Recently I deployed Azure AD Connect server and I notice there are lots of updates and changes made to the latest version of Azure AD Connect application.
The latest version of Azure AD Connect is 2.0. There are few conditions required to follow before setting up the Azure AD Connect application to be running smoothly.
Now there is a new requirement for the service account that is assign for Azure AD Connect application purpose only, the service account must be a member of Administrators group in your local Active Directory. Without this permission, you will faced the synchronization status shows as “completed-with-error” and “permission-denied-access“. You will have trouble in terms of password synchronization.
To further view of what’s new with the version 2.0, you may refer to the references below.
Hi guys and girls, hope you are doing well, as the pandemic is still on-going, hope that you guys are keeping cleanliness and safety first.
Today’s topic is about exchange migration of mailboxes from on-premises to Office 365. This issue is where the legacy windows client or legacy office apps has issue with their outlook applications keeps prompting for credentials and showing disconnection. The issue also do happen to Windows 10 machines but not as aggressive as the Windows 7 machines.
This environment has the following items,
Exchange server: 1 unit, version 2013, CU23 (latest)
Windows client: Combination of Windows 7 and Windows 10
Office applications: Combination of 2013, 2016, 2019 and Microsoft 365 apps for business in both windows 7 and windows 10 categories
Migration method: Remote move migration
Hybrid establishment: Yes
Microsoft 365 license: Business standard/basic
As we all know that the major pre-requisites must met before starting the hybrid and perform migration.
We notice intermittent connections while running the Wireshark on Windows 7 with M365 business apps, while trying to login using the migrated account credential on an Outlook app. We ran a re-creation of the outlook profile and the prompt for credential has stops. This is definitely not the right solution. Solutions is dependent with what caused the issue.
At first we suspected something got to do whitelisting on the network layer but we had confirmed that the whitelisting are correctly configured. Next, we suspected something go to do with compatibility on windows with/or office apps version. This is not a very good idea. After quick research, I came about modern authentication could be the caused, and there where I had an idea on suggesting to turn off the security default in Azure portal and then turn off the modern authentication in Office 3655 tenant. After 10 to 15 mins, the intermittent connections no longer shows up on the Wireshark.
Modern authentication is enabled by default for every new Office 365 tenants, so please be aware if your environment has legacy windows client running or legacy office applications, do consider to turn them off first before proceeding to deploy Microsoft 365 apps.
Modern authentication was the one the interfered with the machines and it kept challenging the users to key in credentials due to the compatibility was not met. Once the modern authentication is turn off, the environment now is running basic authentication.
I think playing with Rows and Columns is every beginner programmer’s nightmare. Rows and Columns concept is all the same for all coding languages. There’s no black magic here.Is all about the basic understanding and common sense. I’ve seen many fresh graduate find it difficult to understand the rows and columns and tend to overthink and turn their codes into a complex dark hole.
What you understand?
You come about FOR LOOP, WHILE LOOP or DO…WHILE LOOP. To identify Rows and Columns in loops form, let’s take FOR Loop as example, so below image is how you use the FOR Loop concept to get or apply table values. Inner FOR loop is define as your column, and the outer FOR loop define as your row.
So clear about it? In PowerShell, the concept is the same but it has been simplify with a command “Import-csv“.
What the beginners does?
This is the sample code that I have seen too much, in the beginners.
By apply this you will get duplicated result;
How PowerShell does it?
Now, let’s see the code for PowerShell, I’m going to show you how you get value list of rows and columns from Excel file, aka CSV file format.
This is the csv file for example, we have 2 columns with naming/attribute, UserPrincipalName and EmailAddresses as the first row. This is the view from excel and the view from notepad is different. Notepad, the columns are separated by a delimiter “,”
To put them into PowerShell, you just need a single FOR Loop to perform.
Lets output the result you will get is this, if you want to beautify your result is possible.
Good day everyone. Even with the Covid-19 is rising drastically in Malaysia, kind of brings my hopes down. Anyway, I still have to keep going with life.
Today’s topic is about the Azure’s conditional access policy. We found a bug in conditional access for iOS device platform. So basically our situation is that, if we would need the conditional app control to be functioning in the Cloud App Security, we would need to setup a conditional access policy. Our setup was only to achieve monitoring mode only. However, after enabling the policy we retrieve reports saying that all iOS devices are having trouble accessing their exchange online. Users are receiving an email notification, stating that their exchange online access is being blocked. We had to disable the policy temporary to troubleshoot it.
This was the email notification:
This was our configuration for the conditional access policy;
Assignment: Include a test group, Exclude the VIP accounts
Cloud apps: All cloud apps
Session: Use conditional app control (Monitor Only)
So this is the Microsoft article shows how the configuration/enablement is being setup in the conditional access in order for the app control to work, as you can see there weren’t any conditions being setup. Hence, it should not be doing any requirements checking or blocking.
To be honest, I had raise ticket to MCAS, Exchange Online and Azure team, and none of them able to get back to me an answers. MCAS team state that “no conditions are setup it SHOULD NOT be performing blocking”.
I had to stop relying the Microsoft Support for this case, as I had to find a way to identify it. So based on the image above, we can see that the article is not mature enough, because there weren’t any solid references or notes stating the limitations/restriction of monitor only of conditional app control.
Upon further checking, I had to analyze the logs of Azure Sign-in activity and Cloud App Security Activity log of that user whom experience the issue. We notice that the sign-in was shown as “Interrupted” and there was no failure sign in status. For your information, the iOS version is 14.
