Category: Azure

  • Enforced MFA on the Azure Portal and Emergency Access (breakglass) Accounts

    Enforced MFA on the Azure Portal and Emergency Access (breakglass) Accounts

    An emergency access (or break-glass) account is a key design consideration of your M365/Entra tenant. This would be an account that would bypass MFA and you would store the very long and unique credentials offline somewhere. This would be used in the case of configuration breakages that would lock out all your other admins or…

  • Conditional Access Authentication Strengths

    Newly released to Conditional Access in Azure AD is the “Authentication Strengths” settings. These allow you to control the strength of the authentication you need to be used for that conditional access rule. Before this feature was available you had the option of allowing access with no second factor, MFA as a second factor (any…

  • MFA and End User Impacts

    This article will look at the various different MFA settings found in Azure AD (which controls MFA for Office 365 and other SaaS services) and how those decisions impact users. There is lots on the internet on enabling MFA, and lots on what that looks like for the user – but nothing I could see…

  • Decommission ADFS When Moving To Azure AD Based Authentication

    I am doing a number of ADFS to Azure AD based authentication projects, where authentication is moved to Password Hash Sync + SSO or Pass Through Auth + SSO. Once that part of the project is complete it is time to decommission the ADFS and WAP servers. This guide is for Windows 2012 R2 installations…

  • SSL Inspection and Office 365

    Lots of cloud endpoint URL’s break service flow if you enable SSL Inspection on the network devices between your client and the service. My most recent example of this Enterprise State Routing in Windows 10. Microsoft have a list of URLs for the endpoints to their service, where they are categorised as Default, Allow or…

  • Installing and Updating Microsoft AntiMalware in Azure

    The Microsoft AntiMalware agent is a virtual machine extension in Azure that adds support for build in antimalware management within your virtual machines hosted in Azure. The agent can be added easily when you are creating a new VM, which we will show first below using the resource manager model, but also can be added…

  • Azure MFA 503 Error When Authenticating

    If you have installed version 7 of Azure MFA Server on-premises (7.0.0.9 or 7.0.2.1 at the time of writing) and have enabled IIS authentication with Forms Based authentication and the Native App, but when you need to authenticate you are presented with a 503 DLL error. The reason for this is that version 7 removed…

  • Upgrading Azure Multi-Factor Authentication Server

    A new version of Azure MFA Server was released at the end of March 2016, version 7.0.0.9. This provides an in place upgrade to the previous version 6.3.1.1. This version is based on .NET 4.5 and not .NET 2.0, which is the big change in the product, along with new end user functionality in the…

  • Installing Azure Multi-Factor Authentication and ADFS

    I have a requirement to ensure that Office 365 users external to the network of one of my clients need a second factor of authentication when accessing Office 365 resources from outside the corporate network. The free Multi-Factor Authentication (MFA) feature of Office 365 will not distinguish between network location so we need to enable…

  • Configuring ExpressRoute With NRP Errors

    I had a scenario where when I ran Get-AzureRmExpressRouteServiceProvider in a new Azure tenant I would get the following error in PowerShell. Get-AzureRmExpressRouteServiceProvider : Subscription a4ca03ea-42e4-4a18-a50f-79bcc53907e4 is not registered with NRP.At line:1 char:1+ Get-AzureRmExpressRouteServiceProvider+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~    + CategoryInfo          : CloseError: (:) [Get-AzureRmExpressRouteServiceProvider], CloudException    + FullyQualifiedErrorId : Microsoft.Azure.Commands.Network.GetAzureExpressRouteServiceProviderCommand This is one of the required cmdlets in configuring…

  • Password Writeback Errors

    I had been struggling with password writeback testing and was coming across the following set of errors, and found that searching for them uncovered nothing online. So I wrote this blog to remind me and help you solve these issues. These errors are all visible in the Application log of the Event Viewer. User Restrictions…

  • Configuring Sync and Writeback Permissions in Active Directory for Azure Active Directory Sync

    [Last updated 9th November 2022 – note that Microsoft now include this functionality in their own product as written at https://learn.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-adsyncconfig#set-adsyncexchangehybridpermissions] [Last updated 11th November 2019 – added support for Exchange Server automapping support, which was announced during Microsoft Ignite 2019 and will be supported in the first half of calendar year 2020. This is…

  • Managing Office 365 Groups With Remote PowerShell

    Announced during Microsoft Ignite 2015, there are now PowerShell administration cmdlets available for the administration of the Groups feature in Office 365. The cmdlets are all based around “UnifedGroups”, for example Get-UnifiedGroups. Create a Group Use New-UnifiedGroup to do this. An example would be New-UnifiedGroup -DisplayName “Sales” -Alias sales –EmailAddress sales@contoso.com The use of the…

  • How To Change Your Office 365 App Password

    If you are enabled for Multi-Factor Authentication (MFA) in Office 365 then you will need an App Password for some applications that do not support MFA. The user interface for creating a new App Password is well hidden in Office 365 (its not on the Password page for example). Post updated in 2016 to take…

  • Exchange OWA and Multi-Factor Authentication

    This article is now out of date Multi-factor authentication (MFA), that is the need to have a username, password and something else to pass authentication is possible with on-premises servers using a service from Windows Azure and the Multi-Factor Authentication Server (an on-premises piece of software). The Multi-Factor Authentication Server intercepts login request to OWA,…

  • Windows RRAS VPN and Multi Factor Authentication

    This blog post covers the steps to add Multi Factor Authentication (MFA) to Windows RRAS server. Once this is enabled, and you sign in with a user enabled for MFA in Azure Multi-Factor Authentication Server (an on-premises server) you are required to answer your phone before you can connect over the VPN. That is, you…

  • Creating Mailboxes in Office 365 When Using DirSync

    This blog post describes the process to create a new user in Active Directory on-premises when email is held in Office 365 and DirSync is in use. With DirSync in use the editable copy of the user object is on-premises and most attributes cannot be modified in the cloud. Creating the User Open Active Directory…

  • An “Inexpensive” Exchange Lab In Azure

    This blog post centres around two scripts that can be used to quickly provision an Exchange Server lab in Azure and then to remove it again. The reason why the blog post is titled “inexpensive” is that Azure charges compute hours even if the virtual machines are shut down. Therefore to make my Exchange lab…

  • Creating an Azure VPN with a Draytek Router

    The Microsoft Azure cloud operating system can be connected to your network by way of a virtual private network or VPN. Azure lists some supported devices and provides configuration scripts for them, but does not include the Draytek range of devices. Draytek devices are common in the small business market and for techy home users.…