SuperTekBoy

Office Activation fails ‘This feature has been disabled by your administrator.’

March 17, 2022 By Gareth Gudger Leave a Comment

When trying to activate (or sign in to) Microsoft Office with your Office 365 enterprise credentials, you may receive the following error.

Office Activation - This feature has been disabled by your administrator

This feature has been disabled by your administrator.

This error is likely a result of a group policy.

To check this, open Group Policy Management Console (GPMC). From the GPMC, expand your domain name (e.g., skaro.local) and Group Policy Objects.

Select your policy that is managing the Office suite and click the Settings tab. Expand User Configuration (Enabled) > Policies > Administrative Templates > Microsoft Office 2016 > Miscellaneous. If you see a setting named Block signing into Office that is Enabled, this is the culprit.

Group Policy - Block signing into Office Group Policy Management Console

Note: If you do not see this setting, I recommend checking all group policies currently applied to the impacted user. You can get this by running GPRESULT from a command prompt on your impacted user’s computer.

[Read more…]

RPC/HTTP & Security Defaults may prevent Outlook reconfiguration after migrating to Exchange Online

March 14, 2022 By Gareth Gudger 2 Comments

In a previous article, we discussed how a conditional access policy blocking basic authentication prevents Outlook clients (leveraging RPC over HTTP) from reconfiguring after a mailbox migration to Exchange Online. This is due to RPC over HTTP not supporting modern authentication. On the other hand, Outlook clients leveraging MAPI over HTTP would reconfigure without incident. This is due to MAPI over HTTP supporting modern (and basic) authentication.

This article explores how security defaults, which Microsoft has been enabling on all new tenants to block basic auth, could also prevent Outlook clients (leveraging RPC over HTTP) from reconfiguring after migration to Exchange Online.

How to check if Security Defaults are enabled (modern authentication is enforced)

To determine if security defaults are enabled in your tenant.

Log into the Microsoft 365 Admin Center. From the left pane expand Settings and select Org Settings. From the Services tab, select Modern Authentication. The Modern Authentication pop-out will identify if security defaults have been enabled.

The screenshot below shows the message that security defaults are enabled, indicating that modern authentication is required and basic auth connections are blocked.

If security defaults have not been enabled in your tenant, the modern authentication pop-out will have configurable options. The screenshot below shows that modern authentication has been enabled (but it is not enforced). We can also see which protocols permit clients to use basic auth. Based on the selections in the screenshots, Outlook clients are still permitted to use basic auth (via either RPC over HTTP or MAPI over HTTP).

Tip: While not the focus of this article, I highly recommend working towards disabling basic auth on as many protocols as you can before the October 1st, 2022 deadline. This not only improves your security posture prior to October but also gets you prepared for the retiring of basic auth.

[Read more…]

RunAs Radio #818 – Email Transport Security

March 9, 2022 By Gareth Gudger Leave a Comment

On February 15th, I had the great pleasure of being a guest on RunAs Radio. I joined host Richard Campbell to discuss email transport security; including:

Introductions
Coauthoring Office 365 for IT Pros 8th Edition
Clarifying the acronym soup
Collecting all 11 RunAs Radio mugs
Where is Exchange vNext?
What happens to mail relay if we eliminate our last on-prem Exchange Server?
How to make email transport more secure
- Forced TLS vs. Opportunistic TLS
- DANE for SMTP (DNS Authentication of Named Entities)
- MTA-STS (Message Transport Agent – Strict Transport Security)
- DANE versus MTA-STS versus Forced TLS
How to make individual messages more secure
- Should we use S/MIME?
- Need for Office 365 Message Encryption in addition to transport layer security (TLS)
- Office 365 Message Encryption versus Advanced Message Encryption
Challenges of Multi-Factor Authentication (“MFA”)
M365 Maps by Aaron Dinnage
Domains that do not send email should have Sender Policy Framework (SPF) records
Homoglyph attacks
Closing thoughts

Gareth on Runas Radio #818 - Email Transport Security with Gareth Gudger

Opinion change: Since recording, I think that even if the MTA-STS TXT record was victim to a man-in-the-middle attack it probably would not be much of an issue. If the bad actor changed the ID in the TXT it would simply tell the sender to pull a new policy from a website the recipient owns and controls. As mentioned in the podcast, I believe DANE is the more secure solution. Be sure to consult with your security team about which solution best suits the needs of your organization.

[Read more…]

Configure global mail flow settings from the new Exchange Admin Center

March 7, 2022 By Gareth Gudger Leave a Comment

One of the new Exchange Admin Center benefits is that many of the global mail flow settings that were previously only available via PowerShell are now available in this new GUI. For example, the Mail Flow settings page allows you to define several global transport configurations. This article will look at these settings and what they do. These settings are:

Plus addressing
Sending from aliases
Enabling SMTP AUTH protocol
Legacy SMTP AUTH endpoint for TLS 1.0 / TLS 1.1 clients
Reply-All storm protection

To find these settings, log into the new Exchange Admin Center and navigate to the Settings tab on the left navigation pane. Then select Mail Flow.

This will pop out a dialog with the following options.

