If just enabled a Conditional Access Policy blocking legacy authentication to Exchange Online, enabled Security Defaults, or Microsoft disabled it for your tenant, you might see some Apple Mail clients not connecting anymore.
This issue is happening because the profile might be still configured to use Exchange ActiveSync to connect to Exchange Online, and EAS (along with other legacy protocols) will be retired in October 2022.
Apple supports an automatic switch to modern authentication for its profiles, but only if it was freshly configured after iOS 12.
Unfortunately, it seems that backing up and restoring profiles does not trigger the switch to modern auth, so if you moved to a new iPhone and didn’t reconfigure the profile manually, you’ll need to remove and recreate it.
Apple will add support for the automatic migration to modern auth in iOS 15.6. Once you update your Apple device, the Mail app will use the saved credentials to establish a new authentication flow. From that moment onward, you’ll authenticate to Azure AD (Microsoft online Identity Provider) and get a new OAuth access token. The “old” stored credentials will then be removed. The process is fully transparent to users.
If you just installed the Azure Information Protection on-premises scanner and you are trying to start your first Content Scan Job, you might get that the button “Scan now” is greyed out.
Before attempting to troubleshoot, check that you selected the job below. If you did, try restarting the service “Azure Information Protection Scanner” on the SQL server and refreshing the Azure Content scan job page.
If you still cannot start the scan, try executing the following command on the SQL server, and insert the credentials of the service account:
It’s been a long time since Microsoft released number matching and additional context for the Microsoft Authenticator. These features allow you to quickly improve your MFA posture, adding a new layer of security and preventing accidental approvals. This is also useful to lower the chances of being compromised by MFA fatigue attacks. The feature consists in a map shown on your MFA prompt on your phone that indicates where the MFA request is coming from, the name of the application requesting the MFA challenge, and a box to insert the number that will be shown on screen.
How to enable it
To enable these features follow this link, which will guide you into Azure AD > Security > Authentication methods:
Be sure to activate “Require number matching for push notifications“, “Show application name in push and passwordless notifications” and “Show geographic location in push and passwordless notifications“, then save.
You can scope the features to a selected group of users if you want to test them out and go for a gradual rollout. This is done by selecting “Select group” and adding the group for which you want to enable the feature.
Check out this article if you are looking for a communication to send out to users before rolling out the features:
There are a couple of ways to enable an automatic classification of files in SharePoint. The first one, more complete from a customization point of view, is to use a File Policy in Defender for Cloud Apps. The second one (the newer and less recommended one, to be fully released Q3/Q4 2022) is to use a Default Sensitivity Label in SharePoint Online.
If you are looking at how to enable file monitoring and file policies, follow this guide:
File Policy in Defender for Cloud Apps
To create a policy that automatically matches and labels files in the root folder and the subfolders, follow the steps below:
Create a broad filter. I’ve set it as “App equals SharePoint Online” for this example.
Under “Apply to”, specify the root folder where the policy should start to apply.
Apply the governance action “Apply sensitivity label”, and select your label. Check the box below if you wish MDCA to override all user-defined labels. This will override older labels set on docs in the site and new ones defined at document creation.
Save the policy
Suppose you would like a policy to automatically apply labels to all the files and subfolders recursively from a root folder onward in SharePoint or OneDrive. In that case, you might think you can use the “Files matching all of the following” filter. Unfortunately, this won’t work, as it will not match recursively on the files contained in the subfolders.
Default Sensitivity labels in Sharepoint Online
Once you enable SharePoint to process labels, you can configure a default label for document libraries. This will ensure that any new or newly modified files get the specified label.
The feature will not apply to documents not opened since setting the default label or if the file has a higher priority label applied. Therefore, I would recommend, for the moment, using PowerShell or MDCA (as shown above) before setting the default label.
The feature will also not work if you have “User access to content expires” set anything other than Never or if you use Double Key Encryption.
Also, please note that PDFs are not currently getting labelled using this method, but I expect this to change before Q4 2022. Please refer to the docs for further updates, depending on when you are reading this:
Click on Labels, then “Turn on now” under “Your organization has not turned on the ability to process content in Office online files that have encrypted sensitivity labels applied and are stored in OneDrive and SharePoint. You can turn on here, but note that additional configuration is required for Multi-Geo environments.”
Open your SP document library, then on the top right corner click settings (the “gear” icon), then “Library settings“.
Select your default label, then click “Save“.
Allow some time between enabling the feature and looking for the library setting, as you probably won’t find the feature right away; you’ll have to wait up to 24 hours.
