April 26, 2023 Azvise

10 tips to improve your administrative accounts posture in Azure AD

General Introduction

As I speak to more and more customers about the matter, I notice that a lot of companies have a questionable security posture regarding their administrative accounts. For example, many admins are using their “daily-runner” account as privileged administrators for their tenants, or synchronizing their domain admins to privileged roles in Azure AD. In general, a lot of admin accounts aren’t getting the care they deserve.

Losing privileged access is a big deal and it’s happening more and more often. Clearly, attackers love targeting privileged accounts because they give them quick and broad access to a company’s important assets, leaving a lot of defences behind.

I decided to write this article to highlight some of the controls that should be implemented in our tenants to improve our admin accounts posture, as privileged access management should be one of our top security priorities. These points have been aggregated after a lot of discussions with colleagues and experts on the topic and with the help of best practices from Microsoft Docs.

The 10 tips list

As a best practice, administrator accounts should be:

Separate from your daily-runner account. Collaboration tasks should not be done from the administrative accounts. While it’s of course not convenient, admins should get used to handling multiple accounts for different permission levels.
Cloud-only. Your Azure AD administrator accounts should be different to your on-premises admins, and should not be synchronized from the on-premises Active Directory. This is because if one’s identity gets breached, the attackers would have easy access to both Azure AD and AD.
Mailbox-less. The easy way to implement this is by not assigning admins licenses. You should enable a forward from your admin account to your daily driver account, or a dedicated mailbox/distribution list assigned to an unprivileged user.
Using phishing-resistant authentication methods. FIDO2 keys should be your primary way of accessing your admin accounts. If FIDO2 keys or similar methods are unavailable to you, you should have at least MFA active on your account with number matching and additional details active. Ideally, you should also restrict access to your resources to only allow access from known devices.
Reviewed periodically. Periodically analyse the list of admins, and remove excessive permissions. There are a lot of cool tools that can help you out with this, or you can script your own.
Microsoft suggests analysing these roles first, then moving to the other administrative accounts: Global Administrator, Privileged Role Administrator (they are a click away from being Global Admins), Exchange Administrator, and SharePoint Administrator. Remove guest admins where applicable.
Protected by Identity Protection. Identity Protection automatically scans your sign-ins and blocks the user if anything strange is going on. You can also configure it to force the user to do a self-service password reset.
PIM-enabled. You should have administrative privileges only when you require them. Having admin privileges active on an account 24/7 without a specific reason is not the best idea. Moreover, whenever you enable your PIM roles, you get an email, to keep everything under control.
Backed up by one or two emergency accounts. If bad things happen, you should still be able to access your tenant. Emergency access administrators help you with that. You should also consider activating a rule to alert you when this admin gets used. Here is a cool guide to create passwordless emergency admins with FIDO2 Keys: https://janbakker.tech/break-glass-accounts-and-azure-ad-security-defaults/
Logged constantly. Configure logging for your tenant by exporting the Azure AD logs to a Log Analytics workspace. Alerts should be configured for risky actions (like modifying a conditional access policy). Also, check if you have enabled the Unified Audit Logs: https://azvise.com/2021/10/26/office-365-enable-unified-audit-logs/
Protected with Conditional Access Policies. This is a very broad topic, but make sure that at least the following apply. Those policies can be created quickly using Conditional Access policies templates: Require phishing-resistant multifactor authentication for admins, Securing security info registration, block legacy authentication, require multifactor authentication for Azure management, Require compliant or hybrid Azure AD joined device for admins, Block access for unknown or unsupported device platform, No persistent browser session. Of course, before activating this policies, be really careful to test things out and exclude the emergency account(s).

Additional points:

Use precise Administrative roles. Of course, using highly privileged accounts it’s convenient, as you have only to activate one role to manage everything. But if you assign people the correct permissions they need for their daily job, a lot of headaches can be prevented. Check out this documentation page to ease the pain of finding the right role to assign:
https://learn.microsoft.com/en-us/azure/active-directory/roles/delegate-by-task
Consider Privileged Access Workstations. Having PAWs for Admin roles can help a lot with your security posture. PAWs can be configured on Azure AD with device filtering rules in Conditional Access Policies. For example the CAP may require: When all admins, except for the emergency access administrator, access all apps, block access unless they are using specified devices, filtered by device ID.
These PAWs should be AAD joined, and are usually for Global Admins and Privileged Role Administrators. Also, having Bitlocker on at least this machines is a must.
Spoofing device IDs with Powershell is sadly possible at the moment, but it’s kinda hard and not one of the first things that attackers will do. As always, a lot of this depends on your security risk acceptance level.
If you want to drill down on PAWs, this article might be useful: https://learn.microsoft.com/en-us/security/privileged-access-workstations/privileged-access-devices
If you have an on-premises AD, you should really look into improving your AD security, as your AAD security and your AD security are tightly correlated. A tiering model for Active Directory is really useful to better manage your forests, and implementing Defender for Identity gives you a whole new level of analysis and reaction on what’s going on. This won’t be discussed here, but there are plenty of resources to get started with this. Also, again, don’t sync your on-prem administrators to Azure AD. You should have some level of filtering from on-prem to Azure AD, such as filtering by OU or by AD attributes.
Also not discussed here, as Azure permissions are a whole topic by themselves, but you should really be analyzing Azure privileged permissions and keeping everything under control.

Link to Microsoft docs, and additional reads:

Securing privileged access

Ensure separate user accounts and mail forwarding for Global Administrator accounts

Enterprise access model

Token Protection

February 21, 2023February 23, 2023 Azvise

Temporary Access Pass sign in was blocked due to User Credential Policy

General introduction

Temporary Access Pass is a time-limited passcode that allows users to register passwordless methods or recover access to their accounts without knowing their password. It is enabled via an authentication method policy that you can configure in Azure Active Directory. Apart from being time-limited, the TAP can also be configured for one-time use only. This can either be configured on the authentication methods policy so that every TAP created will be one time only (not the best idea at the moment) or at the creation of the TAP on the user authentication methods page.

The issue

The “Temporary Access Pass sign in was blocked due to User Credential Policy” issue is caused by the fact that the user has already used the TAP, and it was configured not to be valid for a second login. To fix this, modify the policy and allow for multi-use TAPs (if it’s not already enabled) then issue a new TAP.

While it makes sense from a general prospective to enable it for one-time use only at the policy level, this is usually impractical. For example, if you are using Autopilot, you’ll be requested to enter your credentials twice before configuring Windows Hello for Business. The first time, you’ll be asked for it at the enrollment phase, and the second time when logging into the user account for the first time. A one-time use TAP policy will create issues in this case. It’s also very common for users to mistakenly log off before configuring a passwordless method. If they do, you’ll need to issue a second TAP. For these reasons, it makes sense to allow a stricter lifetime but allow it to be used multiple times in that timeframe.

Modify the Temporary Access Pass policy:

Open authentication methods, then Temporary Access Pass. Authentication Methods | AAD
From here, go into Configure. If it’s already set to no, then proceed to the next step. If it’s set to yes then click on Edit.

From here, click on Require one-time use, and set it to no. Then save.

Issue a multi-use TAP:

Head into All Users | Azure AD, then select the user you want to issue the TAP to.
Click on Authentication Methods, then Add authentication method.
From the dropdown list, select Temporary Access Pass. Make sure One-time use is on No, then click on Add
Send the user the new TAP

February 15, 2023February 15, 2023 Azvise

How to enable and disable Security Defaults

General introduction

Security Defaults are one of the ways to establish a fundamental identity security baseline for your tenant. Security defaults are a set of security settings to help you protect your organization from the most common security threats. They can be enabled on a tenant with just one click. Well, two, if you count the save button. These settings are aimed at small and medium businesses that might not have an IT team with the knowledge or resources to manually set the standard for their environment.

