|
Sickening posted:If that is true that is huge. They are basically conceding a metric poo poo ton in licensing fees to present a more secure product. https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-security-defaults Limitations: must be turned on for entire tenant, must use ms authenticator app, comes with a number of other default settings that may not work for your environment at this time
|
# ? Nov 6, 2019 16:13 |
|
The Fool posted:https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-security-defaults Can you still turn it on for everyone and then exempt people based on network and or group memberships?
|
# ? Nov 6, 2019 16:20 |
|
Doesn’t look like it, it seems all or nothing. If you want that kind of control you’ll need to pay.
|
# ? Nov 6, 2019 16:43 |
|
The Fool posted:Doesn’t look like it, it seems all or nothing. Eh, that is kind of poo poo then. Even the basic mfa you can turn on with an office 365 license is better than that. Boooooooooooooooooooo
|
# ? Nov 6, 2019 16:55 |
|
...MFA in Azure is (or was) a non-free addon? LOL? That seems shocking and amazingly poo poo in 2019.
|
# ? Nov 6, 2019 18:35 |
|
In addition to the new free option, it’s also free for admin accounts. Otherwise it is a part of AzureAD P1 with an add on option if you don’t get P1
|
# ? Nov 6, 2019 18:39 |
|
Someone should set up a site like sso.tax to shame them into including it. P1 is included with an E3 license though, so most people are already probably licensed for it. I think
|
# ? Nov 6, 2019 18:50 |
|
skipdogg posted:P1 is included with an E3 license though, so most people are already probably licensed for it. I think Unless something changed this week, P1 is included in E5 but not E3
|
# ? Nov 6, 2019 18:56 |
|
skipdogg posted:Someone should set up a site like sso.tax to shame them into including it. Is that really true though? I don't see p1 in the Service plan details of an e3. I mean it could be, but p1 are shown to be separate licenses in my portal.
|
# ? Nov 6, 2019 18:58 |
|
Y’all are right. It’s not included. It’s part of the EMS bolt on if that’s still a thing.
|
# ? Nov 6, 2019 19:29 |
|
skipdogg posted:Y’all are right. It’s not included. It’s part of the EMS bolt on if that’s still a thing. It's part of the Microsoft365 E3 license which is just O365 E3 and EMS rolled up into one package which is nice if you need Windows 10 Enterprise and P1.
|
# ? Nov 6, 2019 19:43 |
|
gently caress Microsoft licensing
|
# ? Nov 6, 2019 19:46 |
|
The Fool posted:gently caress Microsoft licensing Me, every year I renew our SA agreement. Switching everything to per core licensing for Windows Server has been the biggest pain in my rear end. It was bad enough when they made the switch for SQL.
|
# ? Nov 6, 2019 19:57 |
|
My on prem environment isn’t even that complicated. It takes like 15 minutes to do an audit and send it to my var who takes care of everything else. It’s all these different license tiers and addons and packages for the cloud services that annoys me. I am constantly worried that I’m leaving money on the table because I don’t have the right combination of license tier and addons.
|
# ? Nov 6, 2019 20:00 |
|
The Fool posted:SSO was pushed quite a bit yesterday and this bullshit makes me very angry. Well isn't this list interesting. Glad to see someone, somewhere is calling out this bs.
|
# ? Nov 7, 2019 20:29 |
|
As lovely as charging for SSO is, that's one of the things I'm sure absolutely has a quantifiable cost in terms of support resources to deal with people that don't have the first loving clue about how any of it works trying to stumble through a config and blowing up everything in the process.
|
# ? Nov 8, 2019 15:58 |
|
H2SO4 posted:As lovely as charging for SSO is, that's one of the things I'm sure absolutely has a quantifiable cost in terms of support resources to deal with people that don't have the first loving clue about how any of it works trying to stumble through a config and blowing up everything in the process. I am confident that none of those companies are really offering you any real support resources to help you in SSO. I am pretty sure it's all left to you to figure out.
|
# ? Nov 8, 2019 16:27 |
|
And if you do have issues with setting up their SSO the regular support people don’t know anything and just upsell you on professional services to set it up for you.
|
# ? Nov 8, 2019 17:00 |
|
I've seen it both ways. Some companies will tell you to go piss up a rope and others will actually help, just like some customers actually understand what they're trying to accomplish and others are drastically out of their element. I've had to be the third wheel on more than a few of those calls.
|
# ? Nov 8, 2019 19:16 |
|
Sickening posted:I am confident that none of those companies are really offering you any real support resources to help you in SSO. I am pretty sure it's all left to you to figure out. Asana do not give a single poo poo if you have SSO issues, and can't seem to figure out where the 7-day session limit is coming from: hint - it's not Azure.
|
# ? Nov 8, 2019 21:08 |
|
SSO can die in a fire
|
# ? Nov 9, 2019 03:54 |
|
PUBLIC TOILET posted:SSO can die in a fire why?
|
# ? Nov 9, 2019 04:18 |
|
That sure is an opinion you can have I guess
|
# ? Nov 9, 2019 04:29 |
|
this opinion is brought to you by lastpass ask us about our corporate discounts
|
# ? Nov 9, 2019 06:49 |
|
Thanks Ants posted:Yeah I don't get it either. I assume for companies that are actually in a hybrid Exchange setup it's complicated, but for people who just have a synced AD surely just get on and write that stuff back. The guy I talked to at the Exchange booth said he really hoped he didn’t have to still be having this conversation again next year and that it’s currently on the azure ad team (but is in active development).
|
# ? Nov 10, 2019 02:13 |
|
Did you go talk to the Azure AD guys so they can blame the Exchange folk?
|
# ? Nov 10, 2019 20:03 |
|
The azure ad guys only ever wanted to talk about password hash sync.
|
# ? Nov 10, 2019 20:24 |
|
Anyone have any suggestions on a good email to SMS relay service? We've got a group that set up some critical stuff using the carrier relay services which are not reliable. (lol Verizon)
Maneki Neko fucked around with this message at 20:39 on Nov 13, 2019 |
# ? Nov 13, 2019 19:56 |
|
If you have the right sort of skills in house then build something on Twilio. If you already use AWS then hooking up a Lambda action triggered on an SES email receive event to call the Twilio API and send an SMS shouldn't be too much work.
|
# ? Nov 13, 2019 21:44 |
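The SES receive event to Lambda to Twilio relay suggested in the post above, as an added example that is not code from any poster in the thread. The allowlisted sender, phone numbers and environment-variable names are assumptions; the handler relays only mail that passed SES's SPF, DKIM, spam and virus verdicts, and sends the subject line because the SES Lambda event carries headers, not the message body.

```python
import base64
import os
import urllib.parse
import urllib.request

# Assumed configuration: every value here is a placeholder, not from the thread.
ALLOWED_SENDERS = {"alerts@example.com"}
TWILIO_SID = os.environ.get("TWILIO_ACCOUNT_SID", "AC_placeholder_sid")
TWILIO_TOKEN = os.environ.get("TWILIO_AUTH_TOKEN", "placeholder-token")
SMS_FROM = os.environ.get("SMS_FROM", "+15555550100")
SMS_TO = os.environ.get("SMS_TO", "+15555550101")
VERDICTS = ("spfVerdict", "dkimVerdict", "spamVerdict", "virusVerdict")

def sms_text_from_ses(event):
    """Return SMS text for an SES receive event, or None if it must not be relayed."""
    ses = event["Records"][0]["ses"]
    receipt, mail = ses["receipt"], ses["mail"]
    # Drop anything SES did not mark PASS, so spoofed or spam mail cannot page people.
    for verdict in VERDICTS:
        if receipt.get(verdict, {}).get("status") != "PASS":
            return None
    if mail["source"].lower() not in ALLOWED_SENDERS:
        return None
    # Collapse whitespace (including folded-header CR/LF) and cap at one SMS segment.
    subject = mail["commonHeaders"].get("subject", "(no subject)")
    return " ".join(subject.split())[:160]

def build_twilio_request(text):
    """Build (without sending) the POST to Twilio's Messages resource."""
    url = f"https://api.twilio.com/2010-04-01/Accounts/{TWILIO_SID}/Messages.json"
    form = urllib.parse.urlencode({"To": SMS_TO, "From": SMS_FROM, "Body": text})
    req = urllib.request.Request(url, data=form.encode(), method="POST")
    auth = base64.b64encode(f"{TWILIO_SID}:{TWILIO_TOKEN}".encode()).decode()
    req.add_header("Authorization", "Basic " + auth)
    return req

def handler(event, context):
    """Lambda entry point: relay the subject as an SMS if the mail is acceptable."""
    text = sms_text_from_ses(event)
    if text is None:
        return {"relayed": False}
    with urllib.request.urlopen(build_twilio_request(text), timeout=10) as resp:
        return {"relayed": 200 <= resp.status < 300}

# Constructed sample event, trimmed to the fields used above.
SAMPLE_EVENT = {"Records": [{"ses": {
    "receipt": {v: {"status": "PASS"} for v in VERDICTS},
    "mail": {"source": "alerts@example.com",
             "commonHeaders": {"subject": "DISK  FULL on\r\n db01"}}}}]}
```

Returning `{"relayed": False}` for rejected mail gives a log line per drop, which is the visibility into failures that the carrier gateways lack.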
|
Thanks Ants posted:If you have the right sort of skills in house then build something on Twilio. If you already use AWS then hooking up a Lambda action triggered on an SES email receive event to call the Twilio API and send an SMS shouldn't be too much work. I'm normally loath to recommend someone roll a half-assed solution in house, but the Twilio API is actually super easy to work with and the use case is simple enough that it shouldn't be a big deal.
|
# ? Nov 13, 2019 21:47 |
|
I agree, but my experience with other services has been that they are less reliable and provide fewer opportunities to see where the email-to-SMS failed, as well as running on 15 year old servers and firing off a bunch of ASP scripts. Unless you're going full PagerDuty of course, Twilio has always worked well for us.
|
# ? Nov 13, 2019 21:53 |
My work has a bunch of shared PCs that users log into periodically. These are old Win7 machines that we are swapping out with Win10 PCs. What's the best way to transfer data from user profiles over? I seem to recall there being issues if you just move the user's folder over to a new PC without first logging them in to create that. We do have network shares for each user, would that be the best way to do that? I'd love if there was a way to automate this because I have a dozen PCs like this to do.
|
|
# ? Nov 13, 2019 22:07 |
user profiles both exist in the registry and on the file server, so yeah, without the registry marker if you just copy c:\users to \\new\c$\users you'll have issues at log-in. You can copy the contents of their user profile to a network location and then via GP set that to that network location. Redirect is in user/policies/windows templates/folder redirection or something similar. roaming profiles (I hate these don't use) are at computer/policies/admin templates/system/user profiles/set roaming profiles or something.
|
|
# ? Nov 13, 2019 22:12 |
|
cage-free egghead posted:My work has a bunch of shared PCs that users log into periodically. These are old Win7 machines that we are swapping out with Win10 PCs. Use this tool: https://www.forensit.com/move-computer.html
|
# ? Nov 13, 2019 22:15 |
|
I've been putting off enabling SAML on Aruba Central for a while since the documentation appeared to be quite poo poo, but one of the HPE guys put together a video that walks you through the whole thing and it's honestly one of the best I've seen purely for the amount of material that is covered in the ~20 mins or so that it runs for. Everything works perfectly and it saved a lot of messing around with attributes. https://www.youtube.com/watch?v=BIP0iBXFRAk
|
# ? Nov 13, 2019 22:35 |
The Fool posted:Use this tool: https://www.forensit.com/move-computer.html I literally just came across this and started trying out the free version. It's taking a bit longer than I'd hope via USB3 for just one profile but it may be the best way to automate this
|
|
# ? Nov 13, 2019 23:06 |
|
H2SO4 posted:I've seen it both ways. Some companies will tell you to go piss up a rope and others will actually help, just like some customers actually understand what they're trying to accomplish and others are drastically out of their element. I've had to be the third wheel on more than a few of those calls. Why wouldn’t you want customers to use SSO for products or services? That has got to be one of the worst business decisions I’ve ever heard of in my entire IT Career. Having to remember dozens of credentials is absolutely mind boggling and I can’t even fathom how much we’ve spent on just resetting passwords.
|
# ? Nov 14, 2019 03:47 |
|
cage-free egghead posted:We do have network shares for each user, would that be the best way to do that? I'd love if there was a way to automate this because I have a dozen PCs like this to do. If you've got AD, a longer term solution would be to set up security groups for all major shares, configure automapping in group policy management, and use item-level targeting to only have it map for users in those security groups. We've gotten so many fewer calls asking to map $Drive since I set it up, and it's another thing we have to think less about during our migration. New or existing user needs access to $Drive? Add them to the applicable security group and forget about it.
|
# ? Nov 14, 2019 04:14 |
|
I have 2 old domain controllers that are still active servers. They've been demoted from domain controllers, but seemingly not 100%. I can't use the ntdsutil tool to connect to them, and I had to remove them in AD sites. There's a lot of entries in DNS but when I remove them, they refresh back in a few seconds. Any ideas?
|
# ? Nov 14, 2019 13:47 |
klosterdev posted:If you've got AD, a longer term solution would be to set up security groups for all major shares, configure automapping in group policy management, and use item-level targeting to only have it map for users in those security groups. We've gotten so many fewer calls asking to map $Drive since I set it up, and it's another thing we have to think less about during our migration. We've got network shares mapped for each user for their own "personal" space to save files, which I believe is handled automagically by AD through each of their domain accounts, so that's not a huge concern. I was able to get USMT working, I thought I needed MDT or SCCM in our prem but turns out you can just use a new computer as a destination for the file store. The biggest thing is to figure out how to make this as seamless as possible but our users use some janky rear end programs that I'm not too thrilled to have to reinstall.
|
|
# ? Nov 14, 2019 18:58 |