What are Conditional Access Policies in Azure AD

What are Conditional Access Policies? Conditional Access Policies (CAPs) are identity-driven policies that govern user access to resources based on certain conditions. We can summarize them as if statements that govern what will be requested, enforced or blocked. As identity has become a key focus for security efforts, it’s essential to manage it in the best way possible. All policies “think” at the user level and are enforced after a user has completed the first…

What’s SMS Authentication and how to enable it in Azure AD

What’s Text Message Authentication? SMS-based authentication allows users to log in without needing to remember their username and password. After enabling the feature for an account, users can enter their phone number at the login prompt instead of their username. They will then receive an authentication code via text message that they can use to complete the login. This service is often mistaken for SMS-based Multi-factor Authentication, but they are…

What is Microsoft Purview Customer Key?

Microsoft Purview Customer Key (or Customer Key for short) is an encryption service mainly aimed at resolving regulatory issues with the adoption of Microsoft 365. This is the product you need in the Microsoft Cloud environment if you have a regulatory requirement to have ownership and control over the keys used to encrypt data at rest. Microsoft 365 already provides volume-level encryption through BitLocker and Distributed Key Manager (DKM), but…

Add or remove a user from a Conditional Access Policy (CAP) – Azure AD

What are Conditional Access Policies? Conditional Access Policies (CAPs) are identity-driven policies that govern user access to resources. We can summarize them as “if” statements that govern what will be requested, enforced or blocked. In most organizations, the CAPs govern the enforcement of MFA, the blocking of logins that use legacy protocols, and the requirement of a compliant device to access company resources. All policies “think” at the user level. It is advisable…

Enable file monitoring for Office 365 in Defender for Cloud Apps – DCA

Before enabling file monitoring in Defender for Cloud Apps, be sure to have the appropriate licensing assigned. To follow these steps, you’ll need the following: Please note that you’ll have to create a file policy as soon as you enable the feature. If you don’t create a file policy in the first seven days, the feature will be disabled. First, log into the Defender for Cloud Apps portal: Defender for…

Get all users of an Azure AD Group and add them to another one – PowerShell

The following script will get all the members of an Azure AD group and add them to another group. You’ll just need to know the name of the two groups to make it work. In the code shown below, the source group will be called Group1Name and the destination one Group2Name.

Unfortunately, your password contains a word, phrase or pattern that makes it easily guessable. – Azure AD

Suppose you or a user reset a password, and one of the following errors comes up. In that case, it means that either you are using a guessable password or that somebody in your organization has enabled Password Protection in your environment, and you are using a banned word. If you are a user, please try a more complex password to circumvent the error. Substituting @ with A, 1 with I, and…

Delete a user profile in Azure Virtual Desktop – AVD

To remove a user profile in Azure Virtual Desktop, you must first be sure that the user is logged off. If you are unsure about how to do it, follow the guide below. After you’ve checked this, you have two options based on the type of profile architecture you chose to implement. If you are unsure about which type of user profile solution you use, you can log in to…

This application contains sensitive information and can only be accessed from devices or client applications that meet management compliance policy – Azure AD

This error message results from the application of a Conditional Access Policy on your tenant that blocks users from accessing cloud resources using a non-compliant device. The compliance state of a device is evaluated by Intune. To check which compliance policies you have active in your environment, head to: Compliance Policies | Intune. To resolve the issue, either fix the device’s compliance state or exclude the user from the Conditional…

This application contains sensitive information and can only be accessed from domain joined devices – Azure AD

This error message results from the application of a Conditional Access Policy on your tenant that blocks users from accessing cloud resources without a hybrid-joined device. A Hybrid-joined device is an AD-joined client which gets synchronized to Azure AD via Azure Active Directory Connect (AD Connect). This process enables you to make the device visible to Azure AD and lets you manage it with Intune. If you are looking to…

Online Mailbox cannot be created because an on-premise one already exists – Exchange Online

