The Lazy Administrator

Finding ways to do the most work with the least effort possible

Modern Active Directory – An update to PSHTML-AD-Report


March 19, 2023 Brad Wyatt Comments 0 Comment

This is a guest blog by Mehdi Dakhama, you can check out his blog here. He has transformed and improved upon PSHTML AD Report.

About

This document presents the Modern Active Directory project, which aims to bring a more modern view of your Active Directory, whether to view key indicators or to perform advanced searches in a simple way.

With this PowerShell module that accesses your Active Directory in read-only mode, you can view and query your directory from a Web page. This directory status is generated on demand by executing a command or automatically so that you receive a daily report by e-mail.

Current Reporting and Limitations

Default console limits

By default, two consoles (DSA and DSAC) are proposed to administer AD. These consoles have not evolved for several years and they are limited in terms of functionality. Moreover, the installation of these consoles requires administrator … Continue...

Set-ADUser: Dealing with Null Values when Importing a CSV; Working with Parameters and Properties that don’t Accept Empty Strings


March 15, 2023 Brad Wyatt Comments 2 comments

Recently, I set out on populating a test Active Directory environment from a production environment. This included populating Active Directory Users and Computers with my users from production. I figured I could quickly export my users from production to a CSV file, include any properties I wanted to import over to the test environment, and then create the new users based on the CSV file using New-ADUser and Set-ADUser respectively. Quickly, I realized that I had a problem. I couldn’t just import the CSV file and have it iterate through each user because some parameters do not accept null values, meaning if I am calling the parameter, it wants a value, no exceptions. This is the same for LDAP properties as well that use the Replace parameter.

The Instance Parameter

The first possible fix I found, was the use of the Instance parameter. The Instance parameter will change properties of … Continue...

Migrate your Runbooks in Azure Automation to Managed Identities


March 9, 2023 Brad Wyatt Comments 1 comment

Microsoft has recently announced that on September 30th, 2023, Azure Automation RunAs accounts, including Classic Run As accounts, will be retired, so you will need to migrate your runbooks to managed identities for authentication. Managed Identities provide the same functionality as RunAs accounts, plus:

  • Secure authentication to any Azure service that supports Azure Active Directory (Azure AD) authentication.
  • Minimized management overhead with easy access to resources.
  • Simplified runbooks with no requirement to use multi-line code.

Review your Automation Accounts

The first item that must be done is to review your Automation Accounts within Azure to see which ones, if any, are using RunAs or Classic RunAs Accounts. In Azure, go to Automation Accounts. In the screenshot below we can see that I have a total of four (4) different automation accounts that span three (3) resource groups and two (2) Azure subscriptions.

If I click an Automation Account and … Continue...

Enable Firefox Windows Single Sign-On using Intune


February 12, 2023 Brad Wyatt Comments 0 Comment

One reason you may want to enable Windows SSO within Firefox is so that your users on Azure AD or Hybrid joined machines can log into Microsoft 365 services, such as Outlook, without having to re-authenticate. In this post, I will show you how to leverage Intune and custom configuration profiles to configure Firefox to enable Windows SSO.

Prerequisites

  • Firefox ADMX file located here
  • Intune
  • Mozilla Firefox version 91 or newer
  • Intune Administrator
  • Test Machine with a valid Intune License

Create the Policy

  1. Navigate to the Intune admin portal
  2. Go to Devices > Windows > Configuration profiles > + Create profile
  3. Under ‘Platform’ select Windows 10 and later. For ‘Profile type’ select Templates, and then select a Custom template.
  4. Give your new configuration policy a good name and description so other administrators will understand what it does without having to view the configuration
… Continue...

Allow Non-Admin Users to Manage Their Desktop Icons Using Intune


February 10, 2023 Brad Wyatt Comments 0 Comment

Many IT organizations do not allow their end users to be local administrators on company endpoints, and for good reason. But one issue I have run across is that some applications install an icon on the public desktop (C:\Users\Public\Desktop) and the end user is unable to delete the icon as it requires administrative rights. Using PowerShell, we can modify the ACL of the public desktop folder and allow our non-admin users to delete these shortcuts.

Copy the PowerShell script below and save it somewhere we can reference it later. This script modifies the permissions for the folder ‘C:\Users\Public\Desktop’ and adds the ‘Authenticated Users’ principal to it with the ‘Modify’ permission.

# Folder whose ACL we are changing
$folderPath = "C:\Users\Public\Desktop"
# Read the current ACL so the existing entries are preserved
$acl = Get-Acl $folderPath
# S-1-5-11 is the well-known SID for the built-in "Authenticated Users" group
$user = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-11')
# Allow Modify on the folder, and inherit to subfolders and files
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule ($user, "Modify", "ContainerInherit,ObjectInherit", "None", "Allow")
$acl.SetAccessRule($rule)
# Write the updated ACL back to the folder
Set-Acl $folderPath $acl

Open a web browser and navigate to Intune.Microsoft.com > Devices > Scripts and Add a … Continue...

