User Profile
LainRobertson
Silver Contributor
Joined 7 years ago
User Widgets
Recent Discussions
Re: Unable to manage DFS namespace from DFS MMC
Hi DBY2025, Your screenshot is odd since the value of "\\4rail.mid\4rail" is showing up in the description bar. It ought to be the same value as the namespace. As to why you're only encountering this now after years of it being fine, my guess would be that you recently decommissioned something relating to 4rail.mid. What do you get if you run the following two commands from PowerShell? # Get the DFS root. Get-DfsnRoot -Path "\\man.mid\gem" | Format-List -Property NamespacePath, Path; # Get each DFS target. Get-DfsnRoot -Path "\\man.mid\gem" | Get-DfsnRootTarget | Format-List -Property NamespacePath, Path, TargetPath; Example output Repeating what I said at the start, the value for NamespacePath and Path ought to be the same, but I anticipate they're not. There's no supported way to change these values either, meaning if they don't match, you would have to recreate the namespace. Cheers, LainRe: Add members to a dynamic sec-grp excluding users with a specific "serviceplanid" assigned license
Hi Az_Iz, The problem with your rule is it's going to almost always include all people, since their account will have more than a single enabled service. When it comes to matching a single entry in a list of entries for the purpose of exclusion, you need to perform a negative match rather than a positive match. You can do this two ways: Use the "-any" operator in conjunction with the not() function; Use the "-all" operator rather than the "-any" operator. Using -any plus not() New-MgBetaGroup -DisplayName "Forum Test" -MailEnabled:$false -SecurityEnabled:$true -MailNickname "ForumTest" -GroupTypes "DynamicMembership" -MembershipRule "(user.accountEnabled -eq true) -and (user.mail -ne null) -and not((user.assignedPlans -any ((assignedPlan.servicePlanId -eq `"43de0ff5-c92c-492b-9116-175376d08c38`") -and (assignedPlan.capabilityStatus -eq `"Enabled`"))))" -MembershipRuleProcessingState "On"; Example output Using -all instead of -any New-MgBetaGroup -DisplayName "Forum Test 2" -MailEnabled:$false -SecurityEnabled:$true -MailNickname "ForumTest2" -GroupTypes "DynamicMembership" -MembershipRule "(user.accountEnabled -eq true) -and (user.mail -ne null) -and (user.assignedPlans -all ((assignedPlan.servicePlanId -ne `"43de0ff5-c92c-492b-9116-175376d08c38`") -or (assignedPlan.capabilityStatus -ne `"Enabled`")))" -MembershipRuleProcessingState "On"; Example output Cheers, LainRe: Hyper-v Replica Traffic segregation
Hi StefanoC66, I'd expect you're running into Kerberos authentication issues since there's no service principal name registrations (contained in the servicePrincipalName attribute) matching your CNAME on the Active Directory computer objects belonging to the hypervisor hosts. What I wouldn't expect it to relate to is the self-signed certificate, though if you're getting an untrusted root error, you can easily get around that by putting the partner's certificate (without the private key - so just the CER file type) in the other partner's trusted root authority store. Taking one of my Hyper-V hosts as an example, you can see that by default the hosts registers a number of services under the NetBIOS and DNS names of the actual host: However, if I knock up a CNAME - doesn't matter where (such as in a DNS zone or in the hosts file as you've done), then I'd have to go and add an entry for each relevant service to the computer object's servicePrincipalName attribute. I haven't bothered using CNAME records for Hyper-V hosts before so I can't authoritatively say which ones are required for your exact scenario, but if I had to guess, I'd work through the services in this order: Hyper-V Replica Service; Microsoft Virtual System Migration Service; WSMAN; HOST; Microsoft Virtual Console Service (I can't see this being needed but I've listed it for completeness). Do not add entries for the RestrictedKrbHost or TERMSRV services. As an example, if I wanted to register a CNAME of hv1.repl.company.com for the Hyper-V Replica Service then my list would grow from: To: Naturally, you'd need to do this for each required service. Once that's done, you'd likely need to restart the Hyper-V host for the changes to take effect. In any case, this is what's required to get Kerberos working with the CNAME. If Kerberos isn't what's holding you back then you may still run into this as an issue later, but for now, this would be my first item to check based on your description. Cheers, LainRe: New-MgBookingBusinessService | Turn Customer Information Questions Off
