de-DEen-GB
 
rss

Just can't get enough of IT

This blog is about mostly anything in IT. But the primary focuses are Microsoft Technologies like Exchange, Office 365, Azure and Cloud Security.

When you run software solutions that make use of TLS secured communication channels the applications need to have access to the certificate's private key. The private key is part of the certificate stored in the local certificate store of the computer. In most cases the software solution creates a new self-signed certificate and configures access rights appropriately.

When establishing TLS communication channels to external partners, the use of a public SSL/TLS certificate is a must have requirement.

The following step-by-step instructions describe how to assign Read permisson for the Email Security Solution Gateway NoSpamProxy. In this case the solution does not utilize a classic service account, but a so-called virtual service account. Virtual service accounts provide a much better access security when executing Windows services.

Step-by-Step Instructions

Step 1

Open the local computers certificate store using the MMC Snap-Ins.

 

Step 2

Select the certificate to use and open the context menu (right click).

SSL Certificate Conext Menu

Select Manage Private Keys to manage the private key permissions.

 

Step 3

Click Add and add the required service accounts.

In this case the virtual service accounts are part of the local computer entity. Select the local computer and not the Active Directory domain as source when searching accounts. Virtual accounts us the prefix NT Service.

Add the follow accounts to configure read access for NoSpamProxy.

NT Service\NetatworkMailGatewayIntranetRole
NT Service\NetatworkMailGatewayManagementService
NT Service\NetatworkMailGatewayGatewayRole
NT Service\NetatworkMailGatewayPrivilegedService

Add virtual service accounts

Click Check Names to verifiy the existence of the entered service accounts.

 

Step 4

When correctly resolved the accounts names are replaced by theis respective display names. Click OK to add the accounts. 

Resolved service accounts

 

Step 5

Configure read access for all added service accounts and click OK.

Configure read access

The software solution is now capable of accessing the private key of the certificate.

Link

 

 

Read More »

Office 365Problem

You can block an user from logging on to Office 365 by setting the BlockCredential attribute to $true.

Set-MsolUser -UserPrincipalName myuser@mcsmemail.de -BlockCredential $true

But the MSOL user attribute is reverted to $false, when ADD Connect synchonization cycle runs.

This happens, because the local Active Directory attribute accountEnabled is used to controll the BlockCredential attribute in Azure AD.

Solution

If your IT operation requires the ability to have enabled users in your local Active Directory infrastructure and you need to prevent logon to cloud services you need to prevent the accountEnabled attribute from being synchronized to Azure AD. This might not necessarily be a general requirement during normal operations, but might be useful while doing a Proof-of-Concept.

Just exclude the attribute from the Azure Active Directory connector in the Synchronization Service Manager.

Excluding the accountEnabled attribute from being synchronized with Azure AD

The following script disables all users excluding

  • Users following a specific naming pattern
  • Users listed in a string array
# Userfilter
$UserExceptions = ("Sync_SYNC01_add98768492f@mcsmemail.onmicrosoft.com","SPO-SRV-ACCOUNT@mcsmemail.de","SynchedAdmin@mcsmemail.de")

# Fetch synchronized users 
$DomainAccounts = Get-MsolUser -EnabledFilter EnabledOnly -MaxResults 5000 | Where-Object -Property LastDirSyncTime -ne $null

# Select synchronized users not following the pattern ADM*@mcsmemail.de (admin accounts in this case)
$DomainAccountsWithoutAdmins =  $DomainAccounts | Where-Object -Property UserPrincipalName -notlike "ADM*@mcsmemail.de"

# Exclude accounts listed in $UserExceptions
$DomainAccountsWithoutAdminsFiltered = $DomainAccountsWithoutAdmins | Where-Object -Property UserPrincipalName -NotIn $UserExceptions
 

# Now block cloud logon for all filtered users
ForEach ($User2Block in $DomainAccountsWithoutAdminsFiltered) {
  Write-Host ('Disabling User: {0}.UserPrincipalName)' -f $User2Block)
  Set-MsolUser -UserPrincipalName $User2Block.UserPrincipalName -BlockCredential $true
}

Enjoy Office 365.

 

 

 

Read More »