-
Decommission ADFS When Moving To Azure AD Based Authentication
I am doing a number of ADFS to Azure AD based authentication projects, where authentication is moved to Password Hash Sync + SSO or Pass Through Auth + SSO. Once that part of the project is complete it is time to decommission the ADFS and WAP servers. This guide is for Windows 2012 R2 installations […]
-
Hardware Tokens for Office 365 and Azure AD Services Without Azure AD P1 Licences
A recent update to Azure AD Premium 1 (P1) licence has been the use of hardware tokens for multi-factor authentication (MFA). This is excellent news if your MFA deployment is stuck because users cannot use phones on the shop floor or work environment or they do not want to use personal devices for work activities. […]
-
Token2 Hardware OAuth Tokens and Azure AD Access
This blog post walks through the process of logging into Azure AD resources (Office 365, other SaaS applications registered in Azure AD and on-premises applications that utilise Azure AD App Proxy). First step is to order your desired hardware. For this article we are looking at the devices manufactured by Token2 (www.token2.com). These include credit […]
-
Read Only And Attachment Download Restrictions in Exchange Online
Microsoft have released a tiny update to Exchange Online that has massive implications. I say tiny in that it take like 30 seconds to implement this (ok, may 60 seconds then). When this is enabled, and below I will describe a simple configuration for this, your users when using Outlook Web Access on a computer […]
-
Improving Password Security In the Cloud and On-Premises
Passwords are well known to be generally insecure the way users create them. They don’t like “complex” passwords such as p9Y8Li!uk%al and so if they are forced to create a “complex” password due to a policy in say Active Directory, or because their password has expired and they need to generate a new one, they […]
-
Azure AD Single Sign-On Basic Auth Popup
When configuring Azure AD SSO as part of Pass-Through Authentication (PTA) or with Password Hash Authentication (PHA) you need now (since March 2018) to only configure a single URL in the Intranet Zone in Windows. That URL is https://autologon.microsoftazuread-sso.com and this can be rolled out as a registry preference via Group Policy. Before March 2018 […]
-
Customizing ADFS To Match Azure AD Centered User Experience
Back in December 2017 the User Experience (UX) for Azure AD login changed to a centered (or centred, depending upon where in the world you speak English) login page with pagination. Pagination is where you enter the username on one screen and the password on the next. This was covered in new Azure Active Directory […]
-
Configuring Hybrid Device Join On Active Directory with SSO
The instructions from Microsoft at https://docs.microsoft.com/en-us/azure/active-directory/device-management-hybrid-azuread-joined-devices-setup are missing some of the steps on setting up hybrid device join to Azure AD. This is a complete list of steps when Pass-Thru auth with SSO is enabled on the domain. Enable SSO – this is covered elsewhere. You can also do hybrid device join on a federated […]
-
Azure AD SSO and Disabled Computer Accounts
When you set up Azure AD SSO, the Azure AD Connect application creates a computer account called AZUREADSSOACC. Do not disable this account, or SSO stops working. I’ve had a few clients in the past week disable this when generally disabling all the computer accounts that have not logged in for X days. Therefore if […]
-
AADConnect Password Reset Date Sync Issues
Got this error the other day at a client and found nothing listed on Internet search for it, which of course means only I have this issue! But even so, lets get to see what it means and how to fix it. The error turned up in the AADConnect tool and it reported sync-generic-failure on […]
-
Azure MFA 503 Error When Authenticating
If you have installed version 7 of Azure MFA Server on-premises (7.0.0.9 or 7.0.2.1 at the time of writing) and have enabled IIS authentication with Forms Based authentication and the Native App, but when you need to authenticate you are presented with a 503 DLL error. The reason for this is that version 7 removed […]
-
OU Filtering in AADConnect–What They Grey Boxes Mean
So I had the chance to check this today. If you do OU filtering in the DirSync tools you will get an OU structure with various grey boxes in it. Here is an example: It appears that both and are options in the sync tool. You get the first (grey with a tick ) if […]
-
Remote Desktop And Login With AzureAD Account
If you join a Windows 10 PC to Azure AD and then try and login to that PC over remote desktop you are in for a barrel of laughs! Or not! The way to get it to work is as follows: Ensure that Windows 10 PC is running Version 1511 or later (type WinVer from […]
-
Upgrading Azure Multi-Factor Authentication Server
A new version of Azure MFA Server was released at the end of March 2016, version 7.0.0.9. This provides an in place upgrade to the previous version 6.3.1.1. This version is based on .NET 4.5 and not .NET 2.0, which is the big change in the product, along with new end user functionality in the […]
-
Password Writeback Errors
I had been struggling with password writeback testing and was coming across the following set of errors, and found that searching for them uncovered nothing online. So I wrote this blog to remind me and help you solve these issues. These errors are all visible in the Application log of the Event Viewer. User Restrictions […]
-
Configuring Sync and Writeback Permissions in Active Directory for Azure Active Directory Sync
[Last updated 9th November 2022 – note that Microsoft now include this functionality in their own product as written at https://learn.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-adsyncconfig#set-adsyncexchangehybridpermissions] [Last updated 11th November 2019 – added support for Exchange Server automapping support, which was announced during Microsoft Ignite 2019 and will be supported in the first half of calendar year 2020. This is […]