Hello Readers, due to Covid-19 Microsoft has been offering free online training for the AZ-900 exam. There have been a number of sessions in recent months and the uptake has been so high that Microsoft has now added more sessions throughout June, July and August:
Head over to the following URL where you can sign up for the events today.
This has been on my To-Do list for such a long time and, because of Covid-19, I have finally found the hours required to get this done. A while back I received two YubiKeys and never got around to testing them 🙁 naughty I know. So let’s look at Yubico;
Microsoft and Yubico have created a path to a passwordless future for organizations of all shapes and sizes, built on the FIDO2 and U2F standards, which Yubico co-authored with Microsoft and Google. Yubico became a founding member of the FIDO Alliance.
How does it all work, I hear you
The YubiKey supports multiple authentication methods, enabling the same key to be used across services and applications. Out-of-the-box native integration with the Microsoft environment makes for a rapid deployment. The sign-in flow works like this:
1. The user plugs the FIDO2 security key into their computer.
2. Windows detects the FIDO2 security key.
3. Windows sends an authentication request.
4. Azure AD sends back a nonce.
5. The user completes their gesture to unlock the private key stored in the FIDO2 security key’s secure enclave.
6. The FIDO2 security key signs the nonce with the private key.
7. A primary refresh token (PRT) request containing the signed nonce is sent to Azure AD.
8. Azure AD verifies the signed nonce using the FIDO2 public key.
9. Azure AD returns the PRT to enable access to on-premises resources.
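As an added illustration of the nonce challenge-response at the centre of the flow above (this is not code from the original post or from Microsoft), the following models both sides with the .NET ECDsa class in PowerShell. In reality the private key never leaves the security key's secure element; here both parties run in one process, and the nonce bytes are constructed.

```powershell
# Added illustration of steps 4-8 above, not the page's own code: a P-256 key pair stands
# in for the security key, and a second ECDsa object holding only the public half stands
# in for Azure AD. Runs in Windows PowerShell 5.1 (.NET 4.7+) and PowerShell 7.
$sha256 = [System.Security.Cryptography.HashAlgorithmName]::SHA256
$curve  = [System.Security.Cryptography.ECCurve+NamedCurves]::nistP256

# Registration: the authenticator creates the key pair; only the public parameters are
# handed to Azure AD (ExportParameters($false) omits the private scalar).
$authenticator       = [System.Security.Cryptography.ECDsa]::Create($curve)
$registeredPublicKey = $authenticator.ExportParameters($false)

# Step 4: Azure AD issues a fresh random nonce (32 constructed bytes).
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$nonce = [byte[]]::new(32)
$rng.GetBytes($nonce)

# Steps 5-6: after the user gesture, the key signs the nonce with its private key.
$signature = $authenticator.SignData($nonce, $sha256)

# Step 8: Azure AD verifies with nothing but the registered public key.
$azureAd = [System.Security.Cryptography.ECDsa]::Create()
$azureAd.ImportParameters($registeredPublicKey)
$valid = $azureAd.VerifyData($nonce, $signature, $sha256)
"Signature over the issued nonce verifies: $valid"

# Why the nonce exists: a captured signature does not verify against the next nonce,
# so replaying a recorded sign-in buys an attacker nothing.
$nextNonce = [byte[]]::new(32)
$rng.GetBytes($nextNonce)
$replayed = $azureAd.VerifyData($nextNonce, $signature, $sha256)
"Replayed signature verifies against a new nonce: $replayed"
```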
Microsoft has decided to run a number of full-day virtual training events on the fundamentals of Azure! This is excellent news for all those affected by Covid-19, as there is no excuse not to attend 🙂 also, by attending you will receive a free Microsoft exam voucher so you can take the AZ-900 exam from home.
The course details are as follows;
To create your vision for tomorrow, you need to understand what the cloud can do for you and your company today. Microsoft Azure Virtual Training Day: Fundamentals explains cloud-computing concepts, models, and services, covering topics such as public, private, and hybrid cloud as well as infrastructure as a service, platform as a service, and software as a service.
Common cloud concepts
Benefits of Azure
Strategies for transitioning to Azure cloud
Azure computing, networking, storage and security basics
Did you know that Enforce Cloud Password Policy for Password Synced Users exists, and that it is disabled by default? This means that any user you sync using Azure Active Directory Connect will not have a password expiration set against their account. This can be a nightmare for an organization with strict password policies.
So let’s switch it on and apply it to all your synced users.
First of all, you will need to run the following command after you have run Connect-MsolService
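The following is an added example (not the command from the original post) that switches the feature on and then reports, or with -Apply clears, the DisablePasswordExpiration flag on every synced user. It assumes the MSOnline module and an existing Connect-MsolService session; the function name is my own.

```powershell
# Added example, not the post's own command. Dry run by default; -Apply makes changes.
function Set-SyncedUserPasswordExpiry {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Apply)

    # Tenant-wide switch (off by default, as noted above); the cmdlet prompts to confirm
    if ($Apply -and $PSCmdlet.ShouldProcess('tenant', 'Enable EnforceCloudPasswordPolicyForPasswordSyncedUsers')) {
        Set-MsolDirSyncFeature -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers -Enable $true
    }
    $feature = Get-MsolDirSyncFeatures -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers
    Write-Verbose "EnforceCloudPasswordPolicyForPasswordSyncedUsers enabled: $($feature.Enabled)"

    # Azure AD only drops DisablePasswordExpiration from a synced user at that user's next
    # password-hash sync; clearing it here brings existing users under the policy now.
    Get-MsolUser -All -Synchronized |
        Where-Object { $_.PasswordPolicies -match 'DisablePasswordExpiration' } |
        ForEach-Object {
            $action = 'WouldClear'
            if ($Apply -and $PSCmdlet.ShouldProcess($_.UserPrincipalName, 'Set PasswordPolicies None')) {
                Set-MsolUser -UserPrincipalName $_.UserPrincipalName -PasswordPolicies None
                $action = 'Cleared'
            }
            [pscustomobject]@{ UserPrincipalName = $_.UserPrincipalName; Action = $action }
        }
}

# Report first; rerun with -Apply once the list of affected users looks right
Set-SyncedUserPasswordExpiry -Verbose
```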
Delivering your corporate applications can be a nightmare if you don’t have an enterprise delivery solution such as System Center or a third-party mechanism.
So let’s see how Azure Blob Storage and Microsoft Intune can address this issue using a storage location and a PowerShell script.
Azure Storage Account
One of the requirements for this solution is an Azure Storage Account within your Azure subscription. This account will be used to store the applications you would like to roll out to the Windows 10 desktops managed by Microsoft Intune.
Specify the required settings within the Basic tab for creating a Storage Account.
Using the default settings as shown below
Click Review and Create, then click Create.
Configuring Storage Account with required Applications
Click Container, specify the Name, and select Container (anonymous read access for containers and blobs) under Public Access Level.
Select your container, select Upload, select the files you want to upload, modify the block size if it is less than the size of the files you are uploading, then select Upload.
Once the files are uploaded they each have a unique URL which is used to identify the file, as shown below.
The PowerShell Script!!!
I have created a PowerShell script that is available on GitHub and should be self-explanatory.
Step 1 – Download all the required files into C:\_Build
Step 2 – Run installer files
Step 3 – Run additional PowerShell scripts (Optional)
Step 4 – Remove C:\_Build
Step 5 – Create RegKeys (Optional)
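As an added example (not the GitHub script referred to above), the following covers steps 1, 2 and 4 and adds one check the anonymous-read container makes worthwhile: each download is compared against the SHA256 recorded when the blob was published, so a swapped or corrupted blob is never executed. The storage account name, file names, hashes and installer switches are constructed placeholders.

```powershell
# Added example, not the post's GitHub script. Placeholders in angle brackets are yours to fill.
$build = 'C:\_Build'
$packages = @(
    @{ Url = 'https://<storageaccount>.blob.core.windows.net/apps/7zip.msi'
       Sha256 = '<sha256 recorded when 7zip.msi was uploaded>'; Args = '/qn /norestart' }
    @{ Url = 'https://<storageaccount>.blob.core.windows.net/apps/agent.exe'
       Sha256 = '<sha256 recorded when agent.exe was uploaded>'; Args = '/S' }
)

New-Item -Path $build -ItemType Directory -Force | Out-Null
try {
    foreach ($p in $packages) {
        # Step 1: download into C:\_Build
        $file = Join-Path $build (Split-Path $p.Url -Leaf)
        Invoke-WebRequest -Uri $p.Url -OutFile $file -UseBasicParsing

        # Integrity gate: the container is world-readable, so trust the pinned hash, not the URL
        $actual = (Get-FileHash -Path $file -Algorithm SHA256).Hash
        if ($actual -ne $p.Sha256.ToUpper()) {
            throw "Hash mismatch for $file (got $actual); refusing to install"
        }

        # Step 2: run the installer silently; MSI packages go through msiexec
        if ($file -like '*.msi') { $exe = 'msiexec.exe'; $argList = "/i `"$file`" $($p.Args)" }
        else                     { $exe = $file;         $argList = $p.Args }
        $proc = Start-Process -FilePath $exe -ArgumentList $argList -Wait -PassThru
        # 3010 = success, reboot required; anything else is surfaced to Intune as a failure
        if ($proc.ExitCode -notin 0, 3010) { throw "$file exited with code $($proc.ExitCode)" }
    }
}
finally {
    # Step 4: always remove the staging folder, even when an install failed
    Remove-Item -Path $build -Recurse -Force -ErrorAction SilentlyContinue
}
```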
Did you know that you can prevent unauthorized access to your Microsoft cloud applications with Conditional Access? When speaking with a customer recently I was asked whether it is possible to prevent external access to their cloud apps, and the answer is yes. The customer didn’t want their staff accessing corporate data from their home laptops/desktops, so to action this we will now switch over to the Microsoft Endpoint Manager admin portal.
In recent times I have become a bit of an “expert” (I use that word loosely) on Windows 10. Hybrid Azure AD Join is becoming a very popular option for a lot of the clients I am currently working with, and it pops up all the time in discussions about “Modern Management” of Windows 10. I have experienced a few highs and lows when implementing Hybrid Azure AD Join and want to share the knowledge I have gained over the past 6 months.
What is Hybrid Azure AD Join?
Hybrid Azure AD Join is where your Windows 10 device is connected to your local Active Directory Domain and synchronized using Azure Active Directory Connect (AADC) to Azure AD.
Why would you do this?
This enables you to manage your Windows 10 devices from Microsoft Intune and leverage what the cloud offers. Most organizations today have the Microsoft subscriptions required to implement Microsoft Intune but are unaware of how to start their journey.
What do I need for Hybrid Azure AD Join in a Managed Domain?
Azure Active Directory Connect version 1.1.819 or greater
Devices must be able to connect to the following URLs
All Computer Objects from your on-premises Active Directory must be within the sync scope
A Service Connection Point (SCP) is created for device registration (completed by running AADC)
Implementing Hybrid Join for your organization
We are now going to run through the steps required to gear up your environment for Hybrid Join. First of all we are going to create the SCP using AADC. When you launch AADC you will see “Configure device options”; select this option and proceed.
In this section you will see the following overview of what can be configured; in this case we are looking at Hybrid Azure AD Join only.
Hybrid Azure AD Join enables devices in your Active Directory forest to register with Azure AD for access management. Computers in your organization will automatically discover Azure AD using a service connection point (SCP) object that is created in your Active Directory Forest.
Device writeback is a prerequisite for enabling on-premises conditional access using AD FS and Windows Hello for Business. Device writeback synchronizes all devices registered in Azure AD back to on-premises. The devices are synchronized to a device container that is created in your Active Directory forest.
Device writeback requires the Active Directory Schema version to be Windows 2012 R2 (level 69) or higher
You can confirm that the SCP has been created by launching ADSI Edit and browsing to the location shown below.
Now that we have configured Active Directory, we need to create a new GPO that configures the Windows 10 device to auto-enroll into Azure AD. First of all we need the correct GPO templates installed in your SYSVOL; these templates can be downloaded from the URL below.
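As an added check (not part of the original post), the same confirmation can be scripted with the ActiveDirectory module, which also lets you verify that the SCP's keywords name the tenant you intended before the GPO is rolled out. The container name used is the well-known value Microsoft documents for device registration; the function name and the sample tenant name are my own.

```powershell
# Added check, not the post's own code: read the SCP that AADC created and compare its
# tenant keywords with what you expect. Requires the ActiveDirectory module (RSAT).
function Get-HybridJoinScp {
    param([Parameter(Mandatory)][string]$ExpectedTenantName)   # e.g. contoso.onmicrosoft.com

    $config = (Get-ADRootDSE).configurationNamingContext
    # Well-known device registration container documented by Microsoft
    $scpDn  = "CN=62a0ff2e-97b9-4ad1-a4b8-0e8bfad2a9c4,CN=Device Registration Configuration,CN=Services,$config"
    $scp    = Get-ADObject -Identity $scpDn -Properties keywords -ErrorAction Stop

    # keywords carries "azureADName:<tenant name>" and "azureADId:<tenant id>"
    $name = ($scp.keywords | Where-Object { $_ -like 'azureADName:*' }) -replace '^azureADName:'
    $id   = ($scp.keywords | Where-Object { $_ -like 'azureADId:*' })   -replace '^azureADId:'

    [pscustomobject]@{
        DistinguishedName = $scp.DistinguishedName
        TenantName        = $name
        TenantId          = $id
        MatchesExpected   = ($name -eq $ExpectedTenantName)   # devices register where this points
    }
}

Get-HybridJoinScp -ExpectedTenantName 'contoso.onmicrosoft.com'   # constructed tenant name
```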
This post will explain how to merge an on-premises AD user object with an existing Azure AD user using a hard match on the sourceAnchor/immutableID property. I recently experienced this with a customer who was merging their contoso.com addresses into their fabrikam.com Azure AD accounts.
As you can imagine this isn’t a simple process, but with the power of PowerShell and a good old-fashioned “I can” attitude, this merger was a complete success.
Before we continue I would like to state that there are two methods Azure AD Connect uses to match existing users:
– Soft-Match
– Hard-Match
When you install Azure AD Connect and start synchronizing, the Azure AD sync service (in Azure AD) checks every new object and tries to find an existing object to match. There are three attributes used for this process: userPrincipalName, proxyAddresses, and sourceAnchor/immutableID.
Soft-Match will use the properties userPrincipalName and proxyAddresses to match existing users.
Hard-Match will use the property sourceAnchor/immutableID. You can only select which property is used as sourceAnchor during the installation of Azure AD Connect as described in their documentation.
If the selected sourceAnchor is not of type string, Azure AD Connect Base64-encodes the attribute value to ensure no special characters appear.
By default, Azure AD Connect (version 1.1.486.0 and older) uses objectGUID as the sourceAnchor attribute. ObjectGUID is system-generated.
So we only have to set the immutableID property of the existing user in Azure AD to the Base64-encoded objectGUID of the user in our on-premises AD. If you have already synchronized your Active Directory then you probably have two users with the same name in your Azure AD. Just follow these steps to finally merge these users:
You have to execute the following PowerShell commands on a machine with access to your on-premises AD, and the Azure PowerShell commands via the Azure Cloud Shell.
In my scenario, I had a customer where the email address on the Active Directory account didn’t match the PrimarySMTPAddress in Azure AD; however, the PrimarySMTPAddress in Exchange was correct. So I needed to match both objects using the PrimarySMTPAddress from Exchange and Azure to set the ImmutableID. I created a PowerShell script to gather the PrimarySMTPAddress from Exchange along with the required information from Active Directory.
If you have synced users and have duplicate accounts you will need to remove these before continuing. A simple way of doing this is to change the OU you have synced which caused the duplicates, or you can use the Azure Portal.
But if you love PowerShell the following command is also possible.
Remove-AzureADUser -ObjectId <objectid>
3. Get Azure AD User ObjectID
One of the key requirements for this post is that we require the ObjectID of the Azure Active Directory account we are looking to match against. The following PowerShell command prints a list of all users with their ObjectId and exports to your desktop.
Set-AzureADUser -ObjectId $user.ObjectId -ImmutableId $user.ImmutableID
Write-Host $user.PrimarySMTPAddress, "with ObjectID", $user.ObjectId, "has been set with ImmutableID", $user.ImmutableID
6. Start AD Sync
You can now resync the OUs which held all the user accounts, and hard matching will be completed using the newly set ImmutableID.
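The matching and encoding steps described in this post, as an added example that is not the original script: it derives each on-premises user's ImmutableID from its objectGUID (Base64 of the raw 16 bytes, as Azure AD Connect does) and pairs it with the Azure AD user whose primary SMTP address matches. The two input sets are constructed here; live they would come from Get-ADUser and Get-Mailbox on one side and Get-AzureADUser on the other. Nothing is written until $Apply is set to $true.

```powershell
# Added example, not the post's script. Sample data is constructed; function names are mine.
function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    # AAD Connect Base64-encodes the 16 raw GUID bytes, not the GUID's string form
    [System.Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function Get-HardMatchPlan {
    param($OnPremUsers, $AzureUsers)
    foreach ($u in $OnPremUsers) {
        # The primary address is the upper-case "SMTP:" entry in proxyAddresses (case-sensitive)
        $hits = @($AzureUsers | Where-Object { $_.ProxyAddresses -ccontains "SMTP:$($u.PrimarySMTPAddress)" })
        [pscustomobject]@{
            SamAccountName     = $u.SamAccountName
            PrimarySMTPAddress = $u.PrimarySMTPAddress
            ObjectId           = if ($hits.Count -eq 1) { $hits[0].ObjectId } else { $null }
            ImmutableID        = ConvertTo-ImmutableId $u.ObjectGuid
            Status             = switch ($hits.Count) { 0 { 'NoMatch' } 1 { 'Ready' } default { 'Ambiguous' } }
        }
    }
}

# Constructed on-premises export (objectGUID plus the Exchange PrimarySMTPAddress)
$onPrem = @(
    [pscustomobject]@{ SamAccountName = 'jdoe';   ObjectGuid = [guid]'3f2b2b2c-9a8e-4f2a-8f2d-1b2c3d4e5f60'; PrimarySMTPAddress = 'john.doe@contoso.com' }
    [pscustomobject]@{ SamAccountName = 'asmith'; ObjectGuid = [guid]'0a1b2c3d-4e5f-6071-8293-a4b5c6d7e8f9'; PrimarySMTPAddress = 'ann.smith@contoso.com' }
)
# Constructed Azure AD export; ann.smith has no cloud account yet, so she reports NoMatch
$azure = @(
    [pscustomobject]@{ ObjectId = '11111111-2222-3333-4444-555555555555'; UserPrincipalName = 'john.doe@fabrikam.com'
                       ProxyAddresses = @('SMTP:john.doe@contoso.com', 'smtp:john.doe@fabrikam.com') }
)

$plan = Get-HardMatchPlan -OnPremUsers $onPrem -AzureUsers $azure
$plan | Format-Table -AutoSize

# Apply only the unambiguous matches (run Connect-AzureAD first)
$Apply = $false
if ($Apply) {
    foreach ($m in $plan | Where-Object Status -eq 'Ready') {
        Set-AzureADUser -ObjectId $m.ObjectId -ImmutableId $m.ImmutableID
    }
}
```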
Leveraging your Azure subscription for Microsoft Intune massively reduces the requirements for on-premises infrastructure. In this post I will show you how to use Azure Blob Storage to provide the Lock Screen and Desktop background all with the power of the Microsoft Cloud.
First up you will need to create a storage account within your Azure subscription.
Specify the following:
– Resource Group
– Storage Account Name
– Location: (Europe) UK South
Once the storage account has been successfully created, go to the resource.
Go to “Containers”, create a new “Container”, specify the name of the container, specify the Public Access level as “Blob”, then click OK.
Click on your new “Container”
Click Upload and upload your required .jpg file.
Click on the uploaded file and you will be provided with a URL which can be used.
Provide the URL in the required destination, for example Lock Screen as shown below.
As you can see below, my Lock Screen and Desktop backgrounds are what I have specified.
In this example I have a local Active Directory with AAD Connect installed in one of the Azure regions, which syncs users and password hashes to Office 365. I have now decided to migrate authentication from local Active Directory to Office 365 and decommission on-premises Active Directory.
In order to transition from on-premises “Synced Identity” to “In Cloud Identity”, we will need to complete the following process.
When deactivating Directory Sync it may take up to 72 hours before it can be re-enabled, depending on the size of your production network. All users will keep their current password, but all synchronized objects are removed from Azure AD, so please keep this in mind.
To check whether you can re-enable Directory Sync you will need to run Get-MsolCompanyInformation. This shows the detailed information, and the last four fields are the most important in this scenario, as they indicate whether Directory Sync can be re-enabled (the status is False): DirectorySynchronizationEnabled, LastDirSyncTime, LastPasswordSyncTime, PasswordSynchronizationEnabled
In my scenario, Directory Sync was able to be reactivated after 8 hours. The customer I was working with accepted the potential risk in order to complete this work.
Sign into the AAD Connect Server and Sync the Delta
The following command performs a sync of all AD objects before attempting to convert them to Cloud Only.
Turn off AAD Connect Sync
The following command turns off the Azure Active Directory connector while we perform the following tasks. In this post I have outlined all the steps which can be taken to convert AD user accounts into Cloud Only.
Set-MsolDirSyncEnabled -EnableDirSync $false
Convert Single User to Cloud Only
The following command converts a single user into a Cloud Only account.
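The whole sequence of this post, as an added example that is not the original's own commands: it waits for DirectorySynchronizationEnabled to report False (polling Get-MsolCompanyInformation, which can take hours) before any user is converted, then clears a user's ImmutableId to make the account cloud-only. It assumes the MSOnline module with Connect-MsolService already run, that the delta sync was triggered on the AAD Connect server beforehand, and that the UPN is a constructed sample; the function names are mine.

```powershell
# Added example, not the post's own commands. Dependencies: MSOnline, Connect-MsolService done.

# Step 1 runs on the AAD Connect server (ADSync module), not in this session:
#   Start-ADSyncSyncCycle -PolicyType Delta

# Step 2: disable directory sync for the tenant (-Force skips the confirmation prompt)
Set-MsolDirSyncEnabled -EnableDirSync $false -Force

# Step 3: converting users before the tenant reports sync disabled fails, so poll first
function Wait-ForDirSyncDisabled {
    param([int]$PollMinutes = 15, [int]$TimeoutHours = 72)   # 72 h is the documented worst case
    $deadline = (Get-Date).AddHours($TimeoutHours)
    do {
        $info = Get-MsolCompanyInformation
        if (-not $info.DirectorySynchronizationEnabled) { return $info }
        Write-Verbose "Sync still enabled (last sync $($info.LastDirSyncTime)); sleeping $PollMinutes min"
        Start-Sleep -Seconds ($PollMinutes * 60)
    } while ((Get-Date) -lt $deadline)
    throw 'Directory sync still enabled after timeout; do not convert users yet'
}
$state = Wait-ForDirSyncDisabled -Verbose
$state | Select-Object DirectorySynchronizationEnabled, LastDirSyncTime,
                       LastPasswordSyncTime, PasswordSynchronizationEnabled

# Step 4: convert one synced user by clearing ImmutableId, then read it back to confirm.
# Loop over Get-MsolUser -All -Synchronized to convert every remaining synced account.
function ConvertTo-CloudOnlyUser {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    Set-MsolUser -UserPrincipalName $UserPrincipalName -ImmutableId "$null"
    Get-MsolUser -UserPrincipalName $UserPrincipalName |
        Select-Object UserPrincipalName, ImmutableId, LastDirSyncTime   # ImmutableId now empty
}
ConvertTo-CloudOnlyUser -UserPrincipalName 'john.doe@contoso.com'   # constructed UPN
```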
All that is left now is to log in as one of the converted users to prove single sign-on is working, and to log on to Office 365 as a Global Admin to check that the sync status of the users shows a pretty cloud for “In-Cloud”.