If you are currently using Conditional Access Policies, Security Defaults are probably not for you. In more complex environments, going the Conditional Access way can be trickier to manage but provide more benefits, such as the ability to require access from known and compliant devices. Also, Conditional Access Policies require Azure Active Directory Premium P1, and only some organizations are licensed for it.

If you wish to learn more about Conditional Access, I wrote a post about it:

https://azvise.com/2023/01/03/what-are-conditional-access-policies-in-azure-ad/

Security Defaults are now activated by default in all the newly created tenants since October 2019, and Microsoft is rolling them out to existing tenants who don’t have Conditional Access Policies enabled.

What Security Defaults will do is:

Requiring users to register for MFA using the Authenticator app. Users will have 14 days to comply before being required to do so.
Requesting MFA for both users and administrators, especially when a user accesses privileged portals.
Block legacy authentication protocols which can’t support MFA.

How to enable Security Defaults

Access the Azure AD properties with an admin account by clicking on the following link, or navigating through the portal to Properties: Azure AD Properties | Azure Portal
Click on Manage Security Defaults at the bottom of the page
Set the Security Defaults to Enabled
Save

How to disable Security Defaults

Access the Azure AD properties with an admin account by clicking on the following link or navigating through the portal to Properties: Azure AD Properties | Azure Portal
Click on Manage Security Defaults at the bottom of the page
Set the Security Defaults to Disabled
Provide a reason for disabling Security Defaults
Save

Notes

If you wish to learn more about Security Defaults, refer to the following documentation page:

Security Defaults | Microsoft Docs

January 30, 2023February 15, 2023 Azvise

Scale AKS HCI control plane and worker nodes

In Azure Kubernetes Service (AKS) on Azure Stack HCI, you can increase the resources available to your node pool by changing the size of virtual machines in a node pool or expanding the node count. The node count can also be increased with autoscaling methods.

The worker nodes can be scaled using the command Set-AksHciNodePool, while the Set-AksHciCluster scales the control plane.

I’ll be going over scaling both using PowerShell in the following guide. You’ll need to open a PowerShell session on one of the Azure Stack HCI nodes to follow along. Replace the parameter values as needed.

Notes

As of January 2023, the scaling of the management cluster (the one created by AKS HCI automatically) is currently not supported.
At the time of writing, the “-vmsize” argument used with Set-AksHciNodePool is not documented in the command docs (Set-AksHciNodePool | Microsoft Docs) but is only referenced in this article: Scale up a worker node | AKS HCI Docs

Scale the Control Plane

Now we’ll scale up the current cluster. You’ll see the control plane VM size under ControlPlaneVmSize.

Get-AksHciCluster -name akshci01

Status                : {ProvisioningState, Details}
ProvisioningState     : Deployed
KubernetesVersion     : v1.23.8
PackageVersion        : v1.23.8
NodePools             : linuxnodepool
WindowsNodeCount      : 0
LinuxNodeCount        : 4
ControlPlaneNodeCount : 1
ControlPlaneVmSize    : Standard_D2s_v3
AutoScalerEnabled     : False
AutoScalerProfile     :
LoadBalancer          : {VMSize, Count, Sku}
Name                  : akshci01

You’ll only be allowed to scale up the control plane to the available VM sizes. To get which sizes are availabe, use Get-AksHciVmSize.

Get-AksHciVmSize

VmSize CPU MemoryGB
------ --- --------
Default 4 4
Standard_A2_v2 2 4
Standard_A4_v2 4 8
Standard_D2s_v3 2 8
Standard_D4s_v3 4 16
Standard_D8s_v3 8 32
Standard_D16s_v3 16 64
Standard_D32s_v3 32 128
Standard_DS2_v2 2 7
Standard_DS3_v2 2 14
Standard_DS4_v2 8 28
Standard_DS5_v2 16 56
Standard_DS13_v2 8 56
Standard_K8S_v1 4 2
Standard_K8S2_v1 2 2
Standard_K8S3_v1 4 6

In this example we’ll scale up to a D4s_v3.

Set-AksHciCluster -name akshci01 -controlPlaneVmSize Standard_D4s_v3

Status                : {ProvisioningState, Details}
ProvisioningState     : Deployed
KubernetesVersion     : v1.23.8
PackageVersion        : v1.23.8
NodePools             : linuxnodepool
WindowsNodeCount      : 0
LinuxNodeCount        : 4
ControlPlaneNodeCount : 1
ControlPlaneVmSize    : Standard_D4s_v3
AutoScalerEnabled     : False
AutoScalerProfile     :
LoadBalancer          : {VMSize, Count, Sku}
Name                  : akshci01

Now that we have scaled up the control plane, we can scale the control plane node count. The default is 1. If you scale up the control plane, it will become highly available and will not accept any scale down back to 1 node⚠️

Set-AksHciCluster -name akshci01 -controlPlaneNodeCount 3

Status                : {ProvisioningState, Details}
ProvisioningState     : Deployed
KubernetesVersion     : v1.23.8
PackageVersion        : v1.23.8
NodePools             : linuxnodepool
WindowsNodeCount      : 0
LinuxNodeCount        : 4
ControlPlaneNodeCount : 3
ControlPlaneVmSize    : Standard_D4s_v3
AutoScalerEnabled     : False
AutoScalerProfile     :
LoadBalancer          : {VMSize, Count, Sku}
Name                  : akshci01

Scale worker nodes

Now we’ll do the same thing we did for the control plane with the worker nodes. Here we’ll get the default VM size for the cluster.

Get-AksHciNodePool -clusterName $aksclustername

Status : {Phase, Details}
ClusterName : akshci01
NodePoolName : linuxnodepool
Version : v1.23.8
OsType : Linux
NodeCount : 2
VmSize : Standard_K8S3_v1
Phase : Deployed
AutoScalerEnabled : False

You’ll only be allowed to scale up the worker nodes to the available VM sizes. To get which sizes are availabe, use Get-AksHciVmSize.

Get-AksHciVmSize

VmSize CPU MemoryGB
------ --- --------
Default 4 4
Standard_A2_v2 2 4
Standard_A4_v2 4 8
Standard_D2s_v3 2 8
Standard_D4s_v3 4 16
Standard_D8s_v3 8 32
Standard_D16s_v3 16 64
Standard_D32s_v3 32 128
Standard_DS2_v2 2 7
Standard_DS3_v2 2 14
Standard_DS4_v2 8 28
Standard_DS5_v2 16 56
Standard_DS13_v2 8 56
Standard_K8S_v1 4 2
Standard_K8S2_v1 2 2
Standard_K8S3_v1 4 6

Now that we know which sizes are supported, we can scale up the cluster nodes. All preexistent nodes will be scaled up ⚠️

Set-AksHciNodePool -ClusterName "akshci01" -name "linuxnodepool" -vmsize "Standard_DS13_v2"

Status : {Phase, Details}
ClusterName : akshci01
NodePoolName : linuxnodepool
Version : v1.23.8
OsType : Linux
NodeCount : 2
VmSize : Standard_DS13_v2
Phase : Deployed
AutoScalerEnabled : False

Now that we have scaled up, we can scale the workload node count. The current node count depends on what you have set during setup.

Set-AksHciNodePool -clusterName "akshci01" -name linuxnodepool -count 4


Status            : {Phase, Details}
ClusterName       : akshci01
NodePoolName      : linuxnodepool
Version           : v1.23.8
OsType            : Linux
NodeCount         : 4
VmSize            : Standard_DS13_v2
Phase             : Deployed
AutoScalerEnabled : False

January 21, 2023March 1, 2023 Azvise

How to configure passwordless in Azure AD connected environments

General Introduction

As we all know, passwords are a weak link in our identity processes. But, contrary to what we believe, your password length is not the main enemy when talking about Azure AD, as long as your passwords are not simple. Instead, the main enemy is that passwords can be easily gathered and reused from phishing attacks or breaches.

