Category: Cloud Blog

  • Migrating Devices from On-Prem Active Directory to Azure AD: A Step-by-Step Guide

    📋 Preparation Checklist:

    • Administrator Access:
      Ensure you have local administrator privileges on the device and permissions to join devices to your Azure AD tenant.
    • Backup Tools:
      Prepare external storage or a secure share for temporary backup of user data.

    🛠️ Step-by-Step Migration Process:

    1. Backup User Data

    Before making any changes to domain membership, back up critical user data:

    • Folders: Documents, Desktop, Downloads, Pictures
    • Browser Favorites and Passwords:
      Export bookmarks from Chrome, Edge, or Firefox.
      Backup or sync saved passwords if available.
    • Mapped Drives and Group Shares:
      Document connections if needed for re-mapping after migration.

    2. Disjoin Device from On-Premises Domain

    • Navigate to Settings > System > About > Domain or Workgroup settings.
    • Choose to Disconnect from the domain.
    • When prompted, join a Workgroup (e.g., WORKGROUP).
    • Important:
      Ensure you know the local administrator credentials before disjoining.

    Restart the device after disjoining.


    3. Join Device to Azure AD

    ✅ Two methods:

    GUI Method (Recommended):

    • Open Settings > Accounts > Access Work or School > Connect.
    • Select Join this device to Azure Active Directory.
    • Enter the user’s Azure AD email address and password.

    PowerShell Method (Optional for Advanced Users):

    dsregcmd /join

    (Additional setup like authentication context may apply.)

    Restart the device after joining.


    4. Confirm Azure AD Join Success

    Open PowerShell and run:

    dsregcmd /status

    ✅ Look for:

    • AzureAdJoined : YES
    • DomainJoined : NO (expected after leaving on-premises domain)

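    The "look for" check above, turned into a pass/fail script. This is an added example, not code from the original post: it parses the "Key : Value" lines that `dsregcmd /status` prints and evaluates the join state; the -Lines parameter is an assumption that lets you feed saved output instead of running the tool.

```powershell
# Added example, not from the original post. Parses `dsregcmd /status` and
# confirms the device is Azure AD joined and no longer domain joined.

function Get-DsregState {
    param(
        # Raw dsregcmd output; defaults to running the tool on this device.
        [string[]]$Lines = (& dsregcmd.exe /status)
    )
    $state = @{}
    foreach ($line in $Lines) {
        # Matches "   AzureAdJoined : YES"; section banners such as
        # "| Device State |" do not match and are skipped.
        if ($line -match '^\s*([A-Za-z0-9][A-Za-z0-9 ]*?)\s*:\s*(.*?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }
    return $state
}

function Test-AzureAdJoin {
    param([hashtable]$State = (Get-DsregState))

    # Expected values after a successful migration (see "Look for" above).
    # TenantId is written by the join and shows the device is bound to the tenant.
    $checks = [ordered]@{
        'AzureAdJoined is YES'  = ($State['AzureAdJoined'] -eq 'YES')
        'DomainJoined is NO'    = ($State['DomainJoined'] -eq 'NO')
        'TenantId is populated' = -not [string]::IsNullOrWhiteSpace($State['TenantId'])
    }
    $allPassed = $true
    foreach ($name in $checks.Keys) {
        if ($checks[$name]) { $mark = 'PASS' } else { $mark = 'FAIL'; $allPassed = $false }
        Write-Host ("[{0}] {1}" -f $mark, $name)
    }
    # AzureAdPrt only becomes YES after an Azure AD user has signed in (step 6),
    # so it is reported for information rather than treated as a failure here.
    Write-Host ("[INFO] AzureAdPrt = {0}" -f $State['AzureAdPrt'])
    return $allPassed
}

Test-AzureAdJoin
```

    Run it in an elevated PowerShell on the migrated device; a FAIL on DomainJoined usually means the device was never restarted after leaving the domain.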
    5. Restore User Data

    • Copy back Documents, Desktop, Downloads, and Pictures.
    • Restore browser favorites and re-import saved passwords.
    • Reconnect mapped drives, printers, or any network-based resources.

    6. User Login

    The user can now log in using their Azure AD email address and password.

    ✅ If Multi-Factor Authentication (MFA) is enabled, users should complete MFA registration during first login.


    7. Final Configuration

    • Verify mapped network drives.
    • Ensure printer connections are restored.
    • Test access to any business-critical applications.
    • Confirm OneDrive sync settings if applicable.

    🧠 Important Tips:

    • Double-check BitLocker status. If BitLocker is enabled, back up recovery keys before starting.
    • Some applications (like SolidWorks or AutoCAD) may require license reactivation post-migration.
    • Communicate expected login changes to users ahead of time to minimize confusion.

    🌟 Conclusion:

    Migrating from on-premises Active Directory to Azure AD doesn’t have to be stressful.
    With careful preparation — backing up data, ensuring admin access, and confirming every step — you can move endpoints securely and efficiently into the modern cloud ecosystem.

    Taking the time to handle each stage methodically ensures a smooth experience for both the IT team and end users alike.

    Stay ready. Stay secure. 🛡️

    © 2012–2025 Jet Mariano. All rights reserved.
    For usage terms, please see the Legal Disclaimer.

  • Building Strength for Any Opportunity: Five Pillars to Prepare Yourself

    In today’s fast-moving world, opportunities can appear when we least expect them.
    Whether it’s a job opening, a new project, or a chance to lead, how we prepare determines how we rise.

    Here are five key pillars to help anyone stay ready, resilient, and confident:


    🧠 1. Build a Clear Self-Story

    When opportunities come, be ready to introduce yourself with calm clarity.

    Focus on:

    • Who you are
    • What you specialize in
    • What unique value you bring
    • Why you’re passionate about growing and contributing

    Knowing your story strengthens your voice — and your direction.


    🛡️ 2. Think in Pillars, Not Panic

    When facing challenges (whether designing a system, a business, or a solution), anchor yourself on these five pillars:

    • Scalability — Can this grow without breaking?
    • Security — Is it protected from threats?
    • Availability — Will it stay reliable under pressure?
    • Monitoring — Can I see when things go wrong?
    • Recovery — Can I bring it back if disaster strikes?

    No matter the project or problem, thinking in pillars brings focus and confidence.


    🛠️ 3. Automate and Secure What You Build

    Whatever you create — systems, habits, workflows — build them with automation and security in mind.

    • Script and standardize repeatable steps.
    • Protect secrets and sensitive information.
    • Monitor what you’ve built so it stays healthy.

    Success isn’t just about starting strong — it’s about sustaining strength through discipline.


    ✍️ 4. Turn Mistakes into Upgrades

    Mistakes aren’t failures — they’re training.

    When things go wrong:

    • Stay calm.
    • Own the problem.
    • Fix it thoughtfully.
    • Strengthen the system so it doesn’t happen again.

    Each mistake, if treated right, becomes a foundation stone for bigger resilience.


    🔥 5. Lead with Calm Power

    Before stepping into any new opportunity, remind yourself:

    “I’m not seeking approval.
    I’m offering protection, innovation, and stability to the right people.”

    Confidence isn’t noise — it’s calm clarity.
    You don’t need to push yourself forward — your strength will naturally pull the right opportunities to you.


    🌟 Final Thought:

    Opportunity doesn’t knock when we beg for it.
    It finds those who are quietly building, strengthening, and preparing every day.

    Stay ready. Stay strong. Stay you. 🛡️

    Written by Jet Mariano
    Systems Engineer | Cloud Security Specialist | Creator of jetmariano.us


  • How to Create and Manage a Shared Mailbox in Microsoft 365 Using PowerShell

    Introduction

    A shared mailbox allows multiple users to send and receive emails from a common address, making collaboration easier for teams. This guide walks you through creating a shared mailbox, assigning permissions, and verifying settings using PowerShell.

    Using PowerShell provides faster and more efficient management, especially when handling multiple mailboxes.


    🔹 Step 1: Connect to Microsoft 365 PowerShell

    Before creating the shared mailbox, connect to Exchange Online.

    Run the following command:

    Connect-ExchangeOnline -UserPrincipalName [email protected]

    📌 Replace [email protected] with your admin account email.


    🔹 Step 2: Create the Shared Mailbox

    Use this PowerShell command to create a shared mailbox:

    New-Mailbox -Shared -Name "TeamMailbox" -DisplayName "Team Shared Mailbox" -PrimarySmtpAddress "[email protected]"

    📌 Replace "TeamMailbox" and "[email protected]" with your preferred mailbox name and email address.


    🔹 Step 3: Assign Permissions

    Once the mailbox is created, grant access to specific users.

    Grant Full Access (Allows users to manage the mailbox)

    Add-MailboxPermission -Identity "[email protected]" -User "[email protected]" -AccessRights FullAccess -InheritanceType All

    Grant Send As Permission (Allows users to send emails from the shared mailbox)

    Add-RecipientPermission -Identity "[email protected]" -Trustee "[email protected]" -AccessRights SendAs -Confirm:$false

    📌 Replace "[email protected]" with the email of the user who needs access.


    🔹 Step 4: Verify the Shared Mailbox and Permissions

    Once configured, verify that the mailbox exists and has the correct settings.

    Check Mailbox Details

    Get-Mailbox -Identity "[email protected]" | Format-List DisplayName,PrimarySmtpAddress,RecipientTypeDetails

    List Users with Full Access

    Get-MailboxPermission -Identity "[email protected]" | Where-Object { $_.AccessRights -eq "FullAccess" -and $_.User -notlike "NT AUTHORITY\SELF" } | Select-Object User,AccessRights

    List Users with Send As Permission

    Get-RecipientPermission -Identity "[email protected]" | Where-Object { $_.AccessRights -eq "SendAs" } | Select-Object Trustee,AccessRights

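    Steps 3 and 4 combined into a repeatable script. This is an added example, not the post's own code: it grants the FullAccess + SendAs pair to several users at once, skips users who already hold a right, and produces a per-principal access report so over-broad delegation is easy to spot. It assumes Connect-ExchangeOnline has already been run; the function names and the -AutoMapping choice are the example's own.

```powershell
# Added example, not from the original post. Idempotent delegation of a shared
# mailbox plus an access report for periodic review.

function Grant-SharedMailboxAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Mailbox,
        [Parameter(Mandatory)][string[]]$Users
    )
    # Snapshot current holders so re-running the script does not duplicate grants.
    $existingFull   = @((Get-MailboxPermission   -Identity $Mailbox |
                         Where-Object { $_.AccessRights -contains 'FullAccess' }).User)
    $existingSendAs = @((Get-RecipientPermission -Identity $Mailbox |
                         Where-Object { $_.AccessRights -contains 'SendAs' }).Trustee)

    foreach ($user in $Users) {
        if ($existingFull -notcontains $user -and
            $PSCmdlet.ShouldProcess($Mailbox, "Grant FullAccess to $user")) {
            # -AutoMapping $false keeps Outlook from silently attaching the mailbox
            # to every delegate's profile; users add it when they need it.
            Add-MailboxPermission -Identity $Mailbox -User $user -AccessRights FullAccess `
                -InheritanceType All -AutoMapping $false | Out-Null
        }
        if ($existingSendAs -notcontains $user -and
            $PSCmdlet.ShouldProcess($Mailbox, "Grant SendAs to $user")) {
            Add-RecipientPermission -Identity $Mailbox -Trustee $user -AccessRights SendAs `
                -Confirm:$false | Out-Null
        }
    }
}

function Get-SharedMailboxAccessReport {
    param([Parameter(Mandatory)][string]$Mailbox)
    # Explicit (non-inherited) FullAccess holders, excluding the mailbox itself.
    $full = Get-MailboxPermission -Identity $Mailbox |
        Where-Object { $_.AccessRights -contains 'FullAccess' -and -not $_.IsInherited -and
                       $_.User -ne 'NT AUTHORITY\SELF' } |
        ForEach-Object { [pscustomobject]@{ Mailbox = $Mailbox; Principal = $_.User;    Right = 'FullAccess' } }
    $sendAs = Get-RecipientPermission -Identity $Mailbox |
        Where-Object { $_.AccessRights -contains 'SendAs' -and $_.Trustee -ne 'NT AUTHORITY\SELF' } |
        ForEach-Object { [pscustomobject]@{ Mailbox = $Mailbox; Principal = $_.Trustee; Right = 'SendAs' } }
    @($full) + @($sendAs) | Sort-Object Principal, Right
}

# Usage (placeholder addresses): preview with -WhatIf, then apply and report.
Grant-SharedMailboxAccess -Mailbox 'team@example.com' -Users 'alice@example.com','bob@example.com' -WhatIf
Get-SharedMailboxAccessReport -Mailbox 'team@example.com' | Format-Table -AutoSize
```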
    🔹 Step 5: Confirm the Shared Mailbox in Microsoft 365

    You can also check the mailbox in Microsoft 365 Admin Center:

    1️⃣ Sign in to Microsoft Admin Center.
    2️⃣ Go to Exchange Admin Center > Recipients > Shared.
    3️⃣ Locate the mailbox and confirm the settings.


    🚀 Conclusion

    By following these steps, you can create, manage, and verify a shared mailbox using PowerShell.

    • No license required
    • Centralized team email management
    • Easier collaboration

    💬 How do you manage shared mailboxes in your organization? Share your best practices in the comments below! ⬇️


  • Managing VMware with PowerCLI: Essential PowerShell Commands

    Introduction

    VMware PowerCLI is a powerful tool that allows administrators to manage VMware environments using PowerShell. Whether you need to create virtual machines, check resource usage, or troubleshoot storage capacity, PowerCLI provides a streamlined approach to VMware management. Below is a guide to setting up PowerCLI and using essential commands for day-to-day VMware administration.


    Step 1: Install and Import VMware PowerCLI

    Before running VMware-related PowerShell commands, ensure that VMware PowerCLI is installed on your system.

    Install-Module -Name VMware.PowerCLI -Scope CurrentUser -Force

    After installation, import the module:

    Import-Module VMware.PowerCLI

    If you encounter SSL/TLS certificate warnings while connecting, configure PowerCLI to ignore invalid certificates:

    Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -Confirm:$false

    Step 2: Connect to vCenter Server

    To manage your VMware environment, you need to authenticate with vCenter:

    Connect-VIServer -Server <Your-VCenter-Server> -User <Your-Admin-User> -Password '<Your-Password>'

    Once connected, you can retrieve information about your virtual infrastructure.


    Step 3: List VMware Hosts

    To view all available VMware hosts:

    Get-VMHost

    This provides a list of all ESXi hosts, their connection status, and available resources.


    Step 4: Retrieve Virtual Machines

    To get a list of all VMs in the environment:

    Get-VM

    For details of a specific VM:

    Get-VM -Name <VM-Name>

    Step 5: Checking vSAN Datastore Usage

    One common challenge in VMware environments is monitoring vSAN datastore usage. To check storage space:

    Get-VsanSpaceUsage -Cluster <Your-Cluster-Name>

    To calculate the percentage of used space, run:

    $vsanUsage = Get-VsanSpaceUsage -Cluster <Your-Cluster-Name>
    $usedPercentage = 100 - (($vsanUsage.FreeSpaceGB / $vsanUsage.CapacityGB) * 100)
    "vSAN Datastore is currently {0:N2}% full" -f $usedPercentage

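    The same percentage calculation, extended to every vSAN-enabled cluster with a warning threshold. This is an added example, not the post's own code; it also authenticates with Get-Credential rather than a password on the command line (as in Step 2), so the password never lands in shell history. The vCenter hostname and the 80% threshold are placeholders.

```powershell
# Added example, not from the original post. Reports vSAN capacity for all
# vSAN clusters and flags those above a chosen used-percentage threshold.

function Get-VsanCapacityReport {
    param(
        [int]$WarnAtPercentUsed = 80   # assumption; tune to your own capacity policy
    )
    # Only clusters with vSAN enabled expose space usage.
    foreach ($cluster in (Get-Cluster | Where-Object { $_.VsanEnabled })) {
        $usage   = Get-VsanSpaceUsage -Cluster $cluster
        $usedPct = 100 - (($usage.FreeSpaceGB / $usage.CapacityGB) * 100)
        [pscustomobject]@{
            Cluster     = $cluster.Name
            CapacityGB  = [math]::Round($usage.CapacityGB, 1)
            FreeGB      = [math]::Round($usage.FreeSpaceGB, 1)
            UsedPercent = [math]::Round($usedPct, 2)
            Status      = if ($usedPct -ge $WarnAtPercentUsed) { 'WARN' } else { 'OK' }
        }
    }
}

# Prompt for credentials instead of passing -Password in clear text.
$cred = Get-Credential -Message 'vCenter administrator account'
Connect-VIServer -Server 'vcenter.example.local' -Credential $cred | Out-Null
try {
    Get-VsanCapacityReport -WarnAtPercentUsed 80 | Format-Table -AutoSize
}
finally {
    # Always drop the session, even if the report fails.
    Disconnect-VIServer -Server '*' -Confirm:$false
}
```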
    Step 6: Creating a New Virtual Machine

    If you need to create a new VM:

    New-VM -Name <VM-Name> -VMHost <Host-Name> -Datastore <Datastore-Name> -DiskGB 50 -MemoryGB 4 -NumCPU 2

    This command creates a VM with a 50 GB disk, 4 GB RAM, and 2 CPUs.


    Step 7: Cloning an Existing Virtual Machine

    To create a clone of an existing VM:

    New-VM -Name <New-VM-Name> -VM <Source-VM-Name> -Datastore <Datastore-Name> -VMHost <Target-Host>

    Step 8: Managing VM Power States

    To power on a VM:

    Start-VM -VM <VM-Name>

    To shut down a VM:

    Stop-VM -VM <VM-Name> -Confirm:$false

    To restart a VM:

    Restart-VM -VM <VM-Name> -Confirm:$false

    Step 9: Deleting a Virtual Machine

    If a VM is no longer needed, you can remove it permanently:

    Remove-VM -VM <VM-Name> -DeletePermanently -Confirm:$false

    Step 10: Checking for Leftover Files in vSAN

    Even after deleting a VM, some files may remain in the datastore. You can check for orphaned files:

    $ds = Get-Datastore -Name <Datastore-Name>
    New-PSDrive -Name ds -PSProvider VimDatastore -Root "\" -Location $ds | Out-Null
    Get-ChildItem -Path ds:\ -Recurse | Where-Object { $_.Name -like "*<VM-Name>*" }

    To manually remove leftover files:

    Remove-Item -Path "vmstore:\<Datastore-Name>\FolderName\<VM-Name>.vmdk" -Confirm:$false

    Final Thoughts

    Using PowerCLI to manage VMware environments improves efficiency and automation. Whether you need to monitor vSAN usage, create new VMs, or automate backups, PowerCLI provides a flexible solution. Keep this guide handy for reference as you work with VMware environments.

    Have any useful PowerCLI commands that you frequently use? Share them in the comments below! 🚀


  • How to Investigate and Secure a Compromised Microsoft 365 Account After a Phishing Attack

    Introduction

    Phishing attacks are one of the most common cybersecurity threats that IT administrators face. A single click on a malicious email link can lead to credential theft, data exfiltration, or malware infections.

    This guide provides a step-by-step approach to investigating and securing a potentially compromised account in Microsoft 365 using PowerShell and the Microsoft Security Portal.


    🔹 Immediate Response: Disconnect & Secure the Affected Computer

    Before investigating, act fast to prevent further damage:

    1️⃣ Shut down the compromised computer immediately.
    2️⃣ Disconnect from the network (unplug Ethernet, disable Wi-Fi).
    3️⃣ Reset the password for the affected user.
    4️⃣ Revoke all active sessions to log out any potential attacker.

    PowerShell Command to Revoke Sessions:

    Revoke-AzureADUserAllRefreshToken -ObjectId "[email protected]"

    Reset MFA to Prevent Unauthorized Re-Login:

    Reset-MsolStrongAuthenticationMethodByUpn -UserPrincipalName "[email protected]"

    🔹 Step 1: Check for Unauthorized Sign-ins in Azure AD

    Use Azure AD Sign-in Logs to check for suspicious login attempts.

    PowerShell Command to Retrieve Sign-in Logs:

    Connect-AzureAD
    Get-AzureADAuditSignInLogs -Filter "status/errorCode ne '0'"

    Alternative:

    🔍 Red Flags:

    🚩 Logins from unexpected locations or devices
    🚩 Multiple failed MFA attempts
    🚩 Impossible travel scenarios (e.g., two logins from different continents within minutes)


    🔹 Step 2: Investigate Phishing Emails Across the Organization

    If an attacker sent phishing emails to multiple employees, run a Compliance Search to identify all affected mailboxes.

    PowerShell Command to Search All Mailboxes for Suspicious Emails:

    New-ComplianceSearch -Name "CompanyPhishingScan" -ExchangeLocation All -ContentMatchQuery 'has:attachment OR has:link'
    Start-ComplianceSearch -Identity "CompanyPhishingScan"

    Check Results:

    Get-ComplianceSearch -Name "CompanyPhishingScan" | Select Name, Status, Items

    If Phishing Emails Are Found, Remove Them:

    New-ComplianceSearchAction -SearchName "CompanyPhishingScan" -Purge -PurgeType SoftDelete

    🚨 Use HardDelete only if emails must be permanently removed.


    🔹 Step 3: Check & Remove Hidden Forwarding Rules

    Attackers often set up automatic forwarding to steal emails.

    Check for Forwarding Rules:

    Get-Mailbox -Identity "[email protected]" | Select ForwardingAddress, ForwardingSmtpAddress

    Disable Auto-Forwarding if Found:

    Set-Mailbox -Identity "[email protected]" -ForwardingAddress $null -ForwardingSmtpAddress $null

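    The Get-Mailbox check above covers mailbox-level forwarding only; attackers also hide forwarding inside inbox rules, which that check does not show. The following is an added example, not the post's own code: it scans user mailboxes for rules that forward, redirect or delete mail and lets you disable (rather than delete) a flagged rule so it remains available as evidence. It assumes an open Exchange Online session; the folder-name heuristic and function names are the example's own.

```powershell
# Added example, not from the original post. Audit inbox rules for forwarding,
# redirection and deletion, then disable flagged rules after review.

function Get-SuspiciousInboxRule {
    [CmdletBinding()]
    param(
        # One mailbox to check; omit to scan every user mailbox.
        [string]$Identity
    )
    $mailboxes = if ($Identity) { Get-Mailbox -Identity $Identity }
                 else { Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox }

    foreach ($mbx in $mailboxes) {
        foreach ($rule in (Get-InboxRule -Mailbox $mbx.UserPrincipalName)) {
            $flags = @()
            if ($rule.ForwardTo)             { $flags += 'ForwardTo' }
            if ($rule.ForwardAsAttachmentTo) { $flags += 'ForwardAsAttachmentTo' }
            if ($rule.RedirectTo)            { $flags += 'RedirectTo' }
            if ($rule.DeleteMessage)         { $flags += 'DeleteMessage' }
            # Rules that bury replies in rarely-read folders hide the attacker's
            # correspondence from the real user; the folder list is a heuristic.
            if ($rule.MoveToFolder -match 'RSS|Junk|Deleted|Conversation History') {
                $flags += 'MoveToHiddenFolder'
            }
            if ($flags.Count -eq 0) { continue }

            [pscustomobject]@{
                Mailbox  = $mbx.UserPrincipalName
                RuleId   = $rule.Identity
                RuleName = $rule.Name
                Enabled  = $rule.Enabled
                Flags    = $flags -join ','
                Targets  = (@($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)) -join '; '
            }
        }
    }
}

function Disable-SuspiciousInboxRule {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)][pscustomobject]$Finding)
    process {
        # Disable, not Remove: the rule definition is evidence for the investigation.
        if ($PSCmdlet.ShouldProcess("$($Finding.Mailbox) rule '$($Finding.RuleName)'", 'Disable-InboxRule')) {
            Disable-InboxRule -Mailbox $Finding.Mailbox -Identity $Finding.RuleId -Confirm:$false
        }
    }
}

# Review the findings first, then disable once confirmed with the user.
Get-SuspiciousInboxRule | Format-Table -AutoSize
# Get-SuspiciousInboxRule -Identity 'user@example.com' | Disable-SuspiciousInboxRule -WhatIf
```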
    🔹 Step 4: Scan the Compromised Computer Before Reconnecting

    Since a phishing link was clicked, scan the system for malware before reconnecting to the network.

    Offline Windows Defender Scan:

    Start-MpScan -ScanType FullScan

    If Threats Are Found, Remove Them:

    Remove-MpThreat

    For a Deep Rootkit Scan, Use Windows Defender Offline:

    Start-MpWDOScan

    ✅ This will restart the system and scan before Windows boots.


    🔹 Step 5: Implement Long-Term Protection Measures

    Enable Safe Links & Safe Attachments in Microsoft Defender

    • Safe Links: Blocks phishing links before users click them.
    • Safe Attachments: Scans email attachments for malware before delivery.

    Enable Safe Links Policy:

    Set-SafeLinksPolicy -Identity "Default" -EnableSafeLinks $true -TrackClicks $true

    Enable Safe Attachments Policy:

    Set-SafeAttachmentPolicy -Identity "Default" -Enable $true -Action Block

    ✅ Educate Users on Phishing Awareness

    🔹 Enable the “Report Message” button in Outlook so employees can easily flag suspicious emails.
    🔹 Train employees to recognize phishing emails:
    ✔ Unexpected links
    ✔ Urgent language
    ✔ Sender impersonation


    🚀 Final Wrap-Up: Is the Account and System Secure?

    • Account fully secured: No unauthorized logins, MFA reset, all active sessions revoked.
    • Email threats removed: No phishing emails remain in any mailbox.
    • PC scanned and clean: No malware detected before reconnecting.
    • Long-term protections enabled: Safe Links, Safe Attachments, user education.

    By following these steps, IT admins can quickly contain and prevent phishing incidents in Microsoft 365! 🚀


    💬 What’s Next?

    How does your organization handle phishing attacks? Share your best practices in the comments below! ⬇️


  • Why Is Azure Cloud Shell Better?

    If you’re an IT professional or cloud enthusiast, you’ve likely used PowerShell to manage Azure resources. But did you know there’s a better way? Azure Cloud Shell offers a streamlined, cloud-based command-line experience that makes managing Azure easier than ever.


    🚀 What is Azure Cloud Shell?

    Azure Cloud Shell is a browser-based command-line tool that lets you manage Azure resources without the need to install or configure anything on your local machine. It supports both PowerShell and Bash, giving you flexibility depending on your workflow.


    🔥 Why Use Azure Cloud Shell Over Local PowerShell?

    • Pre-installed Azure Modules – No need to manually install or update Az PowerShell modules.
    • Persistent Environment – Your session and files persist across devices.
    • Works on Any OS – Since it’s browser-based, you can use it on Windows, Mac, or Linux.
    • Built-in Authentication – No need to repeatedly sign in to Azure.
    • Seamless Access to Azure Resources – Direct integration with your Azure subscriptions.
    • Supports Both Bash & PowerShell – Choose the scripting environment that works best for you.


    🔎 How to Access Azure Cloud Shell

    1. Go to the Azure Portal: Open portal.azure.com.
    2. Locate the Cloud Shell Icon: Look for the PowerShell logo (or the Bash icon) at the top-right of the screen.
    3. Click to Launch: This will open a terminal at the bottom of the Azure Portal.
    4. Sign In with Your Credentials: If prompted, sign in to Azure.
    5. Authenticate: If needed, go to Microsoft Device Login and enter the code displayed.

    🔧 Basic Azure Cloud Shell Commands to Get Started

    🔹 Check Your Active Subscription

    Get-AzContext  # Displays your current subscription

    🔹 List All Azure Subscriptions

    Get-AzSubscription  # Shows all available subscriptions

    🔹 List All Resource Groups

    Get-AzResourceGroup  # Displays all resource groups in your active subscription

    🔹 List All Virtual Machines

    Get-AzVM  # Lists all VMs in your subscription

    🔹 Check Azure AD Users

    Get-AzADUser -First 10  # Retrieves the first 10 users in Azure AD

    🔹 Manage Storage Accounts

    Get-AzStorageAccount  # Lists all storage accounts in your subscription

    Why IT Admins Love Azure Cloud Shell

    Azure Cloud Shell makes it easier to manage Azure environments without worrying about PowerShell version mismatches or module updates. It’s accessible from anywhere, even on a mobile device, making it a go-to tool for IT admins who need quick access to their cloud resources.


    💡 Final Thoughts

    If you’re still using local PowerShell to manage Azure, it’s time to upgrade your workflow. Azure Cloud Shell offers convenience, security, and efficiency—all without the hassle of local configurations.

    Try it today and take your Azure management to the next level! 🚀

  • Removing Pending Updates on Windows 10 and Windows 11

    Windows updates can sometimes cause issues, especially when they force restarts or interfere with applications. This guide will show you how to remove pending updates to prevent Windows from installing them. These steps apply to both Windows 10 and Windows 11.

    Step 1: Stop Windows Update Services

    Before removing pending updates, you need to stop the Windows Update service.

    Open Command Prompt (Admin) and run:

    net stop wuauserv
    net stop bits
    net stop cryptsvc

    Step 2: Delete Pending Updates

    Once the services are stopped, delete the update files stored in SoftwareDistribution and WinSxS.

    Command Prompt Method:

    del /f /s /q C:\Windows\SoftwareDistribution\DataStore\*
    del /f /s /q C:\Windows\SoftwareDistribution\Download\*
    del /f /s /q C:\Windows\WinSxS\pending.xml

    PowerShell Method:

    Remove-Item -Path "C:\Windows\SoftwareDistribution\DataStore\*" -Force -Recurse
    Remove-Item -Path "C:\Windows\SoftwareDistribution\Download\*" -Force -Recurse
    Remove-Item -Path "C:\Windows\WinSxS\pending.xml" -Force

    If access is denied to pending.xml, take ownership and modify permissions first:

    takeown /f C:\Windows\WinSxS\pending.xml /A
    icacls C:\Windows\WinSxS\pending.xml /grant Administrators:F

    Then, retry deleting the file.

    Step 3: Restart Windows Update Services

    Once files are deleted, restart the Windows Update services:

    net start wuauserv
    net start bits
    net start cryptsvc

    Windows 11 Extra Step

    On Windows 11, Tamper Protection in Windows Security may prevent modification of update files. If you encounter issues:

    1. Open Windows Security
    2. Navigate to Virus & Threat Protection > Manage Settings
    3. Disable Tamper Protection temporarily
    4. Follow the steps above and re-enable it after removal.

    Conclusion

    By following these steps, you can effectively remove pending Windows updates, preventing them from being installed. This is particularly useful for IT professionals managing production-critical systems.

  • How to Remove RDP Sessions Using CMD and PowerShell

    Introduction

    In IT administration, managing Remote Desktop Protocol (RDP) sessions is essential to maintain system security and performance. Whether you need to log off a disconnected session or forcefully remove an active session, using Command Prompt (CMD) or PowerShell can streamline the process. This guide will walk you through the methods to list, disconnect, and remove RDP sessions.


    Step 1: List Active RDP Sessions

    Before removing a session, you need to check which users are currently logged in. Run the following command in CMD:

    query session /server:localhost

    This will display all active and disconnected sessions along with their IDs.

    Alternatively, in PowerShell, use:

    qwinsta /server:localhost

    Both commands provide the session ID required to log off a user.


    Step 2: Log Off an RDP Session

    Once you have the session ID, you can log off a user session using CMD:

    logoff <SessionID> /server:localhost

    Example:

    logoff 2 /server:localhost

    This will terminate session ID 2.

    In PowerShell, use:

    rwinsta <SessionID>

    Example:

    rwinsta 2

    This will remove session ID 2 from the system.

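    Steps 1 and 2 as a script that only logs off sessions that deserve it. This is an added example, not the post's own code: it uses `query user`, which lists the same session IDs as `query session` plus each session's idle time, parses that output into objects, and logs off disconnected sessions that have been idle longer than a threshold. The sample output in the block is constructed; the idle threshold is an assumption.

```powershell
# Added example, not from the original post. Parse `query user` output and log
# off disconnected RDP sessions that exceed an idle threshold.

function ConvertTo-IdleMinutes {
    # quser prints idle time as "none", ".", "45" (minutes), "1:30" (h:mm)
    # or "2+03:15" (days+hh:mm).
    param([string]$Idle)
    switch -Regex ($Idle) {
        '^(none|\.)$'          { return 0 }
        '^(\d+)\+(\d+):(\d+)$' { return [int]$matches[1] * 1440 + [int]$matches[2] * 60 + [int]$matches[3] }
        '^(\d+):(\d+)$'        { return [int]$matches[1] * 60 + [int]$matches[2] }
        '^\d+$'                { return [int]$Idle }
        default                { return 0 }
    }
}

function Get-RdpSession {
    param(
        [string]$Server = 'localhost',
        # Raw `query user` lines; pass saved output here to parse it offline.
        [string[]]$Lines = (query user /server:$Server 2>$null)
    )
    # Columns: USERNAME SESSIONNAME ID STATE IDLE LOGON. SESSIONNAME is blank for
    # disconnected sessions, so the regex makes it optional rather than
    # splitting on fixed columns. A leading ">" marks the current session.
    $pattern = '^\s*>?(?<user>\S+)\s+(?<session>\S+)?\s+(?<id>\d+)\s+(?<state>\w+)\s+(?<idle>\S+)\s+(?<logon>.+)$'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                UserName    = $matches.user
                SessionName = $matches.session
                Id          = [int]$matches.id
                State       = $matches.state
                IdleMinutes = ConvertTo-IdleMinutes $matches.idle
                LogonTime   = $matches.logon.Trim()
            }
        }
    }
}

function Remove-StaleRdpSession {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$Server = 'localhost',
        [int]$IdleMinutes = 120      # assumption; set per your session policy
    )
    $stale = Get-RdpSession -Server $Server |
        Where-Object { $_.State -eq 'Disc' -and $_.IdleMinutes -ge $IdleMinutes }
    foreach ($s in $stale) {
        if ($PSCmdlet.ShouldProcess("$($s.UserName) (session $($s.Id))", 'logoff')) {
            logoff $s.Id /server:$Server
        }
    }
}

# Constructed sample of `query user` output to exercise the parser offline.
$sample = @(
    ' USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME'
    '>admin                 console             1  Active      none   1/2/2025 9:00 AM'
    ' jsmith                                    2  Disc       3:05   1/2/2025 7:10 AM'
    ' svc-backup            rdp-tcp#4           3  Active        12   1/2/2025 8:45 AM'
)
Get-RdpSession -Lines $sample | Format-Table -AutoSize
# Preview what would be logged off on this host without touching anything:
# Remove-StaleRdpSession -IdleMinutes 120 -WhatIf
```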

    Step 3: Forcefully Remove a Stuck RDP Session

    If a session does not close properly, use this CMD command:

    taskkill /F /IM mstsc.exe

    This will forcefully terminate all remote desktop connections.

    In PowerShell, use:

    Stop-Process -Name mstsc -Force

    This achieves the same result.


    Conclusion

    Managing RDP sessions efficiently helps prevent resource exhaustion and unauthorized access. By using CMD or PowerShell, IT admins can quickly remove inactive or unresponsive RDP sessions, ensuring smooth operations. Bookmark these commands for future reference!

  • Mastering AZ-104: Essential Labs, PowerShell, and Tricky Concepts

    Introduction

    Passing the AZ-104: Microsoft Azure Administrator exam requires hands-on experience with Azure services. This guide provides essential labs, PowerShell/CLI commands, and explanations of tricky concepts to help you prepare efficiently.


    1️⃣ Compute (Virtual Machines & Availability)

    Lab: Deploy a VM using PowerShell

    New-AzVM -ResourceGroupName "TestRG" -Name "JetVM" -Location "EastUS" -Size "Standard_B2s" -Credential (Get-Credential)

    Key Concepts:

    • VM Backup & Disaster Recovery → Use Azure Backup Vault.
    • High Availability → Deploy VMs in Availability Zones.

    2️⃣ Networking (VNETs, NSGs, VPNs, Peering)

    Lab: Create a Virtual Network with Subnets and an NSG

    New-AzVirtualNetwork -ResourceGroupName "TestRG" -Name "JetVNet" -Location "EastUS" -AddressPrefix "10.1.0.0/16"

    Key Concepts:

    • VNet Peering vs VPN Gateway:
      • VNet Peering → Low latency, same region.
      • VPN Gateway → Cross-region, IPSec tunnels.

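    The lab title above promises subnets and an NSG but the command only creates the VNet. The following is an added example, not the post's own code, that completes it: two subnets, and an NSG that blocks RDP (TCP 3389) from the Internet while still allowing it from inside the VNet, followed by a verification query. Resource names and prefixes reuse the post's or are assumed.

```powershell
# Added example, not from the original post. VNet with two subnets and an NSG
# that denies inbound RDP from the Internet.

$rg  = 'TestRG'
$loc = 'EastUS'

# Rules are evaluated lowest priority number first. Both rules are explicit so
# the behaviour does not depend on the built-in default rules.
$rules = @(
    New-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-From-VNet' -Priority 100 `
        -Direction Inbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix VirtualNetwork -SourcePortRange * `
        -DestinationAddressPrefix * -DestinationPortRange 3389
    New-AzNetworkSecurityRuleConfig -Name 'Deny-RDP-From-Internet' -Priority 110 `
        -Direction Inbound -Access Deny -Protocol Tcp `
        -SourceAddressPrefix Internet -SourcePortRange * `
        -DestinationAddressPrefix * -DestinationPortRange 3389
)
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $loc -Name 'JetNSG' -SecurityRules $rules

# Subnets, with the NSG attached at creation so nothing is ever exposed unprotected.
$appSubnet = New-AzVirtualNetworkSubnetConfig -Name 'app' -AddressPrefix '10.1.1.0/24' -NetworkSecurityGroup $nsg
$dbSubnet  = New-AzVirtualNetworkSubnetConfig -Name 'db'  -AddressPrefix '10.1.2.0/24' -NetworkSecurityGroup $nsg

$vnet = New-AzVirtualNetwork -ResourceGroupName $rg -Name 'JetVNet' -Location $loc `
    -AddressPrefix '10.1.0.0/16' -Subnet $appSubnet, $dbSubnet

# Verify: every subnet references the NSG and the deny rule is present.
$vnet.Subnets | Select-Object Name, AddressPrefix,
    @{ n = 'NSG'; e = { ($_.NetworkSecurityGroup.Id -split '/')[-1] } }
Get-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg |
    Select-Object Name, Priority, Access, SourceAddressPrefix, DestinationPortRange
```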
    3️⃣ Storage (Blob, Files, Disks, Backups)

    Lab: Create a Storage Account

    New-AzStorageAccount -ResourceGroupName "TestRG" -Name "jetstorage01" -SkuName "Standard_LRS" -Location "EastUS"

    Key Concepts:

    • Storage Tiers:
      • Hot → Frequent access
      • Cool → Infrequent access
      • Archive → Long-term storage, lowest cost

    4️⃣ Identity & Access Management (IAM, RBAC, MFA)

    Lab: Assign RBAC Role to a User

    New-AzRoleAssignment -SignInName "<user-email>" -RoleDefinitionName "Reader" -Scope "/subscriptions/your-subscription-id"

    Key Concepts:

    • RBAC vs Conditional Access:
      • RBAC → Controls Azure resources.
      • Conditional Access → Controls sign-in policies (MFA, device compliance).

    5️⃣ Monitoring & Security (Azure Monitor, Defender for Cloud)

    Lab: Set Up Alerts for High CPU Usage

    # New-AzMetricAlertRule is the retired classic cmdlet and does not accept "5m"-style
    # durations; the V2 cmdlets take the window and evaluation frequency as TimeSpans.
    $cpu = New-AzMetricAlertRuleV2Criteria -MetricName "Percentage CPU" -TimeAggregation Average -Operator GreaterThan -Threshold 80
    Add-AzMetricAlertRuleV2 -ResourceGroupName "TestRG" -Name "CPUAlert" -TargetResourceId "/subscriptions/your-subscription-id/resourceGroups/TestRG/providers/Microsoft.Compute/virtualMachines/JetVM" -Condition $cpu -WindowSize 00:05:00 -Frequency 00:01:00 -Severity 3

    Key Concepts:

    • Azure Monitor vs Log Analytics:
      • Azure Monitor → Collects logs + metrics.
      • Log Analytics → Queries & analyzes logs.

    🚀 Final Exam Prep Tips

    • Hands-on practice in Azure Free Tier + Pluralsight Labs.
    • Take full-length practice tests (MeasureUp, Tutorials Dojo).
    • Master PowerShell/CLI for automation scenarios.
    • Simulate exam conditions (time yourself, no distractions).


    📌 Conclusion

    By following these structured labs and understanding key concepts, you’ll be well-prepared to ace AZ-104. Keep practicing, and best of luck on your certification journey! 🚀

    📝 Want more Azure tips? Follow my blog for more deep dives into Microsoft certifications and cloud solutions!

  • Azure Application Proxy: A Secure Remote Access Solution

    Introduction

    With the rise of remote work and cloud-based applications, organizations need secure and efficient ways to provide access to internal applications. Azure Application Proxy is a lightweight, cloud-based solution that allows users to access on-premises applications securely from anywhere without a VPN.

    This blog will cover:

    • What is Azure App Proxy?
    • How it works
    • Prerequisites for deployment
    • Step-by-step setup using Azure Portal & PowerShell
    • Best practices for security & performance


    🔹 What is Azure Application Proxy?

    Azure Application Proxy is a cloud-based service in Microsoft Entra ID (formerly Azure AD) that provides secure remote access to on-premises web applications.

    • No VPN required – Reduces complexity & costs
    • Single Sign-On (SSO) – Seamless authentication via Entra ID
    • Secure & Scalable – Uses reverse proxy architecture
    • Conditional Access Support – Controls access based on risk level

    💡 Common Use Cases

    🔹 Access legacy web apps from any device
    🔹 Provide secure extranet access for partners
    🔹 Replace traditional VPNs for application access
    🔹 Enable remote access to intranet apps


    🔹 How Does Azure App Proxy Work?

    Azure App Proxy consists of two main components:

    1. Application Proxy Service (Cloud-based)
      • Runs in Azure
      • Authenticates users via Entra ID
      • Sends requests to the on-premises connector
    2. Application Proxy Connector (On-Premises Agent)
      • Installed inside the corporate network
      • Forwards authenticated requests to internal applications
      • Uses outbound traffic only (no firewall holes needed)

    📌 Architecture Flow

    1️⃣ User accesses app-protected URL
    2️⃣ Azure App Proxy authenticates the user via Entra ID
    3️⃣ Request is forwarded to the on-premises App Proxy Connector
    4️⃣ Connector retrieves the response & sends it back via Azure Proxy


    🔹 Prerequisites

    Before deploying Azure App Proxy, ensure:

    • Microsoft Entra ID (Azure AD) P1 or P2 license
    • An on-premises Windows Server (2016+) to install the connector
    • Outbound internet access on the connector server
    • Domain-joined or cloud-hybrid environment (if using SSO)
    • App must use HTTP/HTTPS (No TCP/UDP apps)


    🛠️ Deploying Azure App Proxy

    🔹 Step 1: Install Application Proxy Connector

    📌 Run the following PowerShell command on your Windows Server:

    Invoke-WebRequest -Uri https://aka.ms/aadappproxy -OutFile "AADAppProxyInstaller.exe"
    Start-Process "AADAppProxyInstaller.exe" -ArgumentList "/quiet" -Wait

    👉 Sign in with Global Admin credentials to register the connector.

    Verify that the connector is running:

    Get-Service | Where-Object { $_.DisplayName -match "Application Proxy Connector" }

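    A broader read-only health check to run on the connector server after the Get-Service line above. This is an added example, not the post's own code: it checks that the connector services are running and set to start automatically, that outbound HTTPS to the Entra sign-in endpoint works (the connector needs outbound connectivity only), and that the .NET strong-crypto registry values used for TLS 1.2 are set. Any additional endpoints from the connector documentation can be passed via -Endpoints; the function name is the example's own.

```powershell
# Added example, not from the original post. Post-install health check for an
# Application Proxy connector server; makes no changes.

function Test-AppProxyConnectorHealth {
    [CmdletBinding()]
    param(
        [string[]]$Endpoints = @('login.microsoftonline.com')
    )
    $results = @()

    # 1. Connector and updater services, matched by display name as in the post.
    $svcs = @(Get-Service | Where-Object { $_.DisplayName -match 'Application Proxy Connector' })
    if ($svcs.Count -eq 0) {
        $results += [pscustomobject]@{ Check = 'Connector services present'; Pass = $false; Detail = 'none found' }
    }
    foreach ($s in $svcs) {
        $results += [pscustomobject]@{
            Check  = "Service '$($s.DisplayName)' running and Automatic"
            Pass   = ($s.Status -eq 'Running' -and $s.StartType -eq 'Automatic')
            Detail = "$($s.Status), $($s.StartType)"
        }
    }

    # 2. Outbound TCP 443 to the cloud side; no inbound rules are required.
    foreach ($ep in $Endpoints) {
        $tnc = Test-NetConnection -ComputerName $ep -Port 443 -WarningAction SilentlyContinue
        $results += [pscustomobject]@{
            Check  = "Outbound 443 to $ep"
            Pass   = [bool]$tnc.TcpTestSucceeded
            Detail = "$($tnc.RemoteAddress)"
        }
    }

    # 3. .NET Framework strong crypto (TLS 1.2) for both 64-bit and 32-bit runtimes.
    $keys = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
    foreach ($key in $keys) {
        $v = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $results += [pscustomobject]@{
            Check  = "SchUseStrongCrypto=1 under $key"
            Pass   = ($v.SchUseStrongCrypto -eq 1)
            Detail = "SchUseStrongCrypto=$($v.SchUseStrongCrypto)"
        }
    }
    return $results
}

Test-AppProxyConnectorHealth | Format-Table -AutoSize
```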
    🔹 Step 2: Register the Application in Azure

    1️⃣ Sign into the Azure Portal
    2️⃣ Go to Microsoft Entra ID > Enterprise Applications
    3️⃣ Click New Application > On-premises Application
    4️⃣ Set External URL (e.g., https://app.jetmariano.us)
    5️⃣ Set Internal URL (e.g., http://internal-app-server.local)
    6️⃣ Choose Pre-authentication method:
       • Azure AD (Recommended) – Uses SSO & Conditional Access
       • Passthrough – No authentication (use only if required)


    🔹 Step 3: Configure Single Sign-On (SSO) (Optional)

    If using SSO with Kerberos, configure:

    Set-WebApplicationProxyApplication -Name "InternalApp" -BackendApplicationUrl "http://internal-app.local" -ExternalApplicationUrl "https://app.jetmariano.us" -ConnectorGroupID "ConnectorGroup1" -SSOType "KerberosConstrainedDelegation"

    ✅ This allows seamless authentication without repeated login prompts.


    🔹 Step 4: Test & Secure the Application

    🔹 Access your external URL and verify that it works.
    🔹 Enable Conditional Access for added security.
    🔹 Restrict access based on device compliance, location, MFA, etc.


    🔒 Best Practices for Azure App Proxy

    Use Azure AD Pre-authentication – Avoid exposing internal apps
    Enable Conditional Access – Enforce MFA & compliance policies
    Monitor access logs – Track login attempts & potential threats
    Use HTTPS for internal apps – Encrypt traffic end-to-end
    Scale with multiple connectors – Ensure redundancy & load balancing


    ✅ Conclusion

    Azure Application Proxy modernizes remote access by eliminating VPN dependencies and enhancing security with Azure AD SSO & Conditional Access.

    🚀 Next Steps:
    🔹 Explore Hybrid Azure AD Join for better identity management
    🔹 Implement Privileged Access Management (PAM) for sensitive apps
    🔹 Set up Azure AD Identity Protection to detect risk-based sign-ins

    🔹 Have you implemented Azure App Proxy? Share your experience below! 💬

  • Fixing MFA Lockout Issues & Bypass Methods in Azure AD

    Introduction

    Multi-Factor Authentication (MFA) is a crucial security measure in Microsoft Entra ID (formerly Azure AD) to protect against unauthorized access. However, users and administrators often encounter MFA lockout issues, preventing legitimate users from accessing their accounts. This can be due to device loss, incorrect configurations, or a lack of backup authentication methods.

    In this blog, we will cover:
    ✅ Why MFA lockout happens
    ✅ How to reset MFA for users
    ✅ Bypass methods for emergency access
    ✅ Best practices to prevent future issues


    🔍 Why Does MFA Lockout Happen?

    MFA lockouts typically occur due to:

    • Device Change – User loses access to their phone or resets their device
    • Authenticator App Issues – User gets a new phone and doesn’t migrate the Authenticator app
    • Phone Number Change – SMS authentication fails due to a new phone number
    • Policy Restrictions – Conditional Access or legacy MFA settings prevent login
    • MFA Throttling – Too many failed attempts lock out the user

    🛠️ How to Reset MFA for a User

    If a user is locked out, an Azure AD admin can reset their MFA settings. Here’s how:

    🔹 Reset MFA via Microsoft Entra Admin Center

    1. Sign in to Microsoft Entra Admin Center as an administrator.
    2. Navigate to Users > All users
    3. Search for the affected user and select them
    4. Click Authentication methods > Require Re-register MFA
    5. Have the user sign in again and set up MFA from scratch

    🔹 Reset MFA Using PowerShell

    Admins can reset MFA via PowerShell with Microsoft Graph PowerShell.

    1️⃣ Connect to Microsoft Graph

    # The authentication-method cmdlets used below need UserAuthenticationMethod.ReadWrite.All; User.ReadWrite.All alone is not enough
    Connect-MgGraph -Scopes "User.ReadWrite.All", "UserAuthenticationMethod.ReadWrite.All"
    

    2️⃣ Find the user needing an MFA reset

    Get-MgUser -UserId [email protected] | Select-Object DisplayName,UserPrincipalName,Id
    

    3️⃣ Reset MFA settings for the user

    Revoke-MgUserAuthenticationMethod -UserId [email protected]
    # Note: the Microsoft Graph PowerShell SDK has no single "revoke all" cmdlet; methods are removed per type (Remove-MgUserAuthenticationPhoneMethod, Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod, Remove-MgUserAuthenticationFido2Method, ...)
    

    4️⃣ Confirm the user is cleared of previous MFA methods

    Get-MgUserAuthenticationMethod -UserId [email protected]
    

    The user will now be prompted to re-enroll in MFA at their next login.
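    Because Microsoft Graph removes authentication methods one type at a time, the reset is easiest to script as a loop. The following is an added example (not code from the original post) that enumerates a user's registered methods and deletes each one through the Graph REST path for its type, with a dry-run switch and an audit CSV; the audit path is an assumption.

```powershell
# Added example: clear every registered MFA method for one user so they re-register at next sign-in.
# Assumes Connect-MgGraph -Scopes "User.Read.All", "UserAuthenticationMethod.ReadWrite.All" has already run.
function Reset-UserMfaMethods {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [string] $AuditPath = "C:\Reports\MfaResets.csv",   # assumed location for the audit trail
        [switch] $WhatIf                                    # report what would be removed, delete nothing
    )

    # Graph exposes each method type as its own collection under /users/{id}/authentication.
    # Map the @odata.type that Get-MgUserAuthenticationMethod returns to that collection name.
    $collections = @{
        '#microsoft.graph.phoneAuthenticationMethod'                   = 'phoneMethods'
        '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'  = 'microsoftAuthenticatorMethods'
        '#microsoft.graph.fido2AuthenticationMethod'                   = 'fido2Methods'
        '#microsoft.graph.softwareOathAuthenticationMethod'            = 'softwareOathMethods'
        '#microsoft.graph.emailAuthenticationMethod'                   = 'emailMethods'
        '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod' = 'windowsHelloForBusinessMethods'
        '#microsoft.graph.temporaryAccessPassAuthenticationMethod'     = 'temporaryAccessPassMethods'
    }

    # Use the object id in URLs; UPNs of guest accounts contain characters that need escaping.
    $userId  = (Get-MgUser -UserId $UserPrincipalName -Property Id).Id
    $actor   = (Get-MgContext).Account
    $methods = Get-MgUserAuthenticationMethod -UserId $userId
    $log     = @()

    foreach ($m in $methods) {
        $type = $m.AdditionalProperties['@odata.type']

        # The password method cannot be deleted; anything not in the map is left in place and reported.
        if (-not $collections.ContainsKey($type)) {
            Write-Host "Leaving $type ($($m.Id)) in place" -ForegroundColor DarkGray
            continue
        }

        $uri     = "https://graph.microsoft.com/v1.0/users/$userId/authentication/$($collections[$type])/$($m.Id)"
        $outcome = 'WouldRemove'
        if (-not $WhatIf) {
            try {
                Invoke-MgGraphRequest -Method DELETE -Uri $uri | Out-Null
                $outcome = 'Removed'
            } catch {
                # Graph may refuse a deletion (for example a method that is still the user's default);
                # record the error and carry on with the remaining methods.
                $outcome = "Failed: $($_.Exception.Message)"
            }
        }
        Write-Host "$outcome $type ($($m.Id))"

        $log += [pscustomobject]@{
            User = $UserPrincipalName; MethodType = $type; MethodId = $m.Id
            Outcome = $outcome; ResetBy = $actor; ResetAt = (Get-Date -Format o)
        }
    }

    # Audit trail: which methods were removed, by whom and when.
    if ($log) { $log | Export-Csv -Path $AuditPath -Append -NoTypeInformation }
    return $log
}

# Dry run first, then the real reset (the user name is a placeholder).
Reset-UserMfaMethods -UserPrincipalName "user@contoso.com" -WhatIf
Reset-UserMfaMethods -UserPrincipalName "user@contoso.com"
```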


    🚨 Emergency MFA Bypass Methods

    In cases where users are locked out and immediate access is required, temporary workarounds can help.

    1️⃣ Use a Temporary Access Pass (TAP)

    A Temporary Access Pass (TAP) allows a user to log in without MFA for a limited time.

    Enable TAP:

    1. Go to Microsoft Entra Admin Center
    2. Navigate to Users > Authentication Methods
    3. Enable Temporary Access Pass policy

    Issue a TAP for the user:

    New-MgUserAuthenticationTemporaryAccessPassMethod -UserId [email protected] -LifetimeInMinutes 30 -IsUsableOnce $true
    

    The user can now sign in using the TAP and reset their MFA.


    2️⃣ Add a Backup Authentication Method

    If a user still has access to another sign-in method, add an additional MFA option.

    Via Admin Portal:

    1. Go to Users in Entra Admin Center
    2. Select the user > Authentication methods
    3. Click Add method and enter an alternate phone number or security key

    Via PowerShell:

    New-MgUserAuthenticationPhoneMethod -UserId [email protected] -PhoneNumber "+1234567890" -PhoneType Mobile -SmsSignInState Enabled
    

    Now, the user can verify via SMS instead.


    3️⃣ Disable MFA Temporarily

    Warning: This is a security risk and should only be used as a last resort.

    Disable per-user MFA for a user via PowerShell (legacy MSOnline module; run Connect-MsolService first):

    Set-MsolUser -UserPrincipalName [email protected] -StrongAuthenticationRequirements @()
    

    OR disable MFA for an entire tenant (not recommended):

    Set-MsolCompanySettings -PreventPerUserMFA $true
    

    Re-enable MFA as soon as possible.


    ✅ Best Practices to Prevent MFA Lockouts

    🔹 Enable Multiple Authentication Methods – Users should register both phone and Authenticator app.
    🔹 Use Temporary Access Passes (TAP) – Helps in cases of device loss.
    🔹 Educate Users on MFA Backup Codes – Encourage users to save backup codes.
    🔹 Enable Admin Recovery Options – Allow trusted admins to reset MFA.
    🔹 Monitor MFA Logs – Use Azure Sign-In Logs to track MFA failures:

    # Requires the AuditLog.Read.All scope; 500121 is the "authentication failed during strong authentication request" code
    Get-MgAuditLogSignIn -Filter "status/errorCode eq 500121"
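
    A single filter returns every raw event; what the helpdesk needs is a per-user count over a time window, which separates a locked-out user (a handful of failures, then silence) from a stream of repeated prompts that warrants investigation. The following is an added example (not code from the original post); the 24-hour window, the threshold of 5 and the report path are assumptions.

```powershell
# Added example: summarise MFA failures (error 500121) per user over a time window and flag outliers.
# Assumes Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All" has already run.
function Get-MfaFailureSummary {
    param(
        [int] $Hours     = 24,   # assumed window
        [int] $Threshold = 5     # assumed per-user failure count worth a look
    )

    # Graph filters want UTC ISO-8601 timestamps.
    $since  = (Get-Date).ToUniversalTime().AddHours(-$Hours).ToString("yyyy-MM-ddTHH:mm:ssZ")
    $filter = "status/errorCode eq 500121 and createdDateTime ge $since"

    # -All follows the paging links; without it only the first page of events is returned.
    $events = Get-MgAuditLogSignIn -Filter $filter -All

    $events |
        Group-Object -Property UserPrincipalName |
        ForEach-Object {
            $latest = $_.Group | Sort-Object CreatedDateTime -Descending | Select-Object -First 1
            [pscustomobject]@{
                User        = $_.Name
                Failures    = $_.Count
                LastFailure = $latest.CreatedDateTime
                LastIp      = $latest.IpAddress        # an unfamiliar source IP changes the picture
                LastApp     = $latest.AppDisplayName
                Flagged     = ($_.Count -ge $Threshold)
            }
        } |
        Sort-Object Failures -Descending
}

$summary = Get-MfaFailureSummary -Hours 24 -Threshold 5
$summary | Format-Table -AutoSize

# Flagged users are either lockout candidates (TAP or reset) or worth an incident ticket;
# export the list so the helpdesk and the SOC work from the same data.
$summary | Where-Object Flagged | Export-Csv -Path "C:\Reports\MfaFailures.csv" -NoTypeInformation
```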
    

    📌 Conclusion

    MFA is essential for securing accounts, but lockouts can frustrate users and disrupt productivity. By using TAP, PowerShell resets, and backup methods, admins can quickly restore access while keeping security intact.

    🚀 What’s next? Consider automating MFA resets with Microsoft Graph API or setting up self-service MFA reset policies for users.

    🔹 Have you experienced MFA lockout issues? What solutions worked best for you? Let’s discuss in the comments! 💬

  • Azure Single Sign-On (SSO): What It Is and How to Implement It

    Introduction to Azure SSO

    Azure Single Sign-On (SSO) is an identity authentication mechanism that allows users to log in once and gain access to multiple applications without needing to re-enter credentials. It integrates with Azure Active Directory (Azure AD) and supports modern authentication protocols like SAML, OpenID Connect (OIDC), and OAuth 2.0.

    Organizations use Azure SSO to improve security, user experience, and IT efficiency while reducing password fatigue and helpdesk requests for password resets.


    🔹 Why Use Azure SSO?

    Improves Security – Reduces password-based attacks by enforcing authentication policies.
    Enhances User Experience – Eliminates the need for multiple logins across cloud apps.
    Reduces IT Workload – Minimizes helpdesk tickets for password resets.
    Centralized Access Control – Manages authentication and access policies in one place.
    Supports Hybrid Environments – Works with cloud and on-premises apps.


    🔹 How Azure SSO Works

    Azure SSO uses Azure AD as the identity provider (IdP) to authenticate users. The authentication flow varies based on the authentication protocol used:

    1️⃣ SAML-based SSO – Azure AD sends a SAML token to authenticate the user.
    2️⃣ OAuth 2.0 / OpenID Connect (OIDC) – The user is authenticated via an authorization token.
    3️⃣ Password-based SSO – Azure AD stores credentials and auto-fills login fields for legacy apps.
    4️⃣ Linked SSO – Redirects users to a third-party identity provider for authentication.


    🔹 Implementing Azure SSO Using PowerShell

    Step 1: Prerequisites

    Before configuring SSO, ensure:
    ✅ You have Global Admin or Application Administrator role in Azure AD.
    ✅ The application supports SAML, OAuth, or OIDC.
    ✅ Azure AD Premium P1/P2 is available for Conditional Access policies (optional).
    ✅ You have PowerShell with AzureAD Module installed.

    To install the AzureAD module, run:

    Install-Module AzureAD -Force -AllowClobber
    

    Connect to Azure AD:

    Connect-AzureAD
    

    Step 2: Register an Application in Azure AD

    To enable SSO, register the app in Azure AD.

    Using PowerShell

    1️⃣ Create the App Registration:

    $AppName = "MyAzureSSOApp"
    $App = New-AzureADApplication -DisplayName $AppName
    $AppId = $App.AppId
    

    2️⃣ Create a Service Principal for the App:

    New-AzureADServicePrincipal -AppId $AppId
    

    3️⃣ Assign Required Permissions (Example: Graph API)

    $Permission = "User.Read.All"
    $AppRole = Get-AzureADServicePrincipal -Filter "AppId eq '$AppId'"   # service principal of the new app
    # The resource is Microsoft Graph's service principal (well-known AppId) and -Id must be the GUID of
    # the application role whose Value matches the permission name, not the permission string itself
    $GraphSp = Get-AzureADServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"
    $GraphRole = $GraphSp.AppRoles | Where-Object { $_.Value -eq $Permission -and $_.AllowedMemberTypes -contains "Application" }
    New-AzureADServiceAppRoleAssignment -ObjectId $AppRole.ObjectId -PrincipalId $AppRole.ObjectId -ResourceId $GraphSp.ObjectId -Id $GraphRole.Id
    

    Step 3: Configure SSO for a SAML-based App

    1️⃣ Enable SAML SSO

    • Go to Azure AD > Enterprise Applications > Select App > Single sign-on
    • Choose SAML
    • Set Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL) provided by the app.
    • Download Azure AD Federation Metadata XML and provide it to the app vendor.

    2️⃣ Configure User Attributes & Claims

    Set-AzureADServicePrincipal -ObjectId $AppRole.ObjectId -Saml2TokenIssuerName "https://login.microsoftonline.com/{tenant_id}/v2.0"
    

    3️⃣ Assign Users or Groups to the App

    $User = Get-AzureADUser -ObjectId "[email protected]"
    # PrincipalId is the user being assigned, ResourceId is the app's service principal,
    # and the all-zero Id assigns the default access role of the application
    Add-AzureADUserAppRoleAssignment -ObjectId $User.ObjectId -PrincipalId $User.ObjectId -ResourceId $AppRole.ObjectId -Id ([Guid]::Empty)
    

    🔹 Best Practices for Azure SSO

    Use Conditional Access Policies – Require MFA for risky sign-ins.
    Enforce Role-Based Access Control (RBAC) – Assign least privilege access.
    Use Azure AD Identity Protection – Detect and mitigate suspicious activities.
    Regularly Review Application Permissions – Ensure only necessary apps have access.
    Enable SSO Logging and Monitoring – Track authentication attempts in Azure AD Sign-in Logs.


    🔹 Testing & Troubleshooting SSO

    After setup, test SSO via MyApps (https://myapps.microsoft.com) or direct application login.

    Common Fixes:

    🔹 Incorrect Reply URL? Ensure the correct Assertion Consumer Service (ACS) URL is set.
    🔹 User Not Assigned? Assign users or groups to the application.
    🔹 Invalid SAML Assertion? Check SAML response in Azure AD Sign-in Logs.
    🔹 SSO Failing for On-Prem Apps? Ensure Azure AD Connect is properly configured.
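
    The first three of those fixes can be checked from a script rather than by clicking through the portal. The following is an added example (not code from the original post) using Microsoft Graph PowerShell; the application name, the expected ACS URL and the required scopes are assumptions.

```powershell
# Added example: check an enterprise application's SAML configuration for the common causes of SSO failure.
# Assumes Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All" has already run.
function Test-SamlAppConfig {
    param(
        [Parameter(Mandatory)] [string] $AppDisplayName,
        [Parameter(Mandatory)] [string] $ExpectedReplyUrl   # the ACS URL the application posts to
    )

    $sp = Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'" `
            -Property Id,DisplayName,ReplyUrls,PreferredSingleSignOnMode,AppRoleAssignmentRequired,KeyCredentials
    if (-not $sp) { throw "No service principal named '$AppDisplayName'" }

    $findings = @()

    # 1. Incorrect Reply URL: the ACS URL must be listed exactly (scheme, host, path, trailing slash).
    if ($sp.ReplyUrls -notcontains $ExpectedReplyUrl) {
        $findings += "Reply URL '$ExpectedReplyUrl' is not configured (configured: $($sp.ReplyUrls -join ', '))"
    }

    # 2. User Not Assigned: when assignment is required, at least one user or group must be assigned.
    $assignments = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All
    if ($sp.AppRoleAssignmentRequired -and -not $assignments) {
        $findings += "Assignment is required but no users or groups are assigned"
    }

    # 3. Invalid SAML Assertion: a missing or expired signing certificate is a frequent cause.
    $signing = $sp.KeyCredentials | Where-Object { $_.Usage -eq 'Sign' }
    $newest  = $signing | Sort-Object EndDateTime -Descending | Select-Object -First 1
    if (-not $signing) {
        $findings += "No SAML signing certificate on the service principal"
    } elseif ($newest.EndDateTime -lt (Get-Date)) {
        $findings += "All SAML signing certificates expired (latest: $($newest.EndDateTime))"
    }

    # The SSO mode should be 'saml' for a SAML integration; anything else means the wizard was not completed.
    if ($sp.PreferredSingleSignOnMode -ne 'saml') {
        $findings += "preferredSingleSignOnMode is '$($sp.PreferredSingleSignOnMode)', expected 'saml'"
    }

    [pscustomobject]@{
        App      = $sp.DisplayName
        Assigned = @($assignments).Count
        Healthy  = ($findings.Count -eq 0)
        Findings = $findings
    }
}

Test-SamlAppConfig -AppDisplayName "MyAzureSSOApp" -ExpectedReplyUrl "https://yourapp.com/sso/callback" |
    Format-List
```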


    🔹 Conclusion

    Azure SSO simplifies authentication, enhances security, and streamlines user access to applications. With Azure AD and PowerShell, you can automate SSO setup, manage user permissions, and enforce security best practices.

    🚀 Next Steps:
    Test your SSO setup and monitor sign-in logs.
    Apply Conditional Access policies for better security.
    Integrate more apps to provide a seamless user experience.

  • Identifying Enabled Accounts in Azure Active Directory

    For Azure AD, use Microsoft Graph PowerShell.

    Step 1: Install & Connect to Azure AD

    Install-Module -Name Microsoft.Graph -Scope CurrentUser -Force
    Connect-MgGraph -Scopes "User.Read.All"
    

    Step 2: Retrieve Enabled Users from Azure AD

    # -All follows Graph paging; without it only the first page (100 users) is returned
    $AzureEnabledUsers = Get-MgUser -Filter "accountEnabled eq true" -All | 
        Select-Object DisplayName, UserPrincipalName, Mail, Id 
    
    $AzureEnabledUsers | Format-Table -AutoSize
    

    Filters only enabled accounts
    Displays key details (Display Name, UPN, Email, Object ID)


    🔹 Step 3: Export Azure AD Enabled Users to CSV

    # The C:\Reports folder must already exist
    $AzureEnabledUsers | Export-Csv -Path "C:\Reports\AzureEnabledUsers.csv" -NoTypeInformation -Encoding UTF8
    

    📌 Use this report for license management, compliance checks, and security audits.


    🔹 Automating the Process (Scheduled Task)

    To automate this script daily or weekly, set up a PowerShell scheduled task:

    1️⃣ Save the script as EnabledUsersReport.ps1
    2️⃣ Open Task Scheduler → Create Basic Task
    3️⃣ Set Trigger (Daily, Weekly, etc.)
    4️⃣ Set Action → Start a Program → powershell.exe -File C:\Scripts\EnabledUsersReport.ps1
    5️⃣ Save & Run

    ✅ Now, you will get automated reports without manual effort! 🚀


    🔹 Summary

    Enabled accounts must be regularly audited to maintain security & compliance.
    PowerShell simplifies the process of retrieving and exporting enabled accounts.
    On-Prem AD & Azure AD scripts ensure comprehensive user monitoring.
    Automating via scheduled tasks ensures continuous and hands-free monitoring.

    By implementing this automation, IT administrators can proactively identify security risks, optimize licensing, and ensure compliance.

    Automating the Disabling of Inactive Accounts in Active Directory & Azure AD Using PowerShell

    Introduction

    Inactive user accounts pose a serious security risk to any IT environment. Accounts that remain enabled but unused can be exploited by attackers, leading to potential data breaches, unauthorized access, and compliance violations.

    By automating the identification and disabling of inactive accounts in Active Directory (AD) and Azure AD, organizations can enhance security and reduce attack surfaces.

    This blog provides step-by-step PowerShell scripts to:
    ✅ Identify inactive accounts
    ✅ Disable inactive users automatically
    ✅ Export the results for auditing
    ✅ Schedule the task for continuous security


    🔹 Why Disable Inactive Accounts?

    📌 Security – Reduce the risk of unauthorized access.
    📌 Compliance – Align with industry regulations (ISO 27001, NIST, GDPR, HIPAA).
    📌 License Optimization – Free up unused Microsoft 365 & Azure AD licenses.
    📌 Operational Efficiency – Keep Active Directory clean and organized.

    Let’s automate this process using PowerShell. 🚀


    🔹 Identifying & Disabling Inactive Accounts in On-Prem Active Directory

    In Active Directory, a user is considered inactive if they haven’t logged in for a specific period (e.g., 90 days).

    Step 1: Install & Import the Active Directory Module

    Ensure the AD module is installed before running the script:

    Install-WindowsFeature -Name RSAT-AD-PowerShell
    Import-Module ActiveDirectory
    

    Step 2: Find Inactive Users (No Login for 90 Days)

    $Cutoff = (Get-Date).AddDays(-90)
    # LastLogonDate is empty for accounts that have never logged on (and lags real activity by up to 14 days);
    # judge never-logged-on accounts by creation date so a brand-new account is not swept up
    $InactiveUsers = Get-ADUser -Filter {Enabled -eq $true} -Properties LastLogonDate, whenCreated | 
        Where-Object { ($_.LastLogonDate -and $_.LastLogonDate -lt $Cutoff) -or (-not $_.LastLogonDate -and $_.whenCreated -lt $Cutoff) } | 
        Select-Object DisplayName, SamAccountName, LastLogonDate, Enabled
    
    $InactiveUsers | Format-Table -AutoSize
    

    Retrieves all enabled users
    Filters users who haven’t logged in for 90+ days
    Displays Name, Username, Last Login Date


    🔹 Step 3: Disable Inactive Users

    $InactiveUsers | ForEach-Object {
        # Disable-ADAccount is the ActiveDirectory cmdlet (there is no Disable-ADUser)
        Disable-ADAccount -Identity $_.SamAccountName -Confirm:$false
    }
    Write-Host "Inactive accounts disabled successfully!" -ForegroundColor Green
    

    📌 The accounts remain in AD but are disabled 🛑


    🔹 Step 4: Export Disabled Users for Auditing

    $InactiveUsers | Export-Csv -Path "C:\Reports\DisabledUsers.csv" -NoTypeInformation -Encoding UTF8
    

    📌 Keeps a record of disabled accounts for auditing & rollback if needed
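
    Run unattended, a sweep like this needs a few guards the steps above leave out: a dry run before the scheduled task disables anything, an exclusion group for service and break-glass accounts, a rule for accounts that have never logged on, and a stamped description on the object so the change can be reversed without the CSV. The following is an added example (not code from the original post) that combines the steps with those guards; the group name, paths and 90-day window are assumptions.

```powershell
# Added example: inactive-account sweep for on-premises AD with dry run, exclusions and rollback data.
function Disable-InactiveAdUsers {
    param(
        [int]    $InactiveDays   = 90,
        [string] $ExclusionGroup = "NoAutoDisable",                  # assumed group for service/admin accounts
        [string] $ReportPath     = "C:\Reports\DisabledUsers.csv",
        [switch] $WhatIf                                             # report candidates, change nothing
    )

    Import-Module ActiveDirectory
    $cutoff   = (Get-Date).AddDays(-$InactiveDays)
    $excluded = Get-ADGroupMember -Identity $ExclusionGroup -Recursive |
                Select-Object -ExpandProperty SamAccountName

    $candidates = Get-ADUser -Filter { Enabled -eq $true } -Properties LastLogonDate, whenCreated, Description |
        Where-Object {
            # LastLogonDate comes from the replicated lastLogonTimestamp (up to 14 days stale) and is empty
            # for accounts that never logged on; judge those by creation date instead.
            $lastActivity = if ($_.LastLogonDate) { $_.LastLogonDate } else { $_.whenCreated }
            ($lastActivity -lt $cutoff) -and ($excluded -notcontains $_.SamAccountName)
        }

    $stamp   = "Auto-disabled $(Get-Date -Format 'yyyy-MM-dd') - inactive > $InactiveDays days"
    $results = foreach ($u in $candidates) {
        if (-not $WhatIf) {
            Disable-ADAccount -Identity $u -Confirm:$false
            # Record the reason and the previous description on the object itself for rollback.
            Set-ADUser -Identity $u -Description "$stamp | was: $($u.Description)"
        }
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            DisplayName    = $u.Name
            LastLogonDate  = $u.LastLogonDate
            WhenCreated    = $u.whenCreated
            Action         = if ($WhatIf) { "WouldDisable" } else { "Disabled" }
        }
    }

    $results | Export-Csv -Path $ReportPath -NoTypeInformation -Encoding UTF8
    return $results
}

# Review the dry run before letting the scheduled task run it for real.
Disable-InactiveAdUsers -WhatIf | Format-Table -AutoSize
```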


    🔹 Identifying & Disabling Inactive Users in Azure AD

    For Azure AD, user inactivity is determined based on the LastSignInDateTime attribute.

    Step 1: Install & Connect to Azure AD

    Install-Module -Name Microsoft.Graph -Scope CurrentUser -Force
    # AuditLog.Read.All is required to read signInActivity (which also needs a Microsoft Entra ID P1/P2 license)
    Connect-MgGraph -Scopes "User.ReadWrite.All", "AuditLog.Read.All"
    

    Step 2: Find Inactive Azure AD Users (90 Days of Inactivity)

    $Cutoff = (Get-Date).AddDays(-90)
    # -All follows paging; users who never signed in have no LastSignInDateTime, so judge those by creation date
    $AzureInactiveUsers = Get-MgUser -Filter "accountEnabled eq true" -Property DisplayName,UserPrincipalName,SignInActivity,CreatedDateTime -All | 
        Where-Object { $Last = $_.SignInActivity.LastSignInDateTime; if ($Last) { $Last -lt $Cutoff } else { $_.CreatedDateTime -lt $Cutoff } } | 
        Select-Object DisplayName, UserPrincipalName, @{Name = "LastSignInDateTime"; Expression = { $_.SignInActivity.LastSignInDateTime }}
    
    $AzureInactiveUsers | Format-Table -AutoSize
    

    Retrieves all enabled users
    Filters users who haven’t signed in for 90+ days
    Displays Name, UPN, Last Sign-In Date


    🔹 Step 3: Disable Inactive Azure AD Users

    $AzureInactiveUsers | ForEach-Object {
        Update-MgUser -UserId $_.UserPrincipalName -AccountEnabled:$false
    }
    Write-Host "Inactive Azure AD accounts disabled successfully!" -ForegroundColor Green
    

    📌 Azure AD users are now disabled 🛑


    🔹 Step 4: Export Disabled Azure AD Users for Auditing

    $AzureInactiveUsers | Export-Csv -Path "C:\Reports\DisabledAzureUsers.csv" -NoTypeInformation -Encoding UTF8
    

    📌 Retains a record for compliance and rollback purposes


    🔹 Automating the Process (Scheduled Task)

    To automate the process, create a PowerShell script and schedule it to run periodically.

    1️⃣ Save the script as DisableInactiveUsers.ps1
    2️⃣ Open Task Scheduler → Create Basic Task
    3️⃣ Set Trigger (e.g., Weekly, Monthly)
    4️⃣ Set Action → Start a Program → powershell.exe -File C:\Scripts\DisableInactiveUsers.ps1
    5️⃣ Save & Run

    📌 Now, the script will run automatically, disabling inactive users on schedule.


    🔹 Summary

    Inactive accounts are a security risk—automate their disabling.
    PowerShell simplifies managing on-prem AD & Azure AD users.
    Exporting logs ensures compliance and rollback safety.
    Automating with Task Scheduler keeps environments secure without manual work.

    By implementing this automated approach, IT teams can enhance security, ensure compliance, and reduce risk, all with PowerShell! 🚀

    Re-Enabling Disabled Users in Azure AD

    For Azure AD, we need to use Microsoft Graph PowerShell.

    Step 1: Install & Connect to Azure AD

    Install-Module -Name Microsoft.Graph -Scope CurrentUser -Force
    Connect-MgGraph -Scopes "User.ReadWrite.All"
    

    Step 2: Find Disabled Users in Azure AD

    # -All follows Graph paging; without it only the first page of users is returned
    $DisabledAzureUsers = Get-MgUser -Filter "accountEnabled eq false" -Property DisplayName, UserPrincipalName -All | 
        Select-Object DisplayName, UserPrincipalName
    
    $DisabledAzureUsers | Format-Table -AutoSize
    

    Lists all disabled users in Azure AD


    🔹 Step 3: Re-Enable Disabled Azure AD Users

    $DisabledAzureUsers | ForEach-Object {
        Update-MgUser -UserId $_.UserPrincipalName -AccountEnabled:$true
    }
    Write-Host "All disabled Azure AD users have been re-enabled!" -ForegroundColor Green
    

    📌 Azure AD users are now restored and can log in again 🔄
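
    Re-enabling every disabled account in the tenant also restores accounts that were disabled on purpose (leavers, compromised accounts, accounts under investigation). A safer variant scopes the operation to accounts the inactivity sweep disabled, as recorded in its audit CSV, and only those on an approval list. The following is an added example (not code from the original post); the approval file (one column, UserPrincipalName) and the paths are assumptions.

```powershell
# Added example: re-enable only accounts disabled by automation AND approved for restoration.
# Assumes Connect-MgGraph -Scopes "User.ReadWrite.All" has already run.
function Restore-ApprovedUsers {
    param(
        [string] $SweepReport  = "C:\Reports\DisabledAzureUsers.csv",   # written by the disable script
        [string] $ApprovalList = "C:\Reports\ReEnableApproved.csv",     # assumed: one column, UserPrincipalName
        [string] $ReportPath   = "C:\Reports\ReEnabledAzureUsers.csv",
        [switch] $WhatIf
    )

    $swept    = Import-Csv $SweepReport  | Select-Object -ExpandProperty UserPrincipalName
    $approved = Import-Csv $ApprovalList | Select-Object -ExpandProperty UserPrincipalName

    # Only the intersection is eligible: approved AND disabled by the sweep, not by a human.
    $eligible = $approved | Where-Object { $swept -contains $_ }
    $ignored  = $approved | Where-Object { $swept -notcontains $_ }
    foreach ($upn in $ignored) {
        Write-Warning "$upn is approved but was not disabled by the sweep; leaving it alone"
    }

    $results = foreach ($upn in $eligible) {
        $user = Get-MgUser -UserId $upn -Property Id,UserPrincipalName,AccountEnabled
        if ($user.AccountEnabled) {
            Write-Host "$upn is already enabled" -ForegroundColor DarkGray
            continue
        }
        if (-not $WhatIf) {
            Update-MgUser -UserId $user.Id -AccountEnabled:$true
        }
        [pscustomobject]@{
            UserPrincipalName = $upn
            Action            = if ($WhatIf) { "WouldEnable" } else { "Enabled" }
            ActionBy          = (Get-MgContext).Account
            ActionAt          = (Get-Date -Format o)
        }
    }

    # Audit trail with who restored what and when.
    $results | Export-Csv -Path $ReportPath -NoTypeInformation -Encoding UTF8
    return $results
}

Restore-ApprovedUsers -WhatIf | Format-Table -AutoSize
```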


    🔹 Step 4: Export Re-Enabled Azure AD Users for Auditing

    $DisabledAzureUsers | Export-Csv -Path "C:\Reports\ReEnabledAzureUsers.csv" -NoTypeInformation -Encoding UTF8
    

    📌 Keeps an audit log of re-enabled accounts


    🔹 Automating the Re-Enablement Process (Scheduled Task)

    To automate the process, create a PowerShell script and schedule it to run periodically.

    1️⃣ Save the script as ReEnableUsers.ps1
    2️⃣ Open Task Scheduler → Create Basic Task
    3️⃣ Set Trigger (e.g., Weekly, Monthly)
    4️⃣ Set Action → Start a Program → powershell.exe -File C:\Scripts\ReEnableUsers.ps1
    5️⃣ Save & Run

    📌 Now, the script will run automatically, checking for and re-enabling disabled users.


    🔹 Summary

    Automating re-enablement helps streamline IT operations.
    PowerShell makes it easy to manage AD & Azure AD accounts.
    Exporting logs ensures accountability for security compliance.
    Task Scheduler keeps everything automated.

    By implementing this automated approach, IT teams can quickly restore access when needed, without manual work. 🚀

    Automating User Notifications for Account Disablement & Re-Enablement Using PowerShell

    🔹 Introduction

    Managing user accounts effectively requires clear communication between IT and employees. When a user’s account is disabled or re-enabled, notifying them (or their manager) reduces confusion and improves security compliance.

    This blog provides PowerShell scripts to:
    Automatically notify users when their account is disabled
    Send alerts when accounts are re-enabled
    Email managers about account status changes
    Export logs for auditing


    🔹 Why Automate Account Status Notifications?

    📌 Security Awareness – Notifies users when access is revoked or restored.
    📌 Compliance – Ensures logs are maintained for security audits.
    📌 Operational Efficiency – Eliminates manual notifications from IT.
    📌 User Experience – Keeps employees informed about their account status.


    🔹 Prerequisites

    🔹 SMTP Server or Microsoft 365 Exchange Online (for sending emails)
    🔹 PowerShell module installed for Active Directory and Microsoft Graph

    🔹 Step 1: Configure Email Settings

    Define email settings for notifications:

    $SMTPServer = "smtp.office365.com"
    $SMTPPort = 587
    $FromEmail = "[email protected]"
    $Credential = Get-Credential  # Enter email credentials for authentication
    

    🔹 Notifying Users When Their Account is Disabled

    Step 2: Identify Recently Disabled Users

    $DisabledUsers = Get-ADUser -Filter {Enabled -eq $false} -Properties DisplayName, EmailAddress, Manager | 
        Select-Object DisplayName, EmailAddress, Manager
    

    Finds all disabled users (the filter alone cannot tell which of them were disabled recently)


    Step 3: Send Email Notifications

    foreach ($User in $DisabledUsers) {
        # Skip accounts with no mail attribute; Send-MailMessage fails on an empty -To
        if (-not $User.EmailAddress) { continue }
        $Subject = "Your Account Has Been Disabled"
        $Body = @"
    Hello $($User.DisplayName),
    
    Your account has been disabled due to security policies or organizational requirements. 
    If you need further assistance, please contact IT Support.
    
    Best regards,  
    IT Support Team
    "@
    
        Send-MailMessage -To $User.EmailAddress -From $FromEmail -Subject $Subject -Body $Body -SmtpServer $SMTPServer -Port $SMTPPort -UseSsl -Credential $Credential
    }
    

    📌 Notifies users that their access has been disabled.


    Step 4: Notify Their Manager (Optional)

    If users have managers assigned in Active Directory, notify them too:

    foreach ($User in $DisabledUsers) {
        # Get-ADUser -Identity fails on an empty value, so skip users with no manager attribute
        if (-not $User.Manager) { continue }
        $Manager = Get-ADUser -Identity $User.Manager -Properties EmailAddress
        if ($Manager.EmailAddress) {
            $ManagerSubject = "Account Disabled Notification - $($User.DisplayName)"
            $ManagerBody = @"
    Hello,
    
    The account for $($User.DisplayName) has been disabled. 
    Please reach out to IT if further actions are required.
    
    Best regards,  
    IT Support Team
    "@
            Send-MailMessage -To $Manager.EmailAddress -From $FromEmail -Subject $ManagerSubject -Body $ManagerBody -SmtpServer $SMTPServer -Port $SMTPPort -UseSsl -Credential $Credential
        }
    }
    

    📌 Managers are informed about user account deactivation.


    🔹 Notifying Users When Their Account is Re-Enabled

    Step 5: Identify Recently Re-Enabled Users

    $ReEnabledUsers = Get-ADUser -Filter {Enabled -eq $true} -Properties DisplayName, EmailAddress | 
        Select-Object DisplayName, EmailAddress
    

    Finds all enabled users (the filter alone cannot tell which of them were just re-enabled)


    Step 6: Send Account Re-Enablement Notifications

    foreach ($User in $ReEnabledUsers) {
        # Skip accounts with no mail attribute; Send-MailMessage fails on an empty -To
        if (-not $User.EmailAddress) { continue }
        $Subject = "Your Account Has Been Re-Enabled"
        $Body = @"
    Hello $($User.DisplayName),
    
    Your account has been re-enabled, and you can now log in as usual.  
    If you experience any issues, please contact IT Support.
    
    Best regards,  
    IT Support Team
    "@
    
        Send-MailMessage -To $User.EmailAddress -From $FromEmail -Subject $Subject -Body $Body -SmtpServer $SMTPServer -Port $SMTPPort -UseSsl -Credential $Credential
    }
    

    📌 Notifies users that their access has been restored.
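
    The two filters above return every disabled and every enabled user, so a scheduled run would mail the whole directory each time. Notifying only the accounts whose state actually changed needs a record of the previous state. The following is an added example (not code from the original post) that keeps a snapshot CSV between runs and returns only the accounts whose Enabled flag flipped, in the shape the loops above expect; the snapshot path is an assumption.

```powershell
# Added example: detect accounts whose Enabled state changed since the previous run.
function Get-AccountStateChanges {
    param(
        [string] $SnapshotPath = "C:\Reports\AccountStateSnapshot.csv"   # assumed location
    )

    Import-Module ActiveDirectory
    $current = Get-ADUser -Filter * -Properties DisplayName, EmailAddress, Manager |
        Select-Object SamAccountName, DisplayName, EmailAddress, Manager, Enabled

    # First run: write the snapshot and report nothing, so nobody is mailed about old history.
    if (-not (Test-Path $SnapshotPath)) {
        $current | Export-Csv -Path $SnapshotPath -NoTypeInformation -Encoding UTF8
        return [pscustomobject]@{ Disabled = @(); ReEnabled = @() }
    }

    $previous = @{}
    foreach ($row in Import-Csv $SnapshotPath) {
        # Export-Csv stores the boolean as the text "True"/"False"
        $previous[$row.SamAccountName] = ($row.Enabled -eq 'True')
    }

    $disabled  = @()
    $reEnabled = @()
    foreach ($u in $current) {
        # Accounts created since the last run have no previous state and are not a transition.
        if (-not $previous.ContainsKey($u.SamAccountName)) { continue }
        $was = $previous[$u.SamAccountName]
        if ($was -and -not $u.Enabled) { $disabled  += $u }
        if (-not $was -and $u.Enabled) { $reEnabled += $u }
    }

    # Persist the new state only after the diff has been computed.
    $current | Export-Csv -Path $SnapshotPath -NoTypeInformation -Encoding UTF8

    [pscustomobject]@{ Disabled = $disabled; ReEnabled = $reEnabled }
}

$changes = Get-AccountStateChanges
# Use these in place of the $DisabledUsers / $ReEnabledUsers queries above.
$DisabledUsers  = $changes.Disabled
$ReEnabledUsers = $changes.ReEnabled
Write-Host "Newly disabled: $(@($DisabledUsers).Count); newly re-enabled: $(@($ReEnabledUsers).Count)"
```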


    🔹 Automating Notifications for Azure AD Users

    If managing Azure AD, use Microsoft Graph PowerShell.

    Step 7: Install & Connect to Azure AD

    Install-Module -Name Microsoft.Graph -Scope CurrentUser -Force
    Connect-MgGraph -Scopes "User.ReadWrite.All", "Mail.Send"
    

    Step 8: Identify Disabled Users in Azure AD

    # -All follows Graph paging; without it only the first page of users is returned
    $DisabledAzureUsers = Get-MgUser -Filter "accountEnabled eq false" -Property DisplayName, Mail -All | 
        Select-Object DisplayName, Mail
    

    Step 9: Send Notification to Disabled Azure AD Users

    foreach ($User in $DisabledAzureUsers) {
        if (-not $User.Mail) { continue }   # nothing to send to
        $Subject = "Your Account Has Been Disabled"
        $Body = "Hello $($User.DisplayName),`n`nYour account has been disabled. Contact IT for assistance."
        
        # Send-MgUserMail sends *from* the mailbox named in -UserId, so pass the IT sender mailbox ($FromEmail from Step 1)
        # and put the user in ToRecipients. A disabled user cannot open their own mailbox, so prefer an alternate address if one is on file.
        Send-MgUserMail -UserId $FromEmail -Message @{
            Subject      = $Subject
            Body         = @{ Content = $Body; ContentType = "Text" }
            ToRecipients = @( @{ EmailAddress = @{ Address = $User.Mail } } )
        }
    }
    

    📌 Azure AD users will receive an email alerting them about their account status.


    🔹 Automating the Process with Task Scheduler

    To automate the notifications:

    1️⃣ Save the script as AccountNotifications.ps1
    2️⃣ Open Task Scheduler → Create Basic Task
    3️⃣ Set Trigger (e.g., Daily at 8 AM)
    4️⃣ Set Action → Start a Program → powershell.exe -File C:\Scripts\AccountNotifications.ps1
    5️⃣ Save & Run

    📌 Now, account status changes will trigger email notifications automatically.


    🔹 Summary

    Users receive notifications when their account is disabled/re-enabled.
    Managers get alerts about changes to their team’s access.
    Automation ensures no manual emails are needed.
    Works for both Active Directory & Azure AD.
    Logs can be exported for security compliance.

    By implementing this automated notification system, IT teams can streamline account management, improve communication, and enhance security awareness. 🚀

    Enforcing MFA Before Re-Enabling User Accounts – PowerShell Automation

    🔹 Introduction

    Multi-Factor Authentication (MFA) is a crucial security layer that helps prevent unauthorized access, especially after a user account is disabled and later re-enabled. Before restoring access, it’s best practice to enforce MFA enrollment to enhance security and prevent potential account compromise.

    This blog provides a PowerShell script to:
    Automatically check MFA status before re-enabling accounts
    Require MFA enrollment before re-enabling
    Send notifications to users and IT teams


    🔹 Why Enforce MFA Before Re-Enabling Accounts?

    📌 Security Enhancement – Prevents unauthorized access after re-enablement.
    📌 Compliance Requirements – Many security frameworks require MFA enforcement.
    📌 Risk Mitigation – Reduces the risk of compromised credentials being reused.
    📌 Automation Efficiency – Ensures a seamless security-first workflow.


    🔹 Prerequisites

    🔹 Azure AD and MSOnline modules installed (Install-Module AzureAD; Install-Module MSOnline – the Get-MsolUser/Set-MsolUser steps below use MSOnline)
    🔹 PowerShell with Admin Rights
    🔹 Global Administrator or Privileged Authentication Admin Role


    🔹 Step 1: Connect to Microsoft Entra ID (Azure AD)

    Install-Module -Name AzureAD -Force
    Install-Module -Name MSOnline -Force   # Get-MsolUser / Set-MsolUser in the following steps come from this module
    Import-Module AzureAD
    Connect-AzureAD
    Connect-MsolService   # per-user MFA settings are read and written through this session
    

    📌 This will prompt for admin credentials to authenticate.


    🔹 Step 2: Identify Recently Disabled Users

    $DisabledUsers = Get-AzureADUser -All $true | Where-Object { $_.AccountEnabled -eq $false } |
        Select-Object DisplayName, UserPrincipalName, ObjectId
    

    📌 Finds all disabled user accounts.


    🔹 Step 3: Check MFA Enrollment Status

    foreach ($User in $DisabledUsers) {
        $MFAStatus = Get-MsolUser -UserPrincipalName $User.UserPrincipalName | Select-Object -ExpandProperty StrongAuthenticationMethods
        if ($MFAStatus -eq $null) {
            Write-Host "MFA not enabled for $($User.DisplayName). Enforcing MFA before re-enabling..." -ForegroundColor Yellow
            # Proceed to enforce MFA
        } else {
            Write-Host "MFA already enabled for $($User.DisplayName). Ready to re-enable." -ForegroundColor Green
        }
    }
    

    📌 This script checks if MFA is enabled before proceeding.


    🔹 Step 4: Enforce MFA Enrollment for Users Without MFA

    # Ask for the SMTP credential once instead of prompting inside the loop
    $Credential = Get-Credential -Message "SMTP credential for the sender mailbox"
    foreach ($User in $DisabledUsers) {
        $MFAStatus = Get-MsolUser -UserPrincipalName $User.UserPrincipalName | Select-Object -ExpandProperty StrongAuthenticationMethods
        if ($MFAStatus -eq $null) {
            Write-Host "Forcing MFA registration for $($User.DisplayName)..."
            # -StrongAuthenticationRequirements expects StrongAuthenticationRequirement objects, not hashtables
            $Requirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
            $Requirement.RelyingParty = "*"
            $Requirement.State = "Enabled"
            Set-MsolUser -UserPrincipalName $User.UserPrincipalName -StrongAuthenticationRequirements @($Requirement)
            
            # Send notification email to user
            $Subject = "MFA Enrollment Required Before Account Re-Enablement"
            $Body = "Hello $($User.DisplayName),`n`nYour account is being re-enabled, but MFA is required before accessing your account. Please complete MFA enrollment immediately."
            Send-MailMessage -To $User.UserPrincipalName -From "[email protected]" -Subject $Subject -Body $Body -SmtpServer "smtp.office365.com" -Port 587 -UseSsl -Credential $Credential
            
            Write-Host "MFA enforced and email notification sent to $($User.DisplayName)." -ForegroundColor Cyan
        }
    }
    

    📌 This forces MFA enrollment and notifies the user via email.


    🔹 Step 5: Re-Enable the User Account

    # Ask for the SMTP credential once instead of prompting inside the loop
    $Credential = Get-Credential -Message "SMTP credential for the sender mailbox"
    foreach ($User in $DisabledUsers) {
        $MFAStatus = Get-MsolUser -UserPrincipalName $User.UserPrincipalName | Select-Object -ExpandProperty StrongAuthenticationMethods
        if ($MFAStatus -ne $null) {
            Write-Host "Re-enabling account for $($User.DisplayName)..." -ForegroundColor Green
            Set-AzureADUser -ObjectId $User.ObjectId -AccountEnabled $true
    
            # Notify the user
            $Subject = "Your Account Has Been Re-Enabled"
            $Body = "Hello $($User.DisplayName),`n`nYour account has been successfully re-enabled. You may now log in using MFA."
            Send-MailMessage -To $User.UserPrincipalName -From "[email protected]" -Subject $Subject -Body $Body -SmtpServer "smtp.office365.com" -Port 587 -UseSsl -Credential $Credential
    
            Write-Host "Account re-enabled and email sent to $($User.DisplayName)." -ForegroundColor Cyan
        }
    }
    

    📌 Only users who have completed MFA enrollment will be re-enabled. Note that a disabled account cannot sign in to complete that enrollment, so the user needs another way to register (for example a Temporary Access Pass issued by an admin) before this check passes.
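
    The same gate can be built with Microsoft Graph PowerShell (the AzureAD and MSOnline modules used above are deprecated), and it resolves the chicken-and-egg problem of a disabled user who cannot sign in to register MFA: accounts without a registered method are enabled together with a short-lived, single-use Temporary Access Pass, which satisfies MFA for the first sign-in and lets the user register. The following is an added example (not code from the original post). It assumes the TAP policy is enabled in the tenant, a Conditional Access policy requires MFA, and the scopes "User.ReadWrite.All" and "UserAuthenticationMethod.ReadWrite.All"; the user list is a placeholder.

```powershell
# Added example: enable a disabled account only with an MFA method registered, or with a TAP that forces registration.
# Assumes Connect-MgGraph -Scopes "User.ReadWrite.All", "UserAuthenticationMethod.ReadWrite.All" has already run.
function Enable-UserWithMfaGate {
    param([Parameter(Mandatory)] [string] $UserPrincipalName)

    $user = Get-MgUser -UserId $UserPrincipalName -Property Id,UserPrincipalName,AccountEnabled
    if ($user.AccountEnabled) {
        return [pscustomobject]@{ User = $UserPrincipalName; Action = 'AlreadyEnabled'; MfaMethods = $null; TapExpires = $null; TapValue = $null }
    }

    # Registered MFA methods are everything except the password method.
    $methods = Get-MgUserAuthenticationMethod -UserId $user.Id |
        Where-Object { $_.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.passwordAuthenticationMethod' }

    $tap = $null
    if (-not $methods) {
        # No MFA registered: issue a single-use pass before enabling, so the first sign-in can only be
        # completed by whoever receives the pass out of band, and registration is the first thing they do.
        $tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $user.Id `
                   -LifetimeInMinutes 60 -IsUsableOnce:$true
    }

    Update-MgUser -UserId $user.Id -AccountEnabled:$true

    [pscustomobject]@{
        User       = $UserPrincipalName
        Action     = if ($tap) { 'EnabledWithTAP' } else { 'Enabled' }
        MfaMethods = @($methods).Count
        TapExpires = if ($tap) { $tap.StartDateTime.AddMinutes($tap.LifetimeInMinutes) } else { $null }
        # Hand the pass to the user over a verified channel (helpdesk call, manager);
        # never e-mail it to the mailbox of the account it unlocks.
        TapValue   = if ($tap) { $tap.TemporaryAccessPass } else { $null }
    }
}

$results = foreach ($upn in @('user1@contoso.com', 'user2@contoso.com')) {   # placeholder list
    Enable-UserWithMfaGate -UserPrincipalName $upn
}
# The TapValue column is deliberately left out of the on-screen report.
$results | Select-Object User, Action, MfaMethods, TapExpires | Format-Table -AutoSize
```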


    🔹 Automating the Process

    To automate MFA enforcement before re-enabling accounts:

    1️⃣ Save the script as Enforce-MFA-AccountReenable.ps1
    2️⃣ Open Task Scheduler → Create Basic Task
    3️⃣ Set Trigger (e.g., Daily at 8 AM)
    4️⃣ Set Action → Start a Program → powershell.exe -File C:\Scripts\Enforce-MFA-AccountReenable.ps1
    5️⃣ Save & Run

    📌 Now, all disabled accounts must complete MFA before being re-enabled!
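
    The Task Scheduler recipe used in this and the preceding posts has two details that decide whether the job actually runs unattended: the task must run under a dedicated account with no interactive session, and the script cannot rely on the interactive Connect-MgGraph prompt (which hangs under Task Scheduler) and must sign in with an app registration and certificate instead. The following is an added example (not code from the original post) that registers the task from PowerShell and shows the unattended sign-in the scheduled script should use; the account, paths, IDs and thumbprint are placeholders.

```powershell
# Added example: unattended Graph sign-in for a scheduled script, plus the task registration.

# Part 1: put this at the top of the scheduled script (e.g. C:\Scripts\EnabledUsersReport.ps1).
function Connect-GraphUnattended {
    param(
        [Parameter(Mandatory)] [string] $ClientId,               # app registration (placeholder)
        [Parameter(Mandatory)] [string] $TenantId,               # placeholder
        [Parameter(Mandatory)] [string] $CertificateThumbprint   # cert in Cert:\LocalMachine\My, private key readable by the task account
    )
    # Application (not delegated) permissions on the app registration decide what the script may do;
    # grant only what the job needs, e.g. User.Read.All for the enabled-users report.
    Connect-MgGraph -ClientId $ClientId -TenantId $TenantId -CertificateThumbprint $CertificateThumbprint -NoWelcome
}

# Part 2: register the task (run once, elevated, on the server that will execute the script).
function Register-AdminScriptTask {
    param(
        [Parameter(Mandatory)] [string] $TaskName,
        [Parameter(Mandatory)] [string] $ScriptPath,
        [Parameter(Mandatory)] [string] $RunAsAccount,   # e.g. CONTOSO\svc-identity-reports (placeholder)
        [string] $At = "08:00"
    )

    # -NonInteractive and -NoProfile fail fast instead of waiting on a prompt nobody will answer;
    # -ExecutionPolicy Bypass is scoped to this process only.
    $action = New-ScheduledTaskAction -Execute "powershell.exe" `
        -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$ScriptPath`""

    $trigger = New-ScheduledTaskTrigger -Daily -At $At

    # S4U logon runs the task without storing the account's password and without an interactive session;
    # the account needs the "Log on as a batch job" right.
    $principal = New-ScheduledTaskPrincipal -UserId $RunAsAccount -LogonType S4U -RunLevel Limited

    $settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 1) `
        -MultipleInstances IgnoreNew -StartWhenAvailable

    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
        -Principal $principal -Settings $settings -Force
}

Register-AdminScriptTask -TaskName "EnabledUsersReport" `
    -ScriptPath "C:\Scripts\EnabledUsersReport.ps1" `
    -RunAsAccount "CONTOSO\svc-identity-reports"
```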


    🔹 Summary

    Users cannot log in until MFA is configured
    Automated enforcement ensures security compliance
    Users and IT teams are notified via email
    Script works for both Active Directory & Azure AD
    Scheduled automation eliminates manual work

    With this automation, IT teams can enforce MFA before restoring user access, ensuring security-first policies and preventing unauthorized logins. 🚀

  • What is SAML and How to Configure It?

    Introduction to SAML

    Security Assertion Markup Language (SAML) is an XML-based authentication standard used for Single Sign-On (SSO). It allows users to log in once and access multiple applications without entering credentials repeatedly.

    Why Use SAML?

    • Enhanced Security: SAML enables authentication via an identity provider (IdP) rather than storing credentials in multiple applications.
    • SSO Capabilities: Users only log in once to access different apps.
    • Interoperability: Works across various identity providers and service providers.

    How SAML Works

    1. User Requests Access: The user tries to access an application (Service Provider – SP).
    2. Redirect to Identity Provider (IdP): The user is redirected to the IdP for authentication.
    3. Authentication & Assertion: The IdP verifies credentials and sends a SAML assertion (authentication token) back.
    4. User Gains Access: The SP validates the assertion and grants access.
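    Step 4 is where SAML deployments most often go wrong, so here is the service-provider side of that step as an added example (not code from the original post): it checks issuer, audience, recipient, InResponseTo and the validity window of an assertion, using the SP Entity ID and Reply URL configured later in this post. The IdP entity ID, the assertion and the clock values are constructed samples, and signature verification is assumed to have been done by an XML-DSig library before these checks run.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Values the SP was registered with in Entra ID (Identifier and Reply URL from this post)
SP_ENTITY_ID = "https://yourapp.com"
ACS_URL = "https://yourapp.com/sso/callback"
# Constructed IdP entity ID in the shape Entra ID uses (the tenant ID is a placeholder)
IDP_ENTITY_ID = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
CLOCK_SKEW = timedelta(minutes=3)  # tolerance for IdP/SP clock drift

# Constructed sample assertion; a real one also carries a ds:Signature element
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2024-03-01T10:00:00Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Subject>
    <saml:NameID>user@contoso.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="_req42"
          Recipient="https://yourapp.com/sso/callback" NotOnOrAfter="2024-03-01T10:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-03-01T09:59:00Z" NotOnOrAfter="2024-03-01T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://yourapp.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-03-01T09:59:30Z"/>
</saml:Assertion>"""


def parse_saml_time(value):
    """SAML timestamps are xs:dateTime in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, expected_request_id, now_iso):
    """Return the list of failed checks; an empty list means the assertion is acceptable.
    Signature verification (XML-DSig over the Assertion with the IdP certificate from the
    federation metadata) must succeed before these checks run and is not shown here."""
    now = parse_saml_time(now_iso)
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML_NS["saml"]:
        return ["root element is not a saml:Assertion"]

    # 1. The assertion must come from the IdP we federated with
    issuer = root.findtext("saml:Issuer", default="", namespaces=SAML_NS)
    if issuer != IDP_ENTITY_ID:
        problems.append("unexpected issuer %r" % issuer)

    # 2. Validity window and audience: an assertion minted for another SP must be rejected
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        problems.append("missing Conditions")
    else:
        not_before, not_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now < parse_saml_time(not_before) - CLOCK_SKEW:
            problems.append("assertion not yet valid")
        if not_after and now >= parse_saml_time(not_after) + CLOCK_SKEW:
            problems.append("assertion expired")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
        if SP_ENTITY_ID not in audiences:
            problems.append("audience %r does not include %s" % (audiences, SP_ENTITY_ID))

    # 3. Bearer confirmation: delivered to our ACS URL, in reply to a request we actually sent
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", SAML_NS)
    if scd is None:
        problems.append("missing SubjectConfirmationData")
    else:
        if scd.get("Recipient") != ACS_URL:
            problems.append("Recipient does not match the ACS URL")
        if scd.get("InResponseTo") != expected_request_id:
            problems.append("InResponseTo does not match the pending AuthnRequest")
        scd_after = scd.get("NotOnOrAfter")
        if scd_after and now >= parse_saml_time(scd_after) + CLOCK_SKEW:
            problems.append("subject confirmation expired")
    return problems


if __name__ == "__main__":
    print(validate_assertion(SAMPLE_ASSERTION, "_req42", "2024-03-01T10:01:00Z"))  # []
```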

    How to Configure SAML Authentication in Entra ID

    To set up SAML-based authentication in Entra ID, follow these steps:

    Step 1: Register an Enterprise Application

    1. Go to Microsoft Entra ID in the Azure Portal.
    2. Navigate to Enterprise Applications > New Application.
    3. Select Non-gallery application and provide a name for your app.
    4. Click Create.

    Step 2: Configure Single Sign-On (SSO)

    1. In the newly created app, go to Single sign-on.
    2. Choose SAML as the authentication method.
    3. Configure the Basic SAML Configuration:
      • Identifier (Entity ID): https://yourapp.com
      • Reply URL (Assertion Consumer Service URL): https://yourapp.com/sso/callback
      • Sign-on URL: https://yourapp.com/login
    4. Click Save.

    Step 3: Download & Share SAML Metadata

    • Download the Federation Metadata XML from the SAML Signing Certificate section.
    • Provide this XML file to the Service Provider (SP) to complete the integration.

    Step 4: Assign Users to the Application

    1. Go to Users and Groups in the Enterprise Application.
    2. Assign users who should have access to the app.

    Step 5: Test SSO

    1. Click on Test SSO in the SAML settings.
    2. Ensure authentication is successful and users can log in.

    Configuring SAML in Entra ID Using PowerShell

    You can automate the setup using PowerShell with the Microsoft Graph API.

    Step 1: Connect to Microsoft Graph
    Connect-MgGraph -Scopes "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All"
    
    Step 2: Register an Enterprise Application
    # Create the application object with the SAML identifiers from the Basic SAML Configuration above,
    # then its service principal, which is the enterprise application
    $app = New-MgApplication -DisplayName "YourAppName" -IdentifierUris @("https://yourapp.com") -Web @{ RedirectUris = @("https://yourapp.com/sso/callback") }
    $enterpriseApp = New-MgServicePrincipal -AppId $app.AppId
    
    Step 3: Configure SAML SSO
    $sp = Get-MgServicePrincipal -Filter "displayName eq 'YourAppName'"
    
    # Switch the enterprise application to SAML-based single sign-on
    Update-MgServicePrincipal -ServicePrincipalId $sp.Id -PreferredSingleSignOnMode "saml"
    
    # Set SAML properties: pin the signing certificate listed under SAML Signing Certificate by its thumbprint
    Update-MgServicePrincipal -ServicePrincipalId $sp.Id -PreferredTokenSigningKeyThumbprint "YourThumbprint"
    
    Step 4: Assign Users
    $user = Get-MgUser -UserId "[email protected]"
    # AppRoleId is the role to grant; the all-zero GUID is the default access role, or pick a role Id from $sp.AppRoles
    New-MgUserAppRoleAssignment -UserId $user.Id -PrincipalId $user.Id -ResourceId $sp.Id -AppRoleId "00000000-0000-0000-0000-000000000000"
    

    Conclusion

    SAML authentication provides a secure and efficient way for users to authenticate with multiple applications using a single sign-on (SSO) process. Configuring SAML in Microsoft Entra ID enhances security, simplifies user access, and integrates seamlessly with cloud-based applications.

    Entra ID App Registration – Introduction, Purpose, and PowerShell Guide

    Introduction

    Microsoft Entra ID (formerly known as Azure AD) is the identity and access management (IAM) solution for Microsoft cloud services. App registration in Entra ID is essential for integrating applications with Entra ID, enabling authentication and authorization for users and services.

    Purpose of Entra ID App Registration

    Entra ID App Registration allows developers and IT admins to:

    • Enable secure authentication for applications.
    • Configure permissions for Microsoft Graph and other APIs.
    • Use OAuth 2.0 and OpenID Connect for secure authentication.
    • Enable multi-tenant access for applications.

    By registering an app, you establish its identity with Entra ID, allowing it to authenticate users and access resources.


    Creating an Entra ID App Registration Using PowerShell

    To create an app registration in Entra ID using PowerShell, follow these steps:

    Prerequisites

    • You must have AzureAD or Microsoft.Graph PowerShell module installed.
    • You need Global Administrator or Application Administrator permissions.

    Steps to Create an App Registration Using PowerShell

    Step 1: Install and Connect to Microsoft Graph PowerShell
    # Install the Microsoft Graph PowerShell module if not installed
    Install-Module Microsoft.Graph -Scope CurrentUser
    
    # Connect to Entra ID with the required permissions
    Connect-MgGraph -Scopes "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All"
    
    Step 2: Create the App Registration
    # Define the application name
    $appName = "MyEntraApp"
    
    # Register the application
    $app = New-MgApplication -DisplayName $appName
    
    # Output the app details
    $app
    
    Step 3: Create a Service Principal for the App
    # Create a service principal to enable authentication for the app
    $sp = New-MgServicePrincipal -AppId $app.AppId
    
    # Output the service principal details
    $sp
    
    Step 4: Assign API Permissions
    # Define API permissions: an application permission (type Role) on Microsoft Graph.
    # Look the permission up by name on the Graph service principal instead of hard-coding its ID
    $graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"   # Microsoft Graph
    $role = $graphSp.AppRoles | Where-Object { $_.Value -eq "User.Read.All" }
    $graphPermission = @{
        ResourceAppId  = $graphSp.AppId
        ResourceAccess = @(@{ Id = $role.Id; Type = "Role" })
    }
    
    # Assign permissions to the app (RequiredResourceAccess is an array of resources).
    # Application permissions still need admin consent before tokens carry them
    Update-MgApplication -ApplicationId $app.Id -RequiredResourceAccess @($graphPermission)
    
    Step 5: Generate a Client Secret
    # Create a client secret for the application, with an explicit expiry (six months here)
    $clientSecret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{ DisplayName = "MySecret"; EndDateTime = (Get-Date).AddMonths(6) }
    
    # Output client secret details
    $clientSecret
    
    Step 6: Retrieve the App Details
    Write-Host "Application ID: $($app.AppId)"
    Write-Host "Service Principal ID: $($sp.Id)"
    # The secret is shown once; store it in a vault (for example Azure Key Vault), never in scripts or tickets
    Write-Host "Client Secret: $($clientSecret.SecretText) (Copy this as it won't be retrievable again!)"
    

    Conclusion

    By following these steps, you have successfully registered an application in Microsoft Entra ID using PowerShell. This setup allows your app to authenticate users, request API permissions, and securely interact with cloud resources.

  • Why Automating User MFA Reporting in Entra ID is Essential for Your Organization

    In today’s rapidly evolving cybersecurity landscape, Multi-Factor Authentication (MFA) plays a pivotal role in securing user access to critical systems and data. While Azure Active Directory (now Entra ID) provides a robust and comprehensive MFA solution, ensuring that users are using the right authentication methods and tracking that data can be time-consuming without proper automation.

    In this blog, we’ll explore what it means to identify users with phone-based MFA in Entra ID, why it’s important to automate this process, and how using PowerShell can significantly streamline the task.


    Understanding Phone-based MFA in Entra ID

    Phone-based MFA refers to the method of using a mobile phone or a phone number to authenticate users trying to access applications, services, or systems in Entra ID. This typically involves one of two methods:

    • Phone App Notification: The user receives a push notification to their phone and must approve or deny the login attempt.
    • Phone App OTP (One-Time Password): The user receives a temporary code (OTP) on their phone, which they must enter to complete the authentication.

    While these are robust forms of authentication, not every user within an organization will necessarily have phone-based MFA set up. Additionally, some users may be using alternate authentication methods, such as hardware tokens or biometrics, while others may have not configured any form of MFA at all.

    Based on my experience, phone-based MFA can cause issues with cross-tenant synchronization. Specifically, users who have phone-based MFA set up may face challenges in being provisioned to other tenants. The “NotInScope” and “NotEffectivelyEntitled” errors are often encountered during cross-tenant sync, preventing the proper provisioning of these users. This can cause delays and disrupt workflows, highlighting the importance of understanding and monitoring the MFA configurations of users across tenants.

    Why Track Active Users with Phone-based MFA?

    Ensuring that the right users are utilizing MFA, especially phone-based methods, is a key component of maintaining a secure environment. Here are a few reasons why tracking active users with phone-based MFA is crucial for your organization:

    1. Enhanced Security: With the rise of phishing attacks and data breaches, enforcing MFA provides an additional layer of security, ensuring that even if a user’s password is compromised, unauthorized access is still blocked. Phone-based MFA is one of the most secure forms of two-factor authentication.
    2. Compliance: Many organizations are bound by regulatory requirements, such as GDPR or HIPAA, that mandate MFA for accessing sensitive data. By ensuring that active users have MFA set up, especially phone-based methods, you can stay compliant with industry standards.
    3. User Experience: Simplified user access can lead to fewer friction points in daily workflows. With phone-based MFA, users can easily authenticate themselves without needing complicated hardware setups. Tracking and reporting on these users ensures that your organization stays on top of who’s set up and using MFA.
    4. Auditing and Reporting: Having visibility into the MFA status of your users is important for security auditing. Automated reporting ensures you’re not missing any critical configurations, and it can highlight any gaps that need addressing.
    5. Efficiency: Manual checks for MFA statuses and configurations can be tedious, especially for larger organizations with hundreds or thousands of users. By automating this process, you free up time for other essential tasks.

    Automating the MFA Reporting Process in Entra ID

    Manual auditing of MFA configurations can be error-prone, especially when done across large environments with multiple users. Automating the process not only improves accuracy but also ensures that the task is completed consistently.

    PowerShell provides a simple yet powerful solution for automating the reporting of active users who have phone-based MFA enabled in Entra ID. Here is how you can automate this process using PowerShell:

    Using the Microsoft Graph PowerShell Module:

    # Connect to Microsoft Graph (the AzureAD module has no cmdlet that exposes a user's MFA methods,
    # so the authentication methods API is used instead)
    Connect-MgGraph -Scopes "User.Read.All", "UserAuthenticationMethod.Read.All"
    
    # Authenticator app push and app OTP methods, as the Graph authentication methods API reports them
    $phoneAppTypes = @(
        "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod",
        "#microsoft.graph.softwareOathAuthenticationMethod"
    )
    
    # Get the list of active users with phone-based MFA enabled
    $usersWithPhoneMFA = Get-MgUser -All -Filter "accountEnabled eq true" -Property Id,DisplayName,UserPrincipalName |
        Where-Object {
            $types = Get-MgUserAuthenticationMethod -UserId $_.Id | ForEach-Object { $_.AdditionalProperties['@odata.type'] }
            [bool]($types | Where-Object { $phoneAppTypes -contains $_ })
        }
    
    # Display the users
    $usersWithPhoneMFA | Select-Object DisplayName, UserPrincipalName
    

    Using the MSOnline Module:

    # Connect to MSOnline
    Connect-MsolService
    
    # Get the list of active users with phone-based MFA enabled
    $usersWithPhoneMFA = Get-MsolUser -All |
        Where-Object {
            $_.BlockCredential -eq $false -and
            (
                $_.StrongAuthenticationMethods.MethodType -contains "PhoneAppNotification" -or
                $_.StrongAuthenticationMethods.MethodType -contains "PhoneAppOTP"
            )
        }
    
    # Display the users
    $usersWithPhoneMFA | Select-Object DisplayName, UserPrincipalName


    Why Automate This Process?

    Automating the reporting of active users with phone-based MFA brings a multitude of benefits:

    • Time-Saving: Automation allows you to quickly run reports and receive accurate information, which can otherwise take hours when done manually.
    • Real-Time Visibility: With automation, you get updated data at any time, helping you respond to potential security risks in real-time.
    • Scalability: Whether you have 10 or 10,000 users, automation ensures that the process scales to match your organization’s size without increasing the workload.
    • Accuracy: The automation removes the risk of human error, ensuring that the right users are being reported and that configurations are accurate.

    Conclusion

    Tracking active users with phone-based MFA is essential to maintaining security and compliance within your organization. By automating this process with PowerShell, you can save valuable time, improve reporting accuracy, and make better, data-driven decisions regarding your organization’s security posture.

    Automating these tasks also prepares your organization to scale efficiently and ensures that all users are adhering to the security standards you’ve set.

    If you haven’t yet automated your MFA reporting process, consider implementing a PowerShell solution and integrate it into your IT operations today. It’s a small investment that will yield significant improvements in both security and efficiency.

  • Provisioning a User in Azure with Email, MFA, and E3 License

    Introduction

    Provisioning users in Azure AD ensures security and compliance, especially with Multi-Factor Authentication (MFA) and proper licensing. This guide walks through setting up a new user with M365 E3 licensing using PowerShell.

    Prerequisites

    ✔ PowerShell installed
    ✔ Azure AD module installed (Install-Module AzureAD)
    ✔ MSOnline module installed (Install-Module MSOnline), used for the per-user MFA step
    ✔ Global Admin or User Admin role in Azure

    PowerShell Script

    # Connect to Azure AD (user and license steps) and to MSOnline (per-user MFA step)
    Connect-AzureAD
    Connect-MsolService
    
    # Create a new user; prompt for the initial password instead of hard-coding it in the script
    $PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
    $PasswordProfile.Password = Read-Host -Prompt "Initial password for the new user"
    $PasswordProfile.ForceChangePasswordNextLogin = $true
    
    $NewUser = New-AzureADUser -UserPrincipalName "[email protected]" `
                    -DisplayName "New User" `
                    -PasswordProfile $PasswordProfile `
                    -MailNickName "newuser" `
                    -AccountEnabled $true `
                    -UsageLocation "US"   # a usage location is required before a license can be assigned
    
    # Assign Microsoft 365 E3 License (Set-AzureADUserLicense expects AssignedLicense/AssignedLicenses objects, not a hashtable)
    $license = Get-AzureADSubscribedSku | Where-Object { $_.SkuPartNumber -eq "ENTERPRISEPACK" }
    $AssignedLicense = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
    $AssignedLicense.SkuId = $license.SkuId
    $Licenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
    $Licenses.AddLicenses = $AssignedLicense
    Set-AzureADUserLicense -ObjectId $NewUser.ObjectId -AssignedLicenses $Licenses
    
    # Enable per-user MFA (this type lives in the MSOnline module; the AzureAD module has no equivalent)
    $StrongAuthRequirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $StrongAuthRequirement.RelyingParty = "*"
    $StrongAuthRequirement.State = "Enabled"
    Set-MsolUser -UserPrincipalName "[email protected]" -StrongAuthenticationRequirements @($StrongAuthRequirement)
    
    Write-Host "User provisioned successfully with MFA and E3 license."
    

    Done! Your new user is now provisioned with an E3 license and MFA enforced.

  • Getting Started with Azure: Essential Components for Running Your Business

    As organizations migrate to the cloud, understanding the core components of Azure is essential for a successful deployment. Unlike AWS, where you need to set up VPCs, security groups, IAM policies, and EC2 instances, Azure has its own ecosystem of services tailored for enterprise workloads.

    In this blog, we’ll break down the essential Azure resources needed to provision a new Azure environment and help businesses scale securely and efficiently.


    🔹 1. What You Need to Run a Business in Azure

    When setting up Azure for an enterprise, you’ll need the following:

    • Azure Active Directory (Entra ID) – Identity & Access Management (like AWS IAM)
    • Azure Virtual Network (VNet) – Private networking (like AWS VPC)
    • Azure Virtual Machines (VMs) – Compute power for applications (like AWS EC2)
    • Azure Storage Accounts – Cloud storage for files, databases, backups
    • Azure Firewall / NSGs – Security for controlling inbound/outbound traffic
    • Azure Site Recovery & Backup – Disaster recovery and business continuity
    • Azure Monitor & Security Center – Log analytics, security monitoring, and alerting
    • Azure App Services – Hosting for web applications (like AWS Elastic Beanstalk)
    • Azure SQL / Cosmos DB – Managed database services for storing business data

    🔹 2. Step-by-Step: Setting Up an Azure Business Environment

    🆕 Step 1: Create an Azure Subscription

    Before you deploy resources, you need an Azure account and subscription:

    Connect-AzAccount
    # New-AzSubscription (Az.Subscription module) only works under an Enterprise Agreement and needs the
    # enrollment account and offer type; other account types create subscriptions in the portal
    New-AzSubscription -Name "CompanySubscription" -OfferType MS-AZR-0017P -EnrollmentAccountObjectId "<enrollment-account-object-id>"
    

    👉 This allows billing, permissions, and resource management.


    🔑 Step 2: Configure Azure Active Directory (Entra ID)

    Azure AD (now Entra ID) manages user access and authentication:

    1️⃣ Confirm the Azure AD tenant you are working in (a new tenant is created in the Entra admin center, not from PowerShell):

    Get-AzTenant
    # Switch to the intended tenant if the signed-in account belongs to several
    Set-AzContext -TenantId "<tenant-id>"
    

    2️⃣ Add users & assign roles:

    # New-AzADUser takes a SecureString password and requires a mail nickname; prompt for the password rather than embedding it
    New-AzADUser -DisplayName "Admin User" -UserPrincipalName "[email protected]" -MailNickname "admin" -Password (Read-Host -AsSecureString -Prompt "Initial password") -ForceChangePasswordNextLogin
    

    3️⃣ Enable Multi-Factor Authentication (MFA):

    # Per-user MFA settings live in the MSOnline module, so connect to it first
    Connect-MsolService
    Set-MsolUser -UserPrincipalName "[email protected]" -StrongAuthenticationRequirements @(New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement -Property @{RelyingParty = "*"; State = "Enabled"})
    

    Why? Azure AD ensures secure authentication, integrates with SSO, and supports Conditional Access to prevent unauthorized logins.


    🌐 Step 3: Set Up Azure Virtual Network (VNet)

    Azure VNets allow private, secure communication between resources (like AWS VPC).

    # Every resource lives in a resource group, so create it first
    New-AzResourceGroup -Name "CompanyResources" -Location "EastUS"
    New-AzVirtualNetwork -Name "CompanyVNet" -ResourceGroupName "CompanyResources" -Location "EastUS" -AddressPrefix "10.0.0.0/16"
    

    Add a subnet for workloads:

    $vnet = Get-AzVirtualNetwork -Name "CompanyVNet" -ResourceGroupName "CompanyResources"
    # Add-AzVirtualNetworkSubnetConfig only changes the local object; Set-AzVirtualNetwork writes it to Azure
    Add-AzVirtualNetworkSubnetConfig -Name "WebSubnet" -VirtualNetwork $vnet -AddressPrefix "10.0.1.0/24" | Set-AzVirtualNetwork
    

    Why? A VNet is required to connect virtual machines, databases, and cloud apps securely.


    💻 Step 4: Deploy Virtual Machines (VMs) for Workloads

    To host applications, databases, or remote desktops, deploy Azure Virtual Machines:

    # Pass -OpenPorts explicitly: without it the generated NSG opens RDP (3389) and WinRM (5985) to the internet for Windows images
    New-AzVM -ResourceGroupName "CompanyResources" -Name "CompanyWebServer" -Location "EastUS" -VirtualNetworkName "CompanyVNet" -SubnetName "WebSubnet" -Image "Win2022Datacenter" -Size "Standard_B2ms" -Credential (Get-Credential -Message "Local administrator") -OpenPorts 80,443
    

    Why? VMs are essential for compute power, running legacy applications, or supporting cloud-based workloads.


    💾 Step 5: Create Azure Storage Accounts for Business Data

    Azure Storage Accounts allow businesses to store and manage files, backups, and logs:

    # Account names must be globally unique and lowercase; disable anonymous blob access and require TLS 1.2 from the start
    New-AzStorageAccount -ResourceGroupName "CompanyResources" -AccountName "companyfiles" -Location "EastUS" -SkuName "Standard_LRS" -AllowBlobPublicAccess $false -MinimumTlsVersion TLS1_2
    

    Why? Storage accounts support blobs, file shares, queues, and tables, making it ideal for structured and unstructured data.


    🚀 Step 6: Implement Network Security (NSGs & Firewalls)

    To secure Azure workloads, configure Network Security Groups (NSGs) and Azure Firewall:

    1️⃣ Create an NSG and apply security rules:

    $nsg = New-AzNetworkSecurityGroup -ResourceGroupName "CompanyResources" -Location "EastUS" -Name "CompanyNSG"
    # Rules are added to the NSG object and written back with Set-AzNetworkSecurityGroup; port ranges are passed as an array
    $nsg | Add-AzNetworkSecurityRuleConfig -Name "AllowWeb" -Direction Inbound -Priority 100 -Access Allow -SourceAddressPrefix "*" -SourcePortRange "*" -DestinationAddressPrefix "*" -DestinationPortRange 80,443 -Protocol Tcp | Set-AzNetworkSecurityGroup
    

    2️⃣ Deploy Azure Firewall:

    # Azure Firewall needs a subnet named AzureFirewallSubnet (/26 or larger) in the VNet and a Standard static public IP
    $vnet = Get-AzVirtualNetwork -Name "CompanyVNet" -ResourceGroupName "CompanyResources"
    $pip = New-AzPublicIpAddress -Name "CompanyFirewallPIP" -ResourceGroupName "CompanyResources" -Location "EastUS" -AllocationMethod Static -Sku Standard
    New-AzFirewall -Name "CompanyFirewall" -ResourceGroupName "CompanyResources" -Location "EastUS" -VirtualNetwork $vnet -PublicIpAddress $pip -SkuName AZFW_VNet -SkuTier Standard
    

    Why? NSGs protect workloads from cyber threats, while Azure Firewall enables advanced network security policies.


    📊 Step 7: Enable Monitoring & Security

    Monitor performance, security, and alerts using Azure Monitor and Defender for Cloud.

    1️⃣ Enable Azure Monitor:

    # Create a Log Analytics workspace: the destination for Azure Monitor logs, diagnostic settings and Defender for Cloud data
    New-AzOperationalInsightsWorkspace -ResourceGroupName "CompanyResources" -Name "CompanyMonitor" -Location "EastUS" -Sku "PerGB2018"
    

    2️⃣ Enable Microsoft Defender for Cloud:

    # Defender for Cloud is turned on per resource type by moving its plan to the Standard tier (Az.Security module)
    Set-AzSecurityPricing -Name "VirtualMachines" -PricingTier "Standard"
    Set-AzSecurityPricing -Name "StorageAccounts" -PricingTier "Standard"
    

    Why? Proactive security monitoring helps prevent breaches, downtime, and performance issues.


    📌 Step 8: Set Up Azure SQL Database or CosmosDB for Business Data

    To store business data, you can use Azure SQL Database or Cosmos DB.

    1️⃣ Create a SQL Database:

    # A logical SQL server (lowercase, globally unique name) must exist before the database; prompt for the admin credential
    New-AzSqlServer -ResourceGroupName "CompanyResources" -ServerName "companydbserver" -Location "EastUS" -SqlAdministratorCredentials (Get-Credential -Message "SQL administrator") -MinimalTlsVersion "1.2"
    New-AzSqlDatabase -ResourceGroupName "CompanyResources" -ServerName "companydbserver" -DatabaseName "CompanyData"
    

    2️⃣ Create a Cosmos DB for NoSQL workloads:

    # Account names must be lowercase and globally unique; ApiKind Sql selects the core (NoSQL) API
    New-AzCosmosDBAccount -ResourceGroupName "CompanyResources" -Name "companycosmosdb" -Location "EastUS" -ApiKind Sql
    

    Why? SQL databases support transactional workloads, while Cosmos DB is best for scalable, NoSQL applications.


    💡 Best Practices for a New Azure Environment

    Use Role-Based Access Control (RBAC) to grant least privilege access
    Enable Multi-Factor Authentication (MFA) for admin accounts
    Implement Azure Security Center for real-time threat monitoring
    Use Azure Policy to enforce governance and compliance
    Set up Backup & Disaster Recovery (Azure Site Recovery)


    🚀 Final Thoughts

    Setting up Azure for a business requires careful planning. Whether migrating from on-premises or AWS, you need to configure:

    Identity & Access (Azure AD)
    Networking (VNet, NSGs, Firewalls)
    Compute (Azure VMs, App Services)
    Storage (Blob, File Shares, Databases)
    Security (Defender for Cloud, Monitor, MFA)

    📌 By automating Azure provisioning with PowerShell, businesses can save time, improve security, and scale efficiently.

    💬 Are you setting up a new Azure environment? What challenges have you faced? Let’s discuss! 🚀

  • How to Quickly Identify and Stop Phishing, Spam, and Malware Emails Using PowerShell

    Phishing, spam, and malware-laden emails are still a major threat to organizations, even with security tools like Microsoft Defender for Office 365 in place. Attackers evolve their techniques to bypass filters, making it critical for IT professionals to quickly analyze and block these threats.

    In this blog, we’ll explore how to quickly determine if an email is malicious and use PowerShell to identify, investigate, and stop phishing attempts in Microsoft Exchange Online.


    🔹 1. How to Identify a Suspicious Email Quickly

    Before using PowerShell, here are quick ways to spot a malicious email:

    Check the sender’s email domain → Look for spoofed domains (e.g., @microsft-support.com instead of @microsoft.com).
    Hover over links (DO NOT CLICK) → If URLs contain random characters or redirect to unknown domains, they are likely phishing.
    Look for urgency or threats → Phrases like “Your account will be locked in 24 hours!” are red flags.
    Check for spelling errors & odd formatting → Professional companies don’t send typo-ridden emails.
    Check email headers for anomalies → Fake “From” addresses or mismatched domains are common in phishing emails.

    🚨 Automate these checks with PowerShell!
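    The checklist above as detection logic, added here as an example that is not code from the original post: it parses a raw message and flags a lookalike sender domain, a Return-Path that does not align with the From domain, failing SPF/DKIM/DMARC verdicts from the Authentication-Results header, urgency wording, and links to hosts outside the organization. ORG_DOMAINS and the sample message are constructed; the lookalike domain is the one used in the checklist.

```python
import email
import re
from email import policy

# Domains the organization legitimately receives mail from (constructed for the example)
ORG_DOMAINS = {"microsoft.com", "contoso.com"}

URGENCY = re.compile(
    r"\b(urgent|immediately|within 24 hours|in 24 hours|will be (locked|suspended)|verify your account)\b",
    re.IGNORECASE,
)

# Constructed raw message showing the traits the checklist describes
SAMPLE_RAW = """Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.contoso.com; spf=pass smtp.mailfrom=mailer.example.net; dkim=none; dmarc=fail header.from=microsft-support.com
From: "Microsoft Support" <alerts@microsft-support.com>
To: user@contoso.com
Subject: Urgent Security Notice: your account will be locked in 24 hours!
Content-Type: text/plain; charset="utf-8"

Please sign in at http://login-verify.xyz/a8f3k2 within 24 hours to keep access.
"""


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character lookalikes such as microsft/microsoft."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    """Domain part of an address or angle-bracketed Return-Path value, lower-cased."""
    return addr.rsplit("@", 1)[-1].strip("<> \t").lower() if "@" in addr else ""


def lookalike(domain):
    """Return the org domain that `domain` imitates (a brand label within one edit), else None."""
    if not domain or domain in ORG_DOMAINS or any(domain.endswith("." + o) for o in ORG_DOMAINS):
        return None
    labels = [t for t in re.split(r"[.\-]", domain) if len(t) >= 5]
    for org in sorted(ORG_DOMAINS):
        brand = org.split(".")[0]
        if any(edit_distance(label, brand) <= 1 for label in labels):
            return org
    return None


def parse_auth_results(header):
    """Pull the spf/dkim/dmarc verdicts out of an Authentication-Results header value."""
    verdicts = {}
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(r"\b%s=(\w+)" % method, header, re.IGNORECASE)
        verdicts[method] = m.group(1).lower() if m else "none"
    return verdicts


def triage(raw):
    """Return the list of red flags found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    from_hdr = msg["From"]
    from_domain = domain_of(from_hdr.addresses[0].addr_spec) if from_hdr and from_hdr.addresses else ""
    imitated = lookalike(from_domain)
    if imitated:
        findings.append("lookalike sender domain: %s resembles %s" % (from_domain, imitated))

    # Envelope sender (Return-Path) and header From align for a legitimate sender
    rp_domain = domain_of(str(msg.get("Return-Path", "")))
    if rp_domain and rp_domain != from_domain:
        findings.append("Return-Path domain %s does not align with From domain %s" % (rp_domain, from_domain))

    # SPF/DKIM/DMARC verdicts stamped by the receiving server
    for method, verdict in parse_auth_results(str(msg.get("Authentication-Results", ""))).items():
        if verdict != "pass":
            findings.append("%s=%s" % (method, verdict))

    body = msg.get_body(preferencelist=("plain",))
    text = "%s\n%s" % (msg["Subject"], body.get_content() if body else "")
    if URGENCY.search(text):
        findings.append("urgency language in subject or body")
    for host in re.findall(r"https?://([^/\s]+)", text):
        if host.lower() not in ORG_DOMAINS:
            findings.append("link to external host %s" % host)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_RAW):
        print("-", finding)
```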


    🔹 2. Investigating Suspicious Emails Using PowerShell

    🔍 Find Emails by Subject, Sender, or Date

    To search for phishing emails across mailboxes:

    Search-Mailbox -Identity "[email protected]" -SearchQuery 'Subject:"Urgent Security Notice"' -TargetMailbox "[email protected]" -TargetFolder PhishingReports
    

    👉 What this does:

    • Searches the mailbox given in -Identity for emails with “Urgent Security Notice” in the subject (pipe Get-Mailbox -ResultSize Unlimited into Search-Mailbox to cover every mailbox).
    • Moves them to the PhishingReports folder in the [email protected] mailbox for further analysis.

    📧 Check Email Headers for Spoofing & Authentication Failures

    To inspect email headers and verify SPF, DKIM, and DMARC:

    Get-MessageTrace -SenderAddress "[email protected]" -StartDate (Get-Date).AddDays(-3) -EndDate (Get-Date)
    

    👉 What this does:

    • Traces emails sent from [email protected] in the last 3 days.
    • Helps identify whether attackers are spoofing legitimate domains.

    🛑 Identify Users Who Clicked on a Phishing Email

    To find who clicked on malicious links in a phishing email, run:

    Get-MailDetailATPReport -StartDate "03/01/2024" -EndDate "03/10/2024" -EventType Click
    

    👉 What this does:

    • Retrieves users who clicked on malicious URLs detected by Safe Links in Defender for Office 365.

    🚨 Immediate Action: Force password reset for affected users.

    Set-MsolUserPassword -UserPrincipalName "[email protected]" -NewPassword "SecureP@ssw0rd!" -ForceChangePassword $true
    

    🔹 3. Stopping Phishing, Spam, and Malware Attacks

    🚫 Block the Sender or Entire Domain

    To block the sender or domain at the organization level:

    New-TenantAllowBlockListItems -Block -Entries "[email protected]" -ListType Sender
    

    👉 What this does:

    • Adds [email protected] to the Tenant Allow/Block List, preventing future emails from this sender.

    To block an entire domain (e.g., @malicious.com):

    # Domains are blocked as Sender entries (Domain is not a valid -ListType value); -NoExpiration stops the entry expiring after 30 days
    New-TenantAllowBlockListItems -Block -Entries "malicious.com" -ListType Sender -NoExpiration
    

    🛡️ Quarantine Suspicious Emails

    To move all emails from a specific sender to Quarantine:

    Set-HostedContentFilterPolicy -Identity Default -BlockedSenderDomains "malicious.com"
    

    👉 What this does:

    • Blocks all emails from malicious.com and moves them to Quarantine.

    🚨 To review quarantined emails:

    Get-QuarantineMessage -StartReceivedDate (Get-Date).AddDays(-3) -EndReceivedDate (Get-Date)
    

    🔐 Block Malicious Attachments & URLs

    To block email attachments containing malware:

    Set-MalwareFilterPolicy -Identity "Default" -EnableFileFilter $true -FileTypes exe,js,vbs,bat,cmd,scr
    

    👉 What this does:

    • Blocks dangerous file types commonly used in phishing and malware attacks.

    To block all URLs in emails unless they are verified safe:

    # The switch is per channel (-EnableSafeLinksForEmail / -ForOffice / -ForTeams); hold delivery until the URL scan completes
    Set-SafeLinksPolicy -Identity "Default" -EnableSafeLinksForEmail $true -ScanUrls $true -DeliverMessageAfterScan $true
    

    🔹 4. Automating Phishing Incident Response

    ✅ Automatically Remove Phishing Emails from User Mailboxes

    To remove an email that has already been delivered:

    Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery "subject:'Important Update Required'" -DeleteContent
    

    👉 What this does:

    • Deletes all emails with “Important Update Required” in the subject across all mailboxes.

    📌 Summary: Key PowerShell Commands for Email Security

    • Find phishing emails: Search-Mailbox -SearchQuery 'Subject:"Urgent Security Notice"'
    • Check email headers: Get-MessageTrace -SenderAddress "[email protected]"
    • Find users who clicked phishing links: Get-MailDetailATPReport -EventType Click
    • Block sender: New-TenantAllowBlockListItems -Block -Entries "[email protected]" -ListType Sender
    • Block domain: New-TenantAllowBlockListItems -Block -Entries "malicious.com" -ListType Sender
    • Quarantine emails: Set-HostedContentFilterPolicy -BlockedSenderDomains "malicious.com"
    • Block malicious attachments: Set-MalwareFilterPolicy -EnableFileFilter $true -FileTypes exe,js,vbs,bat,cmd,scr
    • Delete phishing emails: Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery "subject:'Important Update Required'" -DeleteContent

    🚀 Final Thoughts: Proactive Phishing Defense

    Even with Microsoft Defender, attackers continue to find ways to bypass security filters. PowerShell automation helps identify, block, and remove phishing, spam, and malware attacks quickly.

    ✔ Best Practices:
    Enable Microsoft Defender policies (Safe Links, Safe Attachments, Anti-Phishing)
    Use PowerShell to monitor phishing trends & remove threats
    Train employees on phishing awareness (Attack Simulation Training)
    Regularly review email authentication (SPF, DKIM, DMARC)

    🚀 IT admins should take a proactive approach—blocking phishing before it reaches users saves hours of security incidents.

    💬 Have you encountered a phishing attack that bypassed Defender? What steps did you take to mitigate it? Share your experience!

  • Enhancing Email Security Against Phishing with Microsoft Defender

    Phishing attacks are one of the most common cybersecurity threats, targeting users through deceptive emails to steal credentials, inject malware, or compromise sensitive data. Microsoft Defender for Office 365 offers robust security features to detect, prevent, and respond to phishing threats.

    🔹 Key Strategies to Protect Email from Phishing with Microsoft Defender

    1️⃣ Enable Anti-Phishing Policies in Microsoft Defender

    Microsoft Defender automatically analyzes email behavior, impersonation patterns, and sender reputation to detect phishing attempts.

    Configure Anti-Phishing Protection
    1️⃣ Go to Microsoft Defender Security Portal
    2️⃣ Navigate to: Email & Collaboration > Policies & Rules > Threat Policies
    3️⃣ Select Anti-Phishing
    4️⃣ Set Up Protection Against:

    • User & domain impersonation
    • Spoof intelligence
    • Mailbox intelligence for anomaly detection
    • Authentication failures (SPF, DKIM, DMARC)

    PowerShell to Enable Anti-Phishing Policies

    # The built-in policy is named "Office365 AntiPhish Default"; spoof intelligence is enabled alongside the impersonation protections
    Set-AntiPhishPolicy -Identity "Office365 AntiPhish Default" -EnableMailboxIntelligenceProtection $true -EnableTargetedUserProtection $true -EnableOrganizationDomainsProtection $true -EnableSpoofIntelligence $true
    

    2️⃣ Implement Advanced Threat Protection (ATP) Safe Links & Safe Attachments

    Microsoft Defender provides Safe Links and Safe Attachments to scan URLs and files in real-time before users open them.

    Enable Safe Links (Protects URLs in Emails & Office Documents)
    1️⃣ Go to: Microsoft Defender Security Portal
    2️⃣ Navigate to: Threat Policies > Safe Links
    3️⃣ Create a Safe Links Policy:

    • Enable URL scanning for emails and Office apps
    • Prevent users from clicking malicious links
    • Enable time-of-click protection

    PowerShell to Enable Safe Links for Email Protection

    New-SafeLinksPolicy -Name "SafeLinksPolicy" -EnableSafeLinksForEmail $true -EnableSafeLinksForOffice $true -ScanUrls $true -TrackClicks $true
    # A policy applies to nobody until a rule scopes it to recipients
    New-SafeLinksRule -Name "SafeLinksRule" -SafeLinksPolicy "SafeLinksPolicy" -RecipientDomainIs contoso.com
    

    Enable Safe Attachments (Protects Against Malicious Files)
    1️⃣ Go to: Microsoft Defender Security Portal
    2️⃣ Navigate to: Safe Attachments
    3️⃣ Turn On:

    • Dynamic Analysis to scan file behavior
    • Zero-hour Auto Purge (ZAP) to remove malicious emails post-delivery

    PowerShell to Enable Safe Attachments

    Set-SafeAttachmentsPolicy -Identity "SafeAttachmentsPolicy" -Enable $true -Action Block
    

    3️⃣ Strengthen Email Authentication with SPF, DKIM & DMARC

    Email authentication ensures only legitimate senders can send emails on behalf of your domain.

    Implement SPF (Sender Policy Framework)
    SPF prevents spoofing by verifying if an email originated from an authorized server.
    SPF is configured in DNS only; there is no Exchange Online cmdlet for it.

    👉 Add this TXT record to DNS:

    v=spf1 include:spf.protection.outlook.com -all
    

    Enable DKIM (DomainKeys Identified Mail)
    DKIM ensures email integrity by adding a cryptographic signature to each email that receivers verify against a public key published in DNS.
    PowerShell to Enable DKIM

    # Create the signing configuration for the domain if it does not exist yet, then enable it
    # (the selector1/selector2 CNAME records it reports must be published in DNS before enabling succeeds)
    New-DkimSigningConfig -DomainName contoso.com -Enabled $true
    Set-DkimSigningConfig -Identity contoso.com -Enabled $true
    

    Enforce DMARC (Domain-based Message Authentication, Reporting, & Conformance)
    DMARC prevents domain spoofing and reports unauthorized email activity.
    DMARC DNS TXT Record:

    v=DMARC1; p=quarantine; rua=mailto:[email protected]
    
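    A small linter for the SPF and DMARC records discussed in this section, added as an example rather than code from the original post: it flags the settings that leave a domain spoofable (a soft or neutral SPF qualifier, too many lookup terms, a DMARC policy of none, partial pct, no reporting address). The strong SPF record is the one shown above; the weak records and the DMARC rua address are constructed.

```python
import re


def parse_tags(record):
    """Split a DMARC record such as 'v=DMARC1; p=quarantine' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def lint_spf(record):
    """Return findings for an SPF TXT record; an empty list means no weakness was found."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    final = terms[-1].lower()
    if final in ("+all", "all"):
        findings.append("+all authorizes every sender on the internet")
    elif final == "?all":
        findings.append("?all is neutral, so spoofed mail is not rejected")
    elif final == "~all":
        findings.append("~all is softfail; use -all once every sender is listed")
    elif final != "-all":
        findings.append("no terminal all mechanism; unlisted senders are treated as neutral")
    if any(t.lower().lstrip("+-~?").startswith("ptr") for t in terms):
        findings.append("ptr mechanism is deprecated and unreliable")
    # include, a, mx, exists and redirect each cost a DNS lookup; RFC 7208 allows at most 10
    lookups = sum(1 for t in terms if re.match(r"^[+\-~?]?(include:|a$|a:|mx$|mx:|exists:|redirect=)", t.lower()))
    if lookups > 10:
        findings.append("%d DNS-lookup terms exceed the limit of 10 (permerror)" % lookups)
    return findings


def lint_dmarc(record):
    """Return findings for a DMARC TXT record; an empty list means the policy enforces and reports."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("missing p= tag; the record is invalid")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if int(tags.get("pct", "100")) < 100:
        findings.append("pct=%s applies the policy to only part of the mail stream" % tags["pct"])
    if "rua" not in tags:
        findings.append("no rua= address; aggregate reports will not be delivered")
    if tags.get("sp") == "none":
        findings.append("subdomain policy sp=none leaves subdomains spoofable")
    return findings


if __name__ == "__main__":
    print(lint_spf("v=spf1 include:spf.protection.outlook.com -all"))   # []
    print(lint_spf("v=spf1 include:spf.protection.outlook.com ~all"))   # softfail finding
    print(lint_dmarc("v=DMARC1; p=quarantine; rua=mailto:dmarc@contoso.com"))   # []
    print(lint_dmarc("v=DMARC1; p=none; pct=50"))   # three findings
```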

    4️⃣ Block High-Risk Attachments & Executable Files

    Attackers use malicious attachments to deploy ransomware and trojans.

    Block Suspicious File Types in Defender
    1️⃣ Go to: Security Portal > Threat Policies > Anti-Malware
    2️⃣ Enable Real-Time Protection & Block Attachments:

    • .exe, .js, .vbs, .bat, .cmd, .scr
    • Compressed file types (.zip, .rar)

    PowerShell to Block High-Risk Attachments

    $policy = Get-MalwareFilterPolicy -Identity "Default"   # -FileTypes replaces the whole list, so extend the current one instead of overwriting it
    Set-MalwareFilterPolicy -Identity "Default" -EnableFileFilter $true -FileTypes (($policy.FileTypes + @("exe","js","vbs","bat","cmd","scr","zip","rar")) | Select-Object -Unique)

    5️⃣ Configure Microsoft Defender Attack Simulation Training

    Users are the weakest security link—90% of successful attacks result from human error.
    Microsoft Defender offers simulated phishing attacks to train employees.

    Create a Phishing Attack Simulation in Defender
    1️⃣ Go to: Microsoft Defender Portal > Attack Simulation Training
    2️⃣ Launch a Simulation
    3️⃣ Target Specific Users & Departments
    4️⃣ Analyze Who Clicked the Phishing Link & Failed

    PowerShell to Get Users Who Clicked on Phishing Emails

    # "Safe Links" lists messages where Safe Links acted on a URL; click results for a simulation are in the Attack Simulation Training report in the portal
    Get-MailDetailATPReport -StartDate "03/01/2024" -EndDate "03/10/2024" -EventType "Safe Links"

    6️⃣ Block International & High-Risk IPs Using Conditional Access

    Many phishing attacks originate from foreign IPs or anonymous proxies.
    Restrict Login Attempts from High-Risk Countries

    PowerShell to Block All Non-US Logins

    # Graph PowerShell (the AzureAD module is deprecated); assumes Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess" has run
    $us = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{ "@odata.type" = "#microsoft.graph.countryNamedLocation"
        displayName = "United States"; countriesAndRegions = @("US"); includeUnknownCountriesAndRegions = $false }
    New-MgIdentityConditionalAccessPolicy -BodyParameter @{
        displayName = "Block Non-US Access"; state = "enabled"   # use "enabledForReportingButNotEnforced" first to see what would be blocked
        conditions = @{ users = @{ includeUsers = @("All"); excludeUsers = @("<break-glass-account-object-id>") }   # placeholder: keep emergency access accounts out of the block
                        applications = @{ includeApplications = @("00000002-0000-0ff1-ce00-000000000000") }        # Exchange Online app id
                        locations = @{ includeLocations = @("All"); excludeLocations = @($us.Id) } }
        grantControls = @{ operator = "OR"; builtInControls = @("block") }
    }

    Enable Risk-Based MFA
    Force Multi-Factor Authentication (MFA) on risky sign-ins.
    PowerShell to Require MFA for High-Risk Users

    # Risk-based MFA is a Conditional Access policy on sign-in risk (Entra ID P2); assumes Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess" has run
    New-MgIdentityConditionalAccessPolicy -BodyParameter @{ displayName = "Require MFA for risky sign-ins"; state = "enabled"; conditions = @{ users = @{ includeUsers = @("All") }; applications = @{ includeApplications = @("All") }; signInRiskLevels = @("high", "medium") }; grantControls = @{ operator = "OR"; builtInControls = @("mfa") } }

    🔹 Final Best Practices to Secure Email from Phishing

    Enable Microsoft Defender XDR to correlate phishing threats across email, identity, and devices.
    Use Power Automate to quarantine suspicious emails automatically.
    Monitor Suspicious Email Forwarding Rules—attackers create auto-forwarding rules to exfiltrate emails.
    Review Email Logs in Defender Portal to detect suspicious login activity.
    Automate Incident Response using Microsoft Sentinel for real-time detection and alerting.
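    The check behind the forwarding-rules bullet above, as an added example that is not part of the original post: it reports mailbox-level forwarding and inbox rules that send mail outside the tenant. It assumes Exchange Online PowerShell is already connected and uses Get-AcceptedDomain to decide what counts as external; the function names are assumptions.

```powershell
# Added example, not part of the original post. Assumes Connect-ExchangeOnline has already run with a role that can
# read all mailboxes and inbox rules.

# Tenant-owned domains: any forwarding target outside this list is treated as external
$internalDomains = @((Get-AcceptedDomain).DomainName)

function Test-ExternalTarget {
    param([string]$Target)
    # Rule recipients look like '"Name" [SMTP:user@domain]'; ForwardingSmtpAddress looks like 'smtp:user@domain'
    if ($Target -match 'SMTP:[^@\]\s]+@([^\]\s]+)') { $domain = $Matches[1] }
    elseif ($Target -match '@([^\s>\]]+)')        { $domain = $Matches[1] }
    else { return $false }
    return ($internalDomains -notcontains $domain)
}

function Get-ExternalForwardingFindings {
    foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
        # Mailbox-level forwarding, which survives even if every inbox rule is deleted
        if ($mbx.ForwardingSmtpAddress -and (Test-ExternalTarget "$($mbx.ForwardingSmtpAddress)")) {
            [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Source = "ForwardingSmtpAddress"; RuleName = ""; Enabled = $true; Target = "$($mbx.ForwardingSmtpAddress)" }
        }
        # Inbox rules that forward, forward as attachment, or redirect to an address outside the tenant
        foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue) {
            $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) | Where-Object { $_ }
            foreach ($t in $targets) {
                if (Test-ExternalTarget "$t") {
                    [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Source = "InboxRule"; RuleName = $rule.Name; Enabled = $rule.Enabled; Target = "$t" }
                }
            }
        }
    }
}

# Usage: review every hit; an enabled rule forwarding to a free-mail domain is a classic post-compromise exfiltration sign
Get-ExternalForwardingFindings | Sort-Object Mailbox, Source | Format-Table -AutoSize
```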


    ✅ Conclusion

    Microsoft Defender for Office 365 provides AI-driven, multi-layered protection against phishing. By leveraging anti-phishing policies, Safe Links, Safe Attachments, SPF/DKIM/DMARC, and PowerShell automation, organizations can significantly reduce phishing risks and improve email security.

    🚀 Next Steps:
    🔹 Enable Anti-Phishing Policies in Microsoft Defender
    🔹 Set Up Safe Links & Safe Attachments to block malicious content
    🔹 Implement SPF, DKIM, and DMARC for sender authentication
    🔹 Simulate phishing attacks using Microsoft Attack Simulation Training
    🔹 Automate security incident response with PowerShell

    💬 Have you encountered phishing attempts in your organization? How do you mitigate them? Share your experience! 🚀

  • Microsoft Defender Incident & Alerts: Understanding & Responding to Security Threats

    🔹 Introduction

    In today’s rapidly evolving cybersecurity landscape, organizations face constant threats from malware, phishing, ransomware, and advanced persistent attacks. Microsoft Defender provides a centralized security solution that enables IT and security professionals to detect, investigate, and respond to security incidents effectively.

    This blog covers:
    What Microsoft Defender Incident & Alerts Are
    How Microsoft Defender Detects & Classifies Threats
    How to Investigate & Respond to Alerts
    Automating Incident Response with PowerShell
    Best Practices for Proactive Security


    🔹 What Are Microsoft Defender Incidents & Alerts?

    Microsoft Defender uses AI-driven threat detection to identify and categorize security threats within an organization.

    🔸 What Is an Incident?

    An incident is a collection of related security alerts grouped into a single case. It represents a potential breach, helping security teams focus on a broader attack pattern rather than isolated alerts.

    🔸 What Is an Alert?

    An alert is a single security event triggered by Microsoft Defender for Endpoint, Microsoft Defender for Office 365, or Microsoft Defender for Identity when suspicious activity is detected.

    👉 Example Alerts:
    🔹 A user clicked on a phishing link in an email
    🔹 A process executed malicious PowerShell commands
    🔹 An unauthorized login attempt was made from a foreign IP


    🔹 How Microsoft Defender Detects & Classifies Threats

    Microsoft Defender correlates signals from endpoints, email, identity, and cloud applications to detect and classify threats into different severity levels:

    Severity        Description
    High            Active malware/ransomware, active exploitation of vulnerabilities
    Medium          Suspicious activity, potential phishing, or initial exploitation attempts
    Low             Anomalies that may indicate reconnaissance or minor policy violations
    Informational   Non-malicious unusual activity, failed login attempts, etc.

    🔹 Investigating & Responding to Defender Alerts

    Step 1: View Security Incidents in the Microsoft Defender Portal

    1️⃣ Go to: Microsoft Defender Security Portal
    2️⃣ Navigate to: Incidents & Alerts
    3️⃣ Click on an Incident to view related alerts, affected assets, and recommendations

    Step 2: Investigate Suspicious Activity

    🔹 Check Alert Details (Time, Device, User, Process Executed)
    🔹 View Process Tree Analysis to understand malware execution
    🔹 Analyze Network Connections for suspicious IPs

    Step 3: Take Remediation Actions

    Isolate a Compromised Device

    # Defender for Endpoint has no built-in isolation cmdlet; call its API ($token is an OAuth access token for https://api.securitycenter.microsoft.com)
    Invoke-RestMethod -Method Post -Uri "https://api.securitycenter.microsoft.com/api/machines/DeviceID123/isolate" -Headers @{ Authorization = "Bearer $token" } -ContentType "application/json" -Body (@{ Comment = "Isolated during incident response"; IsolationType = "Full" } | ConvertTo-Json)

    Run an Antivirus Scan on an Affected Machine

    Start-MpScan -ScanType FullScan   # runs on the local machine; wrap it in Invoke-Command -ComputerName for a remote host

    Block a Malicious URL Using Defender

    # URL blocking uses a Defender for Endpoint custom indicator (ASR rules govern process behaviour, not URLs); $token is an OAuth access token for the API and phishing.example is a placeholder
    Invoke-RestMethod -Method Post -Uri "https://api.securitycenter.microsoft.com/api/indicators" -Headers @{ Authorization = "Bearer $token" } -ContentType "application/json" -Body (@{ indicatorValue = "https://phishing.example/login"; indicatorType = "Url"; action = "Block"; title = "Phishing URL"; description = "Blocked after incident review"; severity = "High" } | ConvertTo-Json)

    Disable a Compromised User Account

    # Graph PowerShell (Disable-AzureADUser is not a real cmdlet); assumes Connect-MgGraph -Scopes "User.ReadWrite.All" has run
    Update-MgUser -UserId "UserObjectID" -AccountEnabled:$false; Revoke-MgUserSignInSession -UserId "UserObjectID"   # disabling alone leaves issued tokens valid, so revoke sessions too

    🔹 Automating Incident Response with PowerShell

    Security teams can automate incident detection and response using Microsoft Graph Security API and PowerShell.

    List All Security Incidents

    Connect-MgGraph -Scopes "SecurityIncident.Read.All"   # incidents need the SecurityIncident scope; SecurityEvents.Read.All only covers the legacy alerts API
    Get-MgSecurityIncident -All

    Get Details of a Specific Incident

    $IncidentId = "<incidentID>"
    Get-MgSecurityIncident -IncidentId $IncidentId

    Resolve an Incident

    # Requires SecurityIncident.ReadWrite.All; status values are Graph enums (active, inProgress, resolved) and are case-sensitive
    Update-MgSecurityIncident -IncidentId $IncidentId -Status resolved
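    An added example (not from the original post) that builds on the incident cmdlets above: it pulls open high- and medium-severity incidents from the last week with their alerts expanded, ranks them by the severity levels from the table earlier in the post, and closes a confirmed false positive. The SecurityIncident.ReadWrite.All scope and the function names are assumptions.

```powershell
# Added example, not part of the original post. Assumes the Microsoft.Graph.Security module is installed and that
# Connect-MgGraph -Scopes "SecurityIncident.ReadWrite.All" has already run.

function Get-IncidentTriageSummary {
    param([int]$Days = 7)
    $since = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString("yyyy-MM-ddTHH:mm:ssZ")
    # Open high/medium incidents from the last $Days days; $expand=alerts returns the alerts in the same request
    $filter = "status eq 'active' and (severity eq 'high' or severity eq 'medium') and createdDateTime ge $since"
    $rank   = @{ high = 0; medium = 1; low = 2; informational = 3; unknown = 4 }

    Get-MgSecurityIncident -All -Filter $filter -ExpandProperty alerts |
        Sort-Object { $rank["$($_.Severity)"] }, CreatedDateTime |
        ForEach-Object {
            $alerts = @($_.Alerts)
            [pscustomobject]@{
                IncidentId = $_.Id
                Severity   = "$($_.Severity)"
                Name       = $_.DisplayName
                Created    = $_.CreatedDateTime
                AlertCount = $alerts.Count
                # Which Defender products raised the alerts, e.g. microsoftDefenderForEndpoint, microsoftDefenderForOffice365
                Sources    = (@($alerts.ServiceSource | Where-Object { $_ }) | Sort-Object -Unique) -join ","
                # Distinct MITRE ATT&CK technique IDs across all alerts; several on one incident suggest a multi-stage chain
                Techniques = (@($alerts.MitreTechniques | Where-Object { $_ }) | Sort-Object -Unique) -join ","
                Url        = $_.IncidentWebUrl
            }
        }
}

function Close-IncidentAsFalsePositive {
    param([Parameter(Mandatory)][string]$IncidentId, [string]$Determination = "securityTesting")
    # Status, classification and determination are Graph enum values and are case-sensitive in the request body
    Update-MgSecurityIncident -IncidentId $IncidentId -Status resolved -Classification falsePositive -Determination $Determination
}

# Usage: highest severity first; then close one that turned out to be an authorized test
Get-IncidentTriageSummary -Days 7 | Format-Table IncidentId, Severity, AlertCount, Sources, Techniques, Name -AutoSize
# Close-IncidentAsFalsePositive -IncidentId "<incident id>" -Determination securityTesting
```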
    

    🔹 Best Practices for Microsoft Defender Security Monitoring

    Enable Defender XDR (Extended Detection & Response) to correlate threats across email, endpoints, and identity.
    Use Automated Investigation & Response (AIR) to automatically contain threats.
    Set up Security Playbooks in Microsoft Sentinel for automated incident handling.
    Enable Threat Intelligence Integration to detect nation-state or advanced threats.
    Regularly review & tune alert policies to reduce false positives.


    ✅ Conclusion

    Microsoft Defender provides real-time threat intelligence, automated incident response, and deep security insights to proactively protect organizations. By leveraging PowerShell, automation, and best practices, IT security teams can efficiently detect, investigate, and remediate security incidents.

    🚀 Next Steps:
    🔹 Set up Conditional Access Policies to block risky sign-ins
    🔹 Integrate Microsoft Defender with Microsoft Sentinel for better threat visibility
    🔹 Automate threat response workflows using Power Automate & Security Playbooks

    💬 Have you encountered any security incidents recently? Share your experiences below!