This issue is mainly present if you are trying to migrate from Exchange on-premises to Exchange Online and you’re not going with the hybrid route. The “double mailbox” way consists of having an online mailbox and a local one, and manually (or automatically, using tools) migrating the content online. The issue is that, if you are synchronizing your on-premises AD with Azure AD, you are most probably including your msExchMailboxGUID…

Enable Modern Authentication for Outlook 2013

Since Microsoft will soon start to turn off Basic Authentication for Exchange Online, you’ll have to enable Modern Authentication client-side if you still have some machines running Outlook 2013 and want them to connect to Office 365. This is quickly done by adding some registry keys. Modern authentication is already enabled by default in Office 2016 and later versions. This process will activate the Modern Authentication workflow for all the apps…

Restrict access to Azure Management apps – Azure AD

If we want to restrict access to the Azure management services for non-privileged users, we can now create a Conditional Access Policy that allows us to do so. To create a Conditional Access Policy, we’ll need Azure Active Directory Plan 1 or higher, which is either bought standalone or can be found most notably inside Microsoft 365 Business Premium or the Microsoft 365 Enterprise plans (E3, E5). On the other…

Additional Context and Number Matching User Guide – MFA

I wanted to publish the following article, which is how I would notify my users of the upcoming activation of Additional Context and Number Matching in their MFA requests. If instead you are looking for a guide on how to enable Additional Context and Number Matching, follow the guide linked below. Feel free to use the message below as your own. The images are taken from a wonderful article by…

Find stale Enterprise Applications – Azure AD

If you just blocked users from registering applications, or you are just analyzing your Enterprise applications, you may find that there is a lot of work ahead of you. First, you may want to find if there are applications with no user assigned. Then you may wonder if there are applications without sign-ins in the last 30 days. To ease your work, you may find it useful to query all…

Microsoft Secure Score not updating

The Microsoft Secure Score is a useful page to get an idea of the general improvement areas you should monitor and approach in your tenant. When you make a change to reflect one of the improvement actions, you might have to wait up to 48 hours to get the points in the portal. If you have waited the 48 hours (generally, it’s 24 hours, but the job might fail), check…

Secure Teams, a step by step hardening guide

This is a brief and introductory guide on what you may want to configure and change in a basic hardened Teams environment. Please consider that these are just general recommendations, and what works for a company may not be the best for another one. This is especially true when it comes to setting up collaboration services. Keep in mind that your Teams security is only as good as your identity…

Unblock at-risk user – Azure AD

If a user can’t access your tenant and forwards the following message to you, here are the steps on how you can solve it. “Your account is blocked. We’ve detected suspicious activity on your account. Sorry, the organization you are trying to access restricts at-risk users. Please contact your admin.” The unblock is done by either resetting the user password or clearing the user risk once you have assessed that…

How to check which Conditional Access Policy is blocking a user log-in – Azure AD

If you have Conditional Access Policies in place to block certain log-ins, a user might contact you because their sign-in request is being blocked. Probably neither you nor the user knows which policy is making the log-in fail, since it’s not specified in the error message. The usual error message is something along the lines of: “Your sign-in was successful, but does not meet the…

User blocked due to risk on home tenant – Azure AD

If you just enabled Azure AD Identity Protection for your entire tenant, you might get some complaints from guest users, saying that their sign-in was blocked. If you have a similar issue, but the user is not a guest but a member of your organization, follow this guide: Unblock at-risk users – Azure AD. You cannot remediate the user risk of a guest. If you try to look for a guest user…

Enable idle session timeout for Microsoft 365

In the last few days, Microsoft implemented a timeout feature for the Microsoft 365 portal and the Office web apps. The aim is to disconnect a user if no activity is received. This will go on to become a global setting: “Idle session timeout for Microsoft 365 web apps will eventually replace current idle timeout settings in Outlook Web App (OWA) and SharePoint Online (SPO)”. This feature is not tab…

