1. Logon

  • Browse to https://entra.microsoft.com.

  • System Admin: Log in as Microsoft 365 - BHF IT Admin with the bhf@tbhf.onmicrosoft.com email account.

  • IT Helpdesk: Log in as Microsoft 365 - BHF IT Helpdesk with the bhf-it@bhf-th.org email account.

2. Information

3. Users

3.1. Add Guest User

  • Select More services.

  • Select Identity | Microsoft Entra ID.

  • Select Users in Manage section.

  • Select All users (preview).

  • Select New user > Invite external user.

  • Choose Invite user for Select template.

  • Type the first name and last name in the Name field.

  • Type the email address in the Email address field.

  • Type the first name in the First name field.

  • Type the last name in the Last name field.

  • Click Invite.

  • Log out from Azure Portal.

  • Close Browser.

4. Add Thai VAT registration number

  • Select More services.

  • Select General | Cost Management + Billing.

  • Click bhf@tbhf.onmicrosoft.com.

  • Select Properties.

  • Click Manage Tax IDs.

  • Check Please confirm you are an authorized purchaser for a VAT registered entity.

  • Type 0993000390563 in the VAT ID field.

  • Click Save.

  • Log out from Azure Portal.

  • Close Browser.

5. Email pop-ups (show option to remain signed in)

  • Select More services.

  • Select Identity | Microsoft Entra ID.

  • Select Company branding under Manage.

  • Select Default.

  • Select No for Show option to remain signed in.

  • Click Save.

  • Log out from Azure Portal.

  • Close Browser.

6. Security

6.1. Trusted Locations

  • Select More services.

  • Select Identity | Azure AD Security.

  • Select Manage > Named locations.

  • Click New location.

  • Type SMRU in Name field.

  • Choose IP ranges.

  • Check Mark as trusted location.

  • Type 110.77.148.10/24 in IP ranges field.

  • Click Create.
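The same named location built with Microsoft Graph PowerShell, added here as an example rather than a step from this runbook. It normalises the range first: 110.77.148.10/24 has host bits set, and the network that /24 denotes is 110.77.148.0/24. It assumes the Microsoft.Graph module is installed and the signed-in admin can consent to Policy.ReadWrite.ConditionalAccess.

```powershell
# Added example (not the runbook's own code): create the SMRU trusted named
# location via Microsoft Graph. Assumes Microsoft.Graph is installed.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Clear the host bits of an IPv4 CIDR so the stored range is the network address.
function ConvertTo-NetworkCidr {
    param([Parameter(Mandatory)][string]$Cidr)
    if ($Cidr -notmatch '^[\d.]+/\d+$') { throw "Expected a.b.c.d/n, got '$Cidr'" }
    $ip, $prefix = $Cidr.Split('/')
    $prefix = [int]$prefix
    if ($prefix -gt 32) { throw "Invalid prefix length in $Cidr" }
    $bytes = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
    if ($bytes.Length -ne 4) { throw "Only IPv4 is handled here: $Cidr" }
    $netBytes = for ($i = 0; $i -lt 4; $i++) {
        # Number of network bits that fall in this octet (0..8).
        $bits = [math]::Max(0, [math]::Min(8, $prefix - 8 * $i))
        $mask = [int](256 - [math]::Pow(2, 8 - $bits))
        [byte]($bytes[$i] -band $mask)
    }
    "$([System.Net.IPAddress]::new([byte[]]$netBytes))/$prefix"
}

$range = ConvertTo-NetworkCidr "110.77.148.10/24"   # 110.77.148.0/24

$params = @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "SMRU"
    isTrusted     = $true                       # "Mark as trusted location"
    ipRanges      = @(
        @{
            "@odata.type" = "#microsoft.graph.iPv4CidrRange"
            cidrAddress   = $range
        }
    )
}
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter $params
"Named location '{0}' created with id {1}" -f $location.DisplayName, $location.Id
```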

7. Policies

7.1. MFA

  • Select Protection | Conditional Access.

  • Select Policies.

  • Click New policy.

  • Type SMRU: MFA in Name field.

  • Select Assignments > Users and groups.

  • Select Include.

  • Choose Select users and groups.

  • Check Users and groups.

  • Select Select.

  • Select <User> or <Group>.

  • Click Select.

  • Click Exclude.

  • Check Directory roles.

  • Select Select.

  • Check Global administrator.

  • Click Select.

  • Select Assignments > Cloud apps or actions.

  • Choose All cloud apps.

  • Select Assignments > Conditions.

  • Select Locations.

  • Click Yes.

  • Select Include.

  • Choose Any location.

  • Select Exclude.

  • Choose All trusted locations.

  • Select Client apps (Preview).

  • Click Yes to enable.

  • Check Browser.

  • Check Mobile apps and desktop clients.

  • Check Modern authentication clients.

  • Check Exchange ActiveSync clients.

  • Uncheck Apply policy only to supported platforms.

  • Check Other clients (this includes POP, IMAP, SMTP and Office 2010).

  • Click Done.

  • Select Access controls > Grant.

  • Choose Grant access.

  • Check Require multi-factor authentication.

  • Uncheck Require device to be marked as compliant.

  • Uncheck Require Hybrid Azure AD joined device.

  • Uncheck Require approved client app.

  • Uncheck Require app protection policy (Preview).

  • Choose Require all the selected controls.

  • Click Select.

  • Select Enable policy > On.

  • Click Create.

7.2. Block Legacy Authentication

  • Select Protection | Conditional Access.

  • Select Policies.

  • Click New policy.

  • Type SMRU: Block Legacy Authentication in Name field.

  • Select Assignments > Users.

  • Select Include.

  • Choose Select users and groups.

  • Check Users and groups.

  • Select Select.

  • Select All Users.

  • Click Select.

  • Click Exclude.

  • Check Directory roles.

  • Select Select.

  • Check Global administrator.

  • Click Select.

  • Check Users and groups.

  • Select the following 16 users.

    inventory@shoklo-unit.com
    postmaster@shoklo-unit.com
    powershell@shoklo-unit.com
    tbhf-anc-mrm@shoklo-unit.com
    smru-sfw-hph@shoklo-unit.com
    smru-sfw-mkt@shoklo-unit.com
    smru-sfw-mku@shoklo-unit.com
    smru-sfw-mla@shoklo-unit.com
    smru-sfw-mrh@shoklo-unit.com
    smru-sfw-mrm@shoklo-unit.com
    smru-sfw-msl@shoklo-unit.com
    smru-sfw-skk@shoklo-unit.com
    smru-sfw-tst@shoklo-unit.com
    smru-sfw-wpa@shoklo-unit.com
    relay@shoklo-unit.com
    root@shoklo-unit.com
  • Click Select.

  • Select Assignments > Cloud apps or actions.

  • Choose None.

  • Select Assignments > Conditions.

  • Select Locations.

  • Click Yes.

  • Select Include.

  • Choose Any location.

  • Select Client apps.

  • Uncheck Browser.

  • Uncheck Mobile apps and desktop clients.

  • Uncheck Exchange ActiveSync clients.

  • Check Other clients.

  • Click Done.

  • Select Access controls > Grant.

  • Choose Block access.

  • Uncheck Require multi-factor authentication.

  • Uncheck Require device to be marked as compliant.

  • Uncheck Require Hybrid Azure AD joined device.

  • Uncheck Require approved client app.

  • Uncheck Require app protection policy.

  • Choose Require all the selected controls.

  • Click Select.

  • Select Enable policy > On.

  • Click Create.
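The policy from section 7.2 as a Microsoft Graph PowerShell script, added here as an example and not part of the original runbook; it is created in report-only mode so the sign-in logs show what it would block before it is switched on. It assumes the Microsoft.Graph module is installed, the admin can consent to the listed scopes, and, because Graph requires an application target where the steps above choose None, that the policy targets all cloud apps.

```powershell
# Added example (not the runbook's own code): create "SMRU: Block Legacy
# Authentication" via Microsoft Graph, in report-only mode first.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess", "Application.Read.All", "User.Read.All"

# Well-known directory role template ID for Global Administrator (excluded, as in 7.2).
$GlobalAdminRoleId = "62e90394-69f5-4237-9190-012177145e10"

# The 16 service accounts excluded in section 7.2.
$ExcludedUpns = @(
    "inventory@shoklo-unit.com",    "postmaster@shoklo-unit.com",   "powershell@shoklo-unit.com",
    "tbhf-anc-mrm@shoklo-unit.com", "smru-sfw-hph@shoklo-unit.com", "smru-sfw-mkt@shoklo-unit.com",
    "smru-sfw-mku@shoklo-unit.com", "smru-sfw-mla@shoklo-unit.com", "smru-sfw-mrh@shoklo-unit.com",
    "smru-sfw-mrm@shoklo-unit.com", "smru-sfw-msl@shoklo-unit.com", "smru-sfw-skk@shoklo-unit.com",
    "smru-sfw-tst@shoklo-unit.com", "smru-sfw-wpa@shoklo-unit.com", "relay@shoklo-unit.com",
    "root@shoklo-unit.com"
)

# Conditional Access stores object IDs, not UPNs. -ErrorAction Stop makes a typo in
# the list abort the run instead of silently excluding nobody.
$ExcludedIds = foreach ($upn in $ExcludedUpns) {
    (Get-MgUser -UserId $upn -Property Id -ErrorAction Stop).Id
}

$policy = @{
    displayName = "SMRU: Block Legacy Authentication"
    # Report-only: evaluated and logged, not enforced. Change to "enabled" after review.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = @($ExcludedIds)
            excludeRoles = @($GlobalAdminRoleId)
        }
        # Assumption: Graph needs an application target, so all cloud apps are used here.
        applications   = @{ includeApplications = @("All") }
        locations      = @{ includeLocations = @("All") }
        # Section 7.2 selects "Other clients" only; Microsoft's own legacy-auth
        # template also adds "exchangeActiveSync".
        clientAppTypes = @("other")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"{0} created with id {1}, state {2}" -f $created.DisplayName, $created.Id, $created.State
```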

7.3. Sign-in Frequency

  • Select Protection | Conditional Access.

  • Select Policies.

  • Click New policy.

  • Type SMRU: Sign-in Frequency in Name field.

  • Select Assignments > Users and groups.

  • Select Include.

  • Choose Select users and groups.

  • Check Users and groups.

  • Select the following user(s).

    kevin@bhf-th.org
    rose@shoklo-unit.com
  • Click Select.

  • Select Assignments > Cloud apps or actions.

  • Select Cloud apps.

  • Select Include.

  • Choose All cloud apps.

  • Select Access controls > Session.

  • Check only Persistent browser session.

  • Select Always persistent for the Persistent browser session.

  • Click Select.

  • Select Enable policy > On.

  • Click Create.

8. Identify Legacy Authentication Use

  • Select More services.

  • Select Identity | Microsoft Entra ID.

  • Select Monitoring | Sign-in logs.

  • Click Columns.

  • Check Client app.

  • Click Ok.
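A Microsoft Graph PowerShell report of who still signs in with legacy protocols over the last 30 days, added as an example (not from the original runbook) to complement the Client app column above. It assumes Microsoft.Graph is installed and the admin can consent to AuditLog.Read.All and Directory.Read.All; the client app names are those Entra reports for legacy protocols.

```powershell
# Added example (not the runbook's own code): summarise legacy-authentication
# sign-ins per user from the Entra sign-in logs. Assumes Microsoft.Graph is installed.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

# Client app values Entra reports for legacy (basic) authentication. The Conditional
# Access "Other clients" condition covers these protocols.
$LegacyClientApps = @(
    "Authenticated SMTP", "AutoDiscover", "Exchange ActiveSync", "Exchange Online PowerShell",
    "Exchange Web Services", "IMAP4", "MAPI Over HTTP", "Offline Address Book",
    "Outlook Anywhere (RPC over HTTP)", "Outlook Service", "POP3", "Reporting Web Services",
    "Other clients"
)

# Filter server-side per client app; pulling every sign-in and filtering locally is far slower.
$Since = (Get-Date).AddDays(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$SignIns = foreach ($app in $LegacyClientApps) {
    Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $Since and clientAppUsed eq '$app'"
}

# One row per user and protocol, with success count and last source IP. Failed legacy
# sign-ins are kept too: password spraying over IMAP/SMTP shows up here before it succeeds.
$Summary = $SignIns |
    Group-Object UserPrincipalName, ClientAppUsed |
    ForEach-Object {
        $last = ($_.Group | Sort-Object CreatedDateTime -Descending)[0]
        [pscustomobject]@{
            UserPrincipalName = $_.Group[0].UserPrincipalName
            ClientApp         = $_.Group[0].ClientAppUsed
            SignIns           = $_.Count
            Succeeded         = @($_.Group | Where-Object { $_.Status.ErrorCode -eq 0 }).Count
            LastSeen          = $last.CreatedDateTime
            LastIP            = $last.IPAddress
        }
    } | Sort-Object SignIns -Descending

$Summary | Format-Table -AutoSize
$Summary | Export-Csv -NoTypeInformation -Encoding UTF8 C:\Tmp\LegacyAuth.csv
```

Accounts that appear here are the ones the section 7.2 block policy would lock out, so review them before switching that policy from report-only to enabled.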

9. Powershell

9.1. Status

CLI ~ PowerShell
  • Enter the following commands at a PowerShell Command Prompt.

    # Register PSGallery as a trusted package source (first use only).
    Register-PackageSource -ErrorAction SilentlyContinue -Name PSGallery -ProviderName PowerShellGet -Trusted
    
    # Install the MSOnline module (first use only). The Graph version under
    # "New CLI" below is the replacement for this legacy module.
    Install-Module -Force -Name MSOnline
    
    # Add the MSOnline module to the PowerShell session.
    Import-Module MSOnline
    
    # Log in with the Microsoft 365 admin account.
    Connect-MsolService
    
    # Member users only; guest accounts are not managed here.
    $Users = Get-MsolUser -All | Where-Object { $_.UserType -ne "Guest" }
    $Report     = [System.Collections.Generic.List[Object]]::new() # All users
    $NotMFAUser = [System.Collections.Generic.List[Object]]::new() # MFA disabled
    $MFANotUsed = [System.Collections.Generic.List[Object]]::new() # MFA enabled but no method registered
    ForEach ($User in $Users) {
        $MFAEnforced      = $User.StrongAuthenticationRequirements.State
        $MFAPhone         = $User.StrongAuthenticationUserDetails.PhoneNumber
        $DefaultMFAMethod = ($User.StrongAuthenticationMethods | Where-Object { $_.IsDefault -eq $true }).MethodType
        # Reset per user; otherwise the method of the previous user leaks into this row
        # and the "enabled but never set up" list below stays empty.
        $MethodUsed = "MFA Not Used"
        If (($MFAEnforced -eq "Enforced") -or ($MFAEnforced -eq "Enabled")) {
            Switch ($DefaultMFAMethod) {
                "OneWaySMS"            { $MethodUsed = "One-way SMS" }
                "TwoWayVoiceMobile"    { $MethodUsed = "Phone call verification" }
                "PhoneAppOTP"          { $MethodUsed = "Hardware token or authenticator app" }
                "PhoneAppNotification" { $MethodUsed = "Authenticator app" }
            }
        }
        Else {
            # No per-user MFA requirement on the account.
            $MFAEnforced = "Disabled"
        }
    
        $ReportLine = [PSCustomObject] @{
            "User Email"   = $User.UserPrincipalName
            "User Name"    = $User.DisplayName
            "MFA Status"   = $MFAEnforced
            "MFA Method"   = $MethodUsed
            "Phone Number" = $MFAPhone
        }
    
        $Report.Add($ReportLine)
    
        If ($MFAEnforced -eq "Disabled") {
            $NotMFAUser.Add($ReportLine)
        }
    
        If (($MFAEnforced -ne "Disabled") -and ($MethodUsed -eq "MFA Not Used")) {
            $MFANotUsed.Add($ReportLine)
        }
    
    }
    
    # The users' MFA status (the report objects carry a "User Name" column, not "Name").
    $Users.Count
    $Report | Sort-Object "User Name" | Out-GridView -Title "MFA Status"
    # Export the users' MFA status.
    $Report | Sort-Object "User Name" | Export-Csv -NoTypeInformation -Encoding UTF8 C:\Tmp\MFAUsers.csv
    
    # Show the users with MFA disabled.
    $NotMFAUser.Count
    $NotMFAUser | Format-Table
    
    # Show the users with MFA enabled but never set up.
    $MFANotUsed.Count
    $MFANotUsed | Format-Table
New CLI ~ PowerShell
  • Enter the following commands at a PowerShell Command Prompt.

    # Register PSGallery as a trusted package source (first use only).
    Register-PackageSource -ErrorAction SilentlyContinue -Name PSGallery -ProviderName PowerShellGet -Trusted
    
    # See https://learn.microsoft.com/en-us/powershell/microsoftgraph/overview?view=graph-powershell-1.0
    # See https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.reports/new-mgreportauthenticationmethoduserregistrationdetail?view=graph-powershell-1.0
    # Install the Microsoft Graph PowerShell module (first use only; -Scope AllUsers needs an elevated prompt).
    Install-Module Microsoft.Graph -Scope AllUsers
    
    # Log in with the Microsoft 365 admin account and consent to the read-only scopes the report needs.
    Connect-MgGraph -Scopes "User.Read.All", "Group.Read.All", "UserAuthenticationMethod.Read.All", "AuditLog.Read.All"
    
    # IsMfaCapable    = the user has registered a strong authentication method for multifactor
    #                   authentication AND that method is allowed by the authentication methods policy.
    # IsMfaRegistered = the user has registered a strong authentication method for multifactor
    #                   authentication; it may not be allowed by the authentication methods policy.
    $Users = Get-MgReportAuthenticationMethodUserRegistrationDetail -All | Where-Object { $_.UserType -ne "Guest" }
    $Report = foreach ($User in $Users) {
        [pscustomobject]@{
            UserDisplayName   = $User.UserDisplayName
            UserPrincipalName = $User.UserPrincipalName
            IsMfaCapable      = $User.IsMfaCapable
            IsMfaRegistered   = $User.IsMfaRegistered
            MethodsRegistered = $User.MethodsRegistered -join ', '
        }
    }
    
    $Report | Out-GridView -Title "MFA Status"
    $Report | Export-Csv -NoTypeInformation -Encoding UTF8 C:\Tmp\MFAStatus.csv
GUI
  • Select Identity > Protection > Authentication methods.

  • Select Monitoring | User registration details.

9.2. Reset

CLI ~ PowerShell
  • Enter the following commands at a PowerShell Command Prompt.

    # Log in with the admin user account.
    Connect-MsolService
    
    # Still need to test
    # Clears the user's registered MFA methods so they must re-register at next sign-in.
    Reset-MsolStrongAuthenticationMethodByUpn -UserPrincipalName <user>@<domain>
    exit
GUI
  • Select More services.

  • Select Identity > Users > All users.

  • Select All users.

  • Select <User Name>.

  • Select Authentication methods.

  • Click Require re-register multifactor authentication.

9.3. Authentication Methods

  • Select More services.

  • Select Identity | Microsoft Entra ID.

  • Select Security in Manage section.

  • Select Authentication methods in Manage section.

  • Select Registration campaign in Manage section.

  • Select Microsoft Authenticator | All users under Authentication method.

  • Remove All users.

  • Click Add users and groups.

  • Check chanchai@shoklo-unit.com.

  • Check unchuleeporn@shoklo-unit.com.

  • Click Select.

  • Click Save.

10. Global Secure Access