User Profile
KalimanneJ
Iron Contributor
Joined 7 years ago
Recent Discussions
New Teams Patching Process?
Is there an option to install the new Teams systemwide so there are not separate copies in every user profile like Teams classic? I know there is a “machine wide” installer for Teams classic, but it still puts separate copies of Teams in each user profile. This makes patching security vulnerabilities a nightmare because every user with a profile on the PC has to sign in and launch Teams to update all the copies on a single PC. Is there a different update process to more easily and reliably apply monthly updates to the new Teams?
624 Views, 0 Likes, 0 Comments

GCC Sandbox Tenant for testing changes outside of production tenant?
Microsoft has a developer program that offers a licensed tenant designed for Azure development work and testing, but it is not relevant to GCC work. There will be many features that will be enabled in this tenant that will work differently or not be available at all for GCC tenants. We already have a GCC tenant, but it is not safe to “test” in our live tenant. We can add a second directory for testing, but then it has no licensing. So, we would not be able to test anything requiring licensing and we are not able to purchase licensing just for testing. Is there a process to get no cost licensing for a secondary GCC tenant used for development and testing? Since the test tenant doesn’t physically need to be in the GCC cloud and only needs to act like a GCC tenant, is there any method to use the existing developer Azure tenant program and configure it to function like a real GCC tenant would?

Re: What is the roadmap for FIDO2 passthrough from Hyper-V host to VM?
I don’t see anywhere there that they are recommending against the SAW being a physical machine. That link has a story that talks about them internally deploying proprietary customized, very locked down laptops with both the SAW and their everyday machine running as VMs on it. It does not seem applicable to everyone else. The base host laptop has to be locked down at least as much as a SAW would be or it will become a source of compromise and would make the SAW VM running on it also subject to compromise. With that setup, you are running 3 operating systems that need management and patching, plus the laptop has to be powerful enough to run the local OS plus 2 additional copies of Windows as VMs and have licensing to do that. Does not look practical!
4.7K Views, 0 Likes, 1 Comment

Re: What is the roadmap for FIDO2 passthrough from Hyper-V host to VM?
Where are you seeing this “current” recommendation that a PAW should be a VM? I have only seen Microsoft recommending VMs for creating a lab environment for testing. They have always recommended that the PAW be on a locked down physical device and you run a VM or have a separate device for your non-admin use. They recommended that the PAW be physical so that a compromised VM host doesn’t compromise the virtualized PAW. They have always said to not sign in to a higher privileged device from a lower privileged device.
4.9K Views, 0 Likes, 3 Comments

FIDO2 Office 365 and Windows Hello For Business Sign-in?
I saw that this was in preview a year ago. https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/bg-p/Identity Is logging into Windows 10 Hybrid joined systems using FIDO security keys now working? What about signing into Office 365 desktop apps, mobile apps and web apps with FIDO security keys?

Passwordless authentication from unmanaged devices?
I see that we could enable Windows Hello for Business for company-owned, Hybrid AD Joined Windows 10 devices, which would allow users to log into their PC with PIN, face or fingerprint and then get SSO into Office 365 apps as well as local AD resources (network shared drives, printers etc.). However, what about contractors (with hybrid AD user accounts in our domain and Office 365 tenant) using their own laptops both on the corporate office network and remotely? These laptops will be managed by their employer, so we cannot manage them with Intune or any other MDM since their employer is already managing them. We will provide them with third party MFA such as Duo Security for the Hybrid AD tenant using ADFS. So, we want these users to be able to access the resources using MFA and some kind of passwordless authentication rather than type in their AD password. Since they can't use Windows Hello For Business with our resources, what passwordless authentication options are available for them to access Office 365 apps from our Office 365 tenant (Exchange Online OWA, using the Outlook 365 desktop app or Outlook 2016 desktop app, Teams, Skype For Business Online, SharePoint Online, OneDrive For Business etc.)? What about passwordless authentication to on prem AD resources such as shared network drives and network printers? Also, mobile apps for iOS and Android such as Exchange ActiveSync email and Office mobile apps (Outlook for iOS and Android, Skype For Business, OneDrive For Business, SharePoint, Teams etc.)? Will certificate based authentication work with all these options? What about using FIDO keys? Which passwordless options will work best when the devices can't be managed via MDM?