Outlook requires app password for connecting to Exchange Online

Even if most people use modern authentication for connecting to Exchange Online, some users still have to use app passwords to enable connections from Outlook. For tenants created after August 2017, modern authentication is enabled by default, but some admins have it turned off. To enable modern authentication for Exchange Online, follow these steps: Click on Modern authentication | Microsoft.com or go to admin.microsoft.com, then Settings, Org Settings, Modern authentication. Select…

Apple Mail not working after disabling Legacy Authentication – Exchange Online

If you just enabled a Conditional Access Policy blocking legacy authentication to Exchange Online, enabled Security Defaults, or Microsoft disabled it for your tenant, you might see some Apple Mail clients not connecting anymore. This issue happens because the profile might still be configured to use Exchange ActiveSync to connect to Exchange Online, and EAS (along with other legacy protocols) will be retired in October 2022. Apple supports an automatic…

Scan now is greyed-out in Azure Information Protection – AIP

If you just installed the Azure Information Protection on-premises scanner and you are trying to start your first Content Scan Job, you might find that the “Scan now” button is greyed out. Before attempting to troubleshoot, check that you selected the job below. If you did, try restarting the service “Azure Information Protection Scanner” on the SQL server and refreshing the Azure Content scan job page. If you still cannot…

Enable number matching and additional context with Microsoft Authenticator – Azure AD

It’s been a while since Microsoft released number matching and additional context for the Microsoft Authenticator. These features allow you to quickly improve your passwordless or MFA approach, adding a new layer of security and preventing accidental approvals. This is also useful to lower the chances of being compromised by MFA fatigue attacks. To enable these features, follow this link, which will guide you into Azure AD, Security, then Authentication methods:…

Automatically apply Sensitivity Labels to files and libraries – Microsoft Purview

There are a couple of ways to enable an automatic classification of files in SharePoint. The first one, more complete from a customization point of view, is to use a File Policy in Defender for Cloud Apps. The second one (the newer and less recommended one, to be fully released Q3/Q4 2022) is to use a Default Sensitivity Label in SharePoint Online. If you are looking at how to enable…

How to download the disk of an Azure VM – Azure

Since Azure introduced the option to download the OS disk of a VM directly, you no longer need to jump through hoops to download the unmanaged disk (or go the snapshot route). Here are some easy steps to directly download the disk of your Windows / Linux VM. Please note that a Sysprep is advised if you need to use the disk as a template to create new VMs. Go to the…

ResourceNotTopLevel error when trying to move resources – Azure

When you transfer Azure resources between subscriptions, you might get the following error: “ResourceNotTopLevel”. This is caused by the fact that you only have to select top-level resources for the move, and the dependencies will be moved automatically. For example, say you selected both a Network Watcher Extension and the related VM you want to move. You will just need to move the VM object, and the extension will come…

Automatically clean up inactive Guest users – Azure AD

Using Azure AD Access Reviews (available with AAD P2), you can automatically remove users from your tenant who haven’t had access in a specified number of days. In this guide, we will implement the access review step by step. This is a great way to clean up your tenant automatically and can be scheduled. WARNING: The procedure used to clean up only users who didn’t have access in the last…

Enable Unified Audit Logs – Office 365

Unified Audit Log is one of the essential features for tracking down every action done across the tenant. The logs are kept for 90 days by default, but you can extend them using special add-ons. If you want to check whether the logging is enabled on your tenant, connect to Exchange Online with PowerShell. Once connected, you can check the status. If you get “True” as a result, the logging…

Cancel downloaded updates in Windows Server

If the server has automatically downloaded an update (such as the SharePoint ones) which you don’t want to install, try following these steps to delete the queue: Open an elevated PowerShell, then run the following command. Open an elevated PowerShell, then run the following commands to make a backup of the folders we’re going to delete. Check that the backup has been created, then proceed to delete the content of…

Add / remove the requirement to apply a sensitivity label to documents and emails – Microsoft Information Protection