The most common attacks, for example, phishing, password spray and credential stuffing, all rely on the fact that your password is either given by the user to the attacker, guessed because it was really simple, or already exposed to attackers because of previous breaches in 3rd parties attacks. Also, in the case of password spray, Azure AD has functions in play to drastically reduce the speed of password spray attacks and increase the time attackers spend guessing a password.

Regarding why your passwords mostly don’t matter, Alex Weinert, Director of Identity Security at Microsoft, wrote a wonderful article way back in 2019 that I suggest you read:

Your Pa$$word doesn’t matter | Tech Community

But, if you still need to start modernizing your application log-in processes, and most applications in your environment rely only on either Active Directory or Active Directory Federation Services, please still consider a more complex password. In this case, the standard is usually set at 15+ characters, as when a password is created of more than 14 characters, you don’t store the LM hash for it. Of course, you can also disable LM hashes with GPOs, but most places aren’t doing it.

The aim of this post, though, is to discuss Azure AD-connected systems, applications, and cloud-only environments.

If you haven’t heard of it, you can either natively attach most applications to Azure AD or use Azure AD Application Proxy. Azure AD Application Proxy allows Azure AD to take the reins by letting it manage the authentication and access to the on-premises legacy applications.

MFA does put a patch on the issue of passwords. For now, if everyone had (preferably strong) MFA on their accounts, the compromises would go way down, as the attackers’ costs would go way up. But, as we said, MFA is a patch, not a permanent fix.

For example, many companies still rely on legacy authentication methods, which do not support MFA, or there are cases where MFA gets “skipped” with the use of man-in-the-middle attacks (such as the ones that can be conducted using evilginx2). While it’s not really a “skip”, it’s functionally a bypass of MFA functions.

Image taken from https://github.com/kgretzky/evilginx2

While passwordless methods are more secure and convenient, you should know that there is a better and worse ranking.

For example, adopting passwordless using the Microsoft Authenticator still puts you at risk of being phished with men-in-the-middle attacks, such as the ones we talked about before, and logging into Windows devices with the Authenticator is not supported at the moment.

Suppose you have a Conditional Access Policy that requires devices to be compliant. In that case, the Authenticator makes more sense as a passwordless method, as you add an additional layer of verification before accessing your company data.

Because FIDO2 Keys are not supported on mobile devices, the Microsoft Authenticator is still the best passwordless option for iOS and Android devices. It’s also a very common method for MacOS and Linux users.

As a side note, most of the time, instead of signing in with the Authenticator, on mobile you’ll be able to select “Sign-in options” and be presented with the option of signing in from another device, such as a desktop, where you’ll be able to use FIDO keys.

You can check out the state of FIDO2 Keys support on mobile devices on this page: FIDO2 Keys compatibility | Microsoft Docs

We’ll discuss the other two passwordless methods in the next chapter.

Windows Hello for Business and FIDO2 security keys

Windows Hello for Business and FIDO2 keys directly communicate with the service you are authenticating to. As such, they can only initiate the login flow if you are connected to the right page. And while this is already placing them up in the ranks, they can also provide access to Windows devices from the lock screen.

It’s worth noting that while Windows Hello for Business needs setup on every machine, FIDO2 keys can attach directly to the Azure AD user, making it way easier to use if the user is not always connected to the same device, as it happens with front-line workers. This happens because FIDO2 security keys store the credentials on the key, unlike Windows Hello for Business, where the key pair is bound to the TPM.

It’s also worth noting that Windows Hello for Business can (with some complex deployment options) also integrate with on-prem resources. One such use case is using Hello for Business with certificates to allow integration with the RDP protocol:

Deploy certificates for remote desktop (RDP) sign-in | Microsoft Docs

Here is a small table that recaps what methods are available, based on device type.

Device	FIDO2 security keys	Windows Hello for Business
Windows device
iOS mobile device	Not applicable	Not applicable
Android mobile device	Not applicable	Not applicable
MacOS device	Edge/Chrome	Not applicable

While we are on the topic, you can configure users with a one-time-use Temporary Access Password to make users passwordless from day one, but the topic will be discussed further down.

A very useful page to plan your passwordless implementation is the following. It guides you through a wizard that proposes the best options for your use case depending on what your users use.

Passwordless Setup | Microsoft Admin Center

While not discussed here, Azure AD Certificate-based authentication is also a strong and phishing-resistant passwordless method. Since it's now natively integrated into Azure AD, it makes a lot of sense for companies that used to rely on ADFS to achieve the same passwordless result.

Enable FIDO2 security keys

To enable users to use FIDO2 keys, first sign in to the Authentication methods page, then click on FIDO2 Security Key:

Authentication Methods | Entra

From the menu, select “Enable“, then either “All users” if you want the entire organization to be able to use FIDO2 keys or scope the deployment to a specific group. You may also scope the feature to “All users” but exclude a specific group of people.

Under “Configure“:

You’ll generally want to leave “Allow self-service set up” set to “Yes“. This allows people to set up their keys.
“Enforce attestation” to “Yes“, as it allows to verify the quality and certifications of the key.
Enforce key restrictions to “No“, as it allows you to set which FIDO keys are allowed by the org and what keys are not.

Save and end the setup.

Register a FIDO2 key

Before registering a FIDO2 key, the user will be prompted to setup MFA. If you want the user to directly use FIDO2 keys as an authentication method, you can create a Temporary Access Password for them. This will skip the MFA prompt and let the user configure directly the key.
To create a TAP, follow this guide: Configure a Temporary Access Password | Entra

For this tutorial I’ll be using a YubiKey 5 NFC.

Log in to https://mysignins.microsoft.com/security-info. Logging in Private Mode might mess up some of the process. Ensure you are using a normal browser page.
- If you are using Temporary Access Passwords, the user will be prompted to use it to authenticate.
- If the user had MFA configured, the user will be able to configure the FIDO2 keys directly
- If the user is authenticating with password-only, the user will be prompted to configure MFA as an additional step.
Click Security Info. In this case the user had MFA configured, so we can go straight to FIDO2 keys.

Click on “Add method“, then “Security key”.
Click on either “USB device” or “NFC device”. In my case, using a YubiKey 5 NFC, I’ll select USB, since I have it attached to the device. Note that this is just for registration, any method can be used for signing in after registration.

Insert the key, then press “Next“.

You will be redirected to a browser prompt, asking you to create a passkey. Select “External security key or built-in sensor“

If prompted, accept the following pop-up.

Create a PIN for your Security Key, then perform the gesture, such as touching the sensor.

Now give the key a name, so that you may recognize it. I generally suggest the ” Vendor + model” naming convention.

Click Done.
Now if you log-off, you’ll be able to test out the new key.

Once you are done with the setup, try signing in with the key. To do that:

Access office.com or any other portal, then select “Sign-in options“.

Select “Sign in with Windows Hello or a security key“. This might come up as just “Sign in with a security key“.

Attach your Security Key, then insert your PIN

Perform the gesture, such as touching the sensor.

If all went well, you’ll access the portal.

Before starting, please be aware that for sign-in in Windows, you’ll need the machine to be at least version 1903. There are no requirement on the join type, as FIDO2 keys can be used for both Azure AD Joined devices and Hybrid-AAD Joined devices.

Enable with Intune for all users

To use FIDO2 keys on Windows devices for all users in your tenant:

Either click on the following link, or access Intune, then click on “Enroll devices”, “Windows Hello for Business”. Windows devices enrollment | Intune
Click on Use security keys for sign-in, and set it to Enabled.

