User Profile
woelki
Iron Contributor
Joined 6 years ago
Recent Discussions
Double entries in userCertificate avoids Hybrid Join
Hey guys, I have an interesting situation at a customer. He utilizes a third-party MFA provider while being on a federation. That means new computers will never have a registered state. For users it is mandatory that their clients have fulfilled the Hybrid Join to use M365 apps, which can be a real pain. So the Automatic-Device-Join task has to create the userCertificate on the on-premises computer object before it can be synchronized to Entra. Here comes the issue. In some cases we see that some computers will create two userCertificate entries. This situation will lead to an inconsistent Hybrid Join. I already tried to remove one of the certificates, but for me it is impossible to recognize which is the right one. The only solution for me was to remove both entries under userCertificate and let the Automatic-Device-Join task create a new one. Afterwards the Hybrid Join will work. I want to understand which process or scenario might create the double userCertificate entries?
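An added example, not part of the post above, for decoding the userCertificate values stored on a computer object so that the duplicate entries can be compared against the DeviceId the client itself reports with dsregcmd /status before anything is removed. It assumes the RSAT ActiveDirectory module is installed; the computer name CLIENT01 and the device ID are hypothetical, and the expectation that the hybrid join certificate's subject is CN=<device ID> is the documented behaviour of the self-signed device certificate.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory module;
# CLIENT01 and the device ID below are hypothetical values.
Import-Module ActiveDirectory

function Get-HybridJoinCertificate {
    param([Parameter(Mandatory)][string]$ComputerName)

    $computer = Get-ADComputer -Identity $ComputerName -Properties userCertificate
    # userCertificate is multi-valued: one DER-encoded certificate (byte[]) per entry.
    foreach ($der in $computer.userCertificate) {
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der)
        [pscustomobject]@{
            Computer   = $computer.Name
            Subject    = $cert.Subject            # hybrid join cert: CN=<device ID GUID>
            Thumbprint = $cert.Thumbprint
            NotBefore  = $cert.NotBefore          # creation time helps spot the older entry
            NotAfter   = $cert.NotAfter
            SelfSigned = ($cert.Subject -eq $cert.Issuer)
            Raw        = [byte[]]$der             # kept so a single value can be removed
        }
    }
}

# 1. List every certificate stored on the computer object.
$certs = Get-HybridJoinCertificate -ComputerName 'CLIENT01'
$certs | Select-Object Computer, Subject, Thumbprint, NotBefore, NotAfter, SelfSigned | Format-Table -AutoSize

# 2. On the client, 'dsregcmd /status' prints the DeviceId. The entry that belongs to the
#    current registration is the one whose subject is CN=<that DeviceId>.
$deviceIdFromClient = '11111111-2222-3333-4444-555555555555'   # hypothetical
$current = $certs | Where-Object { $_.Subject -eq "CN=$deviceIdFromClient" }
$stale   = $certs | Where-Object { $_.Subject -ne "CN=$deviceIdFromClient" }

# 3. Remove only the value(s) that do not match the device's current ID ...
foreach ($s in $stale) {
    Set-ADComputer -Identity 'CLIENT01' -Remove @{ userCertificate = $s.Raw }
}
# ... or, as the post describes, clear all values and let the Automatic-Device-Join task re-create one:
# Set-ADComputer -Identity 'CLIENT01' -Clear userCertificate
```

If neither subject matches the DeviceId from dsregcmd, the client has registered with a different ID than either stored certificate, and clearing the attribute (as in the post) is the cleaner option; remember that the change must then replicate and be picked up by the next Entra Connect sync cycle before the device object in Entra is consistent again.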

Allow password change only on VPN
Hey guys, currently I'm supporting a customer who has a lot of remote workers who are not often in the office. I realized that there are a lot of password issues. The cloud journey of the customer has just begun. So there is a hybrid setup, but Intune is not a topic yet. They have SSPR activated, and the users use different options to change their passwords, either with Ctrl + Alt + Del or directly via MySecurityInfo. Unfortunately this leads to having two passwords if the clients are not connected to VPN. So a reset password would affect M365 services and the on-premises infrastructure, but not the password of the local device, because this one would keep the cached device password while not having a connection to local AD. For sure you can solve this with an operational order and just tell the users that they should only change their password while being on VPN, but I would prefer to manage this with a technical solution. One idea would be to remove the password change feature for Ctrl + Alt + Del (hopefully via GPO) and add a Conditional Access policy which should only allow SSPR while being on VPN. It's just my personal brainstorming. Is this feasible, or how would you deal with this if your devices are not directly joined to Entra? Thanks in advance.

Hybrid confusion after linked mailbox deletion
Hey guys, I got a tricky one, hopefully I can explain it in the needed detail. So I'm in the project of consolidating several organizations into one forest, one domain. I'm just referring to company A and B, including target domain C. So company A has an Exchange hybrid deployment in a dedicated forest. The smaller company B (different forest) decommissioned their Exchange server and received linked mailboxes at company A. Not that complicated yet, but the admins have been confused now, because the linked mailbox accounts and the original accounts have been synchronized. Over the years the knowledge was lost. Now we are going to build up target domain C. The linked mailbox accounts of company B have been deleted. The original accounts and clients have been migrated to target C and the objects are synchronized with the most recent information to Entra. So now the mailboxes of company B cannot be managed in Exchange Online, because they are synchronized (the Consistency-Guid has been transferred), but the on-premises object does not have the proper Exchange information. I know in general you can execute Enable-Remotemailbox again on a provisioned mailbox in order to link it again to an on-premises object, but this only works in the forest where the local Exchange Server is homed. Is there an easier solution than deploying a second hybrid server in target C?

Improve user experience after client migration
Hi guys, hopefully this is the best hub, but as it is hybrid related I think this should match. I am currently migrating a customer where we are consolidating several AD domains into one. With Quest Migration Manager for AD we are moving accounts and clients. On the Quest side, everything works great so far, but we have some problems making the whole migration process even cleaner for the user. The user accounts are already pre-migrated and are not a problem. When the client is migrated, we just set an attribute on the user account so that AAD Connect knows that it should now synchronize it from the new domain. However, we have some problems with the client. The move to the new domain works cleanly and naturally, a lot of GPOs are now fetched from the new domain controllers. The biggest challenge, however, is the Workplace Join or the hybrid join. The device still has to be synced to the cloud, the user has of course just logged in and wants to work. However, the Workplace Join is not yet complete at this point and the user receives a lot of MFA pop-ups from the federated MFA provider Authpoint. It has been shown that if some time passes by and the user restarts again, the Workplace Join works and the user no longer receives multiple MFA auth requests. Have you had similar experiences with on-premises client migrations with M365 connection? Would it be best to prevent the Workplace Join in the new domain for the time being? Best regards, woelki

User object not synchronized anymore
Hey guys, we have one user object which seems not to sync anymore. Some days ago the sync was fine for the mailbox marketing@contoso.com. Then we migrated the mailbox from on-premises to EOL. Now we recognized that the default onmicrosoft email address changed; it is now marketing1234@contoso.onmicrosoft.com. I wondered about it, so I added marketing@contoso.onmicrosoft.com and marketing1234@contoso.onmicrosoft.com on-premises. I hoped it would sync and afterwards I can remove the unwanted address. AAD Connect shows no errors, the user object is still in the OU which is activated for sync. What would be the smoothest way to fix this? Kind regards, woelki

Role for managing Out-of-Office in admin center
Hey guys, we are just empowering our helpdesk to handle more tasks. We want them to set out-of-office replies in a smooth way. I know how to do this via PowerShell, OWA or the Exchange Admin Center. In Exchange the role "User Options" is needed for that. But this will not activate this option in the admin center. Is there a less privileged role than GA or Exchange admin which can manage this OOF setting? Kind regards, woelki

Partial offboarding - restrict file access
Hi there, we have a customer who wants to execute a partial offboarding for an employee. It looks like they want to split up with him, but the decision is not made yet. So they want to restrict the whole file access for him, but he should still be able to use email. He shall not be able to use OneDrive, Teams, SharePoint and so on. If I'm correct, if you disable OneDrive for him, other employees are still able to share files with him, right? So I guess the most important thing would be to remove the Office Online service plan. So he should not be able to open shared files. But to be on the safe side, we could simply remove everything excluding the Exchange Online plan, right? What do you think? Kind regards, woelki

Comfortable way to access local intranet
Hey guys, I have a very special question today. We are just onboarding a new customer to Office 365. He already owns a tenant and is synchronizing AD accounts. But the general O365 enrollment will not start before January 2020. But he is keen on evaluating Intune. He provided some requirements he wants to be able to manage. For example Exchange on-premises, which is partly possible. But the interesting thing is the intranet. Currently they are utilizing a Typo3 intranet and they are not planning to migrate this to SharePoint. Furthermore their current MDM solution XenMobile from Citrix is providing a sandbox. When the users start the sandbox application, a VPN connection is created automatically so that they are able to browse the intranet. I bet there are similar customer scenarios where they want to keep their intranet locally. What would be the best solution to enter their intranet in a smooth way? Kind regards, woelki

OATH hardware token - seed file upload processing
Hi there, I have some questions about the upload behaviour regarding OATH hardware token seed files. https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-oath-tokens#oath-hardware-tokens-preview I guess there is a lack of information. Is it possible to add a hardware token to several tenants? It seems that there will be no error, but it looks like while processing a newly uploaded file, the processing will not come to an end. Furthermore I'm wondering how additional new tokens should be added. Should I upload my CSV "master" file again with the new tokens added, or is it ok to upload a new file only with the new tokens? Nevertheless, I have not been able to upload further files. The notifications about the current processing status are not helpful; in most cases they show 0 failures, 0 success. Can anyone shed some light on this case? BTW: Some additional information I figured out. If you started the MFA registration via TAP (temporary access pass) via aka.ms/mysecuritysignins you are allowed to add a FIDO2 token directly without having a backup telephone number added. But you are always forced to have a backup phone number while having an OATH hardware token assigned, even if you are eligible to start the registration via TAP.

Use 3rd party federation Service with Microsoft conditional access?
Hi there, a customer of ours is in a pilot period of utilizing a 3rd-party federation service. To be exact, the FortiAuthenticator is installed on-premises and should handle the MFA process. So we already changed the domain status with Set-MsolDomainAuthentication to federated for a specific domain. The customer and we know that there are certain limitations regarding Conditional Access. But I don't find solid documentation about this. Is no Conditional Access possible at all, or just regarding Conditional Access policies enforcing MFA? The goal would be (if possible) that a user should meet the compliant device or hybrid joined device state after he authenticated with the FortiAuthenticator. Thanks in advance. Kind regards, woelki

Re: Updating unattended EWS scripts using modern auth
OK, as I have discovered, the PartnerAccessToken does not really work for EWS. It seems the only possibility is to use Get-MsalToken. But first of all it is interactive. How can I get it to run unattended?

```powershell
# Provide your Office 365 Tenant Id or Tenant Domain Name
$TenantId = "contoso.onmicrosoft.com"

# Provide Azure AD Application (client) Id of your app.
# You should have configured the Delegated permission "EWS.AccessAsUser.All" in the app.
$AppClientId = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"

# Acquire a delegated token with MSAL.PS (this prompts the user interactively)
$MsalParams = @{
    ClientId = $AppClientId
    TenantId = $TenantId
    Scopes   = "https://outlook.office.com/EWS.AccessAsUser.All"
}
$MsalResponse   = Get-MsalToken @MsalParams
$EWSAccessToken = $MsalResponse.AccessToken

# Load the EWS Managed API
Import-Module 'C:\Program Files\Microsoft\Exchange\Web Services\2.2\Microsoft.Exchange.WebServices.dll'

# Provide the mailbox id
$MailboxName = "email address removed for privacy reasons"

$Service = [Microsoft.Exchange.WebServices.Data.ExchangeService]::new()

# Use Modern Authentication
$Service.Credentials = [Microsoft.Exchange.WebServices.Data.OAuthCredentials]$EWSAccessToken

# Check EWS connection
$Service.Url = "https://outlook.office365.com/EWS/Exchange.asmx"
$Service.AutodiscoverUrl($MailboxName, { $true })
# EWS connection is Success if no error returned.
```

What I have done now:
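An added example, not from the reply above, showing the unattended variant of the same MSAL.PS flow: a client-credentials token obtained with a certificate instead of an interactive delegated sign-in. It assumes an app registration that holds the EWS application permission full_access_as_app (admin-consented) rather than the delegated EWS.AccessAsUser.All, MSAL.PS and the EWS Managed API on the host, and a certificate whose private key is in the local machine store; the thumbprint and mailbox address are hypothetical.

```powershell
# Added example, not from the original reply. Assumes MSAL.PS, the EWS Managed API DLL,
# an app registration with the application permission full_access_as_app, and a certificate
# (hypothetical thumbprint) whose private key sits in the machine store of the script host.
Import-Module MSAL.PS
Import-Module 'C:\Program Files\Microsoft\Exchange\Web Services\2.2\Microsoft.Exchange.WebServices.dll'

$TenantId    = 'contoso.onmicrosoft.com'
$AppClientId = 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
$Thumbprint  = '0000000000000000000000000000000000000000'   # hypothetical
$MailboxName = 'shared.mailbox@contoso.com'                  # hypothetical

function Get-EwsAppOnlyService {
    param(
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$ClientId,
        [Parameter(Mandatory)][string]$CertificateThumbprint,
        [Parameter(Mandatory)][string]$Mailbox
    )
    # The private key never leaves the machine store; no secret is stored in the script.
    $cert = Get-Item "Cert:\LocalMachine\My\$CertificateThumbprint"

    # App-only token: the .default scope on the EWS resource, no user interaction at all.
    $token = Get-MsalToken -ClientId $ClientId -TenantId $TenantId `
                           -ClientCertificate $cert `
                           -Scopes 'https://outlook.office365.com/.default'

    $service = [Microsoft.Exchange.WebServices.Data.ExchangeService]::new()
    $service.Credentials = [Microsoft.Exchange.WebServices.Data.OAuthCredentials]$token.AccessToken
    # App-only tokens cannot drive Autodiscover, so the EWS endpoint is set directly.
    $service.Url = 'https://outlook.office365.com/EWS/Exchange.asmx'
    # Impersonate the target mailbox and anchor the request to it.
    $service.ImpersonatedUserId = [Microsoft.Exchange.WebServices.Data.ImpersonatedUserId]::new(
        [Microsoft.Exchange.WebServices.Data.ConnectingIdType]::SmtpAddress, $Mailbox)
    $service.HttpHeaders.Add('X-AnchorMailbox', $Mailbox)
    return $service
}

$Service = Get-EwsAppOnlyService -TenantId $TenantId -ClientId $AppClientId `
                                 -CertificateThumbprint $Thumbprint -Mailbox $MailboxName

# Smoke test: bind to the Inbox. A result without an error means token and permissions work.
$inbox = [Microsoft.Exchange.WebServices.Data.Folder]::Bind($Service,
            [Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Inbox)
"Inbox of $MailboxName has $($inbox.TotalCount) items"
```

Because full_access_as_app covers every mailbox in the tenant, restrict the app in Exchange Online with New-ApplicationAccessPolicy (-AppId, -PolicyScopeGroupId pointing at a mail-enabled security group, -AccessRight RestrictAccess) and check the result with Test-ApplicationAccessPolicy. A fresh token is requested on every run, so nothing has to be cached or refreshed every 90 days.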

Updating unattended EWS scripts using modern auth
Hi there, a lot of possibilities about phasing out legacy authentication have been discussed here. But I still have a lack of information, or let's say I want to find the most comfortable and most secure possibility for my customers. Step-by-step guide for PowerShell usage even unattended, but only in the EXO V2 module. But if your scripts contain EWS connections you have to initialize a different way of authentication. So I found the following option using MSAL; unfortunately this does not work in unattended mode. Connect EWS API with Modern Authentication using PowerShell. And then there is the possibility of using the secure application model. Secure application model. I got this working now; the creation of the token for the first time has to be done interactively and the token only lasts for 90 days. I read the hint for securely saving the token to the Azure Key Vault, but how do I do this and how can I re-call this token? Is there even a better way of refreshing the token manually? Is this now the new go-to solution for unattended EWS scripts, or do you have an even better solution?

Work account not added automatically - SSO not working with ADFS
Hi there, we have a customer who has a synchronized AD. They use ADFS for authentication and SSO, but SSO does not seem to work smoothly. My guess is that the employees think SSO is working in some cases because they have saved cookies or active tokens. When I want to recreate the issue with a simple call of portal.office.com, I'm always redirected to the ADFS site URL and I have to enter the password. I checked the account information on the Windows 10 device and I cannot see an added work account. Shouldn't the Office 365 work account be added here automatically? So what is missing here? Kind regards, Christian

License needed for MFA with hardware token?
Hi there, a customer of ours wants to improve his MFA distribution. Therefore he wants to utilize hardware tokens, but there is no decision for TOTP or FIDO2 yet. Currently the customer utilizes Office 365 E3 licenses for the end users, and as the cloud strategy is not finally defined yet, he does not want to buy further "add-on" licenses. At present they have deployed basic MFA without Conditional Access. Is it possible to use any kind of hardware tokens without Azure AD Premium P1? Thanks in advance. Best regards, Christian

Re: Set FIDO2 minimum pin length in a hybrid environment
I can tell you something about what I have found out in the meantime. I had a chat with some 3rd-party manufacturers and it looks like the minimum PIN length or complexity depends on the FIDO sticks themselves. Unfortunately you cannot manage this with Microsoft built-in management tools. In most cases the standard FIDO sticks from all manufacturers are not able to do this, but the more expensive sticks with the FIPS industry standard will let you change your PIN requirements.

Export PST from Restore Database
Hi there, I have a critical export question regarding Exchange Server 2016. A customer of ours has been affected by a ransomware crypto attack. Unfortunately there was no backup and we started nearly from scratch. An Exchange hybrid has been created with one half of the users on-premises and the other half in EXO with empty mailboxes. Afterwards some non-encrypted databases have been found. We already set these to clean shutdown state and defined a first recovery process. For sure we can restore the mailboxes to the on-premises users directly. But what about the users which are now in EXO? Actually it is clear that we have to prepare PSTs which we can upload via AzCopy. But here is the pain point. It seems that there is no possibility to start a New-MailboxExportRequest with a source mailbox located on a restore DB. Please tell me there is a different way than restoring to a temp mailbox, then exporting to PST, then uploading to Azure and finally importing the PSTs into the EXO mailboxes. Kind regards, woelki

Supported firewall without delivering usernames?
Hi there, currently I'm struggling with the first tests in MCAS. I'm executing the tests in my DEV tenant or in a customer tenant. In both I have no possibility to use Defender for Endpoint. So I'm relying on the firewall logs. So I already tested the continuous log file upload via the log collector. But the results are never sufficient. I already found the troubleshooting guide for log parsing errors, but it is not helpful for an "internal error". But I wondered, why are there so many firewalls without having the usernames in the syslog being supported by MCAS? Supported firewalls and proxies. Shouldn't the username be one of the main criteria to visualize meaningful data in MCAS? If you are able to successfully upload firewall data without usernames, how do the results look? Kind regards, woelki

Set FIDO2 minimum pin length in a hybrid environment
Hi there, we have just established a successful pilot for FIDO2 security key usage with WHfB in a hybrid environment. The key which has been registered in Azure is able to authenticate the user on all cloud apps and at the Windows 10 login screen. For Windows Hello for Business we have used the Intune policy which requires a minimum PIN length of six characters (still default), but for our FIDO2 security key it is possible to generate a 4-digit PIN. So it seems the WHfB policy only affects the Windows 10 client, not the FIDO2 key. Is it possible to enforce a policy which improves the security key requirements? Kind regards, woelki

Receipt of teams notifications after quitting
Hey guys, a customer of ours has a strange problem with Teams notifications. Some users leave or switch teams, but they still receive email notifications about the different actions in the former team. For some of them we tried to rejoin the former team, turn off the notifications proactively and leave the team afterwards. Unfortunately with no change. How can we solve this behavior? Thanks in advance. Kind regards, woelki

Messagetracking for subject
Hey guys, long story short... I need to search emails with a specific subject. A customer of ours just received a bunch of phishing emails. Different senders, different IPs, different recipients, but all of them have the same subject. This is a regular case and I was always able to execute this search on-premises. Please don't tell me there is no possibility anymore in EXO for this. Kind regards, woelki
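An added example, not from the post above, of how the same subject search can be run against Exchange Online: Get-MessageTrace has no subject parameter, so the trace (which only covers the last 10 days) is paged and filtered client-side on the Subject property; anything older has to go through Start-HistoricalSearch. It assumes the ExchangeOnlineManagement module; the subject string and date window are hypothetical.

```powershell
# Added example, not from the original post. Assumes the ExchangeOnlineManagement module
# and a session opened with Connect-ExchangeOnline; subject and date window are hypothetical.
function Find-MessagesBySubject {
    param(
        [Parameter(Mandatory)][string]$Subject,
        [datetime]$StartDate = (Get-Date).AddDays(-2),
        [datetime]$EndDate   = (Get-Date)
    )
    # Get-MessageTrace returns at most 5000 rows per page; walk the pages until a short page comes back.
    $page = 1
    do {
        $batch = @(Get-MessageTrace -StartDate $StartDate -EndDate $EndDate -PageSize 5000 -Page $page)
        # Filter client-side: exact (case-insensitive) match on the subject the phishing wave used.
        $batch | Where-Object { $_.Subject -eq $Subject }
        $page++
    } while ($batch.Count -eq 5000)
}

Connect-ExchangeOnline
$hits = Find-MessagesBySubject -Subject 'Invoice 4711 is overdue'   # hypothetical subject
$hits | Select-Object Received, SenderAddress, RecipientAddress, FromIP, Status |
    Sort-Object Received | Format-Table -AutoSize

# Distinct sending IPs and senders are the input for block entries or a transport rule.
$hits.FromIP        | Sort-Object -Unique
$hits.SenderAddress | Sort-Object -Unique

# Beyond the 10-day message trace window, queue a historical search (results arrive as CSV):
# Start-HistoricalSearch -ReportTitle 'Phishing subject' -ReportType MessageTrace `
#     -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -NotifyAddress admin@contoso.com
```

Paging matters for this use case: a tenant-wide trace over two days can easily exceed one page, and a single unpaged call would silently miss hits. For the actual clean-up, the distinct recipient list is what a subsequent content search or purge would be scoped to.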