Apple Mail not working after disabling Legacy Authentication – Exchange Online

If you just enabled a Conditional Access policy blocking legacy authentication to Exchange Online, enabled Security Defaults, or Microsoft disabled legacy authentication for your tenant, you might see some Apple Mail clients no longer connecting.

This happens because the profile might still be configured to use Exchange ActiveSync to connect to Exchange Online, and EAS (along with other legacy protocols) will be retired in October 2022.

Apple supports an automatic switch to modern authentication for its profiles, but only if it was freshly configured after iOS 12.

Unfortunately, it seems that backing up and restoring profiles does not trigger the switch to modern auth, so if you moved to a new iPhone and didn’t reconfigure the profile manually, you’ll need to remove and recreate it.
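Before turning on the block, it helps to know which users are still signing in with legacy protocols such as EAS. The following script is an added example, not part of the original post: it filters an exported list of Azure AD sign-in records (constructed sample data; field names follow the sign-in log schema, and the set of legacy clientAppUsed values is an assumption) and lists the Apple Mail profiles that still use Exchange ActiveSync.

```python
"""Find sign-ins that still use legacy authentication to Exchange Online."""
import json
from collections import defaultdict

# clientAppUsed values that the Conditional Access "legacy authentication
# clients" condition blocks (assumption: matches the current Azure AD sign-in
# log vocabulary; "Exchange ActiveSync" is the one Apple Mail profiles use).
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync",
    "Other clients",
    "IMAP4",
    "POP3",
    "Authenticated SMTP",
    "Exchange Web Services",
    "Outlook Anywhere (RPC over HTTP)",
    "Exchange Online PowerShell",
}

# Constructed sample export of Azure AD sign-in records (not real data);
# only the fields this script reads are included.
SAMPLE_SIGNINS = json.dumps([
    {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "Exchange ActiveSync", "userAgent": "Apple-iPhone13C2/2001.1",
     "createdDateTime": "2022-06-01T08:15:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.example", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "Mobile Apps and Desktop clients", "userAgent": "Outlook-iOS/2.0",
     "createdDateTime": "2022-06-01T08:20:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "Exchange ActiveSync", "userAgent": "Apple-iPhone13C2/2001.1",
     "createdDateTime": "2022-06-02T07:05:00Z", "status": {"errorCode": 53003}},
    {"userPrincipalName": "carol@contoso.example", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "IMAP4", "userAgent": "",
     "createdDateTime": "2022-06-02T09:40:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "dave@contoso.example", "appDisplayName": "OfficeHome",
     "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0",
     "createdDateTime": "2022-06-02T10:00:00Z", "status": {"errorCode": 0}},
])


def legacy_auth_signins(signins_json):
    """Return the records whose client used a legacy authentication protocol."""
    return [s for s in json.loads(signins_json)
            if s.get("clientAppUsed") in LEGACY_CLIENT_APPS]


def summarize_by_user(signins_json):
    """Per user: which legacy protocols and user agents were seen, and whether
    any attempt was already blocked by Conditional Access (AADSTS53003)."""
    summary = defaultdict(lambda: {"protocols": set(), "user_agents": set(),
                                   "blocked_by_ca": False, "last_seen": ""})
    for s in legacy_auth_signins(signins_json):
        entry = summary[s["userPrincipalName"]]
        entry["protocols"].add(s["clientAppUsed"])
        if s.get("userAgent"):
            entry["user_agents"].add(s["userAgent"])
        if s.get("status", {}).get("errorCode") == 53003:
            entry["blocked_by_ca"] = True
        # ISO-8601 timestamps in UTC sort correctly as strings
        entry["last_seen"] = max(entry["last_seen"], s["createdDateTime"])
    return dict(summary)


def apple_mail_eas_users(signins_json):
    """Users whose Apple Mail profile still talks Exchange ActiveSync: these are
    the profiles that must be recreated (or wait for the iOS 15.6 migration)."""
    return sorted(
        upn for upn, e in summarize_by_user(signins_json).items()
        if "Exchange ActiveSync" in e["protocols"]
        and any(ua.startswith("Apple-") for ua in e["user_agents"])
    )


if __name__ == "__main__":
    for upn, e in sorted(summarize_by_user(SAMPLE_SIGNINS).items()):
        print(f"{upn}: {sorted(e['protocols'])} last={e['last_seen']} "
              f"blocked_by_CA={e['blocked_by_ca']}")
    print("Apple Mail profiles on EAS:", apple_mail_eas_users(SAMPLE_SIGNINS))
```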

UPDATE 16.06.2022:

Apple will add support for the automatic migration to modern auth in iOS 15.6. Once you update your Apple device, the Mail app will use the saved credentials to establish a new authentication flow. From that moment onward, you’ll authenticate to Azure AD (Microsoft’s online identity provider) and get a new OAuth access token. The “old” stored credentials will then be removed. The process is fully transparent to users.

Read the full announcement here: Microsoft and Apple Working Together to Improve Exchange Online Security

Scan now is greyed-out in Azure Information Protection – AIP

If you just installed the Azure Information Protection on-premises scanner and you are trying to start your first Content Scan Job, you might find that the “Scan now” button is greyed out.

Before attempting to troubleshoot, check that you selected the job below. If you did, try restarting the service “Azure Information Protection Scanner” on the SQL server and refreshing the Azure Content scan job page.

If you still cannot start the scan, try executing the following command on the SQL server, and insert the credentials of the service account:

$scanner_account_creds= Get-Credential
Start-AIPScannerDiagnostics -onbehalf $scanner_account_creds -Verbose -VerboseErrorCount 50

For further information refer to the following articles:

Troubleshooting your unified labeling on-premises scanner deployment

Start-AIPScannerDiagnostics

Enable number matching and additional context with Microsoft Authenticator – Azure AD

General Introduction

It’s been a long time since Microsoft released number matching and additional context for the Microsoft Authenticator. These features let you quickly improve your MFA posture, adding a new layer of security and preventing accidental approvals. They also lower the chances of being compromised by MFA fatigue attacks.
The feature consists of a map shown on the MFA prompt on your phone that indicates where the MFA request is coming from, the name of the application requesting the MFA challenge, and a box in which to enter the number shown on screen.

Image taken from the Microsoft Docs. Link in the notes



How to enable it

To enable these features, follow this link, which takes you to Azure AD > Security > Authentication methods:

Authentication methods | Azure AD

From here, click “Microsoft Authenticator”.

Click “Yes” under “ENABLE”, then on “Configure”.

Be sure to activate “Require number matching for push notifications”, “Show application name in push and passwordless notifications” and “Show geographic location in push and passwordless notifications”, then save.

You can scope the features to a selected group of users if you want to test them out and go for a gradual rollout. This is done by selecting “Select group” and adding the group for which you want to enable the feature.



Additional notes

Check out this article if you are looking for a communication to send out to users before rolling out the features:

Here is a link to the Microsoft Documentation:

How to use number matching in multifactor authentication (MFA) notifications – Authentication methods policy

Here is a link to the CISA documentation on the topic:

Implementing Number Matching in MFA Applications | CISA

Automatically apply Sensitivity Labels to files and libraries – Microsoft Purview

There are a couple of ways to enable an automatic classification of files in SharePoint. The first one, more complete from a customization point of view, is to use a File Policy in Defender for Cloud Apps. The second one (the newer and less recommended one, to be fully released Q3/Q4 2022) is to use a Default Sensitivity Label in SharePoint Online.

If you are looking at how to enable file monitoring and file policies, follow this guide:

File Policy in Defender for Cloud Apps

To create a policy that automatically matches and labels files in the root folder and the subfolders, follow the steps below:

  • Open the MDCA portal.
  • Create a new file policy.
  • Create a broad filter. I’ve set it as “App equals SharePoint Online” for this example.
  • Under “Apply to”, specify the root folder where the policy should start to apply.
  • Apply the governance action “Apply sensitivity label”, and select your label. Check the box below if you wish MDCA to override all user-defined labels. This will override older labels set on docs in the site and new ones defined at document creation.
  • Save the policy.

Suppose you would like a policy to automatically apply labels to all the files and subfolders recursively from a root folder onward in SharePoint or OneDrive. In that case, you might think you can use the “Files matching all of the following” filter. Unfortunately, this won’t work, as it will not match recursively on the files contained in the subfolders.

Default Sensitivity labels in SharePoint Online

Once you enable SharePoint to process labels, you can configure a default label for document libraries. This will ensure that any new or newly modified files get the specified label.

The feature will not apply to documents not opened since setting the default label or if the file has a higher priority label applied. Therefore, I would recommend, for the moment, using PowerShell or MDCA (as shown above) before setting the default label.

The feature will also not work if you have “User access to content expires” set to anything other than Never, or if you use Double Key Encryption.

Also, please note that PDFs are not currently getting labelled using this method, but I expect this to change before Q4 2022. Please refer to the docs for further updates, depending on when you are reading this:

Configure a default sensitivity label for a SharePoint document library | MS Docs

Here is a summary table, taken from the official Docs:

Existing label                                Override with library default label
Manually applied, any priority                No
Automatically applied, lower priority         Yes
Automatically applied, higher priority        No
Default label from policy, lower priority     Yes
Default label from policy, higher priority    No

If you wish to enable this feature:

  • Go to Information Protection | Purview
  • Click on Labels, then “Turn on now” under “Your organization has not turned on the ability to process content in Office online files that have encrypted sensitivity labels applied and are stored in OneDrive and SharePoint. You can turn on here, but note that additional configuration is required for Multi-Geo environments.”
  • Open your SP document library, then in the top right corner click settings (the “gear” icon), then “Library settings”.
  • Select your default label, then click “Save”.

Allow some time between enabling the feature and looking for the library setting, as you probably won’t find the feature right away; you’ll have to wait up to 24 hours.

How to download the disk of an Azure VM – Azure

Since Azure introduced the option to download the OS disk of a VM directly, you no longer need to go through the hassle of downloading the unmanaged disk (or take the snapshot route).
Here are some easy steps to directly download the disk of your Windows / Linux VM.
Please note that a Sysprep is advised if you need to use the disk as a template to create new VMs.

  • Go to the VM, and stop it.
  • Click on “Disks”, then on the OS Disk.
  • Click on “Disk Export”, then in the field enter a higher number (e.g. 30600) so that you have plenty of time to download the disk. Once done, click “Generate URL”.
  • Click on “Download the VHD file”.

ResourceNotTopLevel error when trying to move resources – Azure

When you transfer Azure resources between subscriptions, you might get the following error: “ResourceNotTopLevel”.

This happens because you only need to select the top-level resources for the move; their dependencies are moved automatically.

For example, say you selected both a Network Watcher Extension and the related VM you want to move. You just need to move the VM object, and the extension will come along with the server.

Example of an error code:


{
    "code": "ResourceNotTopLevel",
    "message": "Identifier '/subscriptions/0000000000000000000/resourceGroups/MoveResource/providers/Microsoft.Compute/virtualMachines/VMtobeMoved/extensions/AzureNetworkWatcherExtension' is not a top level resource. Please include only the top-level resource for this child resource in the move request. A child resource would be moved along with its associated top-level resource."
}

From the error message, you can see that you only need to move the following resource, which is the top-level one:

/subscriptions/0000000000000000000/resourceGroups/MoveResource/providers/Microsoft.Compute/virtualMachines/VMtobeMoved

It’s good to remember that if dependent resources are distributed across different resource groups, you’ll first have to move them into one resource group and then attempt the migration.
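As an added example (not from the original post), here is a small Python helper that pulls the child resource ID out of a ResourceNotTopLevel error and derives the top-level resource to put in the move request, then reduces a list of selected resources to the unique top-level ones. The error payload is reconstructed from the one shown above, with the placeholder subscription ID.

```python
"""Derive the top-level resource for an Azure move request from the child
resource ID reported in a ResourceNotTopLevel error."""
import json
import re

# Constructed error payload in the shape shown above (the subscription ID
# is a placeholder, not a real one).
SAMPLE_ERROR = json.dumps({
    "code": "ResourceNotTopLevel",
    "message": ("Identifier '/subscriptions/0000000000000000000/resourceGroups/"
                "MoveResource/providers/Microsoft.Compute/virtualMachines/"
                "VMtobeMoved/extensions/AzureNetworkWatcherExtension' is not a "
                "top level resource. Please include only the top-level resource "
                "for this child resource in the move request."),
})


def parse_resource_id(resource_id):
    """Split an ARM resource ID into scope, provider namespace and the list of
    (type, name) pairs after 'providers/'. Raises ValueError on malformed input."""
    m = re.fullmatch(
        r"(/subscriptions/[^/]+/resourceGroups/[^/]+)/providers/([^/]+)/(.+)",
        resource_id, re.IGNORECASE)
    if not m:
        raise ValueError(f"not a resource-group scoped ARM resource ID: {resource_id}")
    scope, namespace, rest = m.groups()
    parts = rest.strip("/").split("/")
    # Segments after the namespace must come in type/name pairs
    if len(parts) < 2 or len(parts) % 2:
        raise ValueError(f"unbalanced type/name segments in: {resource_id}")
    pairs = list(zip(parts[0::2], parts[1::2]))
    return {"scope": scope, "namespace": namespace, "pairs": pairs}


def top_level_resource_id(resource_id):
    """Return the ID of the top-level resource that owns this (possibly nested)
    child resource. A top-level resource returns itself."""
    p = parse_resource_id(resource_id)
    rtype, name = p["pairs"][0]
    return f"{p['scope']}/providers/{p['namespace']}/{rtype}/{name}"


def child_id_from_error(error_json):
    """Pull the quoted identifier out of a ResourceNotTopLevel error message."""
    err = json.loads(error_json)
    if err.get("code") != "ResourceNotTopLevel":
        raise ValueError(f"unexpected error code: {err.get('code')}")
    m = re.search(r"Identifier '([^']+)'", err["message"])
    if not m:
        raise ValueError("no identifier found in error message")
    return m.group(1)


def move_request_targets(resource_ids):
    """Reduce a list of resources selected for a move to the unique set of
    top-level resources, which is what the move request must contain.
    Resource IDs are compared case-insensitively, as ARM does."""
    seen, targets = set(), []
    for rid in resource_ids:
        top = top_level_resource_id(rid)
        if top.lower() not in seen:
            seen.add(top.lower())
            targets.append(top)
    return targets


if __name__ == "__main__":
    child = child_id_from_error(SAMPLE_ERROR)
    print("child resource :", child)
    print("move this one  :", top_level_resource_id(child))
```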

Automatically clean up inactive Guest users – Azure AD

Using Azure AD Access Reviews (available with Azure AD Premium P2), you can automatically remove guest users from your tenant who haven’t had access in a specified number of days. In this guide, we will implement the access review step by step.

This is a great way to clean up your tenant automatically and can be scheduled.

NOTE: This procedure originally cleaned up only users who hadn’t had access in the last 30 days. It has now been expanded to support a variable number of days (e.g. 60, 90, etc.).

Step by step guide

As a prerequisite, you’ll need to create a dynamic group in AAD, which will contain all guest users who can log in to the tenant:

  • To create the group, go to AAD Groups, then click on “New Group”.
  • Select Group Type as “Security”, give the group a name, and select “Membership type” as “Dynamic User”.
  • Under “Dynamic user members”, click on “Add dynamic query”.
  • The query you will want to create is:
(user.userType -eq "Guest") and (user.accountEnabled -eq true)

You can also create this group using PowerShell by pasting the following command after installing the Graph module.

Import-Module Microsoft.Graph.Groups

# The membership rule is single-quoted so the embedded double quotes are kept literally
$params = @{
    DisplayName = "Guest_review_dynamicgroup"
    MailEnabled = $false
    MailNickname = "fb7kk308-6"
    SecurityEnabled = $true
    Description = "Group used for the automatic guest removal process"
    GroupTypes = @(
        "DynamicMembership"
    )
    MembershipRule = '(user.userType -eq "Guest") and (user.accountEnabled -eq true)'
    MembershipRuleProcessingState = "On"
}

New-MgGroup -BodyParameter $params

The accountEnabled attribute lets you filter for users who can log in. Since the access review disables the account for 30 days before deleting it permanently, this filter selects only the guest users still active in the tenant, and not the ones already waiting to be automatically deleted.

  • Once done, click on “Create”.

To create the access review, open this link, then follow the steps listed below:

Identity Governance | Access Reviews

  • Click on “New access review”.
  • Select “Teams + Groups” under “Select what to review”, “Select Teams + groups” under “Select review scope”, enter your group under “Group”, then click on “Guest users only” under “Scope”.
  • You can then filter only for the guests that have not had access in a specified number of days. This is accomplished using this part of the wizard:
  • Click on Next, and under “Select reviewers”, click on “Selected user(s) or group(s)”. The person or people who will manually review the users to delete should be selected just below. If not needed, insert an admin and go ahead. I always give at least 3 to 5 days for the reviewers to check whether somebody should not be blocked or deleted. If some guest user should always be excluded from the review, you can add an exclusion in the AAD Group membership rules.
  • In the last section, you’ll want to select auto-apply results to make the automation work. Under “If reviewers don’t respond”, choose “Take recommendations”. The recommendations are based on whether the user has logged in recently or not. There are no other recommendations that I am aware of at this moment. Under “Action to apply on denied guest users”, select “Block user from signing-in for 30 days, then remove user from the tenant”. Be sure that “No sign-in within 30 days” is selected as the reviewer decision helper, as per the image below.
  • If you want this to be fully automated, deselect “Justification required”.
  • Once done, click on “Review + create”, give the review a name and click on “Create”.

Guest users who haven’t signed in within the specified number of days will now be blocked automatically. After 30 days, the blocked users will be removed from the tenant.

Additional resources

Jef Kazimer wrote a really cool guide on how to remove unredeemed B2B guests from your Azure Active Directory:

Using Azure Automation with Managed Identities to remove unredeemed B2B guests

Enable Unified Audit Logs – Office 365

Unified Audit Log is one of the essential features for tracking down every action done across the tenant.

The logs are kept for 90 days by default, but you can extend the retention with add-ons.

If you want to check whether the logging is enabled on your tenant, connect to Exchange Online with PowerShell. Once connected, you can check the status.

Install-Module ExchangeOnlineManagement
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName yourupn@domain.com
Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled

If you get “True” as a result, the logging is enabled. If you get “False”, follow the steps below to enable it:

PowerShell way:

In the PowerShell session you opened earlier to check the audit log status, run the following command:

Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

You might be asked to run “Enable-OrganizationCustomization” before relaunching the command. You must wait 30 to 60 minutes after sending “Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true” to see it enabled in the portal.

Portal way:

Go to https://compliance.microsoft.com/, then click on “Audit” in the left pane. When you get to the page, click on “Start recording user and admin activity”, then check the status after 30-60 minutes. If it fails, try with PowerShell.

Cancel downloaded updates in Windows Server

If the server has automatically downloaded an update (such as a SharePoint one) that you don’t want to install, follow these steps to clear the queue:

  • Open an elevated PowerShell, then run the following command:
Stop-Service -Name "wuauserv"
  • In the same elevated PowerShell, run the following commands to make a backup of the folders we’re going to clear:
cd C:\

'backupwinupdate', 'backupdatastore' | %{New-Item -Name "$_" -ItemType "Directory"}

Copy-Item -Path "C:\Windows\SoftwareDistribution\Download" -Destination "C:\backupwinupdate" -Recurse
Copy-Item -Path "C:\Windows\SoftwareDistribution\DataStore" -Destination "C:\backupdatastore" -Recurse
  • Check that the backup has been created, then proceed to delete the content of the original folders:
Get-ChildItem -Path "C:\Windows\SoftwareDistribution\Download" -Include * -File -Recurse | foreach { $_.Delete() }
Get-ChildItem -Path "C:\Windows\SoftwareDistribution\DataStore" -Include * -File -Recurse | foreach { $_.Delete() }
  • After clearing the content, start Windows Update again:
Start-Service -Name "wuauserv"

You’ll need to reboot at the end of this procedure.

Be sure to clean up the backup folders C:\backupwinupdate and C:\backupdatastore afterwards.

Add / remove the requirement to apply a sensitivity label to documents and emails – Microsoft Information Protection

When you select “Require users to apply a label to their email and documents” inside a label policy in Microsoft Information Protection, users will be required to classify the documents they create/modify.

To add this requirement, access the compliance portal and select a label policy you created.

https://compliance.microsoft.com/informationprotection?viewid=sensitivitylabelpolicies

Then click “Edit policy” and go straight into “Settings”. Select “Require users to apply a label to their emails and documents”, then save the label policy.

To remove the requirement, follow the same steps and unselect “Require users to apply a label to their emails and documents” from all the label policies.

Be aware that the policy may take a while to replicate.

Force Azure File Sync tiering

If you are encountering issues with Azure File Sync, or you just want to force the process so that you can free some space now, follow the commands shown below:

#Import the commands
Import-Module "C:\Program Files\Azure\StorageSyncAgent\StorageSync.Management.ServerCmdlets.dll"

#Force the synchronization of the folder you have specified in the sync group
Invoke-StorageSyncCloudTiering -Path <sync_group_path>

If you want to get some logs out of the operation for troubleshooting, send these commands in a separate PowerShell window before launching the script above:

cd C:\
New-Item -ItemType directory -Path C:\AZfslogs
cd "C:\Program Files\Azure\StorageSyncAgent"
Import-Module .\AFSDiag.ps1
Debug-AFS -OutputDirectory C:\AZfslogs -KernelModeTraceLevel verbose -UserModeTraceLevel verbose

You can terminate the command once the sync is concluded and get the logs in the C:\AZfslogs folder.

Disconnect a user session in Azure Virtual Desktop (AVD) – PowerShell

Prerequisites: The Microsoft.RDInfra.RDPowerShell module, the Az PS module

First, install the RDInfra module:

Install-Module -Name Microsoft.RDInfra.RDPowerShell; Import-Module -Name Microsoft.RDInfra.RDPowerShell

Then proceed by installing the Az module and logging in:

Connect-AzAccount

Once you are logged in you can run the following script to disconnect a specific user session:

Get-RdsUserSession -TenantName "tenantname.onmicrosoft.com" -HostPoolName "HostPoolName" | where { $_.UserPrincipalName -eq "azvise\demouser" } | Invoke-RdsUserSessionLogoff -NoUserPrompt

Force Outlook to connect to Office 365

If you have an internal Exchange server powered on, and you have migrated to Office 365, you might see some Outlook clients (2016/365) having issues.

To try to fix the issue and force the connection to Office 365 instead of the internal server, you can try adding this registry key:

Path: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\AutoDiscover

Value: ExcludeScpLookup

Type: DWORD

Data: 1

This way, domain-joined clients will not ask Active Directory for an SCP entry and will query Autodiscover directly (which should be fine if you migrated to Office 365, as it’s one of the requirements).

Repair / troubleshoot a Linux VM – Azure

If you encounter a boot or disk error with a VM, you need to get the OS disk into another VM to troubleshoot the issue.

The command we will run in Azure Cloud Shell is az vm repair create. To create a troubleshooting VM, follow these steps:

  • Open Azure Cloud Shell in bash, or install the Azure CLI in your bash environment.
  • Run the following command: az vm repair create -g "resourcegroupname" -n "VMname" --verbose
  • Enter admin credentials for the newly created VM in the bash shell.
  • Connect to the newly created server and start analyzing the problem.

Exchange API missing for Veeam modern auth in Azure AD

If you are looking for the Exchange API to configure modern authentication for Veeam, you’ll find that it is no longer present under “Request API Permissions” -> “Microsoft API”.

Instead, go to “APIs my organization uses” under “Request API Permissions”, then search for “Office 365 Exchange Online”.

It’s basically the same thing, only a bit harder to find, as the search doesn’t return results if you look for “Exchange”.

Configure a SLES VM for Azure Site Recovery

To configure a VM for Azure Site Recovery we’ll need to configure the Microsoft Azure Linux Agent and enable the console. The VM will automatically get the DHCP network settings that it will need to get an IP from Azure.

First, add the repository and install the agent:

SLES 12 SP3:

zypper addrepo https://download.opensuse.org/repositories/Cloud:Tools/SLE_12_SP3/Cloud:Tools.repo
zypper refresh
zypper install python-azure-agent

SLES 12 SP4

zypper addrepo https://download.opensuse.org/repositories/Cloud:Tools/SLE_12_SP4/Cloud:Tools.repo
zypper refresh
zypper install python-azure-agent

SLES 15

zypper addrepo https://download.opensuse.org/repositories/Cloud:Tools/SLE_15/Cloud:Tools.repo
zypper refresh
zypper install python-azure-agent

SLES 15 SP1

zypper addrepo https://download.opensuse.org/repositories/Cloud:Tools/SLE_15_SP1/Cloud:Tools.repo
zypper refresh
zypper install python-azure-agent

SLES 15 SP2

zypper addrepo https://download.opensuse.org/repositories/Cloud:Tools/SLE_15_SP2/Cloud:Tools.repo
zypper refresh
zypper install python-azure-agent

Then enable automatic updates for the agent:

vi /etc/waagent.conf

Go to AutoUpdate.Enabled and enable it. It should look like this:

# AutoUpdate.Enabled=y
AutoUpdate.Enabled=y

Restart waagent and enable it:

systemctl restart waagent.service
systemctl enable waagent.service

Enable the serial console, to be able to access the VM even without connection from Azure:

systemctl start serial-getty@ttyS0.service
systemctl enable serial-getty@ttyS0.service

Change AD account used in AD Connect connector

To change the user account set in Azure AD Connect follow these steps:

  • Log in to the AD Sync server
  • Run the “Synchronization Service” from the start menu
  • Go to the “Connectors” tab
  • Select the connector for your on-premises AD
  • Right-click it and select “Properties”
  • Click on “Connect to Active Directory Forest”
  • Here you will swap your credentials once the user is ready
  • Go into your AD DS environment and create a new user. It has to be part of the “Domain Users” group
  • Right-click the domain object (e.g. contoso.com) then “Properties”
  • Click on “Security”
  • Add the user account if not present
  • Click on the account added
  • Add the “Replicating Directory Changes” and “Replicating Directory Changes All” permissions
  • Click Apply
  • Any further permission will depend on which optional features you have enabled in your environment. To check any “special” permissions for the user refer to the following link: https://docs.microsoft.com/it-it/azure/active-directory/hybrid/reference-connect-accounts-permissions#create-the-ad-ds-connector-account
  • Swap the current user account with the new one we just created in the “Connect to Active Directory Forest” tab on the AD Connect server and click “OK”

ASR Kernel modules fail to load while installing the Mobility Service (VMware) – Azure

If some kernel modules fail to load (such as in the example below) while installing the Mobility Service agent, please check:

  • If the kernel is supported in your Configuration Server version
  • If secure boot is enabled

#EXAMPLE using SUSE 15 SP2
exampleserver0:/tmp/ASR # sudo ./install -d /usr/local/ASR/ -r MS -v VmWare -q
All product pre-requisties are met.
Generating the certificate.
[...]

Filter driver kernel module is not loaded. Attempting to load it, please wait...
insmod /lib/modules/[kernelversion]-default/kernel/drivers/char/involflt.ko
Filter driver could not be loaded successfully.
Check the log file /var/log/ua_install.log for detailed diagnostic messages or installation success/failures...
Vx agent installation exit code : 208.
Check the log file /var/log/ua_install.log for detailed diagnostic messages or installation success/failures...
Installer exiting with code: 208

Check the following page to see if the kernel version is supported:

https://docs.microsoft.com/en-us/azure/site-recovery/vmware-physical-azure-support-matrix#ubuntu-kernel-versions

If it’s supported try launching the following command:

mokutil --sb-state

If it’s enabled you should get something along the lines of:

SecureBoot enabled

Please note that SecureBoot is not supported at the moment with VMware DR in ASR:

https://docs.microsoft.com/en-us/azure/site-recovery/vmware-physical-azure-support-matrix#storage

To disable SecureBoot, proceed as follows:

  • Click on the virtual machine in vSphere (or vCenter)
  • Shut down the VM
  • Click on Edit Settings
  • Go in VM Options, then Boot Options
  • Deselect the Secure Boot check box
  • Click on OK
  • Start the VM



ASR Data change rate is beyond supported limits

If you see the event “Data change rate beyond supported limits” in the ASR replicated items logs, you probably need to change the disk type of your managed disks for that Virtual Machine.

I would advise waiting a bit to check if the error disappears or remains consistent.

To change the disk type, go to:

  • Disks
  • Select the disk specified in the error message above
  • Click on Configuration
  • Under Account type switch from “Standard HDD” to “Premium SSD” (or “Standard SSD”)
  • Save

Cannot enable protection for a VM in ASR “This operating system isn’t supported in Azure”

If you get the following error, please check if the OS and kernel versions are supported:

https://docs.microsoft.com/en-us/azure/site-recovery/vmware-physical-azure-support-matrix

If they are supported, you can manually install the agent on the VM. If that doesn’t work, check whether the VM in VMware is configured as “Other (64-bit)” in the guest OS version. If it is, you should change the version to the specific Linux distribution you have installed. Mind that the VM must be shut off to change the Guest OS version.

To manually install the agent, follow these steps:

  • On your ASR server, go to %ProgramData%\ASR\home\svsystems\pushinstallsvc\repository and copy the “Microsoft-ASR_UA*_GA*.tar.gz” file specific to your distribution.
  • Copy the file to the VM. I would recommend creating a specific folder for the file under /tmp.
  • Copy the Conf server passphrase to the server.
  • Unpack the file: tar -xvf Microsoft-ASR_UA_yourfile.tar.gz
  • Run the following command as root: ./install -d /usr/local/ASR -r MS -v VmWare -q
  • Register the mobility service to the Conf server: /usr/local/ASR/Vx/bin/UnifiedAgentConfigurator.sh -i ConfserverIP -P /var/passphrase.txt

Recover ASR Configuration server passphrase

To recover your passphrase, sign in to the configuration server, then open a command line.

Change directory using:

cd %ProgramData%\ASR\home\svsystems\bin

then export your passphrase with the following command:

genpassphrase.exe -v > connection.passphrase

Open the file with notepad to get the key:

Notepad "connection.passphrase"

Remove UDR from a subnet with a private endpoint associated – Azure

If you try to remove a UDR from a subnet that contains private endpoints, you may get the following error:

Failed to dissociate subnet 'SubnetName'. Error: Private endpoint network policies cannot be enabled on private endpoint subnet 'FullPathSubnet' .

To resolve it, run the following command using Azure CLI, keeping the route table parameter blank:

az network vnet subnet update -g MyResourceGroup -n MySubnet --vnet-name MyVNet --route-table ""

Password Hash Synchronization won’t update any user password

If AD Sync won’t update any user password across a domain follow these steps:

  • Open Microsoft Azure Active Directory Connect
  • Click Configure
  • Click Troubleshoot
  • Click Launch
  • In PowerShell type 2 (Enter ‘2’ – Troubleshoot Password Hash Synchronization)
  • Type 1 (Enter ‘1’ – Password Hash Synchronization does NOT work at all)

Usually, the output on your local AD Connector is:

Last successful attempt to synchronize passwords from this directory partition started at: [long time ago]

If this is the case proceed as follows:

  • Open Synchronization Service Manager
  • Click on Connectors
  • Click on your local connector (ex. domain.com)
  • Right-click, then open properties
  • Under Connect to Active Directory Forest, insert the password for the user and click OK
  • Run an initial Sync in PowerShell: Start-ADSyncSyncCycle -PolicyType Initial

Enable Azure Serial Console for replicated Linux VMs – Azure

If you replicate a Linux VM right away, you might end up with the serial console not working. This can be a particular issue if your network interfaces are set as static and you have to change the IP addresses.

To enable the Serial Console, log in to your on-premises Linux VM and run the following:

systemctl start serial-getty@ttyS0.service
systemctl enable serial-getty@ttyS0.service

Wait until the changes are replicated, then connect directly from the Azure Console.

Windows – Cannot start WAS and W3SVC

If you get “System error 2 has occurred” when starting WAS (Windows Activation Services) and you also cannot start W3SVC (World Wide Web Publishing Service), try the following:

  • Open Regedit.msc
  • Go into HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WAS\Parameters
  • Locate the NanoSetup DWORD
  • Delete the NanoSetup DWORD
  • Open an elevated command prompt and run “net start was” and “net start W3SVC”

Change Outlook profiles from one month cache to online in AVD/WVD

Unfortunately, at this time, there is no way to change Outlook profiles from cached mode (1 month retention) to online mode in the Outlook settings.

To configure the cache settings in Outlook (2016/365) in a WVD session you need to use Active Directory GPOs or local Group Policies.

To use local group policies follow these steps:

  • Download the following ADMX in your environment: https://www.microsoft.com/en-us/download/details.aspx?id=49030
  • Extract the files
  • Copy the outlk16.admx file to %systemroot%\PolicyDefinitions\
  • Based on the language folders you see in your WVD host copy the outlk16.adml file from the admx\xx-xx folder to the relative folder in %systemroot%\PolicyDefinitions\
  • Open gpedit.msc
  • Go to User Configuration > Administrative Templates > Microsoft Outlook 2016 > Account Settings > Exchange > Cached Exchange Mode.
  • Set “Use Cached Exchange Mode for new and existing Outlook profiles” to Disabled

Check whether you are using an FSLogix profile in Azure Virtual Desktop – AVD

To check whether you are using an FSLogix profile in an AVD session enter the AVD instance, then browse to the following folder:

C:\Program Files\FSLogix\Apps

Open frxtray.exe and open the System Tray as shown in the following picture:

Right-click on the frxtray icon and click open:

From here you can see that we get “Profile status: Active”, which indicates that we are using an FSLogix profile. If you are using a local profile you will get a yellow light on the traffic light and a warning message.

Sysprep fails due to an app that was installed for a user, but not provisioned for all users

Example errors:

1. Package Microsoft.LanguageExperiencePackit-IT_19041.3.7.0_neutral__8wekyb3d8bbwe was installed for a user, but not provisioned for all users. This package will not function properly in the sysprep image.

2. SYSPRP Failed to remove staged package Microsoft.LanguageExperiencePackit-IT_19041.49.150.0_neutral__8wekyb3d8bbwe. Failed to remove apps for the current user.

To fix these kinds of errors, mainly found in Azure Virtual Desktop implementations with custom languages, you must manually delete the app that was provisioned only for your current user and that is crashing your sysprep attempts.

To fix the issue, take a snapshot of the client, then remove the provisioned app package:

Remove-AppxProvisionedPackage -Online -PackageName Microsoft.LanguageExperiencePackit-IT_19041.3.7.0_neutral__8wekyb3d8bbwe

Whatever output you get, complete the removal of the app using the following command:

Remove-AppxPackage -allusers Microsoft.XboxApp_31.32.16002.0_neutral_~_8wekyb3d8bbwe

You should now be able to sysprep the VM without issues.