Hi AP_TC_ECASD, I don't use these APIs, but looking at the documentation, Graph shows that bookingBusiness and bookingCustomQuestion are two separate endpoints. The bookingBusiness endpoint documentation even lists customQuestions as a relationship (read-only, at that) rather than a property. What this collectively points to is that you cannot create the businessBooking entity and the bookingCustomQuestion with a single call to New-MgBookingBusinessService. Rather, you will need to: Call New-MgBookingBusiness first; Call New-MgBookingBusinessCustomQuestion afterwards, using the "id" obtained from the above commandlet. You'll need to call this once per question as it doesn't take multiple questions as input. References: New-MgBookingBusiness (Microsoft.Graph.Bookings) | Microsoft Learn New-MgBookingBusinessCustomQuestion (Microsoft.Graph.Bookings) | Microsoft Learn bookingBusiness resource type - Microsoft Graph v1.0 | Microsoft Learn bookingCustomQuestion resource type - Microsoft Graph v1.0 | Microsoft Learn Create bookingCustomQuestion - Microsoft Graph v1.0 | Microsoft Learn Cheers, LainRe: Creating Claims Mapping Policy in Entra ID
Hi MustangProgrammer, The format of your claim is incorrect, which based on version 2.30.0 of the commandlet does indeed show up in the error: The specific issue is you haven't provided the key-value pair correctly, where it is supposed to be in the format of "ID":"attributeName". Here's the correct format: $params = @{ definition = @( '{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"false","ClaimsSchema":[{"Source":"user","ID":"onpremisesssamaccountname","SamlClaimType": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"}]}}' ) displayName = "ClaimTest" } Which is then accepted by Graph, as demonstrated below: Cheers, LainRe: Why does this return a .csv with the length of the group names?
Hi kcelmer, There's two things going on here: An automatic type conversion; Using Export-Csv properly. The first point isn't something you'd be aware of unless you've been curious enough to dig into how PowerShell works, so you can't beat yourself up over this one. The short explanation is that PowerShell will attempt to make your life easier by attempting to convert different types in the background. You can see this in action in the following examples, where PowerShell attempts to cast the right-side value to the type of the left: PowerShell works well with the HashTable data type, but the AdditionalProperties is a dictionary type - which looks similar to the eye but can result in pipeline conversion issues under the hood, which is the reason you're seeing lengths rather than strings. Secondly, with your example commands, you're attempting to send the plain string value to be parsed by Export-Csv, which is expecting to receive header information. It does this by looking for attribute names, which will be missing if you are simply passing in flat string values. We can solve both issues by creating a new PSCustomObject that is in turn sent to Export-Csv, which is an object type the command is quite accustomed to dealing with: (Get-MgBetaUserMemberOf -UserId "lain.robertson [at] robertsonpayne.com").AdditionalProperties.ForEach({ [PSCustomObject] @{ DisplayName = $_["displayName"]; } }) | Export-Csv -NoTypeInformation -Path "D:\Data\Temp\Forum\forum.csv"; This yields the expected CSV content (including a proper column header): You'll get used to PowerShell's automatic type conversion peculiarities the more you tinker with it, but they are very subtle and confusing until you do. Cheers, LainRe: API-driven provisioning field mapping changes resynchronize all users and groups
Hi Brian_TheMessiah, The scope of impact is any joined user, which on the Active Directory side can be located anywhere - in our outside of the default creation organisational unit. The default organisational unit is where creations are effected, but if they're then moved elsewhere in the directory outside of that default organisational unit, the synchronisation process still tracks them based on whichever attribute(s) was nominated as the "match objects using this attribute = yes" definition, as shown below: Tutorial - Customize Microsoft Entra attribute mappings in Application Provisioning - Microsoft Entra ID | Microsoft Learn As an aside, this holds true for both users and groups. That's the scope question answered. Moving onto LJohn's second question of what is "changed" in Active Directory, the answer is all attribute mappings where "apply this mapping = always". Conversely, any attribute mapping where "apply this mapping = only during creation" will not be updated. Generally speaking, nothing should change other than the attribute whose mapping you've updated. Just to be clear (I'm probably being overly cautious in making this point), if you update an attribute mapping then that is applied to all joined accounts retrospectively (assuming the provisioning rule has the "update" target objects action setting checked). It isn't the case that the updated rule mapping is only applied to new account creations. This is where the "apply this mapping" setting acts as an important determinant. Cheers, LainRe: Problem restoring deleted user with mggraph
