Azure Files works but your client has to be an Azure AD joined device using an account synced from on-prem AD, and you need to do the cloud Kerberos trust stuff.

# Aug 25, 2023 17:13

# May 14, 2024 23:15

If it relies on file locking then no.

# Aug 25, 2023 23:21

I don't know why printing at this point isn't just sending a PDF to the device along with some API calls to tell the printer what tray to use and whether it should be duplexing or whatever. Compute power is so cheap that there shouldn't be any need for the print driver to do much.

# Sep 13, 2023 14:59

I'm having my rear end kicked by a Kerberos problem at the moment. The scenario is client devices that are Azure AD joined, off a synced AD domain running on Server 2019. This domain has a two-way trust with the AD domain of a parent company, who host an app on IIS that uses Windows authentication. This app is a bit of a black box and the contacts at this parent company are not hugely helpful because it works for them (all their clients are in the same domain as the servers; we're the only ones with a trust relationship). This setup has been working for two years.

My issue is that there is something in KB5030219 (and KB5029351, which it supersedes) that stops this authentication flow working: the IIS app just returns an error that NT AUTHORITY\ANONYMOUS LOGON is trying to log in, and if I compare the klist output pre- and post-update, then after the update I am missing a ticket granting ticket with the DELEGATION flag - the TGT with the PRIMARY cache flag is there, as are the tickets for the trusted domain. Domain controllers (Server 2019) are all up to date. I have Windows Hello for Business cloud Kerberos trust enabled and working, though it makes no difference if a client device is logged in via Hello or a password; I have the same problems each time.

Does this happen to match anything that is commonly known as a problem, or should I go with the approach of getting a MS professional support ticket created while at the same time beating these people for still doing integrated Windows auth?

# Sep 19, 2023 22:45

How does the shared mailbox have a voicemail box? Is there a Teams Phone license assigned to it for some reason?

# Sep 25, 2023 22:41

Dug into this further (probably 20 hours of work on this); the patches were a red herring. For some reason when a Windows 365 Enterprise PC deploys it doesn't have CredGuard enabled, or it has it enabled but isn't doing anything with it yet - I'm fairly sure MS are enabling this at the host level as there seem to be no admin-controllable options relating to it. CredGuard enables itself after a period of time and a reboot of the guest instance, which happened to line up perfectly with the things hitting a maintenance window and applying updates, and the cumulative updates and CU previews all needed reboots. Looks like this app is really bad and was trying to do unconstrained Kerberos delegation, which CredGuard won't let happen, so it was failing.

# Oct 12, 2023 15:57

Silly Newbie posted: Weirdly complicated situation and ask.

Do you mean registered? If they are devices you manage (which they are since they are domain joined), then would approaching this by having one domain Azure AD join through GPO, and setting the other two domains to prevent people doing an Azure AD join, work?

# Oct 19, 2023 22:44

I think you'd be better off using conditional access to restrict access to Outlook/OneDrive; you can't really restrict people from doing an Azure AD Register.

# Oct 20, 2023 17:45

What you'll find is that Conditional Access is a licensed feature that you have to use to take away access - you can't set things up to be along the lines of "no access unless conditional access evaluates things and grants it", but as much as I dislike Microsoft's business practices I don't think it's viable to operate an M365 organisation without access to at least the Entra ID P1 features.

# Oct 20, 2023 18:06

It might be worth looking at Cloud Sync, which can sync multiple unconnected ADs into AAD, and using that to sync the devices, and then seeing if conditional access works. I'd try and avoid AAD Hybrid, but it could work alright for this application if your longer-term plans were to ditch the domain join as hardware is refreshed.

# Oct 20, 2023 21:24

I think Autopilot can stop Hello enrolment as well, which if you're doing this at OOBE might be the way to go.

# Oct 24, 2023 11:57

Moving the user to passwordless is probably the easiest way to solve this issue.

# Nov 29, 2023 15:13

If this means what I think it means I am going to become engorged. This gives Microsoft at least five get-outs on annoying poo poo they'll do to Edge in the future.

Edit: Just groups for now: https://learn.microsoft.com/en-us/entra/identity/hybrid/cloud-sync/how-to-configure-entra-to-active-directory

Thanks Ants fucked around with this message at 22:35 on Dec 15, 2023

# Dec 15, 2023 22:29

I'd be interested in Azure DNS Private Resolver if they introduced a lower tier for networks that aren't putting 10k queries per second through it.

# Dec 16, 2023 18:52

On the subject of groups, I'm convinced I've seen documentation somewhere that says you can use security groups to grant access to Exchange features like mailbox permissions, but I've never gotten this to work, and the group has always needed to be mail-enabled to work. This would be fine, but then you lose the ability to do this with dynamic security groups. Was I reading something that had a typo in it, or should it be possible to grant access to things in Exchange using security groups that aren't mail-enabled?

# Jan 10, 2024 00:46

I'd start with cross-tenant synchronisation, which is a less high-touch feature building on top of B2B collaboration: https://learn.microsoft.com/en-us/entra/identity/multi-tenant-organizations/cross-tenant-synchronization-overview

Whether this works will come down more to whether guest users can access the features you need them to access than to the exact method you are using to manage these external users.

Thanks Ants fucked around with this message at 22:37 on Jan 10, 2024

# Jan 10, 2024 22:32

Autopilot is good, but Dell still ship Windows images chock full of poo poo, so we're just going to switch vendor. Not been impressed with their hardware for a while really.

# Jan 12, 2024 13:06

Intune is part of the Modern Workplace loose branding that MS use to describe all their cloud-only endpoint stuff. There's definitely money there if you also get very good with Entra, so things like the SSO integration, provisioning accounts into other applications, conditional access etc.

# Jan 12, 2024 23:04

Dell Optimiser is poo poo; all it does is break networking and audio by trying to be helpful. The latest batch of business machines we've had in also had Dell Digital Delivery popping up to remind people to check if they had software purchases with the machine, and 30-day trials of McAfee. The OEMs really do try their hardest to ruin the Windows experience more than Microsoft are capable of.

# Jan 15, 2024 14:50

It's very rare I encounter software and my reaction is "did this ever get tested", but Optimizer is one of them.

# Jan 17, 2024 22:57

# Feb 6, 2024 13:59

Commit to what is needed, add additional annual licenses if the head count changes, and use the spare license if someone leaves and it takes a couple of weeks for a new person to join. If the company is losing people at a rate where the cost of the unused licenses is a problem then there are bigger problems, so it's just not worth worrying about. If you have actual seasonal cycles in headcount then month-to-month makes sense for them, but otherwise it's annual. Whoever sells you your licensing should be able to co-term any new annual licenses with your current anniversary date: https://learn.microsoft.com/en-us/partner-center/align-subscription-end-dates

# Feb 13, 2024 18:41

Put your own account / an admin account into its own security group that you exclude from Conditional Access policy while you are getting up to speed with it, so you don't lock yourself out. Make excessive use of the "What if" feature.

# Mar 21, 2024 15:29

You can go a step further and flat out deny the login to those accounts if they aren't coming from your locations. Stops someone setting up MFA and then accessing them externally if they have no reason to.

# Mar 22, 2024 13:15

This is what my version of that looks like: it's a policy to block access to a specific user group that applies to all locations except the trusted ones.

This is what the user sees.

Thanks Ants fucked around with this message at 14:10 on Mar 22, 2024

# Mar 22, 2024 14:07
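The block policy described in the posts above (a named user group denied sign-in from everywhere except the tenant's trusted locations), together with the earlier advice to keep an admin exclusion group and to check the result with "What if" before enforcing, built with Microsoft Graph PowerShell. This is an added example, not the poster's own configuration or a screenshot transcription; the two group display names are placeholders, and it assumes the Microsoft.Graph.Identity.SignIns module and an account allowed to consent to the listed scopes.

```powershell
# Added example (not from the original post): create a Conditional Access policy that
# blocks one group from all cloud apps at every location except the trusted named
# locations, keeps an admin/break-glass group excluded, and starts in report-only mode.
# Group names are placeholders; requires Microsoft.Graph.Identity.SignIns.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All"

# Placeholder group names: the group to restrict and the admin group that stays excluded.
$blockedGroup = Get-MgGroup -Filter "displayName eq 'CA-Block-Outside-Trusted-Locations'"
$adminGroup   = Get-MgGroup -Filter "displayName eq 'CA-Excluded-Admins'"

if (-not $blockedGroup -or -not $adminGroup) {
    throw "One of the placeholder groups was not found; create them or change the names above."
}

$params = @{
    displayName = "Block selected users outside trusted locations"
    # Report-only first: sign-in logs and the "What if" tool show the outcome without enforcing it.
    # Change to "enabled" once the admin exclusion has been confirmed to work.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeGroups = @($blockedGroup.Id)
            excludeGroups = @($adminGroup.Id)      # admins keep a way back in
        }
        locations      = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")     # trusted named locations / MFA trusted IPs
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $params
$policy | Select-Object Id, DisplayName, State
```

Leaving the policy in report-only state until the "What if" tool confirms that the excluded admin group is unaffected is the safeguard the earlier post recommends; only then flip `state` to `enabled`.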

The quick option is to replace the domain controllers with Entra Domain Services and leave the VMs domain joined (but joined to the new domain), if you are happy to authenticate from the client side with a username and password. A lot of the Entra sign-in stuff that is there to support legacy environments has a prerequisite of the accounts having to be synced from AD so that the Kerberos proxy stuff can work.

# Mar 25, 2024 20:03

The limit was to do with tokens on a YubiKey IIRC and not how many hardware tokens an Entra tenant can support. And yes, they are £30 or something along those lines; you might have a handful of employees who request a token, so just treat it as disposable.

For your double-NAT site you probably want to tunnel them out to somewhere with real internet service, either as part of a wider SD-WAN project or just these sites on an ad-hoc basis, because otherwise you will struggle with stuff like VoIP in future. There's a provider here that you can buy "ISP" service from without the actual connection part: you build an L2TP tunnel and get to use their static IP ranges. People use it with things like 5G modems. https://www.aa.net.uk/broadband/l2tp-service/

Thanks Ants fucked around with this message at 22:34 on Mar 27, 2024

# Mar 27, 2024 22:27

Got up early to complete the "remove domain names from accounts, drop domains from M365 tenant, add to new tenant, update domains on objects at destination" dance. Made even worse because it's an AD synced tenant. Anyway, it went well so I'm taking the rest of the day off. M365 is so ubiquitous now that tenant-to-tenant migration must be more common than people migrating in for the first time from baby's first email server. I wish MS would just let everybody have the cool enterprise migration features that they hide behind EAs, including the bit where the same domain can be in two places at once.

# Apr 11, 2024 16:06

Gucci Loafers posted: What do you mean? It's impossible to have a DNS Record register in two different tenants. One has to be authoritative by design. The EA or Enterprise Admin portal is just for really big companies that have additional abstractions on top of Azure Subscriptions like Departments and Cost Centers.

You can't usually have the same domain active on two M365 tenants at once; there's a private preview for enterprise customers that lets this happen, and then one tenant routes mail to the other if the user isn't found there.

# Apr 27, 2024 10:09

It was called cross-tenant domain sharing when they announced it in 2022. It all went very quiet since then, and I wish I could find the MS Learn page that referenced it being a private preview again.

# Apr 27, 2024 11:09

I don't envy you having to provide the end user support/documentation for someone who has MS Authenticator that only exists to do password recovery but no MFA prompts come via it, and in the meantime you can't evaluate MFA strength since Duo has no way to tell Entra what method you used.

# Apr 30, 2024 20:44

Could you put the keys into the Windows credential store using your MDM platform per user and have your script refer to this?

# May 8, 2024 15:38

"Waiting 15 minutes" is always the way with a lot of this M365 stuff, especially when you're doing stuff in Teams and PSTN.

# May 14, 2024 16:10

Found that with Exchange Online authentication policies, sometimes you make the policy change a few minutes before it's due to refresh anyway; other times it takes four hours.

# May 14, 2024 18:35