Targeted Intune deployment

To target specific device groups to enable the credential provider, use the following custom settings via Endpoint Manager:

Open the following link, or go into Devices, then Configuration Policies. Configuration profiles | Intune
Select Create a profile, then click on Windows 10 and later, Templates, Custom.
Name it however you prefer, preferably specifying FIDO Keys in the title.
After clicking Next, configure the next as follows:
- Name: Whatever you want, I chose FIDO2 for Windows Sign-in
- OMA-URI: ./Device/Vendor/MSFT/PassportForWork/SecurityKey/UseSecurityKeyForSignin
- Data Type: Integer
- Value: 1

Once you are done, configure the Assignments, then complete the wizard.

Enable with Group Policy

If you are not using Intune, you can enable the feature using GPOs. In this case only Hybrid Azure AD Joined devices are supported. Once you have created the GPO, the setting is located under Computer Configuration \ Administrative Templates \ System \ Logon. Next, click on Turn on security key sign-in, and set the policy to Enabled.

Force sync on a single device

If you want to test things out after applying the Intune policies, run the following command from your local PowerShell or force sync from Intune. Both will sync your settings with Intune.

Get-ScheduledTask | where {$_.TaskName -eq 'PushLaunch'} | Start-ScheduledTask

Windows Hello for Business deployment for AAD joined devices

An option for configuring WHfB is by using Intune device enrollment. The settings are placed under Windows enrollment settings and only allow scoping to all users.

If you want to do it more granularly, you can deploy a configuration policy that will do the trick. Note that the configuration policy has more options, such as “PIN recovery” and “Certificate for on-premise resources”.

For reference, you can also create GPOs and configure hybrid and on-premises services to deploy Windows Hello for Business, but that won’t be discussed in this article as it would be worth a dedicated article.

For all users

Either click on the following link, or access Intune, then click on “Enroll devices”, “Windows Hello for Business”. Windows devices enrollment | Intune
Click on Use security keys for sign-in, and set it to Enabled. Enabled will configure WHfB for all devices. Not configured will be used if you still want to use the feature but you don’t want Intune to manage it.
Review the image below and use it freely as a template for the settings. This is one of the better defaults I’ve come up with, but some settings will depend on your organization’s standards. One note, it’s generally a good idea to require TPM if your devices support it.

For specific groups

Open the following link, or go into Devices, then Configuration Policies. Configuration profiles | Intune
Select Create a profile, then click on Windows 10 and later, Templates, Identity protection.

Give the policy a name, then click Next
As before, this is one of the better defaults I’ve come up with, but some settings will depend on your organization’s standards.

Once you are done, configure the Assignments, then complete the wizard.

Force sync on a single device

If you want to test things out after applying the Intune policies, run the following command from your local PowerShell or force sync from Intune. Both will sync your settings with Intune.

Get-ScheduledTask | where {$_.TaskName -eq 'PushLaunch'} | Start-ScheduledTask

Conclusion

I hope this post was useful to you. If you spot any mistakes, feel free to reach out to me on Twitter or Linkedin.

Sources and additional reads

Various Microsoft Docs, in particular:

https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-security-key

https://learn.microsoft.com/en-us/azure/active-directory/standards/memo-22-09-multi-factor-authentication

https://learn.microsoft.com/en-us/mem/intune/protect/windows-hello

The Yubico reference guide:

Click to access User_Enablement_Guide.pdf

January 3, 2023February 9, 2023 Azvise

What are Conditional Access Policies in Azure AD

What are Conditional Access Policies?

Conditional Access Policies (CAPs) are identity-driven policies that govern user access to resources based on certain conditions. We can summarize them as if statements that govern what will be requested, enforced or blocked. As identity has become a key focus for security efforts, it’s essential to manage it in the best way possible.

All policies “think” at the user level and are enforced after a user has completed the first form of authentication, such as entering their username and password. As such, an attacker could understand if the credentials are correct even if there are blocks dictated by CAPs that might block access based on various signals.

Conditional access policies are implemented using Azure Active Directory, which is the cloud-based identity and access management service that is part of Microsoft 365. As of right now, Azure Active Directory (or Azure AD for short) is being integrated into the newly created Entra product family.

It’s important to note that Conditional Access Policies will manage not only native Microsoft apps such as SharePoint, Teams, the Azure Portal, etc. but also all SaaS applications connected to Azure AD and all on-premises applications managed through Azure AD Application Proxy.

This can simplify the management of identities, as, for example, the user will have their MFA methods set in Azure AD, and they’ll be requested on all connected apps in Azure AD for which you have set Azure AD as the identity provider.

In most organizations, the CAPs enforce requirements such as the enforcement of MFA, the block of logins using legacy protocols and requiring a compliant device to access company resources.

It is advisable to create or make changes to CAPs only if you have a basic understatement of the service and always operate with caution since you could risk blocking access to the tenant for all users.

Please consider implementing an emergency administrator before starting with Conditional Access, and exclude it from all the policies. Read more regarding this here:

Manage emergency access accounts in Azure AD

All Conditional Access policies must grant a user access before they can access a cloud app. If one of the CAP blocks the sign-in, the request will be denied. Note that if in the same policy you both include and exclude a user, the user will be excluded.

I wrote a post on how to check which policy is blocking a user sign-in. If you are curious, you can check it out here:

https://azvise.com/2022/05/24/how-to-check-which-conditional-access-policy-is-blocking-a-user-log-in/

If you are creating a new policy, it can be set to “Report-only” mode first. This will allow you to use insights and reporting workbooks to evaluate the impact of the policy before you go on to apply it to everyone in the organization by turning it “On”. Alternatively, you can keep the policy inactive by setting it to “Off”. Please note that a certificate request might pop up on Macs or mobile devices if you require a check for Intune compliance in the policy, even if it’s in report mode.

Licenses and Security Defaults

As Conditional Access Policies require Azure Active Directory Premium P1, only some organizations are going to be able to use them. If you are not licensed for it, you use Security Defaults to establish a basic security baseline for your tenant. Security Defaults are now activated by default in all the newly created tenants. What Security Defaults will do is:

Requiring every user to register for MFA. Once enabled, users will have 14 days to register before being required to do so.
Requesting MFA for both standard users and administrators, especially when a user accesses privileged portals.
Block legacy authentication protocols which can’t support MFA.

Templates and JSON

There is currently a set of recommended policies that you can deploy right away by clicking on “New policy from template” at the following link:

Conditional Access Policies | Azure AD

The templates are categorized in:

Secure foundation
Zero Trust
Remote work
Protect administrator
Emerging threats

While the templates are a very quick and easy way to start with CAPs, please exercise extreme caution. Even though they are created in report-only, they will not, for example, create a break glass admin and exclude it by default. If you mess up, you might end up locked out. Also note that it’s best to exclude users from CAPs using groups so that you don’t have to modify the policies constantly, which might end up in errors.

A cool new feature is the ability to implement CAPs using JSON templates. You’ll be able to export the policies you have created and be able to import them back in case anything happens.

To learn more, refer to the following documentation:

Azure AD Conditional Access documentation – Microsoft Entra | Microsoft Learn

December 13, 2022February 9, 2023 Azvise

What’s SMS Authentication and how to enable it in Azure AD

What’s Text Message Authentication

SMS-based authentication allows users to log in without needing to remember their username and password. After enabling the feature for an account, users can enter their phone number at the login prompt instead of their username. They will then receive an authentication code via text message that they can use to complete the login.

This service is often mistaken for SMS-based Multi-factor Authentication, but they are not the same.

This authentication method makes it easier for frontline workers to access applications and services. It’s not recommended to enable this feature for users who could use other passwordless methods or a combination of credentials + MFA. It’s also important to note that the desktop Office apps do not support SMS-based auth. Therefore, you can only use the web app version of the apps and only by logging in via office.com. You also cannot use the mobile version of the apps, except for Teams, Company Portal and Microsoft Azure.

If you decide to enable the feature, you should consider limiting and standardizing the frontline worker’s permissions to what’s necessary.

