Update: This tool has a new shortlink: http://aka.ms/aadnetwork
Since the tool passed the 500 download mark a few weeks ago, I’ve started getting more questions (internal and external) about a few of the tests and checks. So, I decided to update/refine them to hopefully provide better guidance.… [ Continue reading ]
Last week, I saw some internal discussion about trying to locate the source of a duplicate object error on-premises. While an advanced administrator will be able to figure it out by looking at the Connector Spaces for connected directories, it’s not necessarily obvious to a lot of people (especially if you’re not experienced with our identity management products).… [ Continue reading ]
In my previous post, I discussed using the new Attack Simulator for crafting phishing campaigns against your users. If you haven’t tried it out yet, I’d heartily recommend it. It’s more fun than a barrel of monkeys.
For this post, we’re going to shift into slightly more traditional attack strategies. … [ Continue reading ]
Over the last few weeks, we’ve released some great new features for Office 365 Advanced Threat Protection users. The Attack Simulator has three core components, each of which I’ll cover in a series:
- Spear Phishing (Credential Harvest)
- Brute Force Password (Dictionary Attack)
- Password Spray Attack
For this post, I want to focus on the Spear Phishing campaign.… [ Continue reading ]
Update: We now have some public documentation available for this as well, so be sure to check there, too! https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-deployment-plans
Imagine this scenario: You’ve been running Active Directory Federation Services (AD FS) since before it was cool, and you’re tired of maintaining that highly available infrastructure (at least 4 servers) and the whole federation thing and its myriad of quirks and drawbacks and headaches (such as alt-id (which is still supported in Pass-through authentication with some caveats, listed below), claims rules, certificates, and the fun of trying to change UPN suffixes from one federated UPN to another).… [ Continue reading ]
A few months ago, I debuted a new tool for AAD Connect deployment (read about it here: AAD Connect Network and Name Resolution Test or download it here: https://gallery.technet.microsoft.com/Azure-AD-Connect-Network-150c20a3) which allows you to test a number of conditions to make sure your server and environment are suitable for deploying AAD Connect.… [ Continue reading ]
Update: I’ve added several additional parts to this tool since it was originally released, including some debug logging, an Azure credential check to ensure that your identity is part of Global Admins, additional cloud endpoint checks, and a more thorough system inventory.… [ Continue reading ]
On the recommendation of my good friend Darryl, I’ve added some things to my AAD Connect permissions tool:
- Better logging of errors. When running the tool for a large organization that had $ characters in its service account names, the tool would report successful but not leave any log files or indicators where things may have happened.
… [ Continue reading ]
I have created a more detailed example of how to do this here: https://www.undocumented-features.com/2018/09/14/fixing-office-365-anonymous-group-write-back-and-external-delivery/
Office 365 Groups are glorious creations. There are, however, some instances where they don’t work as you anticipate (or hope). One of those scenarios is when you are configured in hybrid coexistence with the following scenario:
- Office 365 Group Writeback is enabled (for configuring permissions, see this script)
- RequireSenderAuthenticationEnabled is set to False for an Office 365 group
- Your organization’s MX record is configured to point on-premises
In this scenario, external emails sent to Office 365 groups (via your organization’s MX record pointing on-premises) will be returned with one of our favorite NDRs:
“You do not have permission to send to this recipient.”
This happens because the RequireSenderAuthentication attribute (which maps to msExchRequireAuthToSendTo) written to the synced group object is set to the constant True inside of AAD Connect (as shown in the rule “Out to AD – Group SOAInAAD”):
Which translates to this on written-back group objects:
In order to fix this, you need to either update the rule (Edit | Disable and Make a Copy) or update the msExchRequireAuthToSendTo attribute on the synced group objects if you are keeping your MX pointed on-premises, or update the MX to point to Office 365.… [ Continue reading ]
Since it’s initial creation, I’ve made a few updates to the Advanced AAD Connect permissions tool. The most recent updates:
- 2017-10-11 – delegating write permissions to the CN=adminSDHolder,CN=System container
- 2017-10-05 – delegating write permissions to the ms-DS-ConsistencyGuid property
These two updates should allow for a more complete AAD Connect permissions delegation experience. … [ Continue reading ]
This week, I received an email from a colleague asking if there was a way to work around the default behavior described in https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-implement-password-synchronization:
Password expiration policy
If a user is in the scope of password synchronization, the cloud account password is set to Never Expire.… [ Continue reading ]
Updated with additional requirements and scenarios, 2017-10-26.
I recently worked with a customer that needed assistance in configuring the additional permissions required for AAD Connect delegation. After chasing down an incredible number of prerequisite information, I decided it would be more helpful to my customer to put together a tool that would help them configure the various permissions delegations.… [ Continue reading ]
From time to time, you may find that you need to selectively filter out users going to Office 365. The easiest way to do it is with a scoping filter. We do have some documents on setting the cloudFiltered attribute in the metaverse to True, but that requires creating new rules. … [ Continue reading ]
Update: I posted roll-back steps at the bottom of the article.
Several months ago, I wrote a blog on Disabling Office 365 Groups. It seems as though we couldn’t leave well enough alone. Such is a price of progress.
I got a new laptop a few weeks ago, and then found myself in the position of helping out a few colleagues this week. … [ Continue reading ]
This afternoon, I ran into a customer with a very interesting configuration–a 300-user department with 15 domain controllers spread among 6 sites.
Which, given our guidance in the past didn’t seem that out of line (redundant domain controllers at each site to process logons).… [ Continue reading ]
Let’s say you’re in one of the following scenarios:
- You need to set up AD FS for a shared hosting environment and won’t have any identities synchronized from the forest where AD FS will be deployed and want to verify that the AD FS infrastructure is working.
… [ Continue reading ]
This afternoon, while configuring AAD Connect for a customer, I ran into a new error when I clicked Install at the end of the installation wizard:
An error occurred executing Configure AAD Sync task: Unexpected exception thrown. Action: PingProvisioningServiceEndPoint, Exception: An error occurred.
… [ Continue reading ]
I just built a tool for a team of consultants to use, and some of the commands require elevation. Rather than relying on telling them it needs to be elevated, I wanted to be able to exit immediately if the session wasn’t so precious time wasn’t wasted.… [ Continue reading ]
A few months ago, I developed a script/tool to use for a rather large customer divesting from an Office 365 Dedicated environment. As part of the exit, they wanted a contact object in their GAL for every user, contact, and distribution list that existed in the source Office 365 environment.… [ Continue reading ]
For those of you that have embarked upon the trek to Office 365, you’ve undoubtedly run (or at least heard of) IDFix. It detects and fixes a number of conditions that will cause the directory sync to report errors.
Today, I want to focus on a tool I wrote for a customer almost 2 years ago that addresses conditions not yet identified or remedied by IDFix. … [ Continue reading ]