mllaneza posted:
And the idiot is in charge of developing licensing schemes for Microsoft.

If it's just what we paid for, our VAR seems to have never dealt with anything like this, and we did buy it originally from a different VAR company (but the same team (we stayed with them)), and maybe that's the issue.... And even though I've been working on Windows since the last century, I've never worked with this feature/role ... so I'm a stupid newbie on this. I actually don't think I have ever called M$ support for anything to do with a Server feature issue. So it's a first for me. Pity me or chortle if you like... thanks if you can throw me a bone.

# ? Mar 26, 2024 19:33


# ? May 21, 2024 18:41

Where do you get the key and where are you applying it? We have a volume license agreement negotiated with MS and processed through a 3rd party vendor, so our keys and downloads are in the M365 admin portal. In there are lots of different keys for different purposes. We used to use KMS but now use AD-based activation, where the key is stored in AD and anything that is domain joined is automatically licensed appropriately. If you're trying to activate individual systems in the OS by hand, IIRC you need to use the "MAK" key. That key is good for multiple, but limited, activations and that count would show in the admin portal. Also, keep it safe and don't let it leak; that is very bad. I agree it is a fairly cursed system even compared to other deep-level cursed MS features. The activation hotline tends to be very helpful, though they can probably tell you what's wrong but couldn't help you with procuring the correct thing.

# ? Mar 26, 2024 19:51

Just taking stabs because I've stood up a few KMS hosts before. I have never used the GUI for it because it makes me uneasy, mostly because it gives vibes of starting over from scratch each time. I usually just use the various slmgr commands from an elevated command prompt. If the key types are messing you up, make sure you attempt to register the CSVLK on the host and the GVLK on the clients. Also keep in mind you need a fairly new OS version on the host if you are activating Server 2022 keys. For the MS Office products which still use keys, those usually need a small support pack installed.

# ? Mar 26, 2024 22:43

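The client side of the CSVLK/GVLK split above, as an added example that is not from the thread: it drives the same WMI classes slmgr.vbs uses, so each step is annotated with its slmgr equivalent. The KMS host name and the product key are placeholders; on the host itself you would instead install the CSVLK (slmgr /ipk, then /ato), and the host only starts answering clients once its activation count reaches the threshold (5 for Windows Server clients, 25 for Windows client SKUs).

```powershell
# Added example (not from the thread). Run elevated on the CLIENT.
# Points the machine at a KMS host, installs the GVLK and reports status.
param(
    [string]$KmsHost = 'kms.example.internal',          # placeholder host name
    [int]$KmsPort    = 1688,                             # default KMS port
    [string]$Gvlk    = 'XXXXX-XXXXX-XXXXX-XXXXX-XXXXX'   # placeholder; use the
                                                         # published GVLK for your SKU
)

$svc = Get-CimInstance -ClassName SoftwareLicensingService

# slmgr /skms host:port -> pin the KMS host instead of relying on the _vlmcs DNS SRV record.
Invoke-CimMethod -InputObject $svc -MethodName SetKeyManagementServiceMachine `
    -Arguments @{ MachineName = $KmsHost } | Out-Null
Invoke-CimMethod -InputObject $svc -MethodName SetKeyManagementServicePort `
    -Arguments @{ PortNumber = [uint32]$KmsPort } | Out-Null

# slmgr /ipk <GVLK> -> a GVLK tells the OS to activate against KMS rather than MAK.
Invoke-CimMethod -InputObject $svc -MethodName InstallProductKey `
    -Arguments @{ ProductKey = $Gvlk } | Out-Null

# slmgr /ato -> try to activate now instead of waiting for the scheduled attempt.
Invoke-CimMethod -InputObject $svc -MethodName RefreshLicenseStatus | Out-Null

# slmgr /dlv -> show the result. LicenseStatus 1 means licensed.
$statusNames = @{ 0 = 'Unlicensed'; 1 = 'Licensed'; 2 = 'OOB grace'; 3 = 'OOT grace';
                  4 = 'Non-genuine grace'; 5 = 'Notification'; 6 = 'Extended grace' }
$windowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'   # Windows, as opposed to Office

Get-CimInstance -ClassName SoftwareLicensingProduct |
    Where-Object { $_.PartialProductKey -and $_.ApplicationID -eq $windowsAppId } |
    Select-Object Name,
        @{ n = 'Status';  e = { $statusNames[[int]$_.LicenseStatus] } },
        @{ n = 'Channel'; e = { $_.ProductKeyChannel } },          # expect Volume:GVLK
        @{ n = 'KmsHost'; e = { $_.KeyManagementServiceMachine } } |
    Format-List
```

If Channel shows Volume:MAK or Retail, the wrong key type was installed on this machine, which is the mix-up the post describes.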
What do you all do about employees who refuse to use their personal phones (understandable) for Azure MFA? Do you use some type of hardware fob?

# ? Mar 27, 2024 15:03

At my job management decided it's like wearing shoes to the office. If you want to work remote, using your personal phone for MFA is required. Or you're required to be on site 5 days a week.

# ? Mar 27, 2024 15:07

kiwid posted:
What do you all do about employees who refuse to use their personal phones (understandable) for Azure MFA? Do you use some type of hardware fob?

We have one user who does not own a smartphone, and she was given a Yubikey.

# ? Mar 27, 2024 15:14

GreenNight posted:
At my job management decided it's like wearing shoes to the office. If you want to work remote, using your personal phone for MFA is required. Or you're required to be on site 5 days a week.

We're such a relaxed environment, HR would never go for it, but I like this idea.

Sir Bobert Fishbone posted:
We have one user who does not own a smartphone, and she was given a Yubikey.

Are Yubikeys reusable, as in if the employee leaves I can somehow reassign it to another user?

# ? Mar 27, 2024 15:17

Yup yup. Also I do vaguely remember there is an upper limit of hardware MFA tokens Entra ID will allow for your tenant. Maybe that's out-of-date knowledge, but I think it was talked about here or maybe the InfoSec thread fairly recently. Doesn't sound like it will be a problem for you, but something to be aware of.

# ? Mar 27, 2024 15:20

Another question I suppose. We have two locations that are in the middle of nowhere and the only ISP available other than Starlink is a PTP wireless provider that does double NAT and doesn't provide static IPs. It's been a nightmare for site-to-site VPN, but FortiGate's dial-up VPN has gotten us by. However, this means I can't set up these locations as trusted locations for MFA. What are my options here? Now that you mentioned Yubikey, I'm considering just using these for the general use PCs and leaving the Yubikey plugged in 24/7. Is there an alternative?

# ? Mar 27, 2024 15:20

Internet Explorer posted:
Yup yup. Also I do vaguely remember there is an upper limit of hardware MFA tokens EntraID will allow for your tenant. Maybe that's out of date knowledge, but I think it was talked about here or maybe the InfoSec thread fairly recently. Doesn't sound like it will be a problem for you, but something to be aware of.

Thanks for that tip. We have about ~100 PCs across the company, but only like 50 are user PCs while the rest are for plant controls. It kinda sucks to be honest, but it is what it is. I'm not worried about MFA for users, but rather we can't have MFA prompting for the general use accounts.

# ? Mar 27, 2024 15:22

kiwid posted:
Another question I suppose. We have two locations that are in the middle of nowhere and the only ISP available other than Starlink is a PTP wireless provider that does double-nat and doesn't provide static IPs. It's been a nightmare for site-to-site VPN but FortiGate's dial-up VPN has gotten us by. However, this means I can't setup these locations as trusted locations for MFA. What are my options here? Now that you mentioned Yubikey, I'm considering just using these for the general use PCs and leave the Yubikey plugged in 24/7. Is there an alternative?

You could route traffic over the tunnel so they present the static IP from whatever office the tunnel terminates at; obviously that puts more strain on that connection and adds some latency. That's just the first thing that popped into my head; it wouldn't be the best solution, but could be a temporary measure.

# ? Mar 27, 2024 16:52

kiwid posted:
Are Yubikey's reusable, as in if the employee leaves I can somehow reassign it to another user?

They are, yes. But they are also not all that expensive and we treat them as a consumable. If someone gets a Yubikey from us, it's theirs forever. You can't stop them from using it for non-work accounts once they have it, so it just becomes a personal item for them and we don't want it back. They are also great and I wish I could get more people to take them. I use them for all my daily and admin accounts and it's so much easier to use.

# ? Mar 27, 2024 22:05

The limit was to do with tokens on a Yubikey IIRC and not how many hardware tokens an Entra tenant can support. And yes, they are £30 or something along those lines; you might have a handful of employees who request a token, just treat it as disposable. For your double-NAT site you probably want to tunnel them out to somewhere with real internet service, either as part of a wider SD-WAN project or just these sites on an ad-hoc basis, because otherwise you will struggle with stuff like VoIP in future. There's a provider here that you can buy "ISP" service from without the actual connection part; you build an L2TP tunnel and get to use their static IP ranges. People use it with things like 5G modems. https://www.aa.net.uk/broadband/l2tp-service/

Thanks Ants fucked around with this message at 22:34 on Mar 27, 2024

# ? Mar 27, 2024 22:27

Number19 posted:
They are also great and I wish I could get more people to take them. I use them for all my daily and admin accounts and it's so much easier to use.

I still prefer to use my fingerprint with Hello for Business to sign into my devices, but the Yubikey is amazing for privileged accounts, especially when sessions constantly glitch out and need a new sign-in like the last couple of weeks.

# ? Mar 27, 2024 22:37

Thanks Ants posted:
The limit was to do with tokens on a Yubikey IIRC and not how many hardware tokens an Entra tenant can support. And yes, they are £30 or something along those lines, you might have a handful of employees who request a token, just treat it as disposable.

Huh. Maybe I misunderstood on more than one occasion, because after briefly looking now I don't see any mention of it online.

# ? Mar 27, 2024 22:42

Internet Explorer posted:
Huh. Maybe I misunderstood on more than one occasion because after briefly looking now I don't see any mention of it online.

I remember reading the same post. You're not going crazier. No clue which thread though.

# ? Mar 29, 2024 15:56

Haha, thank you for that. Maybe we're both going crazy.

# ? Mar 29, 2024 16:55

Internet Explorer posted:
Yup yup. Also I do vaguely remember there is an upper limit of hardware MFA tokens EntraID will allow for your tenant. Maybe that's out of date knowledge, but I think it was talked about here or maybe the InfoSec thread fairly recently. Doesn't sound like it will be a problem for you, but something to be aware of.

Hell yeah, a rare opportunity that I get to answer one of IE's questions for a change. There's no limit to how many hardware tokens you can use in Microsoft Azure Active Directory Entra Identity Management Suite Portal 4 Biznis Online. There was briefly a technical limit in the early AAD days that was lifted rapidly in response to (1) MS throwing hard behind passwordless auth and (2) expanding/coalescing higher impact level govcloud offerings into the tenant tiers you see today. Citation: MS product managers.

# ? Mar 29, 2024 17:27

You love to see it. Thank you goon!

# ? Mar 29, 2024 17:30

Got up early to complete the "remove domain names from accounts, drop domains from M365 tenant, add to new tenant, update domains on objects at destination" dance. Made even worse because it's an AD-synced tenant. Anyway, it went well, so I'm taking the rest of the day off. M365 is so ubiquitous now that tenant-to-tenant migration must be more common than people migrating in for the first time from baby's first email server. I wish MS would just let everybody have the cool enterprise migration features that they hide behind EAs, including the bit where the same domain can be in two places at once.

# ? Apr 11, 2024 16:06

Please let me know if there is a better thread to ask this in. I am guessing the answer is already "no" based on all of my googling looking for solutions. I'm a professor and I am looking for a light project management system for my students to use for their capstone class for tracking their tasks. Last year I was using Trello. I was also having them use Clockify to track their time per task. I was also using Microsoft OneNote for them to build their design wiki on, since Microsoft got rid of their Wiki tool right before the class was going to start and I scrambled to find something else. I'm trying to consolidate where we do our work this year so it can be better integrated. We're a Microsoft campus, so I am moving to use more of their tools since it's free for students. I've been informed about Loop instead of OneNote, which seems like it will be perfect for my purposes. I am also looking at using Planner instead of Trello. The big issue is if there is a native app I can use for the time tracking. I can still use Clockify if I need to. The nice thing it does is if you install the Chrome plugin for it, a little stopwatch appears on the task cards for them to click start and click stop. I can't seem to find anything built into the Microsoft ecosystem that will do this. Worst comes to worst, we'll continue with Clockify, but I figured I'd ask if anyone was aware of anything.

# ? Apr 26, 2024 15:16

Microsoft Project?

# ? Apr 26, 2024 20:11

Thanks Ants posted:
Got up early to complete the "remove domain names from accounts, drop domains from M365 tenant, add to new tenant, update domains on objects at destination" dance. Made even worse because it's an AD synced tenant. Anyway it went well so I'm taking the rest of the day off.

What do you mean? It's impossible to have a DNS record registered in two different tenants. One has to be authoritative by design. The EA or Enterprise Admin portal is just for really big companies that have additional abstractions on top of Azure Subscriptions like Departments and Cost Centers.

# ? Apr 27, 2024 00:48

Microsoft Project is one of the ones we don't have.

# ? Apr 27, 2024 01:49

Alterian posted:
Please let me know if there is a better thread to ask this in. I am guessing the answer is already "no" based on all of my googling looking for solutions.

You can drop Planner directly into Loop workspaces, it's slick. Doesn't look like there's any time tracking available as yet though.

# ? Apr 27, 2024 05:45

Gucci Loafers posted:
What do you mean? It's impossible to have a DNS Record register in two different tenants. One has to be authoritative by design. The EA or Enterprise Admin portal is just for really big companies that have additional abstractions on top of Azure Subscriptions like Departments and Cost Centers.

You can't usually have the same domain active on two M365 tenants at once; there's a private preview for enterprise customers that lets this happen, and then one tenant routes mail to the other if the user isn't found there.

# ? Apr 27, 2024 10:09

Thanks Ants posted:
You can't usually have the same domain active on two M365 tenants at once, there's a private preview for enterprise customers that lets this happen and then one tenant routes mail to the other if the user isn't found there.

areyoufuckingserious I just we just spenthundredsofthousandsofdollars workingaroundthisproblemforasituatiojwecouldhavejustwaitedout I am goingtokillgod

# ? Apr 27, 2024 10:28

I will become the joker

So Microsoft was talking out its rear end that it couldn't do this for years and years and years; they just needed a sufficiently large (presumably defense industrial base) customer with split tenant impact level requirements at significant enough scale that this absolutely had to be rolled out or they would go with someone else.

I am going to find God, and I'm going to choke him

Potato Salad fucked around with this message at 10:42 on Apr 27, 2024

# ? Apr 27, 2024 10:33

It was called cross-tenant domain sharing when they announced it in 2022. It all went very quiet since then, and I wish I could find the MS Learn page that referenced it being a private preview again.

# ? Apr 27, 2024 11:09

Potato Salad posted:
areyoufuckingserious I just we just spenthundredsofthousandsofdollars workingaroundthisproblemforasituatiojwecouldhavejustwaitedout I am goingtokillgod

Wow, it was real at one point but has since been removed from the public roadmap.

# ? Apr 27, 2024 20:58

Thanks Ants posted:
You can't usually have the same domain active on two M365 tenants at once, there's a private preview for enterprise customers that lets this happen and then one tenant routes mail to the other if the user isn't found there.

Do you got a link to this?

Edit: nevermind, I see your other reply. Goddamn. We need this.

# ? Apr 29, 2024 17:42

We are a Microsoft 365 shop (university), with Entra ID P2, E5 licensing, and we use Duo for our main MFA provider because of all the disparate systems we integrate with. We are on the cusp of requiring SSPR registration (it's been optional and we have about a 50% adoption rate), and we are taking the opportunity to shave down our authentication options. We are trying to get rid of:

The wrinkle that has reared its head is the new Authentication Methods policy page that will be forced sometime in September 2025. We use Duo as a conditional access policy and then SSPR for password reset, so the "MFA" parts of 365 for us are completely disabled. It appears right now that the new Auth Methods pane is really busted and kinda bullshit, so I am writing all of this "as of this writing". Once the new Auth Methods pane is fully migrated, the user doesn't get prompted for SSPR registration any longer. It would just require an MFA registration if I turned on a campaign, which, if my 365 trial is to be believed, has a broken disable button after I turn it on, or it's just reverting at "cloud speed". (I have two M365 trials going to test out these changes because no way in hell am I just hitting the button and hoping for the best.) Oh, and best part: regardless of whether I have MS Authenticator set to NO, if I have Software OATH Tokens set to TRUE it still uses the "add Microsoft Authenticator" pane, which I think is just how MS is rolling. The more I dig into it the more turbo hosed it feels. So from all of this I have a couple of determinations.

ptier fucked around with this message at 20:42 on Apr 30, 2024

# ? Apr 30, 2024 20:37

I don't envy you having to provide the end user support/documentation for someone who has MS Authenticator that only exists to do password recovery but no MFA prompts come via it, and in the meantime you can't evaluate MFA strength since Duo has no way to tell Entra what method you used.

# ? Apr 30, 2024 20:44

Thanks Ants posted:
I don't envy you having to provide the end user support/documentation for someone who has MS Authenticator that only exists to do password recovery but no MFA prompts come via it, and in the meantime you can't evaluate MFA strength since Duo has no way to tell Entra what method you used.

Yea, it's really becoming a pain in the butt.

# ? Apr 30, 2024 21:05

Thanks Ants posted:
I don't envy you having to provide the end user support/documentation for someone who has MS Authenticator that only exists to do password recovery but no MFA prompts come via it, and in the meantime you can't evaluate MFA strength since Duo has no way to tell Entra what method you used.

Praise Allah! https://techcommunity.microsoft.com/t5/microsoft-entra-blog/public-preview-external-authentication-methods-in-microsoft/ba-p/4078808

TL;DR: 3rd party MFA providers will be given first-class auth method treatment soon! So I'm just gonna wait.

# ? May 6, 2024 20:15

ptier posted:
Yea, its really becoming a pain the butt.

Does anyone have any experience with transitioning to the new Graph SDK from the AzureAD/MSOnline PS modules? We have a bunch of scripts that reference a user-provided credential at runtime to connect and run commands as the user, and the -Credential flag no longer seems to be an option, and the alternatives are way overkill and will be almost impossible to manage for our userbase.

Aunt Beth fucked around with this message at 05:22 on May 8, 2024

# ? May 8, 2024 05:18

Use az cli instead; the Azure PS modules are garbage.

# ? May 8, 2024 08:18

Giving the help desk access to the CLI instead of converting the MSO script that cleared the 2FA for a user is not really helpful. Given that, I can't really help. I run all mine with my own context. You could set up an enterprise app with the Graph permissions scoped.

# ? May 8, 2024 12:01

Submarine Sandpaper posted:
Giving the help desk access to the CLI instead of converting the MSO script that cleared the 2fa for a user is not really helpful.

This is what we have ended up doing. Little boilerplate in the beginning of the script. The only thing I don't like / makes me not put it in "the wild" is that the secret is in the script. Could do a new one for each person... but we are transitioning to an integration platform where we are just going to turn all the scripts into forms. It's a long process but will get us further away from day-to-day PowerShell, which I find a bonus for all of our helpdesk staff unless they want to play, and then they can learn with some training wheels.

# ? May 8, 2024 15:23

Could you put the keys into the Windows credential store using your MDM platform per user and have your script refer to this?

# ? May 8, 2024 15:38

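One way to do the "clear 2FA for a user" help-desk script from the two posts above with the Graph SDK, app-only auth and the client secret pulled from a per-user vault at runtime instead of sitting in the script file; this is an added example, not the poster's script. Vault name, secret name, tenant/client IDs and the app registration (granted UserAuthenticationMethod.ReadWrite.All as an application permission) are assumptions; it needs the Microsoft.Graph.Authentication, Microsoft.Graph.Identity.SignIns and Microsoft.PowerShell.SecretManagement modules with a registered vault. An app holding that permission can reset MFA for anyone in the tenant, which is exactly why its secret should not be pasted into a script that gets copied around.

```powershell
# Added example (not from the thread). Help-desk MFA reset via Graph SDK with
# the app secret fetched from a SecretManagement vault at runtime.
param(
    [Parameter(Mandatory)] [string]$UserPrincipalName,
    [string]$TenantId   = '00000000-0000-0000-0000-000000000000',  # placeholder
    [string]$ClientId   = '11111111-1111-1111-1111-111111111111',  # placeholder
    [string]$VaultName  = 'HelpdeskVault',                          # assumed vault name
    [string]$SecretName = 'MfaResetAppSecret'                       # assumed secret name
)

# The secret lives in the operator's own vault (or one pushed per user by MDM);
# Get-Secret returns it as a SecureString, so it is never in the script text.
$secret  = Get-Secret -Vault $VaultName -Name $SecretName
$appCred = [pscredential]::new($ClientId, $secret)   # UserName = app (client) id
Connect-MgGraph -TenantId $TenantId -ClientSecretCredential $appCred -NoWelcome

function Clear-MfaMethods {
    # Removes the MFA-capable methods a user has registered and returns their types.
    # Password, FIDO2 and Windows Hello methods are deliberately left untouched.
    param([string]$Upn)
    $removed = @()
    foreach ($m in Get-MgUserAuthenticationMethod -UserId $Upn) {
        $type = $m.AdditionalProperties['@odata.type']
        switch ($type) {
            '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod' {
                Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod `
                    -UserId $Upn -MicrosoftAuthenticatorAuthenticationMethodId $m.Id
                $removed += $type
            }
            '#microsoft.graph.phoneAuthenticationMethod' {
                Remove-MgUserAuthenticationPhoneMethod `
                    -UserId $Upn -PhoneAuthenticationMethodId $m.Id
                $removed += $type
            }
            '#microsoft.graph.softwareOathAuthenticationMethod' {
                Remove-MgUserAuthenticationSoftwareOathMethod `
                    -UserId $Upn -SoftwareOathAuthenticationMethodId $m.Id
                $removed += $type
            }
        }
    }
    return $removed
}

$result = Clear-MfaMethods -Upn $UserPrincipalName
Write-Host ("Removed {0} method(s) for {1}: {2}" -f $result.Count, $UserPrincipalName, ($result -join ', '))
Disconnect-MgGraph | Out-Null
```

Because the app identity, not the help-desk user, performs the removal, the Entra audit log attributes the change to the app; keep the vault per operator so the host-side record still shows who ran it.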