or don't run scripts that require elevated permissions in user environments
Jun 10, 2024 19:43
Ugh yeah the deprecation of the msonline PS commands and only allowing graph api calls has been a nightmare. Just getting a list of users with a filter has been troublesome and commands that are supposed to work return nothing. Not to mention the ps app needing admin consent.
> Submarine Sandpaper posted: Giving the help desk access to the CLI instead of converting the MSO script that cleared the 2fa for a user is not really helpful.

az cli has like a dozen authentication options, including WAM which might allow for:

> Thanks Ants posted: Could you put the keys into the windows credential store using your MDM platform per user and have your script refer to this?

my preference for this kind of thing is to have the scripts run remotely, and just provide an interface to trigger them using whatever task running tool you want from ADO to rundeck to whatever
> ptier posted: This is what we have ended up doing. Little boilerplate in the beginning of the script. The only thing I don't like / makes me not put it in "the wild" is that the secret is in the script. Could do a new one for each person... but we are transitioning to an integration platform where we are just going to turn all the scripts into forms. It's a long process but will get us further away from day to day powershell, which I find a bonus for all of our helpdesk staff unless they want to play and then they can learn with some training wheels.

> The Fool posted: az cli has like a dozen authentication options, including WAM which might allow for:
> Aunt Beth posted: We’ve moved towards institutionalizing the day to day powershell in Powershell Universal UIs, it’s such an extensible platform for $500/year we get so much value out of it

That is really cool! Wish I had seen that like 5 years ago. For us, we have so many integrations we need to make between a ton of different systems an integration platform was the next step for us and using powershell to do advanced processing in AD was the main thing we need it for.
It’s so good. And the scheduling engine it incorporates is so much better than task scheduler. Plus being able to create API endpoints has been very valuable too, we use it a lot to more or less function as a SQL stored procedure, you call the endpoint, pass it URL parameters, it runs a DB query using MSSQL powershell and returns JSON. But the UI I built that allows group and role management and other level 0/1 task delegation across both our on prem AD and Azure AD has been by far the most valuable.
> Boogalo posted: Ugh yeah the deprecation of the msonline PS commands and only allowing graph api calls has been a nightmare.

I hate it all so much. A “solution” to a nonexistent problem.
> ptier posted: This is what we have ended up doing. Little boilerplate in the beginning of the script. The only thing I don't like / makes me not put it in "the wild" is that the secret is in the script. Could do a new one for each person... but we are transitioning to an integration platform where we are just going to turn all the scripts into forms. It's a long process but will get us further away from day to day powershell, which I find a bonus for all of our helpdesk staff unless they want to play and then they can learn with some training wheels.

Can’t you keep the secret in Azure key vault then call it securely from your script with headless auth to lessen issues with having the secret in the script?
yes you can
> tehinternet posted: Can’t you keep the secret in Azure key vault then call it securely from your script with headless auth to lessen issues with having the secret in the script?

Yes, and now I know a thing. I will admit I did not dig into it much just because it was not going to be the solution we used anyways. So, yea, don't pay attention to the goon behind the curtain.
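One way to do what tehinternet suggests, as an added example that is not code from the thread: the script pulls the app registration's client secret from Key Vault at run time rather than carrying it in the .ps1. Module and cmdlet names are the real Az / Microsoft.Graph ones; the vault, secret, tenant and app id values are placeholders.

```powershell
# Added example (not from the thread): keep the app secret in Azure Key Vault and
# fetch it at run time, so nothing sensitive is embedded in the helpdesk script.
# Vault, secret, tenant and app id values below are placeholders.
Import-Module Az.Accounts, Az.KeyVault, Microsoft.Graph.Authentication

function Connect-GraphWithVaultSecret {
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $SecretName,
        [Parameter(Mandatory)] [string] $TenantId,
        [Parameter(Mandatory)] [string] $ClientId,
        # Use the host's managed identity (Azure VM, Automation, etc.) for a truly
        # headless run; otherwise fall back to device-code sign-in for the caller.
        [switch] $UseManagedIdentity
    )

    if ($UseManagedIdentity) {
        Connect-AzAccount -Identity | Out-Null
    } else {
        Connect-AzAccount -UseDeviceAuthentication | Out-Null
    }

    # Who may read this secret is now decided by Key Vault RBAC (e.g. the
    # "Key Vault Secrets User" role), and each read shows up in the vault's
    # audit logs, instead of being decided by who has a copy of the .ps1 file.
    $secret = Get-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName
    if (-not $secret) { throw "Secret '$SecretName' not found in vault '$VaultName'." }

    # Keep the value as a SecureString; Connect-MgGraph accepts it inside a
    # PSCredential whose user name is the app (client) id.
    $cred = New-Object System.Management.Automation.PSCredential($ClientId, $secret.SecretValue)
    Connect-MgGraph -TenantId $TenantId -ClientSecretCredential $cred -NoWelcome
}

# Placeholder values; replace with your own.
Connect-GraphWithVaultSecret -VaultName 'kv-helpdesk-example' -SecretName 'graph-app-secret' `
    -TenantId '00000000-0000-0000-0000-000000000000' -ClientId '11111111-1111-1111-1111-111111111111'
```

Rotating the secret then means updating one Key Vault entry, not redistributing scripts.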
Is it recommended to have an M365 global administrator that is excluded from conditional access policies with a strong password that never logs in and is just there in case you lock yourself out? Secondly, do you still use a separate admin account if you're using MFA and CA?
> kiwid posted: Is it recommended to have an M365 global administrator that is excluded from conditional access policies with a strong password that never logs in and is just there in case you lock yourself out?

Yes, this is called a break-glass account and is usually tied to some alerting so that a bunch of alarms go off if it ever gets used.

> quote: Secondly, do you still use a separate admin account if you're using MFA and CA?

Yes. Fairly standard separation of concerns. Separate privileged accounts should also have MFA and CA.
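The alerting half of that answer, as an added example that is not code from the thread: a Graph PowerShell check that returns every sign-in event (successful or failed) for the break-glass accounts in the last few minutes, for a scheduled task to raise an alarm on. The UPNs are placeholders; the cmdlets and properties are the real Microsoft.Graph.Reports ones.

```powershell
# Added example (not from the thread): find any sign-in by a break-glass account
# in the last N minutes so it can be raised as an alert. UPNs are placeholders.
Import-Module Microsoft.Graph.Authentication, Microsoft.Graph.Reports

function Get-BreakGlassSignIn {
    param(
        [Parameter(Mandatory)] [string[]] $BreakGlassUpn,
        [int] $LookbackMinutes = 15
    )

    # Graph expects an ISO 8601 UTC timestamp in the filter.
    $since = (Get-Date).ToUniversalTime().AddMinutes(-$LookbackMinutes).ToString('yyyy-MM-ddTHH:mm:ssZ')

    foreach ($upn in $BreakGlassUpn) {
        # Escape a single quote in the UPN for OData (unlikely, but cheap).
        $safeUpn = $upn.Replace("'", "''")
        $filter  = "userPrincipalName eq '$safeUpn' and createdDateTime ge $since"

        # For these accounts any attempt at all, successful or failed, is worth an alarm.
        Get-MgAuditLogSignIn -Filter $filter -All | ForEach-Object {
            [pscustomobject]@{
                When      = $_.CreatedDateTime
                User      = $_.UserPrincipalName
                App       = $_.AppDisplayName
                IpAddress = $_.IpAddress
                CaStatus  = $_.ConditionalAccessStatus
                Outcome   = if ($_.Status.ErrorCode -eq 0) { 'Success' } else { "Failed: $($_.Status.FailureReason)" }
            }
        }
    }
}

# Delegated sign-in for an interactive check; a scheduled run would use app-only
# auth (certificate) with the application permission AuditLog.Read.All instead.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All' -NoWelcome

$hits = Get-BreakGlassSignIn -BreakGlassUpn 'bg-admin-1@contoso.example', 'bg-admin-2@contoso.example'
if ($hits) {
    # Hand off to whatever pages you: mail, a Teams webhook, a ticket, etc.
    $hits | Format-Table -AutoSize
    Write-Warning "Break-glass account activity detected: $($hits.Count) sign-in event(s)."
}
```

Because the accounts are excluded from conditional access, this log-based check is the only signal you get that they were touched, so schedule it more often than the lookback window.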
I have:

- standard synced account (t2)
- elevated synced account with local windows admin on servers and sql and access to some azure resources (t1)
- GA cloud only account (t0) unsynced to M365
- AD domain admin account (t0)
- test admin (t1)
- test standard (t2)

exclude from conditional access sure, but leave MFA on if possible and have alerts on it. I would have to doublecheck our break glass M365 GA unsynced (t0) accounts, I believe they are MFA on but we multi registered our MS authenticators so both my boss and I can get in. There are two accounts. We have an alert on them that pings us if they get logged into at all. I do not remember where the password is, I should check.

Hybrid AD/exchange is fun

Oh yeah this doesn't count our 2nd prod tenant for a specific thing and the dev tenant

Boogalo fucked around with this message at 02:30 on May 14, 2024

How do you have MFA enabled on an account without CA? I think I tried this today with a test account and it still logs in without prompting MFA. Do you use the legacy per-user MFA to enforce it?

edit: also holy poo poo that's a lot of accounts.
You can set a MFA tenant security policy and/or set on the user object iirc.
I have:

- Standard user account, has MFA, no elevated permissions
- Cloud admin account, has MFA, has contributor on all of our subscriptions plus admin access on a couple of external services, can PIM for User Admin, Application Admin, and Role Admin
- Domain admin, no mfa but requires a jump box, not synced to entra, but I only need to use this like once a year

With PIM and CA, I definitely look sideways at environments with a bunch of distinct accounts these days.
In the past I've seen GA without any CA but I think that's.... not wise. If anything, two GA break-glass accounts with MFA using a FIDO2 key (a YubiKey with PIN) is perfect.
Next question. Does anyone use device filtering in conditional access policies? If so, am I supposed to use the Device ID or the Object ID? The policy says "DeviceID", but it didn't work until I added the Object ID.
Not an answer to your question, but when working with application registrations and enterprise apps I can never keep straight if I'm supposed to use the application id, or the object id of the application registration or the enterprise app. It feels like it's different every time and the documentation isn't clear.
Never mind, I removed the Object ID and it was still working. I then removed the Device ID and it stopped working. I added back the Device ID and it started working again. Seems it was one of those things where I should have waited 15 minutes for the change.

> The Fool posted: Not an answer to your question, but when working with application registrations and enterprise apps I can never keep straight if I'm supposed to use the application id, or the object id of the application registration or the enterprise app. It feels like it's different every time and the documentation isn't clear.

I agree, I've been developing an intranet app that uses M365 oauth/saml and there are actually 3 IDs. Application, Object, and Tenant. I was using the wrong ID combinations for a little bit. Confusing.
"Waiting 15 minutes" is always the way with a lot of this M365 stuff. Especially when you're doing stuff in Teams and PSTN.
> Thanks Ants posted: "Waiting 15 minutes" is always the way with a lot of this M365 stuff. Especially when you're doing stuff in Teams and PSTN.

We call it "cloud time" around these parts. Especially with Intune and waiting for policies to apply. Out of 16 PCs, 12 will do it right away and then 4 will take like half a day because CLOUD TIME!
Found that with Exchange Online authentication policies, sometimes you make the policy change a few minutes before it's due to refresh anyway, other times it takes four hours.
Has anyone here actually deployed Copilot for Microsoft 365 or had their end users actually use all the fancy new AI stuff? Or Teams Premium? Was it worth it? How did it go?
This is probably a really stupid question, but I am fumbling my way through Power Automate for the first time in conjunction with Microsoft Forms, also for the first time. I am doing this for another group because they don't know how, because I am an idiot.

Basically, I need users to fill out a form, and then I need to email the responses in the form to an email address. I do not particularly care about the formatting of the response data, it will be read by a human. This seems like a very basic use case, but for some reason I seem to be the only person on Earth trying to do this. If that is because this is a stupid way to do what I need, I am happy to hear suggestions for alternatives as well. Most of what I see available is just to let you know that someone answered your form, which is not what I need. I do not care about persistence of any of this data past the email.

I need a single form to handle a few types of requests, which is easy enough to do in Forms with branching. (They do not have a table widget, which seems really weird to me, but I can live with a bunch of text fields even though I hate it.) So you choose the type of request you need to make, you enter the details, and you click Submit, and you never see any of the other stuff in the form that you didn't choose. This part works fine.

Currently what I have rigged up, which does not work, is the flow "Send an email to responder when response submitted in Microsoft Forms." After a few false starts, it seemed to like what I had done and didn't pre-report any errors. The flow consists of [When a new response is submitted] -> [Get response details] -> [Condition True] -> [Send an email (V2)]. (There is also a "Condition False" branch with no actions, I have no idea why that exists.) When I test the form, the flow fails with the error "Attachment content cannot be null or empty." Okay, I mean, I understand that it is expecting an attachment and not getting one, but I have no idea how to fix that.

I would think that the issue lies in the "Get response details" step, but I have zero familiarity with this and no idea what it should look like. The default, once the form is selected, is "triggerOutputs()?['body/resourceData/responseId']". That seems reasonable enough to me, it looks like it gets the data from the form. The weird part of this is that this is a publicly available flow template, featured prominently, yet it doesn't do what it says on the label. I'm happy to make whatever adjustments I need, but I'm completely at sea.
> Gucci Loafers posted: Has anyone here actually deployed Copilot for Microsoft 365 or had their end users actually use all the fancy new AI stuff? Or Teams Premium?

Out of a customer base of around 200, we've had one enquiry about Copilot and they went off the idea when they learned that they'd have to commit to a year and pay up-front for it. We've had a couple of people ask about Teams Premium for the meeting recap feature but I sort of think if you cannot attend all the meetings you're being invited to or have so many that there's no time to take notes and deal out action points then it's a problem you need to solve by having fewer meetings.

The MS partner briefings about Copilot in all its various guises talk about selling it, nobody has yet joined the call and demonstrated a use case for it. I'll remain very

Thanks Ants fucked around with this message at 16:28 on May 21, 2024

Copilot in my experience has given me several "oh wow" moments when playing with it. I see value in it (although more so future value, it's being rapidly developed rn), although mostly for business administration and managers. The coolest thing I've seen it do so far is when I tried asking Copilot to explain the value of our product, it combed through several documents that were marked as visible to the entire organization and gave me a summary of the product using information I didn't even know about. Another cool trick it can do is create entire beautifully formatted PowerPoint presentations from fairly simple prompts. Email coaching is also pretty cool, it can read tone and suggest how to make the email better. (eg it pointed out that a sample email I submitted wasn't assertive enough) It can do a lot rn, and with the speed that features are being added to it I'm super excited to see where it is in a year once it's had more time in the oven. Remember that Teams was also only kind-of useful post-launch and look at where it is now.
We gave a copilot license to a handful of employees who would not shut up about it and their feedback was “it’s alright I guess?” We haven’t talked about it in months and all interest died down two weeks after it became available. I’m sure it’s easy to justify 30 bucks a month of productivity savings but also there’s a lot I’d love to do with $30/user of opex spending so I’m fine with not pushing it.
> klosterdev posted: Copilot in my experience has given me several "oh wow" moments when playing with it. I see value in it (although more so future value, it's being rapidly developed rn), although mostly for business administration and managers. The coolest thing I've seen it do so far is when I tried asking Copilot to explain the value of our product, it combed through several documents that were marked as visible to the entire organization and gave me a summary of the product using information I didn't even know about. Another cool trick it can do is create entire beautifully formatted PowerPoint presentations from fairly simple prompts. Email coaching is also pretty cool, it can read tone and suggest how to make the email better. (eg it pointed out that a sample email I submitted wasn't assertive enough)

These features are very cool and the most interesting parts of Copilot to me so far, but the advanced features do require categorizing and tagging of your data for access control. If your org is a mess a lot of the power is going to be lost at best, and at worst you are going to leak data to the wrong internal resources.
> ptier posted: We call it "cloud time" around these parts. Especially with Intune and waiting for policies to apply. Out of 16 PCs, 12 will do it right away and then 4 will take like half a day because CLOUD TIME!

That makes sense, legacy AD was like that too, make a change and wait at least 15 minutes. Although on our network it's not 25% of endpoints take half a day, it's 25% never pick up a new GPO at all.
The GPO evaluation cycle is a very well established thing and can be overridden or calculated fairly easily, whereas “cloud time” happens when it wants to happen. I’ll always defend ADDS as the neckbeard I am becoming
> kung fu jive posted: These features are very cool and the most interesting parts of Copilot to me so far, but the advanced features do require categorizing and tagging of your data for access control. If your org is a mess a lot of the power is going to be lost at best, and at worst you are going to leak data to the wrong internal resources.

Yeah you'll def want to make sure your OneDrive default setting is "specify who you want to share this to" because Copilot can't tell if public to the org data should actually be public to the org.
> Aunt Beth posted: The GPO evaluation cycle is a very well established thing and can be overridden or calculated fairly easily, whereas “cloud time” happens when it wants to happen. I’ll always defend ADDS as the neckbeard I am becoming

More than that, SCCM has always been described as "taking its own time" but it's literally one of the fastest and most responsive endpoint management systems I've worked with, especially if you commit even a few hours of your time quarterly to maintain the db and optimize your various services hosts. I'm happy about being in Intune these days but I do wish I had more control.
> klosterdev posted: Yeah you'll def want to make sure your OneDrive default setting is "specify who you want to share this to" because Copilot can't tell if public to the org data should actually be public to the org.

This and a big focus on Purview, sensitivity labels, and DLP. "Configuring" it is really just buying the licensing and applying it for the most part. Enabling it successfully (averting disaster) is applying the data controls so Susan doesn't ask Copilot for a list of all the salaries in the department, get it, and share with everyone (though I would support that), or Larry asking Copilot to tell him about project epsilon which is something he is not authorized to access and Copilot vomits a bunch of data about a planned buyout. Without proper data security this tool can leak data like crazy internally. It can have massive security implications. I'm mostly thinking about larger orgs, but you still want to be mindful if you are on the small / medium biz side of things.

On another note, they really need to offer some sort of monthly billing on the SKU though. Kinda ridiculous they are forcing everyone to buy in annually.

kung fu jive fucked around with this message at 05:44 on May 23, 2024

Microsoft seem to be caching credentials for "modern" apps in a place that isn't the Credential Store and isn't documented anywhere, and providing no information to anybody including their support teams. How can I clear a list of five stored accounts in the Windows 365 App and Teams (they share the database somehow) to try and get something working again? Nobody knows!
....... they're not using the credential store or the SAM? Are they not using the Credential Guard API?
They're spraying stuff into about five different folders in localappdata and the only repeatable way I've found to fix it is to delete the folders and reboot, at which point your PC then says it needs you to log into Entra again. Nothing in credential store, because of course MS would ignore their own best practises.
> Thanks Ants posted: They're spraying stuff into about five different folders in localappdata and the only repeatable way I've found to fix it is to delete the folders and reboot, at which point your PC then says it needs you to log into Entra again. Nothing in credential store, because of course MS would ignore their own best practises.

God almighty, we're making it so loving easy for criminals lmao
> guppy posted: This is probably a really stupid question, but I am fumbling my way through Power Automate for the first time in conjunction with Microsoft Forms, also for the first time. I am doing this for another group because they don't know how, because I am an idiot. Basically, I need users to fill out a form, and then I need to email the responses in the form to an email address. I do not particularly care about the formatting of the response data, it will be read by a human.

My first thoughts are a field in the form is set jankily. Are attachments mandatory on the form *or on any branch of the form*? Double check the form top to bottom, check the outputs of the form again when an error is given just in case.
> Thanks Ants posted: They're spraying stuff into about five different folders in localappdata and the only repeatable way I've found to fix it is to delete the folders and reboot, at which point your PC then says it needs you to log into Entra again. Nothing in credential store, because of course MS would ignore their own best practises.

This sounds like AADBroker BS to me. What does dsregcmd report? What happens if you attempt 'dsregcmd /forcerecovery'?