Enable Firefox Windows Single Sign-On using Intune

Enable Firefox Windows Single Sign-On using Intune

Comments 3 comments

One reason you may want to enable Windows SSO within Firefox, is so that your users on Azure AD or Hybrid joined machines can log into Microosft 365 services, such as Outlook, without having to re-authenticate. In this post, I will show you how to leverage Intune and custom configuration profiles to configure Firefox to enable Windows SSO.

Prerequisites

  • Firefox ADMX file located here
  • Intune
  • Mozilla Firefox version 91 or newer
  • Intune Administrator
  • Test Machine with a valid Intune License

Create the Policy

  1. Navigate to the Intune admin portal
  2. Go to Devices > Windows > Configuration profiles > + Create profile
  3. Under ‘Platform‘ select Windows 10 and later. For ‘Profile type‘ select Templates, and then select a Custom template.
  4. Give you new configuration policy a good name and description so other administrators will understand what it does without having to view the configuration
Continue...
Allow Non-Admin Users to Manage Their Desktop Icons Using Intune

Allow Non-Admin Users to Manage Their Desktop Icons Using Intune

Comments 1 comment

Many IT organizations do not allow their end users to be local administrators on company endpoints, and for good reason. But one issue I have ran across is that some applications install an icon on the public desktop (C:\Users\Public\Desktop) and the end user is unable to delete the icon as it requires administrative rights. Using PowerShell, we can modify the ACL of the public desktop folder and allow our non-admin users to delete these shortcuts.

Copy the PowerShell script below and save it somewhere we can reference it later. This script modifies the permissions for the folder ‘C:\Users\Public\Desktop’ and adds the ‘authenticated users‘ entity to it with the ‘modify’ permission.

$folderPath = "C:\Users\Public\Desktop"
$acl = Get-Acl $folderPath
$user = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-11')
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule ($user,"Modify", "ContainerInherit,ObjectInherit", "None", "Allow")
$acl.SetAccessRule($rule)
Set-ACL $folderPath $acl

Open a web browser and navigate to Intune.Microsoft.com > Devices > Scripts and Add a … Continue...

Fix Issue with Connecting Managed Google Play to Intune (We couldn’t connect to that service)

Fix Issue with Connecting Managed Google Play to Intune (We couldn’t connect to that service)

Comments 5 comments

Recently, I was connecting Google Play to Intune and ran across an issue that I did not see documented anywhere. I spent a great deal of time pulling my hair out trying to figure out where the disconnect was. I was at the intune portal (intune.microsoft.com) and went to Devices > Android > Android enrollment and clicked Managed Google Play to connect Google Play to Intune.

The Google Play window would pop up and I would sign into my account. In the top right corner you can see my account is signed in. I would click the Re-Enroll button (of if its your first time you would click Enroll or Sign-In)

I would get a redirection window that would hang for 15-20 seconds.

Until it ultimately failed with the following error:

Try that again using a different browser
We couldn’t connect to that service, likely because of settings put in
Continue...
Set Google as Default Search Engine for Microsoft Edge using Intune

Set Google as Default Search Engine for Microsoft Edge using Intune

Comments 0 Comment

Using an Intune Settings Catalog we can change Microsoft Edge’s default search engine from Bing! to Google Chrome.

  1. Navigate to the Intune admin portal at intune.microsoft.com
  2. On the left pane, click Devices
  3. In the Devices Overview page, click Configuration Profiles found under the Policy
  4. Click + Create Profile
  5. Under Platform, select Windows 10 and later. And under Profile Type, select Settings catalog
  6. Give your new policy a proper name and description and then click Next
  7. In the Settings Catalog search for Microsoft Edge and then select Microsoft Edge\Default search provider
  8. Select the following four (4) settings:
    1. Configure the new tab page search box experience
    2. Default search provider name
    3. Default search provider url
    4. Enable the default search provider
  9. Enable the four new settings and configure the following
    1. Default Search provider search URL: https://www.google.com/search?q={searchTerms}
    2. Default search provider name: Google
    3. New tab page search box experience: Address bar
  10. On the next page configure
Continue...
Improve your Azure Multi-Factor Authentication Notifications

Improve your Azure Multi-Factor Authentication Notifications

Comments 2 comments

Recently, Uber appeared to be hacked in what is called a MFA Fatigue attack. The attacker continuously sent MFA requests to an end user hoping they would accidentally approve one of them. Microsoft has several items to help prevent MFA fatigue attacks that you can configure and enable for your end users. Traditionally, MFA notifications are push notifications where a user can either accept or deny the request. Some improvements to this have been multiple number options where the end user must select one of four numbers that is presented on the screen they are logging into. The problem with this is that leaves a 1 in 4 chance an accidental selection may result in unauthorized access.

Configure Fraud Alerts

Fraud Alerts allow your users to report fraud if they receive a two-step verification request that they didn’t initiate and automatically block their account from sign-on.

Go to the Azure … Continue...