Plus Addressing

Plus addressing allows users to create their own unique email addresses by leveraging a plus sign in their email address—for example, apond+newsletter@exchangeservergeek.com. Anything after the plus sign is completely at the discretion of the user.

This becomes particularly useful when you want to target newsletters to a unique email address, especially when configuring inbox rules. It is also helpful to determine who might have sold or leaked your email address.

To enable this feature from the new Exchange Admin Center, navigate to Settings > Mail Flow. From the pop-up window, select Turn on plus addressing from your organization and click the Save button.

If you prefer to enable this from PowerShell, log onto Exchange Online PowerShell and run the following command.

 C:\> Set-OrganizationConfig -AllowPlusAddressInRecipients $true

To confirm the setting has taken effect, run Get-OrganizationConfig.

 C:\> Get-OrganizationConfig | FL AllowPlusAddressInRecipients

AllowPlusAddressInRecipients : True

Users can then start leveraging plus addresses. Emails addressed to a plus address will appear in the user’s inbox without any further user intervention. From there, the user can build inbox rules for the plus addresses if they desire.

Reference: Plus Addressing Now Available in Exchange Online

[Read more…]

Accessing HPe iLO 3 fails with Unsupported Protocol: ERR SSL VERSION OR CIPHER MISMATCH

November 19, 2021 By Gareth Gudger 29 Comments

UPDATE: Since writing this article in November it does not appear this fix works anymore. I am guessing the AES/3DES ciphers have been deprecated in modern browsers. I can confirm David’s comment using Internet Explorer mode in Microsoft Edge does work.

To enable IE mode, launch edge and type edge://settings/defaultBrowser in the address bar. From the Allow sites to be reloaded in Internet Explorer mode drop-down, select Allow.

Navigate to your iLO URL, select the three dots in the top right (Settings), and pick Reload in Internet Explorer mode from the menu. Edge will remember this setting on each subsequent visit.

If you are trying to connect a modern browser such as Microsoft Edge to HPe’s Integrated Lights Out 3 (iLO 3) management interface, you may receive the following error and be blocked from accessing the iLO webpage.

ERR_SSL_VERSION_OR_CIPHER_MISMATCH

Unsupported protocol
The client or server don't support a common SSL protocol version or cipher suite.

ERR SSL VERSION OR CIPHER MISMATCH - The client or server don't support a common SSL protocol version or cipher suite.

To resolve this error, I recommend ensuring you are on the latest iLO 3 firmware from HPe. At the time of writing, 1.94 was the latest HPe firmware for iLO 3 (released Dec 17, 2020). Firmware can be updated in several ways, including uploading the BIN file via the iLO webpage or online from any number of operating systems, including Windows, Linux, and VMware. Also, refer to the HPe documentation on how to upgrade your firmware.

Once you have the latest firmware, log into the iLO webpage from an older browser, such as Internet Explorer. Then, from the left navigation menu, expand Administration and select Security.

From the Security page, select the Encryption tab.

Then, under the Encryption Enforcement Settings section, toggle the Enforce AES/3DES Encryption dropdown to Enabled.

Click Apply.

[Read more…]

Outlook 2013: Your account is in a bad state

November 19, 2021 By Gareth Gudger Leave a Comment

Starting November 1st, 2021, only Outlook 2013 SP1 (build 15.0.4971.1 and greater) will be able to connect to Microsoft 365 services. This means older Outlook 2013 builds, and Outlook 2010 and earlier will not connect to Microsoft 365. This new requirement goes hand in hand with the deprecation of basic auth, requiring Outlook 2013 SP1 (build 15.0.4753.1 and greater). Microsoft is deprecating basic auth on October 1st, 2022.

That said, if you are already blocking legacy auth for Outlook clients (or you are reading this post after October 1st, 2022), you may receive the following error when trying to sign in to your Office 365 account with Outlook 2013 or any other Office suite product. In addition, your Outlook 2013 client might not be able to connect to your Office 365 mailbox either.

When signing in to your Office 365 account via File > Office Account > Sign In from any Office suite product, you receive the following error.

Your account is in a bad state. Please sign-in to this account online to address the issue.

Your account is in a bad state. Please sign-in to this account online to address the issue

Alternatively, you may first see the error below which can then lead to the error above when you click the Fix me button.

Account Error: There are problems with your account. To fix them, please sign in again.

There are problems with your account. To fix them, please sign in again.

[Read more…]

Office Activation fails ‘This feature has been disabled by your administrator.’

RPC/HTTP & Security Defaults may prevent Outlook reconfiguration after migrating to Exchange Online

How to check if Security Defaults are enabled (modern authentication is enforced)

RunAs Radio #818 – Email Transport Security

Configure global mail flow settings from the new Exchange Admin Center

Plus Addressing

Accessing HPe iLO 3 fails with Unsupported Protocol: ERR SSL VERSION OR CIPHER MISMATCH

Outlook 2013: Your account is in a bad state

Site Navigation

Want to stay up to date?

Join the conversation

How to check if Security Defaults are enabled (modern authentication is enforced)

Plus Addressing

Footer

Site Navigation

Want to stay up to date?

Join the conversation