Hi Adamneedshelpwithpowershell, It's not your fault. The example within the Microsoft documentation is incorrect. Where the example lists the "-BodyParameter" parameter, it should have instead used the "-Headers" parameter. Quality assurance for the loss. To provide some tangible evidence, the following screenshot shows the list of parameters for the 2.30.0 version of Restore-MgDirectoryDeletedItem where you can see there is no such parameter as "BodyParameter", but there is one named "Headers". And here is an end-to-end example demonstrating the autoReconcileProxyConflict header from the documentation. The commands - in order - show: A deleted user; Restoring the user whilst using the autoReconcileProxyConflict header; That the user can now be seen as a normal user once more; Deleted the user, sending it to the recycle bin (a soft delete); Deleted the user from the recycle bin (a hard delete). Footnote: My examples use the beta endpoint commands but there's no difference with the v1.0 commands I referenced in my original reply. Cheers, LainRe: Problem restoring deleted user with mggraph
Hi Adamneedshelpwithpowershell, Use the Restore-MgDirectoryDeletedItem commandlet (from the Microsoft.Graph.Identity.DirectoryManagement module) in conjunction with the autoReconcileProxyConflict header: Restore-MgDirectoryDeletedItem (Microsoft.Graph.Identity.DirectoryManagement) | Microsoft Learn Restore deleted directory object item - Microsoft Graph v1.0 | Microsoft Learn Cheers, LainRe: Microsoft Entra Connect connecting always to old DC
Hi jpart_777, You're right to not set a preferred domain controller. That should never be used unless it cannot be avoided (which is typically only when someone has botched their Active Directory site topology design and implementation - which is sadly rather common). You ought to be fine with following your hunch and not specifying a preferred domain controller list. I've run a quick test on AAD Connect v2.4.131.0 and it cut over fine when I blocked access from the AAD Connect host to the domain controller it typically connects to. The test was basic but effective and entailed: Configuring the Windows Firewall on the AAD Connect host to block LDAP (and GC) traffic to the usual domain controller; Running a delta import (DI) on the Active Directory connector; Observing the result of the DI run. I actually expected that the DI may not work and an FI might have been required, but I was pleasantly surprised to see that the DI run succeeded. Prior to the blocking of the "usual" domain controller The firewall change to block access to rpdc01.robertsonpayne.com After the firewall change, showing the automatic switch to another domain controller Cheers, LainRe: Windows Authentication for Entra ID for SQL MI
Hi Zahid_Yaqub, Q: We have to synchronize service accounts and users to Entra IS that are used by applications? A: Yes, you do need to synchronise the on-premise account from Active Directory to Entra ID. Q: Does the client (running application to SQL management studio) require access to Entra ID...? A: I'm unclear on what you mean by "client". Do you mean the user launching SSMS? If so, then: If the user wishes to log onto SQL MI using SSO based on Windows Authentication (as shown below) - or Entra ID Integrated, then yes, their account needs to be synchronised to Entra ID. This remains true for all on-premise accounts looking to access SQL MI - service accounts, application accounts, etc. If you are looking to migrate databases from on-premise SQL Server to Azure SQL MI, you will need to plan for recreating/altering the existing on-premise identities to their Entra ID synchronised representations. The reason for this is that it's not actually your Active Directory account logging onto SQL MI. Here's a loose description of what happens: You are logged onto your domain- or hybrid-joined computer with your Active Directory account; You launch SSMS, choose Windows Authentication and connect to the Azure SQL MI; Under the hood, Windows requests a Kerberos ticket from Entra ID, where that ticket is actually aligned to your Entra ID account (which is why your account has to be synchronised to Entra ID); That ticket is presented to Azure SQL MI. Again, as I mentioned, the process is the same for any Active Directory account accessing SQL MI. This is why: The account must be synchronised from Active Directory to Entra ID; and The synchronised Entra ID account must have access to the SQL MI instance (as a login, user or most likely both - depending on whether or not the database is contained). Cheers, LainRe: Entra ID User Properties - Dynamic Groups