Since Azure introduced the option to download the OS disk of a VM directly, you don’t need anymore to traffic around to download the unmanaged disk (or go with the snapshot route). Here are some easy steps to directly download the disk of your Windows / Linux VM. Please note that a Sysprep is advised if you need to use the disk as a template to create new VMs.
Go to the VM, and stop it.
Click on “Disks” then on he OS Disk.
Click on “Disk Export“, then in the field, enter a higher number (es. 30600) so that you have plenty of time to download the disk. Once done, click “Generate URL“.
When you transfer Azure resources between subscriptions, you might get the following error: “ResourceNotTopLevel“.
This is caused by the fact that you only have to select top-level resources for the move, and the dependencies will be moved automatically.
For example, say you selected both a Network Watcher Extension and the relative VM you want to move. You will just need to move the VM object, and the extension will come with the server.
Example of an error code:
"message": "Identifier '/subscriptions/0000000000000000000/resourceGroups/MoveResource/providers/Microsoft.Compute/virtualMachines/VMtobeMoved/extensions/AzureNetworkWatcherExtension' is not a top level resource. Please include only the top-level resource for this child resource in the move request. A child resource would be moved along with its associated top-level resource.\""
From the error code, you’ll get that you just have to move the following resource, being the top-level one:
Using Azure AD Access Reviews (available with Azure AD Premium P2), you can automatically remove guest users from your tenant who haven’t had access in a specified number of days. In this guide, we will implement the access review step by step.
This is a great way to clean up your tenant automatically and can be scheduled.
NOTE: The procedure used to clean up only users who didn’t have access in the last 30 days. This has now been expanded to support a variable number of days (ex. 60, 90, etc).
Step by step guide
As a prerequisite, you’ll need to create a dynamic group in AAD, which will contain all guest users who can log in to the tenant:
To create the group, go to AAD Groups, then click on “New Group”.
Select Group Type as “Security“, give the group a name, and select “Membership type” as “Dynamic User“.
Under “Dynamic user members”, click on “Add dynamic query“.
The query you will want to create is:
(user.userType -eq "Guest") and (user.accountEnabled -eq true)
You can create this group also using Powershell, and pasting this command after installing the Graph module.
The accountEnabled attribute lets you filter for users who can log in. Since the access review will deactivate the account for 30 days before deleting it permanently, this way we’ll filter only for the guest users active in the tenant and not the ones ready to be automatically deleted.
Once done, click on “Create”.
To create the access review, open this link, then follow the steps listed below:
Select “Teams + Groups” under “Select what to review”, “Select Teams + groups” under “Select review scope”, under “Group” enter your group, then click on “Guest users only” under “Scope”.
You can then filter only for the guest that did not had access in a specified number of days. This is accomplished using this part of the wizard:
Click on Next, and under “Select reviewers”, click on “Selected user(s) or group(s)“. The person or people that will manually review the users to delete should be selected just below. If not needed, insert an admin and go ahead. I always give at least 3 to 5 days for the reviewers to check if somebody should not be blocked or deleted. If some guest user should always be excluded from the review, you can add an exclusion in the AAD Group membership rules.
In the last paragraph, you’ll want to select auto-apply results to make the automation work. Under “If reviewers don’t respond”, choose “Take recommendations“. The recommendations will be based on whether the user has logged in recently or not. There are no other recommendations that I am aware of at this moment. Under “Action to apply on denied guest users”, select “Block user from signing-in for 30 days, then remove user from the tenant“. Be sure that “No sign-in within 30 days” is selected as reviewer decision helper, as per the image below.
If you want this to be fully automated, deselect “Justification required”.
Once done, click on “Review + create”, give the review a name and click on “Create”.
Now you will automatically have the guest users who haven’t logged in in the specified number of days blocked. After 30 days, the blocked user will be removed from the tenant.
Jef Kazimer wrote a really cool guide on how to remove unredeemed B2B guest from your Azure Active Directory:
You might be asked to run “Enable-OrganizationCustomization” before relaunching the command. You must wait 30 to 60 minutes after sending “Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true” to see it enabled in the portal.
Go to https://compliance.microsoft.com/, then click on “Audit” on the left pane. When you get to the page, click on “Start recording user and admin activity“, then check the status after 30-60 minutes. If it fails, try with PowerShell.
When you select “Require users to apply a label to their email and documents” inside a label policy in Microsoft Information Protection, users will be required to classify the documents they create/modify.
To add this requirement, access the compliance portal and select a label policy you created.
