How to Enforce Multi-Factor Authentication for All Users of Your Office 365 Subscription

Multi-Factor Authentication (MFA) is a great security tool, and we always recommend it. Office 365 admins can enforce MFA for users, which means you can help protect anyone sharing your Office 365 business subscription.

To do this you’ll need to be an Office 365 administrator, which only happens with a business plan. If your Office 365 subscription comes as part of a domain hosting package, then you’ll have access to the Admin console. However, if you’ve just purchased a personal subscription (or home subscription for your family), then you won’t have access to the Admin console, and you can only turn MFA on for yourself. If you’re not sure, click the Office 365 app launcher and look for the Admin tile.

The Admin tile on the O365 app launcher

If it’s there, you’ve got access to the Admin console. Click the Admin tile, and on the menu on the left-hand side click Settings > Services and add-ins.

The "Services & add-ins" option in the Admin menu

This opens the Services and add-ins page, where you can make various tenant-level changes. One of the top items will be “Azure multi-factor authentication.”

The "Azure multi-factor authentication" option

Click this, and on the panel that opens on the right, click “Manage multi-factor authentication.”

The "Azure multi-factor authentication" link

This will take you to the multi-factor authentication page. You can immediately turn MFA on for anyone who is using your Office 365 subscription, but, before that it’s best to acquaint yourself with the default settings. To do this, click “Service Settings.”

The "service settings" tab

You can change whatever settings you like, or leave them as the defaults. One potential setting to look at changing is whether or not MFA can be remembered on a device. By default this is off, but turning it on means your family won’t have to go through the MFA process every time they want to check their email or edit a document.

If you switch this on, the default number of days a device can go before having to re-authenticate is 14, which means a phone/tablet/computer will be trusted for 14 days before the user has to go through the MFA process again. Having to go through the MFA process is simple, but having to do it every 2 weeks on every device that your family uses might still be a bit too much and you have the option to set this as high as 60 days.

If you do make any changes to this or any other settings, click “Save” at the bottom to the panel to save the changes, then click “users” to go back to turning on MFA.

The "service settings" options and the "users" tab

Now that you’ve made sure the settings are right, you can enable MFA for each user. Select the users for whom you want to turn MFA.

The users table with a selected user

To the right of the table of users, click the “Enable” option that appears.

The Enable option

On the confirmation screen, click “Enable Multi-Factor Authentication.”

The "enable multi-factor authentication" button

This will enable MFA for the user, and the next time they login to Office 365 on the web, they’ll have to go through a process of setting up MFA. If they don’t log in very often (or you want to make sure you’re around to help them through the process), you can also send them the link from the confirmation screen so that they can set up MFA at a time that suits them. The link is https://aka.ms/MFASetup, which is the same for everyone setting up MFA.

Once you’ve clicked “Enable Multi-Factor Authentication” you’ll see a success message, which you can close.

The "Updates successful" dialogue

MFA is now enabled for the user; now, they need to set it up. Whether they wait until the next time they login, or they use the link we mentioned above, the process for setting up MFA is exactly the same.

Login to your Office 365 account as normal, and a screen will be displayed telling you that “your organisation needs more information to keep your account secure.”

The start of the O365 login process

Click “Next” to be taken to the “Additional security verification” panel, where you can choose your MFA method. We always recommend using an authenticator app, and you’ll have to use Microsoft Authenticator with Office 365. Even using MFA via SMS is still better than not having MFA at all, so choose the method that works best for you in the first dropdown.

The "Additional security verification" panel

We’re going to use a mobile app, which will change the available configuration options. First you need to choose whether to”Receive notifications for verification” (which means a message will pop up on the Microsoft Authenticator app on your phone asking you to approve or deny a login to your account) or whether to “Use verification code” (which means you’ll have to enter a code generated by the Microsoft Authenticator app on your phone when you login to Office 365). Either works fine, and it’s up to you what you choose. After this, you need to click the “Set Up” button to set up the app.

