Azure MFA – Enabled or Enforced, what’s the diff?

Just because a user has registered for MFA doesn’t mean their status is Enforced.


On the outside this is a fairly simple question with a very clear answer: after a user has registered for MFA, their status is automatically changed by #Azure #MFA from Enabled, to Enforced.

Microsoft’s guidance is to not manually change a user from enabled to enforced; since it’s an automatic process with a workflow behind it, it’s probably a good idea to follow that guidance as a general practice.

From the above it would stand to reason that if we use PowerShell to verify who has configured MFA (phone, text, app), no Enabled users would have data in this field and all Enforced users would have data in this field. The “field” here is user.StrongAuthenticationMethods.MethodType.

After hours of digging, I finally found the catalyst for the switch from Enabled to Enforced: app password creation. Azure MFA switches a user’s MFA status from Enabled to Enforced when an app password has been created. This is Step 3 of the Azure MFA registration process.

That’s great information to know, but it doesn’t explain how a user has Strong Authentication Methods configured and yet their account still shows only Enabled. Enter Office 2016. After some testing, I found that when the registration process is performed via an Office 2016 app – for example Skype for Business or Outlook – Step 3 does not automatically create an app password. The configuration completes successfully, and the user account is secured, but since Office 2016 supports modern authentication natively, logically it does not force the app password creation. Instead, Step 3 of the MFA setup in the Office client provides a link to the app password proofup page.
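The mismatch described above (registered methods, but a state that is still Enabled rather than Enforced) is easy to find from PowerShell. The following is an added example, not code from the original post; it uses the same MSOnline cmdlets and properties the post refers to (Get-MsolUser, StrongAuthenticationRequirements.State, StrongAuthenticationMethods.MethodType), assumes Connect-MsolService has already been run, and the output paths are placeholders. Microsoft has since retired the MSOnline module in favour of Microsoft Graph PowerShell, so treat it as a report for tenants still using per-user MFA through these cmdlets.

```powershell
# Added example (not from the original post): report users whose registered MFA methods
# and per-user MFA state disagree. Assumes the MSOnline module is loaded and
# Connect-MsolService has been run.

Connect-MsolService

$report = Get-MsolUser -All | ForEach-Object {
    # StrongAuthenticationRequirements is empty when per-user MFA was never set,
    # so $state is $null for those users.
    $state   = $_.StrongAuthenticationRequirements.State
    $methods = @($_.StrongAuthenticationMethods)

    [PSCustomObject]@{
        UserPrincipalName = $_.UserPrincipalName
        MfaState          = if ($state) { $state } else { 'Disabled' }
        MethodCount       = $methods.Count
        Methods           = ($methods | ForEach-Object { $_.MethodType }) -join ';'
        DefaultMethod     = ($methods | Where-Object { $_.IsDefault } | Select-Object -First 1).MethodType
    }
}

# Registered but still Enabled: the case the post describes (for example, registration
# completed from an Office 2016 client, so no app password was created and no switch to Enforced).
$enabledWithMethods = $report | Where-Object { $_.MfaState -eq 'Enabled' -and $_.MethodCount -gt 0 }

# Enforced with no methods on record: worth a look, since Enforced is expected to follow registration.
$enforcedNoMethods = $report | Where-Object { $_.MfaState -eq 'Enforced' -and $_.MethodCount -eq 0 }

$enabledWithMethods | Export-Csv 'C:\mfa-enabled-with-methods.csv' -NoTypeInformation   # placeholder path
$enforcedNoMethods  | Export-Csv 'C:\mfa-enforced-no-methods.csv'  -NoTypeInformation   # placeholder path
```

The first export is the list to follow up on: those users are protected (they have a registered method) but have not been moved to Enforced, which matters if anything downstream keys off the Enforced state rather than the registered methods.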

Azure MFA Bulk Loading

In another case of just use the Azure CLI or PowerShell

Here’s a quick tip for you. In another case of just use the Azure CLI or PowerShell, I found that using the bulk update button in the Office 365/Azure MFA settings only enabled about 1/5 of the users in my .csv file (limit 500 lines). Using PowerShell I was able to enable 1500+ users (we have 16k total currently) with 100% accuracy. I don’t do much math, but that makes sense to me!

First, put all UPNs in a .txt file, one per line, and run the following (this assumes the MSOnline module is loaded and Connect-MsolService has been run):

# Enable per-user MFA for every UPN listed in the file.
foreach ($user in $(Get-Content C:\Userlist.txt)) {
    $st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $st.RelyingParty = "*"
    $st.State = "Enabled"
    $sta = @($st)
    Set-MsolUser -UserPrincipalName $user -StrongAuthenticationRequirements $sta
}

Verify this worked with the following:

# Re-read each UPN and keep only the users whose MFA state is still not set.
$missing = foreach ($user in $(Get-Content C:\Userlist.txt)) {
    Get-MsolUser -UserPrincipalName $user |
        Select-Object UserPrincipalName, @{N='MFA State'; E={ $_.StrongAuthenticationRequirements.State }} |
        Where-Object { $_.'MFA State' -notin @('Enabled', 'Enforced') }
}

$missing | Export-Csv C:\missingmfa.csv -NoTypeInformation

And of course if you want to get the status for all your licensed users run this:

Get-MsolUser -All | Select-Object UserPrincipalName, IsLicensed, @{N='MFA State'; E={ $_.StrongAuthenticationRequirements.State }} | Export-Csv C:\mfausers.csv -NoTypeInformation


That should get you confidently through a large rollout.

Check us out at Centric Consulting!

Azure Active Directory Conditional Access

I wanted to share a high-level overview of Azure Active Directory Premium Conditional Access

The blog is in a deck this time.

I wanted to share a high-level overview of Azure Active Directory Premium Conditional Access and I had just done a presentation so instead of just text, it’s available via slideshare.

Take a look now!


The intranet is dead, long live micronets

The intranet failed for three (or more) basic reasons.

The intranet failed for three (or more) basic reasons:

  1. Findability
  2. Freshness
  3. Focus

While corporate champions love their intranets, users, in large part, have to be forced to use them, and teams of people are deployed to keep content up-to-date. One size never fit all, no matter how pretty, slidey, rotatey or flashy the intranet is. While improvements in search have brought us to the point where we are provided type-ahead bits of what we need almost before we start typing, users were never taught how or when to search, and so they rarely do. AI provides us with targeted information and that helps, but even that, for an intranet so far, is woefully inadequate.

Look at your coworker/friend/family member’s laptop, tablet, or phone. I would challenge you to find one device with the same apps installed and icons in the same location, as yours. Even services vary from device to device. So, you have a piece of equipment that includes the different pieces of work and life that you need or want to use daily, in the location that suits you best, but how does that translate to productivity? What you want are micronets, smaller groups of resources targeted to specific work and goals. What you need is a platform, app, or service that allows you to work with the products you use every day, in one place, and interact with the people you work with every day, but in a customizable way that is easily adapted or enhanced to meet your needs for actual day-to-day business.

A product like Microsoft Teams allows your users to work the way they are most comfortable, with access to the most up-to-date, relevant information. Allowing people to group themselves into teams for specific work, special interests, human resources and other topics lets them work how they are most effective. Plus, it happens almost without them knowing it, while still being well-governed.

There are many benefits to the Microsoft Teams approach, among them:

  1. Current, relevant documents available instantly
  2. Required resources available on-demand or scheduled, grouped intelligently
  3. Audio/Video and chat built in
  4. Connectors to external apps

This approach will still require training and adoption efforts, governance and change management, but it fits the revolution, it fits the way people work and it fits the budget.

Office 365 Encryption

In Office 365, content is encrypted using several strong encryption protocols and technologies.

This article is a high-level look at Encryption using all default settings. It is in no way a comprehensive walk-through of all the available options for RMS, OME, IRM, or Forced TLS (this will not cover S/MIME digital ID encryption). It is intended to provide a quick start to additional encryption technologies in Office 365.

In Office 365, content is encrypted using several strong encryption protocols and technologies, including Transport Layer Security/Secure Sockets Layer (TLS/SSL), Internet Protocol Security (IPSec), and Advanced Encryption Standard (AES).

But . . . is that all? Of course not! There’s much more you can add to protect your emails and files in Office 365. We’ll discuss these in the order in which we encounter them in many organizations.

Azure RMS (E3/EM+S E3 or higher required) with IRM

The first enhanced layer of encryption available is added by enabling Azure RMS for your tenant. By default, this feature is off. By activating Azure RMS you open the door to several other technologies we’ll discuss in a moment.

First, locate and select Home > Settings > Services & add-ins > Microsoft Azure Information Protection and select the link for Microsoft Azure Information Protection. Azure RMS is a requirement for AIP.

Click on Activate to enable RMS for your tenant. You will see the screen below afterwards.

After activation, a few lines of PowerShell are required to configure Information Rights Management.


“RMS Online”



That provides the options in Outlook for users to apply RMS templates and protect messages. It also allows you to enable Information Rights Management in the SharePoint Administration console and apply rights protection to individual lists and libraries as needed.
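The PowerShell configuration referred to above is the step that connects Exchange Online to Azure RMS (the “RMS Online” trusted publishing domain). The block below is an added example, not the post’s own lines: it uses the Exchange Online cmdlets Set-IRMConfiguration, Import-RMSTrustedPublishingDomain, Test-IRMConfiguration and Get-RMSTemplate, assumes an Exchange Online remote PowerShell session is already open, and the key-sharing URL is the North America endpoint, which is region-specific and must match your tenant’s region. The test address is a placeholder.

```powershell
# Added example (not from the original post): connect Exchange Online to Azure RMS so IRM
# templates become available in Outlook and in the SharePoint admin console.
# Assumes an Exchange Online remote PowerShell session is open.
# The key-sharing location is region-specific; this is the North America endpoint,
# so confirm the endpoint for your tenant's region before running.

$keySharingLocation = 'https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc'

# 1. Point Exchange Online at the Azure RMS key-sharing service.
Set-IRMConfiguration -RMSOnlineKeySharingLocation $keySharingLocation

# 2. Import the tenant's trusted publishing domain from Azure RMS. The name is the
#    conventional "RMS Online" label for the Azure-hosted TPD.
Import-RMSTrustedPublishingDomain -RMSOnline -Name 'RMS Online'

# 3. Enable IRM for mail inside the organization: Outlook, Outlook on the web and
#    mail flow rules can now apply RMS templates.
Set-IRMConfiguration -InternalLicensingEnabled $true

# 4. Check the configuration end to end for one mailbox. Each check reports PASS or FAIL,
#    which is the quickest way to confirm templates are retrievable before users try them.
Test-IRMConfiguration -Sender 'user@contoso.example'   # placeholder address

# 5. List the templates users will see under Options > Permissions in Outlook
#    (Do Not Forward plus any custom templates published from Azure RMS).
Get-RMSTemplate | Select-Object Name, Description

# The current state can be reviewed at any time.
Get-IRMConfiguration | Select-Object InternalLicensingEnabled, RMSOnlineKeySharingLocation, LicensingLocation
```

Step 4 is the one worth keeping in a runbook: if a user reports that a protected message will not open, re-running Test-IRMConfiguration against that mailbox separates a tenant-level RMS problem from a client-side one.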

When composing a new message in outlook, select the Options tab and the Permissions button to encrypt your message. The image below shows the default RMS templates. The default template, Unrestricted access, allows all operations on the message. The others are restricted as follows:

  • Do Not Forward – recipient cannot forward, print, or copy the message
  • Confidential\All Employees – recipient can Read and Edit
  • Highly Confidential\All Employees – recipient can only Read

The question of the hour for this process is usually, “What is the experience for the recipient?” Using Outlook without the reading pane, the message will appear like the image below. The red icon indicates that IRM protection is in place for this message.

Using the reading pane when an IRM message comes in, the recipient will see the message below indicating that the message is encrypted and cannot be displayed unless opened.

Every time you open a rights protected message, your computer will download the necessary IRM components to decrypt. It is a temporary operation and is usually very fast. It will look like this:

Great, you say, I can see my message. But what if you don’t have RMS on your local network or an Azure RMS subscription with RMS activated? This is no problem. Visit this Azure Information Protection site and enter your email address; Microsoft will verify whether your account is already sufficiently authorized or whether you need to download the RMS for Individuals/Azure Information Protection client. For an excellent look at the Azure Information Protection client, visit my colleague Pixie Vee’s WordPress blog here. Once the client is installed you’ll be able to use the account you tested to open IRM protected emails, documents, etc.

Office 365 Message Encryption (OME) (E3/EM+S E3 or higher required)

Office 365 Message Encryption allows administrators to configure Exchange Online mail flow rules to apply encryption based on Conditions and Exceptions. Please make a big note here: although I won’t mention it in this section, be aware that the same settings can be used to automatically apply IRM protection as well. So, what are those settings? Let’s talk about it.

Office 365 Message Encryption goes a step further than IRM protection for emails by encrypting the email and attaching the original text as an html attachment. This will require the recipient to sign in with their Microsoft account, or get a one-time use code to open the email.

Here’s a quick look at configuring one of these very flexible and comprehensive mail flow rules. From the Exchange Admin Center:

As you can see below you can also choose to use Apply rights protection or Require TLS. For this example we’re using OME.

The finished product is a rule that uses OME to encrypt all messages to external users if the phrase “Highly Confidential” is located anywhere in the subject or body of the individual message. Mail flow rules check every email that is sent.

But, again, you ask me, “What is the user experience?” I need to know!

Here is a sample composed message that will have OME applied when it is sent to this external user. Please note the use of the words “Highly Confidential” in the subject line.

The recipient will see the image below.

When they double click on the attachment, the default browser will open to the following page:

The message will open in the browser.

Forced TLS

In much the same way that mail flow rules mix and match conditions and actions for rights protection and OME, you can also use a mail flow rule to require TLS between sender and recipient. If you know that a partner, let’s say it’s a connection to your bank, supports TLS, you can force messages to that partner to use TLS and specify certificate names, a different MX, and other options for the partner. You can also force Exchange to only accept TLS-encrypted messages from partners. Both are done using a connector. If you’ve created a mail flow rule with specific conditions and exceptions for using TLS, you can also configure a connector that is used only by that mail flow rule. Here’s an example of a test connector that does not use a mail flow rule.
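The Exchange Admin Center steps described in the OME section and in this Forced TLS section each have a PowerShell equivalent. The block below is an added example, not the post’s own configuration: it rebuilds the “Highly Confidential” OME rule, a Require TLS rule, and a partner outbound/inbound connector pair with the Exchange Online cmdlets New-TransportRule, New-OutboundConnector and New-InboundConnector. It assumes an Exchange Online remote PowerShell session; the rule names, connector names, partner domain and certificate name are placeholders.

```powershell
# Added example (not from the original post): PowerShell equivalents of the mail flow rules
# and connectors discussed above. Assumes an Exchange Online remote PowerShell session.
# Names, the partner domain and the certificate name are placeholders.

# Rule 1: apply OME to any message to an external recipient whose subject or body
# contains "Highly Confidential" (the rule built in the Exchange Admin Center above).
New-TransportRule -Name 'OME - Highly Confidential to external' `
    -SentToScope NotInOrganization `
    -SubjectOrBodyContainsWords 'Highly Confidential' `
    -ApplyOME $true

# The same condition can instead use the "Apply rights protection" action with an RMS
# template; 'Do Not Forward' is the built-in template listed earlier. Shown commented out
# so that only one of the two actions is created for this condition.
# New-TransportRule -Name 'IRM - Highly Confidential to external' `
#     -SentToScope NotInOrganization `
#     -SubjectOrBodyContainsWords 'Highly Confidential' `
#     -ApplyRightsProtectionTemplate 'Do Not Forward'

# Rule 2: the "Require TLS" action. Mail to the partner domain is only delivered over TLS;
# if the partner does not offer TLS, the message is not sent in the clear.
New-TransportRule -Name 'Require TLS to partner' `
    -RecipientDomainIs 'partnerbank.example' `
    -RouteMessageOutboundRequireTls $true

# Outbound connector: route mail for the partner via its MX records and require that the
# partner's TLS certificate is issued for the named domain (stronger than "encryption only").
New-OutboundConnector -Name 'To partner bank' `
    -ConnectorType Partner `
    -RecipientDomains 'partnerbank.example' `
    -UseMXRecord $true `
    -TlsSettings DomainValidation `
    -TlsDomain 'mail.partnerbank.example'

# Inbound connector: only accept mail from the partner domain over TLS, and only when the
# sending certificate carries the expected name.
New-InboundConnector -Name 'From partner bank' `
    -ConnectorType Partner `
    -SenderDomains 'partnerbank.example' `
    -RequireTls $true `
    -TlsSenderCertificateName 'mail.partnerbank.example'

# Variant from the text: a connector used only when a mail flow rule routes to it.
# Create the connector with -IsTransportRuleScoped $true and reference it from the rule:
# New-OutboundConnector -Name 'Rule-scoped partner connector' -ConnectorType Partner `
#     -RecipientDomains 'partnerbank.example' -UseMXRecord $true `
#     -TlsSettings DomainValidation -TlsDomain 'mail.partnerbank.example' -IsTransportRuleScoped $true
# New-TransportRule -Name 'Route partner mail via scoped connector' `
#     -RecipientDomainIs 'partnerbank.example' -RouteMessageOutboundConnector 'Rule-scoped partner connector'

# Review what was created.
Get-TransportRule | Where-Object { $_.Name -like 'OME*' -or $_.Name -like '*partner*' } |
    Format-List Name, State, Priority, Description
Get-OutboundConnector 'To partner bank' | Format-List Name, Enabled, TlsSettings, TlsDomain, RecipientDomains
Get-InboundConnector  'From partner bank' | Format-List Name, Enabled, RequireTls, TlsSenderCertificateName, SenderDomains
```

The Description property that Format-List shows is the plain-English rendering Exchange generates from the conditions and actions, which is the fastest way to confirm a rule reads the way it did in the Exchange Admin Center.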

This blog is supposed to be easily digestible bits of the larger picture, but in this case, just the overview is fairly intense and required a bit longer entry to really give the basic idea of using encryption in Office 365. Thanks for reading!

Office 365 Decisions: it’s only Email and SharePoint

Create an Office 365 tenant, synchronize active directory, migrate mail and sites and you’re all set, right?

This post was previously published here.

Create an Office 365 tenant, synchronize Active Directory, migrate mail and sites and you’re all set, right? While consulting in the Office 365 space I continue to encounter clients who are either misinformed or completely uninformed about the breadth of decisions that are required to implement this cloud solution. Office 365 is not a single decision (i.e. let’s move to the cloud), but rather a vast array of decisions, most of which affect not only your IT staff but your end users and budgets as well. At Centric Consulting, we ask all of the questions required to help our clients successfully implement a cloud solution like Office 365; some of those questions are listed below to show the diversity of topics an implementation effort of this scale requires.


Which Office 365 features are you planning to use?

Some of the available features that will require decisions are as follows:

  • Office current version
  • Exchange
  • Skype
  • SharePoint
  • Mobile Device and Application Management
  • Information Retention and Management
  • Azure Active Directory
  • Multi-factor authentication
  • External Sharing
  • Sway
  • Rights Management
  • Outlook Groups


Is your network prepared?

Does your network have the capacity to migrate existing mailboxes and identities to the cloud while continuing day-to-day business without performance issues? Will that still be the case when users begin to synchronize their OneDrives, too? Before you start migrating users, be certain your network is prepared by using Microsoft’s tools for Planning and Performance.


How will you manage identities?

In most cases Centric Consulting has found that companies are synchronizing their on-premises Active Directory, but is that enough? If users have to sign in multiple times they will not use the solution; be prepared for federation. Standard Azure Active Directory may not provide all the features you need for identity and security management. A third-party identity provider solution can also be used to federate with Office 365.


How will you manage mobile and application access?

We have also found that most of our clients cannot meet their company’s security requirements surrounding mobile device management using the default settings in Office 365. Look to Microsoft’s Enterprise Mobility Suite for enhanced mobile security features.


Who will support Office 365?

The most underestimated and under-planned-for category of decisions is around who will support what parts of the Office 365 platform. Read what administration roles are available at the platform level alone to get a better idea of this undertaking. Along with help desk, business analyst roles, developers and other subject matter experts the support organization will require retraining or repurposing of existing staff and/or new hires, some of whom are difficult to find.


How will your users learn?

Most companies discover the questions they forgot to answer when their users locate and begin to use features for which no one planned. To avoid shadow training and the hacks that users will find on their own, and to protect the security of the company’s data, plan for training: not once, but continuously. The Office 365 platform is more fluid than static, and changes identified by the support team can be passed on to the training team for dissemination to users.


How will you manage change?

As mentioned, Office 365 is in a nearly constant state of flux with platform updates anticipated quarterly and additional feature updates on varying schedules. Managing the Office 365 Roadmap and the administration console message center are a requirement along with a governing body. A governance or steering committee will review current policies and the need for new policies. This committee should meet on a regular basis and include stakeholders not only from IT but from the businesses as well. This is vital to the overall management of the platform as well as user satisfaction.


I will repeat that this is in no way a comprehensive list of questions, nor will it get you on your way to purchasing, configuring or supporting Office 365. Rather, this is meant to illustrate the breadth of questions that need to be answered and some of the topics that need to be discussed before deciding to make a leap into the cloud.