User Profile
NidalT
Brass Contributor
Joined Sep 06, 2016
Recent Discussions
Turning on Modern Authentication with mixed Outlook versions
Hi, We have not yet turned on Modern Authentication in our tenant. Our scenario: hybrid environment with Exchange 2010 and Office 365 without ADFS. We have approximately 1.5k users with Enterprise E3 licenses and Office 365 ProPlus 2016. Another 1.5k users with Enterprise E1 licenses and Office 2010 (we still have a lot of licenses for Office 2010, and E3 is quite expensive). And another 2k users with Enterprise F1 (formerly K1) licenses. Multi-Factor Authentication is enforced on all our users. All Outlook and Skype for Business profiles have been set up with an App Password because of MFA. If we enable Modern Authentication, what would happen with all those configured accounts? Would they get another login prompt or would it just continue to work? There is no way to enable it for a couple of users and see what would happen. Also, what about the users who still have Office 2010? Would they be able to continue working with the App Passwords? Or would we render them unable to log in to Outlook anymore? It's hard for us to know what the consequences are. The last thing we want is to cause issues with users' Outlook and Skype for Business. It took us a lot of effort to teach them about MFA and App Passwords.
4.2K Views | 1 like | 5 Comments

Re: Android - Corporate-owned devices with work profile - Screen lockout time
Hi Ruud, Initially I adjusted the existing settings. This, however, didn't do anything. I then created a new configuration profile with the desired settings, excluded the devices I'm testing with from the initial configuration profile and assigned them to the new profile. I can clearly see that the devices have this new configuration profile applied. Not the old one. Only the new profile. Clicking on it shows all green checkmarks and each setting is applied. I obviously did sync the policies in the Intune app. But as this has already been going on for weeks, there is also a lot of time passed in between 🙂 What does work though is if I wipe the device and onboard it from scratch with the same configuration profile and same policies. Here I do see the desired options in the Security settings. The settings are just not "unlocked" on devices that are already onboarded. The policy is exactly the same. I can even reproduce the issue. I have created a new enrollment profile and created a dynamic Azure AD group to which devices onboarded with that profile are added. Set the device restriction to how I don't want it to be (as before). Then, after the device is onboarded, I changed the same policy to my desired configuration, but nothing changes on the devices. If I onboarded again with the desired settings in place, the options would show correctly. So, as far as I can see in the testing I've done in the last couple of weeks... Once onboarded and once the settings are applied, you can pretty much do whatever you want with the configuration profile (device restrictions). Nothing will be applied to the devices already onboarded. I have even opened a Premier Support ticket with Microsoft. They found it odd, but in the end said that they cannot guarantee that Intune will work on all Android devices. To me this seems like one of the most basic features that should just work. If this doesn't work, you basically don't have any management capabilities.
Yes, you have the option to wipe the devices. And that's about it. That is why I opened this community post in the hope that someone has more experience with it than me and might push me in the right direction. I can't imagine that such a basic thing doesn't work.
2.7K Views | 0 likes | 1 Comment

Android - Corporate-owned devices with work profile - Screen lockout time
Hi, I have an issue with some Android devices managed via Intune. These devices are enrolled as "Corporate-owned devices with work profile". Initially, the devices were enrolled with a specific set of settings. We now have a need to change the screen lock timeout of those devices to allow for different screen lock timeouts. The issue is that the new settings are not applied on the devices. We have set everything to our needs, but the new policy is just not applied. The initial set of settings is still in effect. Reboot, sync, waiting for a couple of days, etc... nothing changes the settings. I have created a new enrollment profile with the desired settings as a test. When enrolling new devices, these settings are correctly applied. It does what we want it to do. However, setting these settings on devices already enrolled doesn't seem to do much. We would very much like to avoid having to enroll all those devices again. Logistically it is almost impossible to get them to do that, as those particular users are not very IT-minded. Does anyone have any idea what to do here? The devices with this issue are CAT phones which run on stock Android (v12). I have tested this with a Samsung Galaxy phone and have the exact same issue. Am I missing something here? This should be possible, right? Thank you for your time.
3.3K Views | 1 like | 3 Comments

