Tag: Microsoft

Azure AD Connect sync issues

Now and then we get errors in our Azure AD Connect synchronization, or rather – my customers get errors.

And every now and then there is an error where it is not easy to spot what is wrong.

In this case the solution was not that easy – but when you think about it, it kind of makes sense.

So this is the error I got.

[Screenshot: Azure AD Connect sync error details. Description: "The object failed synchronization. For more information, please see the error details. If the problem continues and cannot be fixed, please contact Microsoft Support." Error Type: WorkflowException. Last Attempted At: 12/17/2019. Synchronization Status: On premises AD only. Related article: Azure AD Connect: Troubleshooting Synchronization Errors.]

Looking into Azure AD Connect, it threw an error on synchronization.

After some investigation back and forth with the GUID, which did not match the Azure AD Sync error, I found out that a deleted group was configured as a licensing group within Azure AD. Therefore, when it was deleted from on-prem AD, it could not be deleted in Azure AD since it was still in use.

By removing it from the license SKU, it removed itself on the next sync.
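A check for this situation before a synced group is deleted on-premises, as an added example that is not from the original post: it lists groups that still carry a license assignment. Find-LicensedGroup and the sample groups are constructed for illustration; against a tenant the input would be Get-MsolGroup -All from the MSOnline module.

```powershell
# Added example, not from the original post. Find-LicensedGroup is a hypothetical helper.
function Find-LicensedGroup {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Group,
        # Only report groups that are synced from on-prem AD
        [switch] $SyncedOnly
    )
    process {
        # SKUs assigned through group-based licensing (empty for ordinary groups)
        $skus = @($Group.Licenses | Where-Object { $_ } | ForEach-Object { $_.SkuPartNumber })
        if ($skus.Count -eq 0) { return }
        $synced = [bool]$Group.LastDirSyncTime
        if ($SyncedOnly -and -not $synced) { return }
        [pscustomobject]@{
            DisplayName = $Group.DisplayName
            ObjectId    = $Group.ObjectId
            Synced      = $synced
            Skus        = $skus -join ', '
        }
    }
}

# Constructed sample objects that mimic the properties Get-MsolGroup returns
$sampleGroups = @(
    [pscustomobject]@{ DisplayName = 'LIC-E3-Users'; ObjectId = '11111111-1111-1111-1111-111111111111'
        LastDirSyncTime = [datetime]'2019-12-16'; Licenses = @([pscustomobject]@{ SkuPartNumber = 'ENTERPRISEPACK' }) }
    [pscustomobject]@{ DisplayName = 'Sales'; ObjectId = '22222222-2222-2222-2222-222222222222'
        LastDirSyncTime = [datetime]'2019-12-16'; Licenses = @() }
    [pscustomobject]@{ DisplayName = 'Cloud-EMS'; ObjectId = '33333333-3333-3333-3333-333333333333'
        LastDirSyncTime = $null; Licenses = @([pscustomobject]@{ SkuPartNumber = 'EMS' }) }
)

# Synced groups that must be removed from licensing before they are deleted on-prem
$sampleGroups | Find-LicensedGroup -SyncedOnly | Format-Table -AutoSize

# Live tenant: Connect-MsolService; Get-MsolGroup -All | Find-LicensedGroup -SyncedOnly
```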

How do I know all my users are enabled for and using MFA?

More and more organizations are taking advantage of MFA for their users, and there is no reason for them not to since it's free for all Office 365 users, and also for all Azure AD users if you are not using the Office 365 services. But after you enable it for your users, are you sure everyone is enabled?

You may have seen in the Secure Score that not all users are registered for MFA, and if so, you have users with no MFA! These users may become victims of brute-force attacks, so it's super important to go through all users and see how everything is configured! Some of the users with no MFA may be legitimate and should not have it.

So let's dig into the material for a second or two.

First, there is a “Secure Score” check for MFA-registered users that will show you how many of your users are not registered (if any).

If you have any users in that list, it does not show who the users are, so we need to go deeper into the material to retrieve this status.

So to get the list of users who have not set up MFA, you need to run this PowerShell command with the Azure AD PowerShell module loaded.

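# Connect-MsolService and Get-MsolUser come from the MSOnline module
Connect-MsolService

# Users with no registered MFA method
Get-MsolUser -All | Where-Object {$_.StrongAuthenticationMethods.MethodType -eq $null} | Select-Object DisplayName,UserPrincipalName,BlockCredential,LastPasswordChangeTimestamp,UserType | Out-GridView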

And now that we have found all these users, we can check why they don't use MFA and make sure that they use it 🙂

Further on, we can check what method users are using when authenticating with MFA. For this I use this script located in the TechNet PowerShell archives HERE

If you have deployed MFA the Conditional Access way (recommended), you will see that the MFA status on all users is set to “Disabled”, but the method is set to what the user is using.
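A report that combines both checks, as an added example (this is not the TechNet script and not code from the original post): it shows the per-user MFA state next to the registered methods, so a "Disabled" state with a method present is told apart from an account with no method at all. Get-MfaReport, its -ExpectedWithoutMfa parameter and the sample users are constructed for illustration; the property names are the ones Get-MsolUser returns.

```powershell
# Added example, not from the original post. Get-MfaReport is a hypothetical helper.
function Get-MfaReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        # UPNs that are meant to have no MFA (break-glass admin, service accounts)
        [string[]] $ExpectedWithoutMfa = @()
    )
    process {
        $methods = @($User.StrongAuthenticationMethods | Where-Object { $_ })
        $default = ($methods | Where-Object { $_.IsDefault } | Select-Object -First 1).MethodType
        # No per-user requirement shows as "Disabled", also when MFA comes from Conditional Access
        $state = @($User.StrongAuthenticationRequirements | Where-Object { $_ } | ForEach-Object { $_.State })[0]
        if (-not $state) { $state = 'Disabled' }
        $finding = if ($methods.Count -eq 0) {
            if ($ExpectedWithoutMfa -contains $User.UserPrincipalName) { 'No method (expected exclusion)' } else { 'No method registered: follow up' }
        } elseif ($state -eq 'Disabled') {
            'Method registered, per-user MFA off (expected with Conditional Access)'
        } else {
            "Method registered, per-user MFA $state"
        }
        [pscustomobject]@{
            UserPrincipalName = $User.UserPrincipalName
            PerUserMfaState   = $state
            DefaultMethod     = $default
            Methods           = ($methods.MethodType -join ', ')
            Finding           = $finding
        }
    }
}

# Constructed sample objects that mimic the properties Get-MsolUser returns
$sampleUsers = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'; StrongAuthenticationRequirements = @()
        StrongAuthenticationMethods = @([pscustomobject]@{ MethodType = 'PhoneAppNotification'; IsDefault = $true },
                                        [pscustomobject]@{ MethodType = 'OneWaySMS'; IsDefault = $false }) }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example'; StrongAuthenticationRequirements = @()
        StrongAuthenticationMethods = @() }
    [pscustomobject]@{ UserPrincipalName = 'scanner@contoso.example'; StrongAuthenticationRequirements = @()
        StrongAuthenticationMethods = @() }
)

$sampleUsers | Get-MfaReport -ExpectedWithoutMfa 'scanner@contoso.example' | Format-Table -AutoSize

# Live tenant: Connect-MsolService; Get-MsolUser -All | Get-MfaReport -ExpectedWithoutMfa <UPNs>
```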

Have fun checking the status of your users! 🙂

Ignite – some of the news I got first day

So! Day one at Ignite is over and what a day! A lot of new features, services and everything.

But I must say, arriving from Norway – EVERYTHING IS SO BIG here in the USA!

Anyhow – here is a short summary from me of some (few) new features and services that were unveiled at the keynotes and some sessions.

There is also much more that I did not cover in this post!

Azure Arc

Azure Synapse Analytics

Power Automate (Flow)

  • MS Flow is getting a new name
  • Gives you the ability to create automations against applications which are missing APIs

Power Virtual Agents

  • Bot or “Chat” agent on websites
  • Together with Power Automate you can fill contact forms from a chat on a website directly into your on-prem CRM system (which is missing an API)

Microsoft 365

  • Project Cortex
    • Based on AI
    • Creates an enterprise wiki automatically with the use of AI
    • Creates a “Knowledge” card on abbreviations and links you to the “Knowledge Center”
    • Great for new employees or just as a company wiki
  • MS Stream uses AI to remove background noise on videos
  • MS Teams uses AI to remove backgrounds or blur them
  • Fluid Framework
    • Collaboration between Outlook, MS Teams chat, PowerPoint ++
  • Office.com is more important for end users than ever – a one-stop for all services
  • Office.com gets the ability to be customized with themes, company branding etc.
  • OneDrive gets the file size limit increased to 100 GB per file
  • All files in OneDrive now have delta sync

SharePoint

  • In Search you can now edit the results page and configure how the results are presented
  • SharePoint Home sites are in GA
  • Content Auditing
    • Highlighting of changes between versions
    • Scheduled publishing of pages
    • Multi-lingual support
  • SharePoint Spaces goes to public preview around Q1 2020 (somehow together with Edge Chromium)
  • Modern term-store

Security & Compliance

  • Unified labels are even more unified
    • Labeled team sites, MS Teams and files are now the same
    • Auto-labeling is based on content on a complete site
  • Information barrier
    • Based on classifications (labels) you can block out a whole department or group of people from certain areas
    • For example, finance investors can be blocked out from the auditors' file spaces.

Edge Chromium

  • Browser in GA Q1 2020
  • Will get a Fast Track “track” to help companies embrace it

Managed Meeting Rooms

  • Monitoring of equipment in the rooms like monitors, cameras, microphones etc.
  • In Private preview right now!

On my way to Ignite!

En route! I'm on my way to Orlando as we speak (write). I'm so excited to meet the HUGE community which is present at Microsoft Ignite and can't wait to meet friends and new people in the community. That said, there is much to do this week!

I'm arriving at my hotel late Sunday and preparing to head into OCCC EARLY to try to get a space for Satya's keynote in The Hub at OCCC.

Game plan!

  • Get my luggage
  • Check in for MS Ignite at Orlando airport (rumors say there is almost no queue there)
  • Grab an Uber straight to the hotel
  • Go to sleep fast
  • Get up early and head directly over to OCCC
  • Enjoy Ignite! 🙂

That said – I have thought about how to store, use and structure all the information and knowledge I get this week.

My plan is to use OneNote for taking notes on stuff from sessions and all over, Microsoft To-Do to add tasks that I need to follow up on, LinkedIn for connecting with all the great community people, and of course Twitter to follow the great speakers and people I meet at the conference.

Ignite is 7 days away – it’s a problem!!

Well... it’s not that big of a problem, or yes it is! There are too many sessions I want to be at at the same time. As a first-timer at Ignite this will be a lot of fun and I’m looking forward to meeting a lot of people and learning much new stuff!

So over to the problem: I have added all the sessions I want to experience, and I now have up to 8 sessions at the same time at almost all hours throughout the week. So now comes the work of fixing my schedule for the week. The good thing is that we can watch almost all content as video on demand after the conference 🙂

Even though it’s my first time at Ignite, I have some tips!

  1. Arrive early to your sessions
  2. Have some break time between your sessions.
  3. Wear good and comfy shoes
  4. Keep hydrated
  5. Meet people and have fun!

Hope to see you at Ignite this year!

Get started with MFA – part two

So in the previous post I went through how to activate MFA for administrator roles in a really simple and effective way.

In this post we will focus on activating MFA for all regular users. First of all we need to evaluate who should be activated first, or whether we should activate all users at the same time, and do an evaluation of service accounts! If we enable MFA on, for example, a service account used for scan-to-email on “multi-functional printers”, or on a mailbox account which is used by a third-party ticketing system (POP/IMAP), we could break those services by just enabling MFA on all users.

My recommendation is that when you are more than 30 users in your company, you should select a few ambassadors who get MFA activated first and can therefore be the power users who help others with the registration if there are any hiccups (there should not be many).

And to activate MFA for end users I highly recommend using Conditional Access for

  • All users, excluding an Azure AD group which contains a “break the glass” admin and other service accounts
  • All cloud apps (no exceptions)
  • Grant access – but require MFA

Easy like that! And it's a really quick solution for your company.

The drawback here is that you need “Azure AD Premium P1” licenses to use Conditional Access, and a second drawback is that it's not scored in the Microsoft Secure Score.
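The three policy settings listed above, written out as a Microsoft Graph conditionalAccessPolicy request body; this is an added example, not code from the original post. New-MfaPolicyBody, the display name, the placeholder group ID and the choice to start in report-only state are assumptions made for illustration.

```powershell
# Added example, not from the original post. New-MfaPolicyBody is a hypothetical helper.
function New-MfaPolicyBody {
    [CmdletBinding()]
    param(
        # Object ID of the Azure AD group holding the break-glass admin and service accounts
        [Parameter(Mandatory)] [guid] $ExcludeGroupId,
        # Assumption: start in report-only mode, switch to 'enabled' after the pilot users are registered
        [ValidateSet('enabled', 'disabled', 'enabledForReportingButNotEnforced')]
        [string] $State = 'enabledForReportingButNotEnforced'
    )
    # An all-users policy without the exclusion group can lock out every account
    if ($ExcludeGroupId -eq [guid]::Empty) {
        throw 'Refusing to build an all-users MFA policy without an exclusion group.'
    }
    @{
        displayName   = 'Require MFA for all users'
        state         = $State
        conditions    = @{
            users          = @{ includeUsers = @('All'); excludeGroups = @($ExcludeGroupId.ToString()) }
            applications   = @{ includeApplications = @('All') }   # all cloud apps, no exceptions
            clientAppTypes = @('all')
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }   # grant access, require MFA
    }
}

# Placeholder object ID: replace with the ID of your own exclusion group
$body = New-MfaPolicyBody -ExcludeGroupId '11111111-2222-3333-4444-555555555555'
$body | ConvertTo-Json -Depth 5

# To create the policy, POST this JSON to
# https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
```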

Change default email address on public folder in Office 365

The problem:
A public folder in Office 365 Hosted Exchange will be assigned an @onmicrosoft.com address by default. And there is of course no way of changing this to your primary domain.

Solution:
Connect to the Windows Azure Active Directory Module for Windows PowerShell using the following commands.
Create a placeholder for your credentials:
$LiveCred = Get-Credential

A popup box will ask for your Office 365 Global Administrator credentials.

Create a placeholder for your PowerShell session towards Exchange Online.
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection

Import your PowerShell session to connect to Exchange Online.
Import-PSSession $Session

Run this command to allow all scripts:
set-executionpolicy unrestricted

Then run the following command to disable the policy for assigning email addresses in public folders.
Set-MailPublicFolder -Identity "\" -EmailAddressPolicyEnabled $False

Now, in your Office 365 tenant web admin, go to Exchange – Public Folders – highlight the public folder (email enabled) – click the pencil (edit) – click on Email Address – highlight the address you want to use as default – click the pencil – check the default email address checkbox.
Save, close and test.

Powershell: Exchange – Check database size

Here is a one-liner to check the database size for Exchange databases.

Start the Exchange Management Shell. Then run the following command:

Get-MailboxDatabase | foreach-object {add-member -inputobject $_ -membertype noteproperty -name mailboxdbsizeinGB -value ([math]::Round(([int64](get-wmiobject cim_datafile -computername $_.server -filter ('name=''' + $_.edbfilepath.pathname.replace("\","\\") + '''')).filesize / 1GB),2)) -passthru} | Sort-Object mailboxdbsizeinGB -Descending | format-table identity,mailboxdbsizeinGB

Source:
http://blogs.technet.com/b/gary/archive/2009/08/11/get-exchange-mailbox-database-size-one-liner-version-2.aspx

Finding Exchange Control Panel in Office 365 with new layout

Lately Microsoft has changed its layout in Office 365, and in that same change made it harder to find the Exchange Control Panel (ECP).

At the moment the easiest way to open ECP is to log in to your Office 365 Outlook Web Access.
Then, change the URL from something like this: https://pod51049.outlook.com/owa/ to this: https://pod51049.outlook.com/ecp/

As you can see, you change OWA to ECP and you're in!

© 2020 IdefixWiki