If you are curious why you should prioritize other methods over phone-based auth, consider reading this always relevant article by Alex Weinert:

It’s Time to Hang Up on Phone Transports for Authentication – Microsoft Community Hub

Critical Considerations

SMS-based authentication isn’t compatible with Azure Multifactor Authentication.
The only mobile apps that support SMS-auth are Teams, Company portal and Azure.
The users will need to use the web version of the Office apps and log in via office.com.
You’ll have to set up phone numbers for each account before the users can sign in.
A phone number can only be associated with one user.
If you have alternatives to phone-based auth methods, use them.

General Requirements

PERMISSIONS:

Being a Global Admin for the tenant

LICENCES:

Each user enabled for the feature must have one of the following:
- Microsoft 365 F1 or F3
- Azure Active Directory Premium P1 or P2
- Enterprise Mobility + Security (EMS) E3 or E5 or Microsoft 365 E3 or E5
- Office 365 F3

Tips

You can assign phone numbers to users using PowerShell for an easier setup experience.

How to enable the feature

Create a group with the users that’ll need to authenticate using SMS.
Open Authentication Methods | Azure AD
Click on SMS (Preview). The feature is not in preview anymore, even if the portal states so at the moment of writing this guide.

Click on “Yes” under “Enable”, then “Select groups”, and select the group you created in the first step. Complete the step by clicking “Select” and “Save”.

To set a phone number, go into All Users | Azure AD, then select a member of the group you created in the first step.
Go into “Authentication methods”, then click “Add authentication method”. From there, select “Phone number” and insert the phone number the user will use to sign in, then click “Add”.

You can also add an authentication method via PowerShell:

# Replace the variables with the user you wish to add the auth method to and phone number you wish to assign

$User = "user@example.com"
$PhoneNumber = "+1 111111111"

Install-module Microsoft.Graph.Identity.Signins
Connect-MgGraph -Scopes UserAuthenticationMethod.ReadWrite.All
Select-MgProfile -Name beta

New-MgUserAuthenticationPhoneMethod -UserId $User -phoneType "mobile" -phoneNumber $PhoneNumber

# Get the phone number of the user

Get-MgUserAuthenticationPhoneMethod -UserId $User

If you need to script this for multiple users, you can refer to the code below.

This script assumes you created a CSV file in “C:\” named contacts.csv, and that the CSV file has a column named UserName and a column named PhoneNumber. If your CSV file has different column names, you will need to update the script accordingly.

# Install the modules and login to Graph

Install-module Microsoft.Graph.Identity.Signins
Connect-MgGraph -Scopes UserAuthenticationMethod.ReadWrite.All
Select-MgProfile -Name beta

# Import the CSV file containing names and phone numbers

$contacts = Import-Csv -Path "C:\contacts.csv"

# Loop through each user and add their phone number for authentication
# If you changed the column names, replace these placeholders with the actual column names from the CSV file


foreach ($contact in $contacts)
{
    $User = $contact.UserName
    $PhoneNumber = $contact.PhoneNumber
    New-MgUserAuthenticationPhoneMethod -UserId $User -phoneType "mobile" -phoneNumber $PhoneNumber
}

To learn more, refer to the following links:

SMS-based Authentication | Microsoft Docs

SMS-based Authentication – S upported apps | Microsoft Docs

November 14, 2022February 9, 2023 Azvise

Add or remove a user from a Conditional Access Policy (CAP) – Azure AD

What are Conditional Access Policies?

Conditional Access Policies (CAPs) are identity-driven policies that govern user access to resources. We can summarize them as if statements that govern what will be requested, enforced or blocked.

In most organizations, the CAPs govern the enforcement of MFA, the block of logins using legacy protocols, and requiring a compliant device to access company resources.

All policies “think” at the user level.

It is advisable to make changes to CAPs only if you have a basic understatement of the service, since you could risk blocking access to the tenant for all users. In order to learn more, refer to the following documentation:

Azure AD Conditional Access documentation – Microsoft Entra | Microsoft Learn

General considerations

It’s a good idea to manage exclusions using Groups. This way, you won’t have to directly modify the policy every time.
Since many policies are scoped to include all users, you’ll have to handle exceptions with the “exclude” feature.

How to add or remove a user

Log in to Conditional Access – Microsoft Azure
Select the desired policy
If you intend to add a user to the policy, click on the blue link under “Users or workload identities”, then “Include,” and click the blue link under “Users and groups”.

Select or search for the desired user, then click “Select.”

If you want to exclude a user, click on the blue link under “Users or workload identities”, then “Exclude,” and click on the blue link just below “Users and groups.” The same user selection screen shown in the previous step will open. Search for and select the user, then click “Select.”

Once done, save using the “Save” button at the end of the page. If the policy is in “Report-only” or “Off“, the flow is not active.

October 10, 2022February 9, 2023 Azvise

Unfortunately, your password contains a word, phrase or pattern that makes it easily guessable. – Azure AD

Suppose you or a user reset a password, and one of the following errors comes up. In that case, it means that either you are using a guessable password or that somebody in your organization has enabled Password Protection in your environment, and you are using a banned word.

Unfortunately, your password contains a word, phrase or pattern that makes it easily guessable. Please try again with a different password.

“Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain.”

If you are a user, please try a more complex password to circumvent the error. Substituting @ with A, 1 with I, and other widespread ways of changing up a common word will not be counted as “not including a common word”.

If you are an admin, please note the following about this feature. Users often create passwords that use common words based on personal interests or easily rememberable things (e.g. cities, sports teams, celebrities, months, etc.). These passwords are strongly vulnerable to dictionary-based attacks. Azure AD Password Protection, which works either in a “cloud-only” mode or can also synchronize to on-prem, provides a global and custom-banned password list. The global one is maintained directly by Microsoft; the custom one can be modified by the Microsoft 365 / Azure AD admins.

To access the feature settings, click on this link: Password Protection settings | Azure AD

September 27, 2022February 9, 2023 Azvise

Delete a user profile in Azure Virtual Desktop – AVD

To remove a user profile in Azure Virtual Desktop, you must first be sure that the user is logged off. If you are unsure on how to do it, follow the guide below.

Disconnect a user session in Azure Virtual Desktop (AVD) – PowerShell

After you’ve checked this, you got two options based on the type of profile architecture you chose to implement.

If the profiles are stored locally, you can proceed to remove them as you’d do in standard W10 machine.
If you are using FSLogix, which is the recommended way to handle them, you can proceed to remove the user folder from the Azure File Share.

If you are unsure about which type of user profile solution you use, you can log in to a standard user account (preferably the one you wish to remove) and follow the guide below.

Check whether you are using an FSLogix profile in Azure Virtual Desktop – AVD

If you fall under the first option, log into the AVD instance/instances with an admin user account, open “Run“, then type netplwiz.exe and click enter. This will open the Advanced User Accounts Control Panel. From there, you’ll get a list of all the users. Next, click on the user profile you’d like to delete and click “Remove”. You’ll have to repeat this procedure for all the AVD hosts in your environment.

If you are running FSLogix, log into the Azure File Share hosting your profiles, then locate the user folder you wish to delete. Usually, the format is either %username%%sid% or “%sid%%username%, depending on whether you have added the FlipFlopProfileDirectoryName registry in the FSLogix configuration (FlipFlopDirectoryName | AVD). Once you have found it, open it, and delete the VHD/ VHDX stored inside, as per the screenshot below. After the VHD deletion has been completed, delete the user profile folder.

May 24, 2022February 9, 2023 Azvise

How to check which Conditional Access Policy is blocking a user log-in – Azure AD

General Introduction

If you have Conditional Access Policies in place to block certain log-ins, you might get that a user will contact you because their sign-in request is being blocked. Probably both you and the user don’t know which policy is making the log-in fail, since it’s not specified in the error message.