When you select “Require users to apply a label to their email and documents” inside a label policy in Microsoft Information Protection, users will be required to classify the documents they create/modify. To add this requirement, access the compliance portal and select a label policy you created. https://compliance.microsoft.com/informationprotection?viewid=sensitivitylabelpolicies Then click “Edit policy” and go straight into “Settings”. Select “Require users to apply a label to their emails and documents”, then save the label policy.…

Force Azure File Sync tiering

If you are encountering issues with Azure File Sync, or you just want to force the process so that you can free some space now, follow the commands shown below: If you want to get some logs out of the operation for troubleshooting, run these commands in a separate PowerShell window before launching the script above: You can terminate the command once the sync is concluded and get the logs…

Disconnect a user session in Azure Virtual Desktop (AVD) – PowerShell

Prerequisites: the Microsoft.RDInfra.RDPowerShell module and the Az PS module. First, install the RDInfra module: Then proceed by installing the Az module and logging in: Once you are logged in, you can run the following script to disconnect a specific user session:

Force Outlook to connect to Office 365

If you have an internal Exchange server powered on and you have migrated to Office 365, you might see some Outlook clients (2016/365) having issues. To force the connection to Office 365 instead of the internal server, you can try adding this registry key:
Path: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\AutoDiscover
Value: ExcludeScpLookup
Type: DWORD
Data: 1
This way, the domain-joined clients will not be able to ask Active…

Repair / troubleshoot a Linux VM – Azure

If you encounter a boot or disk error with a VM, you need to attach the OS disk to another VM to troubleshoot the issue. The command we will run in Azure Cloud Shell is az vm repair create. To create a troubleshooting VM, follow these steps: Open Azure Cloud Shell in bash or install Azure CLI in your bash environment. Run the following command: az vm repair create -g "resourcegroupname" -n "VMname"…

Exchange API missing for Veeam modern auth in Azure AD

If you are looking for the Exchange API to configure modern authentication for Veeam, you’ll find that it is no longer present under “Request API Permissions” -> “Microsoft API”. Instead, what you want to do is go into “APIs my organization uses” under the “Request API Permissions”, then search for “Office 365 Exchange Online”. It’s basically the same thing, only a bit harder to find, as the search doesn’t show…

Configure a SLES VM for Azure Site Recovery

To configure a VM for Azure Site Recovery we’ll need to configure the Microsoft Azure Linux Agent and enable the console. The VM will automatically get the DHCP network settings that it will need to get an IP from Azure. First, add the repository and install the agent: SLES 12 SP3: SLES 12 SP4 SLES 15 SLES 15 SP1 SLES 15 SP2 Then enable automatic updates for the agent: Go…

ASR Kernel modules fail to load while installing the Mobility Service (VMware) – Azure

If some kernel modules fail to load (such as in the example below) while installing the Mobility Service agent, please check whether the kernel is supported in your Configuration Server version and whether Secure Boot is enabled. Check the following page to see if the kernel version is supported: https://docs.microsoft.com/en-us/azure/site-recovery/vmware-physical-azure-support-matrix#ubuntu-kernel-versions If it’s supported, try launching the following command: If it’s enabled, you should get something along the lines of: Please note that…

ASR Data change rate is beyond supported limits

If you see the event “Data change rate beyond supported limits” in the ASR replicated items logs, you probably need to change the disk type of your managed disks for that Virtual Machine. I would advise waiting a bit to check if the error disappears or remains consistent. To change the disk size go to:

Cannot enable protection for a VM in ASR “This operating system isn’t supported in Azure”

If you get the following error, please check if the OS and kernel versions are supported: https://docs.microsoft.com/en-us/azure/site-recovery/vmware-physical-azure-support-matrix If they are supported, you can manually install the agent on the VM. If it doesn’t work, try checking if the VM in VMware is configured as “Other (64-bit)” in the guest OS version. If it is, you should change the version to the specific Linux distribution you have installed. Mind that the…