If you are encountering issues with Azure File Sync, or you just want to force the process so that you can free some space now, follow the commands shown below:
#Import the commands
Import-Module "C:\Program Files\Azure\StorageSyncAgent\StorageSync.Management.ServerCmdlets.dll"
#Force the synchronization of the folder you have specified in the sync group
Invoke-StorageSyncCloudTiering -Path <sync_group_path>
If you want to get some logs out of the operation for troubleshooting, send these commands in a separate PowerShell window before launching the script above:
New-Item -ItemType directory -Path C:\AZfslogs
cd "C:\Program Files\Azure\StorageSyncAgent"
Debug-AFS -OutputDirectory C:\AZfslogs -KernelModeTraceLevel verbose -UserModeTraceLevel verbose
You can terminate the command once the sync is concluded and get the logs in the C:\AZfslogs folder.
This way, the domain-joined clients will not be able to ask Active Directory an SCP entry and directly query the AutoDiscover (which should be fine, if you migrated to Office 365, as it’s one of the requirements).
To configure a VM for Azure Site Recovery we’ll need to configure the Microsoft Azure Linux Agent and enable the console. The VM will automatically get the DHCP network settings that it will need to get an IP from Azure.
At times a Windows Session may suffer an inelegant termination, in these cases FSLogix is not provided an appropriate event to trigger the dismount of the VHD(x) file for Profile Container and Office Container. By setting CleanupInvalidSessions to 1, additional FSLogix logic is triggered to make this scenario less likely. Setting CleanupInvalidSessions will cause the functionality to be utilized for both Profile Container and Office Container. KNOWN ISSUE: at this time CleanupInvalidSessions should not be used in conjunction with Cloud Cache when concurrent sessions (e.g utilizing ProfileType/VHDAccessMode) are in use.
If some kernel modules fail to load (such as in the example below) while installing the Mobility Service agent, please check:
If the kernel is supported in your Configuration Server version
If secure boot is enabled
#EXAMPLE using SUSE 15 SP2
exampleserver0:/tmp/ASR # sudo ./install -d /usr/local/ASR/ -r MS -v VmWare -q
All product pre-requisties are met.
Generating the certificate.
Filter driver kernel module is not loaded. Attempting to load it, please wait...
Filter driver could not be loaded successfully.
Check the log file /var/log/ua_install.log for detailed diagnostic messages or installation success/failures...
Vx agent installation exit code : 208.
Check the log file /var/log/ua_install.log for detailed diagnostic messages or installation success/failures...
Installer exiting with code: 208
Check the following page to see if the kernel version is supported:
If they are supported, you can install manually the agent on the VM. If it doesn’t work, try checking if the VM in VMware is configured as “Other (64-bit)” in the guest OS version. If it is, you should change the version to the specific Linux distribution you got installed. Mind that the VM must be shut off to change the Guest OS version.
To install manually the agent follow these steps:
Go under %ProgramData%\ASR\home\svsystems\pushinstallsvc\repository in your ASR server and copy the “Microsoft-ASR_UA*_GA*.tar.gz” file specific to your distribution.
Copy the file to the VM. I would recommend creating a specific folder for the file under /tmp
Copy the Conf server passphrase to the server
Unpack the file: tar -xvf Micorosft-ASR_UA_yourfile.tar.gz
Run the following command as root: ./install -d /usr/local/ASR -r MS -v VmWare -q
Register the mobility service to the Conf server: /usr/local/ASR/Vx/bin/UnifiedAgentConfigurator.sh -i ConfserverIP -P /var/passphrase.txt
If you replicate a Linux VM right away you might end up with the serial console not working. This could be especially an issue if you have your network interfaces set as static and you have to change the IP addresses.
To enable the Serial Console you have to log into your on-premise Linux VM and run the following:
systemctl start serial-getty@ttyS0.service
systemctl enable serial-getty@ttyS0.service
Wait until the changes will be replicated, then connect directly from the Azure Console.
To check whether you are using an FSLogix profile in an AVD session enter the AVD instance, then browse to the following folder:
Open frxtray.exe and open the System Tray as shown in the following picture:
Right-click on the frxtray icon and click open:
From here you can see that we get “Profile status: Active”, which indicates that we are using an FSLogix profile. If you are using a local profile you will get a yellow light on the traffic light and a warning message.
1. Package Microsoft.LanguageExperiencePackit-IT_19041.3.7.0_neutral__8wekyb3d8bbwe was installed for a user, but not provisioned for all users. This package will not function properly in the sysprep image.
2. SYSPRP Failed to remove staged package Microsoft.LanguageExperiencePackit-IT_19041.49.150.0_neutral__8wekyb3d8bbwe. Failed to remove apps for the current user.
To fix this kind of errors, mainly found in Azure Virtual Desktop implementations with custom languages, you must manually delete the app that was provisioned just for your current user, and that is crashing your sysprep attempts.
To fix the issue, take a snapshot of the client, then remove the provisioned app package: