User Profile
aliat_IMANAMI
Brass Contributor
Joined 4 years ago
Recent Discussions
Set Up for Active Directory Backup
I came across the following question regarding backup setup for Active Directory:

“Creating a forest in every location and every forest has 2 DCs and has a 1-way trust to Global AD which is in Azure. For the current AD backup, based on their design and current backup, they don't have a 3rd-party backup tool. They have a file storage for backup. Backup is taken every day and stored in online and offline storage locations. The backups are stored in the Azure cloud as well. So I'm planning to do the system state backup only; then the backup path/location would be their file storage and also in VSS. Is this a good setup?”

Active Directory (AD) is one of the most critical components of any IT infrastructure. In a Windows-based environment, almost all applications and tools are integrated with Active Directory for authentication, directory browsing, and single sign-on. Due to this heavy dependency, it is necessary to have a well-defined process for AD backup.

Restoring an Active Directory backup should be the LAST option for any disaster recovery. As the above question has 2 DCs in each forest, for a single domain controller failure the recommended option is to demote the domain controller, wait a few hours for the demotion to replicate, and then promote it back again. There is no need to restore an Active Directory backup to recover a single domain controller.

The most common and recommended approach for AD backup is the System State backup of a domain controller. A System State backup of a domain controller includes the following:
· Sysvol
· Active Directory database and related files
· DNS zones and records (only for AD-integrated DNS)
· System registry
· Class Registration database of Component Services
· System startup files

You can use a third-party tool if required. However, the Windows Server Backup (WBADMIN) tool that comes bundled with all versions of Windows Server is just fine for this purpose. Lastly, the recommendation is to take a daily scheduled backup.

Preferred Backup Pattern in Active Directory & Azure AD

One preferred backup pattern is: First Full Backup > 14 Incremental Backups > 1 Full Backup > 14 Incremental Backups > 1 Full Backup > 14 Incremental Backups ... and so on.
Adding Distributed COM Users group in the built-in groups for AD

I came across this question from one of my connections in my network:

"A user was added to the Distributed COM Users group in the built-in groups for AD; however, it seems to be doing nothing for allowing that user to access DCOM on the servers. Isn't the point of the built-in groups that they are already defaulted to the correct permissions and set up on objects in the AD structure? Is there a way to test? An effective access check on an OU with that group was done and it was all denied. Is this the right way to test those particular permissions?"

I suggested the following: as the added users are not able to access the DCOM server, it is good to check the DCOM remote access permissions in Component Services. Remote access and local access should be enabled. If they are not, then any user who is part of the Distributed COM Users group will not be able to access the DCOM servers.

Let me know what your thoughts are on this. Thanks.
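The Component Services "Access Permissions" and "Launch and Activation Permissions" limits mentioned in the post are stored in the registry as binary security descriptors, so the check can be scripted instead of clicked through. The following is an added example, not code from the original post: it decodes the machine-wide limits and reports whether BUILTIN\Distributed COM Users (well-known SID S-1-5-32-562) is granted local and remote access and activation. It assumes it is run elevated on the DCOM server being checked; the access-mask bit values are the documented COM_RIGHTS_* constants.

```powershell
# Added example (not the original poster's code): decode the machine-wide DCOM limits
# under HKLM\SOFTWARE\Microsoft\Ole and report what Distributed COM Users is granted.
# Run elevated on the server whose DCOM permissions you want to verify.

$ComRights = @{
    Execute        = 0x1   # COM_RIGHTS_EXECUTE: legacy ACEs carrying only this bit grant local and remote
    Local          = 0x2   # COM_RIGHTS_EXECUTE_LOCAL
    Remote         = 0x4   # COM_RIGHTS_EXECUTE_REMOTE
    ActivateLocal  = 0x8   # COM_RIGHTS_ACTIVATE_LOCAL
    ActivateRemote = 0x10  # COM_RIGHTS_ACTIVATE_REMOTE
}
$DcomUsersSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-562'

function Get-DcomMachineLimit {
    param([ValidateSet('MachineAccessRestriction','MachineLaunchRestriction')][string]$Name)
    # When the value is absent Windows applies its built-in default limits.
    $bytes = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -Name $Name -ErrorAction SilentlyContinue).$Name
    if (-not $bytes) { return $null }
    [System.Security.AccessControl.RawSecurityDescriptor]::new([byte[]]$bytes, 0)
}

function Test-DcomUsersRight {
    param([System.Security.AccessControl.RawSecurityDescriptor]$Descriptor, [int]$RequiredMask)
    if ($null -eq $Descriptor)                  { return 'default (value not set in registry)' }
    if ($null -eq $Descriptor.DiscretionaryAcl) { return 'allowed (null DACL grants everyone)' }
    $granted = 0
    foreach ($ace in $Descriptor.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.KnownAce]) { continue }
        if (-not $ace.SecurityIdentifier.Equals($DcomUsersSid)) { continue }
        $mask = $ace.AccessMask
        # An ACE with only the legacy execute bit means full local + remote access/activation.
        if (($mask -band 0x1E) -eq 0 -and ($mask -band $ComRights.Execute)) { $mask = 0x1E }
        if ($ace.AceType -eq [System.Security.AccessControl.AceType]::AccessDenied) {
            if ($mask -band $RequiredMask) { return 'denied (explicit deny ACE)' }
        } elseif ($ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed) {
            $granted = $granted -bor $mask
        }
    }
    if (($granted -band $RequiredMask) -eq $RequiredMask) { 'allowed' } else { 'missing' }
}

$access = Get-DcomMachineLimit -Name MachineAccessRestriction
$launch = Get-DcomMachineLimit -Name MachineLaunchRestriction
[PSCustomObject]@{
    Computer         = $env:COMPUTERNAME
    LocalAccess      = Test-DcomUsersRight -Descriptor $access -RequiredMask $ComRights.Local
    RemoteAccess     = Test-DcomUsersRight -Descriptor $access -RequiredMask $ComRights.Remote
    LocalActivation  = Test-DcomUsersRight -Descriptor $launch -RequiredMask $ComRights.ActivateLocal
    RemoteActivation = Test-DcomUsersRight -Descriptor $launch -RequiredMask $ComRights.ActivateRemote
}
```

A result of "missing" for RemoteAccess or RemoteActivation is the condition the post describes: membership in the built-in group does nothing until the machine-wide limits in Component Services actually grant that group the remote rights. Per-application DCOM permissions (under HKCR\AppID) can further restrict a single server; this script only covers the machine-wide limits.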
Efficient Ways to Implement Zero Trust Security in IAM

One of the efficient ways that Zero Trust security can be integrated into an organization's IAM infrastructure is as follows:
· Initiate authentication for users who can send emails to groups
· Initiate filtration for users who have access to sending emails to groups
· Introduce strict group membership moderation policies
· Adopt workflow orchestration
· Make attestation of Active Directory and Azure AD groups simpler
· Make the group permission verification process streamlined and simpler
Resolution of Active Directory Replication Error 8606 & 1988

Scenario

A DC is virtualized in VMware. I got it restored from a Veeam backup, meaning it is not in the current state, which caused Active Directory to break. How could I get it fixed? I forced replication between 2 DCs and it failed. Here and there we got several PCs that have the error: “The trust relationship between this workstation and the primary domain failed”

Based on the above use case, we identified certain errors.

Investigation

So first, a piece of advice: you should never restore a domain controller in a multi-domain-controller environment. Instead, you should stand up a new DC and start replication; it will take time but will replicate from a fully healthy DC.

Then we ran the below command-lets and collected the logs for review:

Dcdiag /v /c /d /e /s:%computername% > C:\dcdiag.log
repadmin /showrepl > C:\repl.txt
ipconfig /all > C:\dc1.txt
ipconfig /all > C:\dc2.txt
ipconfig /all > C:\problemworkstation.txt

Errors Observed in DC Diagnostic Report & Replication Summary

We found the following two errors in the DC diagnostic report and replication summary:
· Active Directory Replication Error 8606: Insufficient attributes were given to create an object.
· Active Directory Replication Error 1988: The local domain controller has attempted to replicate the following object from the following source domain controller. This object is not present on the local domain controller because it may have been deleted and already garbage collected.

Logging Conditions for Error 8606

Upon further research, we found out that Error 8606 is logged when the following conditions are true:
· A source domain controller sends an update to an object (instead of an originating object create) that has already been created, deleted, and then reclaimed by garbage collection from a destination domain controller's copy of Active Directory.
· The destination domain controller was configured to run in strict replication consistency.

Cause of Error 8606

The error is caused by one of the following:
· A permanently lingering object whose removal will require admin intervention.
· A transient lingering object that will correct itself when the source domain controller performs its next garbage-collection cleanup. Introduction of the first domain controller in an existing forest and updates to the partial attribute set are known causes of this condition.
· An object that was undeleted or restored at the cusp of tombstone lifetime expiration.

Key Points to Remember for Troubleshooting Error 8606

When you troubleshoot 8606 errors, think about the following points:
· Although error 8606 is logged on the destination domain controller, the problem object that is blocking replication resides on the source domain controller. Additionally, the source domain controller or a transitive replication partner of the source domain controller potentially did not inbound-replicate knowledge of a deletion a tombstone-lifetime number of days in the past.
· Remember to search for potentially lingering objects by object GUID versus DN path so that objects can be found regardless of their host partition and parent container. Searching by objectGUID will also locate objects that are in the Deleted Objects container without using the deleted objects LDAP control.
· The NTDS Replication 1988 event identifies only the current object on the source domain controller that is blocking incoming replication by a strict-mode destination domain controller. There are likely additional objects "behind" the object that is referenced in the 1988 event that are also lingering. The presence of lingering objects on a source domain controller prevents or blocks strict-mode destination domain controllers from inbound-replicating "good" changes that exist behind the lingering object in the replication queue.
· Because of the way that domain controllers individually delete objects from their deleted object containers (the garbage-collection daemon runs every 12 hours from the last time each domain controller started), the objects that are causing 8606 errors on destination domain controllers could be subject to removal in the next garbage-collection cleanup execution. Lingering objects in this class are transient and should remove themselves in no more than 12 hours from problem start.
· The lingering object in question is likely one that was intentionally deleted by an administrator or application. Factor this into your resolution plan, and beware of reanimating objects, especially security principals that were intentionally deleted.

Resolution

For our need, to check the replication status between only 2 DCs (the affected one and a healthy one), we also tried disabling “Strict Replication Consistency”, which prevents destination domain controllers from replicating in lingering objects. But it is highly recommended not to disable “Strict Replication Consistency”: there is a risk that lingering objects could be replicated to a domain controller, or many, where this setting is not enabled. Reference Microsoft documentation for enabling this setting: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc816938(v=ws.10)?redirectedfrom=MSDN

As an actual fix, we must remove the lingering objects from the recovered DC for smooth replication. While many methods exist to remove lingering objects, there are two primary tools commonly used: Lingering Object Liquidator (LoL) and repadmin.exe.

Lingering Object Liquidator (LoL)

The easiest method to clean up lingering objects is to use the LoL. The LoL tool was developed to help automate the cleanup process against an Active Directory forest. The tool is GUI-based and can scan the current Active Directory forest and detect and clean up lingering objects. The tool is available on the Microsoft Download Center.

Repadmin.exe

The following command in REPADMIN.EXE can remove lingering objects from directory partitions:

Repadmin.exe /RemoveLingeringObjects

Repadmin /RemoveLingeringObjects can be used to remove lingering objects from writable and read-only directory partitions on source domain controllers. The syntax is as follows:

c:\>repadmin /removelingeringobjects <Dest_DSA_LIST> <Source DSA GUID> <NC> [/ADVISORY_MODE]

Where:
· <Dest_DSA_LIST> is the name of a domain controller that contains lingering objects (such as the source domain controller that is cited in the NTDS Replication 1988 event).
· <Source DSA GUID> is the name of a domain controller that hosts a writable copy of the directory partition that contains lingering objects, to which the domain controller in <Dest_DSA_LIST> has network connectivity. The DC to be cleaned up (first DC specified in the command) must be able to connect directly to port 389 on the DC that hosts a writable copy of the directory partition (specified second in the command).
· <NC> is the DN path of the directory partition that is suspected of containing lingering objects, such as the partition that is specified in a 1988 event.

Monitoring Active Directory Replication Health Daily

If error 8606 / Event 1988 was caused by the domain controller failing to replicate Active Directory changes in the last tombstone-lifetime number of days, make sure that Active Directory replication health is monitored on a day-to-day basis going forward. Replication health may be monitored by using a dedicated monitoring application or, as one inexpensive but effective option, by viewing the output of the "repadmin /showrepl * /csv" command in a spreadsheet application such as Microsoft Excel. Thus, keeping tabs on Active Directory health overall is significant. In order to do that, it's important for an IT professional to have an understanding of how to define Active Directory health.
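The daily check the post recommends (opening "repadmin /showrepl * /csv" in Excel) is easy to script so that nobody has to eyeball the sheet. The following is an added example and not part of the original post: it parses the CSV that repadmin emits, flags partners that are failing, stale, or past the tombstone lifetime, and calls out status 8606 specifically. The two data rows are constructed sample records using repadmin's real column headers so the script runs offline; the 24-hour staleness threshold and the fixed "now" are assumptions for the sample.

```powershell
# Added example (not the original poster's code): turn "repadmin /showrepl * /csv" into a
# pass/fail replication report. $SampleCsv holds constructed rows; on a DC replace them with:
#   $lines = repadmin /showrepl * /csv

$SampleCsv = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Default-First-Site-Name,DC1,"DC=corp,DC=example",Default-First-Site-Name,DC2,RPC,0,0,2024-03-01 08:00:12,0
showrepl_INFO,Default-First-Site-Name,DC2,"DC=corp,DC=example",Default-First-Site-Name,DC1,RPC,37,2024-03-01 08:05:44,2023-12-20 02:14:09,8606
'@

function Get-ReplicationHealth {
    param(
        [Parameter(Mandatory)][string[]]$CsvLines,
        [int]$MaxHoursSinceSuccess = 24,   # assumption: one missed day of inbound replication is alert-worthy
        [int]$TombstoneLifetimeDays = 60,  # AD default; read the live value from CN=Directory Service in production
        [datetime]$Now = (Get-Date)
    )
    $fmt = 'yyyy-MM-dd HH:mm:ss'
    $inv = [System.Globalization.CultureInfo]::InvariantCulture
    foreach ($row in ($CsvLines | ConvertFrom-Csv)) {
        # repadmin writes 0 when a partner has never succeeded (or never failed)
        $lastSuccess = if ($row.'Last Success Time' -ne '0') { [datetime]::ParseExact($row.'Last Success Time', $fmt, $inv) } else { $null }
        $hours  = if ($lastSuccess) { [math]::Round(($Now - $lastSuccess).TotalHours, 1) } else { $null }
        $status = [int]$row.'Last Failure Status'
        $notes  = [System.Collections.Generic.List[string]]::new()
        if ([int]$row.'Number of Failures' -gt 0) { $notes.Add("last failure status $status") }
        if ($status -eq 8606) { $notes.Add('8606: lingering object on the source; check event 1988 and run repadmin /removelingeringobjects with /ADVISORY_MODE first') }
        if ($null -eq $hours) { $notes.Add('never replicated successfully') }
        elseif ($hours -gt $MaxHoursSinceSuccess) { $notes.Add("stale: $hours h since last success") }
        if ($null -ne $hours -and $hours -gt ($TombstoneLifetimeDays * 24)) { $notes.Add('exceeds tombstone lifetime: lingering objects likely') }
        [PSCustomObject]@{
            Destination       = $row.'Destination DSA'
            Source            = $row.'Source DSA'
            NamingContext     = $row.'Naming Context'
            Failures          = [int]$row.'Number of Failures'
            HoursSinceSuccess = $hours
            Healthy           = ($notes.Count -eq 0)
            Notes             = ($notes -join '; ')
        }
    }
}

# Fixed "now" so the sample evaluates the same way every run; drop -Now for live data
$report = Get-ReplicationHealth -CsvLines ($SampleCsv -split "`r?`n") -Now ([datetime]'2024-03-01T09:00:00')
$report | Format-Table -AutoSize
$report | Where-Object { -not $_.Healthy } |
    ForEach-Object { Write-Warning "$($_.Source) -> $($_.Destination) [$($_.NamingContext)]: $($_.Notes)" }
```

With the sample data the DC2 <- DC1 row is reported unhealthy on three counts (37 failures with status 8606, stale, and more than 60 days since the last success), which is exactly the profile of the restored-from-backup DC in the scenario above. Scheduling this daily and alerting on any row where Healthy is false gives the "day-to-day" monitoring the post asks for.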
Active Directory Back Up - The 3-2-1 Backup Rule

A full system backup is a good option when the setup is small and bare-metal hardware is used for the Windows system roles; in this case a hardware failure requires a full system backup and restore. I would advise going for a full backup periodically (weekly or bi-weekly) and a minimum backup set for each server daily (System State) for only Active Directory, keeping the below steps in mind. If your setup in each location is small, I would recommend that you have at least 2 domain controllers on each site.

The 3-2-1 Backup Rule

The 3-2-1 backup rule is an easy-to-remember acronym for a common approach to keeping your data safe in almost any failure scenario. The rule is: keep at least three (3) copies of your data, and store two (2) backup copies on different storage media, with one (1) of them located offsite.

· At a minimum, back up two domain controllers in each domain (for large environments, with multiple DCs in each site), one of which should be an operations master role holder (excluding the relative ID (RID) master, which should not be restored). Note that backup data from a domain controller can only be used to restore that domain controller. You cannot use a backup of one domain controller to restore another.
· You should back up your FSMO role holders and use that backup when restoring the whole AD environment after a disaster. However, in case of a single DC failure, you should not restore this DC from backup; instead, you should simply install a fresh new server and promote it as a domain controller. This approach ensures AD database integrity and avoids any chance of conflicts that may occur because of the restoration.
· At least one domain controller in a domain must be backed up. It is obvious that if you have just one domain controller in your infrastructure, you should back up this DC. If you have more than one domain controller, you should back up at least one of them. You should back up the domain controller that has FSMO (Flexible Single Master Operation) roles installed. If you have lost all domain controllers, you can recover a primary domain controller (containing FSMO roles) and deploy a new secondary domain controller, replicating changes from the primary DC to the secondary DC.
· A backup that is older than the tombstone lifetime set in Active Directory is not a good backup. At a minimum, perform at least two backups within the tombstone lifetime. The default tombstone lifetime is 60 days. Active Directory incorporates the tombstone lifetime into the backup and restore process as a means of protecting itself from inconsistent data.
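The two backup posts above ("Set Up for Active Directory Backup" and the 3-2-1 rule) come down to three concrete tasks: take a daily System State backup with the built-in wbadmin tool, schedule it, and make sure what is on hand is younger than the tombstone lifetime with at least two backups inside it. The following is an added example, not code from the original posts, that does all three. It assumes the Windows Server Backup feature and the ActiveDirectory PowerShell module are installed on the DC; $BackupTarget is a placeholder you must replace, and the backup timestamps at the bottom are constructed so the lifetime check runs offline.

```powershell
# Added example (not the original poster's code): nightly System State backup of a DC via
# wbadmin.exe, plus a check of the backup set against the forest tombstone lifetime.
$BackupTarget = 'E:'   # placeholder: a dedicated backup volume (never the DC's system volume)

function Register-SystemStateBackupTask {
    # Registers a daily task that runs the same wbadmin command an admin would type by hand.
    param([string]$Target, [string]$At = '22:00')
    $action    = New-ScheduledTaskAction -Execute 'wbadmin.exe' -Argument "start systemstatebackup -backupTarget:$Target -quiet"
    $trigger   = New-ScheduledTaskTrigger -Daily -At $At
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName 'AD System State Backup' -Action $action -Trigger $trigger -Principal $principal -Force
}

function Get-TombstoneLifetimeDays {
    # Forest-wide value on CN=Directory Service; an absent attribute means the legacy default of 60 days.
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ds  = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" -Properties tombstoneLifetime
    if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
}

function Test-BackupAgainstTombstoneLifetime {
    param([datetime[]]$BackupTimes, [int]$TombstoneLifetimeDays, [datetime]$Now = (Get-Date))
    # Backups older than the tombstone lifetime cannot be restored safely, so they do not count.
    $inLifetime = @($BackupTimes | Where-Object { ($Now - $_).TotalDays -lt $TombstoneLifetimeDays })
    $newest     = $BackupTimes | Sort-Object -Descending | Select-Object -First 1
    [PSCustomObject]@{
        NewestBackup          = $newest
        NewestAgeDays         = if ($newest) { [math]::Round(($Now - $newest).TotalDays, 1) } else { $null }
        TombstoneLifetimeDays = $TombstoneLifetimeDays
        BackupsWithinLifetime = $inLifetime.Count
        Usable                = ($inLifetime.Count -ge 2)   # the post's minimum: two backups inside the tombstone lifetime
    }
}

# Live use on a DC: backup set timestamps come from the WindowsServerBackup module
#   Import-Module WindowsServerBackup
#   $times = (Get-WBBackupSet).BackupTime
#   Test-BackupAgainstTombstoneLifetime -BackupTimes $times -TombstoneLifetimeDays (Get-TombstoneLifetimeDays)
# Constructed sample timestamps stand in here so the check runs offline:
$times = @([datetime]'2023-12-25', [datetime]'2024-02-25', [datetime]'2024-02-29')
Test-BackupAgainstTombstoneLifetime -BackupTimes $times -TombstoneLifetimeDays 60 -Now ([datetime]'2024-03-01')

# Register-SystemStateBackupTask -Target $BackupTarget   # uncomment on the DC to schedule the nightly run
```

With the sample timestamps the December backup is 67 days old and falls outside the 60-day lifetime, leaving two usable backups, so the check passes; drop one more and it fails. Scheduling the task to run daily, as the first post recommends, keeps the newest backup well inside the lifetime on every DC you back up.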
Re: ADFS Behavior

osamamansoor I checked and came to the conclusion that you will not be prompted for the password in the Teams/OneDrive/Outlook client when ADFS is configured. My previous thought was that, being clients, they may save cached credentials and will try to log in with those, or have a different method of authentication, but it is only a matter of password sync time to AAD. I actually checked it both within the intranet and outside; both work the same way. My laptop was connected to the internet and it was asking for new credentials; even before that it was letting me log in with cached credentials, but once I am logged in, all my apps used the same credentials automatically.
How to Create Multiple Hyper-V VMs via PowerShell

Assuming we want to create multiple Hyper-V VMs via PowerShell, the below script assumes that you have a VM name list and creates VMs according to each name, given as comma-separated, single-quoted VM names in a variable.

Pre-requisites

Add an ISO file for OS installation; the script puts the HDD into the directory you mention in the $VMLOC variable and assigns an existing Hyper-V switch to all VMs.

Script starts---------

#Below command will load the Hyper-V module for PowerShell.
Get-Command -Module Hyper-V
# This script creates multiple VMs based on the names you provided.
#Enter the VM names as mentioned below.
$VMName = 'Server001','server002'
#Enter the ISO file path which contains the Windows installation files
$ISOpath = "D:\library\Windows Server 2008 R2 SP1_x64fre_server_eval_en-us-DVD.iso"
#Path where the VM HDD file is stored
$VMLOC = "d:\test"
#Name of the virtual switch which will be used by the VMs
$VMNet = "vEthernet-ADDC-M2"
#Create the VMs
Foreach($vm in $VMName) {
    New-VM -Name $VM -Generation 2 -SwitchName $VMNet
    New-VHD -Path "$VMLOC\$VM\$vm.vhdx" -Dynamic -SizeBytes 40GB
    ADD-VMHardDiskDrive -VMName $vm -Path "$VMLOC\$VM\$vm.vhdx"
    Set-VM $VM -MemoryStartupBytes 1GB
    Add-VMDvdDrive -VMName $vm -Path $ISOpath
    Set-VMFirmware -VMName $vm -FirstBootDevice ((Get-VMFirmware -VMName $vm).BootOrder | Where-Object Device -like *DvD*).Device
}
#Starts all of the VMs; installation of the OS will then begin.
Start-VM -Name $VMName

Script Ends-------------

The only problem I have faced with this script is with Microsoft ISO files for the OS, which wait for an end user's input when installation starts, asking "Press any key to start installation........."

Re: How to create 10 (multiple) virtual machines using power shell

Prasad_Raju There can be two types of VMs: on-premises, using Microsoft Hyper-V from PowerShell, and VMs on Azure, using Azure shell.

Creating Multiple Hyper-V VMs via PowerShell

Assuming that you want to create multiple Hyper-V VMs via PowerShell, the below script assumes that you have a VM name list and creates VMs according to each name, given as comma-separated, single-quoted VM names in a variable.

Pre-requisites

Add an ISO file for OS installation; the script puts the HDD into the directory you mention in the $VMLOC variable and assigns an existing Hyper-V switch to all VMs.

Script starts---------

#Below command will load the Hyper-V module for PowerShell.
Get-Command -Module Hyper-V
# This script creates multiple VMs based on the names you provided.
#Enter the VM names as mentioned below.
$VMName = 'Server001','server002'
#Enter the ISO file path which contains the Windows installation files
$ISOpath = "D:\library\Windows Server 2008 R2 SP1_x64fre_server_eval_en-us-DVD.iso"
#Path where the VM HDD file is stored
$VMLOC = "d:\test"
#Name of the virtual switch which will be used by the VMs
$VMNet = "vEthernet-ADDC-M2"
#Create the VMs
Foreach($vm in $VMName) {
    New-VM -Name $VM -Generation 2 -SwitchName $VMNet
    New-VHD -Path "$VMLOC\$VM\$vm.vhdx" -Dynamic -SizeBytes 40GB
    ADD-VMHardDiskDrive -VMName $vm -Path "$VMLOC\$VM\$vm.vhdx"
    Set-VM $VM -MemoryStartupBytes 1GB
    Add-VMDvdDrive -VMName $vm -Path $ISOpath
    Set-VMFirmware -VMName $vm -FirstBootDevice ((Get-VMFirmware -VMName $vm).BootOrder | Where-Object Device -like *DvD*).Device
}
#Starts all of the VMs; installation of the OS will then begin.
Start-VM -Name $VMName

Script Ends-------------

The only problem I have faced with this script is with Microsoft ISO files for the OS, which wait for an end user's input when installation starts, asking "Press any key to start installation........."; to bypass this issue, you can go through the below article if needed.

https://serverfault.com/questions/353826/windows-boot-iso-file-without-press-any-key
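The script in the posts above works when every precondition happens to hold, but it silently produces half-built VMs when the switch name is wrong, the ISO path is mistyped, or a VM of that name already exists. The following is an added example and not the poster's script: the same provisioning loop with pre-flight checks, idempotent creation, and two hardening choices that matter when the guests are going to be domain controllers (automatic checkpoints off, virtual TPM on). The VM names, paths and switch name are placeholders; the vTPM cmdlets assume Windows Server 2016 Hyper-V or later.

```powershell
# Added example (not the original poster's script): provisioning loop with validation and
# DC-oriented hardening. All names and paths below are placeholders to adjust.
$VMNames    = 'DC01','DC02'                 # placeholder VM names
$IsoPath    = 'D:\library\WindowsServer.iso' # placeholder installation media
$VmRoot     = 'D:\VMs'                       # placeholder root folder for VM config and disks
$SwitchName = 'vEthernet-ADDC-M2'            # placeholder, same name as in the post

Import-Module Hyper-V -ErrorAction Stop

# Pre-flight: fail fast before anything is created
if (-not (Test-Path -LiteralPath $IsoPath)) { throw "ISO not found: $IsoPath" }
if (-not (Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue)) { throw "Virtual switch '$SwitchName' does not exist" }

foreach ($name in $VMNames) {
    if (Get-VM -Name $name -ErrorAction SilentlyContinue) {
        Write-Warning "VM '$name' already exists, skipping"   # idempotent: re-running does not duplicate
        continue
    }
    $vmDir   = Join-Path $VmRoot $name
    $vhdPath = Join-Path $vmDir "$name.vhdx"
    New-Item -ItemType Directory -Path $vmDir -Force | Out-Null

    # Create VM and its disk in one call so a failure leaves no orphaned VHDX
    $vm = New-VM -Name $name -Generation 2 -MemoryStartupBytes 2GB `
                 -NewVHDPath $vhdPath -NewVHDSizeBytes 60GB `
                 -SwitchName $SwitchName -Path $VmRoot -ErrorAction Stop

    # Applying a checkpoint to a DC rolls the directory back in time (USN rollback), so keep
    # automatic checkpoints off for these guests
    Set-VM -VM $vm -DynamicMemory -AutomaticCheckpointsEnabled $false

    # Gen 2 already boots with Secure Boot; add a virtual TPM so the guest can use BitLocker.
    # A local key protector is enough on a single host without a Host Guardian Service.
    Set-VMKeyProtector -VM $vm -NewLocalKeyProtector
    Enable-VMTPM -VM $vm

    # Boot from the installation media first, using the drive object instead of a wildcard match
    $dvd = Add-VMDvdDrive -VM $vm -Path $IsoPath -Passthru
    Set-VMFirmware -VM $vm -FirstBootDevice $dvd
}

Start-VM -Name $VMNames
```

The "Press any key" prompt the posts mention is unchanged by this script; it comes from the boot image on the ISO, which is what the linked article addresses.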
It is a requirement for Microsoft Partners to enable MFA for all users in organization, but as far as multi-tenant Azure AD MFA is concerned, Organizations can choose to enable/disable MFA for guests and single users. Mostly organizations select MFA to be enabled for whole Azure AD while setting up tenant, which can be later enabled/disabled for individuals. Let's focus on "Why can a guest's home tenant not send some kind of attestation that MFA is in place on the home user account?" One of the user to above question with in community speaks as follows: “We have lots of our customers in our tenant as guests for Teams channels because we invite the customer primary contact(s) into a channel that has their support engineers present. When we switched on conditional access to enforce MFA on all users the guests got prompted to setup MFA even though they already have MFA on their home account. For the time being I've added an exclusion on our conditional access policy to exclude guests and the dashboard is still saying we're 100% compliant after a few days, but what I'm reading here is that potentially these guest accounts are going to become useless unless all the guests wrestle with adding MFA on every instance they're a guest (which is totally mad). We're not creating another tenant and shoving all our CSP stuff in there, it just adds so much friction and if anything reduces security because right now when someone joins or leaves our organization their Azure AD account sets up and cuts off their access to everything. If we begin having separate accounts in another tenant for CSP you can bet someone is going to forget to cut that off when someone leaves and access carries on until someone notices. 
We are 100% on board with MFA being required, and I understand requiring MFA on a guest that doesn't reside in another Azure AD tenant (like a random @gmail.com user should be made to setup MFA), but where the user originates from Azure AD and has MFA on their home account, can it be that hard for MSFT to pass some kind of trusted flag across to the guest login that skips MFA if the home account has it?” MY TAKE: I understand requiring MFA on a guest that doesn't reside in another Azure AD tenant (like a random @gmail.com user should be made to setup MFA), but where the user originates from Azure AD and has MFA on their home account, can it be that hard for MSFT to pass some kind of trusted flag across to the guest login that skips MFA if the home account has it? In same thread another user shared a suggestion for this feature to be available, but link may have expired or feature no longer being considered.Re: Azure AD: Cross Tenant access requires multiple MFA registration?
It is a requirement for Microsoft Partners to enable MFA for all users in organization, but as far as multi-tenant Azure AD MFA is concerned, Organizations can choose to enable/disable MFA for guests and single users. Mostly organizations select MFA to be enabled for whole Azure AD while setting up tenant, which can be later enabled/disabled for individuals. Let's focus on question"Why can a guest's home tenant not send some kind of attestation that MFA is in place on the home user account?" One of the user to above question with in community speaks as follows: “We have lots of our customers in our tenant as guests for Teams channels because we invite the customer primary contact(s) into a channel that has their support engineers present. When we switched on conditional access to enforce MFA on all users the guests got prompted to setup MFA even though they already have MFA on their home account. For the time being I've added an exclusion on our conditional access policy to exclude guests and the dashboard is still saying we're 100% compliant after a few days, but what I'm reading here is that potentially these guest accounts are going to become useless unless all the guests wrestle with adding MFA on every instance they're a guest (which is totally mad). We're not creating another tenant and shoving all our CSP stuff in there, it just adds so much friction and if anything reduces security because right now when someone joins or leaves our organization their Azure AD account sets up and cuts off their access to everything. If we begin having separate accounts in another tenant for CSP you can bet someone is going to forget to cut that off when someone leaves and access carries on until someone notices. 
We are 100% on board with MFA being required, and I understand requiring MFA on a guest that doesn't reside in another Azure AD tenant (like a random @gmail.com user should be made to set up MFA), but where the user originates from Azure AD and has MFA on their home account, can it be that hard for MSFT to pass some kind of trusted flag across to the guest login that skips MFA if the home account has it?”

MY TAKE: I understand requiring MFA on a guest that doesn't reside in another Azure AD tenant (like a random @gmail.com user should be made to set up MFA), but where the user originates from Azure AD and has MFA on their home account, can it be that hard for MSFT to pass some kind of trusted flag across to the guest login that skips MFA if the home account has it? In the same thread another user shared a suggestion for this feature to be made available, but the link may have expired or the feature is no longer being considered.

Re: ADFS Behavior
Teams Online and OneDrive Online will not ask you for a password change, as they are being synced, but the Teams client and OneDrive client will ask you for credentials again, as they are clients. For OneDrive you may have to go to Credential Manager, remove the old credentials, and then sync again for the updated changes.

Re: ADFS Behavior
osamamansoor Yes, for the intranet it can be done by using Windows Integrated Authentication, enabled in ADFS and in the browser, i.e. Internet Explorer, to avoid being prompted for credentials. Windows Integrated Authentication can also be set for Mozilla Firefox and Chrome via ADFS PowerShell cmdlets. The ADFS URL should be added to IE > Security > Intranet zones > Sites. This is done because IE > Security > Local Intranet > Security Settings > User Authentication – Logon is configured to use the logged-in credentials for intranet sites. Ensure that IE > Advanced > 'Enable Integrated Windows Authentication' is checked. When accessing applications from outside the organization, Form-Based Authentication is used, because Windows Integrated Authentication can't be used. In most cases, for authentication to apps both inside and outside the organization, ADFS can be set for both Windows Integrated Authentication and Form-Based Authentication, and users can be presented with both options inside the intranet.

Re: Managing members in shared mailboxes "responsible person/owner", similar to distribution lists
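The ADFS side of the setup described above, as an added example that is not code from the original reply: it assumes the ADFS PowerShell module on the federation server, and that the 'Mozilla/5.0' user-agent substring is the value you want AD FS to treat as WIA-capable (it matches Firefox and Chrome, but also every other modern browser).

```powershell
# Added example, not from the original reply. Run in an elevated session on an AD FS server.
Import-Module ADFS

# AD FS sends a WIA (Negotiate) challenge only to browsers whose User-Agent header
# contains one of these substrings; everything else gets the forms sign-in page.
$current = (Get-AdfsProperties).WIASupportedUserAgents

# Assumption: 'Mozilla/5.0' is the substring to allow for Firefox and Chrome.
# It is deliberately broad, so review the resulting list before applying it in production.
$wanted = @("Mozilla/5.0")

$missing = $wanted | Where-Object { $current -notcontains $_ }
if ($missing) {
    # Append rather than replace, so the default IE/Edge entries are kept.
    Set-AdfsProperties -WIASupportedUserAgents ($current + $missing)
}

# Intranet: offer both Windows Integrated and Forms-Based authentication.
# Extranet: Forms-Based only, since WIA cannot be used from outside the organization.
Set-AdfsGlobalAuthenticationPolicy `
    -PrimaryIntranetAuthenticationProvider @("WindowsAuthentication", "FormsAuthentication") `
    -PrimaryExtranetAuthenticationProvider @("FormsAuthentication")

# Show the effective settings for verification.
(Get-AdfsProperties).WIASupportedUserAgents
Get-AdfsGlobalAuthenticationPolicy |
    Select-Object PrimaryIntranetAuthenticationProvider, PrimaryExtranetAuthenticationProvider
```

The browser-side steps from the reply (adding the ADFS URL to the Local Intranet zone and keeping 'Enable Integrated Windows Authentication' checked) are still required for the WIA prompt to be answered silently.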
Marc Gehri To create or manage a shared mailbox, one should have the Global Admin or at least the Recipient Management role in Exchange. Having Full Access permission effectively makes a user an owner of the shared mailbox, as they can log in to the mailbox and do a lot of things: create calendar items; read, view, delete, and change email messages; create tasks and calendar contacts. However, a user with Full Access permission can't send email from the shared mailbox unless they also have Send As or Send on Behalf permission, nor can they change the membership; that could be done by creating a separate role for managing only the shared mailbox membership.

Re: PowerShell Script for Exporting Members for a List of Security Groups from AAD
Below is the updated script based on feedback. It will now only look for groups starting with the input value; in this case just key in FP3 and it will only bring back groups that begin with FP3.

```powershell
Connect-AzureAD
$PathCsv = "C:\temp\GroupMembers.csv"
$GroupName = Read-Host -Prompt "Enter group Displayname to search"
# Prefix match on the display name; -All $true lifts the default 100-object page limit
$groups = Get-AzureADGroup -All $true | Where-Object { $_.DisplayName -like "$GroupName*" }
$count = ($groups | Measure-Object).Count
$groupMembers = foreach ($group in $groups) {
    $GroupId = $group.ObjectId
    $GroupName = $group.DisplayName
    Write-Progress -Activity "No of Groups found: $count - Fetching members for GroupName: $GroupName"
    Start-Sleep -Milliseconds 200
    Get-AzureADGroupMember -ObjectId $GroupId -All $true |
        Select-Object -Property @{Name = 'GroupName'; Expression = { $GroupName }}, DisplayName, UserPrincipalName
}
$groupMembers | Export-Csv -Path $PathCsv -NoTypeInformation
```

Re: Export members for a list of security groups from AAD
filzah Here is an updated PowerShell script. It will now only look for groups starting with the input value; in this case just key in FP3 and it will only bring back groups that begin with FP3.

```powershell
Connect-AzureAD
$PathCsv = "C:\temp\GroupMembers.csv"
$GroupName = Read-Host -Prompt "Enter group Displayname to search"
# Prefix match on the display name; -All $true lifts the default 100-object page limit
$groups = Get-AzureADGroup -All $true | Where-Object { $_.DisplayName -like "$GroupName*" }
$count = ($groups | Measure-Object).Count
$groupMembers = foreach ($group in $groups) {
    $GroupId = $group.ObjectId
    $GroupName = $group.DisplayName
    Write-Progress -Activity "No of Groups found: $count - Fetching members for GroupName: $GroupName"
    Start-Sleep -Milliseconds 200
    Get-AzureADGroupMember -ObjectId $GroupId -All $true |
        Select-Object -Property @{Name = 'GroupName'; Expression = { $GroupName }}, DisplayName, UserPrincipalName
}
$groupMembers | Export-Csv -Path $PathCsv -NoTypeInformation
```

Re: On premises synced DL's not showing up in new Address list
exoguru "The Update-AddressList cmdlet (or Update-GlobalAddressList) isn't available in Exchange Online PowerShell. If recipients that should appear in an address list do not, you need to change the required property value for those users to a temporary value, and then back to the value that's required by the address list. You can update the user property values in the Exchange admin center (EAC) or Exchange Online PowerShell, but it's quicker to do bulk operations in PowerShell." Sharing the link with the procedure mentioned in the MS doc; you can also refer to the following documentation: https://docs.microsoft.com/en-us/exchange/address-books/address-lists/manage-address-lists

PowerShell Script for Exporting Members for a List of Security Groups from AAD
This script is for downloading the members of 1000 security groups in AAD and exporting the members (name, email, UPN) for a specific list of security groups whose names begin with 'FP3', or from a CSV file. Simply provide the prefix your group names start with, e.g. FP3. The normal limit on returned results is 100 objects, which has been raised to the maximum with "-All $true" in this case.

```powershell
Connect-AzureAD
$PathCsv = "C:\GroupMembers.csv"
$GroupName = Read-Host -Prompt "Enter group name to search"
# -SearchString matches the start of the display name; -All $true lifts the default 100-object limit
$groups = Get-AzureADGroup -SearchString $GroupName -All $true
$count = ($groups | Measure-Object).Count
$groupMembers = foreach ($group in $groups) {
    $GroupId = $group.ObjectId
    $GroupName = $group.DisplayName
    Write-Progress -Activity "No of Groups found: $count - Fetching members for GroupName: $GroupName"
    Start-Sleep -Milliseconds 200
    Get-AzureADGroupMember -ObjectId $GroupId -All $true |
        Select-Object -Property @{Name = 'GroupName'; Expression = { $GroupName }}, DisplayName, UserPrincipalName
}
$groupMembers | Export-Csv -Path $PathCsv -NoTypeInformation -Force
```

Original script: PowerShell script to Export All Azure AD groups Starting with "ABC" name and membership of their groups
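An added example (not the author's script) for the CSV-file variant the post mentions: group display names are read from a CSV and the members exported with nested groups expanded, using the same AzureAD cmdlets as the script above. The two file paths and the 'GroupName' column header are assumptions.

```powershell
# Added example, not the original post's script: read group display names from a CSV
# (assumed column header 'GroupName', one group per row) and export members, expanding
# nested groups. Requires the AzureAD module, like the script above.
Connect-AzureAD
$InputCsv  = "C:\temp\GroupList.csv"     # assumed input path
$OutputCsv = "C:\temp\GroupMembers.csv"  # assumed output path

# Fetch the directory's groups once (-All $true lifts the 100-object limit) and
# index them by display name, since display names are not guaranteed to be unique.
$byName = @{}
foreach ($g in Get-AzureADGroup -All $true) { $byName[$g.DisplayName] += @($g) }

$visited = @{}   # ObjectIds already expanded, guards against nested-group cycles

function Get-MembersRecursive {
    param([string]$GroupId, [string]$TopGroup)
    if ($visited.ContainsKey($GroupId)) { return }
    $visited[$GroupId] = $true
    foreach ($m in (Get-AzureADGroupMember -ObjectId $GroupId -All $true)) {
        if ($m.ObjectType -eq 'Group') {
            Get-MembersRecursive -GroupId $m.ObjectId -TopGroup $TopGroup
        } else {
            [pscustomobject]@{
                GroupName         = $TopGroup
                DisplayName       = $m.DisplayName
                UserPrincipalName = $m.UserPrincipalName
                ObjectType        = $m.ObjectType   # User, ServicePrincipal, ...
            }
        }
    }
}

$rows = foreach ($entry in Import-Csv -Path $InputCsv) {
    $hits = @($byName[$entry.GroupName] | Where-Object { $null -ne $_ })
    if ($hits.Count -ne 1) {
        # Zero hits: not found; more than one: ambiguous name. Report rather than guess.
        Write-Warning "Group '$($entry.GroupName)': $($hits.Count) matches, skipped"
        continue
    }
    $visited.Clear()   # expansion state is per top-level group
    Get-MembersRecursive -GroupId $hits[0].ObjectId -TopGroup $hits[0].DisplayName
}
$rows | Export-Csv -Path $OutputCsv -NoTypeInformation -Force
```

Members reached through a nested group are reported under the top-level group from the CSV, so the output reflects effective membership rather than direct membership only.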