> lol internet. posted: I'm just doing some testing. I have gotten through the image creation and deployment..

My company builds new images with updates (and any new or updated apps required). We then flag current VMs as retired and deploy new VMs. After a few days, we remove the old VMs. Because of the way tags are updated by the deployment template, we have to do some of this in the pipeline code, but it was too much hassle. To expand on my cost statements, we are using non-persistent pooled VMs with profiles managed by FSLogix. For our use case, it turns out we need high usage of a VM type before it has better per-user cost than W365, and we endlessly run into application and usage compatibility issues with Terminal Server that stymie that. There are some things coming up (heavily revised app attach feature set) that should help, but we aren't there right now.

# Sep 27, 2023 11:33
Feels like there's a lot of outdated documentation out there, but is it not possible to use FSLogix-style profiles across a pooled set of virtual desktop hosts in Azure without ADDS? If you're all AzureAD top to bottom, you're out of luck?

# Sep 27, 2023 21:30
|
A director requested the ability for staff to have a dial-in number for Teams meetings and from what I can tell, this was made free last year; I just need to purchase the free license (that's called dial-out) and assign it to users. I tested it on my account and it seemed to work no problem. Is there anything I need to be careful of before assigning licenses out? Like a way for somebody to accidentally rack up charges?

# Sep 29, 2023 02:54
|
> Cyks posted: A director requested the ability for staff to have a dial-in number for Teams meetings and from what I can tell, this was made free last year, I just need to purchase the free license (that's called dial-out) and assign to users.

Similar scenario and question from me. I need to accomplish the same thing, but when I try to purchase the required free license, I get a message stating that I'm not eligible to purchase it :| Any ideas?

# Oct 7, 2023 16:23
|
> sporkstand posted: Similar scenario and question from me. I need to accomplish the same thing, but when I try to purchase the required free license, I get a message stating that I'm not eligible to purchase it :|

Do you have any of the following licenses already?

Enterprise: Microsoft 365 E3, Office 365 E3, Office 365 E1
Frontline: Microsoft 365 F3, Microsoft 365 F1, Office 365 F3
SMB: Microsoft 365 Business Basic, Business Standard, Business Premium

If so, do you have them direct through Microsoft or through a CSP? If it's through a CSP you'll probably need to buy the license through them even though it's free.

# Oct 7, 2023 17:47
|
> snackcakes posted: Do you have any of the following licenses already?

That's kinda what I figured. We buy our O365 E3 licenses through a CSP. I'll reach out to them next week. Thanks.

# Oct 7, 2023 18:07
|
Dug into this further (probably 20 hours of work on this); the patches were a red herring. For some reason when a Windows 365 Enterprise PC deploys it doesn't have CredGuard enabled, or it has it enabled but isn't doing anything with it yet. I'm fairly sure MS are enabling this at the host level, as there seem to be no admin-controllable options relating to it. CredGuard enables itself after a period of time and a reboot of the guest instance, which happened to line up perfectly with the things hitting a maintenance window and applying updates, and the cumulative updates and CU previews all needed reboots. Looks like this app is really bad and was trying to do unconstrained Kerberos delegation, which CredGuard won't let happen, so it was failing.

# Oct 12, 2023 15:57
|
Is there a way to prevent standard users from creating subscriptions within an Azure tenant? We've had a few incidences lately where random employees have created subscriptions and we're looking to prevent that. I've already set AllowAdHocSubscriptions to false but that seems to have no effect. I've talked to our SIEM (ArcticWolf) to see if they can at least alert on this, but they can't... because they can only do monitoring per subscription, not at the management group level. I've restricted access to the Azure portal for non-admin users as well.

# Oct 14, 2023 19:32
|
There definitely is, because we limit it, but I don't know offhand how it's done exactly. I think there's an RBAC role for creating subscriptions; maybe everybody is in a group that has that role assigned?

# Oct 15, 2023 05:45
Your RBAC must be a dumpster fire if that's even possible. Don't permission everyone as owner/contributor at the MG level; grant permissions on the subscriptions people are supposed to have access to. There are particulars between MCAs and EAs and straight PAYG too, but I still can't imagine how 'random' employees are creating subscriptions.

Edit: you might see MSDN subs people are creating too, but those aren't problematic really unless you've overpermissioned people.

i am a moron fucked around with this message at 15:49 on Oct 15, 2023

# Oct 15, 2023 15:46
|
Thanks, I'll take a look at roles and related RBAC stuff tomorrow. I just started this job 3 months ago and I'm finding all kinds of messed up poo poo security-wise, so it wouldn't surprise me at all.

# Oct 15, 2023 16:47
It's a PITA so I feel for you. You'll have to check all the group memberships where RBAC has been assigned as well. If it's all individual assignments it's easier, but also more lol-worthy.

# Oct 15, 2023 17:04
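The advice in the last few posts (look at who holds Owner/Contributor at the management-group level, then chase the group memberships behind those assignments) is the kind of audit that is tedious by hand in the portal. The script below is an added example, not code from anyone in the thread: it walks every management group, lists the privileged role assignments made directly at that scope, and expands group principals into their direct members. It assumes the Az.Accounts and Az.Resources modules are installed and that `Connect-AzAccount` has already been run with at least Management Group Reader rights. The role list is an assumption; add any custom roles you use. Billing-level permissions (EA enrollment account owners, MCA billing roles) are a separate system and are not covered here.

```powershell
# Added example (not from the thread): enumerate privileged role assignments at
# management-group scope and expand any groups, so you can see which people
# effectively hold Owner/Contributor above the subscription level.
# Assumes Az.Accounts and Az.Resources are installed and Connect-AzAccount has
# already been run with Management Group Reader (or higher) rights.

# Assumed list of roles worth reviewing; extend with your own custom roles.
$privilegedRoles = @('Owner', 'Contributor', 'User Access Administrator')

function Get-PrivilegedMgAssignments {
    param(
        # Role names to report; defaults to the list above
        [string[]] $Roles = $privilegedRoles
    )

    $results = foreach ($mg in Get-AzManagementGroup) {
        $scope = "/providers/Microsoft.Management/managementGroups/$($mg.Name)"

        foreach ($ra in Get-AzRoleAssignment -Scope $scope) {
            # -Scope also returns assignments inherited from parent scopes;
            # keep only those made directly here so each is reported once.
            if ($ra.Scope -ne $scope) { continue }
            if ($ra.RoleDefinitionName -notin $Roles) { continue }

            if ($ra.ObjectType -eq 'Group') {
                # Every direct member of the group effectively holds the role.
                # Nested groups show up as members of type Group and would need
                # a further expansion pass.
                foreach ($m in Get-AzADGroupMember -GroupObjectId $ra.ObjectId) {
                    [pscustomobject]@{
                        ManagementGroup = $mg.DisplayName
                        Role            = $ra.RoleDefinitionName
                        Principal       = $m.DisplayName
                        ViaGroup        = $ra.DisplayName
                    }
                }
            } else {
                [pscustomobject]@{
                    ManagementGroup = $mg.DisplayName
                    Role            = $ra.RoleDefinitionName
                    Principal       = $ra.DisplayName
                    ViaGroup        = $null
                }
            }
        }
    }
    $results
}

Get-PrivilegedMgAssignments |
    Sort-Object ManagementGroup, Role, Principal |
    Format-Table -AutoSize
```

Anyone who appears in the output with a blank `ViaGroup` column is an individual assignment of the kind the post above calls easier to clean up; rows with a `ViaGroup` value are the group memberships it says you also have to check.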
|
The best is when you find rando AWS tenants that are running production workloads for customers and the dude left a year ago.

# Oct 15, 2023 17:47
|
> mllaneza posted: Lucky me, there's a good chance I'll get some training and hands on experience with Intune before layoffs knock me out.

Intune is a full rear end job if you're spinning iOS, MacOS, Windows, and Android plates. Once you dial it in, the only challenge is keeping your packages up to date.

# Oct 19, 2023 05:22
|
Weirdly complicated situation and ask. I've got three on-prem domains in play, and one cloud side. I'd like to make a conditional access policy so that only computers joined to one of these domains can become registered devices in Azure (and thus have Outlook and OneDrive sync to them). Full Azure AD is out for the moment, but I can also control access via requiring an installed app if that's a possibility. Can it be done via a standard conditional access policy, do I need to dig into Intune, is it impossible, or other answer? I tried googling for this but the results are a mishmash spread over the last ten years of MS changing how poo poo works.

# Oct 19, 2023 06:12
|
> incoherent posted: intune is a full rear end job if you're spinning iOS, MacOS, Windows, and Android plates. Once you dial it in the only challenge is keeping your packages up to date.

One of my current projects is evaluating Intune for the lab environment and comparing it to KACE, which we currently use for proactive support, reporting, and security patching.

The proactive stuff is taking advantage of a KACE feature called Custom Inventory Objects. Those run any single command line command, batch or PowerShell, and store it as a field in the database. I can do things like have every machine run 'wmic diskdrive get status' at every check-in and alert if the phrase "fail" shows up. You can stretch "one command line statement" out a lot if you're willing to get liberal with semicolons in PowerShell. I think I have 5 in a check on the size of a specific folder I wanted to report on.

We're gonna spend a couple of quarters on this and I'm gonna end up reporting that they complement each other, but there's no compelling reason to ditch our on-prem AD until Global wants to move the whole company. LOL, that can wait until I retire.

# Oct 19, 2023 06:44
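The two checks described in the post above (disk status that alerts on a keyword, and a folder-size report stacked into one statement with semicolons) look like the following when written out. This is an added example, not the poster's actual inventory commands: the CIM class replaces the `wmic` call the post mentions, the path and the size threshold are placeholders, and the `FAIL`/`WARN` prefixes are just words for the inventory side to match on.

```powershell
# Added example (not from the thread): two check-in commands of the kind the post
# describes, each written as a single statement so it fits a "one command line"
# custom inventory field. Path, threshold and prefixes are made up.

# 1. Disk health: CIM equivalent of 'wmic diskdrive get status'. Emits OK, or a
#    FAIL line naming each drive whose status is not OK, so the inventory side
#    can alert by matching the word "FAIL".
$bad = Get-CimInstance -ClassName Win32_DiskDrive | Where-Object { $_.Status -ne 'OK' }; if ($bad) { 'FAIL: ' + (($bad | ForEach-Object { "$($_.Model)=$($_.Status)" }) -join '; ') } else { 'OK' }

# 2. Folder size: total bytes under a placeholder path, reported in MB with a
#    WARN prefix when it exceeds a threshold so the same keyword alert works.
#    An empty or missing folder yields 0 MB rather than an error.
$path = 'C:\ProgramData\ExampleApp\Logs'; $limitMB = 2048; $mb = [math]::Round(((Get-ChildItem -Path $path -Recurse -File -ErrorAction SilentlyContinue | Measure-Object -Property Length -Sum).Sum / 1MB), 1); if ($mb -gt $limitMB) { "WARN: ${mb}MB" } else { "OK: ${mb}MB" }
```

Each line stands alone; the semicolons are doing the work the post describes, joining variable assignment, the measurement and the conditional output into a single statement the inventory tool can run verbatim.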
|
> Silly Newbie posted: Weirdly complicated situation and ask.

Do you mean registered? If they are devices you manage (which they are, since they are domain joined), then would approaching this by having one domain Azure AD join through GPO, and setting the other two domains to prevent people doing an Azure AD join, work?

# Oct 19, 2023 22:44
|
> Thanks Ants posted: Do you mean registered? If they are devices you manage (which they are since they are domain joined) then would approaching this by having one domain Azure AD join through GPO, and set the other two domains to prevent people doing an Azure AD join?

Essentially I'm looking to prevent devices that don't belong to a domain I control from being registered to a user in Azure. Or, from another angle, stop people from configuring Outlook and OneDrive on their home computers or random customer VMs.

# Oct 20, 2023 02:44
|
I think you'd be better off using conditional access to restrict access to Outlook/OneDrive; you can't really restrict people from doing an Azure AD Register.

# Oct 20, 2023 17:45
|
> Thanks Ants posted: I think you'd be better off using conditional access to restrict access to Outlook/OneDrive, you can't really restrict people from doing an Azure AD Register

This Azure AD register is really meant to allow the end user to create a token when they log into some app or service that makes your life easier. Don't gently caress with it (and I don't think you can; I'm not aware of any web hooks that would let you interrupt the registration process).

It would be much better to have some kind of affirmative control around the applications that matter to you. Don't want somebody checking mail on a non-corporate-owned device? Create that as a conditional access rule for joined-only and bam, you're done. Far more straightforward, responsive, and affirmative than trying to juggle gatekeeping the myriad ways a device can be registered.

# Oct 20, 2023 17:58
|
What you'll find is that Conditional Access is a licensed feature that you have to use to take away access. You can't set things up to be along the lines of "no access unless conditional access evaluates things and grants it". But as much as I dislike Microsoft's business practises, I don't think it's viable to operate an M365 organisation without access to at least the Entra ID P1 features.

# Oct 20, 2023 18:06
|
> Silly Newbie posted: Essentially I'm looking to prevent devices that don't belong to a domain I control from being registered to a user in azure.

I'm rereading this and I think what you want is to be able to restrict OneDrive and Outlook access to corporate devices. That means you're looking for Joined-only conditional access rules (not registered). I'd even argue you want Intune-only rules if your business is this thoughtful about data access, so that you can enforce things like BitLocker as well.

# Oct 20, 2023 18:27
|
> Potato Salad posted: I'm rereading this and I think what you want is to be able to restrict OneDrive and Outlook access to corporate devices. That means you're looking for Joined-only conditional access rules (not registered). I'd even argue you want Intune-only rules if your business is this thoughtful about data access, so that you can enforce things like bitlocker as well.

This is correct, but no devices are AzureAD joined. I'm welding four companies together; getting everything off their different on-prem domains and into AzureAD is a 2024 task. That's why I was hoping to be able to do something with a CA like "allow outlook if a member of contoso.com or example.local".

# Oct 20, 2023 21:15
|
It might be worth looking at Cloud Sync, which can sync multiple unconnected ADs into AAD, and using that to sync the devices, and then seeing if conditional access works. I'd try and avoid AAD Hybrid, but it could work alright for this application if your plans longer term were to ditch the domain join as hardware is refreshed.

# Oct 20, 2023 21:24
|
> Thanks Ants posted: It might be worth looking at Cloud Sync which can sync multiple unconnected ADs into AAD and using that to sync the devices, and then seeing if conditional access works. I'd try and avoid AAD Hybrid but it could work alright for this application if your plans longer term were to ditch the domain join as hardware is refreshed.

That's basically the long term plan. Build some back end, then determine a cut date where every new device goes out AzureAD joined, and we explain to people how to temporarily authenticate to some legacy domain stuff until it's all converted.

# Oct 23, 2023 03:27
|
> Cyks posted: A director requested the ability for staff to have a dial-in number for Teams meetings and from what I can tell, this was made free last year, I just need to purchase the free license (that's called dial-out) and assign to users.

Late reply, but the dial-out minute pool is the only thing to worry about here, and that's not a charge thing so much as a pool of minutes to use only if someone brings up the dial pad to call someone and conference someone into a Teams meeting. I personally never use that but ran across a weird number of scenarios where that became a thing. Toll-free conference number usage is the only per-minute charge to worry about, so unless you set up a toll-free number you should be fine (but if you do set up a toll-free number, be careful, as that is super easy to end up with helpdesk-level folks provisioning on accounts if they don't know about it).

# Oct 23, 2023 04:07
|
How the hell do you disable god damned Windows Hello for Business? Any time I try to join Azure AD from the OOBE wizard, or use a ppkg to provision the machine, Windows will very cheerfully tell me to go gently caress myself, we don't care that you have it disabled in every single place you could find in Intune/Entra/Azure, "Your Organization Requires Hello for Business", then it forces me to make a PIN. It's driving me mad. I've followed every stupid 'disable hello' blog post I could find, made several configuration policies, disabled it in the device provisioning page, and this loving laptop just refuses to let me sign in like normal. I must have factory reset it 10 times today trying to fix this.

# Oct 24, 2023 05:55
|
Have you tried disabling this setting?

https://learn.microsoft.com/en-us/windows/client-management/mdm/passportforwork-csp
UsePassportForWork

Windows may still prompt for local Hello, but that can be disabled from here:

https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-devicelock
DevicePasswordEnabled
PreventEnablingLockScreenCamera

But also, why would you disable WHFB?

# Oct 24, 2023 06:43
Shared workstations scenario maybe? Support nightmare: "I set up my PIN two hours ago and now it's not working!" "Is it the same computer?" "It says Dell on the screen, of course it's the same!"

# Oct 24, 2023 07:05
|
> nielsm posted: Shared workstations scenario maybe? Support nightmare: "I set up my pin two hours ago and now it's not working!" "Is it the same computer?" "It says Dell on the screen, of course it's the same!"

Shared workstations. About a third of my users have a computer they use daily; the rest either use whatever's free that morning, or use a shared kiosk-style machine to check our line-of-business app. Random warehouse dudes don't get issued a laptop; they belly up to the computer bench and check a manifest online.

> AreWeDrunkYet posted: Have you tried disabling this setting?

I tried adding that first setting to the ppkg in Windows Configuration Designer, and now when the laptop tries to read the package, it completely shits up the machine and needs a factory reset. Fails to apply the security policy, fails to join AD, and just hangs in a bizarre state of constant 1 minute reboots. I'll play with it some more tomorrow; hopefully I'll get something usable so I can put this entire 'imaging new devices' project to bed.

Also, is there a good resource for Windows Configuration Designer errors and issues that isn't the MSFT documentation?

# Oct 24, 2023 07:24
|
I think Autopilot can stop Hello enrolment as well, which if you're doing this at OOBE might be the way to go.

# Oct 24, 2023 11:57
|
Meanwhile, I am about a month away from rolling out WHfB to the entire organization. Just need to draft the communications and put in the CR, basically. It's been in pilot since April with what appears to be a near 100% adoption rate. Only about 1/3 of the fleet has any biometric capability, but every new laptop we buy now has fingerprint/face camera. Then we turn on Okta FastPass for everyone and stop changing passwords altogether because of the layered security approach. Already working through the policy changes to support this.

# Oct 24, 2023 13:30
|
I don't think I've ever solved the WHfB prompt on shared laptops myself, but I got around it by only assigning F3 licenses to employees who are not given their own device. They just log on to a shared laptop as guest and sign in to their account in a browser. Works well for what we need, but I need to disable sign-in as an option still, as we keep getting tickets about how they tried to log in and it fails after an hour, despite explaining multiple times that they can't do that.

# Oct 24, 2023 15:29
|
I'm gearing up for a 2024 project to convert my org to Entra joined and Intune instead of legacy domains, and I've hit a stumbling block. I want to know if what I want is even possible before I chase my tail on it. I'm administratively setting the local Administrators group using an Account Protection policy in Endpoint Security in Intune. I would like the local admins group to consist of one local account controlled by LAPS and also the members of a group in Azure AD. I tried doing a manual policy to include the custom local account that I want and the SID of the Azure AD group, and also just calling out Azure AD users by domain\username, but I'm not having much luck. Is what I'm looking for possible?

Edit - I figured this out; had to use a security policy to modify the name of the built-in admin account used with LAPS.

Silly Newbie fucked around with this message at 00:14 on Nov 16, 2023

# Nov 15, 2023 20:49
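Once the Account Protection policy from the post above is in place, the thing you want to confirm on a device is that local Administrators really does contain only the LAPS-managed account and the Entra ID group, and nothing left over from imaging. The script below is an added example, not code from the poster or from Intune: it reads the group membership and flags anything outside the expected set. The account name and the group SID are placeholders (Entra ID group SIDs take the `S-1-12-1-...` form), and the ADSI fallback covers the case where `Get-LocalGroupMember` fails on an Entra-joined machine because the group holds a SID it cannot resolve.

```powershell
# Added example (not from the thread): audit the local Administrators group on an
# Entra-joined device against the intended membership described above: one LAPS-
# managed local account plus one Entra ID group. Both values are placeholders.

$ExpectedLapsAccount   = 'lapsadmin'          # placeholder local account name
$ExpectedEntraGroupSid = 'S-1-12-1-0-0-0-0'   # placeholder; real Entra group SIDs start S-1-12-1-

function Test-LocalAdminMembership {
    param(
        [string] $LapsAccount   = $ExpectedLapsAccount,
        [string] $EntraGroupSid = $ExpectedEntraGroupSid
    )

    try {
        $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
    } catch {
        # Get-LocalGroupMember can throw on Entra-joined machines when the group
        # contains SIDs it cannot resolve; fall back to the WinNT provider and
        # build objects with the same Name/SID shape.
        Write-Warning "Get-LocalGroupMember failed ($($_.Exception.Message)); using ADSI fallback"
        $group   = [ADSI]'WinNT://./Administrators,group'
        $members = @($group.psbase.Invoke('Members')) | ForEach-Object {
            $sidBytes = $_.GetType().InvokeMember('objectSid', 'GetProperty', $null, $_, $null)
            [pscustomobject]@{
                Name = $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
                SID  = (New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)).Value
            }
        }
    }

    foreach ($m in $members) {
        $sid  = [string]$m.SID
        $name = ($m.Name -split '\\')[-1]   # strip COMPUTERNAME\ or AzureAD\ prefix
        # A member is expected if it is the LAPS account (by name) or the Entra group (by SID)
        $ok = ($name -eq $LapsAccount) -or ($sid -eq $EntraGroupSid)
        [pscustomobject]@{
            Member   = $m.Name
            SID      = $sid
            Expected = $ok
        }
    }
}

$report = Test-LocalAdminMembership
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Expected }) {
    Write-Warning 'Unexpected members present in local Administrators'
}
```

Matching the LAPS account by name rather than SID is deliberate: the post's fix renames the built-in administrator, so the name is what the policy controls, while the Entra group is only ever represented on the device by its SID.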
|
I had to migrate an Enterprise CA from a 2012 server to 2022 the other day. It was surprisingly painless.

# Nov 16, 2023 01:20
|
Azure AD question. I have a user getting locked out of his account because of multiple failed login attempts from other countries. He will never be in those countries, so I want to straight up block and discard those login attempts without it affecting his account here in America. Conditional access only kicks in after a successful authentication, so I can't use that (because the account is never successfully authenticating outside the country, hence the lockout). What is The Right Way to set this up so that brute force attacks from outside the country always fail, and inside the country is not locked out because of them?

# Nov 29, 2023 14:53
|
afaik there is no way to block sign-ins prior to the authentication with AAD. Locking on failed logins is an outdated practice anyway, specifically for this reason.

# Nov 29, 2023 14:59
|
Moving the user to passwordless is probably the easiest way to solve this issue.

# Nov 29, 2023 15:13
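Since the replies above say the foreign attempts cannot be rejected before authentication, the useful thing on the defender side is to see the pattern clearly in the sign-in logs: bad-password failures from countries the user is never in, followed by lockout errors that then hit the user's own sign-ins at home. The script below is an added example, not from anyone in the thread. It runs over a constructed sample of sign-in log entries embedded inline (a real run would feed it the sign-in logs export or a Graph API result with the same fields) and uses two real Entra ID error codes: 50126 (invalid username or password) and 50053 (account locked). The home-country list is an assumption.

```powershell
# Added example (not from the thread): summarise failed Entra ID sign-in log
# entries by user and country to show the lockout pattern described above.
# Input is a constructed sample with the field names used by the sign-in logs;
# real data would come from the log export or the Graph API.
# Error codes: 50126 = invalid username or password, 50053 = account locked.

$sampleSignIns = @'
[
 {"userPrincipalName":"jsmith@contoso.example","createdDateTime":"2023-11-29T03:01:10Z","country":"BR","errorCode":50126},
 {"userPrincipalName":"jsmith@contoso.example","createdDateTime":"2023-11-29T03:01:12Z","country":"BR","errorCode":50126},
 {"userPrincipalName":"jsmith@contoso.example","createdDateTime":"2023-11-29T03:01:15Z","country":"NG","errorCode":50126},
 {"userPrincipalName":"jsmith@contoso.example","createdDateTime":"2023-11-29T03:01:20Z","country":"NG","errorCode":50053},
 {"userPrincipalName":"jsmith@contoso.example","createdDateTime":"2023-11-29T13:05:00Z","country":"US","errorCode":50053},
 {"userPrincipalName":"jsmith@contoso.example","createdDateTime":"2023-11-29T13:30:00Z","country":"US","errorCode":0},
 {"userPrincipalName":"adoe@contoso.example","createdDateTime":"2023-11-29T09:00:00Z","country":"US","errorCode":0}
]
'@

function Get-LockoutSummary {
    param(
        [Parameter(Mandatory)] [string] $Json,
        # Countries your users are legitimately expected to sign in from (assumed)
        [string[]] $HomeCountries = @('US')
    )

    $events = $Json | ConvertFrom-Json
    $failed = $events | Where-Object { $_.errorCode -ne 0 }

    foreach ($byUser in ($failed | Group-Object userPrincipalName)) {
        $foreign      = @($byUser.Group | Where-Object { $_.country -notin $HomeCountries })
        $lockedAtHome = @($byUser.Group | Where-Object { $_.errorCode -eq 50053 -and $_.country -in $HomeCountries })

        [pscustomobject]@{
            User                = $byUser.Name
            FailedTotal         = $byUser.Count
            BadPasswordForeign  = @($foreign | Where-Object { $_.errorCode -eq 50126 }).Count
            ForeignCountries    = (($foreign.country | Sort-Object -Unique) -join ',')
            LockoutEvents       = @($byUser.Group | Where-Object { $_.errorCode -eq 50053 }).Count
            # The signal the question describes: the real user, at home, blocked by the lockout
            LegitUserHitLockout = $lockedAtHome.Count -gt 0
        }
    }
}

Get-LockoutSummary -Json $sampleSignIns | Format-Table -AutoSize
```

On the sample data this reports one user with five failures, three foreign bad-password attempts from BR and NG, two lockout events, and `LegitUserHitLockout` set to true, which is exactly the situation the question describes. The output is a detection aid; the mitigation the thread converges on is moving the account to passwordless so that guessed passwords stop mattering, rather than trying to reject the attempts before authentication.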
|
There isn't any way to force enabling passwordless via Authenticator, is there? I used to show the steps to enable it back when onboarding groups were smaller, but that kind of ran away from me. I know I can do a CA to require it, but that's going to lock people out, while I'm more interested in a campaign to get them on it.

# Nov 29, 2023 19:41
If this means what I think it means I am going to become engorged. This gives Microsoft at least five get-outs on annoying poo poo they'll do to Edge in the future.

Edit: Just groups for now https://learn.microsoft.com/en-us/entra/identity/hybrid/cloud-sync/how-to-configure-entra-to-active-directory

Thanks Ants fucked around with this message at 22:35 on Dec 15, 2023

# Dec 15, 2023 22:29