The usual error message is something along the lines of: “Your sign-in was successful, but does not meet the criteria to access this resource. For example, you might be signing in from a browser, app or location that is restricted by your admin.” and the standard error code is “BlockedByConditionalAccess” error 53003

How to solve

To get more details:

Go to the Sign-in logs page in Azure AD: Azure AD | Sign-in logs
Filter by username or by the field you prefer

Click on the failed log-in request
Click on “Conditional Access“
The Policies that have as a result “Failure” and “Grant Controls” set on “Block” are the ones blocking the user.

April 1, 2022February 13, 2023 Azvise

User blocked due to risk on home tenant – Azure AD

General Introduction

If you just enabled Azure AD Identity Protection for your entire tenant, you might get some complaints from guest users, saying that their sign-in was blocked.

If you got a similar issue, but the user is not a guest but a member of your organization, follow this guide:

https://azvise.com/2022/05/25/unblock-at-risk-user-azure-ad/

You cannot remediate the user risk of a guest. If you try to look for a guest user in Identity Protection | Risky users, you won’t find any.

The user risk is calculated in the “home” tenant, where your user was created, not in the tenant you have guest access / are trying to access. This is also done so that the system may have more insights into user behaviour to calculate the risk.

How to resolve

Now going forward, there are two ways of solving this issue:

If the home tenant administrators have AAD Premium P2, they can remediate the user risk by following this link Identity Protection | Risky users. A password reset is usually suggested and will also clear the user’s risk.
If they do not have AAD Premium P2, they can reset the user’s password or let the user do it by themselves by using Self Service Password Reset (SSPR), if configured. Alternatively, they can also go on this page, and ignore the user risk, once you have assessed that everything is resolved: AAD Risky Users. All these methods will clear the user risk.

Of course, if you wish, you may disable the user risk policy for guests. This is done by creating a dynamic group in Azure AD containing all the guest (Dynamic security group with a dynamic query of usertype equals guest) and excluding it from the policy.

March 1, 2022February 9, 2023 Azvise

Receive an alert on user login – Azure AD

General introduction

Since the best practice in Azure AD is to configure Break-glass administrators to be excluded from a lot of conditional access policies, you probably want to receive an alert if this user logs into the tenant. This admin should not be used for day to day operations, and the authentication methods should be really strong.

How to guide

For this procedure, you’ll need Azure AD Premium P1 or P2.

To receive an alert on a user login you’ll need to export sign-in logs to a Log Analytics workspace, then set up the triggers. We’ll go over the steps in this guide:

Open the Log Analytics page
Click on “Create“.
Select the subscription, resource group and choose a name and region for the LAW instance.

Click on “Review + Create”, then on “Create”.
Go to Diagnostics Settings | Azure AD

Click on “Add diagnostic setting”.
Select “SignInLogs” and “Send to Log Analytics workspace”.
Select the Log workspace you just created.
Give the diagnostic setting a name.
Click “Save”.

Go to AAD | All Users
Click on the user you want to get alerts for, and copy the User Principal Name.

Open your Log Analytics workspace.
Go to “Alerts”, then “+ Create”, “Alert rule”.
Under “Condition“, select “Add”.
Select “Custom log search”.

In the text box, insert the following code, personalizing it for your UPN:

SigninLogs
| project UserPrincipalName 
| where UserPrincipalName == "demo@azdemoenv.onmicrosoft.com"

Under “Alert logic”, select “Operator” Greater than 0, with “Frequency of evaluation” 5 minutes.
If you want to get alerts as soon as possible, set the frequency of evaluation to 1 minute.

Click on “Next”.
Create an Action Group, or select your existing one.
To create one, click on “Add action groups”, select the subscription, resource group, and give the Action Group a name and display name.
Select the type of notification you want to get. In my example, I’ve selected an email and SMS.

Click “Ok”, and give the notification a name.
Click on “Review + create”, you will have the chance to test it out before pushing it in production.
Once you are happy with your rule, click “Create”.

If your tenant is not big, this alert will only cost a couple of bucks. However the bigger cost may come from storing all the sign-in logs. If the logs are under 5 GB, there will not be any charge, if it goes up from there you’ll have to pay for storage fees:

Azure Monitor Pricing

December 15, 2021February 10, 2023 Azvise

Enable number matching and additional context with Microsoft Authenticator – Azure AD

General Introduction

It’s been a long time since Microsoft released number matching and additional context for the Microsoft Authenticator. These features allow you to quickly improve your MFA posture, adding a new layer of security and preventing accidental approvals. This is also useful to lower the chances of being compromised by MFA fatigue attacks.
The feature consists in a map shown on your MFA prompt on your phone that indicates where the MFA request is coming from, the name of the application requesting the MFA challenge, and a box to insert the number that will be shown on screen.

Image taken from the Microsoft Docs. Link in the notes

How to enable it

To enable these features follow this link, which will guide you into Azure AD > Security > Authentication methods:

Authentication methods | Azure AD

From here, click “Microsoft Authenticator“.

Click “Yes” under “ENABLE“, then on “Configure“.

Be sure to activate “Require number matching for push notifications“, “Show application name in push and passwordless notifications” and “Show geographic location in push and passwordless notifications“, then save.

You can scope the features to a selected group of users if you want to test them out and go for a gradual rollout. This is done by selecting “Select group” and adding the group for which you want to enable the feature.

Additional notes

Check out this article if you are looking for a communication to send out to users before rolling out the features:

https://azvise.com/2022/07/13/additional-context-and-number-matching-user-guide-mfa/

Here is a link to the Microsoft Documentation:

How to use number matching in multifactor authentication (MFA) notifications – Authentication methods policy

Here is a link to the CISA documentation on the topic:

Implementing Number Matching in MFA Applications | CISA

December 10, 2021December 23, 2021 Azvise

How to download the disk of an Azure VM – Azure

Since Azure introduced the option to download the OS disk of a VM directly, you don’t need anymore to traffic around to download the unmanaged disk (or go with the snapshot route).
Here are some easy steps to directly download the disk of your Windows / Linux VM.
Please note that a Sysprep is advised if you need to use the disk as a template to create new VMs.

Go to the VM, and stop it.

Click on “Disks” then on he OS Disk.
Click on “Disk Export“, then in the field, enter a higher number (es. 30600) so that you have plenty of time to download the disk. Once done, click “Generate URL“.

Click on “Download the VHD file“

December 10, 2021December 23, 2021 Azvise

ResourceNotTopLevel error when trying to move resources – Azure

When you transfer Azure resources between subscriptions, you might get the following error: “ResourceNotTopLevel“.

This is caused by the fact that you only have to select top-level resources for the move, and the dependencies will be moved automatically.

For example, say you selected both a Network Watcher Extension and the relative VM you want to move. You will just need to move the VM object, and the extension will come with the server.

Example of an error code:


{
                "code": "ResourceNotTopLevel",
                "message": "Identifier '/subscriptions/0000000000000000000/resourceGroups/MoveResource/providers/Microsoft.Compute/virtualMachines/VMtobeMoved/extensions/AzureNetworkWatcherExtension' is not a top level resource. Please include only the top-level resource for this child resource in the move request. A child resource would be moved along with its associated top-level resource.\""
            }

From the error code, you’ll get that you just have to move the following resource, being the top-level one:

/subscriptions/0000000000000000000/resourceGroups/MoveResource/providers/Microsoft.Compute/virtualMachines/VMtobeMoved

It’s good to remember that if dependent resources are distributed across different resource groups, you’ll first have to move them into one resource group and then attempt the migration.

November 8, 2021February 9, 2023 Azvise

Automatically clean up inactive Guest users – Azure AD

Using Azure AD Access Reviews (available with Azure AD Premium P2), you can automatically remove guest users from your tenant who haven’t had access in a specified number of days. In this guide, we will implement the access review step by step.

