Hed
Mar 31, 2004

Fun Shoe
I'm trying to get Windows Hello for Business up and running, we have a hybrid AD setup, but there's no trust--I have to fall back to password because Windows Hello can't talk with the domain.

To fix this I'm trying to get our MSP to do Cloud Kerberos trust deployment but they think users won't be able to sign in based on this last bullet from the guide:


I don't understand the ramifications of this, is this just talking about domain-joining? First login of the day or for some gross ticket validity period? I searched around but can't tell how big of a deal this would be for users.


FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams
I read that as there being some one time sync happening behind the scenes on first login, maybe the system registering something on the AD computer object that gets pushed up to Azure AD.

I don't have much experience with HfB, but my coworker set it up for a different complex scenario and I spent a fair amount of time with him digging through docs and Woof, it is some complex poo poo.

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

We're in the middle of rolling out WHfB via Kerb Cloud Trust and it's been going really well, but we've been doing it for existing users on existing workstations.

I'm assuming the unsupported scenario is for a first-time login to a device. Specifically, step E of the process here:

https://learn.microsoft.com/en-us/w...-kerberos-trust

quote:

The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain. Using the hint, the provider uses the DClocator service to locate a 2016 domain controller. After locating an active 2016 domain controller, the Kerberos provider sends the partial TGT that it received from Azure AD to the domain controller. The partial TGT contains only the user SID and is signed by Azure AD Kerberos. The domain controller verifies that the partial TGT is valid. On success, the KDC returns a TGT to the client. Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests. Lsass informs Winlogon of the successful authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.

I'm assuming that if there is no line of sight to a DC, it can't get the full TGT and doesn't load the logon session. I don't know if we've tested this in our environment, as we're just having existing folks enroll on their workstations. We generally have line of sight to a DC in our environment as well.

Thanks Ants
May 21, 2004

#essereFerrari


Hed posted:

I'm trying to get Windows Hello for Business up and running, we have a hybrid AD setup, but there's no trust--I have to fall back to password because Windows Hello can't talk with the domain.

To fix this I'm trying to get our MSP to do Cloud Kerberos trust deployment but they think users won't be able to sign in based on this last bullet from the guide:


I don't understand the ramifications of this, is this just talking about domain-joining? First login of the day or for some gross ticket validity period? I searched around but can't tell how big of a deal this would be for users.

Think you're going to have to pilot this and see, the actual config takes a few minutes. You could really do with not being Hybrid joined if you can at all avoid it.

Hed
Mar 31, 2004

Fun Shoe
Thanks, everyone, I will just try it and find out.

Thanks Ants posted:

Think you're going to have to pilot this and see, the actual config takes a few minutes. You could really do with not being Hybrid joined if you can at all avoid it.

I really don't understand why we still have a traditional VM sitting as a DC at all, I've been told it's because we have a file server. I want to move to Azure files but there were some excuses why we couldn't last summer. We just need a few SMB shares, nothing fancy.

edit: are you saying we should be full Azure AD or traditional? I read what you're saying about Hybrid having shortcomings, just curious if you think one extreme or the other is better

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

Go full Azure AD Joined on the workstations if you can. They should still be able to access most on-prem resources if everything is set up properly. That's on our roadmap for next year, along with moving to full Intune management and a few other things. I'm on our AD team, not the workstation team, so I'm not involved much, but I think we have 1 potential on-prem resource that may block moving to full AADJ that they're working on removing.

https://learn.microsoft.com/en-us/azure/active-directory/devices/device-sso-to-on-premises-resources

Found specific wording about the first-time sign-in on hybrid AADJ devices:

"For hybrid Azure AD joined devices, users must perform the first sign-in with new credentials while having line of sight to a DC"
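The first sign-in requirement quoted above comes down to whether the client can exchange the Azure AD partial TGT at a domain controller. The script below is an added example, not from the thread or from Microsoft: it reads the SSO state fields that dsregcmd /status prints (assumed field names: DomainJoined, AzureAdJoined, AzureAdPrt, CloudTgt, OnPremTgt), checks DC line of sight with nltest, and looks for the AzureADKerberos computer object the trust setup creates in the domain. The $Domain default and the object name are assumptions; run it elevated on a hybrid-joined client.

```powershell
# Added example: cloud Kerberos trust readiness check on a hybrid-joined client.
[CmdletBinding()]
param(
    # Assumption: the machine's AD DNS domain is the domain the trust is set up for.
    [string]$Domain = (Get-CimInstance Win32_ComputerSystem).Domain
)

function Get-DsregField {
    param([string[]]$Status, [string]$Name)
    # dsregcmd /status prints "Name : Value" lines; return the value for one field.
    $line = $Status | Where-Object { $_ -match "^\s*$Name\s*:" } | Select-Object -First 1
    if ($line -and $line -match ":\s*(.+)$") { return $Matches[1].Trim() }
    return $null
}

$status = & dsregcmd.exe /status
$result = [ordered]@{
    DomainJoined  = Get-DsregField $status 'DomainJoined'
    AzureAdJoined = Get-DsregField $status 'AzureAdJoined'
    AzureAdPrt    = Get-DsregField $status 'AzureAdPrt'
    CloudTgt      = Get-DsregField $status 'CloudTgt'   # partial TGT issued by Azure AD
    OnPremTgt     = Get-DsregField $status 'OnPremTgt'  # full TGT obtained from a DC
}

# Line of sight to a DC is what the first sign-in needs; nltest exits non-zero
# when no domain controller can be located.
& nltest.exe /dsgetdc:$Domain /force *> $null
$result.DcReachable = ($LASTEXITCODE -eq 0)

# The Azure AD Kerberos server object (assumed name: AzureADKerberos) must exist
# in the domain for the DC to validate the partial TGT. Needs the AD module.
try {
    $obj = Get-ADComputer -Filter "Name -eq 'AzureADKerberos'" -ErrorAction Stop
    $result.AzureAdKerberosObject = [bool]$obj
} catch {
    $result.AzureAdKerberosObject = 'unknown (ActiveDirectory module not available)'
}

[pscustomobject]$result | Format-List

# The failure mode the thread is worried about: Azure AD issued a partial TGT but
# it was never exchanged at a DC, so on-prem Kerberos resources will not work.
if ($result.CloudTgt -eq 'YES' -and $result.OnPremTgt -ne 'YES') {
    Write-Warning 'Cloud TGT present but no on-prem TGT: sign in once with line of sight to a DC.'
}
```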

Thanks Ants
May 21, 2004

#essereFerrari


Hed posted:

edit: are you saying we should be full Azure AD or traditional? I read what you're saying about Hybrid having shortcomings, just curious if you think one extreme or the other is better

I'm saying keep AD around if you're unsure whether you can go full cloud, but laptops that you deploy 1:1 should be Azure AD joined and nothing else. Manage them through Intune.

On-prem AD is fine for file servers, and cloud Kerberos trust will allow all those devices to connect to them even if people are logging in with a PIN/face/fingerprint.

tehinternet
Feb 14, 2005

Semantically, "you" is both singular and plural, though syntactically it is always plural. It always takes a verb form that originally marked the word as plural.

Also, there is no plural when the context is an argument with an individual rather than a group. Somfin shouldn't put words in my mouth.

The Fool posted:

I used to support an accounting app that needed admin access and access to a mapped drive

the user accounts didn't have admin and the admin accounts didn't have access to the share

that was always fun

I just want to say how hard this speaks to my heart

tehinternet fucked around with this message at 03:11 on Aug 6, 2023

Hed
Mar 31, 2004

Fun Shoe
Thanks everyone, I got my MSP to set up the hybrid trust and it works.

I’m going to roll out hello to everyone over the next weeks.

My next big question mark will be how well Hello login will translate to people logging into Azure VMs over RDP. I imagine they’ll still use normal creds. At least most execs and the finance & accounting team don’t do that.

Boywhiz88
Sep 11, 2005

floating 26" off da ground. BURR!
I've taken over an account creation process and I've been working at automating parts of it.

An E3 license is assigned by placing the user into an AAD group. We then manually set the Send As and Full Access rights for the individual mailbox.

Off-hand, is there a way I can make the latter happen just by adding them to that first AAD group? I figure there's always a Powershell script if necessary but I wanted to streamline as much as possible.

I've started looking into this but am coming up short on Google.

nielsm
Jun 1, 2009



I don't know about Exchange Online, but in on-prem you can add (universal) groups to the Full Access and Send As permissions. The limitation when doing that, still on-prem, is that users don't get the mailbox added to the property on their AD object that tells Outlook to automatically open the mailbox.

Boywhiz88
Sep 11, 2005

floating 26" off da ground. BURR!

nielsm posted:

I don't know about Exchange Online, but in on-prem you can add (universal) groups to the Full Access and Send As permissions. The limitation when doing that, still on-prem, is that users don't get the mailbox added to the property on their AD object that tells Outlook to automatically open the mailbox.

Yeah, it's hybrid so there's all sorts of moving parts. I figured that if E3 is set via AAD, there's gotta be a similar function available for mailbox control. But just trying to see if anyone had a lead before I finally find the best search terms.

snackcakes
May 7, 2005

A joint venture of Matsumura Fishworks and Tamaribuchi Heavy Manufacturing Concern

Boywhiz88 posted:

I've taken over an account creation process and I've been working at automating parts of it.

An E3 license is assigned by placing the user into an AAD group. We then manually set the Send As and Full Access rights for the individual mailbox.

Off-hand, is there a way I can make the latter happen just by adding them to that first AAD group? I figure there's always a Powershell script if necessary but I wanted to streamline as much as possible.

I've started looking into this but am coming up short on Google

I think for mailbox permissions to groups it has to be a mail enabled group.

For license assignments I recommend leveraging dynamic AAD groups as much as you can. It's made my life a heck of a lot easier but obviously everyone's environment/requirements are different.
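Putting nielsm's and snackcakes' answers together: Full Access and Send As can be granted to a mail-enabled security group once, after which adding a user to the group is the whole onboarding step, with the caveat that group grants do not auto-map the mailbox in Outlook. This is an added example, not the poster's script: it targets Exchange Online PowerShell (assumes Connect-ExchangeOnline has run), and the mailbox and group addresses are placeholders.

```powershell
# Added example: grant a mail-enabled security group Full Access and Send As on
# a shared mailbox in Exchange Online, then verify the grants landed on the group.
param(
    [string]$Mailbox = 'shared-finance@contoso.example',    # placeholder shared mailbox
    [string]$Group   = 'sg-finance-mailbox@contoso.example' # placeholder mail-enabled security group
)

# Mailbox permissions can only be assigned to mail-enabled security groups
# (snackcakes' point), so check the recipient type before changing anything.
$grp = Get-Recipient -Identity $Group -ErrorAction Stop
if ($grp.RecipientTypeDetails -ne 'MailUniversalSecurityGroup') {
    throw "$Group is $($grp.RecipientTypeDetails); it must be a mail-enabled security group."
}

# Full Access. AutoMapping is the per-user Outlook auto-open behaviour nielsm
# mentions; it does not propagate through a group grant, so it is set to $false
# here to make that explicit. Users add the mailbox manually in Outlook.
Add-MailboxPermission -Identity $Mailbox -User $Group -AccessRights FullAccess `
    -InheritanceType All -AutoMapping $false -Confirm:$false

# Send As is a recipient permission in Exchange Online
# (on-prem Exchange uses Add-ADPermission with the "Send As" extended right instead).
Add-RecipientPermission -Identity $Mailbox -Trustee $Group -AccessRights SendAs -Confirm:$false

# Verify both grants are on the group rather than on individual users.
$full   = Get-MailboxPermission -Identity $Mailbox -User $Group |
          Where-Object { $_.AccessRights -contains 'FullAccess' }
$sendAs = Get-RecipientPermission -Identity $Mailbox -Trustee $Group |
          Where-Object { $_.AccessRights -contains 'SendAs' }

[pscustomobject]@{
    Mailbox    = $Mailbox
    Group      = $Group
    FullAccess = [bool]$full
    SendAs     = [bool]$sendAs
}
```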

tehinternet
Feb 14, 2005

snackcakes posted:

For license assignments I recommend leveraging dynamic AAD groups as much as you can. It's made my life a heck of a lot easier but obviously everyone's environment/requirements are different.

Dynamic Entra ID (:smug:) groups are the way to go for sure, if at all possible.

Hed
Mar 31, 2004

Fun Shoe

Hed posted:

Thanks everyone, I got my MSP to set up the hybrid trust and it works.

I’m going to roll out hello to everyone over the next weeks.

My next big question mark will be how well Hello login will translate to people logging into Azure VMs over RDP. I imagine they’ll still use normal creds. At least most execs and the finance & accounting team don’t do that.

It looks like Hello for Business doesn't work with RDP when using Cloud Kerberos Trust. People get certificate errors and have to fall back to passwords. It sounds like we could do NDES but we just set up CKT for this. Here's a Microsoft post talking about it.

Number19
May 14, 2003

HOCKEY OWNS
FUCK YEAH


snackcakes posted:

For license assignments I recommend leveraging dynamic AAD groups as much as you can. It's made my life a heck of a lot easier but obviously everyone's environment/requirements are different.

I just did something like this and it is 100% the way to go. It might take a bit to figure out your rule syntax (the basic rule editor is nearly useless) but once you have a framework in place you suddenly stop having to worry about a lot of things that you did manually before.

EoRaptor
Sep 13, 2003

by Fluffdaddy

Number19 posted:

I just did something like this and it is 100% the way to go. It might take a bit to figure out your rule syntax (the basic rule editor is nearly useless) but once you have a framework in place you suddenly stop having to worry about a lot of things that you did manually before.

Just don't get too big, tenants have a limit of 5000 dynamic groups.
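What snackcakes, Number19 and EoRaptor describe, as an added example (not code from any poster): a dynamic Entra ID group written with a hand-authored membership rule, group-based licensing attached to it, and a check of the tenant's dynamic-group count against the 5000 limit before creating another one. Assumes the Microsoft.Graph modules and a Connect-MgGraph session with Group.ReadWrite.All and Organization.Read.All; the group name, rule and SKU part number are placeholders.

```powershell
# Added example: dynamic group for license assignment plus the 5000-group guard.
param(
    [string]$GroupName     = 'lic-dyn-m365-e3',  # placeholder
    # Assumption: Microsoft 365 E3. Office 365 E3 is ENTERPRISEPACK; check Get-MgSubscribedSku.
    [string]$SkuPartNumber = 'SPE_E3',
    # Placeholder rule: enabled users in two departments. The rule editor in the
    # portal cannot express -in lists well, which is why writing it by hand helps.
    [string]$Rule = '(user.accountEnabled -eq true) and (user.department -in ["Finance","Accounting"])'
)

# 1. Count existing dynamic groups. $count queries need ConsistencyLevel=eventual.
$null = Get-MgGroup -Filter "groupTypes/any(g:g eq 'DynamicMembership')" `
    -ConsistencyLevel eventual -CountVariable dynCount -Top 1
Write-Host "Dynamic groups in tenant: $dynCount of 5000"
if ($dynCount -ge 5000) { throw 'Dynamic group limit reached; consolidate rules instead.' }

# 2. Create a mail-disabled dynamic security group; licensing does not need mail.
$group = New-MgGroup -DisplayName $GroupName -MailEnabled:$false -MailNickname $GroupName `
    -SecurityEnabled:$true -GroupTypes @('DynamicMembership') `
    -MembershipRule $Rule -MembershipRuleProcessingState 'On'

# 3. Resolve the SKU and attach it to the group (group-based licensing).
$sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq $SkuPartNumber
if (-not $sku) { throw "SKU $SkuPartNumber not found in this tenant." }
Set-MgGroupLicense -GroupId $group.Id -AddLicenses @(@{ SkuId = $sku.SkuId }) -RemoveLicenses @()

# 4. Report. Membership is evaluated asynchronously, so members appear a little later;
#    AvailableUnits shows whether the rule can actually be satisfied by the subscription.
[pscustomobject]@{
    GroupId         = $group.Id
    Rule            = $Rule
    ProcessingState = $group.MembershipRuleProcessingState
    SkuAssigned     = $sku.SkuPartNumber
    AvailableUnits  = $sku.PrepaidUnits.Enabled - $sku.ConsumedUnits
}
```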

~Coxy
Dec 9, 2003

R.I.P. Inter-OS Sass - b.2000AD d.2003AD
Is there any way to get rid of an account in this list?



I never want to sign in to this tenant using the "connected to windows" account.

Greasemonkey script or browser addon would also be fine.

Thanks Ants
May 21, 2004

#essereFerrari


Fairly sure there’s a Chrome and Edge policy that you can disable single sign-on with, I’ll have a look when I am not phone posting.

~Coxy
Dec 9, 2003

R.I.P. Inter-OS Sass - b.2000AD d.2003AD
If it's a policy it needs to apply to a single profile only, I'm afraid, so that's probably not going to work.

The Fool
Oct 16, 2003


iirc, all of the Edge/Chrome policy stuff changes flags in about:config

doesn't work this way anymore

The Fool fucked around with this message at 14:31 on Aug 17, 2023

sporkstand
Jun 15, 2021
I recently started a new job and I've been asked to get us set up with an Azure subscription so we can create VMs and do some WUfB reporting.
We currently have a perfectly functioning (ha) Azure AD tenant, so that part is already squared away, it's the subscription part that is stumping me.
According to MS documentation here: https://learn.microsoft.com/en-us/windows/deployment/update/wufb-reports-prerequisites we've got everything but the Azure subscription.
I went through the process of creating a free one, but that one seems to be associated with my individual account, as in my email address and info appears in the billing section and that's not what I want since I ain't paying the bill. I've got global admin rights in our tenant so that shouldn't be a problem. When I log into the Azure portal I see the 'Subscriptions' link and I see the option to add a sub there, but when I click it... it has my name and email for the billing and wants me to add a credit card. Does everyone just use a company CC when setting these up? We have a CSP (CDW), am I supposed to go through them? I managed our Azure stuff at my old job but the subscriptions were already set up when I got there so I've never actually had to do this portion before. Is there something else I'm missing here?

unknown
Nov 16, 2002
Ain't got no stinking title yet!


You pay via credit card or ask your CSP to set up billing via them (probably not worth it until you get to thousands/mon). Basically someone gets to collect a lot of points on their CC. Direct billing from MS to the company doesn't happen until you bill a lot.

Boogalo
Jul 8, 2012

Meep Meep




It can be worth contacting MS to see if they'll help you with quickstartor fast-track stuff and get set up with a reseller for proper billing. We go through SHI for all of ours. MS will throw free resources at you to help you spend more money in their cloud.

The Fool
Oct 16, 2003


If you have an EA you should be able to get Azure subscription(s) added to it.

Silly Newbie
Jul 25, 2007
How do I?
I'm exploring lifting and shifting a legacy file server to Azure vs replacing the on-prem hardware. The last time I did this was many years ago, when you would just spin up a Windows VM and have the same file server but virtual. What's my best bet these days, Azure Files or something else? Maybe 10-15TB of data, lots of individual files accessed but not a lot of data movement, it's all pictures and spreadsheets.

Silly Newbie
Jul 25, 2007
How do I?

sporkstand posted:

I recently started a new job and I've been asked to get us set up with an Azure subscription so we can create VMs and do some WUfB reporting.
We currently have a perfectly functioning (ha) Azure AD tenant, so that part is already squared away, it's the subscription part that is stumping me.
According to MS documentation here: https://learn.microsoft.com/en-us/windows/deployment/update/wufb-reports-prerequisites we've got everything but the Azure subscription.
I went through the process of creating a free one, but that one seems to be associated with my individual account, as in my email address and info appears in the billing section and that's not what I want since I ain't paying the bill. I've got global admin rights in our tenant so that shouldn't be a problem. When I log into the Azure portal I see the 'Subscriptions' link and I see the option to add a sub there, but when I click it... it has my name and email for the billing and wants me to add a credit card. Does everyone just use a company CC when setting these up? We have a CSP (CDW), am I supposed to go through them? I managed our Azure stuff at my old job but the subscriptions were already set up when I got there so I've never actually had to do this portion before. Is there something else I'm missing here?

Call your CDW person and they'll hook you up.

The Fool
Oct 16, 2003


Silly Newbie posted:

I'm exploring lifting and shifting a legacy file server to Azure vs replacing the on-prem hardware. The last time I did this was many years ago, when you would just spin up a Windows VM and have the same file server but virtual. What's my best bet these days, Azure Files or something else? Maybe 10-15TB of data, lots of individual files accessed but not a lot of data movement, it's all pictures and spreadsheets.

Don't do it

Gucci Loafers
May 20, 2006

Ask yourself, do you really want to talk to pair of really nice gaudy shoes?


Silly Newbie posted:

I'm exploring lifting and shifting a legacy file server to Azure vs replacing the on-prem hardware. The last time I did this was many years ago, when you would just spin up a Windows VM and have the same file server but virtual. What's my best bet these days, Azure Files or something else? Maybe 10-15TB of data, lots of individual files accessed but not a lot of data movement, it's all pictures and spreadsheets.

Is it just something hosting a shared drive? If it's just pictures and spreadsheets, just throw it in a SharePoint Library.

Thanks Ants
May 21, 2004

#essereFerrari


Microsoft invoice us for our Azure usage and we pay on 30 day terms, and we only use a few hundred £ a month of resources. This does put the continued uptime of your stuff in the hands of a finance team though, if you have ones who take the piss with payment terms for cash flow reasons then you need a boss who can make noise until they stop doing that.

Silly Newbie
Jul 25, 2007
How do I?

The Fool posted:

Don't do it

We've got another business unit using Azure hosted NetApp and it works fine, may explore going that direction.

Crosby B. Alfred posted:

Is it just something hosting a shared drive? If it's just pictures and spreadsheets, just throw it in a SharePoint Library.

Too much institutional culture inertia to make the cut in the time I need. Warranty on the server expires in a couple months, so I need to do some kind of conversion fast, and fast isn't a language these people speak with regard to how they access their data. It's a fight I could win, but it isn't worth it.

Also on the table is just giving Dell like $14k for a new physical server that isn't obsolete garbage, which I haven't totally rejected, it's on my budget for the year.

gallop w/a boner
Aug 16, 2002

Hell Gem
Does anyone know if it’s possible to create an Azure conditional access policy that blocks Windows desktop Outlook clients but allows iOS and Android?

Cyks
Mar 17, 2008

The trenches of IT can scar a muppet for life
Never done it but sounds doable. You can configure CA policies based off Windows/Mac/Android/iPhone and you can target specific Microsoft apps.

Kind of an odd request though and there might be a better way depending on what your goal is. If it is to block outlook on personal PCs but still allow for iPhone and android you may want to consider MAM policies.

Thanks Ants
May 21, 2004

#essereFerrari


Yes, make a policy with the cloud apps set to only target Exchange Online, then in conditions pick the Windows platform and mobile apps and desktop clients, and change the access control to block.

This might stop things that aren't Outlook from accessing Exchange Online data (so something like Teams might break), so test it.
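The policy Thanks Ants describes, as an added example (not from the thread): Exchange Online as the only target app, the Windows platform, the mobile apps and desktop clients type, and block as the control. It is created in report-only mode so the sign-in logs show what it would have blocked (Teams and other non-Outlook clients included) before it is enforced. Assumes the Microsoft.Graph modules and a Connect-MgGraph session with Policy.ReadWrite.ConditionalAccess; the break-glass group ID is a placeholder, and the Exchange Online application ID used is the well-known Office 365 Exchange Online app ID.

```powershell
# Added example: conditional access policy blocking Exchange Online from Windows
# desktop/mobile clients only, created in report-only mode first.
param(
    [string]$DisplayName       = 'Block Exchange Online - Windows desktop clients',
    [string]$BreakGlassGroupId = '00000000-0000-0000-0000-000000000000'  # placeholder: emergency-access accounts
)

# Well-known application ID for Office 365 Exchange Online.
$ExchangeOnlineAppId = '00000002-0000-0ff1-ce00-000000000000'

$policy = @{
    displayName = $DisplayName
    # Report-only first; switch to 'enabled' after reviewing sign-in log results.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeUsers  = @('All')
            excludeGroups = @($BreakGlassGroupId)   # never lock out break-glass accounts
        }
        applications = @{
            includeApplications = @($ExchangeOnlineAppId)
        }
        platforms = @{
            includePlatforms = @('windows')          # iOS/Android not listed, so untouched
        }
        # Desktop Outlook falls under "mobile apps and desktop clients". Browser is
        # not listed, so Outlook on the web keeps working on Windows.
        clientAppTypes = @('mobileAppsAndDesktopClients')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Anything else on Windows that reaches Exchange Online with this client app type
# (Teams calendar, for example) matches too; that is what the report-only run reveals.
[pscustomobject]@{
    Id       = $created.Id
    State    = $created.State
    Platform = ($created.Conditions.Platforms.IncludePlatforms -join ',')
    Apps     = ($created.Conditions.Applications.IncludeApplications -join ',')
    Control  = ($created.GrantControls.BuiltInControls -join ',')
}
```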

Gucci Loafers
May 20, 2006



Silly Newbie posted:

Too much institutional culture inertia to make the cut in the time I need. Warranty on the server expires in a couple months, so I need to do some kind of conversion fast, and fast isn't a language these people speak with regard to how they access their data. It's a fight I could win, but it isn't worth it.

Also on the table is just giving Dell like $14k for a new physical server that isn't obsolete garbage, which I haven't totally rejected, it's on my budget for the year.

As far as I remember - Azure Files or using Azure Storage as a file share is meant for applications not necessarily users. It's not going to be that user friendly, you might not have permission control or ability to backup data as much as you'd like.

Silly Newbie
Jul 25, 2007
How do I?

Crosby B. Alfred posted:

As far as I remember - Azure Files or using Azure Storage as a file share is meant for applications not necessarily users. It's not going to be that user friendly, you might not have permission control or ability to backup data as much as you'd like.

Thank you for that, it's the kind of hard to find knowledge that will prevent me from totally loving up.

Anyone have recommendations on moving a file server from on prem to Azure, or is it really just same file server but someone else's hardware? No DFS or other distribution requirements or anything, I just don't want to have on prem hardware if I can help it and budgetarily justify it.

Gucci Loafers
May 20, 2006



You could just spin up a Windows VM, but if it's a shared drive they'll need VPN access.

Internet Explorer
Jun 1, 2005





If you're Azure AD hybrid, why are people saying no to Azure Files? Does Azure AD Kerberos for hybrid identities not fix this? I have been out of that world since that was released. But as far as I know that means no VPN or visibility to a domain controller needed for end users to use a file share with NTFS permissions.

https://learn.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview

incoherent
Apr 24, 2004

So far I've only heard Microsoft championing the Azure Kerberos feature for AVD profile disks. But it's a perfectly acceptable solution imo.

Here is a demo with our bald-headed Azure god, John Savill:

https://www.youtube.com/watch?v=fevwz8O954A

edit: but it's still going to be WAY pricier than dumping it all into SharePoint. I know it's off the table, but you should run the numbers.

incoherent fucked around with this message at 06:44 on Aug 25, 2023


Gucci Loafers
May 20, 2006



Internet Explorer posted:

If you're Azure AD hybrid, why are people saying no to Azure Files? Does Azure AD Kerberos for hybrid identities not fix this? I have been out of that world since that was released. But as far as I know that means no VPN or visibility to a domain controller needed for end users to use a file share with NTFS permissions.

https://learn.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview

If you don't need a VPN... maybe this would work? But still... SharePoint, OneDrive, etc. is a way better solution.