Fix Issue with Connecting Managed Google Play to Intune (We couldn’t connect to that service)


February 9, 2023 Brad Wyatt Comments 1 comment

Recently, I was connecting Google Play to Intune and ran across an issue that I did not see documented anywhere. I spent a great deal of time pulling my hair out trying to figure out where the disconnect was. I was at the Intune portal (intune.microsoft.com) and went to Devices > Android > Android enrollment and clicked Managed Google Play to connect Google Play to Intune.

The Google Play window would pop up and I would sign into my account. In the top right corner you can see my account is signed in. I would click the Re-Enroll button (or, if it’s your first time, you would click Enroll or Sign-In).

I would get a redirection window that would hang for 15-20 seconds.

Until it ultimately failed with the following error:

Try that again using a different browser
We couldn’t connect to that service, likely because of settings put in
… Continue...

Set Google as Default Search Engine for Microsoft Edge using Intune


January 21, 2023 Brad Wyatt Comments 0 Comment

Using an Intune Settings Catalog we can change Microsoft Edge’s default search engine from Bing to Google.

  1. Navigate to the Intune admin portal at intune.microsoft.com
  2. On the left pane, click Devices
  3. In the Devices Overview page, click Configuration Profiles, found under Policy
  4. Click + Create Profile
  5. Under Platform, select Windows 10 and later, and under Profile type, select Settings catalog
  6. Give your new policy a proper name and description and then click Next
  7. In the Settings Catalog search for Microsoft Edge and then select Microsoft Edge\Default search provider
  8. Select the following four (4) settings:
    1. Configure the new tab page search box experience
    2. Default search provider name
    3. Default search provider url
    4. Enable the default search provider
  9. Enable the four new settings and configure the following
    1. Default Search provider search URL: https://www.google.com/search?q={searchTerms}
    2. Default search provider name: Google
    3. New tab page search box experience: Address bar
  10. On the next page configure
… Continue...

Improve your Azure Multi-Factor Authentication Notifications


September 26, 2022 Brad Wyatt Comments 0 Comment

Recently, Uber appeared to be hacked in what is called an MFA fatigue attack. The attacker continuously sent MFA requests to an end user hoping they would accidentally approve one of them. Microsoft has several items to help prevent MFA fatigue attacks that you can configure and enable for your end users. Traditionally, MFA notifications are push notifications where a user can either accept or deny the request. One improvement to this has been multiple number options, where the end user must select one of four numbers that is presented on the screen they are logging into. The problem with this is that it leaves a 1 in 4 chance that an accidental selection may result in unauthorized access.

Configure Fraud Alerts

Fraud Alerts allow your users to report fraud if they receive a two-step verification request that they didn’t initiate and automatically block their account from sign-on.

Go to the Azure … Continue...

Block Outdated Operating Systems with Microsoft Defender for Cloud Apps (Cloud App Security)


September 12, 2022 Brad Wyatt Comments 0 Comment

In this write-up I will be configuring Microsoft Defender for Cloud Apps (formerly Cloud App Security) and Conditional Access to block outdated operating systems from accessing Microsoft 365 services within my tenant.

Licensing

The first thing you want to figure out is licensing. You must have a license that enables “Microsoft Defender for Cloud Apps Discovery” and not only “Microsoft Defender for Cloud Apps.” At the time of writing the EM+S E5 SKU will not work but the Microsoft 365 E5 Security SKU will. You will also need an Azure Active Directory Premium P2 license.

Setting up Conditional Access

Once we have the proper licensing we need to route applications to Microsoft Defender for Cloud Apps. In the Azure Portal, go to Conditional Access and create a new Policy.

Assignments

In my assignments, I selected all users and excluded my break-glass account.

Cloud Apps or Actions

Next, I selected the Office … Continue...

Connect to Exchange Online PowerShell with an Azure Managed Identity


September 9, 2022 Brad Wyatt Comments 0 Comment

Recently the Exchange Online Module v2 came out with support for connecting to Exchange Online via a managed identity. The module has several parameters for this:

  1. ManagedIdentity
  2. ManagedIdentityAccountId
  3. Organization

When using the ManagedIdentity parameter you must also call the Organization parameter which is the initial, or ‘.onmicrosoft’ domain.

What You Will Need

  • PowerShell
  • Az PowerShell Module (Install-Module Az)
  • The Microsoft Graph SDK (Install-Module Microsoft.Graph)

Create the Managed Identity, Permissions, and Runbook

Connect to Azure

The first thing we must do is connect to Azure using the Az module. Open a PowerShell window and run:

Connect-AzAccount

Create a Resource Group

After we are connected we need to create a Resource Group to house everything. In my example I will create a new Resource Group in the Central US region.

$rgname = "rg-exchangeautomation"
$location = "centralus"
New-AzResourceGroup -Name $rgname -Location $location

Create the Automation Account

Next, we need to create the Automation Account that runs … Continue...

© 2023   Copyright 2020. All Rights Reserved.