Category Archives: Office 365

Exchange Hybrid lockdown to O365 IPs only

With the recent Exchange vulnerabilities comes a moment to reflect on further ways to reduce the attack surface of Exchange Servers.

Many organizations still host an Exchange Server solely to maintain a hybrid connectivity link to Office 365. The server therefore has to be publicly accessible, but only to Microsoft. In practice, though, such servers are usually reachable from the entire internet.

If you don’t have a professional firewall to restrict traffic to only that coming from Microsoft, you can also do so at the IIS level. Microsoft publishes the IP ranges it uses as JSON through the Office 365 endpoints web service:

https://endpoints.office.com/endpoints/worldwide

We can then take that source address data and add every range in it as an Allow entry at the server (global) level of IIS with the WebAdministration module. The IP and Domain Restrictions role service (Web-IP-Security) must be installed, or the ipSecurity section is ignored. The endpoints web service expects a client-generated GUID in its clientrequestid parameter, the list mixes IPv4 and IPv6 CIDR ranges, and IIS stores a range as address plus mask rather than prefix length, so the mask is built per byte (this also produces a mask for the IPv6 entries; verify how they end up in applicationHost.config):

# Loopback plus your own management/monitoring ranges (see the note below); the first entry is the author's own link-local address
$allRanges = @("fe80::946:a60c:3d5:ec11%3","127.0.0.1","::1")
# The endpoints web service requires a client-generated GUID in clientrequestid
$o365IPs = Invoke-RestMethod -Method GET -UseBasicParsing -Uri "https://endpoints.office.com/endpoints/worldwide?clientrequestid=$([guid]::NewGuid())"
# Collect every CIDR range from every service area (URL-only entries have no "ips" and are skipped)
$o365IPs | % {$_.ips | % {if($_ -and $allRanges -notcontains $_){$allRanges += $_}}}
$allRanges | % {
    if($_.Contains("/")){   # IndexOf() returns -1 (truthy) for plain addresses, so use Contains()
        $ip = $_.Split("/")[0]; $prefix = [int]$_.Split("/")[1]
        # Build the mask byte by byte so it is right for IPv4 and IPv6 (casting a number to [ipaddress] reverses the octets)
        $bytes = ([ipaddress]$ip).GetAddressBytes()
        for($i = 0; $i -lt $bytes.Length; $i++){ $bits = [Math]::Max(0, [Math]::Min(8, $prefix - 8*$i)); $bytes[$i] = [byte](0xFF -band (0xFF -shl (8 - $bits))) }
        $payLoad = @{ipAddress=$ip;allowed="true";subnetMask=(New-Object System.Net.IPAddress -ArgumentList (,$bytes)).IPAddressToString}
    }else{
        $payLoad = @{ipAddress=$_;allowed="true";}
    }
    # Re-adding an entry that already exists throws; swallow it so the script can be re-run
    try{$null = Add-WebConfigurationProperty -Filter 'system.webServer/security/ipSecurity' -PSPath "IIS:\" -Name "." -Value $payLoad -ErrorAction SilentlyContinue}catch{$Null}
}

Finally, set the IIS IP Address and Domain Restrictions feature to deny unspecified clients (in IIS Manager, at the server node: IP Address and Domain Restrictions > Edit Feature Settings > Access for unspecified clients: Deny; in the configuration this is the allowUnlisted attribute of system.webServer/security/ipSecurity). Until you do this, the Allow entries have no effect. Afterwards, test from an address that is not on the list: IIS should answer with HTTP 403.6 (IP address rejected).

Note: add any additional ranges you need to $allRanges for internal management, monitoring, etc. Because the restriction is applied at the server level it also covers the Exchange Back End site, so include the server’s own addresses (the Client Access front end proxies to the Back End over them). Microsoft changes the published ranges regularly, so re-run the script on a schedule or the hybrid link will eventually break.
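As an added example (not code from the original post), the following finishes the lockdown from PowerShell and checks the result: it installs the role service if it is missing, switches the feature to deny unlisted clients, reads the stored rules back, and evaluates two client addresses against them with the same address-under-mask comparison IIS performs. It assumes it runs elevated on the Exchange server after the script above has populated the Allow list. The helper Test-IpAllowed is written for this example, and 203.0.113.10 (an RFC 5737 documentation address) is used as a "not Microsoft" probe.

```powershell
# Added example, not code from the original post. Assumes the Allow entries from the
# script above are already present at the server level and that this runs elevated on
# the Exchange server. Test-IpAllowed is a helper written for this example.
Import-Module WebAdministration

# 1. Without the role service the ipSecurity section is silently ignored
if (-not (Get-WindowsFeature -Name Web-IP-Security).Installed) {
    Install-WindowsFeature -Name Web-IP-Security | Out-Null
}

$filter = 'system.webServer/security/ipSecurity'

# 2. "Access for unspecified clients: Deny". Until this is false the Allow list does nothing.
Set-WebConfigurationProperty -Filter $filter -PSPath 'IIS:\' -Name allowUnlisted -Value $false
# Optional: answer 404 instead of 403.6 so scanners learn less about the box
Set-WebConfigurationProperty -Filter $filter -PSPath 'IIS:\' -Name denyAction -Value 'NotFound'

# 3. Read back what IIS actually stored
$rules = @(Get-WebConfiguration -Filter "$filter/add" -PSPath 'IIS:\')
"{0} rules stored, allowUnlisted={1}" -f $rules.Count, (Get-WebConfiguration -Filter $filter -PSPath 'IIS:\').allowUnlisted

# 4. Evaluate a client address against the stored rules: address-under-mask equality per rule;
#    with allowUnlisted=false anything that matches no rule is denied.
function Test-IpAllowed {
    param([string]$ClientIp, [object[]]$Rules)
    $client = ([ipaddress]$ClientIp).GetAddressBytes()
    foreach ($r in $Rules) {
        $addr = ([ipaddress]$r.ipAddress).GetAddressBytes()
        if ($addr.Length -ne $client.Length) { continue }   # other address family, cannot match
        $m = $null
        if (-not [ipaddress]::TryParse([string]$r.subnetMask, [ref]$m) -or $m.GetAddressBytes().Length -ne $addr.Length) {
            $mask = [byte[]](@(255) * $addr.Length)          # host entry, or IPv4 default mask on an IPv6 rule
        } else {
            $mask = $m.GetAddressBytes()
        }
        $match = $true
        for ($i = 0; $i -lt $addr.Length; $i++) {
            if (($client[$i] -band $mask[$i]) -ne ($addr[$i] -band $mask[$i])) { $match = $false; break }
        }
        if ($match) { return [System.Convert]::ToBoolean($r.allowed) }
    }
    return $false
}

# An IPv4 address taken from the stored rules must pass; an unrelated internet address must not
$sample = ($rules | Where-Object { $_.ipAddress -match '^\d+\.\d+\.\d+\.\d+$' } | Select-Object -First 1).ipAddress
"{0} allowed: {1}" -f $sample, (Test-IpAllowed -ClientIp $sample -Rules $rules)
"203.0.113.10 allowed: {0}" -f (Test-IpAllowed -ClientIp '203.0.113.10' -Rules $rules)
```

Run the offline check after every refresh of the list: if an address you expect Microsoft to use comes back as not allowed, the mask for its range was stored wrongly, which is exactly the failure that breaks free/busy and mail flow without any obvious error on the Exchange side. For the real test, request https://yourserver/owa from a client outside the allowed ranges and confirm the 404 (or 403.6 with the default denyAction).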

OnedriveMapper 4.04 with auto reconnect

Version 4.04 of OnedriveMapper now automatically reconnects drives (of any type) when the cookie expires. No more ‘broken’ mappings! The script is smart enough to detect if it’s just a connectivity issue (= do nothing) or an actual drive issue.

All improvements since 4.00:

  1. Auto Remap (automatically reconnect disconnected drives)
  2. Block the IE firstrun wizard properly
  3. Bugfix: properly handle existing shortcuts instead of throwing an error
  4. Increase Converged Drive (single mapping with sub-mappings) reliability
  5. Better cleanup of existing mappings
  6. Always force the ‘keep me signed in’ option
  7. Support for root-level mappings

OnedriveMapper 4.00 with Modern Auth released!

Modern Authentication in OnedriveMapper

With version 4.00 OnedriveMapper now fully supports ‘Modern’ Authentication!

As I started this script in my early programming days and there’s a lot of crap code in there, I also finally cleaned it up a little, reducing the total number of lines by ~50% 🙂

The result is a much faster, leaner script that will map and/or redirect to anything in Office 365 for any of your users. MFA? Not a problem. External MFA? Also not a problem. Conditional Access? Totally fine.

Some older, rarely used legacy features were removed, and login is only silent if no MFA / SSO is configured for IE.

The older version (3.X) will remain in my git repo but will not be actively maintained.