The Fool
Oct 16, 2003


or don't run scripts that require elevated permissions in user environments


Boogalo
Jul 8, 2012

Meep Meep
Ugh yeah the deprecation of the msonline PS commands and only allowing graph api calls has been a nightmare.

Just getting a list of users with a filter has been troublesome and commands that are supposed to work return nothing. Not to mention the ps app needing admin consent.

The Fool
Oct 16, 2003


Submarine Sandpaper posted:

Giving the help desk access to the CLI instead of converting the MSO script that cleared the 2fa for a user is not really helpful.

Given that, can't really help. I run all mine with my own context. You could set up an enterprise app with the graph permissions scoped.

az cli has like a dozen authentication options, including WAM which might allow for:

Thanks Ants posted:

Could you put the keys into the windows credential store using your MDM platform per user and have your script refer to this?

my preference for this kind of thing is to have the scripts run remotely, and just provide an interface to trigger them using whatever task running tool you want from ADO to rundeck to whatever

Aunt Beth
Feb 24, 2006

Baby, you're ready!
Grimey Drawer

ptier posted:

This is what we have ended up doing. Little boilerplate in the beginning of the script. The only thing I don't like / makes me not put it in "the wild" is that the secret is in the script. Could do a new one for each person... but we are transitioning to an integration platform where we are just going to turn all the scripts into forms. It's a long process but will get us further away from day to day powershell, which I find a bonus for all of our helpdesk staff unless they want to play, and then they can learn with some training wheels.
We've moved towards institutionalizing the day to day powershell in Powershell Universal UIs; it's such an extensible platform, for $500/year we get so much value out of it.

The Fool posted:

az cli has like a dozen authentication options, including WAM which might allow for:

my preference for this kind of thing is to have the scripts run remotely, and just provide an interface to trigger them using whatever task running tool you want from ADO to rundeck to whatever
We run the scripts in user context because then Azure audit logs reflect the specific user taking an action and we don’t have to figure out some sort of separate audit solution.

ptier
Jul 2, 2007

Back off man, I'm a scientist.
Pillbug

Aunt Beth posted:

We've moved towards institutionalizing the day to day powershell in Powershell Universal UIs; it's such an extensible platform, for $500/year we get so much value out of it.

We run the scripts in user context because then Azure audit logs reflect the specific user taking an action and we don’t have to figure out some sort of separate audit solution.

That is really cool! Wish I had seen that like 5 years ago. For us, we have so many integrations we need to make between a ton of different systems an integration platform was the next step for us and using powershell to do advanced processing in AD was the main thing we need it for.

Aunt Beth
Feb 24, 2006

Baby, you're ready!
Grimey Drawer
It’s so good. And the scheduling engine it incorporates is so much better than task scheduler. Plus being able to create API endpoints has been very valuable too, we use it a lot to more or less function as a SQL stored procedure, you call the endpoint, pass it URL parameters, it runs a DB query using MSSQL powershell and returns JSON.

But the UI I built that allows group and role management and other level 0/1 task delegation across both our on prem AD and Azure AD has been by far the most valuable.

AlternateAccount
Apr 25, 2005
FYGM

Boogalo posted:

Ugh yeah the deprecation of the msonline PS commands and only allowing graph api calls has been a nightmare.

Just getting a list of users with a filter has been troublesome and commands that are supposed to work return nothing. Not to mention the ps app needing admin consent.

I hate it all so much.

A “solution” to a nonexistent problem.

tehinternet
Feb 14, 2005

Semantically, "you" is both singular and plural, though syntactically it is always plural. It always takes a verb form that originally marked the word as plural.

Also, there is no plural when the context is an argument with an individual rather than a group. Somfin shouldn't put words in my mouth.

ptier posted:

This is what we have ended up doing. Little boilerplate in the beginning of the script. The only thing I don't like / makes me not put it in "the wild" is that the secret is in the script. Could do a new one for each person... but we are transitioning to an integration platform where we are just going to turn all the scripts into forms. It's a long process but will get us further away from day to day powershell, which I find a bonus for all of our helpdesk staff unless they want to play, and then they can learn with some training wheels.

Can't you keep the secret in Azure Key Vault, then call it securely from your script with headless auth, to lessen the issues with having the secret in the script?

The Fool
Oct 16, 2003


yes you can

ptier
Jul 2, 2007

Back off man, I'm a scientist.
Pillbug

tehinternet posted:

Can't you keep the secret in Azure Key Vault, then call it securely from your script with headless auth, to lessen the issues with having the secret in the script?

Yes, and now I know a thing. I will admit I did not dig into it much just because it was not going to be the solution we used anyways. So, yea, don't pay attention to the goon behind the curtain.
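The Key Vault approach tehinternet describes, as an added example that is not code from anyone in the thread: the help-desk script pulls the app secret from the vault at run time with a managed identity, so nothing secret is embedded in the script file. Assumed: the Az.Accounts, Az.KeyVault and Microsoft.Graph modules are installed, the runner's managed identity has secret "get" rights on the vault, and the vault, secret, tenant and app ids below are placeholders.

```powershell
# Added example (not from the thread): fetch a client secret from Azure Key Vault at run time
# instead of embedding it in the help-desk script, then sign in to Microsoft Graph headlessly.
# Assumptions: Az.Accounts, Az.KeyVault and Microsoft.Graph.Authentication are installed, the
# script runs on a host with a managed identity that has "get" on the vault's secrets, and every
# name/id below is a placeholder.

param(
    [string]$VaultName  = 'kv-helpdesk-placeholder',
    [string]$SecretName = 'graph-app-client-secret',
    [string]$TenantId   = '00000000-0000-0000-0000-000000000000',   # placeholder tenant id
    [string]$ClientId   = '11111111-1111-1111-1111-111111111111'    # placeholder app (client) id
)

# Managed-identity sign-in: no password or secret lives on disk or in the script.
Connect-AzAccount -Identity -ErrorAction Stop | Out-Null

# Keep the secret as a SecureString; -AsPlainText is deliberately avoided so the value is not
# written to transcripts or logs by accident.
$secure = (Get-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName -ErrorAction Stop).SecretValue
if (-not $secure) { throw "Secret '$SecretName' not found in vault '$VaultName'." }

# Microsoft.Graph 2.x accepts a PSCredential whose user name is the app (client) id and whose
# password is the client secret.
$appCred = [pscredential]::new($ClientId, $secure)
Connect-MgGraph -TenantId $TenantId -ClientSecretCredential $appCred -NoWelcome -ErrorAction Stop

# From here the script does its real work with only the permissions granted to the app
# registration. Placeholder read-only call so the block runs end to end:
Get-MgUser -Top 5 -Property DisplayName,UserPrincipalName |
    Select-Object DisplayName, UserPrincipalName

# Drop the Graph session; the SecureString goes out of scope with the script.
Disconnect-MgGraph | Out-Null
```

On a help-desk workstation with no managed identity the Connect-AzAccount -Identity call fails, so the secret is only reachable from the designated runner, which is the property the thread is after.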

kiwid
Sep 30, 2013

Is it recommended to have an M365 global administrator that is excluded from conditional access policies, with a strong password, that never logs in and is just there in case you lock yourself out?

Secondly, do you still use a separate admin account if you're using MFA and CA?

The Fool
Oct 16, 2003


kiwid posted:

Is it recommended to have an M365 global administrator that is excluded from conditional access policies, with a strong password, that never logs in and is just there in case you lock yourself out?

Yes, this is called a break-glass account and is usually tied to some alerting so that a bunch of alarms go off if it ever gets used.

quote:

Secondly, do you still use a separate admin account if you're using MFA and CA?

Yes. Fairly standard separation of concerns. Separate privileged accounts should also have MFA and CA.
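The "alarms go off if it ever gets used" part, as an added example that is not code from anyone in the thread: a scheduled check that reads Entra sign-in logs through Graph for the break-glass UPNs and fails loudly when any attempt, successful or not, shows up. Assumed: Microsoft.Graph.Reports is installed, the identity running it holds AuditLog.Read.All and Directory.Read.All, and the UPNs are placeholders.

```powershell
# Added example (not from the thread): poll Entra sign-in logs for any activity on the
# break-glass accounts and raise an alert if anything is found. Run it from a scheduler every
# few minutes. Assumptions: Microsoft.Graph.Reports is installed, the running identity has
# AuditLog.Read.All and Directory.Read.All, and the UPNs below are placeholders.

param(
    [string[]]$BreakGlassUpns = @('breakglass1@contoso.example', 'breakglass2@contoso.example'),
    [int]$LookbackMinutes = 15
)

Connect-MgGraph -Scopes 'AuditLog.Read.All','Directory.Read.All' -NoWelcome -ErrorAction Stop

$since = (Get-Date).ToUniversalTime().AddMinutes(-$LookbackMinutes).ToString('yyyy-MM-ddTHH:mm:ssZ')
$hits  = @()

foreach ($upn in $BreakGlassUpns) {
    # Failed attempts matter as much as successes: someone is trying the account either way.
    $filter = "userPrincipalName eq '$upn' and createdDateTime ge $since"
    $result = Get-MgAuditLogSignIn -Filter $filter -All -ErrorAction Stop
    if ($result) { $hits += $result }
}

if ($hits.Count -eq 0) {
    Write-Output "No break-glass sign-in activity in the last $LookbackMinutes minutes."
    return
}

# Anything here is an incident until proven otherwise; surface the fields a responder needs.
$hits | Sort-Object CreatedDateTime | ForEach-Object {
    [pscustomobject]@{
        Time      = $_.CreatedDateTime
        User      = $_.UserPrincipalName
        App       = $_.AppDisplayName
        IP        = $_.IpAddress
        Result    = if ($_.Status.ErrorCode -eq 0) { 'SUCCESS' } else { "FAIL($($_.Status.ErrorCode))" }
        MfaMethod = $_.MfaDetail.AuthMethod
    }
} | Format-Table -AutoSize

# Hand off to whatever paging you already have; a non-terminating error makes the scheduler
# mark the job as failed, so the event is visible even if no mail/webhook step is wired up.
Write-Error "ALERT: $($hits.Count) break-glass sign-in event(s) detected." -ErrorAction Continue
```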

Boogalo
Jul 8, 2012

Meep Meep
I have:
standard synced account (t2)
elevated synced account with local windows admin on servers and sql and access to some azure resources (t1)
GA cloud only account (t0)
unsynced to M365 AD domain admin account (t0)
test admin (t1)
test standard (t2)

exclude from conditional access sure, but leave MFA on if possible and have alerts on it.

I would have to double-check our break glass M365 GA unsynced (t0) accounts. I believe they are MFA on, but we multi-registered our MS authenticators so both my boss and I can get in. There are two accounts. We have an alert on them that pings us if they get logged into at all. I do not remember where the password is; I should check :sun: They were set up according to MS's M365 best practices. Fun thing about that is having the break glass accounts puts us over the recommended maximum number of assigned GA accounts, so it's impossible for us to pass both recommended controls.

Hybrid AD/exchange is fun :shobon:

Oh yeah this doesn't count our 2nd prod tenant for a specific thing and the dev tenant :negative:

Boogalo fucked around with this message at 02:30 on May 14, 2024

kiwid
Sep 30, 2013

How do you have MFA enabled on an account without CA? I think I tried this today with a test account and it still logs in without prompting MFA. Do you use the legacy per-user MFA to enforce it?

edit: also holy poo poo that's a lot of accounts.

Submarine Sandpaper
May 27, 2007


You can set an MFA tenant security policy and/or set it on the user object, iirc.

The Fool
Oct 16, 2003


I have:
Standard user account, has MFA, no elevated permissions
Cloud admin account, has MFA, has contributor on all of our subscriptions plus admin access on a couple of external services, can PIM for User Admin, Application Admin, and Role Admin
Domain admin, no MFA but requires a jump box, not synced to entra, but I only need to use this like once a year

With PIM and CA, I definitely look sideways at environments with a bunch of distinct accounts these days.

Gucci Loafers
May 20, 2006

Ask yourself, do you really want to talk to pair of really nice gaudy shoes?


In the past I've seen GA without any CA but I think that's... not wise. If anything, two GA break-glass accounts with MFA using a FIDO2 key (a YubiKey with PIN) is perfect.

kiwid
Sep 30, 2013

Next question.

Does anyone use device filtering in conditional access policies?

If so, am I supposed to use the Device ID or the Object ID?

The policy says "DeviceID", but it didn't work until I added the Object ID.

The Fool
Oct 16, 2003


Not an answer to your question, but when working with application registrations and enterprise apps I can never keep straight if I'm supposed to use the application id, or the object id of the application registration or the enterprise app. It feels like it's different every time and the documentation isn't clear.

kiwid
Sep 30, 2013

Never mind, I removed the Object ID and it was still working. I then removed the Device ID and it stopped working. I added back the Device ID and it started working again. Seems it was one of those things where I should have waited 15 minutes for the change.

The Fool posted:

Not an answer to your question, but when working with application registrations and enterprise apps I can never keep straight if I'm supposed to use the application id, or the object id of the application registration or the enterprise app. It feels like it's different every time and the documentation isn't clear.

I agree, I've been developing an intranet app that uses M365 oauth/saml and there are actually 3 IDs. Application, Object, and Tenant. I was using the wrong ID combinations for a little bit. Confusing.

Thanks Ants
May 21, 2004

#essereFerrari


"Waiting 15 minutes" is always the way with a lot of this M365 stuff. Especially when you're doing stuff in Teams and PSTN.

ptier
Jul 2, 2007

Back off man, I'm a scientist.
Pillbug

Thanks Ants posted:

"Waiting 15 minutes" is always the way with a lot of this M365 stuff. Especially when you're doing stuff in Teams and PSTN.

We call it "cloud time" around these parts. Especially with Intune and waiting for policies to apply. Out of 16 PCs, 12 will do it right away and then 4 will take like half a day because CLOUD TIME!

Thanks Ants
May 21, 2004

#essereFerrari


Found that with Exchange Online authentication policies, sometimes you make the policy change a few minutes before it's due to refresh anyway, other times it takes four hours.

Gucci Loafers
May 20, 2006

Ask yourself, do you really want to talk to pair of really nice gaudy shoes?


Has anyone here actually deployed Copilot for Microsoft 365 or had their end users actually use all the fancy new AI stuff? Or Teams Premium?

Was it worth it? How did it go?

guppy
Sep 21, 2004

sting like a byob
This is probably a really stupid question, but I am fumbling my way through Power Automate for the first time in conjunction with Microsoft Forms, also for the first time. I am doing this for another group because they don't know how, because I am an idiot. Basically, I need users to fill out a form, and then I need to email the responses in the form to an email address. I do not particularly care about the formatting of the response data, it will be read by a human.

This seems like a very basic use case, but for some reason I seem to be the only person on Earth trying to do this. If that is because this is a stupid way to do what I need, I am happy to hear suggestions for alternatives as well. Most of what I see available is just to let you know that someone answered your form, which is not what I need. I do not care about persistence of any of this data past the email.

I need a single form to handle a few types of requests, which is easy enough to do in Forms with branching. (They do not have a table widget, which seems really weird to me, but I can live with a bunch of text fields even though I hate it.) So you choose the type of request you need to make, you enter the details, and you click Submit, and you never see any of the other stuff in the form that you didn't choose. This part works fine.

Currently what I have rigged up, which does not work, is the flow "Send an email to responder when response submitted in Microsoft Forms." After a few false starts, it seemed to like what I had done and didn't pre-report any errors. The flow consists of [When a new response is submitted] -> [Get response details] -> [Condition True] -> [Send an email (V2)]. (There is also a "Condition False" branch with no actions, I have no idea why that exists.)

When I test the form, the flow fails with the error "Attachment content cannot be null or empty." Okay, I mean, I understand that it is expecting an attachment and not getting one, but I have no idea how to fix that. I would think that the issue lies in the "Get response details" step, but I have zero familiarity with this and no idea what it should look like. The default, once the form is selected, is "triggerOutputs()?['body/resourceData/responseId']". That seems reasonable enough to me, it looks like it gets the data from the form.

The weird part of this is that this is a publicly available flow template, featured prominently, yet it doesn't do what it says on the label. I'm happy to make whatever adjustments I need, but I'm completely at sea.

Thanks Ants
May 21, 2004

#essereFerrari


Gucci Loafers posted:

Has anyone here actually deployed Copilot for Microsoft 365 or had their end users actually use all the fancy new AI stuff? Or Teams Premium?

Was it worth it? How did it go?

Out of a customer base of around 200, we've had one enquiry about Copilot and they went off the idea when they learned that they'd have to commit to a year and pay up-front for it. We've had a couple of people ask about Teams Premium for the meeting recap feature but I sort of think if you cannot attend all the meetings you're being invited to or have so many that there's no time to take notes and deal out action points then it's a problem you need to solve by having fewer meetings.

The MS partner briefings about Copilot in all its various guises talk about selling it; nobody has yet joined the call and demonstrated a use case for it.

I'll remain very :cloud: about the whole thing until someone can show it doing a useful task, not pretending that pulling insights out of a perfectly formatted data table containing 30 rows is somehow a breakthrough.

Thanks Ants fucked around with this message at 16:28 on May 21, 2024

klosterdev
Oct 10, 2006

Na na na na na na na na Batman!
Copilot in my experience has given me several "oh wow" moments when playing with it. I see value in it (although more so future value, it's being rapidly developed rn), although mostly for business administration and managers. The coolest thing I've seen it do so far is when I tried asking Copilot to explain the value of our product, it combed through several documents that were marked as visible to the entire organization and gave me a summary of the product using information I didn't even know about. Another cool trick it can do is create entire beautifully formatted PowerPoint presentations from fairly simple prompts. Email coaching is also pretty cool, it can read tone and suggest how to make the email better. (e.g. it pointed out that a sample email I submitted wasn't assertive enough)

It can do a lot rn, and with the speed that features are being added to it I'm super excited to see where it is in a year once it's had more time in the oven. Remember that Teams was also only kind-of useful post-launch and look at where it is now.

Cyks
Mar 17, 2008

The trenches of IT can scar a muppet for life
We gave a copilot license to a handful of employees who would not shut up about it and their feedback was “it’s alright I guess?” We haven’t talked about it in months and all interest died down two weeks after it became available.

I’m sure it’s easy to justify 30 bucks a month of productivity savings but also there’s a lot I’d love to do with $30/user of opex spending so I’m fine with not pushing it.

kung fu jive
Jul 2, 2014

SOPHISTICATED DOG SHIT

klosterdev posted:

Copilot in my experience has given me several "oh wow" moments when playing with it. I see value in it (although more so future value, it's being rapidly developed rn), although mostly for business administration and managers. The coolest thing I've seen it do so far is when I tried asking Copilot to explain the value of our product, it combed through several documents that were marked as visible to the entire organization and gave me a summary of the product using information I didn't even know about. Another cool trick it can do is create entire beautifully formatted PowerPoint presentations from fairly simple prompts. Email coaching is also pretty cool, it can read tone and suggest how to make the email better. (e.g. it pointed out that a sample email I submitted wasn't assertive enough)

It can do a lot rn, and with the speed that features are being added to it I'm super excited to see where it is in a year once it's had more time in the oven. Remember that Teams was also only kind-of useful post-launch and look at where it is now.

These features are very cool and the most interesting parts of Copilot to me so far, but the advanced features do require categorizing and tagging of your data for access control. If your org is a mess a lot of the power is going to be lost at best, and at worst you are going to leak data to the wrong internal resources.

mllaneza
Apr 28, 2007

Veteran, Bermuda Triangle Expeditionary Force, 1993-1952
ptier posted:

We call it "cloud time" around these parts. Especially with Intune and waiting for policies to apply. Out of 16 PCs, 12 will do it right away and then 4 will take like half a day because CLOUD TIME!

That makes sense, legacy AD was like that too, make a change and wait at least 15 minutes. Although on our network it's not 25% of endpoints take half a day, it's 25% never pick up a new GPO at all.

Aunt Beth
Feb 24, 2006

Baby, you're ready!
Grimey Drawer
The GPO evaluation cycle is a very well established thing and can be overridden or calculated fairly easily, whereas “cloud time” happens when it wants to happen. I’ll always defend ADDS as the neckbeard I am becoming

klosterdev
Oct 10, 2006

Na na na na na na na na Batman!

kung fu jive posted:

These features are very cool and the most interesting parts of Copilot to me so far, but the advanced features do require categorizing and tagging of your data for access control. If your org is a mess a lot of the power is going to be lost at best, and at worst you are going to leak data to the wrong internal resources.

Yeah you'll def want to make sure your OneDrive default setting is "specify who you want to share this to", because Copilot can't tell if public-to-the-org data should actually be public to the org.

Potato Salad
Oct 23, 2014

nobody cares


Aunt Beth posted:

The GPO evaluation cycle is a very well established thing and can be overridden or calculated fairly easily, whereas “cloud time” happens when it wants to happen. I’ll always defend ADDS as the neckbeard I am becoming

More than that, SCCM has always been described as "taking its own time" but it's literally one of the fastest and most responsive endpoint management systems I've worked with, especially if you commit even a few hours of your time quarterly to maintain the db and optimize your various service hosts.

I'm happy about being in Intune these days but I do wish I had more control.

kung fu jive
Jul 2, 2014

SOPHISTICATED DOG SHIT

klosterdev posted:

Yeah you'll def want to make sure your OneDrive default setting is "specify who you want to share this to", because Copilot can't tell if public-to-the-org data should actually be public to the org.

This and a big focus on Purview, sensitivity labels, and DLP. "Configuring" it is really just buying the licensing and applying it for the most part. Enabling it successfully (averting disaster) is applying the data controls so Susan doesn't ask Copilot for a list of all the salaries in the department, get it, and share with everyone (though I would support that), or Larry asking Copilot to tell him about project epsilon which is something he is not authorized to access and Copilot vomits a bunch of data about a planned buyout.

Without proper data security this tool can leak data like crazy internally. It can have massive security implications. I'm mostly thinking about larger orgs, but you still want to be mindful if you are on the small / medium biz side of things.

On another note, they really need to offer some sort of monthly billing on the SKU though. Kinda ridiculous they are forcing everyone to buy in annually.

kung fu jive fucked around with this message at 05:44 on May 23, 2024

Thanks Ants
May 21, 2004

#essereFerrari


Microsoft seem to be caching credentials for "modern" apps in a place that isn't the Credential Store and isn't documented anywhere, and providing no information to anybody including their support teams. How can I clear a list of five stored accounts in the Windows 365 App and Teams (they share the database somehow) to try and get something working again? Nobody knows!

Potato Salad
Oct 23, 2014

nobody cares


...they're not using the credential store or the SAM?

Are they not using the Credential Guard api?

Thanks Ants
May 21, 2004

#essereFerrari


They're spraying stuff into about five different folders in localappdata and the only repeatable way I've found to fix it is to delete the folders and reboot, at which point your PC then says it needs you to log into Entra again. Nothing in credential store, because of course MS would ignore their own best practices.

Potato Salad
Oct 23, 2014

nobody cares


Thanks Ants posted:

They're spraying stuff into about five different folders in localappdata and the only repeatable way I've found to fix it is to delete the folders and reboot, at which point your PC then says it needs you to log into Entra again. Nothing in credential store, because of course MS would ignore their own best practices.

God almighty, we're making it so loving easy for criminals lmao

tehinternet
Feb 14, 2005

Semantically, "you" is both singular and plural, though syntactically it is always plural. It always takes a verb form that originally marked the word as plural.

Also, there is no plural when the context is an argument with an individual rather than a group. Somfin shouldn't put words in my mouth.

guppy posted:

This is probably a really stupid question, but I am fumbling my way through Power Automate for the first time in conjunction with Microsoft Forms, also for the first time. I am doing this for another group because they don't know how, because I am an idiot. Basically, I need users to fill out a form, and then I need to email the responses in the form to an email address. I do not particularly care about the formatting of the response data, it will be read by a human.

This seems like a very basic use case, but for some reason I seem to be the only person on Earth trying to do this. If that is because this is a stupid way to do what I need, I am happy to hear suggestions for alternatives as well. Most of what I see available is just to let you know that someone answered your form, which is not what I need. I do not care about persistence of any of this data past the email.

I need a single form to handle a few types of requests, which is easy enough to do in Forms with branching. (They do not have a table widget, which seems really weird to me, but I can live with a bunch of text fields even though I hate it.) So you choose the type of request you need to make, you enter the details, and you click Submit, and you never see any of the other stuff in the form that you didn't choose. This part works fine.

Currently what I have rigged up, which does not work, is the flow "Send an email to responder when response submitted in Microsoft Forms." After a few false starts, it seemed to like what I had done and didn't pre-report any errors. The flow consists of [When a new response is submitted] -> [Get response details] -> [Condition True] -> [Send an email (V2)]. (There is also a "Condition False" branch with no actions, I have no idea why that exists.)

When I test the form, the flow fails with the error "Attachment content cannot be null or empty." Okay, I mean, I understand that it is expecting an attachment and not getting one, but I have no idea how to fix that. I would think that the issue lies in the "Get response details" step, but I have zero familiarity with this and no idea what it should look like. The default, once the form is selected, is "triggerOutputs()?['body/resourceData/responseId']". That seems reasonable enough to me, it looks like it gets the data from the form.

The weird part of this is that this is a publicly available flow template, featured prominently, yet it doesn't do what it says on the label. I'm happy to make whatever adjustments I need, but I'm completely at sea.

My first thoughts are a field in the form is set jankily. Are attachments mandatory on the form *or on any branch of the form*?

Double check the form top to bottom, check the outputs of the form again when an error is given just in case.


ihafarm
Aug 12, 2004

Thanks Ants posted:

They're spraying stuff into about five different folders in localappdata and the only repeatable way I've found to fix it is to delete the folders and reboot, at which point your PC then says it needs you to log into Entra again. Nothing in credential store, because of course MS would ignore their own best practices.

This sounds like AADBroker BS to me. What does dsregcmd report? What happens if you attempt ‘dsregcmd /forcerecovery’?
