Add or remove a user from a Conditional Access Policy (CAP) – Azure AD

Conditional Access Policies (CAPs) are identity-driven policies that govern user access to resources. We can summarize them as “if” statements that decide what will be requested, enforced or blocked.

In most organizations, CAPs enforce MFA, block sign-ins that use legacy authentication protocols, and require a compliant device to access company resources.

All policies “think” at the user level.

It is advisable to make changes to CAPs only if you have a basic understanding of the service, since a wrong change can block access to the tenant for all users. To learn more, refer to the following documentation:

Azure AD Conditional Access documentation – Microsoft Entra | Microsoft Learn

Some quick notes:

  • It’s a good idea to manage exclusions using Groups. This way, you won’t have to directly modify the policy every time.
  • Since many policies are scoped to include all users, you’ll have to handle exceptions with the “exclude” feature.

To add or remove a user:

  • Log in to Conditional Access – Microsoft Azure
  • Select the desired policy
  • If you intend to add a user to the policy, click on the blue link under “Users or workload identities”, then “Include,” and click the blue link under “Users and groups”.
  • Select or search for the desired user, then click “Select.”
  • If you want to exclude a user, click on the blue link under “Users or workload identities”, then “Exclude,” and click on the blue link just below “Users and groups.” The same user selection screen shown in the previous step will open. Search for and select the user, then click “Select.”

Once done, save using the “Save” button at the end of the page. If the policy is in “Report-only” or “Off” state, the change is recorded but the policy is not enforced.
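The same exclusion can be scripted. The following is an added example, not code from the original post: it uses the Microsoft Graph PowerShell SDK to append a user or a group to the exclusion lists of an existing policy, and warns when the policy is not in the enabled state. It assumes the Microsoft.Graph module is installed, the caller holds the Policy.ReadWrite.ConditionalAccess permission, and the policy name and object IDs are placeholders.

```powershell
# Added example (not from the original post): exclude a user or group from an existing
# Conditional Access Policy via Microsoft Graph PowerShell. Policy name and IDs are placeholders.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

function ToList($value) { @($value | Where-Object { $_ }) }   # null-safe: an empty list stays empty

function Add-CapUserExclusion {
    param(
        [Parameter(Mandatory)] [string] $PolicyDisplayName,
        [string] $UserObjectId,    # object ID of the user to exclude (optional)
        [string] $GroupObjectId    # object ID of an exclusion group (optional, preferred)
    )
    $policy = @(Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$PolicyDisplayName'")
    if ($policy.Count -ne 1) { throw "Expected exactly one policy named '$PolicyDisplayName', found $($policy.Count)" }
    $policy = $policy[0]
    $users = $policy.Conditions.Users

    # Append to the current exclusion lists rather than replacing them
    $excludeUsers  = ToList $users.ExcludeUsers
    $excludeGroups = ToList $users.ExcludeGroups
    if ($UserObjectId  -and $excludeUsers  -notcontains $UserObjectId)  { $excludeUsers  += $UserObjectId }
    if ($GroupObjectId -and $excludeGroups -notcontains $GroupObjectId) { $excludeGroups += $GroupObjectId }

    # The users condition is sent back whole: include lists unchanged, exclude lists updated
    $body = @{
        conditions = @{
            users = @{
                includeUsers  = ToList $users.IncludeUsers
                includeGroups = ToList $users.IncludeGroups
                includeRoles  = ToList $users.IncludeRoles
                excludeUsers  = $excludeUsers
                excludeGroups = $excludeGroups
                excludeRoles  = ToList $users.ExcludeRoles
            }
        }
    }
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -BodyParameter $body

    # Same caveat as in the portal: a report-only or disabled policy enforces nothing
    if ($policy.State -ne "enabled") {
        Write-Warning "Policy '$PolicyDisplayName' is in state '$($policy.State)' and is not enforced"
    }
}

# Placeholder names/IDs. Excluding a group means the policy itself does not change for every exception.
Add-CapUserExclusion -PolicyDisplayName "Require MFA for all users" -GroupObjectId "<cap-exclusion-group-object-id>"
```

Re-read the policy after the update and confirm the exclusion landed where you expected before telling the user the block is gone.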

Get all users of an Azure AD Group and add them to another one – PowerShell

The following script will get all the members of an Azure AD group and add them to another group. You’ll just need to know the name of the two groups.

The source group will be called Group1 and the destination Group2.

# Replace Group1Name with the name of your source group and Group2Name with the name of the destination one. Everything else will be done automatically.
# Requires the AzureAD module and an authenticated session.
Connect-AzureAD

$Group1 = "Group1Name"
$Group2 = "Group2Name"

# Resolve the two display names to object IDs; stop if either is missing or not unique
$group1ObjectID = Get-AzureADGroup -Filter "DisplayName eq '$Group1'" | Select-Object -ExpandProperty ObjectId
$group2ObjectID = Get-AzureADGroup -Filter "DisplayName eq '$Group2'" | Select-Object -ExpandProperty ObjectId
if (@($group1ObjectID).Count -ne 1 -or @($group2ObjectID).Count -ne 1) {
    throw "Source or destination group not found, or the display name is not unique"
}

$membersGroup1 = Get-AzureADGroupMember -ObjectId $group1ObjectID -All $true
# Members already in the destination are skipped so the add does not fail on duplicates
$existing = Get-AzureADGroupMember -ObjectId $group2ObjectID -All $true | Select-Object -ExpandProperty ObjectId

foreach ($member in $membersGroup1) {
    if ($existing -contains $member.ObjectId) { continue }
    # -RefObjectId accepts any directory object (user, group, service principal), so no extra lookup is needed
    Add-AzureADGroupMember -ObjectId $group2ObjectID -RefObjectId $member.ObjectId
}

# Show the resulting membership of the destination group
Get-AzureADGroupMember -ObjectId $group2ObjectID -All $true

Unfortunately, your password contains a word, phrase or pattern that makes it easily guessable. – Azure AD

Suppose you or a user reset a password, and one of the following errors comes up. In that case, it means that either you are using a guessable password or that somebody in your organization has enabled Password Protection in your environment, and you are using a banned word.

  • “Unfortunately, your password contains a word, phrase or pattern that makes it easily guessable. Please try again with a different password.”
  • “Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain.”

If you are a user, try a more complex password that does not build on a common word. Substituting @ for A, 1 for I, and other widespread ways of disguising a common word do not help: the check normalizes these substitutions before matching, so the password still counts as containing the common word.

If you are an admin, note the following about this feature. Users often create passwords based on common words tied to personal interests or easy-to-remember things (e.g. cities, sports teams, celebrities, months). These passwords are highly vulnerable to dictionary-based attacks. Azure AD Password Protection, which works in a “cloud-only” mode or can also be extended to on-premises AD, provides a global banned password list and a custom one. The global list is maintained directly by Microsoft; the custom one can be edited by Microsoft 365 / Azure AD admins.
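To see why the substitutions above do not help, here is an added example, not part of the original post: an approximation of the documented evaluation steps of Azure AD Password Protection (normalization, banned-token matching and the 5-point score) written as a PowerShell function. It omits the fuzzy edit-distance match the service also applies, and the banned list is a constructed sample, not Microsoft’s global list.

```powershell
# Added example, not from the original post: approximate Azure AD Password Protection scoring.
# Constructed banned list; the real service also applies fuzzy (edit distance 1) matching.
function Test-BannedPassword {
    param(
        [Parameter(Mandatory)] [string] $Password,
        [string[]] $BannedList = @("password", "contoso", "summer", "welcome")
    )
    # Step 1: normalize. Lower-case, then undo the usual look-alike substitutions.
    $normalized = $Password.ToLowerInvariant()
    $map = @{ '0' = 'o'; '1' = 'l'; '$' = 's'; '@' = 'a' }
    foreach ($k in $map.Keys) { $normalized = $normalized.Replace($k, $map[$k]) }

    # Step 2: find banned tokens in the normalized string (longest first, so "password"
    # is consumed before a shorter token such as "pass" could be).
    $score = 0
    $remaining = $normalized
    $hits = @()
    foreach ($word in ($BannedList | Sort-Object Length -Descending)) {
        $w = $word.ToLowerInvariant()
        while ($remaining.Contains($w)) {
            $hits += $w
            $score += 1                       # a whole banned token is worth one point only
            $idx = $remaining.IndexOf($w)
            $remaining = $remaining.Remove($idx, $w.Length)
        }
    }
    # Step 3: every leftover character is one point; fewer than 5 points means rejection.
    $score += $remaining.Length
    [PSCustomObject]@{
        Password   = $Password
        Normalized = $normalized
        BannedHits = ($hits -join ",")
        Score      = $score
        Accepted   = ($score -ge 5)
    }
}

# Constructed samples: the first one "disguises" password with substitutions and still fails.
"P@ssw0rd1", "C0ntos0!Blank", "Tr0ub4dor&3" | ForEach-Object { Test-BannedPassword -Password $_ } | Format-Table -AutoSize
```

Running it shows that P@ssw0rd1 normalizes to passwordl, which is one banned token plus one leftover character, so it scores far below the threshold; appending a digit or swapping letters for symbols does not change that.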

To access the feature settings, click on this link: Password Protection settings | Azure AD

Delete a user profile in Azure Virtual Desktop – AVD

To remove a user profile in Azure Virtual Desktop, you must first be sure that the user is logged off. If you are unsure how to do it, follow the guide below.

After you have checked this, you have two options based on the type of profile architecture you chose to implement.

  • If the profiles are stored locally, you can remove them as you would on a standard Windows 10 machine.
  • If you are using FSLogix, which is the recommended way to handle them, you can remove the user folder from the Azure File Share.

If you are unsure about which type of user profile solution you use, you can log in with a standard user account (preferably the one you wish to remove) and follow the guide below.

If you fall under the first option, log into the AVD instance(s) with an admin user account, open “Run”, type netplwiz.exe and press Enter. This will open the Advanced User Accounts Control Panel, which lists all the users. Click on the user profile you would like to delete and click “Remove”. You will have to repeat this procedure on every AVD host in your environment.

If you are running FSLogix, log into the Azure File Share hosting your profiles, then locate the user folder you wish to delete. Usually, the folder name is either %username%_%sid% or %sid%_%username%, depending on whether you have added the FlipFlopProfileDirectoryName registry value in the FSLogix configuration (FlipFlopDirectoryName | AVD). Once you have found it, open it and delete the VHD/VHDX stored inside, as per the screenshot below. After the VHD deletion has completed, delete the user profile folder.
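For the FSLogix case, the lookup and deletion can be scripted so that both folder layouts are handled and nothing is deleted while the container is still in use. This is an added example, not code from the original post: it assumes the file share is reachable under a UNC path placeholder and that the user has already been logged off on every host, and it supports -WhatIf for a dry run.

```powershell
# Added example, not from the original post: remove a user's FSLogix profile container
# and folder from a mounted Azure File Share. Share path and user name are placeholders.
function Remove-FslogixProfile {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $ShareRoot,   # e.g. \\<storageaccount>.file.core.windows.net\profiles
        [Parameter(Mandatory)] [string] $UserName
    )
    # Both layouts: default <SID>_<username> and FlipFlopProfileDirectoryName <username>_<SID>
    $sidPattern = 'S-1-5-[0-9-]+'
    $user = [regex]::Escape($UserName)
    $pattern = "^($sidPattern)_$user$|^${user}_($sidPattern)$"
    $folders = Get-ChildItem -Path $ShareRoot -Directory | Where-Object { $_.Name -match $pattern }
    if (-not $folders) { throw "No profile folder for '$UserName' under $ShareRoot" }

    foreach ($folder in $folders) {
        foreach ($vhd in Get-ChildItem -Path $folder.FullName -File -Include *.vhd, *.vhdx -Recurse) {
            # A container still mounted by a session cannot be opened exclusively:
            # stop here rather than leave a half-deleted profile behind.
            try {
                $fs = [System.IO.File]::Open($vhd.FullName, 'Open', 'ReadWrite', 'None'); $fs.Close()
            } catch {
                throw "$($vhd.FullName) is locked; is the user really logged off everywhere?"
            }
            if ($PSCmdlet.ShouldProcess($vhd.FullName, "Delete profile container")) {
                Remove-Item -LiteralPath $vhd.FullName -Force
            }
        }
        if ($PSCmdlet.ShouldProcess($folder.FullName, "Delete profile folder")) {
            Remove-Item -LiteralPath $folder.FullName -Recurse -Force
        }
    }
}

# Dry run first (shows what would be removed), then repeat without -WhatIf
Remove-FslogixProfile -ShareRoot '\\<storageaccount>.file.core.windows.net\profiles' -UserName 'jdoe' -WhatIf
```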

This application contains sensitive information and can only be accessed from devices or client applications that meet management compliance policy – Azure AD

This error message results from the application of a Conditional Access Policy on your tenant that blocks users from accessing cloud resources using a non-compliant device. The compliance state of a device is evaluated by Intune. To check which compliance policies you have active in your environment, head to:

Compliance Policies | Intune

To resolve the issue, either fix the device’s compliance state or exclude the user from the Conditional Access Policy.

To fix the compliance state, head into All Devices | Intune, click on the impacted device, and then “Device Compliance”. From there, you can see which policy makes the device non-compliant and which setting is “at fault”.

If you are looking to understand which Conditional Access Policy is blocking the user, check out this guide:

To learn more, visit: Get started with device compliance | Intune

To drill down on this type of Conditional Access Policy control, check out this link:

Conditional Access: Require compliant or hybrid Azure AD joined device

This application contains sensitive information and can only be accessed from domain joined devices – Azure AD

This error message results from the application of a Conditional Access Policy on your tenant that blocks users from accessing cloud resources without a hybrid-joined device. A Hybrid-joined device is an AD-joined client which gets synchronized to Azure AD via Azure Active Directory Connect (AD Connect). This process enables you to make the device visible to Azure AD and lets you manage it with Intune.

If you are looking to understand which Conditional Access Policy is blocking users, check out this guide:

If this block has been triggered, you are probably synchronizing AD-joined devices to Azure AD. If the user is accessing the portal from an on-premises joined device, check whether you are synchronizing that device, and consider adding it to the right OU / adding the right attribute to let it sync.

Once you are done, and the device is hybrid joined (or you have excluded the user from the CAP), the user will be able to access the resources.

Please note that the “Hybrid join check” type of access control is usually paired with a device compliance check, so expect a possible further block related to it. To learn more, visit: Get started with device compliance | Intune or read my article:

To drill down on this type of Conditional Access Policy, check out this link:

Conditional Access: Require compliant or hybrid Azure AD joined device

Restrict access to Azure Management apps – Azure AD

If we want to restrict access to the Azure management services for non-privileged users, we can now create a Conditional Access Policy that allows us to do so.

To create a Conditional Access Policy, we will need Azure Active Directory Plan 1 or higher, which is either bought standalone or included, most notably, in Microsoft 365 Business Premium and the Microsoft 365 Enterprise plans (E3, E5).

On the other hand, if we just need to restrict access to Azure AD, we have the option to do so from the User Settings in the Azure AD portal:

User Settings | Azure AD

By creating the following Conditional Access Policy, we will restrict users from accessing these apps:

  • Azure portal
  • Azure Resource Manager provider
  • Classic deployment model APIs
  • Azure PowerShell
  • Azure CLI
  • Azure DevOps
  • Azure Data Factory portal
  • Azure Event Hubs
  • Azure Service Bus
  • Azure SQL Database
  • SQL Managed Instance
  • Azure Synapse
  • Visual Studio subscriptions administrator portal

First, open the following link, or go into your Conditional Access Policies:

Conditional Access Policies | Azure AD

Then, under “Users or workload identities“, select all users, and exclude the admin roles you currently use in your organization. You could also create a security group with all admin users as members and then exclude it from the policy.

Under “Cloud apps or actions”, click on “Selected apps”, then “Microsoft Azure Management“.

Finish up by selecting “Block access” under the Grant Access Controls.

From now on, all users except the admins will be blocked from accessing Azure management services.
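The policy above can also be created with the Microsoft Graph PowerShell SDK. This is an added example, not code from the original post: it creates the policy in report-only state first, so its effect can be checked in the sign-in logs before it is enforced, and excludes a security group of admins as the text suggests. It assumes the Microsoft.Graph module is installed, the caller holds Policy.ReadWrite.ConditionalAccess, and the admin group ID is a placeholder.

```powershell
# Added example, not from the original post: create the "block Azure management" policy
# via Microsoft Graph PowerShell. The admin group object ID is a placeholder.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

$adminGroupId = "<object-id-of-admin-security-group>"   # placeholder: group holding all admin accounts

$policy = @{
    displayName = "Block Azure management for non-admins"
    state       = "enabledForReportingButNotEnforced"   # switch to "enabled" only after reviewing report-only results
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($adminGroupId)
        }
        applications = @{
            # Well-known application ID of "Microsoft Azure Management" (Windows Azure Service Management API)
            includeApplications = @("797f4846-ba00-4fd7-ba43-dac1f8f63013")
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"
```

Confirm the exclusion group is populated, including your emergency-access accounts, before switching the state to enabled; an empty exclusion list would lock every admin out of Azure management as well.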

Additional Context and Number Matching User Guide – MFA

I wanted to publish the following article, which is how I would notify my users of the upcoming activation of Additional Context and Number Matching in their MFA requests.

If instead you are looking for a guide on how to enable Additional Context and Number Matching, follow the guide linked below.

Feel free to use the message below as your own. The images are taken from a wonderful article by Tony Redmond. Please replace them with your own.

─────────────────────────────────────────────────────────

From [replace with activation date] forward, you will be asked to enter additional details in your MFA (Multi-factor authentication) prompts. 

On your PC screen, you will be presented with a number, and you will be asked to enter this same number inside of your MFA request on your phone to complete the approval.  

You will also get a map that will show the location where the request was made from. This must be taken as a general indication and it’s not always going to be your exact location, since Internet providers are not bound to route your connection from a point closest to you.  

Please deny and report immediately to the IT department if you receive a request that was not done by you, or you do not recognize the location you are being shown. 

PC Screen view and smartphone view 


Find stale Enterprise Applications – Azure AD

If you just blocked users from registering applications, or you are just analyzing your Enterprise applications, you may find that there is a lot of work ahead of you.

First, you may want to find if there are applications with no user assigned. Then you may wonder if there are applications without sign-ins in the last 30 days.

To ease your work, you may find it useful to query all applications for these fields and get the output in a CSV.

This script is loosely based on Ravenswood PoC code, with the intent of helping out and refining it a bit.

First, head to Enterprise Applications | AAD and click “Download (Export)”, then download the CSV.

This is done via the portal and not via PowerShell for practicality, since at the moment, to get the same exact filters (e.g. “Microsoft Applications”, “Enterprise Applications”, etc.) that you get on the portal, you would have to query Graph.

Then save this script:

# Requires the AzureADPreview module (for Get-AzureADAuditSignInLogs) and an authenticated session (Connect-AzureAD)
$AllApplications = Import-Csv .\EnterpriseAppsList.csv
# Skip first-party Microsoft applications; only the tenant's own enterprise apps are reviewed
$Applications = $AllApplications | Where-Object { $_.applicationtype -ne "Microsoft application" }

ForEach ($Application in $Applications) {
    # Retrieve the service principal directly by its object ID instead of listing every one
    $App = Get-AzureADServicePrincipal -ObjectId $Application.id
    # Sign-ins to this app within the sign-in log retention window
    $Log = Get-AzureADAuditSignInLogs -All $true -Filter "appId eq '$($App.AppId)'"
    # Users and groups assigned to the app; @() makes .Count reliable for zero or one assignment
    $UserAssigned = @(Get-AzureADServiceAppRoleAssignment -ObjectId $App.ObjectId |
        Select-Object ResourceDisplayName, PrincipalDisplayName)

    # Create a custom object for output
    [PSCustomObject]@{
        ApplicationName = $App.DisplayName
        ApplicationID   = $App.AppId
        SignIns         = @($Log).Count
        Users           = $UserAssigned.Count
    }
    # Pause between apps to stay under the sign-in log API throttling limits
    Start-Sleep 5
}

And finally, launch it:

.\StaleApplicationAnalysis.ps1 | Export-csv StaleApplicationCleanup.csv

The output will be along these lines, with an additional column for the App ID:

If you happen to find any optimization, feel free to let me know, and I’ll update the post.

Microsoft Secure Score not updating

The Microsoft Secure score is a useful page to get an idea of the general improvement areas you should monitor and approach in your tenant.

When you make a change to reflect one of the improvement actions, you might have to wait up to 48 hours to get the points in the portal.

If you have waited the 48 hours (generally, it’s 24 hours, but the job might fail), check that the policies you created were configured as recommended in the “implementation” tab, then try the following.

First, check if there is some degradation with the service.

If there isn’t degradation, try changing the Conditional Access Policy (or the security policy you enabled) and see if the secure score catches up.

If it didn’t, or you are in a hurry, click on the recommended action, “Edit status & action plan”, and resolve the suggestion as risk accepted, then wait for the score to update. Once you see that the full points are awarded, revert the change. This procedure should “force” the sync to grant you full points, then change it with the actual value.

If the above failed, contact Microsoft Support and request a manual restart of the job.

Either that will solve it, or in some cases, just waiting a couple more days will fix it.

Unblock at-risk user – Azure AD

If a user can’t access your tenant and forwards the following message to you, here are the steps on how you can solve it.

Your account is blocked

We’ve detected suspicious activity on your account.

Sorry, the organization you are trying to access restricts at-risk users. Please contact your admin.

The unblock is done by either resetting the user password or clearing the user risk once you have assessed that the risk is resolved.

  • If you have AAD Premium P2 (you can check it on the overview page of Azure AD), remediate the user risk by following this link Identity Protection | Risky users. A password reset is usually suggested and will also clear the user’s risk.
  • If you do not have AAD Premium P2, you can reset the user’s password or let them do it by themselves by using Self Service Password Reset (SSPR) if you have configured it. Alternatively, you can also go on this page, and ignore the user risk, once you have assessed that everything is resolved: AAD Risky Users. All these methods will clear the user risk.

Allow 10 – 15 minutes before the user can access again without getting the error reported above.
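The “clear the user risk” path can be done from PowerShell as well. This is an added example, not code from the original post: it lists users whose risk is still open and dismisses the risk of one user after you have assessed it, using the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed and the caller holds IdentityRiskyUser.ReadWrite.All; the UPN is a placeholder.

```powershell
# Added example, not from the original post: list at-risk users and dismiss an assessed
# user risk via Microsoft Graph PowerShell. The UPN below is a placeholder.
Import-Module Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Users
Connect-MgGraph -Scopes "IdentityRiskyUser.ReadWrite.All", "User.Read.All"

function Get-AtRiskUser {
    # Only users whose risk is still open; remediated or dismissed users are no longer blocked
    Get-MgRiskyUser -Filter "riskState eq 'atRisk'" -All |
        Select-Object Id, UserPrincipalName, RiskLevel, RiskState, RiskLastUpdatedDateTime
}

function Clear-UserRisk {
    param([Parameter(Mandatory)] [string] $UserPrincipalName)
    # A riskyUser ID is the user's object ID, so resolve the UPN first
    $user  = Get-MgUser -UserId $UserPrincipalName
    $risky = Get-MgRiskyUser -RiskyUserId $user.Id -ErrorAction SilentlyContinue
    if (-not $risky -or $risky.RiskState -ne 'atRisk') {
        return "$UserPrincipalName has no open user risk (state: $($risky.RiskState))"
    }
    # Dismissing declares the risk a false positive. A confirmed compromise is remediated
    # with a password reset (which clears the risk too), not by dismissing it.
    Invoke-MgDismissRiskyUser -UserIds @($user.Id)
    Get-MgRiskyUser -RiskyUserId $user.Id | Select-Object UserPrincipalName, RiskState, RiskLastUpdatedDateTime
}

Get-AtRiskUser | Format-Table -AutoSize
# After assessing the detections in Identity Protection:
# Clear-UserRisk -UserPrincipalName 'jdoe@contoso.com'
```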

How to check which Conditional Access Policy is blocking a user log-in – Azure AD

If you have Conditional Access Policies in place to block certain log-ins, a user may contact you because their sign-in request is being blocked. Probably neither you nor the user knows which policy is making the log-in fail, since it is not specified in the error message.

The usual error message is something along the lines of: “Your sign-in was successful, but does not meet the criteria to access this resource. For example, you might be signing in from a browser, app or location that is restricted by your admin.” The standard error code is “BlockedByConditionalAccess”, error 53003.

To get more details:

  • In the Azure AD sign-in logs, click on the failed log-in request
  • Click on “Conditional Access”
  • The policies that have “Failure” as result and “Grant Controls” set to “Block” are the ones blocking the user.
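The same check can be run against the sign-in logs with the Microsoft Graph PowerShell SDK, which is handy when the user has many failed attempts. This is an added example, not code from the original post: it pulls the user’s recent sign-ins with error 53003 and lists only the applied policies that ended in failure with a Block grant control. It assumes the Microsoft.Graph module is installed and the caller holds AuditLog.Read.All; the UPN is a placeholder.

```powershell
# Added example, not from the original post: find the Conditional Access Policy behind
# error 53003 for a given user from the sign-in logs. The UPN below is a placeholder.
Import-Module Microsoft.Graph.Reports
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

function Get-BlockingCapForUser {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [int] $Top = 20   # most recent sign-ins to inspect
    )
    $filter  = "userPrincipalName eq '$UserPrincipalName' and status/errorCode eq 53003"
    $signIns = Get-MgAuditLogSignIn -Filter $filter -Top $Top
    foreach ($s in $signIns) {
        foreach ($p in $s.AppliedConditionalAccessPolicies) {
            # Same criteria as the portal: result "failure" and a "Block" grant control
            if ($p.Result -eq 'failure' -and $p.EnforcedGrantControls -contains 'Block') {
                [PSCustomObject]@{
                    Time     = $s.CreatedDateTime
                    App      = $s.AppDisplayName
                    IP       = $s.IPAddress
                    Policy   = $p.DisplayName
                    PolicyId = $p.Id
                }
            }
        }
    }
}

Get-BlockingCapForUser -UserPrincipalName 'jdoe@contoso.com' | Format-Table -AutoSize
```

Policies in report-only mode show up with a result of reportOnlyFailure instead; they explain nothing about the block, which is why the function only keeps the real failures.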

User blocked due to risk on home tenant – Azure AD

If you just enabled Azure AD Identity Protection for your entire tenant, you might get some complaints from guest users, saying that their sign-in was blocked.

If you got a similar issue, but the user is not a guest but a member of your organization, follow this guide Unblock at-risk users – Azure AD.

You cannot remediate the user risk of a guest. If you try to look for a guest user in Identity Protection | Risky users, you won’t find any.

The user risk is calculated in the “home” tenant, where your user was created, not in the tenant you have guest access / are trying to access. This is also done so that the system may have more insights into user behaviour to calculate the risk.

Now going forward, there are two ways of solving this issue:

  • If the home tenant administrators have AAD Premium P2, they can remediate the user risk by following this link Identity Protection | Risky users. A password reset is usually suggested and will also clear the user’s risk.
  • If they do not have AAD Premium P2, they can reset the user’s password or let the user do it by themselves by using Self Service Password Reset (SSPR), if configured. Alternatively, they can also go on this page, and ignore the user risk, once you have assessed that everything is resolved: AAD Risky Users. All these methods will clear the user risk.

Of course, if you wish, you may disable the user risk policy for guests. This is done by creating a dynamic group in Azure AD containing all the guests (a dynamic security group with the dynamic query user.userType equals Guest) and excluding it from the policy.

Scan now is greyed-out in Azure Information Protection – AIP

If you just installed the Azure Information Protection on-premises scanner and you are trying to start your first Content Scan Job, you might find that the “Scan now” button is greyed out.

Before attempting to troubleshoot, check that you selected the job below. If you did, try restarting the service “Azure Information Protection Scanner” on the SQL server and refreshing the Azure Content scan job page.

If you still cannot start the scan, try executing the following command on the SQL server, and insert the credentials of the service account:

$scanner_account_creds= Get-Credential
Start-AIPScannerDiagnostics -onbehalf $scanner_account_creds -Verbose -VerboseErrorCount 50

For further information refer to the following articles:

Troubleshooting your unified labeling on-premises scanner deployment

Start-AIPScannerDiagnostics

How to download the disk of an Azure VM – Azure

Since Azure introduced the option to download the OS disk of a VM directly, you no longer need to go through the unmanaged disk (or the snapshot route) to download it.
Here are some easy steps to directly download the disk of your Windows / Linux VM.
Please note that a Sysprep is advised if you need to use the disk as a template to create new VMs.

  • Go to the VM, and stop it.
  • Click on “Disks”, then on the OS Disk.
  • Click on “Disk Export”, then in the field enter a high number of seconds (e.g. 30600) so that you have plenty of time to download the disk. Once done, click “Generate URL”.
  • Click on “Download the VHD file”.
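The portal’s “Disk Export” is a time-limited read SAS on the managed disk, and the same can be done with Az PowerShell. This is an added example, not code from the original post: it deallocates the VM, grants the SAS for the same 30600 seconds and returns the URL, with the revoke call to run once the download has finished. It assumes the Az.Compute module is installed; resource names are placeholders.

```powershell
# Added example, not from the original post: export a VM's OS disk with Az PowerShell.
# Resource group and VM names are placeholders.
Import-Module Az.Compute
Connect-AzAccount

function Export-AzVmOsDisk {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $VmName,
        [int] $DurationInSecond = 30600   # same expiry used in the portal steps
    )
    $vm = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VmName
    # The disk must not be attached to a running VM: deallocate first
    Stop-AzVM -ResourceGroupName $ResourceGroupName -Name $VmName -Force | Out-Null
    $diskName = $vm.StorageProfile.OsDisk.Name
    $sas = Grant-AzDiskAccess -ResourceGroupName $ResourceGroupName -DiskName $diskName `
                              -Access Read -DurationInSecond $DurationInSecond
    [PSCustomObject]@{
        DiskName  = $diskName
        ExpiresIn = [TimeSpan]::FromSeconds($DurationInSecond)
        AccessSAS = $sas.AccessSAS   # anyone holding this URL can read the whole disk until it expires
    }
}

$export = Export-AzVmOsDisk -ResourceGroupName '<rg>' -VmName '<vm>'
$export
# Download the VHD, e.g.:  azcopy copy "$($export.AccessSAS)" .\osdisk.vhd
# Then revoke the SAS instead of waiting for it to expire:
# Revoke-AzDiskAccess -ResourceGroupName '<rg>' -DiskName $export.DiskName
```

Treat the SAS URL as you would the disk itself: do not paste it into tickets or chat, and revoke it as soon as the copy is done.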

ResourceNotTopLevel error when trying to move resources – Azure

When you transfer Azure resources between subscriptions, you might get the following error: “ResourceNotTopLevel“.

This is caused by the fact that you only have to select top-level resources for the move, and the dependencies will be moved automatically.

For example, say you selected both a Network Watcher extension and the VM it belongs to. You just need to move the VM object, and the extension will come with it.

Example of an error code:


{
    "code": "ResourceNotTopLevel",
    "message": "Identifier '/subscriptions/0000000000000000000/resourceGroups/MoveResource/providers/Microsoft.Compute/virtualMachines/VMtobeMoved/extensions/AzureNetworkWatcherExtension' is not a top level resource. Please include only the top-level resource for this child resource in the move request. A child resource would be moved along with its associated top-level resource.\""
}

From the error code, you’ll get that you just have to move the following resource, being the top-level one:

/subscriptions/0000000000000000000/resourceGroups/MoveResource/providers/Microsoft.Compute/virtualMachines/VMtobeMoved

It’s good to remember that if dependent resources are distributed across different resource groups, you’ll first have to move them into one resource group and then attempt the migration.
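When the move request contains many resources, working out the top-level ones by hand gets tedious. The following is an added example, not code from the original post: a small PowerShell function that derives the top-level resource ID from any child resource ID, plus a helper that reduces a list of selected IDs to the unique top-level ones. It relies only on the shape of ARM resource IDs (/subscriptions/{sub}/resourceGroups/{rg}/providers/{namespace}/{type}/{name}, optionally followed by child type/name pairs).

```powershell
# Added example, not from the original post: derive top-level ARM resource IDs for a move request.
function Get-TopLevelResourceId {
    param([Parameter(Mandatory)] [string] $ResourceId)
    $parts = $ResourceId.Trim('/') -split '/'
    $providerIndex = [array]::IndexOf($parts, 'providers')
    # Need at least providers/{namespace}/{type}/{name} after the resource group
    if ($providerIndex -lt 0 -or $parts.Count -lt $providerIndex + 4) {
        throw "Not a provider resource ID: $ResourceId"
    }
    # Keep everything up to and including namespace/type/name; child segments are dropped
    '/' + ($parts[0..($providerIndex + 3)] -join '/')
}

function Test-IsTopLevelResource {
    param([Parameter(Mandatory)] [string] $ResourceId)
    (Get-TopLevelResourceId $ResourceId) -eq $ResourceId.TrimEnd('/')
}

function Select-TopLevelResources {
    # Reduce a mixed selection to the unique top-level IDs the move API expects
    param([Parameter(Mandatory)] [string[]] $ResourceIds)
    $ResourceIds | ForEach-Object { Get-TopLevelResourceId $_ } | Sort-Object -Unique
}

# The child resource from the error message above
$child = '/subscriptions/0000000000000000000/resourceGroups/MoveResource/providers/Microsoft.Compute/virtualMachines/VMtobeMoved/extensions/AzureNetworkWatcherExtension'
Get-TopLevelResourceId $child
Test-IsTopLevelResource $child
Select-TopLevelResources @($child, (Get-TopLevelResourceId $child))
```

Run on the extension ID from the error above, Get-TopLevelResourceId returns the virtualMachines/VMtobeMoved ID, Test-IsTopLevelResource returns False for the extension, and Select-TopLevelResources collapses both to the single VM ID to put in the move request.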

Automatically clean up inactive Guest users – Azure AD

Using Azure AD Access Reviews (available with AAD P2), you can automatically remove users from your tenant who haven’t had access in a specified number of days. In this guide, we will implement the access review step by step.

This is a great way to clean up your tenant automatically and can be scheduled.

WARNING: This procedure used to clean up only users who had not had access in the last 30 days. It has now been expanded to support a variable number of days (e.g. 60, 90, etc.).

As a prerequisite, you’ll need to create a dynamic group in AAD, which will contain all guest users who can log in to the tenant:

  • To create the group, go to AAD Groups, then click on “New Group”.
  • Select Group Type as “Security“, give the group a name, and select “Membership type” as “Dynamic User“.
  • Under “Dynamic user members”, click on “Add dynamic query“.
  • The query you will want to create is:

(user.userType -eq "Guest") and (user.accountEnabled -eq true)

You can also create this group using PowerShell, by pasting this command after installing the Graph module.

Import-Module Microsoft.Graph.Groups
Connect-MgGraph -Scopes "Group.ReadWrite.All"

$params = @{
	DisplayName = "Guest_review_dynamicgroup"
	MailEnabled = $false
	MailNickname = "fb7kk308-6"
	SecurityEnabled = $true
	Description = "Group used for the automatic guest removal process"
	GroupTypes = @(
		"DynamicMembership"
	)
	# Single quotes on the outside so the double quotes around Guest survive inside the rule
	MembershipRule = '(user.userType -eq "Guest") and (user.accountEnabled -eq true)'
	MembershipRuleProcessingState = "On"
}

New-MgGroup -BodyParameter $params

The accountEnabled attribute lets you filter for users who can log in. Since the access review will deactivate the account for 30 days before deleting it permanently, this way we’ll filter only for the guest users active in the tenant and not the ones ready to be automatically deleted.

  • Once done, click on “Create”.

To create the access review, open this link, then follow the steps listed below:

Identity Governance | Access Reviews

  • Click on “New access review“.
  • Select “Teams + Groups” under “Select what to review”, “Select Teams + groups” under “Select review scope”, under “Group” enter your group, then click on “Guest users only” under “Scope”.
  • You can then filter only for the guests that have not had access in a specified number of days. This is accomplished using this part of the wizard:
  • Click on Next, and under “Select reviewers”, click on “Selected user(s) or group(s)“. The person or people that will manually review the users to delete should be selected just below. If not needed, insert an admin and go ahead. I always give at least 3 to 5 days for the reviewers to check if somebody should not be blocked or deleted. If some guest user should always be excluded from the review, you can add an exclusion in the AAD Group membership rules.
  • In the last paragraph, you’ll want to select auto-apply results to make the automation work. Under “If reviewers don’t respond”, choose “Take recommendations“. The recommendations will be based on whether the user has logged in recently or not. There are no other recommendations that I am aware of at this moment. Under “Action to apply on denied guest users”, select “Block user from signing-in for 30 days, then remove user from the tenant“. Be sure that “No sign-in within 30 days” is selected as reviewer decision helper, as per the image below.
  • If you want this to be fully automated, deselect “Justification required”.
  • Once done, click on “Review + create”, give the review a name and click on “Create”.

Now you will automatically have the guest users who haven’t logged in in the specified number of days blocked. After 30 days, the blocked user will be removed from the tenant.
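Before the first review runs, it is worth previewing which guests would be flagged. This is an added example, not code from the original post: it reads the signInActivity property of every user through the Microsoft Graph PowerShell SDK and lists the enabled guests with no sign-in inside the chosen window, the same population the “No sign-in within N days” helper works from. It assumes the Microsoft.Graph module is installed, Azure AD P1 or higher (required for signInActivity) and the AuditLog.Read.All permission.

```powershell
# Added example, not from the original post: preview inactive guests the access review would flag.
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All"

function Get-InactiveGuests {
    param([int] $Days = 30)   # same inactivity window as configured in the review
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$Days)
    # signInActivity must be requested explicitly; guests are filtered client-side to avoid
    # the server-side restrictions on combining it with other filters
    Get-MgUser -All -Property "id,displayName,userPrincipalName,userType,accountEnabled,createdDateTime,signInActivity" |
        Where-Object { $_.UserType -eq 'Guest' -and $_.AccountEnabled } |
        ForEach-Object {
            $last = $_.SignInActivity.LastSignInDateTime
            # A guest who never signed in has no lastSignInDateTime: use the creation date instead,
            # so a freshly invited guest is not reported as stale
            $reference = if ($last) { $last } else { $_.CreatedDateTime }
            if ($reference -lt $cutoff) {
                [PSCustomObject]@{
                    DisplayName = $_.DisplayName
                    UPN         = $_.UserPrincipalName
                    LastSignIn  = $last
                    Created     = $_.CreatedDateTime
                }
            }
        }
}

Get-InactiveGuests -Days 30 | Sort-Object LastSignIn | Format-Table -AutoSize
```

Any guest on this list that must stay (a long-term partner account, for instance) is a candidate for the exclusion in the dynamic group’s membership rule mentioned above.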

Force Azure File Sync tiering

If you are encountering issues with Azure File Sync, or you just want to force the process so that you can free some space now, follow the commands shown below:

#Import the commands
Import-Module "C:\Program Files\Azure\StorageSyncAgent\StorageSync.Management.ServerCmdlets.dll"

#Force the synchronization of the folder you have specified in the sync group
Invoke-StorageSyncCloudTiering -Path <sync_group_path>

If you want to get some logs out of the operation for troubleshooting, send these commands in a separate PowerShell window before launching the script above:

cd C:\
New-Item -ItemType directory -Path C:\AZfslogs
cd "C:\Program Files\Azure\StorageSyncAgent"
Import-Module .\AFSDiag.ps1
Debug-AFS -OutputDirectory C:\AZfslogs -KernelModeTraceLevel verbose -UserModeTraceLevel verbose

You can terminate the command once the sync is concluded and get the logs in the C:\AZfslogs folder.

Disconnect a user session in Azure Virtual Desktop (AVD) – PowerShell

Prerequisites: The Microsoft.RDInfra.RDPowerShell module, the Az PS module

First, install the RDInfra module:

Install-Module -Name Microsoft.RDInfra.RDPowerShell; Import-Module -Name Microsoft.RDInfra.RDPowerShell

Then proceed by installing the Az module and logging in:

Connect-AzAccount

Once you are logged in you can run the following script to disconnect a specific user session:

Get-RdsUserSession -TenantName "tenantname.onmicrosoft.com" -HostPoolName "HostPoolName" | where { $_.UserPrincipalName -eq "azvise\demouser" } | Invoke-RdsUserSessionLogoff -NoUserPrompt

Repair / troubleshoot a Linux VM – Azure

If you encounter a boot or disk error with a VM, you need to get the OS disk into another VM to troubleshoot the issue.

The command we will run in Azure Cloud Shell is az vm repair create. To create a troubleshooting VM, follow these steps:

  • Open Azure Cloud Shell in bash or install Azure CLI in your bash environment.
  • Run the following command: az vm repair create -g "resourcegroupname" -n "VMname" --verbose
  • Enter admin credentials for the newly created VM in the bash shell
  • Connect to the newly created server and start analyzing the problem

ASR Kernel modules fail to load while installing the Mobility Service (VMware) – Azure

If some kernel modules fail to load (such as in the example below) while installing the Mobility Service agent, please check:

  • If the kernel is supported in your Configuration Server version
  • If secure boot is enabled

#EXAMPLE using SUSE 15 SP2
exampleserver0:/tmp/ASR # sudo ./install -d /usr/local/ASR/ -r MS -v VmWare -q
All product pre-requisties are met.
Generating the certificate.
[...]

Filter driver kernel module is not loaded. Attempting to load it, please wait...
insmod /lib/modules/[kernelversion]-default/kernel/drivers/char/involflt.ko 
Filter driver could not be loaded successfully.
Check the log file /var/log/ua_install.log for detailed diagnostic messages or installation success/failures...
Vx agent installation exit code : 208.
Check the log file /var/log/ua_install.log for detailed diagnostic messages or installation success/failures...
Installer exiting with code: 208

Check the following page to see if the kernel version is supported:

https://docs.microsoft.com/en-us/azure/site-recovery/vmware-physical-azure-support-matrix#ubuntu-kernel-versions

If it’s supported try launching the following command:

mokutil --sb-state

If it’s enabled you should get something along the lines of:

SecureBoot enabled

Please note that SecureBoot is not supported at the moment with VMware DR in ASR:

https://docs.microsoft.com/en-us/azure/site-recovery/vmware-physical-azure-support-matrix#storage

To disable SecureBoot proceed as following:

  • Click on the virtual machine in vSphere (or vCenter)
  • Shut down the VM
  • Click on Edit Settings
  • Go in VM Options, then Boot Options
  • Deselect the Secure Boot check box
  • Click on OK
  • Start the VM

Cannot enable protection for a VM in ASR “This operating system isn’t supported in Azure”

If you get the following error, please check if the OS and kernel versions are supported:

https://docs.microsoft.com/en-us/azure/site-recovery/vmware-physical-azure-support-matrix

If they are supported, you can install the agent manually on the VM. If that does not work, check whether the VM in VMware is configured as “Other (64-bit)” for the guest OS version. If it is, change the version to the specific Linux distribution you have installed. Mind that the VM must be shut off to change the Guest OS version.

To install the agent manually, follow these steps:

  • Go under %ProgramData%\ASR\home\svsystems\pushinstallsvc\repository in your ASR server and copy the “Microsoft-ASR_UA*_GA*.tar.gz” file specific to your distribution.
  • Copy the file to the VM. I would recommend creating a specific folder for the file under /tmp
  • Copy the Conf server passphrase to the server
  • Unpack the file: tar -xvf Microsoft-ASR_UA_yourfile.tar.gz
  • Run the following command as root: ./install -d /usr/local/ASR -r MS -v VmWare -q
  • Register the mobility service to the Conf server: /usr/local/ASR/Vx/bin/UnifiedAgentConfigurator.sh -i ConfserverIP -P /var/passphrase.txt

Remove UDR from a subnet with a private endpoint associated – Azure

If you try to remove a UDR from a subnet that contains private endpoints, you may get the following error:

Failed to dissociate subnet 'SubnetName'. Error: Private endpoint network policies cannot be enabled on private endpoint subnet 'FullPathSubnet' .

To resolve run the following command using Azure CLI. Keep the route table parameter blank.

az network vnet subnet update -g MyResourceGroup -n MySubnet --vnet-name MyVNet --route-table ""

Enable Azure Serial Console for replicated Linux VMs – Azure

If you replicate a Linux VM right away, you might end up with the serial console not working. This is especially an issue if your network interfaces are set as static and you have to change the IP addresses.

To enable the Serial Console you have to log into your on-premises Linux VM and run the following:

systemctl start serial-getty@ttyS0.service

systemctl enable serial-getty@ttyS0.service

Wait until the changes have been replicated, then connect directly from the Azure Serial Console.

Change Outlook profiles from one month cache to online in AVD/WVD

Unfortunately, at this time, there is no way to switch Outlook profiles from cached mode (1 month retention) to online mode from within the Outlook settings.

To configure the cache settings of Outlook (2016/365) in a WVD session, you need to use Active Directory GPOs or local Group Policies.

To use local Group Policies, follow these steps:

  • Download the following ADMX templates to your environment: https://www.microsoft.com/en-us/download/details.aspx?id=49030
  • Extract the files
  • Copy the outlk16.admx file to %systemroot%\PolicyDefinitions\
  • For each language folder present on your WVD host, copy the outlk16.adml file from the matching admx\xx-xx folder to the corresponding folder under %systemroot%\PolicyDefinitions\
  • Open gpedit.msc
  • Go to User Configuration > Administrative Templates > Microsoft Outlook 2016 > Account Settings > Exchange > Cached Exchange Mode.
  • Set “Use Cached Exchange Mode for new and existing Outlook profiles” to Disabled

Error 53 when mounting Azure File Share – Azure

If you get an error 53 when trying to mount an Azure File Share, there are two main issues that might be causing it.

Port 445 is blocked

To check the actual connectivity to the file endpoint on port 445, and as a starting point for troubleshooting, run the following:

Login-AzAccount

$ResourceGroupName = "ba-weu-wvd-rg"
$StorageAccountName = "baweufslogixsa"

# Resolve the storage account's file endpoint host and test TCP 445 against it
$storageAccount = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName
Test-NetConnection -ComputerName ([System.Uri]::new($storageAccount.Context.FileEndPoint).Host) -Port 445

If the cause is instead that NTLMv2 is not enabled, note that Azure Files supports only NTLMv2 (not v1). Set the following registry value to 3 on your local PC/server:

HKLM\SYSTEM\CurrentControlSet\Control\Lsa > LmCompatibilityLevel
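The following PowerShell function, added here as an example and not part of the original post, checks both causes of error 53 described above from the local Windows machine: the NTLM level in the Lsa key (values 3 and above send NTLMv2 only) and outbound TCP 445 to the account’s file endpoint. It assumes the Az module is installed and you are already signed in; the optional -FixNtlm switch applies the registry change from above and must be run elevated.

```powershell
# Added example, not from the original post. Requires the Az module and an active
# Az session (Login-AzAccount / Connect-AzAccount).
function Test-AzFileShareMountPrereqs {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $StorageAccountName,
        [switch] $FixNtlm   # set LmCompatibilityLevel to 3 if it is lower (needs elevation)
    )

    # 1. NTLM level: Azure Files needs NTLMv2, i.e. LmCompatibilityLevel 3 or higher.
    #    A missing value means the OS default applies (3 on current Windows versions).
    $lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $lsa = Get-ItemProperty -Path $lsaPath -Name 'LmCompatibilityLevel' -ErrorAction SilentlyContinue
    $level = if ($null -ne $lsa) { [int]$lsa.LmCompatibilityLevel } else { $null }
    $ntlmOk = ($null -eq $level) -or ($level -ge 3)

    if (-not $ntlmOk -and $FixNtlm) {
        Set-ItemProperty -Path $lsaPath -Name 'LmCompatibilityLevel' -Value 3 -Type DWord
        $level = 3
        $ntlmOk = $true
    }

    # 2. Outbound TCP 445 to the storage account's file endpoint.
    $sa = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName
    $endpointHost = ([System.Uri]$sa.Context.FileEndPoint).Host
    $tcp = Test-NetConnection -ComputerName $endpointHost -Port 445 -WarningAction SilentlyContinue

    $remediation =
        if (-not $tcp.TcpTestSucceeded) { 'TCP 445 to the file endpoint is blocked; check local and network firewalls' }
        elseif (-not $ntlmOk)           { 'Set HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel to 3' }
        else                            { 'Prerequisites look fine; check the share name and credentials' }

    [pscustomobject]@{
        FileEndpointHost     = $endpointHost
        Port445Reachable     = $tcp.TcpTestSucceeded
        LmCompatibilityLevel = $level
        NtlmV2Ok             = $ntlmOk
        Remediation          = $remediation
    }
}

# Example call with the resource names used above
Test-AzFileShareMountPrereqs -ResourceGroupName 'ba-weu-wvd-rg' -StorageAccountName 'baweufslogixsa'
```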

How to cancel a reservation – Azure

To cancel a reservation you need specific permissions on the reservation order. These permissions are not inherited from the subscription, so… contact whoever created the reservation (or just open a ticket with the Azure engineers).

Once you have the right account (or you’ve been given the permissions), go to the Reservations tab in the Azure Portal. It’s best to have at least a couple of people with permissions on the resource. To get to the Reservations tab, follow the link below:

https://portal.azure.com/#blade/Microsoft_Azure_Reservations/ReservationsBrowseBlade

Select the reservation you want to cancel and click on the name of the resource.

Click “Refund” at the top.

When the “Refund subtotal” pop-up appears, click “Return reserved instances”.

Please refer to the following docs for additional information:

https://docs.microsoft.com/en-us/azure/cost-management-billing/reservations/exchange-and-refund-azure-reservations

https://docs.microsoft.com/en-us/azure/cost-management-billing/reservations/manage-reserved-vm-instance#add-or-change-users-who-can-manage-a-reservation

Move resources request is blocked by an Azure Backup job

Error message:

The move resources request contains resources like “*OsDisk*” that are being backed up as part of a Azure Backup job. Browse the link https://aka.ms/vmbackupmove for information

If you encounter this error, check whether backup for the VM has been stopped. If it has, you need to remove the instant snapshot (restore point collection) that was created by the system:

  1. Find the location of your virtual machine.
  2. Find a resource group with the following naming pattern: AzureBackupRG_<location of your VM>_1. For example, AzureBackupRG_westus2_1
  3. In the Azure portal, check Show hidden types.
  4. Find the resource with type Microsoft.Compute/restorePointCollections that has the naming pattern AzureBackup_<name of your VM that you're trying to move>_###########.
  5. Delete this resource. This operation deletes only the instant recovery points, not the backed-up data in the vault.
  6. After the delete operation is complete, you can move your virtual machine.

List source: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-limitations/virtual-machines-move-limitations#portal
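The two functions below, added here as an example (not from the original post or the linked docs), automate steps 1 to 5 above with the Az module: the first locates the hidden restore point collection by the naming patterns given in the list, the second deletes it only after a ShouldProcess confirmation. They assume you are signed in to the subscription that holds the VM.

```powershell
# Added example, not from the original post. Requires the Az module and an active session.
function Get-AzVmInstantRestorePointCollection {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $VmName
    )
    # Step 1: the VM's location decides the backup resource group name
    $vm = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VmName
    # Step 2: AzureBackupRG_<location>_1, e.g. AzureBackupRG_westus2_1
    $backupRg = "AzureBackupRG_$($vm.Location)_1"
    # Steps 3-4: Get-AzResource returns hidden types too; match AzureBackup_<vmName>_<digits>
    Get-AzResource -ResourceGroupName $backupRg `
        -ResourceType 'Microsoft.Compute/restorePointCollections' -ErrorAction Stop |
        Where-Object { $_.Name -match "^AzureBackup_$([regex]::Escape($VmName))_\d+$" }
}

function Remove-AzVmInstantRestorePointCollection {
    # Step 5: deletes only the instant recovery points; vault data is untouched.
    # Supports -WhatIf / -Confirm so you can preview before deleting.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $VmName
    )
    $rpcs = Get-AzVmInstantRestorePointCollection -ResourceGroupName $ResourceGroupName -VmName $VmName
    if (-not $rpcs) {
        Write-Warning "No instant restore point collection found for $VmName; check that backup is stopped."
        return
    }
    foreach ($rpc in $rpcs) {
        if ($PSCmdlet.ShouldProcess($rpc.ResourceId, 'Delete instant recovery points')) {
            Remove-AzResource -ResourceId $rpc.ResourceId -Force
        }
    }
}

# Preview first (placeholder names), then run without -WhatIf to delete
Remove-AzVmInstantRestorePointCollection -ResourceGroupName 'my-vm-rg' -VmName 'my-vm' -WhatIf
```

Once the collection is gone, the move request (step 6) can be retried.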

VM has reported a failure when processing extension ‘joindomain’ – AVD

If you encounter this error while creating a new VM from the host pool wizard, try the following suggestions to solve the issue, or at least to narrow down the problem:

  • Check whether you can resolve your domain from your VNET
  • Check what DNS Servers are configured on your VNET, correct accordingly (follow this guide: Change VNet DNS Servers)
  • Check if you have permissions to join the domain using the credentials you provided
  • Check if the specified credentials are correct
  • Check if the domain to join (and the OU), specified in the wizard, is correct (parameters in the JSON: domainToJoin, ouPath, existingDomainUPN, existingDomainPassword).
  • Try to join a VM to the domain from the same network and subnet

If all the above checks pass, you should be able to join the VM to the domain successfully. If not, you should at least have more context to troubleshoot the issue further.
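As an added example that is not part of the original post, the following PowerShell function runs the first four checks of the list from a Windows VM in the same VNet and subnet as the AVD hosts: it reads the VNet’s DNS servers, resolves the domain, and validates the credentials and OU in one LDAP query. It goes slightly beyond the list by also resolving the DC locator SRV record the join uses to find a domain controller. All names are placeholders; it assumes the Az module and, for the OU check, the RSAT ActiveDirectory module.

```powershell
# Added example, not from the original post. Requires the Az module (VNet query) and the
# ActiveDirectory module (OU/credential check). Run from a VM in the same subnet.
function Test-AvdDomainJoinPrereqs {
    param(
        [Parameter(Mandatory)] [string] $DomainToJoin,          # e.g. corp.example.com
        [Parameter(Mandatory)] [string] $OuPath,                # e.g. OU=AVD,DC=corp,DC=example,DC=com
        [Parameter(Mandatory)] [pscredential] $DomainCredential, # the existingDomainUPN / password
        [Parameter(Mandatory)] [string] $VnetResourceGroupName,
        [Parameter(Mandatory)] [string] $VnetName
    )
    $result = [ordered]@{}

    # Which DNS servers does the VNet hand out? An empty list means Azure-provided DNS,
    # which normally does not know your AD domain.
    $vnet = Get-AzVirtualNetwork -ResourceGroupName $VnetResourceGroupName -Name $VnetName
    $result.VnetDnsServers = @($vnet.DhcpOptions.DnsServers)

    # Can this VM resolve the domain, and locate a DC through the _ldap._tcp.dc._msdcs SRV record?
    $result.DomainResolves = [bool](Resolve-DnsName -Name $DomainToJoin -Type A -ErrorAction SilentlyContinue)
    $result.DcLocatorResolves = [bool](Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainToJoin" `
        -Type SRV -ErrorAction SilentlyContinue)

    # Do the supplied credentials authenticate, and does the target OU exist?
    try {
        $null = Get-ADOrganizationalUnit -Identity $OuPath -Server $DomainToJoin `
            -Credential $DomainCredential -ErrorAction Stop
        $result.CredentialsAndOuOk = $true
    } catch {
        $result.CredentialsAndOuOk = $false
        $result.AdError = $_.Exception.Message
    }

    [pscustomobject]$result
}

# Placeholder call; the credential prompt asks for the join account (UPN) and password
$cred = Get-Credential -Message 'Domain join account'
Test-AvdDomainJoinPrereqs -DomainToJoin 'corp.example.com' -OuPath 'OU=AVD,DC=corp,DC=example,DC=com' `
    -DomainCredential $cred -VnetResourceGroupName 'my-network-rg' -VnetName 'my-vnet'
```

A false DomainResolves with an empty VnetDnsServers points straight at the DNS server setting covered by the linked “Change VNet DNS Servers” guide.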