Outlook For iOS and Android Government Community Cloud Poor Experience
We are finding this to be more trouble than it's worth, starting from the set up experience. Enabling GCC access in iOS requires the unintuitive act of going into iOS settings to enable it, and the link to enable GCC in Android is almost invisible. Users miss it even when it's on the screen. Why can't a prompt to enable GCC access be triggered automatically if you enter an email address that is a GCC tenant instead of the setup just failing? The restriction to a single email account is too restrictive because it doesn't allow you to even add another GCC account from the same tenant in the app. We have users who need to access their own GCC account plus a shared GCC mailbox. So, to do their job, they have to use an ActiveSync client instead, which makes the iOS app redundant. We are considering getting the "Government Community Cloud Bypass Waiver" to enable the functionality we need, but we don't fully understand everything that involves. If the waiver moves the entire tenant's data to less secure locations, that seems extreme just to make the Outlook app work the way we need it to. Most of our users are using the native iOS and Android ActiveSync mail apps instead because the Outlook app is so restrictive that it isn't even worth using. Some of these settings need to be more configurable by the tenant without going to the drastic measure of having to completely abandon GCC to make a single app work. What can be done to fix this?
2.5K Views, 0 Likes, 0 Comments

Re: What is the roadmap for FIDO2 passthrough from Hyper-V host to VM?
Has anyone heard anything on this? The PAW is supposed to be a physical machine, not a VM. Also, would using Yubikeys as smartcards instead of FIDO2 keys be an alternative for Hyper-V VMs until FIDO2 support is available?
6K Views, 0 Likes, 5 Comments

Azure Purview On Premises Uses?
Can Azure Purview be used to discover data stored in any on premises databases besides Microsoft SQL? The references to Oracle and other databases were vague to me and it seems possible that they were referring only to cloud-based SaaS versions of those databases.
682 Views, 0 Likes, 0 Comments

Re: Set FIDO2 minimum pin length in a hybrid environment
Can you be more specific? Please name some examples of FIDO sticks that let you change PIN requirements and what is the process to actually change the PIN requirements? So, are you saying even these "more expensive sticks" don't have any kind of complex PIN requirement (blocking PINs like 1234 etc.) enabled out of the box by default?
5.4K Views, 0 Likes, 0 Comments

Suggested/Recommended Endpoint DLP File Path Exclusions?
"Using Endpoint data loss prevention - Microsoft 365 Compliance | Microsoft Docs" says: "You may want to exclude certain paths from DLP monitoring, DLP alerting, and DLP policy enforcement on your devices because they are too noisy or don’t contain files you are interested in. Files in those locations will not be audited and any files that are created or modified in those locations will not be subject to DLP policy enforcement. You can configure path exclusions in DLP settings." Are there particular paths that are suggested for exclusion from DLP scanning, similar to the recommendations for excluding certain directories from A/V scanning? What are common paths that are "too noisy" and likely to not contain files you are interested in, as mentioned above? For example, to prevent performance problems or other issues, should temp folders, C:\Program Files, C:\Windows, %appdata% etc. be included or excluded from DLP scanning?
3.6K Views, 0 Likes, 0 Comments

What needs to be allowed through web proxy to run Hybrid Configuration Wizard?
We are migrating our Exchange management server for hybrid to a new server. The new server has internet access blocked and needs to go through a proxy. What are the URLs and IP addresses that are required to be allowed outbound through the proxy and firewalls to successfully run the Hybrid Configuration Wizard and get the new server set up? There are no on premises mailboxes. The new server is at a different physical location and will have a different host name and IP address.
726 Views, 0 Likes, 0 Comments

Re: Azure SSPR with external physical token
This link says you can use hardware tokens in preview: https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-methods However, I don’t see any option to make this work. Has anyone got this working?
1.4K Views, 0 Likes, 0 Comments

Use single licensing pool across multiple tenants?
Is it possible to assign licenses of any kind (Office 365 or Azure P1/P2) purchased for your tenant to a second tenant? We have a scenario where we want to set up a tenant for testing changes before we apply them to our main tenant. Some of the things we may want to test may require the test users to have P1 or P2 licensing and maybe Office 365 licensing and mailboxes etc. Instead of paying for separate licensing for users that are not real, can we borrow any extra available licensing from the main tenant to do the testing and then put them back by unassigning them when the tests are validated? Is there another way to get long term licensing for a small number of test user accounts (not a 30 day trial) for this type of testing in a sandbox environment?
2K Views, 0 Likes, 1 Comment

Re: SignInLogs are not showing in Log Analytics / Azure Monitor
Ben Owens, Sergg: I am also missing sign-in logs even after waiting 24 hours. Is evaluation trial licensing not supposed to be full featured, or is it a bug that Microsoft needs to fix? Are there some extra steps required to test setting up email alerts for sign-in activity (breakglass account etc.) when using P1/P2 trial licensing?
3.9K Views, 1 Like, 2 Comments