Radio buttons to choose the contact method

At this point a panel will appear telling you to install the Microsoft Authenticator app on your phone and then either scan a QR code or, if you can’t scan the QR code, enter a code and URL instead. Once you’ve done this, click “Next” to go back to the Additional Security Verification window, which will show that the activation status is being checked.

The "Checking activation status" message

This may take a few seconds, and once it’s finished the message will change to show that MFA has been configured.

The successful MFA configuration message

Click Next, and Office 365 will check that everything is working. Depending on what option you selected for verification, it will either send a Deny or Approve message to your app, or ask you to enter a code from the app. In this example, it sent a Deny or Approve message and is waiting for a response.

A message displayed while waiting for you to respond to the test notification

After you’ve verified that MFA is working, you’ll be asked for a phone number in case you lose access to the app.

The mobile phone number text field

This phone number will be used as backup to use SMS or voice calls in the event that you can’t use the Microsoft Authenticator app, such as when you haven’t got Wi-Fi (or you’ve run out of data on your monthly plan, and you’re out and about). It could also be used if you’ve lost your phone, so you might want to choose the number of a family member instead of your own. Once you’ve entered a number, click “Next” to see the final screen.

The app passwordtext box, and Finished button

This page includes a Microsoft-generated password that it will recognize as being created for MFA use. You’ll need to use this password now on rather than the one you normally use, in all of the following apps:

  • Outlook desktop app for your PC or Mac
  • Email apps (except the Outlook app) on an iOS, Android or BlackBerry device
  • Office 2010, Office for Mac 2011 or earlier
  • Windows Essentials (Photo Gallery, Movie Maker, Mail)
  • Zune desktop app
  • Xbox 360
  • Windows Phone 8 or earlier

The next time you try to open any of these apps they’ll ask for your password, so copy it down from here and use it when asked. We can verify that Outlook on your computer needs to use the generated password but the Outlook app on your phone doesn’t, and yes, we find that odd as well, but it’s not a great hardship.

Click “Finished,” and you’ll be taken back to the login screen to login as normal, but this time using MFA. It’s a simple, quick process that provide a valuable layer of extra security, and one that we at How-To Geek strongly recommend.

Error: No-Start-Connection in AD Connect Export Sync

Getting this error while exporting the objects in AD Connect. You will also see the below result in Sync service.

image

 

Resolution:- To resolve this issue go to Connectors, go to the properties of the connector giving the above error, select “Connect to Active Directory Forest” option and provide the credentials to connect. Once this is successful then sync will start again.

How to put O365 mailbox on in-place hold using the Exchange Online powershell

In Exchange Server, In-Place Hold functionality is integrated with In-Place eDiscovery searches. You can use the In-Place eDiscovery & Hold wizard in the Exchange Administration Center (EAC) or the New-MailboxSearch and related cmdlets in Exchange Management Shell to place a mailbox on In-Place Hold.

Connect to Exchange online powershell and run the below command

New-MailboxSearch -Name “NameOfMailbox” -SourceMailboxes EmailAddress -ExcludeDuplicateMessages $True -InPlaceHoldEnabled $true -ItemHoldPeriod Number of Days -Description In-PlaceHoldDescription

 

Many organizations require that users be informed when they’re placed on hold. Additionally, when a mailbox is on hold, any retention policies applicable to the mailbox user don’t need to be suspended. Because messages continue to be deleted as expected, users may not notice they’re on hold. If your organization requires that users on hold be informed, you can add a notification message to the mailbox user’s Retention Comment property and use the RetentionUrl property to link to a web page for more information. Outlook 2010 and later displays the notification and URL in the backstage area. You must use the Shell to add and manage these properties for a mailbox.

Difference Between Azure AD Connect and Single Sign-On Options

Azure AD Connect offers customers a number of ways to enable a “Single Sign-On” (or SSO) experience for users. I think it is important to understand the differences in these options, so that when you deploy Azure AD Connect into customer environments, you can pick the right solution to suit the business needs.