Error code 1:This is not an error – this is an interrupt that triggers device authentication when required due to a Conditional Access policy or because the application or resource requested the device ID in a token. This code alone does not indicate a failure on your users part to sign in. The sign in logs may indicate that the device authentication challenge was passed succesfully or failed.
Another finding was that there weren’t any Exchange mobile device access policy/rules being configure to perform the blocking.
I do know that once this conditional app control is enabled there will have this prompt page before entering into the Exchange online, this is my iPad Air by the way, running on the latest version. The prompt page can be turn off though. Anyway, that is not the case here. I ran a test to mimic the situation but I didn’t experience any email notification send to me stating my exchange online access is being blocked. There is no MFA or Biometric setup on my iPad.
The questions still lies is there a pre-requisites for iOS devices for conditional access policy, even though there is no conditions being set?
Hey guys and girls, how are you all doing working from home? Please stay safe and keep your distance.
Today’s topic is about creating multiple root certificate in a single forest, please take note that this is not a best practice by Microsoft but it was the right solutions for my situations. There will not be errors/stopping you to proceed, if you setup multiple root certificate authority.
So basically I have this tested on my lab only I proceed into production. Whenever you aren’t confident about the solutions please always run your lab. Don’t give people heart attack. Active Directory is a sensitive being.
My situation is that we have existing Windows Server 2008 R2 and is moving to Windows Server 2019, currently there is a root certificate authority siting in Windows Server 2008 R2 and would like to transition to Windows Server 2019 without downtime. Hence, Migrating is not the right word for this situation, because Migration required downtime. Imagine people working from home unable to VPN access into the work environment. You will get the scream and shout by them, Good Luck.
For having a multiple root CA, so that at the network layer/firewall layer, the network administrator can create another certificate access for user to VPN access using either the old Root CA or new Root CA. Hence, zero downtime.
Step by Step:
You have to add the roles and feature into your Windows Server 2019
Once you have the role installed and the configuration setup (just follow the default configuration, please choose Enterprise Root CA)
Make sure your instance naming or certificate authority name is not duplicated with your other certificate authority server name
This is the result of successful setup of the certificate authority
So now you got to make sure the certificate authority server has its certificate propagate on its local machine too
Launch Start > Run > mmc
MMC > File > Add/Remove Snap-in… > Certificates
Certificates > Computer account > Local computer > Finish
Certificates (Local Computer) > Expand the folder > Personal > Certificates
Hey guys and girls, hope you all are having a good day. Today’s topic has a relation of 3 platform.
Intune/Microsoft Endpoint Manager
Outlook App (Windows)
This topic is more related to migration situations, so basically the environment is running IMAP and are on the stage of migrating to Office 365. Hence, to allow users to able to proceed to make use of the new mailbox and having to receive latest emails without disruption or downtime, would need to create the office365 email account on their Outlook profile.
If you notice that you have an email account, firstname.lastname@example.org with the type “IMAP” on your outlook default profile, but you would like to also add the email@example.com with the type “Microsoft Exchange” on the outlook default profile too. This is where the issue happen, majority would just proceed to try to add the account from the Outlook app but it will never let you successfully add the new account in and return with the message saying “This account has been added.” It seems to me that the Outlook App unable to differentiate TYPES. If you dig into Google Search you will only get articles, guiding you to create a new Profile just for the Office 365 account.
Wait…there is a solution to this. Please don’t bother raising case to Microsoft Support from Intune, if you’re lucky you will meet a support that willing to go extra miles for you. Usually the support would recommend you to turn on this feature from Intune “Automating the creation of outlook profile for Exchange Accounts” this only applies to new profile not existing profile.
So basically the solution is simple but I’m still unable to find an automation way to perform this. Hence, manually, but luckily is was just a small business organization, else I’m poof of words. Just type organization that is not willing to spent other migration products such as BitTitan and etc..
Anyway, to create an email account o the default outlook profile we would need to
Launch your Start/Windows button
Search for “Control Panel”
Search for “Mail” in Control Panel
Select the Mail > select “email accounts”
Then select “New”
Enter the following details and click Next
Wait for the establish processing…
You will now have 2 firstname.lastname@example.org accounts in the default Outlook Profile with different types, IMAP and Microsoft Exchange.
If you are still wanting to go with having 2 profiles in Outlook to serve each types here is a simple PowerShell Script that you can upload to Intune;
#This is to create new Profile with the new Profile name New-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Outlook\Profiles\<Profile Name>" -Value ""
#This is to allow the prompt to users to choose which Outlook profile Set-ItemProperty -Path "HKCU:\Software\Microsoft\Exchange\Client\Options" -Name "PickLogonProfile" -Value "1"
Hey guys good morning! Is a rainy day today, just brings the relax mood on.
Here is another topic on Microsoft Defender for Identity, is the troubleshooting on sensors.
When you notice that your sensor keeps disconnecting, while it was fine during the first 2 weeks of the deployment.
There are many possibilities that causes this issue, so I’m glad that there is this Sizing tool that you can use to identify the traffic on the domain controllers and it will provide you recommendation of the hardware requirements that needs increasing or look into it.
Sometimes this is not due to domain controllers or the sensor issue, it could meant that the environment is growing and numbers of applications required the LDAP authentications with the closest domain controllers or the FSMO holder domain controller.
This is how the alert looks like on the ATP portal;
To proof that whether the domain controller needs increment of the hardware resources