Hi adm_lawrimore, Anecdotally, nothing's likely to change any time soon as the dynamic rule builder engine hasn't changed in many years in the context of leveraging more existing attributes or adding new ones for customer data. Additionally, nothing's been announced that specifically relates to the rule engine, either - at least not where I'd expect it to be, which is here: What's new in Microsoft Graph - Microsoft Graph | Microsoft Learn You could look at using directory extensions but that's not really improving your position if you're already getting by using the extensionAttribute1-15 set. It's worth noting that extensionAttribute1-15 are also natively part of Azure AD, meaning you don't lose them if you cut over to being Azure-native. Cheers, LainRe: Copy text always as text from Onenote
Hi TF25, PowerShell can't help you here. Applications have their own direct clipboard implementation which outside processes can't generally interfere with. Microsoft's own advice for application developers is that if something is copied to the clipboard, it should be done so using as many different formats as possible (and practical). In OneNote's case, it's using at least two methods of storage: Rich text/HTML; Image. When you subsequently choose to paste into another application, that application doesn't speak to OneNote. All it sees it content on the clipboard, and if there's multiple presentations available, it's free to choose using any prioritisation is pleases which format(s) it's going to pull down. This is why you see many varied paste options in applications like Excel, Word, etc. When it comes to pasting in a browser like Edge, there's an additional level of control, which is on the visual control itself. For example, a textbox control will only be interested in plain text content on the clipboard; and image control may only be interested in an image; while other controls will let you drop both, at which point it'll decide which it prefers the most - which is why you may get an image by default but then text if you "control" the choice through using Ctrl+Shift+V. Anyhow, that background information is outside the scope of PowerShell, which unfortunately is of no assistance in this application-to-clipboard relationship. The most you can hope for is that the applications offer some control over their own copying and pasting behaviours, where for OneNote, it's limited to what you can find listed in the keyboard shortcut reference: Keyboard shortcuts in OneNote - Microsoft Support Cheers, LainRe: Cloud-First Attribute Ownership for Synced Users in Entra ID Is Not Supported
Hi DeeDeeGoss, Hybrid - which implies ongoing coexistence - is inherently complex, with business analysis and enterprise architecture planning being of far more significance than what is required for a migration project (which is a once-and-done cost of change exercise, even if it's lengthy in execution). 1. Attribute ownership delegation. This flies directly in the face of good data governance - specifically the concepts of source of truth and custodianship, where you want both to converge of the same body of people. Your specific focus seems to be on Workday - and I'm guessing therefore also Workday's adoption of Microsoft's Entra ID user provisioning API. With Workday, your integrator should have informed you there's multiple paths you can take: Workday Entra ID user provisioning; Workday Active Directory provisioning; Custom SOAP (or REST, but this is currently inferior to their SOAP APIs for complex scenarios). For a migration project, option 1 might be the better option for many customers (particularly if they're already cloud-native), but for hybrid customers where getting off Active Directory may be years away (typically due to critical applications), it certainly isn't. Option 2 would be ideal for hybrid customers with simple entity-relationship (ER) designs, with option 3 being the best for those with complex ER designs (think of many one-to-many and many-to-many relationships between identities, their positions, locations, sup-org placements, etc.). For a Workday customer operating as hybrid and wishing to retain robust governance, the correct approach would leverage either option 2 or 3, with Workday mastering the data in Active Directory and leaving AAD Connect to persistently manage the downstream data in