Channel: Azure Active Directory forum

Enabling MFA for AAD User with PowerShell 6.2


I'm working on a way to enable MFA for AAD / O365 users.  I'm referring to this article from the MS docs:

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates

If I install the MSOnline module, import it, and connect-msolservice with PS version 5.1 it works as described.  If I try to do this with PS version 6.2 I get:

Connect-MsolService : Could not load file or assembly 'System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'. The system cannot find the file specified.

Is this because PS 6.2 is built on .Net Core and it isn't able to load the libraries for a prior version of .Net that's part of the MSOnline module?

What I'm really after is a way to automate enabling MFA for AAD / O365 users, and I'm thinking about using an Azure Function App with PowerShell. This seems like a good way to knit this together with our ITSM system calling a web hook made available via the Function App. Obviously there are some permission and security elements to be worked out to do this. However, if I can't load the MSOnline module in PS 6.2, which is the PS platform available as a Function App, I don't think it would work to use a PowerShell Function App.
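The per-user MFA step from the linked Microsoft article, as an added example that is not part of the original post: it refuses to run outside Windows PowerShell (the PSEdition check is the practical test for the .NET Framework dependency behind the System.Windows.Forms error), enables MFA for each UPN, and reads the state back. It assumes the MSOnline module is installed and the caller holds a role allowed to run Set-MsolUser; the UPN in the usage line is a placeholder.

```powershell
# Added example: enable per-user MFA with the MSOnline module, guarding against
# the PowerShell Core / .NET Core loading problem described in the post.
# Assumes MSOnline is installed and the session has rights for Set-MsolUser.

function Enable-UserMfa {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string[]] $UserPrincipalName
    )

    # MSOnline is built on the full .NET Framework, so it only loads in
    # Windows PowerShell (PSEdition 'Desktop'), not in PowerShell 6.x/7.x.
    if ($PSVersionTable.PSEdition -ne 'Desktop') {
        throw "MSOnline requires Windows PowerShell 5.1; current edition is '$($PSVersionTable.PSEdition)'."
    }

    Import-Module MSOnline -ErrorAction Stop

    # Connect only if there is no live session yet (Connect-MsolService prompts interactively;
    # automation would pass -Credential instead).
    if (-not (Get-MsolCompanyInformation -ErrorAction SilentlyContinue)) {
        Connect-MsolService
    }

    # 'Enabled' asks the user to register at next sign-in; 'Enforced' blocks legacy
    # protocols until registration is complete.
    $requirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $requirement.RelyingParty = '*'
    $requirement.State = 'Enabled'

    foreach ($upn in $UserPrincipalName) {
        if ($PSCmdlet.ShouldProcess($upn, 'Enable per-user MFA')) {
            Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @($requirement)
            # Read the state back so the caller sees what actually applied, not what was requested.
            $state = (Get-MsolUser -UserPrincipalName $upn).StrongAuthenticationRequirements.State
            [pscustomobject]@{ UserPrincipalName = $upn; MfaState = $state }
        }
    }
}

# Usage (placeholder UPN); drop -WhatIf to apply the change:
Enable-UserMfa -UserPrincipalName 'alice@contoso.example' -WhatIf
```

Because the edition check throws before any module is imported, the same script fails fast and with a clear message in a PowerShell 6.2 Function App instead of surfacing the assembly-load error at Connect-MsolService.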


Add alternate upn suffix azure connect


I am trying to add an alternate UPN suffix to Azure AD Connect, but I already have Azure AD Connect installed. I know how to do it if I uninstall and reinstall Azure AD Connect:

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-custom#azure-ad-sign-in-configuration

Is there a way to change this setting without reinstalling?

Conditional access not prompting users for MFA

Hi,

Hoping someone has seen this and can point me in the right direction.

We have a couple of conditional access policies set up in AAD, one that blocks users that aren't on a trusted site and another that allows users access from untrusted locations if MFA is applied. Users are assigned one policy or the other, not both. The block policy works fine, but the MFA policy allows the user to connect regardless of location.

The What IF tool shows the users getting the policy correctly based on IP:

Windows10_Allow_Untrusted_MFA
Require multi-factor authentication

And according to the sign-in log, MFA was required and done; the result says:

  • USER: Kathryn Janeway
  • USERNAME: kat.janeway@blahblahblah.com
  • APPLICATION ID: 00000006-0000-0ff1-ce00-000000000000
  • APPLICATION: Microsoft Office 365 Portal
  • CLIENT: ;Windows 10;Edge 16.1629;
  • LOCATION: Somewhere
  • IP ADDRESS: ::Untrusted IP::
  • DATE: 5/17/2018, 8:44:37 AM
  • MFA REQUIRED: Yes
  • MFA AUTH METHOD:
  • MFA AUTH DETAIL:
  • MFA RESULT: MFA requirement satisfied by claim in the token
  • SIGN-IN STATUS: Success

I'm obviously missing something, but we need the users to be prompted for MFA every time they sign in when not on one of our sites.
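The distinction the log entry above turns on, as an added example that is not part of the original post: "MFA requirement satisfied by claim in the token" means the policy did apply but was satisfied by an MFA claim already present in the session, so no fresh prompt happened. The script below classifies sign-in records on exactly that basis so the three cases (policy not applied, MFA reused from the token, fresh MFA) can be told apart. The records and the trusted-IP prefixes are constructed to mirror the fields shown in the post; a CSV export from the portal would be loaded with Import-Csv instead.

```powershell
# Added example: triage sign-in records so that MFA satisfied by a claim already in the
# token is separated from a fresh MFA prompt and from sign-ins the policy never touched.
# The records and prefixes below are constructed sample data.

$TrustedIpPrefixes = @('203.0.113.', '198.51.100.')   # constructed stand-ins for the named-location ranges

$SignIns = @(
    [pscustomobject]@{ User = 'kat.janeway@example.com'; IpAddress = '192.0.2.10';  MfaRequired = 'Yes'; MfaResult = 'MFA requirement satisfied by claim in the token'; Status = 'Success' }
    [pscustomobject]@{ User = 'kat.janeway@example.com'; IpAddress = '203.0.113.5'; MfaRequired = 'No';  MfaResult = '';                                                Status = 'Success' }
    [pscustomobject]@{ User = 'b.torres@example.com';    IpAddress = '192.0.2.22';  MfaRequired = 'Yes'; MfaResult = 'MFA completed in Azure AD';                       Status = 'Success' }
    [pscustomobject]@{ User = 't.paris@example.com';     IpAddress = '192.0.2.30';  MfaRequired = 'No';  MfaResult = '';                                                Status = 'Success' }
)

function Get-MfaTriage {
    param([object[]] $Records, [string[]] $TrustedPrefixes)
    foreach ($r in $Records) {
        $trusted = [bool]($TrustedPrefixes | Where-Object { $r.IpAddress.StartsWith($_) })
        if ($trusted) {
            $class = 'TrustedLocation'
        } elseif ($r.MfaRequired -ne 'Yes') {
            $class = 'UntrustedNoMfa'            # policy never applied: check assignment / What If
        } elseif ($r.MfaResult -match 'claim in the token') {
            $class = 'UntrustedReusedMfaClaim'   # no fresh prompt: earlier MFA carried in the session token
        } else {
            $class = 'UntrustedFreshMfa'         # the behaviour the post is asking for
        }
        [pscustomobject]@{ User = $r.User; IpAddress = $r.IpAddress; Class = $class; MfaResult = $r.MfaResult }
    }
}

# Only the untrusted-location rows are interesting for this policy; the reused-claim
# rows are the ones where a sign-in-frequency control (or not remembering MFA) is needed.
Get-MfaTriage -Records $SignIns -TrustedPrefixes $TrustedIpPrefixes |
    Where-Object Class -like 'Untrusted*' |
    Sort-Object Class |
    Format-Table -AutoSize
```

Run against a real export, a high count of UntrustedReusedMfaClaim rows for one user is the signature of the behaviour in the post: the policy is evaluated and satisfied, but by a claim minted at an earlier sign-in rather than by a new challenge.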

Azure AD join local admin


Hi,

When I join a laptop of my client to their Azure AD, that user is made local admin as soon as they log in again, right?

So this means they can install any program they download from the internet.

Is that what most companies allow or how do you people do this?

I would think the advantage of joining them to Azure AD is to use Intune as a GPO system and block/allow stuff, and that the user is just a member, but not a local admin.

Or is it necessary that they are local admin and that you start blocking things from within Intune.... ?

AzureAD and user Consent

I am currently looking at Enterprise Applications, User Consent etc in AzureAD. I am located in the EU.

We might have a problem. People are using OAuth2 to authenticate towards 3rd-party services, get nice semi-SSO etc. Works great. But the problem is that users give 3rd parties access to personal data that cannot be shared with a 3rd party without a data processing agreement, risk assessment, and Article 30 document.

One example is an app called "LinkedIn Microsoft Graph Connector". Users have given it consent to read "relevant people lists", which is defined as "Allows the app to read a ranked list of relevant people of the signed-in user. The list includes local contacts, contacts from social networking, your organization's directory, and people from recent communications (such as email and Skype)."

So clearly personal data, much of it not owned by the end-user (organization's directory). So data that the user giving the consent is clearly not authorized to give consent to if he is in the EU, and most likely not so elsewhere. Microsoft knows the directory is company property, and not property of each individual user. We are not sure if Microsoft uses the directory, but just asking consent from someone who is not authorized to do so is clearly in a legal gray zone.

Can we get some higher-level control of what we want users to consent to?
We also want to control what the user can give offline access (I assume that is long-lived access tokens) to. It is OK if the app is running on the end-user's device; it is NOT OK if it is running in the cloud, as that has GDPR impact.

Azure Active Directory Sync Cycle


Hi,

We have recently been introduced to Office 365 and the Azure portal. So I want to check if we can set up a script to get an email after every sync cycle.

Is it possible to do? If yes, can anyone suggest how to proceed with it?

Thank you.
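One way to get that mail, as an added example that is not part of the original post: the ADSync module on the Azure AD Connect server exposes the scheduler state through Get-ADSyncScheduler, so a scheduled task can wait for the SyncCycleInProgress flag to drop and then send a report. It assumes it runs on the AD Connect server, that an internal SMTP relay accepts mail from that host, and that the scheduler is not in a suspended state; the relay name and addresses are placeholders.

```powershell
# Added example: wait for one Azure AD Connect sync cycle to finish, then email a summary.
# Assumes it runs on the AD Connect server (ADSync module present) and that the SMTP
# relay named below accepts mail from this host. Hostnames/addresses are placeholders.

Import-Module ADSync -ErrorAction Stop

$Mail = @{
    SmtpServer = 'smtp.internal.example'     # placeholder relay
    From       = 'aadconnect@example.com'    # placeholder sender
    To         = 'idops@example.com'         # placeholder recipient(s)
}

function Wait-ADSyncCycleEnd {
    param([int] $PollSeconds = 30, [int] $MaxWaitMinutes = 120)
    $deadline = (Get-Date).AddMinutes($MaxWaitMinutes)
    # Wait for a cycle to start, then for it to stop; give up after the deadline so a
    # scheduled task cannot hang forever if the scheduler is disabled or suspended.
    while (-not (Get-ADSyncScheduler).SyncCycleInProgress) {
        if ((Get-Date) -gt $deadline) { throw "No sync cycle started within $MaxWaitMinutes minutes." }
        Start-Sleep -Seconds $PollSeconds
    }
    while ((Get-ADSyncScheduler).SyncCycleInProgress) { Start-Sleep -Seconds $PollSeconds }
    Get-ADSyncScheduler
}

function Send-SyncCycleReport {
    param([Parameter(Mandatory = $true)] $Scheduler)
    $body = @(
        "Azure AD Connect sync cycle finished on $env:COMPUTERNAME at $(Get-Date -Format o)"
        "Next cycle (UTC):   $($Scheduler.NextSyncCycleStartTimeInUTC)"
        "Scheduler enabled:  $($Scheduler.SyncCycleEnabled)"
        "Staging mode:       $($Scheduler.StagingModeEnabled)"
    ) -join "`n"
    Send-MailMessage @Mail -Subject "AAD Connect sync cycle completed ($env:COMPUTERNAME)" -Body $body
}

# One cycle per invocation: schedule this script to run slightly more often than the
# scheduler interval (30 minutes by default) and every completed cycle produces a mail.
$state = Wait-ADSyncCycleEnd
Send-SyncCycleReport -Scheduler $state
```

Keeping the polling inside the sync server avoids giving the mail relay or any other host rights against the AD Connect database; the script only reads scheduler state and never touches connector credentials.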

Bind Refresh Tokens To Device using Windows OnBoard Tools


Hi all,

I am new to using this forum. I'd like to talk about refresh tokens one more time. It is clear that these tokens have to be stored securely.

One scenario we would like to prevent is that when a device stores a refresh token and the device backup is stored in the cloud, an attacker could read from the token store in case he was able to steal the backup.

To avoid such a scenario, a solution could be to bind the token to the device on which it is stored, right?

A short time ago somebody told me that there is an MS Windows 10 onboard solution to bind tokens to a device. Unfortunately he is not available anymore.

Is anybody aware of such an onboard solution to bind tokens to a device?

Thanks and kind regards,

Seb

Azure AD Connect Pass-through Authentication Enable single sign-on Error


I am attempting to migrate from AD FS authentication to Pass-through Authentication, and am getting an "An error occurred while locating computer account." error when entering domain administrator credentials on the Single sign-on screen.

I have tried a few different domain admin accounts.

I did notice that there is a computer account in AD called AZUREADSSOACC which was created in 2017. Could this be a part of the problem?

The trace logs show this:

[15:28:51.976] [  1] [INFO ] Authenticate-ADAL: successfully acquired an access token.  TenantId=a481ae96-6a20-4f90-9ab6-f0819c93f62b, ExpiresUTC=04/11/2019 16:28:48 +00:00, UserInfo=ict.billing@ensors.onmicrosoft.com, IdentityProvider=https://sts.windows.net/a481ae96-6a20-4f90-9ab6-f0819c93f62b/.
[15:28:52.663] [  1] [INFO ] DesktopSso is only available for Active Directory forests. Getting all AD forests
[15:28:52.663] [  1] [INFO ] There are 1 eligible forests.
[15:28:52.663] [  1] [INFO ] MYDOMAIN.com are available for desktopsso.
[15:29:01.990] [  1] [INFO ] Check if username is in samAccount format
[15:29:01.990] [  1] [INFO ] Username is in samAccount format
[15:29:01.990] [  1] [INFO ] desktopsso computer account will be created in MY_DOM
[15:29:01.990] [  1] [INFO ] Checking if credentials belong to the forest
[15:29:02.008] [  1] [INFO ] ValidateForest: using IPSWICHDCB.MYDOMAIN.com to validate domain MYDOMAIN.com
[15:29:02.010] [  1] [INFO ] Successfully examined domain MYDOMAIN.com GUID:9bfa0096-9848-4ec2-8c27-6cd202950362  DN:DC=MYDOMAIN,DC=com
[15:29:02.010] [  1] [INFO ] MY_DOM\bhatt.admin belongs to the forest
[15:29:02.240] [  1] [ERROR] An error occurred while locating computer account.
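A check worth running before re-entering credentials in the wizard, as an added example that is not part of the original post: read the existing AZUREADSSOACC computer account and report where it lives, whether it is enabled, and how old its Kerberos decryption key (the account password) is. It assumes the ActiveDirectory RSAT module and a session with read rights on the domain; the 30-day threshold is Microsoft's published rollover recommendation for this account, not a value from the post.

```powershell
# Added example: inspect the Seamless SSO computer account that the AD Connect
# wizard expects to find or create. Assumes the ActiveDirectory RSAT module.

Import-Module ActiveDirectory -ErrorAction Stop

function Test-SeamlessSsoAccount {
    param(
        [string] $Name = 'AZUREADSSOACC',
        [int]    $MaxKeyAgeDays = 30    # recommended rollover interval for the decryption key
    )

    $acct = Get-ADComputer -Filter "Name -eq '$Name'" `
        -Properties PasswordLastSet, whenCreated, Enabled, DistinguishedName

    if (-not $acct) {
        return [pscustomobject]@{
            Exists = $false
            Note   = "No computer account named $Name in this domain; the wizard would create it."
        }
    }

    # PasswordLastSet can be null for an account whose key was never set; report it as unknown.
    $keyAge = if ($acct.PasswordLastSet) {
        (New-TimeSpan -Start $acct.PasswordLastSet -End (Get-Date)).Days
    } else { $null }

    [pscustomobject]@{
        Exists            = $true
        DistinguishedName = $acct.DistinguishedName
        Enabled           = $acct.Enabled
        Created           = $acct.whenCreated
        KeyLastSet        = $acct.PasswordLastSet
        KeyAgeDays        = $keyAge
        KeyRolloverDue    = ($null -eq $keyAge) -or ($keyAge -gt $MaxKeyAgeDays)
    }
}

Test-SeamlessSsoAccount | Format-List
```

A disabled account, an account sitting in an OU the admin credential cannot read, or a key that has not been rolled since 2017 are each things to settle before blaming the wizard; the output gives the facts needed to decide which applies.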


Impact of adding Domain Services for LDAPS authentication


Hi, we're planning to allow a subset of our users to authenticate via Azure AD Domain Services via secure LDAP. We have a mixture of cloud-only Azure AD users and internal Active Directory accounts synced to Azure AD. The accounts we want to enable LDAPS for are all synced from our internal AD. The cloud-only Azure AD accounts won't need this functionality.

We have Azure AD Domain Services setup (not yet set for LDAPS), and we have Azure AD Connect setup for password hash sync, and we have the write-back passwords to on-premise directory set.

We have NOT yet run the PowerShell scripts on our Azure AD Connect machines to enable legacy password hash sync for NTLM and Kerberos, and I'm not 100% positive that's even necessary, but the documentation implies that it is.

My big questions are:

1) If it is necessary to run the PowerShell scripts to enable the legacy hash sync, will that have any impact on our cloud-only Azure AD accounts?

2) And, if that hash sync change is necessary, will that have any impact on the current users who have been successfully synced from our on-premise AD?

Thanks for your help.

How configure SCIM provision to add owners to group POST request?

I connected an AD application with a SCIM endpoint. But the group POST request does not contain the owners list. How can I configure the mapping to add owners to the request payload?

AADSTS65001 error trying to access my Web API from Angular client


Hi

I have an Angular project talking to a .NET Core 3.0 Web API, with Azure AD authentication. Apps are set up for both, and I have followed the instructions to expose the API and then grant permissions. The client app logs in successfully but gets this error at the point where it tries to call my web API.

Anyone got any ideas?

Regards

Mike

Azure AD Application Proxy started to return 302 redirect randomly


Hi,

We have been using Azure AD Application Proxy for over a year now, and for the last 2 days it has started to return 302 randomly.

We are accessing our internal WebApi hosted on-premise through the App Proxy's external url and we use access token for authorization. 

Starting last Sunday, it started to return 302 Found randomly, with a response that looks like this:

HTTP/1.1 302 Found
Content-Length: 0
Location: https://login.microsoftonline.com/<tenantId>/oauth2/authorize?response_type=id_token&client_id=<clientId>&scope=openid&nonce=e7a73a84-926a-4666-a9b8-bae143c0ad08&response_mode=form_post&redirect_uri=https%3a%2f%2f<externalName>.msappproxy.net%2f&state=AppProxyState%3a%7b%22InvalidTokenRetry%22%3atrue%2c%22IsMsofba%22%3afalse%2c%22OriginalRawUrl%22%3a%22https%3a%5c%2f%5c%2f<externalName>.msappproxy.net%5c%2f<path>%22%2c%22RequestProfileId%22%3a%2269a6ba6c-268e-4ede-9dd8-bdf57c31479c%22%7d%23EndOfStateParam%23
Server: Microsoft-HTTPAPI/2.0
Set-Cookie: AzureAppProxyAnalyticCookie_<......>; path=/
Date: Tue, 05 Mar 2019 16:39:37 GMT

When hitting the url directly in the browser, we can see the redirect to login.microsoftonline.com for a second, then it redirects back to the original url and the request is processed, then we get our expected WebApi response.

There was no redirect before, this is new.

The issue is when we're making the call programmatically, we set the Authorization: Bearer <access_token> header but we also receive the 302, this is breaking all our applications.

Anyone aware of an update with potentially breaking changes happening on the Azure side last Sunday?
Maybe something related to Set-Cookie: AzureAppProxyAnalyticCookie being required now?

Any ideas?
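A way to see what the proxy is actually saying, as an added example that is not part of the original post: the state parameter in the quoted Location header is a URL-encoded AppProxyState JSON blob, and its InvalidTokenRetry field records whether the proxy treated the presented token as invalid. The script below decodes that blob and, separately, probes the external URL with redirects disabled so a 302 is captured rather than followed. The sample Location value is constructed in the shape of the one quoted above; the probe URL and token source are placeholders.

```powershell
# Added example: decode the AppProxyState blob from an App Proxy 302 and probe the
# external URL without following redirects. The sample header is constructed to match
# the shape quoted in the post; the live-probe URL and token are placeholders.

Add-Type -AssemblyName System.Web

function ConvertFrom-AppProxyState {
    param([Parameter(Mandatory = $true)] [string] $Location)
    # ParseQueryString URL-decodes each value, so %7b%22...%7d comes back as raw JSON
    $query = [System.Web.HttpUtility]::ParseQueryString(([uri] $Location).Query)
    $state = $query['state']
    if (-not $state) { return $null }
    # The blob is 'AppProxyState:{...}#EndOfStateParam#'; keep only the JSON object.
    $start = $state.IndexOf('{')
    $end   = $state.LastIndexOf('}')
    if ($start -lt 0 -or $end -le $start) { return $null }
    $state.Substring($start, $end - $start + 1) | ConvertFrom-Json
}

function Test-AppProxyRedirect {
    param(
        [Parameter(Mandatory = $true)] [string] $Url,
        [Parameter(Mandatory = $true)] [string] $AccessToken
    )
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.AllowAutoRedirect = $false                       # surface the 302 instead of following it
    $req.Headers['Authorization'] = "Bearer $AccessToken"
    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response                      # 4xx/5xx arrive as exceptions
        if (-not $resp) { throw }
    }
    $result = [pscustomobject]@{
        StatusCode = [int] $resp.StatusCode
        Location   = $resp.Headers['Location']
        State      = $null
    }
    if ($result.StatusCode -eq 302 -and $result.Location -like 'https://login.microsoftonline.com/*') {
        $result.State = ConvertFrom-AppProxyState -Location $result.Location
    }
    $resp.Close()
    $result
}

# Offline check of the decoder against a constructed header shaped like the one in the post:
$sample = 'https://login.microsoftonline.com/tenant/oauth2/authorize?response_type=id_token&client_id=app' +
          '&state=AppProxyState%3a%7b%22InvalidTokenRetry%22%3atrue%2c%22IsMsofba%22%3afalse%2c' +
          '%22OriginalRawUrl%22%3a%22https%3a%5c%2f%5c%2fapp.msappproxy.net%5c%2fapi%22%2c' +
          '%22RequestProfileId%22%3a%22id%22%7d%23EndOfStateParam%23'
(ConvertFrom-AppProxyState -Location $sample).InvalidTokenRetry    # True: the proxy rejected the presented token

# Live probe (placeholders): Test-AppProxyRedirect -Url 'https://app.msappproxy.net/api' -AccessToken $token
```

Logging StatusCode and State.InvalidTokenRetry per call turns "random 302s" into a series that can be correlated with token issue time and audience, which is the data needed to tell a proxy-side change from a token that the proxy genuinely does not accept.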

Service Principal creation using Java API fails


I am using MSICredentials to log in and then create a service principal using the Java API.

// Authenticate with the managed identity of the host; MSICredentials(AzureEnvironment)
// carries no tenant (domain), so nothing here supplies the tenant ID the Graph RBAC
// client later requires (see the exception below).
MSICredentials credentials = new MSICredentials(AzureEnvironment.AZURE);
Azure.Authenticated authenticated = Azure.configure().authenticate(credentials);

ServicePrincipal principal = null;
String password = generatePassword(MAX_PASSWORD_SIZE);
if (principal == null) {
    // Creates a new application and a service principal for it, with a password credential.
    principal = authenticated.servicePrincipals()
        .define(name)
        .withNewApplication("https://infa-agent/" + name)
        .definePasswordCredential(name)
            .withPasswordValue(password)
            .attach()
        .create();
}

The above code is throwing the exception below:

java.lang.IllegalArgumentException: Parameter this.client.tenantID() is required and cannot be null.
at com.microsoft.azure.management.graphrbac.implementation.ApplicationsInner.createWithServiceResponseAsync(ApplicationsInner.java:167)
at com.microsoft.azure.management.graphrbac.implementation.ApplicationsInner.createAsync(ApplicationsInner.java:150)
at com.microsoft.azure.management.graphrbac.implementation.ActiveDirectoryApplicationImpl.createResourceAsync(ActiveDirectoryApplicationImpl.java:63)
at com.microsoft.azure.management.resources.fluentcore.model.implementation.CreateUpdateTask.invokeAsync(CreateUpdateTask.java:57)
at com.microsoft.azure.management.resources.fluentcore.dag.TaskGroupEntry.invokeTaskAsync(TaskGroupEntry.java:112)
at com.microsoft.azure.management.resources.fluentcore.dag.TaskGroup$2.call(TaskGroup.java:395)
at com.microsoft.azure.management.resources.fluentcore.dag.TaskGroup$2.call(TaskGroup.java:381)
at rx.internal.operators.OnSubscribeDefer.call(OnSubscribeDefer.java:46)
at rx.internal.operators.OnSubscribeDefer.call(OnSubscribeDefer.java:35)
at rx.Observable.unsafeSubscribe(Observable.java:10327)
at rx.internal.operators.OperatorMerge$MergeSubscriber.onNext(OperatorMerge.java:248)
at rx.internal.operators.OperatorMerge$MergeSubscriber.onNext(OperatorMerge.java:148)
at rx.internal.operators.OnSubscribeFromIterable$IterableProducer.fastPath(OnSubscribeFromIterable.java:173)
at rx.internal.operators.OnSubscribeFromIterable$IterableProducer.request(OnSubscribeFromIterable.java:86)
at rx.Subscriber.setProducer(Subscriber.java:211)
at rx.internal.operators.OnSubscribeFromIterable.call(OnSubscribeFromIterable.java:63)
at rx.internal.operators.OnSubscribeFromIterable.call(OnSubscribeFromIterable.java:34)
at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:48)
at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:30)
at rx.Observable.unsafeSubscribe(Observable.java:10327)
at rx.internal.operators.OnSubscribeDefer.call(OnSubscribeDefer.java:51)
at rx.internal.operators.OnSubscribeDefer.call(OnSubscribeDefer.java:35)
at rx.Observable.unsafeSubscribe(Observable.java:10327)
at rx.internal.operators.DeferredScalarSubscriber.subscribeTo(DeferredScalarSubscriber.java:153)
at rx.internal.operators.OnSubscribeTakeLastOne.call(OnSubscribeTakeLastOne.java:32)
at rx.internal.operators.OnSubscribeTakeLastOne.call(OnSubscribeTakeLastOne.java:22)
at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:48)
at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:30)
at rx.Observable.unsafeSubscribe(Observable.java:10327)
at rx.internal.operators.OnSubscribeMap.call(OnSubscribeMap.java:48)
at rx.internal.operators.OnSubscribeMap.call(OnSubscribeMap.java:33)
at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:48)
at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:30)
at rx.Observable.subscribe(Observable.java:10423)
at rx.Observable.subscribe(Observable.java:10390)
at rx.observables.BlockingObservable.blockForSingle(BlockingObservable.java:443)

Azure Active Directory Authentication via Laravel Webapp

Hey guys, I'm really lost. I have really tried for many hours (30+) to research and try to log in users in my Laravel app via Azure AD auth. At the moment I think I'm going nuts. Can somebody, please, help me with this problem? I have (or at least think I have) set up my App correctly in the Azure portal, but I don't know how to handle the PHP side. I tried using the metrogistics library https://github.com/metrogistics/laravel-azure-ad-oauth which seems outdated. Can somebody guide me in the correct direction, please?

creating domain services - error 'The operation failed because resource is in the: 'Failed' state'


I'm trying to create Domain Services by running the code below.
The code runs fine up to the line containing:

New-AzResource -ResourceId "/subscriptions/$AzureSubscriptionId...

then I get:

VERBOSE: Performing the operation "Creating the resource..." on target "/subscriptions/guid/resourceGroups/aadds-resgrp-01/providers/Microsoft.AAD/DomainServices/xxx.domain.com".
New-AzResource : The operation failed because resource is in the: 'Failed' state. Please check the logs for more details.
At E:\__FVHS\!!!!!__Azure_AD_etc\create_Azure_Active_Directory_Domain_Services.ps1:168 char:2
+     New-AzResource -ResourceId "/subscriptions/$AzureSubscriptionId/r ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [New-AzResource], InvalidOperationException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.NewAzureResourceCmdlet

Here's the code:

## code is based on https://docs.microsoft.com/en-us/azure/active-directory-domain-services/powershell-create-instance

if ($PSVersionTable.PSVersion.Major -ne 5) {
	write-host 'this script must be run in powershell 5.n, aborting...'
	return;
}

$module_names = @("Az", "AzureAD")
# $module_names = @("AzureAD")

foreach ($module_name in $module_names) {
	# if (!(Get-InstalledModule -Name $module_name)) {
	# 	Install-Module -Name $module_name -AllowClobber -Scope AllUsers
	# }
	Get-InstalledModule -Name $module_name

	# if (!(Get-Module -ListAvailable -Name $module_name)) {
	# 	Import-Module -Name $module_name
	# }
	Get-Module -ListAvailable -Name $module_name
}

function create_Azure_Active_Directory_Domain_Services {

	$ErrorActionPreference = 'Stop'

	Set-Alias -Name wh -Value write-host

	clear

	# Change the following values to match your deployment.
	$AaddsAdminUserUpn = "email"
	$ResourceGroupName = "aadds-resgrp-01"

	$Vnet = "aadds-vnet-01"
	$Vnet_AddressPrefix = "10.0.0.0/16"

	$SubnetDs1 = "aadds-subnet-DS01"
	$SubnetDs1_AddressPrefix = "10.0.0.0/24"

	$SubnetDs2 = "aadds-subnet-DS02"
	$SubnetDs2_AddressPrefix = "10.0.1.0/24"

	$AzureLocation = "eastus"
	$AzureSubscriptionId = "guid"
	$ManagedDomainName = "xxx.domain.com"
	$AaddcGroupName = "AAD DC Administrators"
	$ResourceProvider = "Microsoft.AAD"

	# Named $securePwd rather than $pwd, which is PowerShell's automatic current-directory variable.
	$securePwd = ConvertTo-SecureString 'pwd' -AsPlainText -Force
	$pscred = New-Object System.Management.Automation.PSCredential (
		"email",
		$securePwd
	)

	# Connect to Azure AD directory.
	Connect-AzureAD -Credential $pscred

	# Login to Azure subscription.
	Connect-AzAccount -Credential $pscred


	# Create the service principal for Azure AD Domain Services.
	if (! $(Get-AzADServicePrincipal | ? { $_.ApplicationId -eq "2565bd9d-da50-47d4-8b85-4c97f669dc36" })) {
		New-AzADServicePrincipal -ApplicationId "2565bd9d-da50-47d4-8b85-4c97f669dc36"
		wh "created ServicePrincipal 'Domain Controller Services'"
	}
	else {
		wh "ServicePrincipal 'Domain Controller Services' already exists"
	}


	# Create the delegated administration group for AAD Domain Services.
	if (! $(Get-AzureADGroup | ? { $_.DisplayName -eq $AaddcGroupName })) {
		New-AzureADGroup -DisplayName $AaddcGroupName `
			-Description "Delegated group to administer Azure AD Domain Services" `
			-SecurityEnabled $true -MailEnabled $false `
			-MailNickName "AzAdDcAdministrators"
		wh "created AzureADGroup '$AaddcGroupName'"
	}
	else {
		wh "AzureADGroup '$AaddcGroupName' already exists"
	}

	# First, retrieve the object ID of the 'AAD DC Administrators' group.
	$GroupObjectId = Get-AzureADGroup `
		-Filter "DisplayName eq '$AaddcGroupName'" | `
		Select-Object ObjectId

	# Now, retrieve the object ID of the user you'd like to add to the group.
	$UserObjectId = Get-AzureADUser `
		-Filter "UserPrincipalName eq '$AaddsAdminUserUpn'" | `
		Select-Object ObjectId

	$GroupId = ($GroupObjectId.ObjectId).toString()
	$UserId = ($UserObjectId.ObjectId).toString()

	# Add the user to the 'AAD DC Administrators' group (idempotent).
	if (!(Get-AzureADGroupMember -ObjectId $GroupId | ? { $_.UserPrincipalName -eq $AaddsAdminUserUpn } )) {
		Add-AzureADGroupMember -ObjectId $GroupId -RefObjectId $UserId
	}

	# Register the resource provider for Azure AD Domain Services with Resource Manager.
	if (! $(Get-AzResourceProvider | ? { $_.ProviderNamespace -eq $ResourceProvider })) {
		Register-AzResourceProvider -ProviderNamespace $ResourceProvider
		wh "registered resource provider '$ResourceProvider'"
	}
	else {
		wh "resource provider '$ResourceProvider' was already registered"
	}


	# Create the resource group.
	if (! $(Get-AzResourceGroup | ? { $_.ResourceGroupName -eq $ResourceGroupName })) {
		New-AzResourceGroup -Name $ResourceGroupName -Location $AzureLocation
		wh "created resource group '$ResourceGroupName'"
	}
	else {
		wh "resource group '$ResourceGroupName' already exists"
	}

	# Create the dedicated subnet for AAD Domain Services.
	$AaddsSubnet = New-AzVirtualNetworkSubnetConfig `
		-Name $SubnetDs1 `
		-AddressPrefix $SubnetDs1_AddressPrefix

	# Create the subnet for workloads that will use the managed domain.
	$WorkloadSubnet = New-AzVirtualNetworkSubnetConfig `
		-Name $SubnetDs2 `
		-AddressPrefix $SubnetDs2_AddressPrefix

	# Create the virtual network in which you will enable Azure AD Domain Services.
	$AaddsVirtualNetwork = New-AzVirtualNetwork `
		-Name $Vnet `
		-ResourceGroupName $ResourceGroupName `
		-Location $AzureLocation `
		-AddressPrefix $Vnet_AddressPrefix `
		-Subnet $AaddsSubnet, $WorkloadSubnet


	# Enable Azure AD Domain Services for the directory.
	# SubnetId must point at the subnet created above ($SubnetDs1); the Microsoft sample
	# names its subnet 'DomainServices', which does not exist in this virtual network.
	New-AzResource -ResourceId "/subscriptions/$AzureSubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.AAD/DomainServices/$ManagedDomainName" `
		-Location $AzureLocation `
		-Properties @{
			"DomainName" = $ManagedDomainName;
			"SubnetId"   = "/subscriptions/$AzureSubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Network/virtualNetworks/$Vnet/subnets/$SubnetDs1"
		} `
		-Force -Verbose
}

create_Azure_Active_Directory_Domain_Services

I can't find any logs for this Domain Services object.
The only error I can find is the PowerShell error.

thanks for your help.

tom johnson
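Where the failure details actually live, as an added example that is not part of the original post: a resource in the 'Failed' state exposes its provisioningState, and the failed ARM operation is recorded in the subscription activity log (Get-AzLog), not on the resource itself. The function below reads both and also verifies that the subnet named in the SubnetId property exists in the virtual network, since that reference is the easiest thing to get wrong when a sample script is adapted. Defaults mirror the placeholder values from the script above; an Az session opened with Connect-AzAccount is assumed.

```powershell
# Added example: gather the diagnostics for a failed Azure AD Domain Services deployment.
# Assumes an Az session (Connect-AzAccount). Parameter defaults are the placeholders
# from the script in the post.

function Get-AaddsDeploymentDiagnostics {
    param(
        [string] $SubscriptionId    = 'guid',
        [string] $ResourceGroupName = 'aadds-resgrp-01',
        [string] $ManagedDomainName = 'xxx.domain.com',
        [string] $VnetName          = 'aadds-vnet-01',
        [string] $SubnetName        = 'aadds-subnet-DS01',
        [int]    $LookbackHours     = 6
    )

    $resourceId = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName" +
                  "/providers/Microsoft.AAD/DomainServices/$ManagedDomainName"

    # The resource may or may not exist after a failed create; treat absence as a finding, not an error.
    $resource = Get-AzResource -ResourceId $resourceId -ExpandProperties -ErrorAction SilentlyContinue

    # Does the subnet the deployment referenced actually exist in the VNet?
    $vnet   = Get-AzVirtualNetwork -Name $VnetName -ResourceGroupName $ResourceGroupName -ErrorAction SilentlyContinue
    $subnet = $vnet.Subnets | Where-Object Name -eq $SubnetName

    # Failed ARM operations are recorded in the activity log with a status message.
    $failures = Get-AzLog -ResourceGroupName $ResourceGroupName -StartTime (Get-Date).AddHours(-$LookbackHours) |
        Where-Object { "$($_.Status)" -match 'Failed' } |
        Select-Object EventTimestamp, OperationName,
            @{ n = 'Message'; e = { $_.Properties.Content['statusMessage'] } }

    [pscustomobject]@{
        ResourceExists    = [bool] $resource
        ProvisioningState = $resource.Properties.provisioningState
        VnetExists        = [bool] $vnet
        SubnetExists      = [bool] $subnet
        SubnetId          = $subnet.Id
        FailedOperations  = $failures
    }
}

Get-AaddsDeploymentDiagnostics | Format-List
```

The statusMessage in the activity log is the text the error "Please check the logs for more details" refers to; SubnetExists being false, with the rest healthy, points straight at the SubnetId value passed to New-AzResource.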



Migrate AD to Azure AD


Dear all,

I have AD Directory Synchronization set up, so now I want to migrate to the cloud. I would like to get any advice or resources regarding this.

- Windows Server 2008 R2 Standard (SP1) (virtualized)

- PowerShell Version 3.0

- DirSync 1.1.561.0

Thank you

Changes in MFA & Azure Audit logs


Hello,

Do you know if changes in MFA generate unique log event in audit logs?

Example:

User A disables the MFA from user B

User A disables MFA for the group C users etc.

The use case would be security surveillance (SIEM/SOC).

Br,

Darren
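A way to answer the question empirically, as an added example that is not part of the original post: pull the directory audit log for a window, keep the activities whose names mention authentication or MFA, and flatten actor and targets into one row per event, which is the shape a SIEM wants. It assumes the AzureADPreview module (Get-AzureADAuditDirectoryLogs) and an account permitted to read audit logs; the activity-name pattern is an assumption to be widened once the real activity names for the tenant's MFA changes have been observed in the output.

```powershell
# Added example: extract MFA/authentication-related directory audit events for SIEM review.
# Assumes the AzureADPreview module and a Connect-AzureAD session with audit-log read rights.
# The -ActivityPattern default is an assumption; review unmatched activity names and extend it.

Import-Module AzureADPreview -ErrorAction Stop
# Connect-AzureAD    # interactive sign-in, once per session

function Get-MfaRelatedAuditEvents {
    param(
        [int]    $LookbackDays    = 7,
        [string] $ActivityPattern = 'multi-?factor|authentication method|strong authentication|per-user MFA'
    )
    $since = (Get-Date).AddDays(-$LookbackDays).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

    Get-AzureADAuditDirectoryLogs -Filter "activityDateTime ge $since" -All $true |
        Where-Object { $_.ActivityDisplayName -match $ActivityPattern } |
        ForEach-Object {
            [pscustomobject]@{
                Time     = $_.ActivityDateTime
                Activity = $_.ActivityDisplayName
                Category = $_.Category
                Result   = $_.Result
                Actor    = $_.InitiatedBy.User.UserPrincipalName     # "User A" in the post's examples
                Targets  = ($_.TargetResources | ForEach-Object { $_.UserPrincipalName }) -join ';'   # "User B" / group members
            }
        }
}

# Quick inventory of which activity names occur at all, to tune -ActivityPattern:
Get-AzureADAuditDirectoryLogs -Filter "activityDateTime ge $((Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ'))" -All $true |
    Group-Object ActivityDisplayName | Sort-Object Count -Descending | Select-Object Count, Name

Get-MfaRelatedAuditEvents | Sort-Object Time | Format-Table -AutoSize
```

Running the inventory first, then performing a known MFA change on a test account and re-running it, shows directly whether that change produces a distinct activity name, which is the uniqueness question the post asks.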


Problem with Azure AD password Writeback


Hi

I've connected my AD with Azure AD Connect. Accounts are well synced from on-premises AD to O365. I've added password writeback and activated all options and licenses. But when I try to reset from the reset website, I get the message that the on-premises service is not reachable:

We could not reach your on-premises password reset service. Check your sync machine's event log

Sometimes it works and says that I don't meet password complexity (just 6 characters).

That's strange. When I change from AD to O365 it works fine. Are there any ports to open to authorize Azure AD to have access to on-premises AD?

Thx

Stéphane

Roles at Subscription, AD org, and Resource Level


Hello,

I have general questions around the relationship of roles when using Azure AD (as we currently are), mainly because when I look at our subscription roles, they don't seem to directly tie in to what the Azure AD roles look like. For example, there are certain functions that you need to be a global admin at the Azure AD level to perform. One of these functions is the ability to use powershell scripts to edit Office 365 accounts.

Another example would be at a subscription level: there are specific resource actions for which you need to be a subscription owner in order to perform them. One example of this would be creating Integration Runtimes in Azure Data Factory. If you're not a subscription owner (it is specified in the documentation how-to) then you will not be able to do this.

Now I'm new to my company but don't believe they've set up things to be the most efficient. At a resource level, they are using "Active Directory admin" to manage roles, but in some cases have an AD group selected, and in other cases have an email security group selected (created and managed at the office 365 level). Here's what I'm wanting to do:

  1. I want to restrict access of all resources using AD groups (in IAM menu of resource)
  2. For resources that have AD admin menu (not all Azure resources have this as an option), I want to make the admin an AD group
  3. I want the ability to manage AD users simply by adding them to an AD group that corresponds to the access they need

Here's my problem:

I don't see a list that actually correlates Azure AD roles to Subscription roles, or a document that explain the full relationship. Can anyone help me out or point me in the right direction for this?
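The two role systems are separate and have to be read from separate APIs, which is why no single list correlates them. As an added example that is not part of the original post, the function below takes one user and returns both sets side by side: Azure AD directory roles (tenant-wide, read with the AzureAD module) and Azure RBAC assignments (subscription, resource group or resource scope, read with the Az module, including assignments inherited through groups). It assumes sessions opened with Connect-AzureAD and Connect-AzAccount and that the current Az context is the subscription of interest; the UPN is a placeholder.

```powershell
# Added example: show, for one user, the Azure AD directory roles and the Azure RBAC role
# assignments so the two planes can be compared. Assumes AzureAD + Az modules and active
# sessions; the UPN in the usage line is a placeholder.

function Get-PrincipalRoleMap {
    param([Parameter(Mandatory = $true)] [string] $UserPrincipalName)

    $user = Get-AzureADUser -ObjectId $UserPrincipalName

    # Azure AD plane: activated directory roles whose membership includes the user.
    $directoryRoles = Get-AzureADDirectoryRole | Where-Object {
        Get-AzureADDirectoryRoleMember -ObjectId $_.ObjectId | Where-Object ObjectId -eq $user.ObjectId
    } | ForEach-Object {
        [pscustomobject]@{ Plane = 'AzureAD'; Role = $_.DisplayName; Scope = '/ (tenant)'; Via = 'direct' }
    }

    # Azure RBAC plane: assignments at any scope in the current subscription, direct and via groups.
    $rbac = Get-AzRoleAssignment -SignInName $UserPrincipalName -ExpandPrincipalGroups | ForEach-Object {
        $via = if ($_.ObjectType -eq 'Group') { "group:$($_.DisplayName)" } else { 'direct' }
        [pscustomobject]@{ Plane = 'AzureRBAC'; Role = $_.RoleDefinitionName; Scope = $_.Scope; Via = $via }
    }

    @($directoryRoles) + @($rbac)
}

Get-PrincipalRoleMap -UserPrincipalName 'someone@contoso.example' | Format-Table -AutoSize
```

Run over the people who currently hold Owner or Global Administrator, the output makes the three goals in the post checkable: every RBAC row should show Via = group:<name>, and the directory-role rows should be few and justified.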

Duplicate Computers and Conditional Access (Hybrid Azure AD Join)


https://docs.microsoft.com/en-us/azure/active-directory/device-management-hybrid-azuread-joined-devices-setup#step-5-verify-joined-devices

We have set this up successfully, but for the most part we see two entries for each computer (one for "Azure AD registered" and one for "Hybrid Azure AD joined").

We are trying to do some Intune conditional access with "Hybrid" Windows devices, but as best we can tell, the computer thinks we are coming from the Azure AD registered computer, not the Hybrid joined computer, even though they are one and the same.

It was our understanding that activating this would "merge" the entries together, but that doesn't seem to be the case. Can anyone shed some light on this situation? We are in a password hash sync environment with no federation.
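A way to inventory the doubled state described above, as an added example that is not part of the original post: each device object in Azure AD carries a DeviceTrustType, 'Workplace' for Azure AD registered and 'ServerAd' for hybrid Azure AD joined, so grouping devices by display name and keeping the names that have both types lists exactly the affected computers. It assumes the AzureAD module and a Connect-AzureAD session.

```powershell
# Added example: list computers that exist in Azure AD both as 'Azure AD registered'
# (DeviceTrustType 'Workplace') and as 'Hybrid Azure AD joined' (DeviceTrustType 'ServerAd').
# Assumes the AzureAD module and a Connect-AzureAD session.

function Get-DuplicateDeviceEntries {
    Get-AzureADDevice -All $true |
        Group-Object DisplayName |
        Where-Object {
            $types = @($_.Group.DeviceTrustType)
            ($types -contains 'Workplace') -and ($types -contains 'ServerAd')
        } |
        ForEach-Object {
            foreach ($d in $_.Group) {
                [pscustomobject]@{
                    DisplayName     = $d.DisplayName
                    ObjectId        = $d.ObjectId
                    DeviceTrustType = $d.DeviceTrustType
                    LastLogon       = $d.ApproximateLastLogonTimeStamp   # helps identify the stale entry
                    OSVersion       = $d.DeviceOSVersion
                }
            }
        }
}

# Review the pairs before removing anything: the entry with the older LastLogon is the
# candidate for cleanup, and the conditional access policy should target the ServerAd one.
Get-DuplicateDeviceEntries | Sort-Object DisplayName, DeviceTrustType | Format-Table -AutoSize
```

Comparing LastLogon across each pair shows which object the sign-ins are actually being attributed to, which is the claim in the post that is otherwise hard to verify from the portal.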
