QNAP Friends… Update your firmware…

Unless you’re running your servers, devices and other items that connect to a network of some sort in a pile of concrete at the bottom of a lake (perhaps a Great Lake) disconnected from the world, it may be time to go and start checking your firmware. I know that it’s one of the most fun activities to do over a Memorial Day weekend – right?

In this case I noticed a post about something called VPNFilter over on Ars Technica – sounds nasty, right? It mentions which software systems and devices are affected – in particular a set of QNAP devices as well as QTS, the software platform that operates QNAP devices.

For me, I quickly checked my firmware and noticed that I was not in the impacted group, but that’s not to say that you shouldn’t check your QNAP device if you’ve got one. Obviously check to make certain that you’ve got a backup of your QNAP sitting somewhere that you’re able to roll back to if you need to (I’ve never had a problem with their firmware personally).

More details are available here:  https://www.qnap.com/en-us/security-advisory/nas-201805-24


Azure: Public Preview of Serial Console

I have to say that this is crazy that Microsoft Azure now supports a Serial Console for Virtual Machines (at least in Public Preview).  Check out the blog entry over here – https://azure.microsoft.com/en-us/updates/azure-serial-console/

I decided to give it a little try to see more and it works like a champ. Very cool to see this capability coming to light, as it’s something I’ve been wanting for some time whenever a VM wasn’t coming back up as quickly as I assumed it would. Well done folks!

Check out the announcement yonder on the Azure blog – https://azure.microsoft.com/en-us/blog/virtual-machine-serial-console-access/

Don’t lose your identity in the Cloud…

If you happen to log into your Office 365 Admin Portal on a regular basis good on you – though perhaps you can get most of your alerts through the Office 365 Admin app on your phone. If you do happen to log in though and you’re using Directory Synchronization by way of either Azure AD Connect or Microsoft Identity Manager, you hopefully don’t stumble upon a message like this on the Home page.

[Screenshot 2018-03-24 23.31.07]

If you do though, don’t worry, it’s not just a red highlighted bit of text; it’s a link to your Directory Synchronization status (note: DirSync is no longer around… AAD Connect is the way to go these days). What does it mean to your end users if Directory Synchronization is failing? Well, any change that they happen to make to their profile within your on-premises Active Directory won’t be synchronized with Azure Active Directory until the issue is resolved. Not a big deal – right? Well, just think: if you changed your password on-premises, you’ll still be using your old password through Office 365.

If you click the error message, you’ll come to a page that looks something like this:

[Screenshot 2018-03-24 23.28.11]

If you’re not familiar with the above, it’s the Sync Status Health page. Typically, if things are working well, you’ll see the last time that you synchronized successfully, in addition to other pertinent information about your Office 365 tenant’s synchronization status, as well as a less stormy picture of the cloud. 🙂

In this case though, the troubleshooting tips are fairly helpful and link to https://support.office.com/en-us/article/fixing-problems-with-directory-synchronization-for-office-365-79c43023-5a47-45ae-8068-d8a26eee6bc2?ui=en-US&rs=en-US&ad=US

In this case, it just happened to be that I had turned off the server that the Azure AD Connect tool was running on. Turn the server back on and the error messages go away and identity changes begin to synchronize once more – life is good.
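Rather than waiting to notice the red banner on the Home page, you can poll the same sync status from PowerShell. The script below is an added example, not something from the original post: it uses the MSOnline module’s Get-MsolCompanyInformation cmdlet to read the last directory and password sync times and warns when they are older than a threshold. The two-hour threshold is my assumption (tune it to your Azure AD Connect scheduler interval); the cmdlet and its property names are real.

```powershell
# Added example (not from the original post): report Azure AD directory-sync health
# from the tenant side using the MSOnline module (Install-Module MSOnline).
# Assumption: a sync older than two hours is worth an alert; adjust to your schedule.
Connect-MsolService

$maxAge = New-TimeSpan -Hours 2          # assumed alert threshold
$info   = Get-MsolCompanyInformation

if (-not $info.DirectorySynchronizationEnabled) {
    Write-Output "Directory synchronization is not enabled for this tenant."
    return
}

$lastSync = $info.LastDirSyncTime        # timestamp of the last successful directory sync
$lastPw   = $info.LastPasswordSyncTime   # timestamp of the last password hash sync
$age      = (Get-Date).ToUniversalTime() - $lastSync   # sync times are reported in UTC

Write-Output ("Last directory sync : {0:u}  ({1:N0} minutes ago)" -f $lastSync, $age.TotalMinutes)
Write-Output ("Last password sync  : {0:u}" -f $lastPw)

if ($age -gt $maxAge) {
    # Stale sync means on-premises profile and password changes are not reaching Azure AD,
    # so users will keep authenticating with their old password in Office 365.
    Write-Warning "Directory sync is stale; check that the Azure AD Connect server is up and its scheduler is running."
} else {
    Write-Output "Directory sync looks healthy."
}
```

On the Azure AD Connect server itself, Get-ADSyncScheduler (from the ADSync module installed with the tool) shows whether the scheduler is enabled and when the next cycle runs, which is the first thing to check when this script reports a stale sync.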

How do I remove my domain name from Office 365?

So you have a proof of concept Office 365 instance and you realize that you want to take things to Production, but you also realize that you want to keep your POC tenant up and operational. Caveat: you went through and applied your Domain Name to your tenant through another registrar. How do you get your domain back?

Well, it’s not as difficult as you might think.  Simply wander into the Office 365 Admin Portal over at https://portal.office.com/adminportal/

Under the “Setup” section of the Admin Center, you should see “Domains”. That will show you what domains you currently have associated with your Office 365 Tenant.

[Screenshot 2018-03-25 21.32.07]

In my case I’ve got a custom domain, “potatoe.cloud”, associated with my Office 365 tenant but still have my “onmicrosoft.com” domain as the default.

Step one to removing a domain is setting another domain as default. It’s pretty quick and easy, click on the other domain (in this case spsvabeach.onmicrosoft.com) and click “Set as Default.”

Next, within potatoe.cloud, I need to click on “Remove.” This should be simple enough.

[Screenshot 2018-03-25 21.34.44]

Crikey! What’s this message at the bottom yammering about being enabled in the region? So essentially, I get to write a quick PowerShell script using some of the Azure AD components available over at the PowerShell Gallery – https://www.powershellgallery.com/packages/MSOnline/1.1.166.0

The gist of the script was running Get-MsolUser and feeding the results into an array, then looping through it and changing the domain portion of each UserPrincipalName. It required a little more work than expected but in the end worked quite nicely.

If you’ve only got a few users, it’s probably easy enough to make this change through the Office 365 Admin UI. If you’ve got more than a few, PowerShell is your friend – working with arrays and foreach clauses to filter out the users you need to update to the “onmicrosoft.com” domain or another domain you’ve established and have working.

[Screenshot 2018-03-25 22.57.27]

After you get below a certain number of users (I don’t know what that threshold is) with the non-offending domain remaining in the UPN, you can delete the domain from the tenant.

From there you can change your DNS settings back within your DNS registrar to continue making use of the domain, or set it up on the new Office 365 tenant that you’re actually switching over to use for production.
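Here is what that loop looks like end to end. This is an added example, not the script from the post: it uses the MSOnline module (the PowerShell Gallery package linked above) to find every user whose UPN is still in the custom domain, rename each one onto the onmicrosoft.com domain, and finally remove the domain once nothing references it. The domain names come from the post; the -Commit switch is my addition so that the default run only reports what would change.

```powershell
# Added example (not the post's own script): move UPNs off a custom domain so the
# domain can be removed from the tenant. Requires Install-Module MSOnline.
# Default run is a dry run; pass -Commit to make changes.
param(
    [string]$OldDomain = 'potatoe.cloud',              # domain being removed (from the post)
    [string]$NewDomain = 'spsvabeach.onmicrosoft.com', # tenant default domain (from the post)
    [switch]$Commit
)

Connect-MsolService

# Get-MsolUser -DomainName returns only users whose UPN is in that domain,
# which is the filtering the post describes doing with an array and foreach.
$users = @(Get-MsolUser -DomainName $OldDomain -All)
Write-Output ("{0} user(s) still carry @{1} in their UPN" -f $users.Count, $OldDomain)

foreach ($u in $users) {
    $prefix = $u.UserPrincipalName.Split('@')[0]
    $newUpn = "$prefix@$NewDomain"

    if ($Commit) {
        # Renames the sign-in name; the user logs in with the new UPN from now on.
        Set-MsolUserPrincipalName -UserPrincipalName $u.UserPrincipalName -NewUserPrincipalName $newUpn
        Write-Output "Renamed $($u.UserPrincipalName) -> $newUpn"
    } else {
        Write-Output "Would rename $($u.UserPrincipalName) -> $newUpn  (re-run with -Commit)"
    }
}

# Once no user references the domain any more it can be deleted from the tenant,
# which is the step the admin portal refused while UPNs still pointed at it.
if ($Commit -and @(Get-MsolUser -DomainName $OldDomain -All).Count -eq 0) {
    Remove-MsolDomain -DomainName $OldDomain
    Write-Output "Removed domain $OldDomain from the tenant."
}
```

Two things to keep in mind when running it for real: Set-MsolUserPrincipalName only works on cloud-managed accounts, so users that come from Azure AD Connect need their UPN changed in on-premises Active Directory instead, and Remove-MsolDomain will still fail if groups or mailboxes keep the domain in their email addresses, so check those if the final step errors out.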

Nevertheless, be sure to try this all out in a test tenant and be mindful that if you’ve got a provider hosted app that’s looking for a specific domain name associated with a user and it’s changed, the user’s access may also have been changed with it. This is similar to if you have an on-premises application and you modify the user’s User Principal Name on-premises – applications that used to rely on that begin to break.

Bottom line – TEST! TEST! TEST!

After you’ve worked out the kinks, you should be good to go! Best of luck!


Are you blocking Office 365?

One of the funnier things that I run into every so often is when someone’s Office 365 implementation isn’t working because their firewall administrator is following the age-old practice of least privilege. Definitely a good way to keep your environment secure, and I wouldn’t tell you not to go down this path… but you probably want to tell your firewall admin to open up the IPs and URLs that are needed for your end users to make use of Office 365 appropriately.

Check out the latest and greatest list here – https://support.office.com/en-us/article/office-365-urls-and-ip-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US

Subscribe to the RSS feed while you’re at it 🙂

Azure: Setting up a custom domain for Office 365 by way of Azure Active Directory

If you’re like me, sometimes you like to do things a little more efficiently and elegantly through PowerShell or through the Azure portal when it deals with the underlying infrastructure that’s associated with an Office 365 tenant. If you’re using Office 365 you’ve established a tenant with a .onmicrosoft.com name.  Reminder PSA: You can’t change your tenant name after you’ve created it – at least not right now.  But you can mask it using custom DNS names.

If you’re a little leery of Azure, then perhaps this will help to peel back the onion and bring tears of happiness to your face.

Step 0 – realize what you’re doing 🙂 and also that you probably want to make certain that you have permission to use the domain name that you’re setting up on the Office 365 / Azure instance that you’re going to perform these configuration changes on. Note that if you’re using a domain name already for something else that it might be wise to create a subdomain to tinker with rather than making “adjustments” to the main domain that you’ve got (e.g. something.danusher.com rather than danusher.com).

Step 1 – Head on over to your Office 365 admin portal (https://portal.office.com/adminportal/) and go to the bottom left corner to expand the “Admin Centers” section and click on “Azure Active Directory” (https://aad.portal.azure.com/binarybrewery.onmicrosoft.com). This will launch you to your Azure Active Directory admin center within Azure (alternatively, you can go to portal.azure.com and click on Azure Active Directory from the left most blade to open these settings).

Step 2 – Expand “Azure Active Directory” from the left most blade and then select “Custom domain names” from the blade that appears. This will list out the default tenant name that you have with your Office 365 tenant that was built out with your tenant when it was provisioned.

[Screenshot 2018-03-27 21.52.54]

Step 3 – Add a custom domain by typing in the name of the domain and then determining if you want to use a TXT record or an MX record to verify that you own the domain. If you’re not familiar with how to edit your TXT or MX records, Microsoft has some handy documentation on this over on the Office 365 support documents – https://support.office.com/en-us/article/gather-the-information-you-need-to-create-office-365-dns-records-77f90d4a-dc7f-4f09-8972-c1b03ea85a67

[Screenshot 2018-03-27 21.57.20]

Step 4 – Wait a while. Or as Spence would say while provisioning your User Profile Application, get a cuppa coffee.  DNS sometimes can take a while to provision.

[Screenshot 2018-03-27 21.58.58]

Sadly there are no exciting fireworks through the Azure Portal when you verify ownership of a domain.

[Screenshot 2018-03-27 22.31.19]

Just a quick toast that briefly appears in the upper right hand corner of the Azure Portal.

Step 5 – Determine whether you just want to set up Azure AD Connect to get started with Directory and Password Synchronization, or go back to the Office 365 portal and set up the remaining DNS entries to be able to fully realize the capabilities of Office 365. Either way, you’ll see this screen within Azure upon completion of domain verification.

[Screenshot 2018-03-27 22.14.05]

Back in the Office 365 Admin Center however, you’ll notice that the domain says that it’s still being setup.

[Screenshot 2018-03-27 22.34.09]

Step 6 – Complete the setup of the domain by clicking on the line item associated with the domain name that has been verified by Microsoft Azure.

If I point my name servers for this domain through my registrar to be managed by Microsoft’s name servers, a lot of things just go away as Microsoft manages the domain for me at that point. If however I want to perform these configurations on my own because I have a complex DNS environment, I can do so by adding values similar to these (fairly standard; you simply replace “potatoe-cloud” with your DNS name):
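Steps 2 through 5 can also be driven from PowerShell, which is handy when you are setting up more than one domain or want the verification record in a form you can paste straight into your DNS zone. The script below is an added example, not from the original post: it uses the MSOnline module to list the tenant’s domains, add the new one, print the TXT record Microsoft expects, check public DNS for it with Resolve-DnsName, and only then ask Azure AD to confirm ownership. The domain name is the post’s “potatoe.cloud”; substitute one you control.

```powershell
# Added example (not from the original post): portal Steps 2-5 done with the MSOnline
# module (Install-Module MSOnline). Assumes you own $domain and can edit its DNS zone.
$domain = 'potatoe.cloud'   # domain from the post; replace with your own

Connect-MsolService

# Step 2 equivalent: what domains does the tenant already have, and are they verified?
Get-MsolDomain | Select-Object Name, Status, IsDefault, Authentication | Format-Table -AutoSize

# Step 3: register the domain (it starts Unverified) and fetch the TXT verification record.
if (-not (Get-MsolDomain -DomainName $domain -ErrorAction SilentlyContinue)) {
    New-MsolDomain -Name $domain | Out-Null
}
$txt = Get-MsolDomainVerificationDns -DomainName $domain -Mode DnsTxtRecord
Write-Output "Create this TXT record at your registrar, then wait for DNS to propagate:"
Write-Output ("  Name : {0}" -f $txt.Label)
Write-Output ("  Value: {0}" -f $txt.Text)
Write-Output ("  TTL  : {0}" -f $txt.Ttl)

# Step 4: look at what public resolvers actually return before asking Microsoft to check.
# This catches the cut-and-paste errors the post mentions without burning a verify attempt.
$published = Resolve-DnsName -Name $domain -Type TXT -ErrorAction SilentlyContinue |
             Where-Object { $_.Strings -contains $txt.Text }

# Step 5: once the record is visible, have Azure AD verify ownership.
if ($published) {
    Confirm-MsolDomain -DomainName $domain
    Get-MsolDomain -DomainName $domain | Select-Object Name, Status
} else {
    Write-Output "Verification TXT record not visible in public DNS yet; re-run this later."
}
```

Because the script only calls Confirm-MsolDomain after Resolve-DnsName sees the exact value, a typo in the record shows up as “not visible yet” on your side rather than as a verification failure in the portal, and you know the cause is the DNS entry and not propagation time.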

[Screenshot 2018-03-27 22.35.13]

After you’ve updated your DNS within your registrar, you’ll see something like this if you happen to have an incorrect record…

[Screenshot 2018-03-27 22.48.11]

In my case I accidentally had an extra character in there – simple cut and paste error. 😐

After making my corrections and verifying settings I received a nice note that all was configured and ready to go.

[Screenshot 2018-03-27 22.54.53]

From there, any new user I create within Office 365 will make use of the @potatoe.cloud domain name rather than the Tenant name.

Congrats on having your Office 365 email accounts, as well as user logins, now masked. I’d recommend learning how to set up and use Azure AD Connect so that you’re able to move forward with having your domain identities provisioned in Office 365 / Azure Active Directory to enhance your end users’ experience.

Remember – DNS isn’t that difficult. But it’s easy to mess up and also then make things more difficult.

Security and Compliance with Office 365

Have you signed up for Office 365 and are kicking the tires? Consider checking out some of the capabilities that you get with the Security and Compliance Portal within Office 365. How do you get there? If you head over to https://protection.office.com you’ll be prompted to log in with your Work ID. Once you’re in you’ll be able to configure components of your tenant for data loss prevention, in addition to many additional capabilities.

For a quick overview of capabilities, head on over to the overview available here:

https://support.office.com/en-us/article/overview-of-security-and-compliance-in-office-365-dcb83b2c-ac66-4ced-925d-50eb9698a0b2