Re: Report on MFA Status with Conditional Access
justJustinian The way I have resolved this is by creating a dynamic Azure AD group that adds all users eligible for MFA via Conditional Access (e.g. having the correct license assigned), then scoping the Conditional Access policy to that group. Then, for the inventory, I have a PowerShell script using MS Graph that checks whether any Authentication Method exists for all users and which method it is. In the same script, I cross-reference these users with the Azure AD group membership of the group that's scoped for Conditional Access. If the user has an Authentication Method configured and is a member of the group, MFA is enabled and enforced. If the user has an Authentication Method configured and is not a member of the group, MFA is not enforced. If the user does not have an Authentication Method configured but is a member of the group, MFA is enabled but not yet enforced (e.g. the user didn't enroll yet). If the user is not a member of the group, MFA is disabled. Now this all sounds like too much. And it is. It's unbelievable that we have to do all of this to be able to report on such a basic feature. But I really didn't see any other way to have a reliable inventory in our environment for MFA. I would share the script, but it's really fully customized for our own environment and it wouldn't be useful for you. It does a complete inventory of all users, guests, licenses, last login, MFA, etc... But as I've said... it's specific to our environment and it would be useless to share it with anyone. The MFA part is loosely based on this script: https://github.com/admindroid-community/powershell-scripts/blob/master/Export%20MFA%20Status%20Report%20using%20MS%20Graph/GetMFAStatusReport.ps1 I took snippets of that script because it's very well written. But if you use it as is, and add a few lines to get AAD group membership, you would have the same.
15K Views | 2 likes | 8 Comments

Enable MFA with AzureAD Module V2
Hi there, I have written a lot of PowerShell scripts to automate and report on Office 365/Azure in the last couple of years. Now I'm in the process of re-writing some of them to utilize the new AzureAD v2 module instead of the old MSOL module. Which, I think, will be deprecated soon? One of the benefits of this will be that we will be able to enable MFA on ALL admin accounts. The only thing that's holding me back is the fact that I can't figure out how to enable MFA with the new AzureAD module. Our user provisioning script will enable MFA for all new users. With the old MSOL cmdlets it is a piece of cake. But how to do it with the AzureAD module? Thanks

Re: Windows Virtual Desktop Client can't connect
Soo Kuan Teo Yes, I'm using the Windows Desktop Client and it's the latest version. In fact, since I have had the problem there have been two updates of the client, which didn't solve the problem. And I know, I'm not using mstsc.exe.
8.6K Views | 0 likes | 2 Comments

Windows Virtual Desktop Client can't connect
Hi, We're in the process of rolling out WVD to some users, one of which is me. I can connect via the Web Client without problems. I can connect to a full desktop and start apps only. So no issues there. However, with the Remote Desktop Client I receive the following error (screenshot attached): "Your computer can't connect to the remote computer because a security package error occurred in the transport layer. Retry the connection or contact your network administrator for assistance". Other colleagues can also connect without problems with the RD Client. I can also connect from other devices with my account. So it's clearly something on my own device. Important to note is that I can see all the WVDs and apps in the client. It's when I try to connect to them that it throws the error.
What I've done:
Cleared all entries from the Credential Manager
No proxy
Not blocked on firewall
Created this registry entry: HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client, Name: RDGClientTransport, Type: DWORD, Data: 1
Created this registry entry: Key: HKLM\SYSTEM\CurrentControlSet\Control\Lsa, Name: LmCompatibilityLevel, Type: REG_DWORD, Value: 3
Honestly no idea why it doesn't work. I don't think that my device differs in any way from those of my colleagues and from other domain-joined devices. Btw... Normal RDP to on-prem servers is working just fine. Any thoughts?
9K Views | 0 likes | 8 Comments

Re: Report on MFA Status with Conditional Access
n3vers Thanks. I already came across that script. It basically does the same as mine. It's not accurate. If there is a Conditional Access policy, but due to some conditions a particular account is not affected by it and it has an Authentication Phone configured, the script (like mine) will report that MFA is enabled even though it's not enforced. We have a couple of these accounts in our environment. While everything is under control here, I wanted to have a reliable report that I can look at occasionally to identify such accounts if they, for some reason, slip through.
21K Views | 0 likes | 13 Comments

Report on MFA Status with Conditional Access
Is there any effective way to get a report of the actual MFA state of your users? I mean, the individual MFA state as well as MFA enabled via Conditional Access. It's easy to report on the individual MFA state. You get nice results: Enabled, Disabled, Enforced... However, if MFA is enabled via Conditional Access I can't seem to find an effective way to report on it. The PowerShell snippet below is the closest I can get. It will check if MFA is enabled individually. If not, it will check the "StrongAuthenticationMethods.IsDefault" attribute and report on that. But this is not always accurate, because if the "Phone" or "Alternate Phone" are configured in the Azure user object, it will still report it here even if the user is not a member of a Conditional Access policy. There is a built-in Azure report for this, but it is completely incorrect. It says that, for instance, I'm not enabled for MFA even though I've been enabled for the last 6 years. Report: https://portal.azure.com/#blade/Microsoft_AAD_IAM/AuthMethodsOverviewBlade Has anyone figured this out yet?
# Requires the MSOnline module; run Connect-MsolService first.
$user = Get-MsolUser -UserPrincipalName yourUserName@contoso.com
$StrongAuthenticationMethodsresult = $user.StrongAuthenticationMethods | Select-Object MethodType, IsDefault

