Tim D'Annecy


tdannecy@gmail.com

#Azure #DNS #security #Exchange

Your organization may have a primary domain that's used for sending and receiving email (e.g. bill@company.com), but you may also have other domains that aren't used for email routing at all (company.net, companywebsite.com). You or another administrator may have set up SPF, DKIM, and DMARC records for the domains that handle email, but the domains that never send mail are still exposed to spoofing.

Without SPF, DKIM, and DMARC records in DNS, anyone can send email that appears to come from your domain, and receiving servers have no published policy to check it against. Cleaning up after a spoofing campaign is a headache for the administrator, and the organization loses brand trust with the customers who receive the messages.

To shut this down, add three records to the DNS zone of each non-sending domain: an SPF record that authorizes no senders, a DKIM record that publishes no signing key, and a DMARC record with a reject policy. The recipient's mail server uses these to check whether the sender is authorized to use the domain. When the checks fail, a receiver that honors your DMARC policy rejects the message and the recipient never sees it. Receivers that ignore DMARC may still deliver it, so the records shrink the exposure rather than eliminate it.
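As an added example (not code from the original post), here is a PowerShell audit of a non-sending domain's records that reports exactly which of these protections is missing or too loose. The domain names and record values in `$sample` are constructed, and the live lookup at the bottom uses `Resolve-DnsName` from the Windows DnsClient module. The null MX check goes one step beyond the three records the post describes: it tells sending servers the domain accepts no mail at all.

```powershell
# Added example, not from the original post. Checks the SPF/DKIM/DMARC/MX posture of a
# domain that should never send or receive mail and lists the record to publish for each gap.

function Test-NonSendingDomain {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [string[]] $ApexTxt  = @(),   # TXT records at <domain>
        [string[]] $DmarcTxt = @(),   # TXT records at _dmarc.<domain>
        [string[]] $DkimTxt  = @(),   # TXT records at <anything>._domainkey.<domain>
        [string[]] $MxHosts  = @()    # MX exchange names at <domain>
    )
    $f = [System.Collections.Generic.List[string]]::new()

    # SPF: exactly one v=spf1 record, and "-all" with no mechanisms for a domain that never sends.
    $spf = @($ApexTxt | Where-Object { $_ -match '^v=spf1\b' })
    if     ($spf.Count -eq 0) { $f.Add('SPF missing: publish TXT "v=spf1 -all"') }
    elseif ($spf.Count -gt 1) { $f.Add('SPF invalid: more than one v=spf1 record (receivers treat this as permerror)') }
    elseif ($spf[0] -notmatch '^v=spf1\s+-all\s*$') { $f.Add("SPF still authorizes senders: '$($spf[0])'") }

    # DMARC: p=reject; with p=quarantine spoofed mail lands in junk, with p=none it is only reported.
    $dmarc = @($DmarcTxt | Where-Object { $_ -match '^v=DMARC1\b' })
    if     ($dmarc.Count -eq 0) { $f.Add('DMARC missing: publish TXT "v=DMARC1; p=reject;" at _dmarc') }
    elseif ($dmarc[0] -notmatch '(^|;)\s*p=reject\s*(;|$)') { $f.Add("DMARC policy is not reject: '$($dmarc[0])'") }

    # DKIM: a wildcard selector with an empty key (p=) revokes every selector a spoofer might claim.
    if (-not ($DkimTxt | Where-Object { $_ -match '^v=DKIM1\b.*\bp=\s*(;|$)' })) {
        $f.Add('DKIM: publish TXT "v=DKIM1; p=" at *._domainkey so any DKIM signature fails')
    }

    # Null MX (RFC 7505): a single MX of "." with preference 0 says the domain accepts no mail.
    if ($MxHosts.Count -eq 0) { $f.Add('No MX: publish null MX "0 ." so replies and bounces fail fast') }
    elseif (-not ($MxHosts.Count -eq 1 -and $MxHosts[0] -eq '.')) {
        $f.Add("MX present ($($MxHosts -join ', ')): domain still accepts inbound mail")
    }

    [pscustomobject]@{ Domain = $Domain; Locked = ($f.Count -eq 0); Findings = $f.ToArray() }
}

# Constructed sample: company.net is locked down, companywebsite.com still carries the web host's defaults.
$sample = @(
    @{ Domain = 'company.net';        ApexTxt = @('v=spf1 -all'); DmarcTxt = @('v=DMARC1; p=reject; rua=mailto:dmarc@company.com'); DkimTxt = @('v=DKIM1; p='); MxHosts = @('.') }
    @{ Domain = 'companywebsite.com'; ApexTxt = @('v=spf1 include:_spf.webhost.example ~all'); DmarcTxt = @(); DkimTxt = @(); MxHosts = @('mail.webhost.example') }
)
foreach ($s in $sample) { Test-NonSendingDomain @s | Format-List }

# Live lookup (needs DNS access). A random selector is queried so the wildcard DKIM record is what answers.
function Get-DomainMailRecords {
    param([Parameter(Mandatory)] [string] $Domain)
    $txt = { param($n) @(Resolve-DnsName -Name $n -Type TXT -ErrorAction SilentlyContinue | Where-Object Type -eq 'TXT' | ForEach-Object { $_.Strings -join '' }) }
    @{
        Domain   = $Domain
        ApexTxt  = & $txt $Domain
        DmarcTxt = & $txt "_dmarc.$Domain"
        DkimTxt  = & $txt "probe._domainkey.$Domain"
        MxHosts  = @(Resolve-DnsName -Name $Domain -Type MX -ErrorAction SilentlyContinue | Where-Object Type -eq 'MX' | ForEach-Object NameExchange)
    }
}
# $live = Get-DomainMailRecords -Domain 'company.net'; Test-NonSendingDomain @live
```

Run the audit against every domain you own, not just the ones you think are parked: registrars and web hosts often add a permissive SPF or an MX record by default, and that is exactly the state the second sample domain is in.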

Read more...

#PowerShell #AzureAD

After a domain migration or other large organizational change, you may need to update the manager attribute for hundreds of staff in Azure AD at the same time.

Doing this through the GUI is a huge pain; it's much easier with PowerShell and a CSV file.
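Here is an added example of that approach using Microsoft Graph PowerShell; it is not the post's own script. The CSV column names (UserPrincipalName, ManagerUPN) and the rows are assumptions, and the CSV text is embedded so the parsing and dry run work without a tenant. A live run needs the Microsoft.Graph.Users module and the User.ReadWrite.All scope.

```powershell
# Added example, not the post's own script: set managers in bulk from a CSV via Microsoft Graph.

$csvText = @'
UserPrincipalName,ManagerUPN
alice@company.com,bill@company.com
carol@company.com,bill@company.com
dave@company.com,
'@

function Set-ManagerFromCsv {
    param(
        [Parameter(Mandatory)] [object[]] $Rows,   # objects with UserPrincipalName and ManagerUPN
        [switch] $WhatIf                            # report what would change, touch nothing
    )
    # Resolve each distinct manager once; a typo in the CSV fails here, not once per user.
    $managerIds = @{}
    foreach ($row in $Rows) {
        $upn = "$($row.UserPrincipalName)".Trim()
        $mgr = "$($row.ManagerUPN)".Trim()
        if (-not $mgr) {
            # Empty manager: skip rather than clear the existing manager by accident.
            [pscustomobject]@{ User = $upn; Manager = $null; Status = 'Skipped: no manager in CSV' }
            continue
        }
        if ($mgr -ieq $upn) {
            [pscustomobject]@{ User = $upn; Manager = $mgr; Status = 'Skipped: user listed as own manager' }
            continue
        }
        if ($WhatIf) {
            [pscustomobject]@{ User = $upn; Manager = $mgr; Status = 'WhatIf: would update' }
            continue
        }
        try {
            if (-not $managerIds.ContainsKey($mgr)) {
                $managerIds[$mgr] = (Get-MgUser -UserId $mgr -Property Id -ErrorAction Stop).Id
            }
            # manager is a navigation link in Graph, so it is set by reference, not as a plain attribute.
            $ref = @{ '@odata.id' = "https://graph.microsoft.com/v1.0/users/$($managerIds[$mgr])" }
            Set-MgUserManagerByRef -UserId $upn -BodyParameter $ref -ErrorAction Stop
            [pscustomobject]@{ User = $upn; Manager = $mgr; Status = 'Updated' }
        } catch {
            [pscustomobject]@{ User = $upn; Manager = $mgr; Status = "Failed: $($_.Exception.Message)" }
        }
    }
}

$rows = $csvText | ConvertFrom-Csv
Set-ManagerFromCsv -Rows $rows -WhatIf | Format-Table -AutoSize   # offline dry run

# Live run:
# Connect-MgGraph -Scopes 'User.ReadWrite.All'
# Set-ManagerFromCsv -Rows (Import-Csv .\managers.csv) | Export-Csv .\manager-results.csv -NoTypeInformation
```

Always do the `-WhatIf` pass first and keep the results CSV: a bad row in a file of hundreds is easy to miss, and the output is your record of what changed if someone asks later.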

Read more...

#AVD #Azure

One of the most important pieces of an Azure Virtual Desktop rollout is adding a TXT record to your public DNS zone. The Remote Desktop client uses it to discover the workspace feed URL from the user's email address, so users can subscribe by typing their email address when they sign in to the Azure Virtual Desktop client for the first time instead of pasting in a feed URL.
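As an added example (not from the post), this creates the email-discovery record in an Azure DNS zone and then verifies it resolves publicly. The record name `_msradc` and its value are the ones Microsoft documents for the Azure Virtual Desktop (ARM) feed; the zone and resource-group names are assumptions. It needs the Az.Dns module, a `Connect-AzAccount` session, and DNS Zone Contributor on the zone.

```powershell
# Added example, not from the post: publish and verify the AVD email-discovery TXT record.

$zone = 'company.com'
$rg   = 'rg-dns'
$feed = 'https://rdweb.wvd.microsoft.com/api/arm/feeddiscovery'

$existing = Get-AzDnsRecordSet -Name '_msradc' -RecordType TXT -ZoneName $zone -ResourceGroupName $rg -ErrorAction SilentlyContinue
if ($existing) {
    "_msradc.$zone already exists with: $($existing.Records.Value -join ' | ')"
} else {
    New-AzDnsRecordSet -Name '_msradc' -RecordType TXT -ZoneName $zone -ResourceGroupName $rg -Ttl 3600 `
        -DnsRecords (New-AzDnsRecordConfig -Value $feed) | Out-Null
    "Created _msradc.$zone"
}

# Verify the way the client will: through a public resolver, not your internal DNS,
# which may hold a different copy of the zone.
$answer = Resolve-DnsName -Name "_msradc.$zone" -Type TXT -Server 1.1.1.1 -ErrorAction SilentlyContinue |
    Where-Object Type -eq 'TXT'
if ($answer -and (($answer.Strings -join '') -eq $feed)) {
    'Email discovery record OK'
} else {
    'Email discovery record missing or wrong: check the zone delegation and allow time for propagation'
}
```

The check through a public resolver matters when the company runs split-brain DNS: the record can look fine from inside the office while home users, who resolve through their ISP, never find the feed.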

Read more...

#Azure #PowerShell

A company I work with is looking to reduce the cost of their Azure environment. After a quick look, I noticed that they have a number of VMs that are running 24/7 but are not used all the time. Some of these VMs are user-facing and only need to be online during business hours on weekdays. Other VMs are used for batch jobs and are only needed once or twice a day. The rest of the time they sit idle, consuming resources and costing money.

Adding logic to start and stop these VMs at set times of day reduces your Azure spend and is easy to implement. Note that only a deallocated VM stops compute billing; a VM that's merely shut down from inside the OS is still allocated and still billed.
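Here is an added example of that logic (not the post's script), driven by a tag on each VM so the schedule lives with the resource rather than in the script. The tag name and format (`Schedule` = `"HH:mm-HH:mm;Mon,Tue,..."`, times in UTC), the VM names and the dates are assumptions. The decision function runs offline; the sync function needs Az.Compute and a `Connect-AzAccount` session (in Azure Automation, a Managed Identity with Virtual Machine Contributor on the VMs' resource group is the least-privileged way to run it).

```powershell
# Added example, not the post's script: tag-driven start/stop of Azure VMs.

function Get-DesiredPowerState {
    param(
        [Parameter(Mandatory)] [string]   $Schedule,   # e.g. "08:00-18:00;Mon,Tue,Wed,Thu,Fri"; no day list means every day
        [Parameter(Mandatory)] [datetime] $Now         # compare in the same zone as the tag (UTC here)
    )
    $window, $days = $Schedule -split ';', 2
    $start, $end   = $window -split '-'
    $onDays = if ($days) { @($days -split ',' | ForEach-Object Trim) } else { @('Mon','Tue','Wed','Thu','Fri','Sat','Sun') }
    $today  = $Now.DayOfWeek.ToString().Substring(0, 3)
    $t      = $Now.TimeOfDay
    $inWindow = ($t -ge [timespan]::Parse($start)) -and ($t -lt [timespan]::Parse($end))
    if ($inWindow -and ($onDays -contains $today)) { 'running' } else { 'deallocated' }
}

function Sync-VmPowerState {
    param([datetime] $Now = (Get-Date).ToUniversalTime(), [switch] $WhatIf)
    # -Status adds PowerState ("VM running", "VM deallocated", ...) to each VM object. Untagged VMs are never touched.
    foreach ($vm in Get-AzVM -Status | Where-Object { $_.Tags -and $_.Tags.ContainsKey('Schedule') }) {
        $desired = Get-DesiredPowerState -Schedule $vm.Tags['Schedule'] -Now $Now
        $current = if ($vm.PowerState -eq 'VM running') { 'running' } else { 'deallocated' }
        if ($current -eq $desired) { continue }
        "$($vm.Name): $current -> $desired"
        if ($WhatIf) { continue }
        if ($desired -eq 'running') {
            Start-AzVM -ResourceGroupName $vm.ResourceGroupName -Name $vm.Name -NoWait | Out-Null
        } else {
            # Stop-AzVM deallocates unless -StayProvisioned is given; only a deallocated VM stops compute billing.
            Stop-AzVM -ResourceGroupName $vm.ResourceGroupName -Name $vm.Name -Force -NoWait | Out-Null
        }
    }
}

# Offline check of the decision logic (2023-01-16 is a Monday, 2023-01-14 a Saturday).
Get-DesiredPowerState -Schedule '08:00-18:00;Mon,Tue,Wed,Thu,Fri' -Now ([datetime]'2023-01-16 09:30')
Get-DesiredPowerState -Schedule '08:00-18:00;Mon,Tue,Wed,Thu,Fri' -Now ([datetime]'2023-01-14 09:30')
Get-DesiredPowerState -Schedule '02:00-03:00' -Now ([datetime]'2023-01-14 02:15')   # batch window, every day

# Live, from an Azure Automation runbook on an hourly schedule:
# Connect-AzAccount -Identity; Sync-VmPowerState -WhatIf   (drop -WhatIf once the output looks right)
```

Keeping the schedule in a tag also means the people who own a VM can change its hours without being given rights to edit the runbook, and a VM with no tag is left alone by design.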

Read more...

#Windows #Azure #AVD

Recently, a company I work with requested a way for users to access a web app that they were hosting on-premises, but didn't want to expose the app to the internet. The app is out of support from the vendor and can't be opened up outside of their secure network.

We planned to allow access to the app by instructing users to connect over a VPN, but we found this would be a hassle for users, as they would need to install the VPN client, connect to the VPN, and then launch a browser to access the app. In this case, the site also requires IE11 with a custom extension to be installed. These requirements just to access a single site really made it a headache for users and the Helpdesk received regular tickets from staff who had issues accessing the site.

Instead of the VPN approach, we deployed a Microsoft Edge shortcut in Azure Virtual Desktop. This has advantages: users launch a browser window that runs on the session host, so the browser is already on the network the Host Pool is connected to. If your Azure networking is configured correctly, internal sites and apps are reachable without exposing them to the internet, and the client PC never connects to them directly. It also lets you control the browser version and other settings on the Host Pool. Paired with Intune policies, you can define the browser settings and extensions available to users and require certain sites to open in Internet Explorer mode, which helps with a legacy app that only works in IE11 and needs a specific extension installed.

In this post, I'll show you how to deploy a Microsoft Edge shortcut in Azure Virtual Desktop.

Read more...

#Windows #Azure #AVD #Intune

UPDATE: On April 18, 2023, Microsoft released a Public Preview of the new Azure Virtual Desktop app in the Microsoft Store. This should fix the issues noted in this post. Download the new app here: http://aka.ms/AVDStoreClient

I recently had an issue with an Azure AD Joined host pool in Azure Virtual Desktop where users could not log in with their Azure AD credentials.

In our environment, both the client computer and the Azure Virtual Desktop host computer are Azure AD Joined. The user was able to log in to their Azure AD Joined computer, but when they tried to log in to the Azure Virtual Desktop host computer, they would get an error message:

Couldn't connect. Something went wrong when we tried to connect. If this keeps happening, ask your admin or tech support for help. Error code: 0x9735 Extended error code: 0x0 Activity ID: {e194ae11-b2ed-4d33-9520-c1d5ed140000}

Screenshot of error message

Read more...

#Netsuite

I recently had a request to make expense reporting easier for a finance department. They wanted an easier way to get their employees' reported expenses into Netsuite and associate them with an expense report without a lot of manual entry. The process they were using required the employee to email receipts to the finance department, then someone would take time out of their day to manually enter the expenses one by one into Netsuite. This was a time-consuming process and prone to errors.

To make things easier, I created a CSV import that would allow them to import expenses in bulk and then review them before submitting the expense report.

Read more...

#Exchange #AzureAD

Microsoft has announced several times that they are deprecating Basic Authentication for Exchange Online soon, possibly this month (January 2023).

A recent post has information about the deprecation and how to prepare for it.

I wanted to write down how to identify any Basic Authentication usage in your environment from that post and simplify it to just a few clicks. This is a good way to identify any applications that are using Basic Authentication and need to be updated before they get blocked.

Navigate to the Azure AD portal and sign in with an account that can read the sign-in logs. Global Administrator works, but the Reports Reader (or Security Reader) role is enough for this and is the least-privileged choice.

Select Azure Active Directory > Sign-in logs: Screenshot of Azure AD dashboard

Add filters in the top bar: set the date range you want to search, then for Client app select every option under the “Legacy Authentication Clients” section of the dropdown:

Screenshot of Azure AD Sign-in logs, dropdown for Legacy Authentication Clients

To filter out the brute-force login attempts, change Result type to Success. The failed legacy sign-ins are worth a separate look later: they show which accounts are being password-sprayed over these protocols, which is one more reason to block them.

This list will give you all of the sign in attempts that are using Basic Authentication. You can then use this list to identify the applications that are using Basic Authentication and update them before they get blocked:

Screenshot of Azure AD Sign-in logs for Basic Authentication

The easiest way to get these sign-ins remediated is an Azure AD Conditional Access policy that blocks legacy authentication, deployed in report-only mode first so you can see what it would have blocked. Use the list above to contact the application owners or users and get those clients moved to modern authentication before you switch the policy to enforced.
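As an added example (not from the post), here is the same search done through Microsoft Graph PowerShell and summarised per application, user and protocol, which is the list you hand to app owners. `$LegacyClients` is the set the portal groups under “Legacy Authentication Clients”; the sign-in objects in `$sample` are constructed so the summary runs offline. The live path needs the Microsoft.Graph.Reports module and the AuditLog.Read.All scope (the Reports Reader role is sufficient).

```powershell
# Added example, not from the post: summarise legacy-authentication sign-ins from Azure AD.

$LegacyClients = @(
    'Authenticated SMTP', 'AutoDiscover', 'Exchange ActiveSync', 'Exchange Online PowerShell',
    'Exchange Web Services', 'IMAP4', 'MAPI Over HTTP', 'Offline Address Book', 'Other clients',
    'Outlook Anywhere (RPC over HTTP)', 'POP3', 'Reporting Web Services'
)

function Get-LegacyAuthSummary {
    param(
        [Parameter(Mandatory)] [object[]] $SignIns,
        [switch] $IncludeFailures   # default keeps only successes (status.errorCode 0), dropping password-spray noise
    )
    $SignIns |
        Where-Object { $LegacyClients -contains $_.ClientAppUsed } |
        Where-Object { $IncludeFailures -or $_.Status.ErrorCode -eq 0 } |
        Group-Object AppDisplayName, UserPrincipalName, ClientAppUsed |
        ForEach-Object {
            $newest = ($_.Group | Sort-Object CreatedDateTime -Descending)[0]
            [pscustomobject]@{
                App       = $newest.AppDisplayName
                User      = $newest.UserPrincipalName
                Protocol  = $newest.ClientAppUsed
                SignIns   = $_.Count
                LastSeen  = $newest.CreatedDateTime
                SourceIPs = (@($_.Group.IpAddress | Sort-Object -Unique) -join ' ')
            }
        } | Sort-Object SignIns -Descending
}

# Constructed sample: a copier relaying through SMTP AUTH, a user on a legacy IMAP client, the same
# user on a modern client, and a failed IMAP attempt from an unknown address (typical spray noise).
function New-SampleSignIn($app, $user, $client, $code, $when, $ip) {
    [pscustomobject]@{
        AppDisplayName = $app; UserPrincipalName = $user; ClientAppUsed = $client
        Status = @{ ErrorCode = $code }; CreatedDateTime = [datetime]$when; IpAddress = $ip
    }
}
$sample = @(
    New-SampleSignIn 'Office 365 Exchange Online' 'copier@company.com' 'Authenticated SMTP' 0     '2023-01-10T08:00:00Z' '203.0.113.10'
    New-SampleSignIn 'Office 365 Exchange Online' 'copier@company.com' 'Authenticated SMTP' 0     '2023-01-11T08:05:00Z' '203.0.113.10'
    New-SampleSignIn 'Office 365 Exchange Online' 'bill@company.com'   'IMAP4'              0     '2023-01-12T12:30:00Z' '203.0.113.55'
    New-SampleSignIn 'Office 365 Exchange Online' 'bill@company.com'   'Mobile Apps and Desktop clients' 0 '2023-01-12T12:31:00Z' '203.0.113.55'
    New-SampleSignIn 'Office 365 Exchange Online' 'bill@company.com'   'IMAP4'              50126 '2023-01-12T03:00:00Z' '198.51.100.7'
)
Get-LegacyAuthSummary -SignIns $sample | Format-Table -AutoSize
Get-LegacyAuthSummary -SignIns $sample -IncludeFailures | Format-Table -AutoSize

# Live (last 30 days). Filtering on clientAppUsed server-side keeps the download small.
# Connect-MgGraph -Scopes 'AuditLog.Read.All'
# $since = (Get-Date).AddDays(-30).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
# $live  = foreach ($c in $LegacyClients) {
#     Get-MgAuditLogSignIn -Filter "createdDateTime ge $since and clientAppUsed eq '$c'" -All
# }
# Get-LegacyAuthSummary -SignIns $live | Export-Csv .\legacy-auth.csv -NoTypeInformation
```

Service accounts like the copier in the sample are the usual blockers: they have no interactive user to prompt, so the fix is reconfiguring the device (or its SMTP relay) rather than asking anyone to update a client.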

Discuss...

#Azure

After setting up RedCap in Azure in a previous post, I got a request to add an external person to the RedCap installation. I wanted to document what I did to make it easier for others.

To make user management easier, I created an Assigned Security Group in Azure AD titled “RedCap Users”. I then added the Group assignment to the RedCap app in Azure AD at Enterprise applications > RedCap > Users and groups > Add user/group:

Screenshot of Azure AD Enterprise Applications, Users and groups blade

After I assigned the Group to the app, I invited my external Gmail account to the Azure AD tenant at Users > New user > Invite external user:

Screenshot of Azure AD, new user create button

I added my user information, then added the account to the RedCap users group: Screenshot of Azure AD New User invite, Groups pane

After I added the account, I needed to change a setting in Azure AD to allow external Microsoft accounts to access RedCap. To do this, I changed the App Registration Manifest, found in Azure AD > App registrations > RedCap > Manifest.

I changed 2 values from the default:

  • "accessTokenAcceptedVersion": changed from null to 2
  • "signInAudience": changed from "AzureADMyOrg" to "AzureADandPersonalMicrosoftAccount"

The two go together: an app that accepts personal Microsoft accounts has to issue v2 access tokens. Be aware that AzureADandPersonalMicrosoftAccount also makes the registration multi-tenant, so any Azure AD account or personal Microsoft account can authenticate to it. The “RedCap Users” group assignment only restricts who gets in if “User assignment required?” is set to Yes under Enterprise applications > RedCap > Properties.

Screenshot of Azure AD App, Manifest file
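The same two manifest changes can be made with Microsoft Graph PowerShell, and this added example (not the post's own steps) also turns on “User assignment required” on the enterprise application so that widening the sign-in audience does not let every Microsoft account in. The app display name “RedCap” is taken from the post; the rest is assumed. It needs the Microsoft.Graph.Applications module and the Application.ReadWrite.All scope.

```powershell
# Added example, not the post's own steps: change sign-in audience and token version on the
# app registration, then require assignment on the service principal, and verify all three.

Connect-MgGraph -Scopes 'Application.ReadWrite.All'

$apps = @(Get-MgApplication -Filter "displayName eq 'RedCap'")
if ($apps.Count -ne 1) { throw "Expected exactly one app registration named RedCap, found $($apps.Count)" }
$app = $apps[0]

# Personal-account audiences require v2 access tokens, hence both changes in one call.
Update-MgApplication -ApplicationId $app.Id `
    -SignInAudience 'AzureADandPersonalMicrosoftAccount' `
    -Api @{ RequestedAccessTokenVersion = 2 }

# Authorization is enforced on the enterprise application (service principal), not the registration.
# With this set, only users and groups assigned to the app (the "RedCap Users" group) can sign in.
$sp = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'"
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AppRoleAssignmentRequired:$true

# Verify: read back what is now in the directory rather than trusting the calls above.
$reg = Get-MgApplication -ApplicationId $app.Id -Property SignInAudience, Api
$spn = Get-MgServicePrincipal -ServicePrincipalId $sp.Id -Property AppRoleAssignmentRequired
[pscustomobject]@{
    SignInAudience     = $reg.SignInAudience
    AccessTokenVersion = $reg.Api.RequestedAccessTokenVersion
    AssignmentRequired = $spn.AppRoleAssignmentRequired
}
```

In the portal the same assignment switch is Enterprise applications > RedCap > Properties > “Assignment required?”. Without it, the group you assigned is just a convenience for listing the app in My Apps, not an access control.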

After making these changes, I checked my email and completed the invitation to the Azure AD tenant:

Screenshot of an email from Azure AD inviting a user to a tenant

After going through the signup process, I see the App listed in the My Apps page for my Guest account: Screenshot of Microsoft My Apps page

After clicking through, I was able to setup my RedCap account and was authorized to login:

Screenshot of RedCap Basic User Information Form

Screenshot of RedCap Account created notification

My RedCap user account shows up as my email at tdannecy_gmail.com#ext#@DOMAIN.onmicrosoft.com, indicating that I am a Guest/External account in the tenant:

Screenshot of RedCap login information

When I login as a RedCap administrator, I can see my Guest account has been added to the Browse Users list:

Screenshot of RedCap Browse Users page

I hope this was helpful to others. It took me a bit to find the attribute I needed to change in the Manifest to get it working.

Discuss...

#Windows #Intune

A company I'm working with requested an Application Deployment of Word LTSC using a Multiple Activation Key (MAK) purchased through Volume Licensing in their Intune/Endpoint environment.

To deploy Office LTSC, you need the MAK key in hand before starting, because it goes into the install.xml that the Office Customization Tool generates, and that file is packaged into the .intunewin file. The key therefore sits in plain text inside the package, so treat the package folder and the .intunewin file as sensitive and keep them out of source control.

To keep things clean, I'm building my package at C:\temp\package

Create an XML configuration for installation using the Office Customization Tool

Open the Office Customization Tool page and begin defining your settings for deployment:

Screenshot of the Office Customization Tool

  • Products and releases

    • Architecture: 64-bit

    • Products: select the products that you want to deploy. Office Suites: I selected Office LTSC Standard 2021 - Volume License

    • Update channel: Office LTSC 2021 Perpetual Enterprise

  • Language: en-us

  • Installation

    • Where do you want to deploy Office from? Office Content Delivery Network (CDN)

    • Show installation to user: Off

    • Shut down running applications: Off

  • Update and upgrade

    • Where do you want to deploy updates from? Office Content Delivery Network (CDN)

    • Automatically check for updates: On

    • Uninstall any MSI versions of Office, including Visio and Project: Off

    • For uninstalled MSI versions of Office, install the same languages: Off

    • Automatically upgrade to the selected architecture: On

  • Licensing and activation

    • Automatically accept the EULA: On

    • Product Key: Office LTSC Standard 2021 – Volume License MAK; paste your 25-character key value here

    • Product activation: User based

  • General: customize as needed

  • Application preferences: customize as needed

Save this XML file at C:\temp\package\install.xml

Here are the contents of my file to install just Word and allow regular updating (the PIDKEY value is masked):

<Configuration ID="f42ea3d0-d7a4-46bf-8a49-594df9549b6f">
  <Add OfficeClientEdition="64" Channel="PerpetualVL2021" MigrateArch="TRUE">
    <Product ID="Standard2021Volume" PIDKEY="XXXXX-XXXXX-XXXXX-XXXXX-XXXXX">
      <Language ID="en-us" />
      <ExcludeApp ID="Excel" />
      <ExcludeApp ID="OneDrive" />
      <ExcludeApp ID="OneNote" />
      <ExcludeApp ID="Outlook" />
      <ExcludeApp ID="PowerPoint" />
      <ExcludeApp ID="Publisher" />
      <ExcludeApp ID="Teams" />
    </Product>
  </Add>
  <Property Name="SharedComputerLicensing" Value="0" />
  <Property Name="FORCEAPPSHUTDOWN" Value="FALSE" />
  <Property Name="DeviceBasedLicensing" Value="0" />
  <Property Name="SCLCacheOverride" Value="0" />
  <Property Name="AUTOACTIVATE" Value="1" />
  <Updates Enabled="TRUE" />
  <Display Level="None" AcceptEULA="TRUE" />
</Configuration>

Create an XML configuration for uninstallation

Open Notepad or another text editor like VS Code and create an XML file at the location C:\temp\package\uninstall.xml

Add the following information:

<Configuration>
    <Display Level="None" AcceptEULA="True"/>
    <Property Name="FORCEAPPSHUTDOWN" Value="True"/>
    <Remove>
        <Product ID="Standard2021Volume"> </Product>
    </Remove>
</Configuration>

Be sure to change your Product ID to match what you have in your install.xml file that was generated by the Office Customization Tool:

Screenshot of VS Code

Create an .intunewin package

To perform the next steps, you will need to download two apps, the Office Deployment Tool (ODT) and the Microsoft Win32 Content Prep Tool.

Install the Office Deployment Tool (ODT)

  1. Download the ODT from Microsoft's website and run the application: https://www.microsoft.com/en-us/download/details.aspx?id=49117
  2. You will need to select a destination to extract the files. I'm using C:\temp\
  3. When the extraction is complete, you should have 5 files in the folder: Screenshot of Windows File Explorer with the Office Deployment Tool files
  4. Move the setup.exe file to C:\temp\package\setup.exe

Use the Win32 Content Prep Tool

  1. Navigate to the Microsoft Win32 Content Prep Tool on Microsoft's GitHub site: https://github.com/microsoft/Microsoft-Win32-Content-Prep-Tool
  2. Click on the Code icon and select “Download ZIP”: Screenshot of the GitHub page for Microsoft Win32 Content Prep Tool
  3. Unzip the file in a location like C:\temp
  4. Open PowerShell or the Windows Terminal and navigate to the location by typing: cd C:\temp\Microsoft-Win32-Content-Prep-Tool-master
  5. Run the app: .\IntuneWinAppUtil.exe
  6. Make sure you have the 3 files in your C:\temp\package directory before proceeding: Screenshot of Windows File Explorer with 3 files
    • setup.exe
    • install.xml
    • uninstall.xml
  7. Fill in the prompts with the following information:
    • Please specify the source folder: C:\temp\package
    • Please specify the setup file: C:\temp\package\setup.exe
    • Please specify the output folder: C:\temp\package
    • Do you want to specify catalog folder (Y/N)? N
  8. The package will begin to build and you'll see a file created at C:\temp\package\setup.intunewin: Screenshot of Windows Terminal running the Win32 Content Prep Tool

When the process is complete, you are ready to upload the package to Intune and configure your Application Deployment.

Create an Application Deployment in Intune

  1. Navigate to the Intune/Endpoint dashboard: https://endpoint.microsoft.com/

  2. Navigate to Apps > Windows and click the “Add” button. Select “Windows app (Win32)” from the dropdown list and click the “Select” button: Screenshot of Intune dashboard, Windows App Deployment creation

  3. On the App Information tab, click “Select app package file” and upload your setup.intunewin file from C:\temp\package. Click the OK button: Screenshot of Intune dashboard, Windows App Deployment creation, App package file tab

  4. Back on the App Information tab, begin by filling in some basic information about the package and click the “Next” button when finished: Screenshot of Intune dashboard, Windows App Deployment creation, App information tab

  5. On the “Program” tab, configure the Install Command and Uninstall Command fields and leave the rest default. Click “Next” to continue: Screenshot of Intune dashboard, Windows App Deployment creation, Program tab

    • Install command: setup.exe /configure install.xml
    • Uninstall command: setup.exe /configure uninstall.xml
    • Install behavior: System
    • Device restart behavior: App install may force a device restart
  6. On the “Requirements” tab, set the following options and click Next to continue: Screenshot of Intune dashboard, Windows App Deployment creation, Requirements tab

    • Operating system architecture: Set this value based on your Office Customization Tool setting.
    • Minimum operating system: Windows 10 1607
  7. On the “Detection rules” tab, set the following options and click Next to continue: Screenshot of Intune dashboard, Windows App Deployment creation, Detection rules tab

    • Rules format: Manually configure detection rules
    • Rule type: Registry
    • Key path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\
    • Value name: 16.0
    • Detection method: Key exists
    • Associated with a 32-bit app on 64-bit clients: No

    This rule is loose: “Key exists” only tests the key path, so it is satisfied on any machine where any Office component has ever registered itself, including an old MSI install, and Intune will then report the app as installed without running setup.exe. A tighter rule is a string comparison on HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration, value ProductReleaseIds, containing your Product ID (Standard2021Volume here), or a custom detection script.
  8. Leave the “Dependencies” and “Supersedence” tabs unconfigured.

  9. On the “Assignments” tab, select the group you want to target for deployment or uninstallation.

  10. Double check the options on the “Review + create” tab and then click “Create” to begin uploading your package.

After the application is uploaded, your deployment will begin: Screenshot of Intune Application Deployment

setup.exe always downloads the current build of the channel named in install.xml (PerpetualVL2021 here) from the Office CDN, and install.xml also decides whether the installed apps keep updating afterwards. If you need to push a different product or suite (e.g. Standard versus ProPlus), you will need to change the XML, repackage, and deploy again.
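As an added example (not from the post), here is a custom detection script for the “Use a custom detection script” rules format that is tighter than the registry rule above: it checks the Click-to-Run configuration that setup.exe writes for the exact Product ID from install.xml, a minimum build, and that WINWORD.EXE actually landed. Intune treats “something written to STDOUT and exit code 0” as detected; anything else means not installed. The Product ID is from the post's install.xml, `$MinVersion` is an assumed floor to replace with the build you packaged. Because the Click-to-Run keys live in the native 64-bit hive, set “Run script as 32-bit process on 64-bit clients” to No when you add the script, otherwise the registry path is silently redirected to WOW6432Node and detection fails.

```powershell
# Added example, not from the post: Intune custom detection script for the Office LTSC package.
# Detected = writes to STDOUT and exits 0. Not detected = exits non-zero (or writes nothing).

$ProductId  = 'Standard2021Volume'           # must match <Product ID="..."> in install.xml
$MinVersion = [version]'16.0.14332.20000'    # assumed floor; set to the build you deployed

$c2r = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
if (-not (Test-Path $c2r)) { exit 1 }        # no Click-to-Run Office at all (MSI Office does not write this key)

$cfg = Get-ItemProperty -Path $c2r
$ids = @("$($cfg.ProductReleaseIds)" -split ',' | ForEach-Object Trim)
if ($ids -notcontains $ProductId) { exit 1 } # some other suite (e.g. ProPlus) is installed, not ours

$installed = $null
if (-not [version]::TryParse("$($cfg.VersionToReport)", [ref]$installed)) { exit 1 }
if ($installed -lt $MinVersion) { exit 1 }   # present but older than what we packaged; let Intune reinstall

# install.xml excluded everything except Word, so confirm the one app we shipped is really there.
$word = Join-Path "$($cfg.InstallationPath)" 'root\Office16\WINWORD.EXE'
if (-not (Test-Path $word)) { exit 1 }

Write-Output "Detected $ProductId $installed at $($cfg.InstallationPath)"
exit 0
```

The version floor is what makes the uninstall-and-reinstall cycle work: when you repackage with a newer build and raise `$MinVersion`, devices on the old build fall out of “installed” and pick up the new package without you having to create a separate app.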

I hope this is helpful to someone and I wanted to write my steps down in case I have to go back and fix something later.

Discuss...