Block Outdated Operating Systems with Microsoft Defender for Cloud Apps (Cloud App Security)

Block Outdated Operating Systems with Microsoft Defender for Cloud Apps (Cloud App Security)

Comments 0 Comment

In this write up I will be configuring Microsoft Defender for Cloud Apps (old name is Cloud App Security) and Conditional Access to block outdated operating systems from accessing Microsoft 365 services within my tenant.

 

Licensing

First thing you want to figure out, is licensing. You must have a license that enables “Microsoft Defender for Cloud Apps Discovery” and not “Microsoft Defender for Cloud Apps.” At the time of writing EM+S E5 sku will not work but Microsoft 365 E5 Security sku will. You will also need Azure Active Directory Premium P2 license.

Setting up Conditional Access

Once we have the proper licensing we need to route applications to Microsoft Defender for Cloud Apps. In the Azure Portal, go to Conditional Access and create a new Policy.

Assignments

In my assignments, I selected all users and excluded my break-glass account.

Cloud Apps or Actions

Next, I selected the Office … Continue...

Connect to Exchange Online PowerShell with an Azure Managed Identity

Connect to Exchange Online PowerShell with an Azure Managed Identity

Comments 5 comments

Recently the Exchange Online Module v2 came out with support for connecting to Exchange Online via a managed identity. The module has several parameters:

  1. ManagedIdentity
  2. ManagedIdentityAccountId
  3. Organization

When using the ManagedIdentity parameter you must also call the Organization parameter which is the initial, or ‘.onmicrosoft’ domain.

What You Will Need

  • PowerShell
  • Az PowerShell Module (install-module az)
  • The Microsoft Graph SDK (install-module Microsoft.Graph

Create the Managed Identity, Permissions, and Runbook

Connect to Azure

First thing we must do is connect to Azure using the Az module. Open a PowerShell window and run

Connect-AzAccount

Create a Resource Group

After we are connected we need to create a Resource Group to house everything. In my example I will create a new Resource Group in the Central US region.

$rgname = "rg-exchangeautomation"
$location = "centralus"
New-AzResourceGroup -Name $rgname -Location $location

Create the Automation Account

Next, we need to create the Automation Account that runs … Continue...

Creating a Microsoft 365 Automated Off-boarding Process with SharePoint, Graph API, and PowerShell

Creating a Microsoft 365 Automated Off-boarding Process with SharePoint, Graph API, and PowerShell

Comments 0 Comment

In this write-up I will be creating a basic off-boarding automation that uses SharePoint as the front end, and PowerShell, the Graph API, and Azure Runbooks as the back-end. HR will input the users UPN or Email, offboard date/time, and a forwarding address to forward email to. Once the off-boarding datetime is within 1hr the automation will check the user in Azure AD to ensure its valid, the forwarding user is valid in Azure AD, document in SharePoint the users e-mail address, any and all licenses, and all group memberships. After that, it will proceed with the off-boarding where it will remove all licenses from the user, remove all group memberships, and forward email to our forwarding user. It will log everything back to SharePoint where one can review it.

Off-Boarding Stages

Pending

In Pending we have just submitted our user and the automation has not seen it, or it … Continue...

Office 365 / Exchange Online Mailbox Size Report Including Mailbox Free Space with PowerShell

Office 365 / Exchange Online Mailbox Size Report Including Mailbox Free Space with PowerShell

Comments 1 comment

I wanted to create an automated alert that would notify me of Office 365 mailboxes that were approaching full, and found a terrific PowerShell reporting script by Ruud (LazyAdmin.nl). If you have not checked out his blog, stop reading now and head on over there. There is a ton of great scripts and write ups! The script connects to your Office 365 environment and exports the following:

  • Display name
  • Primary Email address
  • Mailbox type
  • Last user action time
  • Total mailbox size
  • Mailbox Free Space (NEW!)
  • Deleted item size
  • Item Count
  • Deleted Item Count
  • Issue Warning Size
  • Prohibit Send Receive Quota (max mailbox size)
  • Archive size (if the user has an archive)
  • Archive Item Count
  • Archive Mailbox Free Space (NEW!)
  • Archive Deleted Item Count
  • Archive warning quota
  • Archive quota

 

Shared Mailboxes

It also allows you to filter the mailbox type that you want to gather results for. By … Continue...

Auto Delete Message From Yammer Community with PowerShell

Auto Delete Message From Yammer Community with PowerShell

Comments 0 Comment

I was recently tasked with clearing out a Yammer Communities auto-welcoming posts. If you are not familiar with auto-welcoming posts, Yammer used to automatically post a message whenever someone joined a community. It looked something like this, “Bradley Wyatt joined the Lazy Administrator network. Take a moment to welcome Brad.

Thankfully, Microsoft removed this feature so your community is not littered with auto welcoming messages anymore. But, if your community existed prior to this change you may be faced with hundreds, if not thousands of these posts that you may want to remove.

  1. Register a New App so we can interface with the Yammer API
  2. Next, click “Generate a developer token for this application.” Save the token for later as you will need it.
  3. Next, navigate to the Yammer Admin page and click “Export Network Data” under Content and Security.
  4. Select the date range you want
Continue...