Single Sign-On is an experience, wherein a single logon event (like logging into your local workstation) will automatically qualify you for login to other, disparate systems (e.g. Office 365)–in other words, you have all the tokens, exchanges and mechanisms in place that are needed just from your primary logon event. From the user’s perspective: after signing into the local Active Directory network on their workstation using a corporate email address, they might then open a web browser, point it at https://mail.office365.com, and automatically be signed into their Office 365 mailbox, without having to provide credentials a second time. This is (so to speak) a “true” SSO experience.

There are three primary methods we can use to achieve “true” SSO:

  1. Password Hash Synchronization with Seamless Single Sign-On enabled
  2. Pass-Through Authentication with Seamless Single Sign-On enabled
  3. Active Directory Federated Services

I am actually going to start with this last option, which was in fact, the original. Many early adopters of the 365 platform ended up with this type of configuration.

Pass-Through Authentication with Seamless SSO

Pass Through Authentication or PTA is the simplified cousin of AD FS. It works both very similarly, AND very differently from the above solution.

Similar to AD FS, it means that all logins rely on the local Active Directory for authentication and sign-in–we still have that same annoying dependency. However, because the cloud authentication takes place via the local Azure AD Connect service, and does not require a complex AD FS server infrastructure or SSL certificates, it might be preferred in some scenarios. You would still want the redundant ISP links, but there are no additional requirements. Therefore, if you are faced with the challenge of keeping passwords and authentication events on-premises, and the customer also wants to keep the complexity down with a lighter on-premises footprint, then PTA is your best option (be sure to also enable SSO in the AAD Connect configuration wizard when choosing this option).

Pass-Through Authentication with Seamless SSO

Pass Through Authentication or PTA is the simplified cousin of AD FS. It works both very similarly, AND very differently from the above solution.

Similar to AD FS, it means that all logins rely on the local Active Directory for authentication and sign-in–we still have that same annoying dependency. However, because the cloud authentication takes place via the local Azure AD Connect service, and does not require a complex AD FS server infrastructure or SSL certificates, it might be preferred in some scenarios. You would still want the redundant ISP links, but there are no additional requirements. Therefore, if you are faced with the challenge of keeping passwords and authentication events on-premises, and the customer also wants to keep the complexity down with a lighter on-premises footprint, then PTA is your best option (be sure to also enable SSO in the AAD Connect configuration wizard when choosing this option).

Active Directory Federated Services (AD FS)

With AD FS, you need to deploy an on-premises service called Active Directory Federated Services, and it’s best if you make this service highly available. In this configuration, passwords never leave the on-premises Active Directory.  When someone attempts to sign-in to the Azure AD application, there is a configuration bit in the tenant that says “I’m not in charge of authentication, I have to go check in with <insert corporate AD FS web address here>.” This is super cool for security and compliance, because all authentication attempts are still logged against the local Active Directory.

But it is super uncool for many small businesses, because it requires setup and installation of AD FS, which also means that the cloud-based applications are dependent on the local Active Directory. So, if the corporate internet connection is down, so is your email. Wait a minute… why did we move our email to the cloud again? To prevent this scenario, our design would need to include:

  1. Properly configured AD FS infrastructure with SSL Certificates
  2. At least 2x AD FS web servers on separate links/ISP’s for HA
  3. Planned recovery from total loss of this site/infrastructure

Not a popular option for these reasons (complexity + dependency).

There are a couple of other considerations that might come into play. Most notably, the only solution here that supports the on-premises Multifactor Authentication Server is (unfortunately) AD FS. It is still possible to enable MFA for cloud-based applications using Azure AD MFA provider with the other options, but you do not have the ability to bring MFA to your network locally, without AD FS. Just something to be aware of.  On the flip side, it is worth noting that Azure Identity Protection (which requires additional licensing, e.g. P2) is not compatible with AD FS (because the authentication attempts must happen against Azure AD for Azure ID Protection reports to work).

Another consideration that applies only to PHS w/ SSO enabled: there may be a delay between, for example, disabling an account on-premises, and having that change updated in the cloud (because AAD Connect only synchronizes every 30 minutes by default). Furthermore, users who have passwords synchronized to Azure AD will technically have their cloud passwords set to never expire, and the password policies that apply on-premises will control when they need to update their password–but it is enforced on-premises only. Therefore it is possible, for example, to sign-in to cloud-based resources, even if the password on-premises has expired, because until the user changes the on-premises password, the old value will not be overwritten in the cloud.