[PSCustomObject]@{
    UserPrincipalName = $user.UserPrincipalName
    ObjectID          = $user.ObjectId
    DisplayName       = $user.DisplayName
    AuthEmail         = $user.StrongAuthenticationUserDetails.Email
    AuthPhoneNumber   = $user.StrongAuthenticationUserDetails.PhoneNumber
    PhoneDeviceName   = $user.StrongAuthenticationPhoneAppDetails.DeviceName
    AuthAltPhone      = $user.StrongAuthenticationUserDetails.AlternativePhoneNumber
    # Per-user MFA state when set; otherwise infer from a default method (not reliable for Conditional Access, see above).
    State = if ($null -ne $user.StrongAuthenticationRequirements.State) {
                $user.StrongAuthenticationRequirements.State
            } elseif ($user.StrongAuthenticationMethods.IsDefault -eq $true) {
                "ConditionalAccess ($(($user.StrongAuthenticationMethods | Where-Object IsDefault -eq $true).MethodType))"
            } else {
                "Disabled"
            }
    # One "configured" and one "is default" flag per method type.
    # The IsDefault lookups filter on the same MethodType as the configured flag
    # (the original compared against non-existent "...IsDefault" method types, so they were always false).
    PhoneAppNotification          = [bool]($StrongAuthenticationMethodsresult | Where-Object { $_.MethodType -eq "PhoneAppNotification" })
    PhoneAppNotificationIsDefault = ($StrongAuthenticationMethodsresult | Where-Object { $_.MethodType -eq "PhoneAppNotification" }).IsDefault -eq $true
    PhoneAppOTP                   = [bool]($StrongAuthenticationMethodsresult | Where-Object { $_.MethodType -eq "PhoneAppOTP" })
    PhoneAppOTPIsDefault          = ($StrongAuthenticationMethodsresult | Where-Object { $_.MethodType -eq "PhoneAppOTP" }).IsDefault -eq $true
    TwoWayVoiceMobile             = [bool]($StrongAuthenticationMethodsresult | Where-Object { $_.MethodType -eq "TwoWayVoiceMobile" })
    TwoWayVoiceMobileIsDefault    = ($StrongAuthenticationMethodsresult | Where-Object { $_.MethodType -eq "TwoWayVoiceMobile" }).IsDefault -eq $true
    OneWaySMS                     = [bool]($StrongAuthenticationMethodsresult | Where-Object { $_.MethodType -eq "OneWaySMS" })
    OneWaySMSIsDefault            = ($StrongAuthenticationMethodsresult | Where-Object { $_.MethodType -eq "OneWaySMS" }).IsDefault -eq $true
}
22K Views | 0 likes | 16 Comments

Re: Enable MFA with AzureAD Module V2
One year later and still no possibility to enable MFA with the new module. MSOnline is deprecated. I do want to move to the new module, but unfortunately it is not yet possible. There is this case on GitHub which they closed: https://github.com/MicrosoftDocs/azure-docs/issues/10926 And here is a UserVoice you can vote on: https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/36816202-set-mfa-using-azure-active-directory-powershell-mo
5.4K Views | 0 likes | 1 Comment

BitLocker/MBAM Question
Hi, Not really sure where to put this question, so I'll try here. In my LAB I have installed the MBAM server and SQL DBs on a cluster. Reporting Services also installed... I can access the MBAM web page without problems. GPOs configured as well. All according to the official documentation. However, after noticing that I can't find any recovery info of my test devices on the MBAM recovery page I wanted to check directly in the database. There are no tables in the Recovery DB at all. I then dropped the Recovery DB and created it again. No errors whatsoever, but the DB still doesn't contain any tables. Also nothing in the Event Viewer. It all looks fine. But the DB remains empty. The Compliance Status DB does contain tables, but also no data yet. Any ideas?
1.1K Views | 0 likes | 2 Comments

The newest Windows features update is here popup - How to turn off
Hi, Our users are starting to see these popups on their devices: Our devices are managed with SCCM. Why are these popups suddenly appearing? Our users cannot perform this upgrade themselves. Now it's very persistent and it cannot be snoozed anymore. It is incredibly intrusive and unacceptable that Microsoft does this. We have policies in place to get updates from SCCM but this somehow still goes through. Can this be turned off via GPO or reg key? Thanks
3.8K Views | 0 likes | 1 Comment

Re: Turning on Modern Authentication with mixed Outlook versions
An ideal scenario would be that we enable it for the whole organization and nothing would change for all accounts that are already configured. We would then let most of it phase out:
-> New users would get Modern Auth
-> Existing users receiving a new device would get Modern Auth
-> We would switch others in batches
This would allow us to do it at our own pace without causing a big bang by enabling it for the whole organization. However, I couldn't find any official article that explained this in detail. Nowhere is it mentioned what would happen to existing clients and older Outlook versions. And yes, we don't like app passwords either. Modern Auth would allow us to get rid of them.
4K Views | 0 likes | 3 Comments