Azure AD. This is the only model that ensures data is consistent from Workday, through Active Directory, out to Azure AD and optionally downstream into Azure-native platforms, systems and applications. Conversely, if option 1 were somehow leveraged whilst still being in hybrid mode, data trust would be eroded due to the growing mismatch of data both at the attribute level as well as new objects (ostensibly this would be user objects) that do not exist in Active Directory since they would not be synchronised from Azure AD back into Active Directory. Governance would similarly be eroded as a knock-on consequence since if data had to be ported back into Active Directory, it would have to be effected (be that manually or via bespoke automation) by a different body of people (i.e. your IT Helpdesk or IT automation specialists). We already see this in practice on a very limited scale today with Microsoft's own introduction of shadow attributes. Fortunately, it's only for some key attributes (perhaps aside from "mobile", which is simply a frustration), which with proper planning, can be lived with. But trying to extend this model to potentially all attributes isn't workable. You'd end up with a multi-mastered scenario that would be a governance and operational nightmare, as well as a frustration for end users. 2. Writeable directory extensions for synced users. Can you qualify what you mean? If you're talking about Azure AD directory extensions, then so long as they're registered against an application that isn't the "Tenant Schema Extension App" application, you should already be able to populate those using Graph. 3. Dynamic query support for custom security attributes. We'd all love to see this. In fact, I've always been of the opinion that all indexed attributes should be consumable in dynamic rules (and derivatives such as administrative units) but that's not what we were given, and very little has improved over the years on this front. 4. Clear guidance and tooling for cloud-first identity models. I feel like what you're asking for is authoritative modelling - maybe even proscriptive solutions architecture - from Microsoft for all customer scenarios, which in my mind isn't practical or achievable. Out of necessity, you're going to have to take this burden on board yourself, since while Microsoft can and does provide high-level guidelines, there's always going to be an unavoidable need to assess third party platforms/systems/applications which requires looking at the documentation from those third parties. You'd also need to plan from the perspectives of business and technical strategy, and that's likely to look different between customers. And of course - given the nature of this question, you need to be crystal clear on whether the customer is remaining hybrid or looking to migrate, where the architecture and orchestration of events are very different between those two. I've made a good number of assumptions given your original post doesn't provide much detail on your specific position, and I do sympathise with where you are coming from. But I disagree with requesting a multi-master approach to data in any context - Azure AD being the specific scenario for this question, as it will undermine governance and data trust for the sake of the perception of flexibility (since flexibility is readily achievable using better-aligned architectures), which is a bridge too far in my humble opinion. Cheers, LainRe: Attempting Powershell Remoting but experiencing errors
Hi MBee, Between Kerberos constrained and CredSSP, you will find CredSSP easier to implement and maintain. If your jump host (the server in the middle) is going to talk to a lot of constantly changing remote servers, you might want to just run with the CredSSP approach. Kerberos constrained is more secure than CredSSP but you might find the ongoing administration overwhelming. The only point I wanted to make in my original reply is that the 4sysops article is the least secure option of all three. So, even if you settle on CredSSP instead of Kerberos constrained delegation, at least it's a more secure option than what's in that article. Cheers, LainRe: OU list incomplete in AAD connect
Hi StefanoC66, That's fine - it just means you're using the installation defaults. If you run the program named miisclient.exe on your AAD Connect box, then: Go to the Connectors tab; Right-click on the Active Directory Domain Service Connector and choose Properties; You will be able to see which account AAD Connect is using to talk to Active Directory; Cancel out - you don't want to make any changes here. This is the account you need to ensure has access to the missing organisational unit. Cheers, Lain
