User Profile
BilalelHadd
Iron Contributor
Joined 5 years ago
Recent Discussions
Re: Unable to create a dynamic membership rule using OR conditional
Hi sof_brad, I am unsure if your question was answered, but the strings you are using are not supported. You can find an overview of the supported properties on this Microsoft Learn page: https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-membership#supported-properties I hope this helps and that you found another way to achieve the above.
639 views, 0 likes, 0 comments

Re: Issues with MS Office Logging me out of documents shared via Sharepoint on Mac
Hi rkoopmans, Have you tried clearing the cache and data for all these Microsoft Office for Mac applications? To ensure it resolves your issue, try renaming the folders mentioned in the Support article instead of deleting them, in case of a rollback. https://support.microsoft.com/en-gb/office/uninstall-office-for-mac-eefa1199-5b58-43af-8a3d-b73dc1a8cae3 Renaming these three folders should also be enough; these are the most important folders. They can be found under the ~/Library/Group Containers/ folder:
UBF8T346G9.ms
UBF8T346G9.Office
UBF8T346G9.OfficeOsfWebHost
Good luck, and keep us posted!
1.1K views, 0 likes, 0 comments

Re: find users access on the azure portal
First, I recommend that you restrict access to the Azure AD portal for ANY user. And yes, Guest users can also access the Azure AD Portal and see a list of all users if you haven't restricted this. You can do this by browsing to the Azure Portal > User settings > and choosing Restrict access to the Azure AD administration portal. To answer your question, can you verify that someone is logged into the Azure Portal? To do this, browse to the Azure Portal > choose Sign-in logs and create a filter > Application contains Azure Portal. Good luck!
11K views, 0 likes, 1 comment
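The sign-in-log check from the reply above, done with the Microsoft Graph PowerShell SDK instead of the portal filter, as an added example that is not the poster's code. It pulls the last seven days of sign-ins to the Azure Portal and marks the ones made by guest accounts, which is the case the reply warns about. It assumes the SDK is installed and the signed-in admin holds AuditLog.Read.All and Directory.Read.All; the seven-day window and the output columns are choices made for this example.

```powershell
# Added example (not the poster's code): recent Azure Portal sign-ins, with guests flagged.
# Assumes the Microsoft Graph PowerShell SDK; 7-day window is a value chosen here.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$since = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")

# Equivalent of the portal filter "Application contains Azure Portal", as an OData
# filter on the sign-in log (exact match on the application display name).
$signIns = Get-MgAuditLogSignIn -All `
    -Filter "appDisplayName eq 'Azure Portal' and createdDateTime ge $since"

# Object IDs of all guest accounts; matching on ID avoids UPN formatting differences.
$guestIds = (Get-MgUser -All -Filter "userType eq 'Guest'" `
    -ConsistencyLevel eventual -CountVariable guestCount -Property Id).Id

$report = $signIns | ForEach-Object {
    [pscustomobject]@{
        Time    = $_.CreatedDateTime
        User    = $_.UserPrincipalName
        IsGuest = $guestIds -contains $_.UserId
        IP      = $_.IpAddress
        # errorCode 0 is a successful sign-in; anything else is the failure code.
        Result  = if ($_.Status.ErrorCode -eq 0) { 'Success' } else { "Failure $($_.Status.ErrorCode)" }
    }
}

$report | Sort-Object Time -Descending | Format-Table -AutoSize

# The rows that matter for the reply's point: guests reaching the portal at all.
$guestHits = @($report | Where-Object IsGuest)
"Guest sign-ins to the Azure Portal in the last 7 days: $($guestHits.Count)"
```

Any non-zero guest count is worth acting on: with the portal restriction turned on as the reply recommends, these sign-ins should stop appearing, so the same script doubles as a check that the setting took effect.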

Re: Impossible to login my business account
Hi iboxmsft, It could be me, but I think I am missing something. How did you connect OneDrive for Business with the Microsoft e-mail you created earlier? You lost me there. (Step 1) If you know the primary e-mail address you've used in the past to sign in, you should do a password reset. If that's not possible, something might be missing, and you don't use the username for OneDrive. You could check the username if you still have the OneDrive app running on your client. When configuring 2FA, they will always ask to add additional information (backup e-mail address, phone number, etc.).
2.3K views, 0 likes, 1 comment

Re: Workaround for signing in to AADJ devices with an expired password when using PTA
Hi Ryan Steele, Are you aware of the new Microsoft Entra feature called Lifecycle workflows? It's currently in preview, but this should help you in the future with the joiner, mover and leaver process. It can automate tasks like sending an e-mail before the start date of a new hire with a Temporary Access Pass, which will be activated on a specific date you configure. This can help a user massively in the onboarding process. My recommendation, for now, would be, as you already mentioned in an earlier comment, option A. Always let the users configure their authentication methods when they use their new accounts. This will combine configuring the authentication methods and help change the passwords for users. Since your devices are AADJ joined, there is also a possibility to log in with a Temporary Access Pass on an AADJ joined device. I have written a blog post about it. You can search on Google for Temporary Access Pass (bilalelhaddouchi). I am not allowed to share any external blog posts. Good luck!
6.6K views, 1 like, 0 comments

Re: How can I use "Windows Hello for Business" as passwordless sign-in on my laptop?
Please make sure that the devices are AAD joined. When they are, ensure that the configuration profile, as shown in the screenshot, is assigned to the devices. Regarding your question, it won't be registered as an authentication method if they haven't set up Windows Hello for Business. Small reminder, as stated yesterday: the WHfB trust type only impacts how the device authenticates to on-premises AD. So don't forget to do your research.
4.7K views, 0 likes, 1 comment

Re: How can I use "Windows Hello for Business" as passwordless sign-in on my laptop?
You're completely correct regarding the link that I've shared. Did you also think of the apps and services that need to authenticate (with SSO, e.g.)? Password-less goes further than only logging in with strong authentication. For accessing legacy apps and services, I would recommend the Hybrid Cloud Trust. If you are sure that all apps and services are SSO compatible, then you should be fine. Could you share a screenshot of the configuration profile you've created for WHfB?
4.8K views, 0 likes, 3 comments

Re: How can I use "Windows Hello for Business" as passwordless sign-in on my laptop?
Of course. Visit the following link: https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust?tabs=intune It should point you in the right direction. Following these steps requires no PKI infrastructure.
4.8K views, 0 likes, 5 comments

Re: How can I use "Windows Hello for Business" as passwordless sign-in on my laptop?
Welcome, Kiril! You are missing some critical steps to make use of WHfB. Rather than setting up a complicated PKI infrastructure, I recommend configuring Cloud Trust, especially when your devices are Azure AD joined only. Many articles and blogs are available on configuring Windows Hello for Business Cloud Trust. This would also enable you to access network drives and shares with WHfB. I hope this helps!
4.9K views, 0 likes, 7 comments

Re: How can I use "Windows Hello for Business" as passwordless sign-in on my laptop?
Dear Kiril, I am missing some context. Did you successfully set up any form of trust (e.g., Cloud, Key, or certificate trust)? When stating Windows Hello for Business and Password-less, I assume you already have this set up. Could you confirm? Also, there is a tenant-wide setting for WHfB. Which one did you configure? You can find the setting under the Intune Portal > Windows Devices > Windows enrollment > Windows Hello for Business. Don't set this feature to Disabled. Even if you create a Configuration profile, this policy won't enable Windows Hello for Business.
4.9K views, 0 likes, 9 comments

Re: Conditional Access Policies, Guest Access and the "Microsoft Invitation Acceptance Portal"
Unfortunately, not yet; Microsoft has given the feature request the label "planned." I have no idea when they will release this. https://feedback.azure.com/d365community/idea/1365df89-c625-ec11-b6e6-000d3a4f0789
13K views, 0 likes, 0 comments

Re: Password Expiration notification
Hi Bryan_George, Passwords are so not 2022. You have just opened a can of worms 🙂 I would suggest you read the blog post that I have created in the past. Google the following: "Comply your AD password expiration policy with Azure AD." That should help you. I am not a fan of password expiration policies; I am more the type of administrator that prefers password-less authentication and sets the password expiration policy to "never." By default, AAD uses a password expiration of 90 days. You can see the setting by browsing the admin center > settings > org settings > security & privacy > Password expiration policy. There are enough online scripts that could help you send an e-mail to a user whose password expires. Hint: use the following Google search term: Password-Expiration-Notifications.ps1 Good luck, and if you have any other questions, shoot 😉
32K views, 0 likes, 1 comment
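The core of such a notification script, written here as an added example rather than the poster's or any published script: it lists the cloud-only users whose password will expire within a warning window under the 90-day default the reply mentions. It assumes the Microsoft Graph PowerShell SDK with User.Read.All; $maxAgeDays and $warnDays are values chosen for this example, and the e-mail step (for instance with Send-MgUserMail) is deliberately left out so the listing can be reviewed first.

```powershell
# Added example (not the poster's script): who is within $warnDays of password expiry.
# Assumes the Microsoft Graph PowerShell SDK; 90 and 14 are values chosen for this example.
Connect-MgGraph -Scopes "User.Read.All"

$maxAgeDays = 90   # tenant default per the reply; set to your own policy if different
$warnDays   = 14   # warn when this many days or fewer remain
$now        = (Get-Date).ToUniversalTime()

$props = 'Id', 'UserPrincipalName', 'Mail', 'AccountEnabled', 'OnPremisesSyncEnabled',
         'LastPasswordChangeDateTime', 'PasswordPolicies'
$users = Get-MgUser -All -Property $props

$expiring = foreach ($u in $users) {
    if (-not $u.AccountEnabled) { continue }
    # Synced users follow the on-premises AD policy, not the cloud setting; skip them here.
    if ($u.OnPremisesSyncEnabled) { continue }
    # "Never expires" is stored as the DisablePasswordExpiration policy flag.
    if ($u.PasswordPolicies -match 'DisablePasswordExpiration') { continue }
    if (-not $u.LastPasswordChangeDateTime) { continue }

    $expiresOn = $u.LastPasswordChangeDateTime.AddDays($maxAgeDays)
    $daysLeft  = [math]::Floor(($expiresOn - $now).TotalDays)
    if ($daysLeft -le $warnDays) {
        [pscustomobject]@{
            User      = $u.UserPrincipalName
            Mail      = $u.Mail
            ExpiresOn = $expiresOn
            DaysLeft  = $daysLeft      # negative means the password has already expired
        }
    }
}

$expiring | Sort-Object DaysLeft | Format-Table -AutoSize
```

The two skips are the part people get wrong: a synced user's expiry is decided by on-premises AD, and a user with DisablePasswordExpiration would otherwise be mailed about an expiry that never happens.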

Re: Login with AAD account to Windows10 PC
Hi dragnevdrg365, How did you Azure AD join the devices? Did you wipe the device completely and then use the Autopilot service (including uploading the hardware hash)? Or did you add the account to the Work or School account setting within Windows?
1.8K views, 0 likes, 0 comments

Re: Can't see contosohotels directory to switch although I am a member of the same.
Dear owaisosha1234, How is the access configured for your Microsoft account? Are you added as a guest within the directory? I know that Microsoft is working on a feature that allows a company to remove you as a guest from a directory/tenant. So it could be that your account can't access the directory. If that's not the case, you could check the sign-in logs. Good luck!
926 views, 0 likes, 0 comments

Re: Azure AD Connect Failed Automatic Upgrade 1.6.16.0 to 2.1.16.0
There seems to be something wrong with the account that's being used. Microsoft already addressed this in the Azure AD release notes: "We fixed a bug where auto-upgrade fails when the service account is in 'UPN' format." Source: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-version-history Try to use the SamAccountName instead of the UPN. I hope this helps you get in the right direction.
5.4K views, 0 likes, 2 comments

Re: Merge AD admin to AAD global admin
Lesson number 1: never sync administrator accounts from AD to AAD. That could allow cyber attackers to hop from on-premises to the cloud. (And believe me, it happens often.)
1. Create new Cloud-only admin accounts for every administrator
2. Stop syncing the OU where the admins are located
3. Limit the privileges for admins and use Privileged Identity Management (think about your Identity Governance)
4. Create two break-the-glass accounts for emergency purposes
5. Enable MFA for ALL admins except the break-the-glass accounts
6. Create a policy that blocks sign-in on the two break-the-glass accounts except from trusted locations.
Good luck, and I hope this answers your question.
1.1K views, 1 like, 0 comments
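Steps 4 to 6 of the list above as Conditional Access policies, written here as an added example and not as the poster's code: one policy requires MFA for holders of the listed admin roles while excluding the two break-glass accounts, the other blocks the break-glass accounts from everywhere except trusted named locations. It assumes the Microsoft Graph PowerShell SDK with Policy.ReadWrite.ConditionalAccess, Policy.Read.All and User.Read.All, that the two cloud-only break-glass accounts already exist, and that trusted locations are defined; the UPNs and the role list are placeholders to replace. Both policies are created in report-only state so their effect can be checked in the sign-in logs before enforcing.

```powershell
# Added example (not the poster's code): CA policies for steps 4-6 of the reply.
# Assumes the Microsoft Graph PowerShell SDK; UPNs and role names below are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "User.Read.All"

# Placeholder UPNs of the two cloud-only break-glass accounts (never synced from AD).
$breakGlassUpns = @("bg-admin-01@contoso.onmicrosoft.com", "bg-admin-02@contoso.onmicrosoft.com")
$breakGlassIds  = foreach ($upn in $breakGlassUpns) { (Get-MgUser -UserId $upn -Property Id).Id }
if (@($breakGlassIds).Count -ne 2) { throw "Expected exactly two break-glass accounts" }

# Directory role template IDs for the admin roles the MFA policy must cover (extend as needed).
$adminRoleNames = @("Global Administrator", "Privileged Role Administrator",
                    "Security Administrator", "Exchange Administrator", "User Administrator")
$adminRoleIds = (Get-MgDirectoryRoleTemplate |
    Where-Object { $adminRoleNames -contains $_.DisplayName }).Id

# Policy 1 (step 5): MFA for every admin role holder, break-glass accounts excluded.
$mfaForAdmins = @{
    displayName   = "Require MFA for directory role holders"
    state         = "enabledForReportingButNotEnforced"   # report-only first, then "enabled"
    conditions    = @{
        users          = @{ includeRoles = $adminRoleIds; excludeUsers = $breakGlassIds }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Policy 2 (step 6): break-glass accounts may sign in only from trusted named locations.
$lockBreakGlass = @{
    displayName   = "Block break-glass accounts outside trusted locations"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = $breakGlassIds }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        locations      = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

foreach ($p in @($mfaForAdmins, $lockBreakGlass)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    "Created '{0}' ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State
}
```

The exclusion in the first policy is what keeps the break-glass accounts usable when the MFA provider itself is the outage; the second policy is what keeps that exclusion from becoming an open door. Switch the state to "enabled" only after the report-only results show the expected users and nobody else.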

Re: OneDrive no Access.... which CA blocks access
Does the user get an MFA prompt when he tries to sign in with his credentials? It looks like OneDrive tries to authenticate with legacy authentication instead of Modern Authentication. You could also temporarily add the user to the exclusion and check the behavior.
1.7K views, 0 likes, 0 comments

Re: filter for dynamic group that is intersection of two other groups
Hi fomar2130, Please keep in mind that this feature still has some limitations. Read more about the limitations on this official Microsoft docs page: https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-rule-member-of Below you will find the needed query to create a Dynamic group with the members of Group A and Group B as members of the newly created Dynamic group:
user.memberof -any (group.objectId -in ['ObjectIDGroupA', 'ObjectIDGroupB'])
3.2K views, 1 like, 0 comments
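Creating the dynamic group with exactly that rule through the Microsoft Graph PowerShell SDK, as an added example that is not the poster's code: it looks up the object IDs of the two source groups, builds the memberOf rule from them, creates the group with rule processing switched on, and reads the evaluated membership back. It assumes Group.ReadWrite.All and that the source groups are of a kind the memberOf rule supports (see the limitations page linked in the reply); the display names and mail nickname are placeholders.

```powershell
# Added example (not the poster's code): create the dynamic group from the reply's rule.
# Assumes the Microsoft Graph PowerShell SDK; group names and nickname are placeholders.
Connect-MgGraph -Scopes "Group.ReadWrite.All"

# Resolve the source groups to object IDs (first match if the names are not unique).
$groupA = (Get-MgGroup -Filter "displayName eq 'Group A'" -Property Id | Select-Object -First 1).Id
$groupB = (Get-MgGroup -Filter "displayName eq 'Group B'" -Property Id | Select-Object -First 1).Id
if (-not $groupA -or -not $groupB) { throw "One of the source groups was not found" }

# The rule form from the reply: any direct membership in either source group.
$rule = "user.memberof -any (group.objectId -in ['$groupA', '$groupB'])"

$dyn = New-MgGroup -DisplayName "Dynamic - members of Group A or Group B" `
    -MailNickname "dyn-group-a-or-b" -MailEnabled:$false -SecurityEnabled `
    -GroupTypes @("DynamicMembership") -MembershipRule $rule `
    -MembershipRuleProcessingState "On"

"Created $($dyn.DisplayName) ($($dyn.Id)) with rule: $($dyn.MembershipRule)"

# Membership is evaluated asynchronously by the directory; re-run this part after a
# few minutes to confirm the expected users have been added.
$members = Get-MgGroupMember -GroupId $dyn.Id -All
"Evaluated members so far: $(@($members).Count)"
```

Reading the membership back is the check worth keeping: a rule that is syntactically accepted but references a group the memberOf feature does not support simply produces an empty group, and the count makes that visible immediately.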