User Profile
headburgh
MCT
Joined 10 years ago
Recent Discussions
Re: Ninja Cat Giveaway: Episode 2 | Mastering email authentication and slashing overrides: Part 2
Saw the ninja cat throughout the presentation. Especially liked when it popped out from behind a painting. One thing I learned (again) was how to operate the admin submissions since I do it very rarely 😄
Re: Azure AD PIM token lifetimes
Gurdev Singh Hi, the minimum amount of time you can utilize PIM for is 1h. But that doesn't change my answer to your question. The user in this context would have privileged access for as long as the PIM role would allow him/her. I.e. if the role is configured for 1h, any user with access to that role would be approved for 1h in a privileged role. When the time limit is reached, the rights granted by the privileged role are revoked. https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-change-default-settings?tabs=previous#activations Regards, Viktor
Re: Global banned password list
Hi, No, the solution is not language dependent. It simply does not let you have an easy password such as 'Password123' since it would not receive a high enough score and the phrase 'Password' is represented all around hash dumps. For instance, I live in Sweden and it would not let me choose 'Sommar' (Swedish for summer). https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad#how-are-passwords-evaluated
Re: Azure AD MFA NPS Extension
There is no stand-alone MFA license. It is included in Azure AD Premium. AAD Premium is included in EM+S E3 (P1) and EM+S E5 (P2), or as stand-alone licenses for both P1 and P2. Office 365 E1/E3 does not include this. Microsoft 365 E3 does include P1, and E5 includes P2. https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-licensing Regards, Viktor
Re: room/equipment mailbox
Room mailbox would satisfy your needs. The difference between room and equipment could be described as: room: conference rooms, meeting rooms etc.; equipment: a shared car, bicycle, portable video/audio devices. This link describes step-by-step how to create a room mailbox: https://docs.microsoft.com/en-us/exchange/recipients/room-mailboxes?view=exchserver-2019 Regards, Viktor
Re: Is there a graph API equivalent for un hiding user from GAL for Azure AD B2B user
You could use the beta API for Azure Active Directory B2B for this.

PATCH https://graph.microsoft.com/beta/users/{id of user}
{ "showInAddressList": true }

Please note, as it is in beta it could be hazardous to take a production dependency on /beta APIs. Regards, Viktor
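The PATCH from the reply above, driven from the Microsoft Graph PowerShell SDK, as an added example that is not part of the original post. It looks the guest up by mail (guest UPNs carry the #EXT# suffix and are not worth guessing), issues the beta PATCH, and reads the property back instead of trusting the status code. The guest address, the required scope and the SDK being installed are assumptions.

```powershell
# Added example, not from the original post. Assumes the Microsoft.Graph SDK
# and an account holding User.ReadWrite.All; the guest mail is a placeholder.
Connect-MgGraph -Scopes "User.ReadWrite.All" -NoWelcome

$guestMail = "partner@example.com"   # assumption: the invited partner's address

# Resolve the object by mail, then confirm it really is a guest before touching it.
$guest = Get-MgUser -Filter "mail eq '$guestMail'" -Property Id, UserType, UserPrincipalName
if (-not $guest)                     { throw "No user with mail $guestMail" }
if ($guest.UserType -ne 'Guest')     { throw "$guestMail is a $($guest.UserType), not a B2B guest" }

$uri = "https://graph.microsoft.com/beta/users/$($guest.Id)"

# PATCH only the one property we mean to change (the SDK serialises the hashtable to JSON).
Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body @{ showInAddressList = $true }

# Verify: GET the same property back; Invoke-MgGraphRequest returns a hashtable.
$after = Invoke-MgGraphRequest -Method GET -Uri ($uri + '?$select=showInAddressList')
"{0}: showInAddressList = {1}" -f $guest.UserPrincipalName, $after.showInAddressList
```

The verification GET matters because a 204 from PATCH only says the request was accepted; a directory sync or another admin can still flip the value, so the read-back is what you log.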
Re: Azure AD MFA NPS Extension
1. In order to be eligible to use Azure AD MFA NPS Extension you need to be licensed for Azure MFA via an Azure MFA license. "The NPS Extension for Azure MFA is available to customers with licenses for Azure Multi-Factor Authentication (included with Azure AD Premium, EMS, or an MFA stand-alone license). Consumption-based licenses for Azure MFA such as per user or per authentication licenses are not compatible with the NPS extension." There is more information to be found here: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension Regards, Viktor
Re: Lost access to B2B organization after tenant migration
If you remove the malfunctioning B2B users you will be able to re-invite these. Been looking into this during the day and from what I've found your "new" user is no longer the same user regardless of the email address. https://docs.microsoft.com/en-us/azure/active-directory/b2b/tutorial-bulk-invite This page guides you and your partners on how to perform bulk invites rather than 1-by-1.
Re: Replace an expired federation certificate
hemdan875 I helped a customer in August using the guidance in these documents. As to why your Get-FederatedOrganizationIdentifier returns blank I cannot answer out of the box. https://docs.microsoft.com/en-us/previous-versions/office/exchange-server-2010/dd335198(v=exchg.141)?redirectedfrom=MSDN Have you already removed the Federated Domain and Federation Trust by running:

Remove-FederatedDomain -DomainName <domain> -Force
Remove-FederationTrust "Microsoft Federation Gateway"

Regards, Viktor
Re: MFA with Conditional Access Deployment Feedback
takers365 I've been asked by a number of customers to use this approach to ease the deployment. Identify public IP ranges and add these to trusted locations and require MFA for every auth not coming from these IP ranges. One of the drawbacks with this approach is that IP spoofing allows for further password spray, brute force etc. However, with this in mind I think it's a good place to start your security maturity journey.
Re: Changing the AAD Connect 'User Principal Name' attribute from mail to userPrincipalName?
DanielNiccoli It would affect those users who do not have a match on UserPrincipalName and Mail, thus updating the UserPrincipalName of those users in Azure Active Directory. As long as you do not alter the source anchor, you should be fine. Which attribute do you use in the ADFS claim?
Re: Can FSMO roles be transferred to a non Global Catalog server?
theaxehax as per https://support.microsoft.com/en-us/help/223346/fsmo-placement-and-optimization-on-active-directory-domain-controllers

Place the schema master on the PDC of the forest root domain.
Place the domain naming master on the forest root PDC.
Place the RID master on the domain PDC in the same domain.
Legacy guidance suggests placing the infrastructure master on a non-global catalog server. There are two rules to consider:
Single domain forest: In a forest that contains a single Active Directory domain, there are no phantoms. Therefore, the infrastructure master has no work to do. The infrastructure master may be placed on any domain controller in the domain, regardless of whether that domain controller hosts the global catalog or not.
Multidomain forest: If every domain controller in a domain that is part of a multidomain forest also hosts the global catalog, there are no phantoms or work for the infrastructure master to do. The infrastructure master may be put on any domain controller in that domain. In practical terms, most administrators host the global catalog on every domain controller in the forest. If every domain controller in a given domain that is located in a multidomain forest does not host the global catalog, the infrastructure master must be placed on a domain controller that does not host the global catalog.

Hopefully this will help you somewhat in your question. Regards, Viktor
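The two infrastructure-master rules quoted above, turned into a check you can run against a forest, as an added example that is not part of the original reply. It reads role holders and global catalog status from the directory with the RSAT ActiveDirectory module; nothing is hard-coded, and nothing is moved, only reported. The function name is my own.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory
# module and read access to the forest; names come from the directory itself.
Import-Module ActiveDirectory

function Test-InfrastructureMasterPlacement {
    param([Parameter(Mandatory)][string]$DomainName)

    $domain = Get-ADDomain -Identity $DomainName
    $forest = Get-ADForest -Identity $domain.Forest
    $dcs    = Get-ADDomainController -Filter * -Server $DomainName
    $im     = Get-ADDomainController -Identity $domain.InfrastructureMaster -Server $DomainName

    $singleDomain = $forest.Domains.Count -eq 1
    $allGc        = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0

    # Rule 1: single-domain forest -> no phantoms, the IM can sit anywhere.
    # Rule 2: every DC in this domain is a GC -> no phantoms, the IM can sit anywhere.
    # Otherwise the IM must NOT be on a GC, or cross-domain phantom updates stop.
    $ok = $singleDomain -or $allGc -or (-not $im.IsGlobalCatalog)

    [pscustomobject]@{
        Domain               = $domain.DNSRoot
        InfrastructureMaster = $im.HostName
        ImIsGlobalCatalog    = $im.IsGlobalCatalog
        AllDCsAreGC          = $allGc
        SingleDomainForest   = $singleDomain
        PlacementOk          = $ok
    }
}

# Show the other role holders too, so you can see whether they sit on the PDC as recommended.
$d = Get-ADDomain
$f = Get-ADForest
[pscustomobject]@{
    SchemaMaster         = $f.SchemaMaster
    DomainNamingMaster   = $f.DomainNamingMaster
    PDCEmulator          = $d.PDCEmulator
    RIDMaster            = $d.RIDMaster
    InfrastructureMaster = $d.InfrastructureMaster
}

# Evaluate the infrastructure master rule for every domain in the forest.
foreach ($dom in $f.Domains) { Test-InfrastructureMasterPlacement -DomainName $dom }
```

A PlacementOk of False is the one case where moving the role (or un-checking the GC on that DC) is actually needed; the other four FSMO roles have no GC restriction at all.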
Re: Exclude Azure portal login while creating microsoft account using Office 365
If it were me I'd restrict access to the Azure AD portal via Conditional Access (P1 feature) and only exclude those accounts that should have access, i.e. your global admin and other admin roles in Azure.
Re: Official recommendation to UPN equal to SMTP/email address
Dean_Gross Haven't found any more in-depth statement. But in the article about Alternate ID there is a note stating: "Microsoft's recommended best practices are to match UPN to primary SMTP address. This article addresses the small percentage of customers that cannot remediate UPN's to match." https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configuring-alternate-login-id#applications-and-user-experience-after-the-additional-configuration Hope this helps! Regards, Viktor
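An inventory of the users the two UPN threads above are about (the reply on switching AAD Connect from mail to userPrincipalName says only users whose UPN and mail differ are affected; the reply just above quotes the recommendation to make UPN match the primary SMTP address), as an added example that is not part of either post. It reads on-prem AD with the RSAT ActiveDirectory module and reports only; the function name and the default search base are mine.

```powershell
# Added example, not from the original posts. Assumes the RSAT ActiveDirectory
# module; adjust -SearchBase to the OU you sync. Nothing is modified.
Import-Module ActiveDirectory

function Get-UpnSmtpMismatch {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
               -Properties mail, proxyAddresses |
        ForEach-Object {
            $u = $_

            # The primary SMTP address is the proxyAddresses entry with an upper-case
            # "SMTP:" prefix (-clike is case-sensitive); lower-case "smtp:" entries are
            # aliases. Fall back to the mail attribute when proxyAddresses is empty.
            $primary = ($u.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' } |
                        Select-Object -First 1) -replace '^SMTP:', ''
            if (-not $primary) { $primary = $u.mail }
            if (-not $primary) { return }          # no mailbox, nothing to compare

            # -ne is case-insensitive, which is what we want for addresses.
            if ($u.UserPrincipalName -ne $primary) {
                $upnSuffix = if ($u.UserPrincipalName) { $u.UserPrincipalName.Split('@')[-1] } else { $null }
                [pscustomobject]@{
                    SamAccountName    = $u.SamAccountName
                    UserPrincipalName = $u.UserPrincipalName
                    PrimarySmtp       = $primary
                    # When these two differ, the SMTP domain must be a UPN suffix in the
                    # forest and a verified domain in Azure AD before the UPN can change.
                    UpnSuffix         = $upnSuffix
                    SmtpDomain        = $primary.Split('@')[-1]
                }
            }
        }
}

Get-UpnSmtpMismatch | Sort-Object SmtpDomain, SamAccountName | Format-Table -AutoSize
```

Run it before flipping the AAD Connect attribute: every row is a user whose cloud UPN (and therefore sign-in name) will change, and rows whose SmtpDomain is not a verified Azure AD domain will get the .onmicrosoft.com fallback instead.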
Re: Conditional Access to Proxied Enterprise App by IP only
Hi, given that you want to configure so that only corporate IPs can connect to the app I would use the guidance from the doc: If you need to configure a location condition that applies to all connections made from outside your organization's network: Include All locations; Exclude All trusted IPs. https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/best-practices#what-you-should-know And the action would then be "Block" to that specific app. Regards, Viktor
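The "include All locations, exclude All trusted IPs" policy from the reply above, built through the Microsoft Graph PowerShell SDK, as an added example that is not part of the original post. It also covers the earlier reply on trusted locations plus MFA-from-everywhere-else: the named location is the same, only the grant control differs. The IP ranges, application ID and break-glass group ID are placeholders, and the SDK and the Policy.ReadWrite.ConditionalAccess scope are assumed.

```powershell
# Added example, not from the original posts. Assumes the Microsoft.Graph SDK
# and an account holding Policy.ReadWrite.ConditionalAccess; IDs/ranges are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess" -NoWelcome

$corpRanges    = @("203.0.113.0/24", "198.51.100.0/24")   # placeholder (TEST-NET) ranges
$proxiedAppId  = "00000000-0000-0000-0000-000000000000"   # placeholder: appId of the App Proxy app
$breakGlassGrp = "11111111-1111-1111-1111-111111111111"   # placeholder: emergency-access group objectId

# 1. A trusted IP named location. isTrusted = $true is what makes it part of
#    "All trusted IPs". These ranges are exactly what an attacker has to spoof or
#    hop onto, so keep them to your egress NAT addresses, not whole provider blocks.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Corporate egress"
    isTrusted     = $true
    ipRanges      = @($corpRanges | ForEach-Object {
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = $_ } })
}

# 2. The policy: all users, this one app, every location except trusted ones -> block.
#    Created in report-only state so the sign-in log shows who it would have hit before
#    it is enforced, and with the break-glass group excluded so a typo in the ranges
#    cannot lock out the admins who would fix it.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "Block proxied app outside corporate IPs"
    state         = "enabledForReportingButNotEnforced"   # change to "enabled" after review
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGrp) }
        applications = @{ includeApplications = @($proxiedAppId) }
        locations    = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
    }
    # MFA-from-outside variant (earlier reply): builtInControls = @("mfa") and
    # includeApplications = @("All"); the location condition stays identical.
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

"Named location {0} ({1}); policy '{2}' created in state {3}" -f `
    $location.DisplayName, $location.Id, $policy.DisplayName, $policy.State
```

Leave the policy in report-only mode for at least a few days of normal traffic and review the "Report-only" tab of the sign-in logs; a proxied app that is reached from a VPN or cloud egress you forgot to list shows up there instead of as a help-desk ticket.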
Re: F1 license--Turn On/Off particular service from a plan
Hi, DESKLESSPACK is the SkuID for F1. The services included are:

BPOS_S_TODO_FIRSTLINE
DESKLESS
EXCHANGE_S_DESKLESS
FLOW_O365_S1
FORMS_PLAN_K
MCOIMP
OFFICEMOBILE_SUBSCRIPTION
POWERAPPS_O365_S1
SHAREPOINTDESKLESS
SHAREPOINTWAC
STREAM_O365_K
SWAY
TEAMS1
YAMMER_ENTERPRISE

https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/licensing-service-plan-reference Regards, Viktor
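Turning individual service plans from the list above off for one user, as an added example that is not part of the original reply. It resolves the DESKLESSPACK SkuPartNumber and the plan names to the GUIDs Graph actually wants, merges with what is already disabled (Set-MgUserLicense replaces the whole DisabledPlans list for that SKU), and reads the result back. The user, the plan names chosen and the Graph SDK with User.ReadWrite.All and Organization.Read.All are assumptions.

```powershell
# Added example, not from the original post. Assumes the Microsoft.Graph SDK and an
# account holding User.ReadWrite.All + Organization.Read.All; UPN and plans are placeholders.
Connect-MgGraph -Scopes "User.ReadWrite.All", "Organization.Read.All" -NoWelcome

$userUpn        = "worker@example.com"             # placeholder
$skuPartNumber  = "DESKLESSPACK"                   # F1, as named in the reply above
$plansToDisable = @("SWAY", "YAMMER_ENTERPRISE")   # placeholder: any names from the list above

# SkuId and ServicePlanId are GUIDs, not the friendly names, so resolve them from
# the tenant's own subscription instead of hard-coding values copied from a blog.
$sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq $skuPartNumber
if (-not $sku) { throw "Tenant has no $skuPartNumber subscription" }

$disabledIds = foreach ($name in $plansToDisable) {
    $plan = $sku.ServicePlans | Where-Object ServicePlanName -eq $name
    if (-not $plan) { throw "Service plan '$name' is not part of $skuPartNumber" }
    $plan.ServicePlanId
}

# Merge with plans already disabled on the user: the DisabledPlans array we send
# becomes the complete list, so anything we leave out gets switched back on.
$user     = Get-MgUser -UserId $userUpn -Property Id, UserPrincipalName, AssignedLicenses
$existing = ($user.AssignedLicenses | Where-Object SkuId -eq $sku.SkuId).DisabledPlans
$merged   = @(@($existing) + @($disabledIds) | Select-Object -Unique)

# Direct assignment only; for group-based licensing the plan toggles live on the group.
Set-MgUserLicense -UserId $user.Id `
    -AddLicenses @(@{ SkuId = $sku.SkuId; DisabledPlans = $merged }) `
    -RemoveLicenses @() | Out-Null

# Read back which plans of this SKU are now disabled for the user.
$after = (Get-MgUser -UserId $user.Id -Property AssignedLicenses).AssignedLicenses |
         Where-Object SkuId -eq $sku.SkuId
$sku.ServicePlans | Where-Object { $after.DisabledPlans -contains $_.ServicePlanId } |
    Select-Object ServicePlanName, ServicePlanId
```

The merge step is the part people get wrong: sending only the newly disabled plan silently re-enables every plan an earlier admin had turned off for that user.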
Re: Active Directory Dynamic Security Group creation
Vinoth_Azure There are no dynamic security groups in Active Directory. In order to accomplish this, I think the most viable option would be a PowerShell script determining who is in the given OU/group and updating the security group accordingly, maybe something like this:

Import-Module ActiveDirectory

# Group that mirrors the OU; it must already exist.
$groupname = "PseudoDynamicGroup"
$ou        = "ou=desiredUsers,dc=domain,dc=tld"

# Desired members: everyone under the OU. To mirror another group instead, use:
# $users = Get-ADGroupMember -Identity "GroupName" -Recursive
$users = Get-ADUser -Filter * -SearchBase $ou

# Add anyone missing; SilentlyContinue swallows the "already a member" error.
foreach ($user in $users) {
    Add-ADGroupMember -Identity $groupname -Members $user.SamAccountName -ErrorAction SilentlyContinue
}

# Remove anyone no longer under the OU. -Confirm:$false, otherwise every removal prompts.
$members = Get-ADGroupMember -Identity $groupname
foreach ($member in $members) {
    if ($member.DistinguishedName -notlike "*,$ou") {
        Remove-ADGroupMember -Identity $groupname -Members $member.SamAccountName -Confirm:$false
    }
}

Kind regards, Viktor
Re: Group Based Licensing - assign using PowerShell?
Jason Dunbar As of now the PowerShell and Graph API support for this feature is read-only. "Full functionality for group-based licensing is available through the Azure portal, and currently PowerShell and Microsoft Graph support is limited to read-only operations." https://docs.microsoft.com/sv-se/azure/active-directory/users-groups-roles/licensing-ps-examples I agree that this is a must-have for the future! Regards, Viktor