Azure AD Connect
160 Topics

Changing AAD after domain migration
Looking for some guidance on reconfiguring our Azure AD Connect tool. Some background: We recently underwent a domain migration where we moved from older 2012 AD boxes to newer 2019 boxes. Internally our domain has changed from an .edu domain to a .local domain; however, externally everything remains the same. We've migrated all our users and groups using ADMT, and their attributes did NOT change: they retain the same samaccountname, UPNs, email addresses, mS-DS-ConsistencyGuid, etc. If I try to reinstall the AAD tool using the exported settings, it pulls the old .edu domain, as that is what it's set to sync, when we'd like it to pull from our .local AD servers now instead. When I run through the Customize Sync Options wizard I can add the .local forest to the connected directories option (if I use the /skipLDAP command), and it allows me to go through the wizard with no issue. Before I continue with this process, I figured I'd see if I could get some questions answered: Our anchor is mS-DS-ConsistencyGuid, and they are the same on both domains, so if I go ahead and connect the .local forest, will it still create a new account, or will it simply make the connection with the current 365 account/mailbox? (Mailboxes/Exchange are in 365; we do not use on-prem Exchange.) Would it be easier to just completely uninstall the Azure AD tool and re-install it without importing the exported settings? The only reason I'm hesitant to do this is because I'm not 100% sure what settings are configured, other than what is shown to me on the View or Export Config settings page. Thanks!
707 views, 2 likes, 0 comments

Cross-tenant synchronization (Private mode)
Cross-tenant synchronization enables you to automate provisioning identities across tenants in your organization and simplify collaboration within your organization. In addition, it automates removing accounts when users don't need access and keeps accounts synchronized across tenants. This feature will not appear on all tenants until Microsoft releases it as a preview.
5.9K views, 2 likes, 4 comments

Migration to Cloud Sync (passwords)
We want to migrate from AAD Connect Sync to Cloud Sync. When provisioning new users we could use temporary passwords in AAD Connect Sync, through this feature: Set-ADSyncAADCompanyFeature -ForcePasswordChangeOnLogOn $true Is this feature still available in Cloud Sync? If not, what is the workaround?
218 views, 1 like, 5 comments

Implementing Azure ADConnect in a live environment
I have been tasked with implementing Azure ADConnect for my company. We currently have 2 locally virtualized domain controllers and are already utilizing Office365 for mail. What would be the easiest way to implement ADConnect while having the least amount of downtime/user interruptions?
136 views, 1 like, 4 comments

Double entries in userCertificate avoids Hybrid Join
Hey guys, I have an interesting situation at a customer. He utilizes a third-party MFA provider while being on a federation. That means new computers will never have a registered state. For users it is mandatory that their clients have fulfilled the Hybrid Join to use M365 apps, which can be a real pain. So the Automatic-Device-Join task has to create the userCertificate on the on-premises computer object before it can be synchronized to Entra. Here comes the issue. In some cases we see that some computers will create two userCertificate entries. This situation will lead to an inconsistent Hybrid Join. I already tried to remove one of the certificates, but for me it is impossible to recognize which is the right one. The only solution for me was to remove both entries under userCertificate and let the Automatic-Device-Join task create a new one. Afterwards the Hybrid Join will work. I want to understand which process or scenario might create the double userCertificate entries.
Solved. 425 views, 1 like, 1 comment

Questions about moving Windows endpoint from locally joined domain to Azure AD
Just a couple of questions when moving a current AD domain-joined endpoint (i.e. Windows 10/11 Pro) to Azure AD.
1. Does the user's desktop look/feel change upon their next Azure AD-centric login, versus their previous domain-joined profile?
2. If there were previously changes pushed out to the endpoints via local AD domain GPOs, do those changes still remain on the endpoint machine, even after the cutover to Azure AD?
3. Is there a way to have an Azure AD authenticating machine, while still allowing the machine to access local network SMB shares, if the Azure AD and local AD domain are in hybrid mode?
622 views, 1 like, 1 comment

Azure AD extension attributes from AD Connect
I'm struggling with finding my data in AAD. We've been running Azure Connect for years to bring the data from our on-prem AD over to our AAD instance. Back last spring, I expanded the scope of the fields we were bringing over; in Azure Connect I configured it to also send the uid from AD, where we were storing a value that I needed for SSO for a specific application. I was able to configure the claims rules for the enterprise application that I configured in AAD to send the value along to the app, and SSO works fine. My problem is where that data is. I'll be referring here mostly to PowerShell commands to look at the users. If I run Get-AzureADUser for a user -- I've tried several, all of whom can successfully use the SSO -- and then pipe that to Select to expand the extension properties, the extension property isn't even in the list. The one place I have found it is if I run Get-AzureADApplication | Get-AzureADApplicationExtensionProperty It is in the list of defined extension properties, targeting users. Ideally, I'd like to be able to see the value for a given user from AAD, and set it through PowerShell as well. Help? Why doesn't it show up in the extension attributes for our users?
11K views, 1 like, 9 comments

How to use AD Log On To restriction but allow Azure AD Pass-Through Authentication
As the title says, I am attempting to utilize the "Log On To..." setting in on-premises AD but still allow users to log onto Azure AD authenticated resources such as Office 365. The test accounts can log into only the specified workstation when the setting is enabled, which is the expected outcome, but when this is enabled and the user attempts to log into anything that authenticates via Azure AD, the authentication fails with "Pass-through Authentication" Succeeded: "False". This totally makes sense, but I am required to lock down user account(s) to specific computers and still allow Azure AD Authentication for these same users. Is this even possible without going through group policy, which gets messy when you only want certain user accounts on certain machines?
Solved. 1.7K views, 1 like, 1 comment

Azure Active Directory connection issue
Hello Everyone, Every time I log in to Azure databases from my SSMS it asks for some type of authentication and I get the pop-up screen below. Is there any way I can disable this, because it is asking for APPID/REDIRECTURL before every single click in SSMS? How do I turn this off?
428 views, 1 like, 0 comments