User Profile
bart_vermeersch
Iron Contributor
Joined 10 years ago
Recent Discussions
Re: Understanding Sign-In logs - password hash sync from another country?
Password hash sync means that the DC is owner of the password and a hash (of a hash) of that password is synced to your Entra ID tenant. That hash is used to validate the credentials from the user trying to sign in. In this case some malicious users are probably trying to password spray some of your users. You should look out for valid passwords and failed MFAs. (I do hope all your users are on MFA.)
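The triage the reply above recommends, as an added example that is not code from the original thread: sort sign-in records into "password wrong", "password right but MFA failed" and "signed in", then report which source IPs are spraying many accounts and which users' passwords the attacker already has. It assumes the Microsoft Graph signIn record shape (userPrincipalName, ipAddress, location.countryOrRegion, status.errorCode), the documented meaning of error codes 50126 and 500121, a home country of BE and a spray threshold of three accounts per IP; the sample records are constructed.

```python
"""Triage Entra ID sign-in records during a suspected password spray.

Added example for the reply above; not code from the original thread.
Assumptions: records follow the Graph `signIn` resource shape, the error
codes below mean what Microsoft's sign-in error reference says they mean,
and the sample records are constructed for this example.
"""
from collections import defaultdict
import json

# Error codes as documented by Microsoft (assumed here, not taken from the thread).
INVALID_PASSWORD = 50126  # "Error validating credentials due to invalid username or password"
MFA_FAILED = 500121       # password accepted, strong authentication failed or was denied
SUCCESS = 0

HOME_COUNTRY = "BE"       # assumption: where this tenant's users normally sign in from
SPRAY_MIN_USERS = 3       # assumption: one IP failing against this many accounts looks like spraying

# Constructed sample: one foreign IP tries a password against several accounts,
# gets it right for two of them, and one of those two had no MFA at all.
SAMPLE_SIGNINS = json.loads("""[
 {"userPrincipalName": "alice@example.org", "ipAddress": "198.51.100.7",
  "location": {"countryOrRegion": "US"}, "status": {"errorCode": 50126}},
 {"userPrincipalName": "bob@example.org",   "ipAddress": "198.51.100.7",
  "location": {"countryOrRegion": "US"}, "status": {"errorCode": 50126}},
 {"userPrincipalName": "carol@example.org", "ipAddress": "198.51.100.7",
  "location": {"countryOrRegion": "US"}, "status": {"errorCode": 50126}},
 {"userPrincipalName": "dave@example.org",  "ipAddress": "198.51.100.7",
  "location": {"countryOrRegion": "US"}, "status": {"errorCode": 50126}},
 {"userPrincipalName": "erin@example.org",  "ipAddress": "198.51.100.7",
  "location": {"countryOrRegion": "US"}, "status": {"errorCode": 500121}},
 {"userPrincipalName": "frank@example.org", "ipAddress": "198.51.100.7",
  "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
 {"userPrincipalName": "alice@example.org", "ipAddress": "203.0.113.9",
  "location": {"countryOrRegion": "BE"}, "status": {"errorCode": 0}},
 {"userPrincipalName": "bob@example.org",   "ipAddress": "203.0.113.9",
  "location": {"countryOrRegion": "BE"}, "status": {"errorCode": 50126}}
]""")


def classify(record):
    """Map one sign-in record to what it tells us about the password."""
    code = record["status"]["errorCode"]
    if code == INVALID_PASSWORD:
        return "password_fail"
    if code == MFA_FAILED:
        return "password_ok_mfa_fail"   # the password was right; MFA is what stopped them
    if code == SUCCESS:
        return "success"
    return "other"                      # CA blocks, locked accounts, etc.: not judged here


def spray_sources(records, min_users=SPRAY_MIN_USERS):
    """IPs whose password failures hit at least `min_users` distinct accounts."""
    targets = defaultdict(set)
    for r in records:
        if classify(r) == "password_fail":
            targets[r["ipAddress"]].add(r["userPrincipalName"])
    return {ip: sorted(users) for ip, users in targets.items() if len(users) >= min_users}


def compromised_passwords(records, home=HOME_COUNTRY):
    """Users whose password was accepted from outside the home country.

    'password_ok_mfa_fail' means the attacker knows the password and MFA held;
    'success' from abroad means they are in and the account needs a reset now.
    """
    hits = defaultdict(list)
    for r in records:
        verdict = classify(r)
        country = r.get("location", {}).get("countryOrRegion")
        if verdict in ("password_ok_mfa_fail", "success") and country != home:
            hits[r["userPrincipalName"]].append((verdict, r["ipAddress"], country))
    return dict(hits)


def triage(records):
    """Everything an analyst wants from one export, in one dict."""
    return {
        "spray_sources": spray_sources(records),
        "compromised_passwords": compromised_passwords(records),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_SIGNINS), indent=2))
```

Run it against a Graph or Log Analytics export converted to the same field names; the `password_ok_mfa_fail` bucket is the list of passwords to reset today, and `success` from abroad with no MFA is the list of accounts to treat as compromised.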
Re: Migration to Cloud Sync (passwords)
VasilMichev I'm afraid that's AAD Connect sync only, unless someone has other experience. When looking at the docs of Cloud Sync, there is no reference to ForcePasswordChangeOnLogOn or userForcePasswordChangeOnLogonEnabled. I'm looking for confirmation that this scenario is indeed not supported when using Cloud Sync. According to the MS docs, not even the password gets synced when "change password on next logon" is set in AD. https://learn.microsoft.com/en-us/entra/identity/hybrid/cloud-sync/reference-cloud-sync-faq#what-happens-when-a-synced-user-is-required-to-change-password-on-next-logon-

What happens when a synced user is required to change password on next logon? If password hash sync is enabled in cloud sync and the synced user is required to change password on next logon in on-premises AD, cloud sync doesn't provision the "to-be-changed" password hash to Microsoft Entra ID. Once the user changes the password, the user password hash is provisioned from AD to Microsoft Entra ID.
Migration to Cloud Sync (passwords)
We want to migrate from AAD Connect Sync to Cloud Sync. When provisioning new users we could use temporary passwords in AAD Connect Sync, through this feature:

Set-ADSyncAADCompanyFeature -ForcePasswordChangeOnLogOn $true

Is this feature still available in Cloud Sync? If not, what is the workaround?
Forms API or Flow support
For a global student assessment form/tool we are looking into MS Forms. However, it is mandatory to process incoming results automatically (5,000 results expected each year). Is there any news on the development of an API (to get to the results) or integration with Flow so we can process incoming results automatically? Thanks!
Sharing your calendar within a department or team
I would like to discuss the best way of sharing a personal calendar with your coworkers/team/department. We often get requests from groups of people who want to share their personal calendars with each other. We used AD security groups for this (often mail-enabled), but would like to know if there are better solutions since we are gradually moving online. We are pushing towards Office 365 groups, so people can manage the group members themselves, but these groups can't be assigned calendar permissions. We want to avoid creating multiple types of groups with identical members. Any suggestions on best practices in this quickly evolving landscape? Thanks!
Office 365 ProPlus Activation on Mac
We frequently receive calls from our end users who are unable to activate Office 365 ProPlus on Mac. When providing their credentials on the ADFS screen to activate Office 365 ProPlus, the login page refreshes without an error. The user is unable to get past the login page and can't activate the installation. Resetting the keychain didn't help. Any ideas on how to troubleshoot? Do you know which browser is used by Office to show the activation login page?

Bart
Azure AD v2 endpoint
A v2 endpoint to AAD is available as described on https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-limitations with the advantage of supporting both MSA and AAD as IdP. When you want to register an app using this endpoint you need to register the app outside Azure on https://apps.dev.microsoft.com/ What was strange to me was that for v1 the registration is on tenant level, while a v2 app is registered on a (personal) account level. I suppose this is to support apps developed outside a particular tenant? How should this be managed exactly? The owner of the account used to register the app can leave the company, and there is no overview of these apps on our tenant to manage them? Or am I missing something? Thanks!
Integrate 3rd party SaaS app with Azure AD
We would like to add a SaaS application to Azure AD. Is my understanding correct that you need premium licenses to assign roles to user groups? If we want to assign default access to all our users, is this possible without a premium license? (E.g. I can't find a "select all", or do I need to use PowerShell for this?) Thanks!

Bart
AAD Basic license for EDU
In the middle of July we received a notification in the O365 admin portal that we would be upgraded to AAD Basic. How can we verify that we've been upgraded?

"Azure Active Directory Basic for Education will be included in your Office 365 subscription MC109721 (July 14, 2017) In the coming month, a new service plan Azure Active Directory Basic for EDU will be included in your current Office 365 for Education subscription."
Devices in Azure AD visible to all users
We were a bit surprised to find out that a regular user can see the list of all devices using portal.azure.com. They can see the name and owner of the device, the OS version, and when it was activated. Most actions are greyed out, but Disable and Remove aren't. We tried the actions on one device and luckily it resulted in an error. Is everyone ok with this info being available to all users, or is it possible to hide this?
Combining Azure B2C and B2B?
I'm trying to get my head around Azure B2C and B2B. We are building a web app to be used by both internal (O365 users) and external users. Most of the external users will be individuals or employees of social profits without an identity provider. If we go for B2C, external users can leverage their existing social accounts, but our internal users will not be able to use their O365 accounts? If we go for B2B, our internal users can use SSO, but most external users will have to create a guest account using a self-service portal we provide? Is it feasible to combine both methods, will it be complex to implement, or is there another possibility to support both organizational/work accounts and social accounts? Thank you for your feedback!
Adding a custom SAML or OIDC app in Azure AD
Is the following assumption correct? And if so, what is the rationale behind the different approach? When adding a custom SaaS application using SAML, you need to create a service principal (through the Enterprise Applications blade); Azure also creates an application object in the background. When adding a custom SaaS application using OIDC/OAuth, you need to create an application object (through the App registrations blade); Azure also creates a service principal in the background. Thank you!
extension attributes
I'm confused by the different extension attributes. When using Get-AzureADUserExtension, you get a list of extension attributes in the following format:

extension_000c7c1090b04b55a0729dde2c757000_extensionAttribute1
extension_000c7c1090b04b55a0729dde2c757000_extensionAttribute2
...

These are also present using the MS Graph https://graph.microsoft.com/beta/Users/<upn>/

"extension_000c7c1090b04b55a0729dde2c757000_extensionAttribute1": "value",
"extension_000c7c1090b04b55a0729dde2c757000_extensionAttribute2": "value",

However, you can also query https://graph.microsoft.com/beta/Users/<upn>/onPremisesExtensionAttributes which returns:

"extensionAttribute1": "value",
"extensionAttribute2": "value",

Are "extension_0...0_extensionAttribute*" identical to "extensionAttribute*"? Where and when are these synced? We have one extensionAttribute which is not present as extension_0...0_extensionAttribute. How can we make sure all extensionAttributes are also available as extension_0...0_extensionAttribute? Can PowerShell also return extensionAttributes (instead of extension_0...0_extensionAttributes)?

Thanks! Bart
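One way to answer the "is every extensionAttribute also present as extension_..._extensionAttribute" question for a whole tenant is to pull both representations for each user and diff them. The following is an added example, not code from the thread: it assumes the beta Graph user shape the post quotes (top-level extension_<appId>_extensionAttributeN properties next to an onPremisesExtensionAttributes object), reuses the appId 000c7c1090b04b55a0729dde2c757000 shown in the post, assumes Graph accepts those property names in $select, and uses a constructed user document instead of a live call.

```python
"""Reconcile onPremisesExtensionAttributes with extension_<appId>_extensionAttributeN.

Added example for the post above, not code from the thread. Assumes the beta
Graph user shape the post quotes; APP_ID is the value shown in the post and the
user document below is constructed.
"""
import re

APP_ID = "000c7c1090b04b55a0729dde2c757000"  # from the post: a dash-less application ID
# extensionAttribute1..15 are the only on-premises slots AD Connect syncs.
EXTENSION_RE = re.compile(r"^extension_([0-9a-fA-F]{32})_(extensionAttribute(?:[1-9]|1[0-5]))$")

SAMPLE_USER = {  # constructed /beta/users/<upn> response, trimmed to the relevant fields
    "userPrincipalName": "bart@example.org",
    "extension_000c7c1090b04b55a0729dde2c757000_extensionAttribute1": "HR",
    "extension_000c7c1090b04b55a0729dde2c757000_extensionAttribute2": "Ghent",
    "extension_000c7c1090b04b55a0729dde2c757000_extensionAttribute5": "new-value",
    "extension_000c7c1090b04b55a0729dde2c757000_extensionAttribute6": "legacy",
    "onPremisesExtensionAttributes": {
        "extensionAttribute1": "HR",
        "extensionAttribute2": "Ghent",
        "extensionAttribute3": "contractor",   # synced on-prem, no extension_ twin
        "extensionAttribute4": None,           # unset on-prem: ignored
        "extensionAttribute5": "old-value",    # twin exists but holds a different value
    },
}


def directory_extensions(user, app_id=APP_ID):
    """Collect extension_<app_id>_extensionAttributeN properties as {extensionAttributeN: value}."""
    found = {}
    for key, value in user.items():
        m = EXTENSION_RE.match(key)
        if m and m.group(1).lower() == app_id.lower():
            found[m.group(2)] = value
    return found


def reconcile(user, app_id=APP_ID):
    """Compare the two representations; every key lands in exactly one bucket."""
    onprem_raw = user.get("onPremisesExtensionAttributes") or {}
    onprem = {k: v for k, v in onprem_raw.items() if v is not None}
    ext = directory_extensions(user, app_id)
    return {
        "matching": sorted(k for k in onprem if k in ext and ext[k] == onprem[k]),
        "missing_as_extension": sorted(k for k in onprem if k not in ext),
        "value_mismatch": sorted(k for k in onprem if k in ext and ext[k] != onprem[k]),
        "extension_only": sorted(k for k in ext if k not in onprem),
    }


def graph_select_url(upn, app_id=APP_ID):
    """URL that asks Graph for both representations in one call (beta endpoint, as in the post).

    Assumption: directory extension properties can be named in $select; they are
    requested explicitly so a missing one is a real gap, not a default-projection artefact.
    """
    props = ["onPremisesExtensionAttributes"] + [
        f"extension_{app_id}_extensionAttribute{n}" for n in range(1, 16)
    ]
    return f"https://graph.microsoft.com/beta/users/{upn}?$select={','.join(props)}"


if __name__ == "__main__":
    print(graph_select_url(SAMPLE_USER["userPrincipalName"]))
    for bucket, keys in reconcile(SAMPLE_USER).items():
        print(f"{bucket}: {keys}")
```

Feed `reconcile` the JSON Graph returns for each user; anything in `missing_as_extension` is the case the post describes (present on-prem, absent as a directory extension), and `value_mismatch` catches attributes whose extension copy was written by something other than the sync.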
Unable to set SSO in Azure AD Connect
We were unable to set SSO in the Azure AD Connect configuration for a brand new tenant. An error appeared: Cannot retrieve single sign-on status. The trace log shows:

Authenticate-ADAL: user name or password is invalid [invalid_grant] - AADSTS50126: Error validating credentials due to invalid username or password.

After disabling the security defaults (which enforce MFA on global admins) in the Azure tenant, the error disappeared and we could enable SSO. I assume re-enabling the security defaults will not impact the SSO setting? https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults
Exchange Online license hidden under AAD P1 license?
We were enabling AAD P1 licenses but we discovered it also contains an EXCHANGE_S_FOUNDATION license option which is not visible in the user interface. Since we are in a hybrid Exchange environment, it is not desirable to enable Exchange Online licenses. This license applies to Company instead of Users, so I assume it won't hurt if it's enabled for Exchange on-prem users?

{
  "skuId": "078d2b04-f1bd-4111-bbd4-b4b1b354cef4",
  "skuPartNumber": "AAD_PREMIUM",
  "appliesTo": "User",
  "servicePlans": [
    {"servicePlanName": "ADALLOM_S_DISCOVERY", "appliesTo": "User"},
    {"servicePlanName": "EXCHANGE_S_FOUNDATION", "appliesTo": "Company"},
    {"servicePlanName": "AAD_PREMIUM", "appliesTo": "User"},
    {"servicePlanName": "MFA_PREMIUM", "appliesTo": "User"}
  ]
}

Bart