Recover ASR Configuration server passphrase

To recover your passphrase, sign in to the configuration server, then open a command line. Change directory using: then export your passphrase using the following command: Open the file with Notepad to get the key:

Install the Azure Linux Agent on CentOS 8 – Azure

To install the Azure Linux Agent on CentOS 8, follow these steps:
dnf install WALinuxAgent
Enable the agent to start at boot time and start the service:
systemctl start waagent
systemctl enable waagent

Enable Azure Serial Console for replicated Linux VMs – Azure

If you replicate a Linux VM right away, you might end up with the serial console not working. This can be a particular issue if you have your network interfaces set as static and you have to change the IP addresses. To enable the Serial Console, you have to log into your on-premises Linux VM and run the following:
systemctl start serial-getty@ttyS0.service
systemctl enable serial-getty@ttyS0.service
Wait until the changes will…

Windows – Cannot start WAS and W3SVC

If you get “System error 2 has occurred” when starting WAS (Windows Activation Services) and you also cannot start W3SVC (World Wide Web Publishing Service), try the following:
Open Regedit
Go into HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WAS\Parameters
Locate the NanoSetup DWORD
Delete the NanoSetup DWORD
Open an elevated command prompt and run “net start was” and “net start W3SVC”

Change Outlook profiles from one month cache to online in AVD/WVD

Unfortunately, at this time, there is no way to change Outlook profiles from cached mode (1 month retention) to online mode in the Outlook settings. To configure the cache settings in Outlook (2016/365) in a WVD session you need to use Active Directory GPOs or local Group Policies. To use local group policies follow these steps:

Check whether you are using an FSLogix profile in Azure Virtual Desktop – AVD

To check whether you are using an FSLogix profile in an AVD session, enter the AVD instance, then browse to the following folder: C:\Program Files\FSLogix\Apps Open frxtray.exe and open the System Tray as shown in the following picture: Right-click on the frxtray icon and click Open: From here you can see that we get “Profile status: Active”, which indicates that we are using an FSLogix profile. If you are using a…

Sysprep fails due to an app that was installed for a user, but not provisioned for all users

Example errors:
1. Package Microsoft.LanguageExperiencePackit-IT_19041.3.7.0_neutral__8wekyb3d8bbwe was installed for a user, but not provisioned for all users. This package will not function properly in the sysprep image.
2. SYSPRP Failed to remove staged package Microsoft.LanguageExperiencePackit-IT_19041.49.150.0_neutral__8wekyb3d8bbwe. Failed to remove apps for the current user.
To fix this kind of error, mainly found in Azure Virtual Desktop implementations with custom languages, you must manually delete the app that was provisioned just for your…

Error 53 when mounting Azure File Share – Azure

If you get an error 53 when trying to mount an Azure File Share, there are two main issues that might be causing it. Port 445 is blocked. To check the effective connection, and start the troubleshooter, run the following:
Login-AzAccount
$ResourceGroupName = "ba-weu-wvd-rg"
$StorageAccountName = "baweufslogixsa"
$storageAccount = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName
Test-NetConnection -ComputerName ([System.Uri]::new($storageAccount.Context.FileEndPoint).Host) -Port 445
If, on the other hand, the error is that NTLMv2 is not enabled, please…

Extend LVM partition after resizing disk – Linux

First, rescan the disk after upgrading its size. Swap out sda for your disk:
echo 1 > /sys/class/block/sda/device/rescan
Then open parted:
parted
Inside parted send:
print
It will display the partitions on the disk:
Number  Start   End     Size    File system  Name  Flags
 1      1049kB  2097kB  1049kB                     bios_grub
 2      2097kB  1076MB  1074MB  ext4
 3      1076MB  644GB   643GB
Send resizepart, then insert the partition number you wish to extend. After that, insert the new partition size in…