There may be other small differences, but these are the noticeable ones that matter most to small businesses. I have summarized all of these points into this table for ease of reference:

Error: Remote Server returned ‘550 5.2.11 RESOLVER.RST.SendSizeLimit.Sender; message too large for this sender’

Please check the message send/receive limit. You are sending message which is larger than the allowed limit.

Change message size limit using powershell.

How to Change maximum Office 365 attachment size with PowerShell

Change message size limit using admin center.

How To Change Office 365 Message Size Limit Using Web Console

 

Error: Your message wasn’t delivered to anyone because it’s too large.

Please check the message send/receive limit. You are sending message which is larger than the allowed limit.

Change message size limit using powershell.

How to Change maximum Office 365 attachment size with PowerShell

Change message size limit using admin center.

How To Change Office 365 Message Size Limit Using Web Console

 

How To Change Office 365 Message Size Limit Using Web Console

Change Office 365 Message Limit for one mailbox

Step 1. Open Exchange Admin

Once logged in to your Office 365 portal click on Admin on then left menu bar and then Exchange to open the Exchange Admin

Step 2. Open the Recipients Mailbox Properties

Click on Recipients in the left side bar, click on the Individual Mailbox and then click on the edit icon.

Step 3. Change the Message Size Limit

Click on Mailbox Features and then scroll down to Message Size Restrictions.  Click on View details

Step 4. Change the Maximum Message Size

Change the Maximum Message size up to a maximum of 150000KB for Sent and Received message

Office-365-Maximum-Message-Size-Limit

Change Office 365 Message Limit for All New Accounts

Step 1. Open Exchange Admin

Once logged in to your Office 365 portal click on Admin on then left menu bar and then Exchange to open the Exchange Admin

Step 2. Change the Default Message Size Limit

In the mailbox view click on the … and then click on Set Default Message Size Restrictions.

Office-365-Set-Default-Message-Size-Restrictions

Azure Active Directory Single Sign-On Using Azure Ad Connect

Azure Active Directory Seamless Single Sign-On: Quick start

Deploy Seamless Single Sign-On

Azure Active Directory (Azure AD) Seamless Single Sign-On (Seamless SSO) automatically signs in users when they are on their corporate desktops that are connected to your corporate network. Seamless SSO provides your users with easy access to your cloud-based applications without needing any additional on-premises components.

To deploy Seamless SSO, follow these steps.

Step 1: Check the prerequisites

Ensure that the following prerequisites are in place:

  • Set up your Azure AD Connect server: If you use Pass-through Authentication as your sign-in method, no additional prerequisite check is required. If you use password hash synchronization as your sign-in method, and if there is a firewall between Azure AD Connect and Azure AD, ensure that:
    • You use version 1.1.644.0 or later of Azure AD Connect.
    • If your firewall or proxy allows DNS whitelisting, whitelist the connections to the *.msappproxy.net URLs over port 443. If not, allow access to the Azure datacenter IP ranges, which are updated weekly. This prerequisite is applicable only when you enable the feature. It is not required for actual user sign-ins.

Note

Azure AD Connect versions 1.1.557.0, 1.1.558.0, 1.1.561.0, and 1.1.614.0 have a problem related to password hash synchronization. If you don’t intend to use password hash synchronization in conjunction with Pass-through Authentication, read the Azure AD Connect release notes to learn more.

  • Use a supported Azure AD Connect topology: Ensure that you are using one of Azure AD Connect’s supported topologies described here.

Note

Seamless SSO supports multiple AD forests, whether there are AD trusts between them or not.

  • Set up domain administrator credentials: You need to have domain administrator credentials for each Active Directory forest that:
    • You synchronize to Azure AD through Azure AD Connect.
    • Contains users you want to enable for Seamless SSO.
  • Enable modern authentication: You need to enable modern authentication on your tenant for this feature to work.
  • Use the latest versions of Office 365 clients: To get a silent sign-on experience with Office 365 clients (Outlook, Word, Excel, and others), your users need to use versions 16.0.8730.xxxx or above.

