Welcome to 365 Admin - Office 365 Administration for Beginners



Office 365 Administration can be overwhelming for a beginner. The preparation and configuration of your admin PC can be a challenge if you aren't aware of what you need to install to manage the cloud effectively. Plus it is important to be aware of limitations in your browser when you are administering multiple Office 365 tenants.

There are multitudes of technical blogs for the advanced Office 365 administrator, but nothing focused on beginners. It is for this reason I have created this blog, to guide Office 365 Administrators through all the challenges that beginners will face.

Everything you need to become a competent Office 365 Administrator is here, all in one place.

My mission in this technical blog is to provide tips, tutorials and scripts to the professional IT community, with particular focus on helping newcomers with little real world experience in Office 365.

In this blog, I will be publishing Tutorials to help you quickly create powerful scripts to manage your environment, whether it is 5 users or 500,000 users. These tutorials also cover MFA (Multi-Factor Authentication) as well as Hybrid Office 365 environments.

This content will cater for various environments from small businesses with a cloud only presence to Enterprise hybrid environments managing hundreds of thousands of mailboxes.

I hope this blog helps on your journey into the world of Office 365.

Tutorials - by subject
*** Complete list of all my tutorials - Link
Hybrid Administration tutorials - Link
MFA (Multi-Factor Authentication) Tutorials - Link
Enterprise Management - Link

PowerShell Script Repository -
Microsoft TechNet Gallery - Link

PowerShell Script Downloads - 
All my PowerShell TechNet Downloads - Link

Linked-In - Link

About Me - Link

Complete list of all my tutorials



Configure your Administration PC or Server
- How to configure your desktop PC for Office 365 Administration - including MFA - Link
- How to configure Server 2012 R2 for Office 365 Administration - including MFA - Link
- How to configure your desktop PC for Hybrid Exchange - Office 365 - Azure Administration - Link

Connection Scripts
- How to connect to Office 365 and Azure via PowerShell - Link
- How to connect to Hybrid Exchange - Office 365 - Azure AD and Local AD via PowerShell - Link
- How to connect to Office 365 via PowerShell with MFA - Multi-Factor Authentication - Link

All Hybrid Administration Tutorials
- How to configure your desktop PC for Hybrid Exchange - Office 365 - Azure Administration - Link
- How to connect to Hybrid Exchange - Office 365 - Azure AD and Local AD via PowerShell - Link
- Hybrid Management - Part 01 - Creating local User mailboxes - Link
- Hybrid Management - Part 02 - Creating local Exchange Shared Mailboxes - Link
- Hybrid Management - Part 03 - Creating local Exchange Room and Equipment Mailboxes - Link
- Hybrid Management - Part 04 - Configure the Hybrid Connection Wizard - Link
- Hybrid Management - Part 05 - Individual mailbox moves via the EAC - Link
- Hybrid Management - Part 06 - Bulk mailbox moves via the EAC - Link
- Hybrid Management - Part 07 - Moving bulk mailboxes with PowerShell - Link
- Hybrid Management - Part 08 - Creating Office 365 User Mailboxes via PowerShell - Link
- Hybrid Management - Part 09 - Creating Office 365 Shared Mailboxes via PowerShell - Link
- Hybrid Management - Part 10 - Creating Office 365 Room and Equipment Mailboxes via PowerShell - Link

All Modern Authentication and MFA (Multi-Factor Authentication) Tutorials
- All my MFA Tutorials on one page - Link
- How to configure your desktop PC for Office 365 Administration - including MFA - Link
- How to configure Server 2012 R2 for Office 365 Administration - including MFA - Link
- How to enable MFA (Multi-Factor Authentication) for Office 365 administrators - Link
- How to connect to Office 365 via PowerShell with MFA - Multi-Factor Authentication - Link
- How to protect your Office 365 MFA admin account from cell phone SIM hijacking - Link
- MFA Support - PowerShell modules and resources for Office 365 - Link

Security
- How to protect your Office 365 MFA admin account from cell phone SIM hijacking - Link

Enterprise Management
How to manage Enterprise environments - Part 1 - Filtering queries - Link
How to manage Enterprise environments - Part 2 - Creating scripts with a filtered query - Link
How to manage Enterprise environments - Part 3 - Bulk management using multiple filters - Link

PowerShell
How to create basic PowerShell scripts - Link
How to create basic PowerShell scripts with Export-CSV - Link
How to create basic PowerShell scripts with Import-CSV - Link
PowerShell modules and resources for Office 365 - Link

Downloads -
All my PowerShell TechNet Downloads - Link

Tips and Tricks -
General Tips and Tricks for better Office 365 Administration - Link
How to extend your Office 365 Trial - Link
How to get a 180 day trial tenant in Office 365 for testing - Link
PowerShell modules and resources for Office 365 - Link

How to get a 180 day trial tenant in Office 365 for testing



30 day trials just aren't long enough, especially if you are testing a Hybrid configuration.

One of the biggest frustrations for Office 365 Administrators who are trying to learn this awesome technology is that trial tenants expire after 30 days. This is annoying if you have a cloud-only trial environment, but what if you are testing a local/Hybrid Exchange environment that has taken weeks to configure? It is simply too much effort to create a new trial E3 tenant from scratch, remove your domain from the expired tenant, configure the new tenant with domains, users and data, and re-run the Hybrid Connection Wizard, just to continue testing after the initial 30 day trial.

----- What if I told you that you could get a 180 day free trial on Office 365 -----

Most people know that you can extend your existing Office 365 E3 trial for another 30 days, but did you know you can further extend your existing test environment by assigning an E5 trial, and then extending that? This would give you a total of 120 days of testing. After that, you can assign an Office 365 Business Premium trial license and extend that as well, giving you a total of 180 days of free testing.

By utilising the three Office 365 trials with Exchange Online and extending them, you will get a total of 180 days of free Exchange Online testing.

So how does this work in the real world?

My original 30 day E3 trial expired just over a month ago, and I extended it for another 30 days, using this process.
How to extend your Office 365 Trial - Link

The extended period has just expired as well. Rather than get all upset about having to recreate a new tenant and deprovision the old tenant, I started investigating to see if I was able to assign a trial E5 license to my about to expire (extended) E3 license. And it worked !!!

I am now in my third month of my Office 365 trial. I have spent countless hours over the last three months creating and configuring an Office 365 Hybrid test environment, and it is reassuring to know that I do not need to deprovision my old tenant and create a new one to keep testing.

Follow the processes below to create and extend your Office 365 tenant for a total of six months -

--------------------------------------------------------------------------------------------

Sign up and create your tenant with an E3 license if you haven't already done it -

The first thing we need to do is sign up for a standard Office 365 E3 trial. Browse to this web page -
Office 365 Enterprise E3 Trial - Link - and sign up for your E3 trial.
Fill in your personal details making sure that you enter your valid email and international mobile number.

At the Create your user ID page, select your username and tenant name. Note that your tenant name must be unique and cannot be changed once created.

Use your mobile for verification, and voila - You have just created a test tenant with an Office 365 E3 subscription.

Once you log into the Office 365 portal, go to Billing - Subscriptions -

You will see that you have an active Office 365 Enterprise E3 trial with 25 licenses available.

------------------------------------------------------------------------------

At the end of your 30 day trial (Enterprise E3) - Extend your trial
How to extend your Office 365 Trial - Link

------------------------------------------------------------------------------

At the end of trial extension - Add a new subscription for a different 30 day trial
- Note that you can actually mix Business Premium Trial and Enterprise E3 Trial
- In the steps below, I am adding an Enterprise E5 trial

To add a new subscription, click on - Add Subscriptions -

You will now be able to add extra subscriptions.

Under the Purchase Services - Enterprise Suite - Highlight Office 365 Enterprise E5 - Start Free Trial

Under Checkout - Confirm your order - Click 'Try Now'

Continue -

Assign your new licences to your existing users and you will extend the subscription by 30 days.

------------------------------------------------------------------------------

At the end of your second 30 day trial (Small Business Suite) - Extend your trial
How to extend your Office 365 Trial - Link

------------------------------------------------------------------------------

At the end of your second trial extension - Add a new subscription for a different 30 day trial
- Note that you can actually mix Business Premium Trial and Enterprise E3 Trial
- In the steps below, I am adding a Business Premium Trial

To add your new subscription, click on -
Billing - Subscriptions -

Add Subscriptions -

Under the Purchase Services - Scroll down to - Small Business Suite - Office 365 Business Premium
- Start Free Trial

Under Checkout - Confirm your order - Click 'Try Now'

Continue -

Assign your new licences to your existing users and you will extend the subscription by 30 days.

------------------------------------------------------------------------------------------

At the end of your third 30 day trial (Business Premium) - Extend your trial
How to extend your Office 365 Trial - Link

-------------------------------------------------------------------------------------------

In my testing I have confirmed that even though the Business Premium trial licenses are Exchange Plan 1 (whereas the E3 and E5 trials are Exchange Plan 2), I had no issues with my Hybrid environment. You will however lose the Exchange Plan 2 features when switching to Business Premium (eDiscovery, Litigation Hold etc.), so make sure you complete your Exchange Plan 2 testing before switching to the Business Premium trial licenses.

-------------------------------------------------------------------------------------------

Extra info -
Here are the direct links to all the available Office 365 Trials

Office 365 Enterprise E3 Trial - Link
Office 365 Enterprise E5 Trial - Link
Office 365 Business Premium Trial - Link

-------------------------------------------------------------------------------------------

Update - 15 May 2017 - Now extended to cover my sixth month
My fifth month of using the Office 365 trials with extensions has now finished. I have now confirmed I can extend my third trial to give me a full 180 day trial.

As the third trial was for an E5 license, I can extend the trial as before.

Under my Subscriptions you can see that the E5 trial has expired and is now in Reduced Functionality mode -

To extend the trial, I click on Billing - Purchase Services
Select the appropriate service (E5), Extend trial.

Select - Next

Select your credit card (no payment will be charged)

Extend trial -

Your trial will now be extended.

The Purchase Services page will update to show that the trial has been extended with a new expiry date.

-------------------------------------------------------------------------------------------

Congratulations !!!
You have now extended your Office 365 trial for the full 180 days.

-------------------------------------------------------------------------------------------

Basic PowerShell Tutorials
01. How to configure your desktop PC for Office 365 Administration - Link
02. How to connect to Office 365 via PowerShell - Link
03. How to create basic PowerShell scripts - Link
04. How to create basic PowerShell scripts with Export-CSV - Link
05. How to create basic PowerShell scripts with Import-CSV - Link

Series Tutorials -
How to manage Enterprise environments - Part 1 - Filtering queries - Link
How to manage Enterprise environments - Part 2 - Creating scripts with a filtered query - Link
How to manage Enterprise environments - Part 3 - Bulk management using multiple filters - Link

Tips and Tricks
General Tips and Tricks for better Office 365 Administration - Link
How to extend your Office 365 Trial - Link
How to get a 180 day trial tenant in Office 365 for testing - Link

--------------------------------------------------------------------------------------------

All Hybrid Management and Administration Tutorials

Hybrid Management Pre-requisites
- How to configure your desktop PC for Hybrid Exchange - Office 365 - Azure Administration - Link
- How to connect to Hybrid Exchange - Office 365 - Azure AD and Local AD via PowerShell - Link

Hybrid Management and Administration -
- Hybrid Management - Part 01 - Creating local User mailboxes - Link
- Hybrid Management - Part 02 - Creating local Exchange Shared Mailboxes - Link
- Hybrid Management - Part 03 - Creating local Exchange Room and Equipment Mailboxes - Link
- Hybrid Management - Part 04 - Configure the Hybrid Connection Wizard - Link
- Hybrid Management - Part 05 - Individual mailbox moves via the EAC - Link
- Hybrid Management - Part 06 - Bulk mailbox moves via the EAC - Link
- Hybrid Management - Part 07 - Moving bulk mailboxes with PowerShell - Link
- Hybrid Management - Part 08 - Creating Office 365 User Mailboxes via PowerShell - Link
- Hybrid Management - Part 09 - Creating Office 365 Shared Mailboxes via PowerShell - Link
- Hybrid Management - Part 10 - Creating Office 365 Room and Equipment Mailboxes via PowerShell - Link

How to protect your Office 365 MFA admin account from cell phone SIM hijacking


Introduction

Hackers are actively attacking Office 365 administrator accounts. With the default MFA configuration, password reset requests are authenticated via your cell phone (SMS or phone call), but the code is actually sent to your SIM. If a hacker has hijacked your SIM, they can also reset your password and gain access to Office 365.

This tutorial will step you through how to configure your Office 365 MFA settings so that you are no longer exposed to the risk of having your SIM hijacked, or of your authentication phone being unavailable to receive the codes.

Before I explain SIM hijacking and how to protect your accounts, I strongly recommend that you first work through my previous MFA (Multi-Factor Authentication) tutorials -

Modern Authentication and Multi-Factor Authentication -
- How to configure your desktop PC for Office 365 Administration - including MFA - Link
- How to configure Server 2012 R2 for Office 365 Administration - including MFA - Link
- How to connect to Office 365 via PowerShell with MFA - Multi-Factor Authentication - Link
- MFA Support - PowerShell modules and resources for Office 365 - Link

MFA (Multi-Factor Authentication) Pre-requisites
- How to enable MFA (Multi-Factor Authentication) for Office 365 administrators - Link

Download my Office 365 PowerShell Connection script that supports MFA
Now with a user friendly GUI - Link

=============================================================

So what is SIM Hijacking?

SIM Hijacking - Quote from - Link
"The problem, of course, is that SMS codes aren't actually sent to your phone. They're sent to the phone in which the SIM card registered to your number is installed.

So, if your SIM has been cancelled, and a new one issued to someone else, the SMS codes no longer go to you.

Even if you had a strong passcode on your own phone, or a PIN code on your SIM, all bets are off. The crooks simply put the new SIM (for which they get to choose the PIN code, if any) into a phone of their own (for which they get to choose the passcode, if any)."

Read the SIM Hijacking Stories below to get a better understanding of how hackers are using social engineering to get your cell number associated with a new SIM that they possess.


SIM Hijacking Stories -
- Your Privacy is at risk - Link - YouTube video (Language Warning)
- Twitter Activist SIM hijacking - Link
- Indian two-factor authentication fraudsters busted by Delhi cops - Link
- Keeping text message multi-factor authentication secure - Link

==============================================================

So what are the default settings for MFA enabled accounts?

If you have accepted the default MFA settings (your mobile phone receives phone calls for authentication), you are at risk from SIM hijacking. The same risk applies if you have selected the option to receive the authentication code via SMS to your cell phone.

For this tutorial, I have created a new Office 365 admin account -
admin-mfa-txt@hybrid0617.onmicrosoft.com - and then enabled MFA on that account.

At the initial login as that user, you will be prompted to set up MFA - Click "Set it up now"

You will then be presented with three options when selecting the drop down box -
- Authentication Phone
- Office Phone
- Mobile App

The default settings will be - Authentication Phone and Call me.
For this tutorial, I will accept the default and enter my mobile phone number and country, and the "call me" option.
I then receive a phone call which instructs me to press the 'pound' key.
Once done, my authentication phone is registered.
Click - 'Done'.

Next I will confirm that MFA has been configured on my account.

I log in to the portal and enter my username and password. Microsoft will call my mobile phone and I press the 'pound' key. I am then granted access.

As you can see, MFA works fine with the default settings, and you are protected as a hacker must have access to your phone to receive authentication codes. This seems fine until you review how Office 365 processes a request to reset a password.

==============================================================

So what is the process for password resets with MFA enabled admin accounts?

The process for password resets starts when you (or a hacker) click on 'Can't access your account?' on the portal page.

You (or the hacker) will be taken to the password reset page.
Enter the UserId, the captcha code, and click next -



The only options for password reset are to text or call the mobile phone.

Once you authenticate via the mobile phone call or text, you will be able to choose a new password.
If a hacker has hijacked your SIM, they will be able to authenticate and choose a new password.

The password will then be reset.

You (or the hacker) have now successfully reset your password.

Note that if a hacker has hijacked your SIM by the process described in the SIM Hijacking Stories, the hacker can follow the process above and reset the password, as the authentication code is sent to the SIM. The hacker has now taken over your account and has the same access that your Admin account has. If your Admin account is a Global Admin, then the hacker can now do whatever they want to.

The first you will know about this is when your cell phone goes offline, and while you are investigating why this happened, the hacker has full control and will be accessing your confidential data and creating back doors to the Organization.

==========================================================

So how do I protect my Admin accounts from SIM hijacking?

There are two steps to protecting your Admin accounts from SIM hijacking.
- Setting your default authentication to 'Verification code via app'
- Removing the option for phone authentication and enabling Office phone authentication instead.

To protect against SIM hijacking you need to change your authentication process from being cell phone based (SIM) to being application based (using the Microsoft Authenticator app).

Configure your Security Verification Options -
Log in to your apps portal - https://myapps.microsoft.com - Authenticate if needed

In the Apps Portal - click your Profile (person icon) - then select - Profile

Select - Additional security verification

You will now see the current configuration for your account.
As this account was configured with default settings, it is currently set to
- Call my authentication phone

To edit your verification options, click the drop down arrow and change from 'Call my authentication phone' to 'Use verification code from app'.

A red message appears advising that you must enable and configure this option.

Tick - Authenticator App
Click - Configure

The Configure mobile app screen will start to load.

The Configure mobile app screen will change and display the steps on how to configure the mobile app.

Search for and install the 'Microsoft Authenticator' app on your mobile device.
- Google Play Store - Link
- Apple Store - Link

The steps below are from the Google Play Store app -
In the app, add an account and choose "Work or school account"
Scan the QR image.

The Microsoft Authenticator app will automatically add that account.
Click 'Next' on the Configure mobile app screen in the MyApps Portal

The Authenticator app will then be configured.

There is one more very important step to perform to protect your cell phone from SIM hijacking.
You will need to untick your Authentication phone setting and change to Office Phone.

Enter the details of your Office phone (or just some random numbers if you want).
It doesn't really matter what numbers are here. We are just changing the option to Office phone, as your configuration MUST have a phone number, and we don't want that number to be your mobile. Whatever number you enter is still registered as a secondary voice method (it shows up as TwoWayVoiceOffice in the script output later in this tutorial), so a landline you control is the safer choice.

Once we have configured the verification app and changed the Authentication phone to Office phone, we can click Save.

You will then be prompted to verify due to the change of preferred option.
Click - Verify preferred option

Open the Microsoft Authenticator app on your phone or device and enter the verification code in the box displayed.

Once verified, you will be advised that the update was successful.
Click - Close

You have now successfully changed your verification process.

Now sign out of the portal and sign back in to confirm that the process has changed to support the verification via app.

When signing in to the portal, the authentication process will now be changed and advise that it is using the verification code from your mobile app. Sign in to confirm the process works.



Excellent. We have now configured the Office 365 MFA admin account correctly.

==========================================================

So what happens when a hacker with my SIM tries to reset my password after this change?

As before, the process for password resets starts when the hacker clicks on 'Can't access your account?' on the portal page.

The hacker will be taken to the password reset page.
Enter the UserId, the captcha code, and click next -



Even after the configuration change, the only options are to text or call the mobile phone.

If the hacker has hijacked your SIM, they can authenticate via the mobile phone call or text.
*** The hacker will be able to choose a new password. ***

Your password will then be reset.

*** The hacker has now successfully reset the password ***

If the hijacker has reset your password, they will still be unable to log into your account, as they will need the verification code from the mobile app, which is not tied to your SIM.



But what happens if they try to 'Use a different verification option'?

The hacker will then be presented with the options below.
But as we have set up the Office phone option and removed the mobile phone option (which is tied to your SIM), the hacker will not be able to log in.

By changing the two settings in your authentication process, you are able to protect your MFA enabled admin account from SIM hijacking.

As you can see, if a hacker hijacks your SIM, they can still cause havoc by changing your password, but they can't actually log in due to the way we have configured your account.

===========================================================

Awesome... 
So is there a way to check if my Admin accounts are configured correctly?

Yes. I have created a basic script that can be used to determine, firstly, which accounts are configured for MFA and, secondly, whether they are configured with the verification app and Office phone authentication.

Before running this script, I have deleted my previous MFA enabled admin accounts and created three new MFA enabled admin accounts with the following authentication settings.

admin-mfa-default
- Default authentication settings - Phone call to cell

admin-mfa-app-cell
- Authentication settings changed to Microsoft Authenticator app and cell phone

admin-mfa-app-office
- Authentication settings changed to Microsoft Authenticator app and Office phone


Note, before running these PowerShell scripts - 
Use the tutorials mentioned at the start of this tutorial if you have not configured your admin machine for PowerShell administration. -


Script to determine which accounts are configured for MFA -

Connect to Azure AD v1 (see tutorial links above)

Run the following script to determine which accounts are configured for MFA -


# Requires the MSOnline module and an active Connect-MsolService session (Azure AD v1)
$OutFile = "C:\Scripts\MFA-Users-And-Configuration.csv"

# -All avoids the default 500-user page limit; users with no registered MFA method are skipped
Get-MsolUser -All | Where-Object { $_.StrongAuthenticationMethods -ne $null } | ForEach-Object {
    $UPN = $_.UserPrincipalName
    # One CSV row per registered method, so the default and every secondary method is listed
    ForEach ($entry in $_.StrongAuthenticationMethods) {
        $Data = New-Object PSObject
        $Data | Add-Member -MemberType NoteProperty -Name UserPrincipalName -Value $UPN
        $Data | Add-Member -MemberType NoteProperty -Name Default -Value $entry.IsDefault
        $Data | Add-Member -MemberType NoteProperty -Name MethodType -Value $entry.MethodType
        $Data | Export-Csv -NoTypeInformation -Append -Path $OutFile
    }
}


The CSV results will look similar to the following.

The only account that is correctly configured (as per this article) and protected against SIM hijacking is the account mfa-app-office. Notice the keywords 'PhoneApp' and 'Office' in the MethodType column, confirming the correct configuration.

This account uses the PhoneAppOTP as the default authentication, as well as only using PhoneAppNotification and TwoWayVoiceOffice as secondary authentication.

===========================================================

Any mention of Mobile or SMS in the MethodType column confirms that the account is at risk of SIM hijacking, because the authentication codes are sent to the cell phone's underlying SIM.

The account - mfa-default - uses TwoWayVoiceMobile as the default authentication and OneWaySMS for secondary authentication.
This account is not protected against SIM hijacking.

The account - mfa-app-cell - uses PhoneAppOTP as the default authentication, which is correct. However, it also uses OneWaySMS and TwoWayVoiceMobile for secondary authentication.
This account is not protected against SIM hijacking.

Only the account - mfa-app-office - is protected against SIM hijacking.
This account uses PhoneAppOTP as the default authentication, and only PhoneAppNotification and TwoWayVoiceOffice as secondary authentication.
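The check described in the two passages above (reading the MethodType column from the CSV, and the breakdown of the three test accounts) can be automated rather than done by eye. The following PowerShell is an added example and not one of the blog's own scripts. The function name Test-SimHijackExposure and the sample data are my own; the sample accounts are constructed to mirror the three accounts described in this tutorial, and the commented live-tenant path assumes the same MSOnline module (Connect-MsolService / Get-MsolUser) used by the script above.

```powershell
# Added example (not one of the blog's scripts): classify MFA-enabled accounts by SIM-hijacking
# exposure using the rule from this tutorial - any MethodType containing 'SMS' or 'Mobile' is
# delivered to the cell number, i.e. to the SIM. Function name and sample data are my own.

function Test-SimHijackExposure {
    param(
        [Parameter(Mandatory = $true)][string]$UserPrincipalName,
        # Objects with MethodType and IsDefault, the shape of (Get-MsolUser).StrongAuthenticationMethods
        [Parameter(Mandatory = $true)][AllowEmptyCollection()][object[]]$Methods
    )
    $SimBound = @($Methods | Where-Object { $_.MethodType -match 'SMS|Mobile' } | ForEach-Object { $_.MethodType })
    $Default  = @($Methods | Where-Object { $_.IsDefault } | ForEach-Object { $_.MethodType }) -join ';'

    [PSCustomObject]@{
        UserPrincipalName = $UserPrincipalName
        DefaultMethod     = $Default
        DefaultIsApp      = ($Default -like 'PhoneApp*')   # 'Use verification code from app' or app notification
        SimBoundMethods   = ($SimBound -join ';')
        Protected         = ($SimBound.Count -eq 0)        # nothing is delivered to the mobile number
    }
}

# Constructed sample data mirroring the three test accounts described above (not real tenant output)
$Tenant = 'hybrid0617.onmicrosoft.com'
$SampleAccounts = [ordered]@{
    "admin-mfa-default@$Tenant"    = @(
        [PSCustomObject]@{ MethodType = 'TwoWayVoiceMobile';    IsDefault = $true  }
        [PSCustomObject]@{ MethodType = 'OneWaySMS';            IsDefault = $false }
    )
    "admin-mfa-app-cell@$Tenant"   = @(
        [PSCustomObject]@{ MethodType = 'PhoneAppOTP';          IsDefault = $true  }
        [PSCustomObject]@{ MethodType = 'OneWaySMS';            IsDefault = $false }
        [PSCustomObject]@{ MethodType = 'TwoWayVoiceMobile';    IsDefault = $false }
    )
    "admin-mfa-app-office@$Tenant" = @(
        [PSCustomObject]@{ MethodType = 'PhoneAppOTP';          IsDefault = $true  }
        [PSCustomObject]@{ MethodType = 'PhoneAppNotification'; IsDefault = $false }
        [PSCustomObject]@{ MethodType = 'TwoWayVoiceOffice';    IsDefault = $false }
    )
}

$Report = foreach ($upn in $SampleAccounts.Keys) {
    Test-SimHijackExposure -UserPrincipalName $upn -Methods $SampleAccounts[$upn]
}
$Report | Format-Table -AutoSize

# Live tenant (after Connect-MsolService, Azure AD v1 as in the tutorial above):
# Get-MsolUser -All | Where-Object { $_.StrongAuthenticationMethods } | ForEach-Object {
#     Test-SimHijackExposure -UserPrincipalName $_.UserPrincipalName -Methods $_.StrongAuthenticationMethods
# } | Where-Object { -not $_.Protected } | Export-Csv -NoTypeInformation -Path 'C:\Scripts\MFA-SIM-Exposed.csv'
```

With the sample data, only admin-mfa-app-office reports Protected as True; the other two list OneWaySMS and TwoWayVoiceMobile under SimBoundMethods, which is exactly what the manual CSV review above flags. The function deliberately treats any SIM-bound secondary method as a failure even when the default is the app, since the password reset flow shown earlier offers text or call regardless of the default.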



============================================================

Congratulations.
You now know how to configure your Office 365 Admin accounts to protect against SIM hijacking.

===========================================================

A LOT of research has gone into this tutorial, so I have decided to include the resources links below for you if you would like more information.

Resources -
Available versions of Azure MFA - Link
Security Best Practices for using Azure Multi-Factor Authentication with Azure AD accounts - Link
Securing Office 365 Administrator Accounts with Multi-Factor Authentication - Link
MFA options with Azure AD plans - Link
Configure Azure Multi-Factor Authentication settings - Link
How Azure Multi-Factor Authentication works (Methods available) - Link
Use PowerShell to report on individuals MFA configuration (phone number etc) - Link
Multi-Factor Authentication (MFA) Setup and End-User Experience with Office 365 and PowerShell - Link
Active Directory conditional access device policies for Office 365 services - Link
Getting started with Azure Multi-Factor Authentication in the cloud - Link
Azure Multi-Factor Authentication features per license and implementation - Link
First Steps: Securing Office 365 Administrator Accounts with Multi-Factor Authentication - Link