User Profile
Skipster311-1
Iron Contributor
Joined 4 years ago
Recent Discussions
Single forest GCC high azure ad connect
Hello, we are about to set up an Azure GCC High tenant. We are in the initial stages of discussion around what the best identity model to use is. Currently we have one Active Directory forest. We sync objects from on-prem to Azure Commercial, and we use ADFS for federation with the Azure Commercial tenant. Devices in the commercial tenant are either hybrid Azure AD joined or Azure AD joined. I know devices can only be a member of one Azure tenant, so my question is: what is the best course of action regarding syncing users to the GCC High tenant? Should I stand up a new AD forest, migrate users from the commercial forest to the GCC High forest and then sync to Azure GCC High? Or, for the users that need to sync to GCC High, should I disjoin their device from commercial and change the UPN for these users so they sync to GCC High Azure? I want to try and avoid setting up an additional forest for this, but I'm trying to understand how this can work using one AD forest?

CA policy Chrome browser iPhone
Hello, I have a user that is getting a failed login because of a non-supported browser. The user is using iPhone iOS 14.6 and Chrome browser version "Chrome Mobile iOS 92.0.4515". The user is trying to access the Exchange Online application. When I look at the Azure sign-in logs for the request, I see "530001 browser not supported". I can also see from looking at the sign-in logs that MFA was successfully completed. When I click on "Conditional Access" I see a policy that is reporting as "Failure", and it's "Grant Controls" that is not being satisfied. The policy is configured as below. I'm a little stumped on why "Grant Controls" is not being satisfied when the device is compliant and the user is successfully passing MFA.

MCAS vs. Azure Identity Protection
Is MCAS considered the replacement for Azure Identity Protection? Identity Protection looks at risky users and risky sign-ins, and then can take action based on the configured policy. I'm trying to understand how MCAS fits in when using Identity Protection?

PHS remote users change password
Hello all, we are currently in a hybrid PHS environment. We have SSPR turned on and it's working. What I am trying to understand is how we get "work from home users" to update their password. If they never log into the on-prem domain, then the flag "DisablePasswordExpiration" will never be removed from the Azure AD account. Any advice is greatly appreciated.

CA policy Intune non-compliant device
Hello, I have the following requirement. Can this be done using one CA policy, and if so, can I get an example? If a user does not enroll in Intune, we want to block them from accessing mail via integrated apps (iOS Mail, Android Mail, etc.) and also Outlook for iOS/Android, but allow access to Teams?

PIM not getting MFA prompt
Hello all, I have enabled PIM for Azure AD roles. Below you can see we are requiring MFA when activating the GA role. I am noticing that after the time expires on the role, when I go back in to activate the role I am not getting prompted for MFA. I even restarted my device and opened the browser, and I wasn't prompted when I elevated. Any suggestions on why this is happening are appreciated.

CA policy: when does it apply
Is this a correct statement? "CA policies are evaluated only when a user authenticates." I created a CA policy that enforces device compliance with Intune. I noticed that an un-enrolled device was still able to access O365 apps, even after the CA policy was turned on. Only after forcing users to log out of all O365 apps and re-authenticate were the users prompted to enroll the device. This tells me that the CA policy that forces device compliance wasn't evaluated until the user had to re-authenticate. Looking for confirmation on this.

On-prem LDAP vs. Azure AD Domain Services
Hello all, we have some on-prem servers and applications that point directly to on-prem domain controllers for LDAPS binds. I want to know if using Azure AD Domain Services is a viable option. So instead of pointing the on-prem app/server to an on-prem DC, I would point the connection to the FQDN of Azure AD Domain Services. I'd just like to get some thoughts on this from anyone who has built this out. Thank you.

Sync account expires to Azure AD
Hello, I understand Azure AD has no knowledge of "account expiration"; however, I am being asked to sync this attribute to Azure AD. I need this attribute to be usable for applications like MS Flow. If I just configure the attribute to sync, will it be readable, or do I need to create a custom sync rule so the attribute and value are usable in Azure AD?

Script enable litigation hold
Hello, I have the below script. The script brings back the correct users, but when I go to enable litigation hold, it's enabling it for all users, and I want to enable it only for the users that are currently set to $false for lithold. Any help is greatly appreciated.