This is a great way to clean up your tenant automatically and can be scheduled.

NOTE: The procedure used to clean up only users who didn’t have access in the last 30 days. This has now been expanded to support a variable number of days (ex. 60, 90, etc).

Step by step guide

As a prerequisite, you’ll need to create a dynamic group in AAD, which will contain all guest users who can log in to the tenant:

To create the group, go to AAD Groups, then click on “New Group”.
Select Group Type as “Security“, give the group a name, and select “Membership type” as “Dynamic User“.

Under “Dynamic user members”, click on “Add dynamic query“.
The query you will want to create is:

 (user.userType -eq "Guest") and (user.accountEnabled -eq true)

You can create this group also using Powershell, and pasting this command after installing the Graph module.

Import-Module Microsoft.Graph.Groups

$params = @{
	DisplayName = "Guest_review_dynamicgroup"
	MailEnabled = $false
	MailNickname = "fb7kk308-6"
	SecurityEnabled = $true
	Description = "Group used for the automatic guest removal process"
	GroupTypes = @(
		"DynamicMembership"
	)
	MembershipRule = "(user.userType -eq "Guest") and (user.accountEnabled -eq true)"
	MembershipRuleProcessingState = "On"
}

New-MgGroup -BodyParameter $params

The accountEnabled attribute lets you filter for users who can log in. Since the access review will deactivate the account for 30 days before deleting it permanently, this way we’ll filter only for the guest users active in the tenant and not the ones ready to be automatically deleted.

Once done, click on “Create”.

To create the access review, open this link, then follow the steps listed below:

Identity Governance | Access Reviews

Click on “New access review“.

Select “Teams + Groups” under “Select what to review”, “Select Teams + groups” under “Select review scope”, under “Group” enter your group, then click on “Guest users only” under “Scope”.

You can then filter only for the guest that did not had access in a specified number of days. This is accomplished using this part of the wizard:

Click on Next, and under “Select reviewers”, click on “Selected user(s) or group(s)“. The person or people that will manually review the users to delete should be selected just below. If not needed, insert an admin and go ahead. I always give at least 3 to 5 days for the reviewers to check if somebody should not be blocked or deleted. If some guest user should always be excluded from the review, you can add an exclusion in the AAD Group membership rules.

In the last paragraph, you’ll want to select auto-apply results to make the automation work. Under “If reviewers don’t respond”, choose “Take recommendations“. The recommendations will be based on whether the user has logged in recently or not. There are no other recommendations that I am aware of at this moment. Under “Action to apply on denied guest users”, select “Block user from signing-in for 30 days, then remove user from the tenant“. Be sure that “No sign-in within 30 days” is selected as reviewer decision helper, as per the image below.

If you want this to be fully automated, deselect “Justification required”.
Once done, click on “Review + create”, give the review a name and click on “Create”.

Now you will automatically have the guest users who haven’t logged in in the specified number of days blocked. After 30 days, the blocked user will be removed from the tenant.

Additional resources

Jef Kazimer wrote a really cool guide on how to remove unredeemed B2B guest from your Azure Active Directory:

Using Azure Automation with Managed Identities to remove unredeemed B2B guests

August 11, 2021October 12, 2022 Azvise

Force Azure File Sync tiering

If you are encountering issues with Azure File Sync, or you just want to force the process so that you can free some space now, follow the commands shown below:

#Import the commands
Import-Module "C:\Program Files\Azure\StorageSyncAgent\StorageSync.Management.ServerCmdlets.dll"

#Force the synchronization of the folder you have specified in the sync group
Invoke-StorageSyncCloudTiering -Path <sync_group_path>

If you want to get some logs out of the operation for troubleshooting, send these commands in a separate PowerShell window before launching the script above:

cd C:\
New-Item -ItemType directory -Path C:\AZfslogs
cd "C:\Program Files\Azure\StorageSyncAgent"
Import-Module .\AFSDiag.ps1
Debug-AFS -OutputDirectory C:\AZfslogs -KernelModeTraceLevel verbose -UserModeTraceLevel verbose

You can terminate the command once the sync is concluded and get the logs in the C:\AZfslogs folder.

June 15, 2021October 12, 2022 Azvise

Disconnect a user session in Azure Virtual Desktop (AVD) – PowerShell

Prerequisites: The Microsoft.RDInfra.RDPowerShell module, the Az PS module

First, install the RDInfra module:

Install-Module -Name Microsoft.RDInfra.RDPowerShell; Import-Module -Name Microsoft.RDInfra.RDPowerShell

Then proceed by installing the Az module and logging in:

Connect-AzAccount

Once you are logged in you can run the following script to disconnect a specific user session:

Get-RdsUserSession -TenantName "tenantname.onmicrosoft.com" -HostPoolName "HostPoolName" | where { $_.UserPrincipalName -eq "azvise\demouser" } | Invoke-RdsUserSessionLogoff -NoUserPrompt

May 4, 2021December 23, 2021 Azvise

Repair / troubleshoot a Linux VM – Azure

If you encounter a boot or disk error with a VM, you need to get the OS disk into another VM to troubleshoot the issue.

The command we will run into Azure Cloud Shell is az vm repair create. To create a troubleshooting VM, follow these steps:

Open Azure Cloud Shell in bash or install Azure CLI in your bash environment.
Run the following command: az vm repair create -g “resourcegroupname” -n “VMname” –verbose
Insert admin credentials for the newly created VM into the bash shell
Connect to the newly created server and start analyzing the problem

April 15, 2021October 12, 2022 Azvise

Exchange API missing for Veeam modern auth in Azure AD

If you are looking for the Exchange API to configure modern authentication for Veeam, you’ll find that it is no longer present under “Request API Permissions” -> “Microsoft API”.

Instead, what you want to do is go into “APIs my organization uses” under the “Request API Permissions”, then search for “Office 365 Exchange Online“.

It’s basically the same thing, only a bit harder to find, as the search doesn’t show up results if you look for “Exchange”.

March 10, 2021December 10, 2021 Azvise

Configure a SLES VM for Azure Site Recovery

To configure a VM for Azure Site Recovery we’ll need to configure the Microsoft Azure Linux Agent and enable the console. The VM will automatically get the DHCP network settings that it will need to get an IP from Azure.

First, add the repository and install the agent:

SLES 12 SP3:

zypper addrepo https://download.opensuse.org/repositories/Cloud:Tools/SLE_12_SP3/Cloud:Tools.repo
zypper refresh
zypper install python-azure-agent

SLES 12 SP4

zypper addrepo https://download.opensuse.org/repositories/Cloud:Tools/SLE_12_SP4/Cloud:Tools.repo
zypper refresh
zypper install python-azure-agent

SLES 15

zypper addrepo https://download.opensuse.org/repositories/Cloud:Tools/SLE_15/Cloud:Tools.repo
zypper refresh
zypper install python-azure-agent

SLES 15 SP1

zypper addrepo https://download.opensuse.org/repositories/Cloud:Tools/SLE_15_SP1/Cloud:Tools.repo
zypper refresh
zypper install python-azure-agent

SLES 15 SP2

zypper addrepo https://download.opensuse.org/repositories/Cloud:Tools/SLE_15_SP2/Cloud:Tools.repo
zypper refresh
zypper install python-azure-agent

Then enable automatic updates for the agent:

vi /etc/waagent.conf

Go to AutoUpdate.Enabled and enable it. It should look like this:

# AutoUpdate.Enabled=y
AutoUpdate.Enabled=y

Restart waagent and enable it:

systemctl restart waagent.service
systemctl enable waagent.service

Enable the serial console, to be able to access the VM even without connection from Azure:

systemctl start serial-getty@ttyS0.service
systemctl enable serial-getty@ttyS0.service

January 21, 2021February 9, 2023 Azvise

The Group Policy Client service failed the sign-in. Access is denied – AVD/WVD

If you get this error there is probably something wrong with the user profile. It’s usually either that the VHD / VHDx is locked, or the cached profile is broken.