Step 2: Enable the feature

Enable Seamless SSO through Azure AD Connect.

If you’re doing a fresh installation of Azure AD Connect, choose the custom installation path. At the User sign-in page, select the Enable single sign on option.

Note

The option will be available for selection only if the Sign On method is Password Hash Synchronization or Pass-through Authentication.

clip_image002

If you already have an installation of Azure AD Connect, select the Change user sign-in page in Azure AD Connect, and then select Next. If you are using Azure AD Connect versions 1.1.880.0 or above, the Enable single sign on option will be selected by default. If you are using older versions of Azure AD Connect, select the Enable single sign on option.

clip_image004

Continue through the wizard until you get to the Enable single sign on page. Provide domain administrator credentials for each Active Directory forest that:

  • You synchronize to Azure AD through Azure AD Connect.
  • Contains users you want to enable for Seamless SSO.

After completion of the wizard, Seamless SSO is enabled on your tenant.

Note

The domain administrator credentials are not stored in Azure AD Connect or in Azure AD. They’re used only to enable the feature.

Follow these instructions to verify that you have enabled Seamless SSO correctly:

  1. Sign in to the Azure Active Directory administrative center with the global administrator credentials for your tenant.
  2. Select Azure Active Directory in the left pane.
  3. Select Azure AD Connect.
  4. Verify that the Seamless single sign-on feature appears as Enabled.

clip_image006

Important

Seamless SSO creates a computer account named AZUREADSSOACC (which represents Azure AD) in your on-premises Active Directory (AD) in each AD forest. This computer account is needed for the feature to work. Move the AZUREADSSOACC computer account to an Organization Unit (OU) where other computer accounts are stored to ensure that it is managed in the same way and is not deleted.

Step 3: Roll out the feature

You can gradually roll out Seamless SSO to your users using the instructions provided below. You start by adding the following Azure AD URL to all or selected users’ Intranet zone settings by using Group Policy in Active Directory:

  • https://autologon.microsoftazuread-sso.com

In addition, you need to enable an Intranet zone policy setting called Allow updates to status bar via script through Group Policy.

Note

The following instructions work only for Internet Explorer and Google Chrome on Windows (if it shares a set of trusted site URLs with Internet Explorer). Read the next section for instructions on how to set up Mozilla Firefox and Google Chrome on macOS.

Why do you need to modify users’ Intranet zone settings?

By default, the browser automatically calculates the correct zone, either Internet or Intranet, from a specific URL. For example, “http://contoso/” maps to the Intranet zone, whereas “http://intranet.contoso.com/” maps to the Internet zone (because the URL contains a period). Browsers will not send Kerberos tickets to a cloud endpoint, like the Azure AD URL, unless you explicitly add the URL to the browser’s Intranet zone.

There are two ways to modify users’ Intranet zone settings:

Option

Admin consideration

User experience

Group policy

Admin locks down editing of Intranet zone settings

Users cannot modify their own settings

Group policy preference

Admin allows editing on Intranet zone settings

Users can modify their own settings

“Group policy” option – Detailed steps

  1. Open the Group Policy Management Editor tool.
  2. Edit the group policy that’s applied to some or all your users. This example uses Default Domain Policy.
  3. Browse to User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page. Then select Site to Zone Assignment List.

clip_image008

  1. Enable the policy, and then enter the following values in the dialog box:
    • Value name: The Azure AD URL where the Kerberos tickets are forwarded.
    • Value (Data): 1 indicates the Intranet zone.The result looks like this:Value: https://autologon.microsoftazuread-sso.comData: 1

Note

If you want to disallow some users from using Seamless SSO (for instance, if these users sign in on shared kiosks), set the preceding values to 4. This action adds the Azure AD URL to the Restricted zone, and fails Seamless SSO all the time.

