User Profile
RobYoung
Iron Contributor
Joined Mar 09, 2017
User Widgets
Recent Discussions
Re: Seamless SSO According to MS Support
I have not come across any documentation that specifically states that seamless SSO is unsupported in a hybrid environment. In the document Configure single sign-on for Azure Virtual Desktop using Microsoft Entra ID - Azure Virtual Desktop | Microsoft Learn It does state that; If you enable single sign-on on Microsoft Entra hybrid joined session hosts without creating a Kerberos server object, one of the following things can happen when you try to connect to a remote session: You receive an error message saying the specific session doesn't exist. Single sign-on will be skipped and you see a standard authentication dialog for the session host. To resolve these issues, create the Kerberos server object, then connect again. So this tells me if I meet the required criteria, I can have seamless sso.Seamless SSO According to MS Support
I am in the process of setting up a POC for AVD and followed all the instructions that I have found for enabling Seamless SSO for AVD. We are currently running in hybrid mode and I have created a server 2025 with latest patches. When I attempt to sign in via web or windows app, I signin to the web interface or the app and I am presented with the desktops. I launch a desktop and it prompts me for a user and pass (the user is pre-populated) My understanding is that this should not happen. It should seamlessly signin (This would cause issues with our users not using passwords) I contacted Microsoft support and they state that this is by design. They stated this is how it operates in their lab. Can someone clarify, if I sign into Windows app or the web, that my authentication should seamlessly sign me into the AVD server I have published? ThanksCleanup Intune profiles and policies
We have come across an issue where a desktop support person was logging into each windows device that they were deploying which assigned them as the primary user on the device. I ran a script to switch the primary user to the last logged on user which cleaned up the devices and assigned them corrcetly but now the polcies and profiles are a mess. Most of our polcies and profiles are user based and when I changed the primary user, it left his polcies and profiles on the device. How do I purge their policies and profiles on these devices. could it be his work profile is also still assigned on this device?Re: Recieving increasing number of phishing attempts mimicking Microsoft MFA QR Codes
I think I am going to look at building a homegrown solution for scanning images for QR codes and building some rules around alerting on it (uncommon senders and from public email domains). Shouldnt be too difficult to do. Nice little side project.Re: New Outlook opens security hole
drogu-kangaroo Just an update, I performed the following test again and it did work: Create a test owa policy using powershell: New-OwaMailboxPolicy TestOWAPolicy Then I disabled personal accounts: Set-OwaMailboxPolicy -PersonalAccountsEnabled -$false -identity TestOWAPolicy Then I applied the policy to a test user: Set-CASMailbox <email address removed for privacy reasons> -OwaMailboxPolicy TestOWAPolicy I then tried to add my personal mailbox to my outlook. It goes through the motions and just as it is about to sync, I get this:Missing data from the Office Activity logs
I run a query on a daily basis that uses the OfficeActivity table and filters the term Send within the operation field. I started to notice that my results were decreasing so I ran a summary for the past month and noticed a huge decrease in OfiiceActivity capturing the send activity. Any thoughts on what would be the cause of this? PS it is not sentinel missing data, because when I check the activity in Defender for cloud, the results are the same. Here is the query I ran: OfficeActivity | where TimeGenerated > ago(30d) | where Operation contains "Send" | summarize count() by bin(TimeGenerated, 1d) And here are the results: TimeGenerated [UTC] count_ 8/25/2023 417 8/24/2023 66 8/23/2023 93 8/22/2023 77 8/21/2023 73 8/20/2023 16 8/19/2023 17 8/18/2023 326 8/17/2023 2978 8/16/2023 3175 8/15/2023 4106 8/14/2023 3632 8/13/2023 466 8/12/2023 527 8/11/2023 2516 8/10/2023 3187 8/9/2023 3143 8/8/2023 3289 Now today it is looking like it is starting to climb back but I need to rely on this data so I wouldn't mind knowing why it stopped for almost a week. (no changes that would impact our environment were made btw)Re: New Outlook opens security hole
Just an FYI, I am just in the process of testing the OWA polices which seem to apply to both Outlook on the Web and "New Outlook". I have setup a test OWA policy: New-OwaMailboxPolicy TestOWAPolicy Then I disabled personal accounts: Set-OwaMailboxPolicy -PersonalAccountsEnabled -$false -identity TestOWAPolicy Then I applied the policy to a test user: Set-CASMailbox email address removed for privacy reasons -OwaMailboxPolicy TestOWAPolicy Just waiting for the policy to kick-in. Here is the link for reference: https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/outlook-on-the-web/apply-or-remove-outlook-web-app-mailbox-policyRe: Attachment Count for Exchange Online Traffic
All I can think of is if you use Sentinel and create an alert with a playbook to block the user when the attachment count exceeds 20. For example, the query will list all the records of users who sent attachments with a count of 20 or higher: OfficeActivity | where RecordType contains "exchange" | where Operation contains "send" | extend InternetMessageId_ = tostring(parse_json(Item).InternetMessageId) | join kind=innerunique EmailEvents on $left.InternetMessageId_ == $right.InternetMessageId | extend Attachments_ = tostring(parse_json(Item).Attachments) |where AttachmentCount >= 20 (sorry, query is not polished but it gets the job done)