In the first case sometimes the Windows Session closes down and doesn’t alert FSLogix to unlock the disk. Before you reboot the VM, consider adding the following registry entry:

CleanupInvalidSessions

Path: HKEY_LOCAL_MACHINE\Software\fslogix\apps\CleanupInvalidSessions

Type: DWORD

Value to set: 1

At times a Windows Session may suffer an inelegant termination, in these cases FSLogix is not provided an appropriate event to trigger the dismount of the VHD(x) file for Profile Container and Office Container. By setting CleanupInvalidSessions to 1, additional FSLogix logic is triggered to make this scenario less likely. Setting CleanupInvalidSessions will cause the functionality to be utilized for both Profile Container and Office Container. KNOWN ISSUE: at this time CleanupInvalidSessions should not be used in conjunction with Cloud Cache when concurrent sessions (e.g utilizing ProfileType/VHDAccessMode) are in use.
https://docs.microsoft.com/en-us/fslogix/profile-container-configuration-reference

In the second case head into C:\Users\ and backup the profile related to the blocked user, then rename it to profilename_local.

January 11, 2021October 12, 2022 Azvise

Change AD account used in AD Connect connector

To change the user account set in Azure AD Connect follow these steps:

Log in to the AD Sync server
Run the “Synchronization Service” from the start menu

Go to the “Connectors” tab
Select the connector relative to your on-premise AD
Right-click it and select “Properties”
Click on “Connect to Active Directory Forest”

Here you will swap your credentials once the user is ready
Go into your AD DS environment and create a new user. It has to be part of the “Domain Users” group
Right-click the domain object (e.g. contoso.com) then “Properties”
Click on “Security”
Add the user account if not present
Click on the account added
Add the “Replicating Directory Changes” and “Replicating Directory Changes All” permissions
Click Apply
Any further permission will depend on which optional features you have enabled in your environment. To check any “special” permissions for the user refer to the following link: https://docs.microsoft.com/it-it/azure/active-directory/hybrid/reference-connect-accounts-permissions#create-the-ad-ds-connector-account
Swap the current user account with the new one we just created in the “Connect to Active Directory Forest” tab on the AD Connect server and click “OK”

December 18, 2020December 23, 2021 Azvise

ASR Kernel modules fail to load while installing the Mobility Service (VMware) – Azure

If some kernel modules fail to load (such as in the example below) while installing the Mobility Service agent, please check:

If the kernel is supported in your Configuration Server version
If secure boot is enabled

#EXAMPLE using SUSE 15 SP2
exampleserver0:/tmp/ASR # sudo ./install -d /usr/local/ASR/ -r MS -v VmWare -q
All product pre-requisties are met.
Generating the certificate.
[...]

Filter driver kernel module is not loaded. Attempting to load it, please wait...
insmod /lib/modules/[kernelversion]-default/kernel/drivers/char/involflt.ko 
Filter driver could not be loaded successfully.
Check the log file /var/log/ua_install.log for detailed diagnostic messages or installation success/failures...
Vx agent installation exit code : 208.
Check the log file /var/log/ua_install.log for detailed diagnostic messages or installation success/failures...
Installer exiting with code: 208

Check the following page to see if the kernel version is supported:

https://docs.microsoft.com/en-us/azure/site-recovery/vmware-physical-azure-support-matrix#ubuntu-kernel-versions

If it’s supported try launching the following command:

mokutil --sb-state

If it’s enabled you should get something along the lines of:

SecureBoot enabled

Please note that SecureBoot is not supported at the moment with VMware DR in ASR:

https://docs.microsoft.com/en-us/azure/site-recovery/vmware-physical-azure-support-matrix#storage

To disable SecureBoot proceed as following:

Click on the virtual machine in vSphere (or vCenter)
Shut down the VM
Click on Edit Settings
Go in VM Options, then Boot Options
Deselect the Secure Boot check box
Click on OK
Start the VM

December 18, 2020October 12, 2022 Azvise

ASR Data change rate is beyond supported limits

If you see the event “Data change rate beyond supported limits” in the ASR replicated items logs, you probably need to change the disk type of your managed disks for that Virtual Machine.

I would advise waiting a bit to check if the error disappears or remains consistent.

To change the disk size go to:

Disks
Select the disk specified in the error message above
Click on Configuration
Under Account type switch from “Standard HDD” to “Premium SSD” (or “Standard SSD”)
Save

December 17, 2020October 12, 2022 Azvise

Cannot enable protection for a VM in ASR “This operating system isn’t supported in Azure”

If you get the following error, please check if the OS and kernel versions are supported:

https://docs.microsoft.com/en-us/azure/site-recovery/vmware-physical-azure-support-matrix

If they are supported, you can install manually the agent on the VM. If it doesn’t work, try checking if the VM in VMware is configured as “Other (64-bit)” in the guest OS version. If it is, you should change the version to the specific Linux distribution you got installed. Mind that the VM must be shut off to change the Guest OS version.

To install manually the agent follow these steps:

Go under %ProgramData%\ASR\home\svsystems\pushinstallsvc\repository in your ASR server and copy the “Microsoft-ASR_UA*_GA*.tar.gz” file specific to your distribution.
Copy the file to the VM. I would recommend creating a specific folder for the file under /tmp
Copy the Conf server passphrase to the server
Unpack the file: tar -xvf Micorosft-ASR_UA_yourfile.tar.gz
Run the following command as root: ./install -d /usr/local/ASR -r MS -v VmWare -q
Register the mobility service to the Conf server: /usr/local/ASR/Vx/bin/UnifiedAgentConfigurator.sh -i ConfserverIP -P /var/passphrase.txt

November 27, 2020October 12, 2022 Azvise

Recover ASR Configuration server passphrase

To recover your passphrase sign into the configuration server, then open a command line.

Change directory using:

cd %ProgramData%\ASR\home\svsystems\bin

then to export your passphrase using the following command:

genpassphrase.exe -v > connection.passphrase

Open the file with notepad to get the key:

Notepad "connection.passphrase"

November 16, 2020December 23, 2021 Azvise

Remove UDR from a subnet with a private endpoint associated – Azure

If you try to remove a UDR from a subnet that contains private endpoints, you may get the following error:

Failed to dissociate subnet 'SubnetName'. Error: Private endpoint network policies cannot be enabled on private endpoint subnet 'FullPathSubnet' .

To resolve run the following command using Azure CLI. Keep the route table parameter blank.

az network vnet subnet update -g MyResourceGroup -n MySubnet --vnet-name MyVNet --route-table ""

General Introduction

The 10 tips list

Link to Microsoft docs, and additional reads:

General introduction

The issue

General introduction

How to enable Security Defaults

How to disable Security Defaults

Notes

Notes

Scale the Control Plane

Scale worker nodes

General Introduction

Windows Hello for Business and FIDO2 security keys

Enable FIDO2 security keys

Register a FIDO2 key

Test the FIDO2 key

Configure security keys as a sign-in option in Windows

Enable with Intune for all users

Targeted Intune deployment

Enable with Group Policy

Force sync on a single device

Windows Hello for Business deployment for AAD joined devices

For all users

For specific groups

Force sync on a single device

Conclusion

Sources and additional reads

What are Conditional Access Policies?

Licenses and Security Defaults

Templates and JSON

What’s Text Message Authentication

Critical Considerations

General Requirements

Tips

How to enable the feature

What are Conditional Access Policies?

General considerations

How to add or remove a user

General Introduction

How to solve

General Introduction

How to resolve

General introduction

How to guide

General Introduction

How to enable it

Additional notes

Step by step guide

Additional resources