  1. Select OK, and then select OK again.

clip_image010

  1. Browse to User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone. Then select Allow updates to status bar via script.

clip_image011

  1. Enable the policy setting, and then select OK.

clip_image012

“Group policy preference” option – Detailed steps

  1. Open the Group Policy Management Editor tool.
  2. Edit the group policy that’s applied to some or all your users. This example uses Default Domain Policy.
  3. Browse to User Configuration > Preferences > Windows Settings > Registry > New > Registry item.

clip_image013

  1. Enter the following values in appropriate fields and click OK.
    • Key Path: Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\microsoftazuread-sso.com\autologon
    • Value name: https.
    • Value type: REG_DWORD.
    • Value data: 00000001.

clip_image014

clip_image015

  1. Browse to User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone. Then select Allow updates to status bar via script.

clip_image016

  1. Enable the policy setting, and then select OK.

clip_image017

Browser considerations

Mozilla Firefox (all platforms)

Mozilla Firefox doesn’t automatically use Kerberos authentication. Each user must manually add the Azure AD URL to their Firefox settings by using the following steps:

  1. Run Firefox and enter about:config in the address bar. Dismiss any notifications that you see.
  2. Search for the network.negotiate-auth.trusted-uris preference. This preference lists Firefox’s trusted sites for Kerberos authentication.
  3. Right-click and select Modify.
  4. Enter https://autologon.microsoftazuread-sso.com in the field.
  5. Select OK and then reopen the browser.

Safari (macOS)

Ensure that the machine running the macOS is joined to AD. Instructions for AD-joining your macOS device is outside the scope of this article.

Google Chrome (all platforms)

If you have overridden the AuthNegotiateDelegateWhitelist or the AuthServerWhitelist policy settings in your environment, ensure that you add Azure AD’s URL (https://autologon.microsoftazuread-sso.com) to them as well.

Google Chrome (macOS only)

For Google Chrome on Mac OS and other non-Windows platforms, refer to The Chromium Project Policy List for information on how to whitelist the Azure AD URL for integrated authentication.

The use of third-party Active Directory Group Policy extensions to roll out the Azure AD URL to Firefox and Google Chrome on Mac users is outside the scope of this article.

Known browser limitations

Seamless SSO doesn’t work in private browsing mode on Firefox and Edge browsers. It also doesn’t work on Internet Explorer if the browser is running in Enhanced Protected mode.

Step 4: Test the feature

To test the feature for a specific user, ensure that all the following conditions are in place:

  • The user signs in on a corporate device.
  • The device is joined to your Active Directory domain. The device doesn’t need to be Azure AD Joined.
  • The device has a direct connection to your domain controller (DC), either on the corporate wired or wireless network or via a remote access connection, such as a VPN connection.
  • You have rolled out the feature to this user through Group Policy.

To test the scenario where the user enters only the username, but not the password:

  • Sign in to https://myapps.microsoft.com/ in a new private browser session.

To test the scenario where the user doesn’t have to enter the username or the password, use one of these steps:

  • Sign in to https://myapps.microsoft.com/contoso.onmicrosoft.com in a new private browser session. Replace contoso with your tenant’s name.
  • Sign in to https://myapps.microsoft.com/contoso.com in a new private browser session. Replace contoso.com with a verified domain (not a federated domain) on your tenant.

Step 5: Roll over keys

In Step 2, Azure AD Connect creates computer accounts (representing Azure AD) in all the Active Directory forests on which you have enabled Seamless SSO. To learn more, see Azure Active Directory Seamless Single Sign-On: Technical deep dive.

Important

The Kerberos decryption key on a computer account, if leaked, can be used to generate Kerberos tickets for any user in its AD forest. Malicious actors can then impersonate Azure AD sign-ins for compromised users. We highly recommend that you periodically roll over these Kerberos decryption keys – at least once every 30 days.

For instructions on how to roll over keys, see Azure Active Directory Seamless Single Sign-On: Frequently asked questions. We are working on a capability to introduce automated roll over of keys.

Important

You don’t need to do this step immediately after you have enabled the feature. Roll over the Kerberos decryption keys at least once every 30 days.

How to connect to Exchange Online using Powershell

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $Cred -Authentication Basic -AllowRedirection

Set-ExecutionPolicy -ExecutionPolicy unrestricted

Import-PSSession $Session