSI install (like remove all other Office products or keep some)
You can get more detail here https://docs.microsoft.com/en-us/DeployOffice/upgrade-from-msi-version
NOTE to use this new capability you must deploy at least Office 365 Pro Plus version 1803 on Windows 7 or later
An updated experience for alerts on Azure is coming (currently in preview).
If you want to enable the new experience, access your Azure portal and reach the Monitor\Alerts blade, then click on the purple banner to enable it
The new experience is providing better insight on alerts and what is happening on your Azure tenant/resources by grouping by severity (the well known severity level 0 (critical) to 4)
You can roll back to the previous experience (at least until the experience is GA) by clicking again on the blue banner.
If there is any alert, you can click on it to get more details and history
Also similar alerts will be automatically group, using machine learning, to reduce the noise
As you may have notice, I have migrated my blog from SharePoint 2016 to WordPress.
I will post later some information as I have been facing an issue to get the all the previous posts migrated.
It is now live. I still have few work to do but the main things are done. By the way, all previous URL’s should continue to work as I’m implementing a redirection for all ‘SharePoint post’.
Thanks
An update is going to be rolled out (and disabled by default) for Office 365 Message Encryption.
With this update administrators will be able to allow/deny the opening of an attachment outside of an Office 365 service (like Gmail or Outlook) were not able to open attachments send using Office 365 Message Encryption.
As of today (and until your administrators enable it), attachments can not be opened when sent through Message Encryption.
IMPORTANT if downloading/opening attachments sent through Message Encryption is being allowed by your administrator, the attachment will not be protected. The principle of this update is the decryption/protection is being removed on the back end to allow recipient opening the attachments. Additional protection (like Azure Information Protection) is required if you want to keep encrypted/protected your attachment.
To enable (or disable) this feature (“Decrypt Attachment”) you need to run the following Exchange Online PowerShell (get if from https://aka.ms/exopowershell) command
Set-IRMConfiguration –DecryptAttachmentFromPortal $true (or $false)