$pimserviceaccount = "admin.shofmann@mycompany.onmicrosoft.com"
$adminpassword = "01000000d08c9ddf0115d1118c7a00c04fc297eb0100000084b78e199e1c3b478efd799c7aab6a910000000002000000000003660000c0000000100000000d19998b9fdab9ec1f44820c65de76fd0000000004800000a000000010000000dce05d1d250d5882967e46b97ecbd0c218000000ab0ceed45aa0a431a0137017b3479b6a6ea8e9694b41327714000000d1b19a01c628ceffedd753a5e2b53d0cd90fb930"
$secureString = ConvertTo-SecureString -String $adminpassword
$cred = New-Object -TypeName PSCredential -ArgumentList $pimserviceaccount, $secureString
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $Session -DisableNameChecking
#Import-Module msonline
#connect-msolservice -credential $cred
$Lithold = Get-MsolUser -all:$true | Where-Object {($_.licenses).AccountSkuId -match "SPE_E5" -or ($_.licenses).AccountSkuId -match "EXCHANGEARCHIVE_ADDON" -or ($_.licenses).AccountSkuId -match "SPE_F1" -or ($_.licenses).AccountSkuId -match "SPE_F5_SECCOMP"} | select UserPrincipalname
$lithold | ForEach-Object {Get-Mailbox -Identity $_.userprincipalname} | Where-Object {$_.litigationholdenabled -eq $false}
$Lithold | ForEach-Object {set-mailbox -identity $_.userprincipalname -litigationholdenabled:$true}

Getting prompted for credentials
Hello, I am using the below script to connect to Exchange Online and the MSOL service. When I run the script I am not prompted for credentials when connecting to Exchange Online; however, I do get prompted for credentials when connecting to the MSOL service. I don't understand why I am getting prompted when connecting to the MSOL service?

$pimserviceaccount = "admin.mycompany.onmicrosoft.com"
$adminpassword = "01000000d08c9ddf0115d1118c7a00c04fc297eb0100000084b78e199e1c3b478efd799c7aab6a910000000002000000000003660000c0000000100000000d19998b9fdab9ec1f44820c65de76fd0000000004800000a000000010000000dce05d1d250d5882967e46b97ecbd0c218000000ab0ceed45aa0a431a0137017b3479b6a6ea8e9694b41327714000000d1b19a01c628ceffedd753a5e2b53d0cd90fb930"
$secureString = ConvertTo-SecureString -String $adminpassword
$cred = New-Object -TypeName PSCredential -ArgumentList $pimserviceaccount, $secureString
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $Session -DisableNameChecking
Import-Module msonline
connect-msolservice -credential $cred

Re: Automatically put mailbox on lithold
Thanks. I want to do a check to see if the mailbox is currently on lithold first. This is what I put together:

$pimserviceaccount = "admin.@mycompany.onmicrosoft.com"
$adminpassword = "01000000d08c9ddf0115d1118c7a00c04fc297eb0100000084b78e199e1c3b478efd799c7aab6a910000000002000000000003660000c0000000100000000d19998b9fdab9ec1f44820c65de76fd0000000004800000a000000010000000dce05d1d250d5882967e46b97ecbd0c218000000ab0ceed45aa0a431a0137017b3479b6a6ea8e9694b41327714000000d1b19a01c628ceffedd753a5e2b53d0cd90fb930"
$secureString = ConvertTo-SecureString -String $adminpassword
$cred = New-Object -TypeName PSCredential -ArgumentList $pimserviceaccount, $secureString
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $Session -DisableNameChecking
$Lithold = Get-MsolUser -all:$true | Where-Object {($_.licenses).AccountSkuId -match "SPE_E5" -or ($_.licenses).AccountSkuId -match "EXCHANGEARCHIVE_ADDON" -or ($_.licenses).AccountSkuId -match "SPE_F1" -or ($_.licenses).AccountSkuId -match "SPE_F5_SECCOMP"} | select UserPrincipalname
$lithold | ForEach-Object {Get-Mailbox -Identity $_.userprincipalname} | Where-Object {$_.litigationholdenabled -eq $false} | set-mailbox -LitigationHoldEnabled:$true