Gucci Loafers
May 20, 2006

Ask yourself, do you really want to talk to pair of really nice gaudy shoes?


I would think there might be a lower-level role like Helpdesk Admin, but I don't think you can do it for a specific user with a specific group. Unless you got really creative with Administrative Units or some such thing, which might work, but it's gonna be a bit of research and testing.


Potato Salad
Oct 23, 2014

nobody cares


I've used SharePoint lists and a script as the poor man's HCM

Thanks Ants
May 21, 2004

#essereFerrari


:gonk:

tehinternet
Feb 14, 2005

Semantically, "you" is both singular and plural, though syntactically it is always plural. It always takes a verb form that originally marked the word as plural.

Also, there is no plural when the context is an argument with an individual rather than a group. Somfin shouldn't put words in my mouth.

Potato Salad posted:

I've used SharePoint lists and a script as the poor man's HCM

It’s what I had to do to track our job title based permissions. Our infrastructure guys are a couple decades behind the curve and don’t really give a poo poo (I respect it, but it makes everything else harder), so yeah. Is what it is.

kiwid
Sep 30, 2013

With M365 NCE licensing, do you guys buy a buffer of licenses for the year or do you just commit to your exact license count then do month-to-month for new employees until the renewal period comes up?

Thanks Ants
May 21, 2004

#essereFerrari


Commit to what is needed, add additional annual licenses if the head count changes, use the spare license if someone leaves and it takes a couple of weeks for a new person to join. If the company is losing people at a rate where the cost of the unused licenses is a problem then there are bigger problems, so it's just not worth worrying about.

If you have actual seasonal cycles in headcount then month-to-month makes sense for them, but otherwise it's annual. Whoever sells you your licensing should be able to co-term any new annual licenses with your current anniversary date.

https://learn.microsoft.com/en-us/partner-center/align-subscription-end-dates

kiwid
Sep 30, 2013

Thanks Ants posted:

Commit to what is needed, add additional annual licenses if the head count changes, use the spare license if someone leaves and it takes a couple of weeks for a new person to join. If the company is losing people at a rate where the cost of the unused licenses is a problem then there are bigger problems, so it's just not worth worrying about.

If you have actual seasonal cycles in headcount then month-to-month makes sense for them, but otherwise it's annual. Whoever sells you your licensing should be able to co-term any new annual licenses with your current anniversary date.

https://learn.microsoft.com/en-us/partner-center/align-subscription-end-dates

Awesome, thanks.

Cyks
Mar 17, 2008

The trenches of IT can scar a muppet for life
Despite requiring number matching/strong MFA, I’ve had a couple of recent alerts of unauthorized logins that bypassed MFA (looks like session stealing) that were thankfully blocked by a foreign country CA. Course, that’s super easy to bypass and I have no idea if or how many got around it.

Think it’s about time to cut off access from any device that’s not AD joined and limit mobile devices to teams and outlook only.

Spyderizer
Feb 18, 2004
Helping a customer with some secure score remediation.

Defender for Cloud Apps says "Ensure that mobile devices are set to never expire passwords."
The implementation instructions helpfully suggest going into Intune and removing any policies that set a password expiration.

This customer has been on Intune for a while, so there's a shitload of policies and I can't see anything in there that looks like it might set that. Is there anything I can query that can tell me what MDfCA has seen in Intune that's generated the recommendation? I've tried advanced hunting and azure monitor but I might be either too dumb for this or the necessary log passthrough might not be enabled.

mllaneza
Apr 28, 2007

Veteran, Bermuda Triangle Expeditionary Force, 1993-1952




Spyderizer posted:

This customer has been on Intune for a while, so there's a shitload of policies and I can't see anything in there that looks like it might set that. Is there anything I can query that can tell me what MDfCA has seen in Intune that's generated the recommendation? I've tried advanced hunting and azure monitor but I might be either too dumb for this or the necessary log passthrough might not be enabled.

Quasi-related question from someone still in an on-prem AD environment...

Is there a gpresults equivalent for Microsoft's cloud GPO thingy? Any way to get a report of what policies an endpoint is getting from InTune et al?

Internet Explorer
Jun 1, 2005





This might be a place to start - https://doitpsway.com/get-a-better-intune-policy-report-part-3-final

incoherent
Apr 24, 2004

Dumb question time: I'm building onboard and offboarding tools for my org and not going to license the EntraID governance licenses (which are a rip off). Can I just do the things that license does by just manually assigning User-Lifecycleinfo.ReadWrite.All to the PowerApps account?

I couldn't find any documentation for such a thing. Seems like a grey-area workaround tbh.

SEKCobra
Feb 28, 2011

Hi
:saddowns: Don't look at my site :saddowns:
All staffers affected by an upcoming reorg have disappeared from the GAL and the team calendars. We are assuming this has to do with some M365 shenanigans. Anyone know what this could be? In AD nothing is changed yet.

Defenestrategy
Oct 24, 2010

Is there a button to export Entra configs? Would be real useful for establishing a baseline config.

Boogalo
Jul 8, 2012

Meep Meep




Defenestrategy posted:

Is there a button to export Entra configs? Would be real useful for establishing a baseline config.

I think what you're looking for is called Desired State Configuration

Defenestrategy
Oct 24, 2010

Boogalo posted:

I think what you're looking for is called Desired State Configuration

This seems like it's specifically for VMs, not Entra. I'd like to pull a JSON or something that just has all the buttons I pushed for stuff like conditional access policies, groups, password management, blah blah.

Boogalo
Jul 8, 2012

Meep Meep




Defenestrategy posted:

This seems like it's specifically for VMs, not Entra. I'd like to pull a JSON or something that just has all the buttons I pushed for stuff like conditional access policies, groups, password management, blah blah.

I posted while still looking for the correct link but finally found it again.

https://microsoft365dsc.com/user-guide/get-started/introduction/

Why the first results are always Azure VM DSC I dunno. Search sucks these days.

Defenestrategy
Oct 24, 2010

Boogalo posted:

I posted while still looking for the correct link but finally found it again.

https://microsoft365dsc.com/user-guide/get-started/introduction/

Why the first results are always Azure VM DSC I dunno. Search sucks these days.

This looks exactly like what I'm looking for, although I am really annoyed and yet unsurprised that there just isn't a button in an Azure blade somewhere that does this.
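For the baseline export discussed above, here is an added example (not from the thread or the Microsoft365DSC project) that pulls just the Entra pieces mentioned here and diffs them against the previous run. It assumes the Microsoft365DSC module, an app registration with certificate auth (placeholder IDs), and the parameter names as documented for the module at the time of writing; check them against your installed version.

```powershell
# Added example, not from the thread. Assumes Microsoft365DSC is installed and an
# app registration with certificate auth; app ID, tenant and thumbprint are placeholders.
Import-Module Microsoft365DSC

$auth = @{
    ApplicationId         = "<app-id-placeholder>"
    TenantId              = "contoso.onmicrosoft.com"
    CertificateThumbprint = "<thumbprint-placeholder>"
}
$stamp  = Get-Date -Format "yyyyMMdd-HHmm"
$root   = "C:\M365Baselines"
$outDir = Join-Path $root $stamp

# Export only the Entra resources the thread cares about: CA policies, named
# locations, groups and the authentication methods policy. Add more as needed.
Export-M365DSCConfiguration @auth -Components @(
    "AADConditionalAccessPolicy",
    "AADNamedLocationPolicy",
    "AADGroup",
    "AADAuthenticationMethodPolicy"
) -Path $outDir -FileName "EntraBaseline.ps1"

# Diff against the most recent earlier export so you see what changed in the
# tenant since the last run (someone clicking buttons in a blade shows up here).
$previous = Get-ChildItem $root -Directory |
    Where-Object Name -ne $stamp | Sort-Object Name | Select-Object -Last 1
if ($previous) {
    New-M365DSCDeltaReport -Source (Join-Path $previous.FullName "EntraBaseline.ps1") `
                           -Destination (Join-Path $outDir "EntraBaseline.ps1") `
                           -OutputPath (Join-Path $outDir "Delta.html")
    "Delta report written to $(Join-Path $outDir 'Delta.html')"
} else {
    "First export written to $outDir; run again later to get a delta"
}
```

Run it on a schedule and keep the export directories under version control so the delta history survives beyond the last two runs.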

Silly Newbie
Jul 25, 2007
How do I?
I've got an issue that's starting to drive me crazy. I have a tenant where I allow sharing from OneDrive to "Anyone". SharePoint sites are internal only, but OneDrive can go out for vendor and customer collaboration etc. It's in my sharing policies for OneDrive in the SharePoint admin center and there are no more restrictive policies in play.
I've got a small subset of users who can't share anonymous links. Their OneDrive manage sharing setting in the admin center is set to allow this.
Anyone seen that before?

kiwid
Sep 30, 2013

As a solo admin, I've just now been able to move everyone over from Business Standard to Business Premium licensing. I'm going through Azure AD Entra ID trying to clean things up and set up best practices and also enable MFA with cond. access. Is there like a guide or tutorial I can follow to do this?

Defenestrategy
Oct 24, 2010

kiwid posted:

As a solo admin, I've just now been able to move everyone over from Business Standard to Business Premium licensing. I'm going through Azure AD Entra ID trying to clean things up and set up best practices and also enable MFA with cond. access. Is there like a guide or tutorial I can follow to do this?

As in what are best practices or how to setup mfa?

Thanks Ants
May 21, 2004

#essereFerrari


Put your own account / an admin account into its own security group that you exclude from Conditional Access policy while you are getting up to speed with it so you don't lock yourself out. Make excessive use of the "What if" feature.

The Fool
Oct 16, 2003


Thanks Ants posted:

Put your own account / an admin account into its own security group that you exclude from Conditional Access policy while you are getting up to speed with it so you don't lock yourself out. Make excessive use of the "What if" feature.

Related, make sure you have a "break glass" account that is excluded from MFA.

kiwid
Sep 30, 2013

Defenestrategy posted:

As in what are best practices or how to setup mfa?

Yes.

Defenestrategy
Oct 24, 2010


https://www.cmu.edu/iso/compliance/800-171/index.html is currently what the US government will eventually want to see out of everyone. It isn't all-encompassing as far as controls go, but I feel if you're able to tick off all of the physical controls in 800-171 you're in good shape.

sporkstand
Jun 15, 2021
There's also Security Defaults, which work pretty well for a baseline of security if you don't want/need to get into managing a bunch of CA policies, etc. Works well for smaller businesses with simpler needs, so it's not for all situations.

kiwid
Sep 30, 2013

sporkstand posted:

There's also Security Defaults, which work pretty well for a baseline of security if you don't want/need to get into managing a bunch of CA policies, etc. Works well for smaller businesses with simpler needs, so it's not for all situations.

I need to avoid security defaults because we have email accounts for operators that use "general use" PCs throughout our plants. I need CA to avoid ever prompting MFA with anything that is on-site.

Unless, do you guys know of a better way?

snackcakes
May 7, 2005

A joint venture of Matsumura Fishworks and Tamaribuchi Heavy Manufacturing Concern

kiwid posted:

I need to avoid security defaults because we have email accounts for operators that use "general use" PCs throughout our plants. I need CA to avoid ever prompting MFA with anything that is on-site.

Unless, do you guys know of a better way?

Are you still going to enable MFA for them just to play it safe? You can have a separate policy that prompts for MFA except for trusted locations. Assuming you have static IP addresses

kiwid
Sep 30, 2013

snackcakes posted:

Are you still going to enable MFA for them just to play it safe? You can have a separate policy that prompts for MFA except for trusted locations. Assuming you have static IP addresses

Correct. We'll enable MFA for these general use accounts then just setup trusted locations to never prompt it.

Thanks Ants
May 21, 2004

#essereFerrari


You can go a step further and flat out deny the login to those accounts if they aren't coming from your locations. Stops someone setting up MFA and then accessing them externally if they have no reason to.

kiwid
Sep 30, 2013

Thanks Ants posted:

You can go a step further and flat out deny the login to those accounts if they aren't coming from your locations. Stops someone setting up MFA and then accessing them externally if they have no reason to.

Oh, this would be awesome. I wasn't aware I could do this. So I don't even need to set up MFA, I just deny the login if it isn't from a trusted location?

That way I can focus only on mobile users MFA?

Thanks Ants
May 21, 2004

#essereFerrari


This is what my version of that looks like, it's a policy to block access to a specific user group that applies to all locations except the trusted ones



This is what the user sees

Thanks Ants fucked around with this message at 14:10 on Mar 22, 2024
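The policy described above (block a specific group everywhere except trusted locations), plus the earlier advice about excluding an admin/break-glass account so you don't lock yourself out, as an added example built with the Microsoft Graph PowerShell SDK. It is not Thanks Ants' code or configuration; the IP range, group ID and break-glass ID are placeholders, and it assumes Policy.ReadWrite.ConditionalAccess rights.

```powershell
# Added example, not from the thread. Assumes the Microsoft.Graph PowerShell SDK.
# IP range, group object ID and break-glass object ID below are placeholders.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","Group.Read.All"

$plantRange      = "203.0.113.0/24"                       # placeholder: your site's static egress range
$operatorGroupId = "<object-id-of-plant-operators-group>"  # placeholder
$breakGlassId    = "<object-id-of-break-glass-account>"    # placeholder

# 1. A trusted named location for the plant's static egress IPs.
$loc = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Plant floor egress"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = $plantRange }
    )
}
"Named location $($loc.Id) created"

# 2. Block the operator group from all apps at every location except trusted ones.
#    The break-glass account is excluded so a mistyped IP range can't lock you out.
#    The policy starts in report-only mode; check sign-in logs and "What if" first.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "Block plant operator accounts outside trusted locations"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeGroups = @($operatorGroupId)
            excludeUsers  = @($breakGlassId)
        }
        applications   = @{ includeApplications = @("All") }
        locations      = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}
"Policy $($policy.Id) created in report-only mode"

# 3. Once report-only results look right, enforce it.
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id `
#     -BodyParameter @{ state = "enabled" }
```

Because this blocks rather than requiring MFA, an operator account that shows up in the report-only results from an untrusted location is itself worth investigating, since nothing legitimate should be signing in from there.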

kiwid
Sep 30, 2013

Excellent, thanks!

tehinternet
Feb 14, 2005

Semantically, "you" is both singular and plural, though syntactically it is always plural. It always takes a verb form that originally marked the word as plural.

Also, there is no plural when the context is an argument with an individual rather than a group. Somfin shouldn't put words in my mouth.

Silly Newbie posted:

I've got an issue that's starting to drive me crazy. I have a tenant where I allow sharing from OneDrive to "Anyone". SharePoint sites are internal only, but OneDrive can go out for vendor and customer collaboration etc. It's in my sharing policies for OneDrive in the SharePoint admin center and there are no more restrictive policies in play.
I've got a small subset of users who can't share anonymous links. Their OneDrive manage sharing setting in the admin center is set to allow this.
Anyone seen that before?

I’d check your SharePoint sharing settings in the Sharepoint admin center. OneDrive permissions can be more restrictive but not less restrictive than SharePoint’s. Meaning if something is restricted in SharePoint, it’s restricted in OneDrive as well.

Might be some fuckery there

Silly Newbie
Jul 25, 2007
How do I?

tehinternet posted:

I’d check your SharePoint sharing settings in the Sharepoint admin center. OneDrive permissions can be more restrictive but not less restrictive than SharePoint’s. Meaning if something is restricted in SharePoint, it’s restricted in OneDrive as well.

Might be some fuckery there

Thanks, I'll re-check that. It's driving me insane that it's only happening to like 5% of my userbase at random.

MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE

The Fool posted:

Related, make sure you have a "break glass" account that is excluded from MFA.

Also setup alerts for when this account is logged into.
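One way to do the alerting MF_James mentions, as an added example (not from the thread): a scheduled script that pulls the break-glass account's recent sign-ins from the Entra sign-in logs through Microsoft Graph and exits non-zero if there were any. It assumes the Microsoft.Graph.Reports module, AuditLog.Read.All, and a placeholder UPN.

```powershell
# Added example, not from the thread. Assumes Microsoft.Graph.Reports is installed
# and the signed-in identity has AuditLog.Read.All. The UPN is a placeholder.
Import-Module Microsoft.Graph.Reports
Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All"

$breakGlassUpn = "breakglass@contoso.onmicrosoft.com"   # placeholder
$lookback = (Get-Date).ToUniversalTime().AddHours(-1).ToString("yyyy-MM-ddTHH:mm:ssZ")

# Pull every sign-in for the account in the window, successful or failed.
# A break-glass account should see zero sign-ins in normal operation, so any
# row at all is the alert condition; we don't filter on success.
$signIns = Get-MgAuditLogSignIn -All -Filter ("userPrincipalName eq '{0}' and createdDateTime ge {1}" -f $breakGlassUpn, $lookback)

if (-not $signIns) {
    "No break-glass sign-ins since $lookback"
    exit 0
}

foreach ($s in $signIns) {
    [pscustomobject]@{
        When     = $s.CreatedDateTime
        Success  = ($s.Status.ErrorCode -eq 0)
        IP       = $s.IPAddress
        City     = $s.Location.City
        Country  = $s.Location.CountryOrRegion
        App      = $s.AppDisplayName
        CAResult = $s.ConditionalAccessStatus
    }
}

Write-Warning "Break-glass account $breakGlassUpn had $(@($signIns).Count) sign-in(s) since $lookback"
exit 1   # non-zero so the scheduler or monitor treats this run as an alert
```

Run it from Azure Automation or a scheduled task at an interval shorter than the lookback window so consecutive runs overlap and nothing is missed; if you already ship sign-in logs to Log Analytics or a SIEM, an alert rule there on the same UPN is the more robust version of this.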

tehinternet
Feb 14, 2005

Semantically, "you" is both singular and plural, though syntactically it is always plural. It always takes a verb form that originally marked the word as plural.

Also, there is no plural when the context is an argument with an individual rather than a group. Somfin shouldn't put words in my mouth.

Silly Newbie posted:

Thanks, I'll re-check that. It's driving me insane that it's only happening to like 5% of my userbase at random.

The 5% thing made me remember to say to make sure that whatever external domain they’re sharing with is on your global whitelist (if you restrict which domains you allow sharing to).

Maneki Neko
Oct 27, 2000

This feels like a bonkers question, but my team inherited some infrastructure in Azure that includes an old AD domain running on VMs. The only remaining use for it is authenticating logins to domain-joined VMs (roughly 10 or so) which are also in Azure.

I'd like to kill off the AD domain and just use AzureAD/Entra logins to login to these existing VMs.

I've added the extension to the VMs and granted the appropriate role assignments but it also seems like there's a number of CLIENT side requirements for this to work and we totally do not have a functional Entra joined device setup and are never going to (devices are mainly macs and managed through a different tool, Azure only exists to support one specific app)

Is there something obvious I'm missing here to get AzureAD/Entra logins working on a VM just as is? Otherwise it seems like my fallback option is just kill off the domain and have people use local accounts for the ~10 or so vms we might need to manage.

Thanks Ants
May 21, 2004

#essereFerrari


The quick option is to replace the domain controllers with Entra Domain Services and leave the VMs domain joined (but joined to the new domain), if you are happy to authenticate from the client side with a username and password.

A lot of the Entra sign-in stuff that is there to support legacy environments has a prerequisite of the accounts having to be synced from AD so that the Kerberos proxy stuff can work.


Silly Newbie
Jul 25, 2007
How do I?
Thanks Ants is right and this is exactly what Entra Domain Services/AADDS was made for. Basically it spins up two domain controllers in your Azure environment that you can't log into directly. Point your VMs' DNS at them and join them to contoso.com or whatever your Azure/Entra custom domain is. Your Entra accounts will sign in as domain\user just like in a traditional AD. No MFA.
Install the DNS and ADUC modules on a server and point them at the virtual DCs to manage DNS, group policy, accounts, etc.

Edit - I did find a way to regular Entra join Windows VMs to sign in with regular Entra credentials, but it's a pain in the rear end, not worth it, and won't work for any other shared resources on the VM like file shares etc.