IdFix – Pre AdConnect assessment for your on-prem AD

IdFix is a tool to discover and remediate identity problems before synchronization to Azure Active Directory. To use IdFix you will need: a domain-joined computer / server, and a user account with at least read access to the AD objects. The process is really straightforward. Get IdFix from here: https://raw.githubusercontent.com/Microsoft/idfix/master/publish/setup.exe Install and open IdFix, then click on “Query”. After the process has been completed, you will be shown all the problems…

Enable Known Folder Move using regedit – OneDrive

Known Folder Move is a “new” functionality in OneDrive that enables you to seamlessly recreate the same user experience across multiple devices. Especially useful in a Windows Virtual Desktop / VDI environment, it automatically syncs all the “Known Folders” (Desktop, Documents, Pictures etc.) when a user logs in. To enable it via Registry Editor you’ll first have to get your tenant ID. Find it here under “Directory ID”: https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Properties…

How to cancel a reservation – Azure

To cancel a reservation you have to have specific permissions on the reservation order. The permissions are not inherited from the subscription, so… contact whoever created the reservation (or just open a ticket with the Azure Engineers). Once you have the right account (or you’ve been given the permissions), go to the reservations tab in the Azure Portal. It’s best to have at least a couple of people who have…

Project Freta

Project Freta is a newly announced offer from Microsoft, which aims at discovering any malware or rootkit running on Linux systems by conducting memory forensic analysis automatically. The analysis is conducted at no cost and the data is very easy to extract, democratizing the forensic process. Project Freta was designed and built with survivor bias at its core. It is a security project designed from first principles to drive the…

Move resources request is blocked by an Azure Backup job.

Error message: The move resources request contains resources like “*OsDisk*” that are being backed up as part of a Azure Backup job. Browse the link https://aka.ms/vmbackupmove for information If you encounter this error, check if the VM’s backup is stopped. If it’s stopped, you need to remove the instant snapshot that has been created by the system: List source: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-limitations/virtual-machines-move-limitations#portal

VM has reported a failure when processing extension ‘joindomain’ – AVD

If you encounter this error while creating a new VM from the host pool wizard, try following these suggestions to solve the issue, or at least drill down on the problem:
Check whether you can resolve your domain from your VNET
Check what DNS servers are configured on your VNET and correct accordingly (follow this guide: Change VNet DNS Servers)
Check if you have permissions to join the domain using the credentials you…

Microsoft Assessment and Planning (MAP) Toolkit – Minimum user requirements to run a scan

To scan the servers / PCs using the MAP Toolkit, you will need an AD user with administrative privileges on all the components to scan. This will be enough if you need a report of what’s installed on a series of servers/clients, their roles, and all “local” related queries, or basic AD queries. For Exchange-related queries, you will need an Exchange Admin or Domain Admin. Please refer to the following…

Enable SMTP AUTH for a mailbox – Office 365

If you try to set up a printer / external device with SMTP, you might encounter an authentication error. This is caused by the fact that Microsoft now disables SMTP AUTH by default for the tenant and for the new mailboxes created on Office 365. To enable SMTP AUTH for a mailbox, follow these steps:
Go into Users
Click Active Users
Select the user
Click Mail
Click Manage email apps
Enable Authenticated SMTP by flagging it…

Error opening directory /mnt in Azure Storage Explorer for Linux

When you try to upload files in Azure Storage Explorer from the /mnt or /media partition, you get a permission denied error. The error is related to the snap version of Azure Storage Explorer. This is a common error with snap applications. To fix it, from snap, enter Azure Storage Explorer, then click Permissions. From there, enable “Read/write files on removable storage devices”.

Activate Azure Update Management for on premise servers using Log Analytics

Requirements:
i. Log Analytics workspace
ii. Azure Automation Account
From the Log Analytics Workspace, click Connect a data source
Save the Workspace ID and Workspace key
Install the agent on the server, providing the Workspace ID and Key found in the workspace
Go into the automation account, then from the left into Update Management
Enable update management on the VM by clicking on “Click to manage machines”
You can then see the missing updates and…