Tim D'Annecy

tdannecy@gmail.com

#Windows #Azure #AVD

Recently, a company I work with requested a way for users to access a web app that they were hosting on-premises, but didn't want to open up connections to the app to the internet. The app is out of support from the vendor and can't be opened outside of their secure network.

We planned to allow access to the app by instructing users to connect over a VPN, but we found this would be a hassle for users, as they would need to install the VPN client, connect to the VPN, and then launch a browser to access the app. In this case, the site also requires IE11 with a custom extension to be installed. These requirements just to access a single site really made it a headache for users and the Helpdesk received regular tickets from staff who had issues accessing the site.

Instead of the VPN approach, we deployed a Microsoft Edge shortcut in Azure Virtual Desktop. This approach has advantages because it allows users to launch a browser window and jump onto the network that the Host Pool is connected to. If you have your networking configured correctly in Azure, you can access internal sites and apps without going over the internet directly from the client PC. This also allows you to control the browser version and other settings that are configured in the Host Pool. If paired with Intune policies, you can define the browser settings and extensions that are available to users and require certain sites to open in Internet Explorer Compatibility Mode. This could be helpful if you have a legacy app that only works in IE11 and requires a specific extension to be installed.

In this post, I'll show you how to deploy a Microsoft Edge shortcut in Azure Virtual Desktop.

To start, you must have an existing Azure Virtual Desktop deployment set up with Host Pools and a Workspace. You'll also need at least Contributor access to the Resource Group you're working in.

Create a new Application Group in Azure Virtual Desktop.

On the Basics tab, make the following changes:

  • Subscription and Resource group – Set for your AVD environment.
  • Host Pool – Select the Host Pool you want to deploy the shortcut to.
  • Application group type – Remote App (RAIL)
  • Application Group name – Something like BrowserShortcuts

Screenshot of Azure Application Group creation wizard, Basics tab

On the Applications tab, click the “Add applications” button and set the following properties:

  • Application source: File path
  • Application path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  • Application name: Your shortcut name
  • Display name: Your shortcut name
  • Icon path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  • Icon index: 0
  • Description:
  • Require command line: Yes
  • Command line: http://google.com/

Screenshot of Azure Application Group creation wizard, Applications tab

If you want multiple tabs to open, separate the URLs with a space. For example, http://google.com/ http://bing.com/

Screenshot of the Application Group settings

On the Assignments tab, select your user or group:

Screenshot of the Application Group settings

On the Workspace tab, change the “Register application group” to “Yes” and you should already have an application group assigned.

Screenshot of the Application Group settings

You can leave the Advanced and Tags tabs as default.

After saving the Application Group, you should see the shortcut in the Azure Virtual Desktop client in a few minutes. You may need to click the Refresh button to force it to update:

Screenshot of Azure Virtual Desktop, showing the new shortcut

These steps allow you to deploy secure web apps inside your AVD deployment. Whether you're connecting to a legacy web app that you're hosting on prem or you have specific application or environment requirements that you need to meet, this is a great way to provide access to your users without having to jump through hoops.

If you combine this Edge shortcut with Intune policies that require Edge to open certain sites in Internet Explorer Compatibility Mode, you can ensure your users can easily access apps and sites quickly without compromising your secure internal network.

#Windows #Azure #AVD #Intune

I recently had an issue with an Azure AD Joined host pool in Azure Virtual Desktop where users could not successfully log in using their Azure AD credentials.

In our environment, both the client computer and the Azure Virtual Desktop host computer are Azure AD Joined. The user was able to log in to their Azure AD Joined computer, but when they tried to log in to the Azure Virtual Desktop host computer, they would get an error message:

Couldn't connect. Something went wrong when we tried to connect. If this keeps happening, ask your admin or tech support for help. Error code: 0x9735 Extended error code: 0x0 Activity ID: {e194ae11-b2ed-4d33-9520-c1d5ed140000}

Screenshot of error message

The error message the users received came after a loop of unsuccessful logins using a combo of azuread\user or user@domain.com that would say “Establishing Connection”, “Configuring Gateway”, “Securing connection to remote PC” and then fail with the following error: “The username and password used to connect to the remote resource didn't work. Enter a different account and try again.”

Screenshot of error message

As a note: Connections to Host Pools in a different AVD environment that are joined to Active Directory work fine. The issue seems to occur when the client computer and the AVD host computer are Azure AD Joined.

As of February 2023, the official Microsoft package for the Remote Desktop app in the Microsoft Store installs an old version, 10.2.3000.0, that has bugs connecting to Azure AD Joined Azure Virtual Desktop Host Pools. This buggy version impacted our organization because we deploy the Microsoft Remote Desktop app using an Application Deployment in Intune. We've tested this issue using the Microsoft Store for Business, Microsoft Store (Legacy), and the new Microsoft Store (WinGet) deployments; all of them have the same issue and run the same version:

Screenshot of Microsoft Store, Microsoft Remote Desktop app page

The workaround for this error is to uninstall the Microsoft Store version of the application and install the latest version of the Remote Desktop app from the Microsoft website at this link: https://learn.microsoft.com/en-us/azure/virtual-desktop/whats-new-client-windows

I manually installed Public Release version 1.2.3918.0 and it fixed my connectivity issues. To get this rolled out to your Intune devices, you will need to package the MSI file from the Microsoft website and deploy it using an Application Deployment in Intune.

Screenshot of Microsoft Remote Desktop app version 1.2.3918.0

I hope this helps someone else who is having this issue. Microsoft should really update the Microsoft Store version of the Remote Desktop app to the latest version to avoid this issue.

#Netsuite

I recently had a request to make expense reporting easier for a finance department. They wanted an easier way to get their employees' reported expenses into Netsuite and associate them to an expense report without a lot of manual entry. The process they were using required the employee to email receipts to the finance department, then someone would take time out of their day to manually enter the expenses one-by-one into Netsuite. This was a time consuming process and prone to errors.

To make things easier, I created a CSV import that would allow them to import expenses in bulk and then review them before submitting the expense report.

CSV file template

The process begins by creating a CSV file with the following columns:

EXTERNAL ID,EMPLOYEE,STATUS,DATE,AMOUNT,FOREIGN AMOUNT,CURRENCY,EXCHANGE RATE,EXPENSE CATEGORY,MEMO,SOURCE TYPE,IMPORT TYPE,CARD CURRENCY,CORPORATE CARD
20230202-01,Jane Doe,Ready,1/31/2023,12345.67,,USD,,CC – Printing and Copying,Test,Visa,,USD,
20230202-02,Guy Person,Ready,2/1/2023,5555.11,,USD,,CC – Postage and Delivery,Test 2,American Express,,USD,TRUE
20230202-03,Tim Kavaklian-D'Annecy,Ready,2/2/2023,987.65,,USD,,CC – Travel-Airfare,Test 3,Mastercard,,USD,

Screenshot of Excel, Netsuite transactions import template

Save the CSV somewhere on your computer and open it in Excel. The first row is the header row and the rows below it are examples of the data that needs to be entered.

The values for these columns come from Netsuite, and you will need to copy and paste the valid entries into the CSV for it to be imported correctly:

  • External ID – This needs to be a unique value. I recommend using the date with a number (e.g. 20230202-01).
  • Employee – This needs to be a name from the “Employees” page.
  • Status – For you to add it to an Expense Report, this value needs to be set to “Ready”.
  • Date – Format is mm/dd/yyyy (e.g. 02/02/2023).
  • Amount – No currency indicator, just raw number (e.g. 123.45)
  • Foreign amount – I left this value blank.
  • Currency – This needs to be set as a valid currency. In the Sandbox, USA is the currency. This is found under Lists > Accounting > Currencies.
  • Exchange rate – I left this value blank.
  • Expense category – This value needs to be set as one of the named categories under Setup > Accounting > Expense Categories (e.g. CC – Printing and Copying).
  • Memo – This field can be blank or a short description.
  • Source Type – This needs to be set as a value from Setup > Accounting > Accounting Lists > Type: Payment Method (e.g. American Express, Visa)
  • Import Type – I left this field blank.
  • Card Currency – This needs to be set as a valid currency. In the Sandbox, USA is the currency. This is found under Lists > Accounting > Currencies.
  • Corporate Card – This can be set as “True” or “False”.
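As an added example (not from the original post), here is a Python check that applies the rules above to the CSV before you upload it, so rows the import job would reject can be fixed in Excel first. The reference lists are assumptions standing in for the values on your own Employees, Currencies, Expense Categories and Payment Method pages.

```python
import csv
import io
from datetime import datetime
from decimal import Decimal, InvalidOperation

# Column order of the template from the post.
COLUMNS = ["EXTERNAL ID", "EMPLOYEE", "STATUS", "DATE", "AMOUNT", "FOREIGN AMOUNT",
           "CURRENCY", "EXCHANGE RATE", "EXPENSE CATEGORY", "MEMO", "SOURCE TYPE",
           "IMPORT TYPE", "CARD CURRENCY", "CORPORATE CARD"]

# Reference lists. In practice copy these from the Netsuite pages named in the post
# (Employees, Lists > Accounting > Currencies, Setup > Accounting > Expense Categories,
# Accounting Lists > Payment Method). The values below are assumptions for this example.
VALID_EMPLOYEES = {"Jane Doe", "Guy Person", "Tim Kavaklian-D'Annecy"}
VALID_CURRENCIES = {"USD"}
VALID_CATEGORIES = {"CC – Printing and Copying", "CC – Postage and Delivery", "CC – Travel-Airfare"}
VALID_PAYMENT_METHODS = {"Visa", "American Express", "Mastercard"}

# Constructed sample: the three rows from the post's template.
SAMPLE_CSV = """EXTERNAL ID,EMPLOYEE,STATUS,DATE,AMOUNT,FOREIGN AMOUNT,CURRENCY,EXCHANGE RATE,EXPENSE CATEGORY,MEMO,SOURCE TYPE,IMPORT TYPE,CARD CURRENCY,CORPORATE CARD
20230202-01,Jane Doe,Ready,1/31/2023,12345.67,,USD,,CC – Printing and Copying,Test,Visa,,USD,
20230202-02,Guy Person,Ready,2/1/2023,5555.11,,USD,,CC – Postage and Delivery,Test 2,American Express,,USD,TRUE
20230202-03,Tim Kavaklian-D'Annecy,Ready,2/2/2023,987.65,,USD,,CC – Travel-Airfare,Test 3,Mastercard,,USD,
"""

# Constructed sample with mistakes the import job would reject: a reused External ID,
# a status other than Ready, an ISO date, a currency symbol in the amount, an unknown
# category and a Corporate Card value that is neither True nor False.
BAD_CSV = SAMPLE_CSV + "20230202-01,Jane Doe,Pending,2023-02-03,$12.00,,USD,,Lunch,Test 4,Visa,,USD,maybe\n"


def validate_rows(text):
    """Return (external_id, message) pairs for every rule a row breaks; empty means importable."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        return [("<header>", "missing columns: " + ", ".join(missing))]

    problems = []
    seen_ids = set()
    for row in reader:
        ext_id = row["EXTERNAL ID"].strip()
        row_problems = []
        if not ext_id:
            row_problems.append("EXTERNAL ID is blank")
        elif ext_id in seen_ids:
            row_problems.append("EXTERNAL ID is not unique")
        seen_ids.add(ext_id)
        if row["EMPLOYEE"] not in VALID_EMPLOYEES:
            row_problems.append("EMPLOYEE is not a name from the Employees page")
        if row["STATUS"] != "Ready":
            row_problems.append("STATUS must be Ready to add the line to an Expense Report")
        try:
            datetime.strptime(row["DATE"], "%m/%d/%Y")
        except ValueError:
            row_problems.append("DATE must be mm/dd/yyyy")
        try:
            if Decimal(row["AMOUNT"]) <= 0:
                row_problems.append("AMOUNT must be positive")
        except InvalidOperation:
            row_problems.append("AMOUNT must be a raw number with no currency indicator")
        for col in ("CURRENCY", "CARD CURRENCY"):
            if row[col] not in VALID_CURRENCIES:
                row_problems.append(col + " is not a currency from Lists > Accounting > Currencies")
        if row["EXPENSE CATEGORY"] not in VALID_CATEGORIES:
            row_problems.append("EXPENSE CATEGORY is not a named Expense Category")
        if row["SOURCE TYPE"] not in VALID_PAYMENT_METHODS:
            row_problems.append("SOURCE TYPE is not a Payment Method")
        if row["CORPORATE CARD"].upper() not in ("", "TRUE", "FALSE"):
            row_problems.append("CORPORATE CARD must be True or False")
        problems.extend((ext_id, msg) for msg in row_problems)
    return problems


if __name__ == "__main__":
    for ext_id, msg in validate_rows(BAD_CSV):
        print(ext_id, "-", msg)
```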

CSV Import setup

After filling in the information in the CSV file, navigate in Netsuite to Setup > Import/Export > Import CSV Records.

In the Import Assistant, set the “Import Type” to Employees and the “Record Type” to Imported Employee Expenses. Change the CSV file location to your imported file then click the Next button:

If you don't have an “Imported Employee Expenses” item, you will need to enable this feature first.

Screenshot of Netsuite, CSV Import Assistant wizard

Leave the Import Option as “Add” and click the Next button:

Screenshot of Netsuite, CSV Import Assistant wizard

On the Field Mapping page, leave the values as default and click the Next button:

Screenshot of Netsuite, CSV Import Assistant wizard

On the “Save mapping…” page, hover over the dropdown arrow and click “Run”:

Screenshot of Netsuite, CSV Import Assistant wizard

The job will begin to import. Click on the “Import Job Status” link to view the progress:

Screenshot of Netsuite, CSV Import Assistant wizard

The MESSAGE column will indicate any issues with your import. Click the “CSV Response” link to download a report:

Screenshot of Netsuite, CSV Import Assistant wizard, Job Status page

These records will need to be re-imported once remediated:

Screenshot of Excel, showing Netsuite Expense Import results

Associating Employee Expenses with Expense Reports

Back in Netsuite, once you have all of the records re-imported, navigate to Transactions > Employees > Imported Employee Expenses. Choose the Employee from the dropdown or select “-All-” and add more filters. Select the items you want to import, then click the “Add to New Expense Report” button:

Screenshot of Netsuite, Imported Employee Expenses page

From there, you can see the imported Expenses at the bottom of the page and submit the report:

Screenshot of Netsuite, Expense Report

A note about permissions

I created this report and can run it with the Administrator Role.

If you want to allow your users to access this report, you will need to make the visibility “Public”.

Additionally, update each user's Employee page under Access > Global Permissions > Imported Employee Expenses. I set this value to “Full”, but you might be able to just set it to “Create”:

Screenshot of Netsuite, Employee page, Access tab, Global Permissions sublist

Conclusion

I wanted to write this up as a blog post because I think it's a good example of how you can use the CSV import feature to make your life easier.

I also wanted to write this down because Netsuite is overly complicated and there is no free training available. I'm sure someone else has had this same issue and is looking for a solution.

#Exchange #AzureAD

Microsoft has announced several times that they are deprecating Basic Authentication for Exchange Online soon, possibly this month (January 2023).

A recent post has information about the deprecation and how to prepare for it.

I wanted to write down how to identify any Basic Authentication usage in your environment from that post and simplify it to just a few clicks. This is a good way to identify any applications that are using Basic Authentication and need to be updated before they get blocked.

Navigate to the Azure AD portal and sign in to Azure AD with an account that has Global Administrator permissions.

Select Azure Active Directory > Sign-in logs:

Screenshot of Azure AD dashboard

Add some filters in the top bar, specifying the time range you want to search. For Client app, select all options that are under the “Legacy Authentication Clients” section of the dropdown:

Screenshot of Azure AD Sign-in logs, dropdown for Legacy Authentication Clients

To filter out the brute force login attempts, change Result type to Success.

This list will give you all of the sign-in attempts that use Basic Authentication. You can then use this list to identify the applications that are using Basic Authentication and update them before they get blocked:

Screenshot of Azure AD Sign-in logs for Basic Authentication
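Added example, not part of the original post: the same two filters applied in Python to an exported set of sign-in records (a constructed sample in the field layout of a Microsoft Graph sign-in export), grouped so each row names an application, a protocol and the users still on it. The legacy client app names are assumed to match the portal's Legacy Authentication Clients section; compare them against your own dropdown.

```python
import json
from collections import defaultdict

# Client app values listed under "Legacy Authentication Clients" in the sign-in log filter
# (reproduced here as an assumption; check them against your portal).
LEGACY_CLIENT_APPS = {
    "Authenticated SMTP", "Autodiscover", "Exchange ActiveSync", "Exchange Online PowerShell",
    "Exchange Web Services", "IMAP4", "MAPI Over HTTP", "Offline Address Book", "Other clients",
    "Outlook Anywhere (RPC over HTTP)", "POP3", "Reporting Web Services", "SMTP",
    "Universal Outlook",
}

# Constructed sample records in the shape of a Microsoft Graph /auditLogs/signIns export
# (only the fields used below). Names, addresses and times are made up.
SAMPLE_SIGNINS = json.loads("""[
 {"createdDateTime": "2023-01-09T08:01:00Z", "userPrincipalName": "jane@contoso.example",
  "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "IMAP4",
  "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
 {"createdDateTime": "2023-01-09T08:05:00Z", "userPrincipalName": "jane@contoso.example",
  "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "IMAP4",
  "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
 {"createdDateTime": "2023-01-09T09:12:00Z", "userPrincipalName": "jane@contoso.example",
  "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "POP3",
  "ipAddress": "198.51.100.77", "status": {"errorCode": 50126}},
 {"createdDateTime": "2023-01-09T10:30:00Z", "userPrincipalName": "scanner@contoso.example",
  "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Authenticated SMTP",
  "ipAddress": "192.0.2.25", "status": {"errorCode": 0}},
 {"createdDateTime": "2023-01-09T11:00:00Z", "userPrincipalName": "bob@contoso.example",
  "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Browser",
  "ipAddress": "203.0.113.44", "status": {"errorCode": 0}},
 {"createdDateTime": "2023-01-09T11:45:00Z", "userPrincipalName": "bob@contoso.example",
  "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Exchange ActiveSync",
  "ipAddress": "203.0.113.44", "status": {"errorCode": 0}},
 {"createdDateTime": "2023-01-09T23:59:00Z", "userPrincipalName": "jane@contoso.example",
  "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "IMAP4",
  "ipAddress": "198.51.100.77", "status": {"errorCode": 50053}}
]""")


def is_legacy(record):
    """Client app filter: the record used one of the legacy (Basic Auth) protocols."""
    return record.get("clientAppUsed") in LEGACY_CLIENT_APPS


def succeeded(record):
    """Result type = Success in the portal corresponds to errorCode 0 in the export."""
    return (record.get("status") or {}).get("errorCode") == 0


def successful_legacy_signins(records):
    """Apply the post's two filters: legacy client app AND successful result."""
    return [r for r in records if is_legacy(r) and succeeded(r)]


def summarize(records):
    """Group hits by (application, protocol) so each row maps to an owner to contact.

    Returns {(appDisplayName, clientAppUsed): {"count": n, "users": set, "sources": set}}.
    """
    summary = defaultdict(lambda: {"count": 0, "users": set(), "sources": set()})
    for r in successful_legacy_signins(records):
        entry = summary[(r.get("appDisplayName"), r["clientAppUsed"])]
        entry["count"] += 1
        entry["users"].add(r.get("userPrincipalName"))
        entry["sources"].add(r.get("ipAddress"))
    return dict(summary)


def failed_legacy_attempts(records):
    """Count the legacy attempts the Result type filter hides (password-guessing noise)."""
    return sum(1 for r in records if is_legacy(r) and not succeeded(r))


if __name__ == "__main__":
    for (app, protocol), entry in sorted(summarize(SAMPLE_SIGNINS).items()):
        print(f"{app} / {protocol}: {entry['count']} sign-ins by {sorted(entry['users'])}")
    print("filtered-out failed legacy attempts:", failed_legacy_attempts(SAMPLE_SIGNINS))
```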

The easiest way to get these logins remediated is to implement an Azure AD Conditional Access policy that blocks or audits Basic Authentication. You can then use this information and contact the application owners or users to get these methods updated.

#Azure

After setting up RedCap in Azure in a previous post, I got a request to add an external person to the RedCap installation. I wanted to document what I did to make it easier for others.

To make user management easier, I created an Assigned Security Group in Azure AD titled “RedCap Users”. I then added the Group assignment to the RedCap app in Azure AD at Enterprise applications > RedCap > Users and groups > Add user/group:

Screenshot of Azure AD Enterprise Applications, Users and groups blade

After I assigned the Group to the app, I invited my external Gmail account to the Azure AD tenant at Users > New user > Invite external user:

Screenshot of Azure AD, new user create button

I added my user information, then added the account to the RedCap users group:

Screenshot of Azure AD New User invite, Groups pane

After I added the account, I needed to change the setting in Azure AD to allow external Microsoft accounts to access RedCap. To do this, I needed to change the App Registration Manifest, found in Azure AD > App registrations > RedCap > Manifest.

I changed 2 values from the default:

  • "accessTokenAcceptedVersion": changed from null to 2
  • "signInAudience": changed from "AzureADMyOrg" to "AzureADandPersonalMicrosoftAccount"

Screenshot of Azure AD App, Manifest file

Screenshot of Azure AD App, Manifest file

After making these changes, I checked my email and completed the invitation to the Azure AD tenant:

Screenshot of an email from Azure AD inviting a user to a tenant

After going through the signup process, I see the App listed in the My Apps page for my Guest account:

Screenshot of Microsoft My Apps page

After clicking through, I was able to set up my RedCap account and was authorized to log in:

Screenshot of RedCap Basic User Information Form

Screenshot of RedCap Account created notification

My RedCap user account shows up as my email at tdannecy_gmail.com#ext#@DOMAIN.onmicrosoft.com, indicating that I am a Guest/External account in the tenant:

Screenshot of RedCap login information

When I log in as a RedCap administrator, I can see my Guest account has been added to the Browse Users list:

Screenshot of RedCap Browse Users page

I hope this was helpful to others. It took me a bit to find the attribute I needed to change in the Manifest to get it working.

#Windows #Intune

A company I'm working with requested an Application Deployment of Word LTSC using a Multiple Activation Key (MAK) purchased through Volume Licensing in their Intune/Endpoint environment.

To deploy Office LTSC, I needed to have the MAK key in hand before starting this process, as you'll need it when zipping up the .intunewin package.

To keep things clean, I'm building my package at C:\temp\package

Create an XML configuration for installation using the Office Customization Tool

Open the Office Customization Tool page and begin defining your settings for deployment:

Screenshot of the Office Customization Tool

  • Products and releases
    • Architecture: 64-bit
    • Products: Select the products that you want to deploy.
    • Office Suites: I selected Office LTSC Standard 2021 - Volume License
    • Update Channel:
    • Select the update channel: Office LTSC 2021 Perpetual Enterprise
  • Language
  • Installation
    • Installation options
    • Where do you want to deploy Office from? Office Content Delivery Network (CDN)
    • Show installation to user: Off
    • Shut down running applications: Off
  • Update and upgrade
    • Update and upgrade options
    • Where do you want to deploy updates from? Office Content Delivery Network (CDN)
    • Automatically check for updates On
    • Upgrade options
    • Uninstall any MSI versions of Office, including Visio and Project Off
    • For uninstalled MSI versions of Office, install the same languages Off
    • Automatically upgrade to the selected architecture On
  • Licensing and activation
    • Automatically accept the EULA On
    • Product Key
    • Office LTSC Standard 2021 – Volume License MAK and paste in your 25-character key value here.
    • Product activation
    • User based
  • General
    • Customize as needed.
  • Application preferences
    • Customize as needed.

Save this XML file at C:\temp\package\install.xml

Here are the contents of my file to just install Word and allow regular updating:

<Configuration ID="f42ea3d0-d7a4-46bf-8a49-594df9549b6f">
  <Add OfficeClientEdition="64" Channel="PerpetualVL2021" MigrateArch="TRUE">
    <Product ID="Standard2021Volume" PIDKEY="XXXXX-XXXXX-XXXXX-XXXXX-XXXXX">
      <Language ID="en-us" />
      <ExcludeApp ID="Excel" />
      <ExcludeApp ID="OneDrive" />
      <ExcludeApp ID="OneNote" />
      <ExcludeApp ID="Outlook" />
      <ExcludeApp ID="PowerPoint" />
      <ExcludeApp ID="Publisher" />
      <ExcludeApp ID="Teams" />
    </Product>
  </Add>
  <Property Name="SharedComputerLicensing" Value="0" />
  <Property Name="FORCEAPPSHUTDOWN" Value="FALSE" />
  <Property Name="DeviceBasedLicensing" Value="0" />
  <Property Name="SCLCacheOverride" Value="0" />
  <Property Name="AUTOACTIVATE" Value="1" />
  <Updates Enabled="TRUE" />
  <Display Level="None" AcceptEULA="TRUE" />
</Configuration>

Create an XML configuration for uninstallation

Open Notepad or another text editor like VS Code and create an XML file at the location C:\temp\package\uninstall.xml

Add the following information:

<Configuration>
    <Display Level="None" AcceptEULA="True"/>
    <Property Name="FORCEAPPSHUTDOWN" Value="True"/>
    <Remove>
        <Product ID="Standard2021Volume"> </Product>
    </Remove>
</Configuration>

Be sure to change your Product ID to match what you have in your install.xml file that was generated by the Office Customization Tool:

Screenshot of VS Code
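Added example (not from the post): a Python check that parses install.xml and uninstall.xml, confirms the Remove block's Product ID matches what the Add block installs, and catches a file that is not well-formed before it gets packaged. The file contents are constructed copies of the ones above with a placeholder key.

```python
import xml.etree.ElementTree as ET

# Constructed versions of the two files from the post; the PIDKEY is a placeholder, not a real MAK.
INSTALL_XML = """<Configuration>
  <Add OfficeClientEdition="64" Channel="PerpetualVL2021" MigrateArch="TRUE">
    <Product ID="Standard2021Volume" PIDKEY="XXXXX-XXXXX-XXXXX-XXXXX-XXXXX">
      <Language ID="en-us" />
      <ExcludeApp ID="Excel" />
      <ExcludeApp ID="Outlook" />
    </Product>
  </Add>
  <Property Name="FORCEAPPSHUTDOWN" Value="FALSE" />
  <Updates Enabled="TRUE" />
  <Display Level="None" AcceptEULA="TRUE" />
</Configuration>"""

UNINSTALL_XML = """<Configuration>
    <Display Level="None" AcceptEULA="True"/>
    <Property Name="FORCEAPPSHUTDOWN" Value="True"/>
    <Remove>
        <Product ID="Standard2021Volume"> </Product>
    </Remove>
</Configuration>"""

# Two constructed mistakes a hand-edited uninstall.xml can contain: a Product ID that does not
# match install.xml, and a doubled quote that makes the file not well-formed.
WRONG_PRODUCT_XML = UNINSTALL_XML.replace("Standard2021Volume", "ProPlus2021Volume")
NOT_WELL_FORMED_XML = UNINSTALL_XML.replace('Name="FORCEAPPSHUTDOWN"', 'Name=""FORCEAPPSHUTDOWN"')


def product_ids(xml_text, path):
    """Return the Product ID values under the given path (./Add/Product or ./Remove/Product)."""
    root = ET.fromstring(xml_text)
    return {p.get("ID") for p in root.findall(path) if p.get("ID")}


def check_pair(install_xml, uninstall_xml):
    """Return a list of problems; an empty list means uninstall.xml matches install.xml."""
    try:
        installed = product_ids(install_xml, "./Add/Product")
        removed = product_ids(uninstall_xml, "./Remove/Product")
    except ET.ParseError as exc:
        return [f"XML does not parse: {exc}"]
    problems = []
    if not removed:
        problems.append("uninstall.xml has no <Remove><Product ID=...> element")
    for pid in sorted(removed - installed):
        problems.append(f"uninstall.xml removes {pid!r}, which install.xml never adds")
    for pid in sorted(installed - removed):
        problems.append(f"install.xml adds {pid!r}, which uninstall.xml does not remove")
    # The post's uninstall file forces running Office apps closed; keep that setting.
    shutdown = ET.fromstring(uninstall_xml).find("./Property[@Name='FORCEAPPSHUTDOWN']")
    if shutdown is None or shutdown.get("Value", "").upper() != "TRUE":
        problems.append("uninstall.xml should set FORCEAPPSHUTDOWN to True")
    return problems


if __name__ == "__main__":
    for name, text in [("good", UNINSTALL_XML), ("wrong id", WRONG_PRODUCT_XML),
                       ("not well-formed", NOT_WELL_FORMED_XML)]:
        print(name, "->", check_pair(INSTALL_XML, text) or "ok")
```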

Create an .intunewin package

To perform the next steps, you will need to download two apps, the Office Deployment Tool (ODT) and the Microsoft Win32 Content Prep Tool.

Install the Office Deployment Tool (ODT)

  1. Download the ODT from Microsoft's website and run the application: https://www.microsoft.com/en-us/download/details.aspx?id=49117
  2. You will need to select a destination to extract the files. I'm using C:\temp\
  3. When the extraction is complete, you should have 5 files in the folder:
     Screenshot of Windows File Explorer, Office Deployment Tool files
  4. Move the setup.exe file to C:\temp\package\setup.exe

Use the Win32 Content Prep Tool

  1. Navigate to the Microsoft Win32 Content Prep Tool from Microsoft's Github site: https://github.com/microsoft/Microsoft-Win32-Content-Prep-Tool
  2. Click on the Code icon and select “Download Zip”:
     Screenshot of the Github page for Microsoft Win32 Content Prep Tool
  3. Unzip the file in a location like C:\temp
  4. Open PowerShell or the Windows Terminal and navigate to the location by typing: cd C:\temp\Microsoft-Win32-Content-Prep-Tool-master
  5. Run the app “IntuneWinAppUtil.exe”
  6. Make sure you have the 3 files in your C:\temp\package directory before proceeding:
     Screenshot of Windows File Explorer with 3 files
    • setup.exe
    • install.xml
    • uninstall.xml
  7. Fill in the prompts with the following information:
    • Please specify the source folder: C:\temp\package
    • Please specify the setup file: C:\temp\package\setup.exe
    • Please specify the output folder: C:\temp\package
    • Do you want to specify catalog folder (Y/N)? N
  8. The package will begin to build and you'll see a file created at C:\temp\package\setup.intunewin:
     Screenshot of Windows Terminal running Win32 Content Prep Tool

When the process is complete, you are ready to upload the package to Intune and configure your Application Deployment.

Create an Application Deployment in Intune

  1. Navigate to the Intune/Endpoint dashboard: https://endpoint.microsoft.com/

  2. Navigate to Apps > Windows and click the “Add” button. Select “Windows app (Win 32)” from the dropdown list and click the “Select” button:
     Screenshot of Intune dashboard, Windows App Deployment creation

  3. On the App Information tab, click “Select app package file” and upload your setup.intunewin file from C:\temp\package. Click the OK button:
     Screenshot of Intune dashboard, Windows App Deployment creation, App package file tab

  4. Back on the App Information tab, begin by filling in some basic information about the package and click the “Next” button when finished:
     Screenshot of Intune dashboard, Windows App Deployment creation, App information tab

  5. On the “Program” tab, configure the Install Command and Uninstall Command fields and leave the rest default. Click “Next” to continue:
     Screenshot of Intune dashboard, Windows App Deployment creation, Program tab

    • Install command: setup.exe /configure install.xml
    • Uninstall command: setup.exe /configure uninstall.xml
    • Install behavior: System
    • Device restart behavior: App install may force a device restart
  6. On the “Requirements” tab, set the following options and click Next to continue:
     Screenshot of Intune dashboard, Windows App Deployment creation, Requirements tab

    • Operating system architecture: Set this value based on your Office Customization Tool setting.
    • Minimum operating system: Windows 10 1607
  7. On the “Detection rules” tab, set the following options and click Next to continue:
     Screenshot of Intune dashboard, Windows App Deployment creation, Detection rules tab

    • Rules format: Manually configure detection rules
    • Rule type: Registry
    • Key path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Office\
    • Value name: 16.0
    • Detection method: Key exists
    • Associated with a 32-bit app on 64-bit clients: No
  8. Leave the “Dependencies” and “Supersedence” tabs unconfigured.

  9. On the “Assignments” tab, select the group you want to target for deployment or uninstallation.

  10. Double check the options on the “Review + create” tab and then click “Create” to begin uploading your package.

After the application is uploaded, your deployment will begin:

Screenshot of Intune Application Deployment

The setup.exe package will always pull the latest version of Office from Microsoft, but your install.xml file determines whether the applications will be automatically updated. If you need to push a new version or a different version (e.g. Standard or ProPlus), you may need to repackage and deploy again.

I hope this is helpful to someone and I wanted to write my steps down in case I have to go back and fix something later.

#Azure

I recently got a trial of Lucidscale, a tool that can ingest your Azure environment and automatically create a resource visualization diagram.

I am pretty happy with the product and will recommend that my company purchase it for client work.

I wanted to detail the setup process in Azure so it's easy to use.

To get Lucidscale to interact with your Azure subscription, you will need to be a Global Administrator. To try Lucidscale, you will need a trial. Once you have that set up, you can continue to configure it.

First, navigate to the main Lucid website and click New > Lucidscale > Azure Model:

Screenshot of Lucid New menu

We will need to configure the subscription information to connect into Azure. Click “Open Data hub to Import Subscriptions”:

Screenshot of Lucidscale Azure subscription setup screen

Click “New Subscription”:

Screenshot of Lucidscale Subscriptions tab

You can automate using an Azure CLI script, but for now let's set it up manually. Click “Azure AD Application”:

Screenshot of LucidScale - New Azure Subscription page

Now, we are ready to configure your Azure environment to allow access to the tool. Open a new tab and navigate to Azure Active Directory. Click “App registrations” and then click “New registration”:

Screenshot of Azure Active Directory, App Registration blade

Inside the wizard, type the name you want to use and then click “Register”. Leave the other options on the default setting:

Screenshot of Azure Active Directory, App Registration wizard

After registering the app, open the configuration settings inside Azure AD. Navigate to the “Overview” blade and copy and paste the Application (client) ID and Directory (tenant) ID over into the Lucidscale setup page:

Screenshot of Lucidscale Azure subscription setup and Azure AD App Registration Overview tab

After pasting in that info, navigate to the “Certificates & secrets” blade in Azure AD and click the “Client secrets” tab. Click “New client secret”. Fill in a name and click “Add”:

Once you've created the secret, copy and paste the “Value” of the client secret from the Azure AD page into the “Client Secret” box in Lucid:

After pasting in the three required values, enter an Application name in Lucid. I named mine after the client company.

Now, we will need to give permissions to the App Registration so that it can read the Azure environment. Navigate to the Subscription blade in Azure and click on the one you want to use. Click on the “Access control (IAM)” blade, then click “Add > Add custom role”:

Screenshot of Azure Subscription blade, Access Control IAM tab

On the “Basics” tab, type a Custom role name. I used “Lucidscale import”. Under “Baseline permissions”, select “Start from JSON” and upload the following file:

{
    "properties": {
        "roleName": "Lucidscale import",
        "description": "Role that gives Lucidscale read access to import resources",
        "assignableScopes": [],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Authorization/roleAssignments/read",
                    "Microsoft.ApiManagement/service/read",
                    "Microsoft.Compute/disks/read",
                    "Microsoft.Compute/virtualMachines/read",
                    "Microsoft.Compute/virtualMachineScaleSets/read",
                    "Microsoft.Databricks/workspaces/read",
                    "Microsoft.DBforMySQL/servers/databases/read",
                    "Microsoft.DBforMySQL/servers/read",
                    "Microsoft.DBforPostgreSQL/servers/databases/read",
                    "Microsoft.DBforPostgreSQL/servers/read",
                    "Microsoft.DocumentDB/databaseAccounts/read",
                    "Microsoft.KeyVault/vaults/read",
                    "Microsoft.Network/applicationGateways/read",
                    "Microsoft.Network/azurefirewalls/read",
                    "Microsoft.Network/connections/read",
                    "Microsoft.Network/dnszones/read",
                    "Microsoft.Network/dnszones/recordsets/read",
                    "Microsoft.Network/frontDoors/read",
                    "Microsoft.Network/loadBalancers/read",
                    "Microsoft.Network/localnetworkgateways/read",
                    "Microsoft.Network/networkInterfaces/read",
                    "Microsoft.Network/networkSecurityGroups/read",
                    "Microsoft.Network/privateDnsZones/read",
                    "Microsoft.Network/privateDnsZones/ALL/read",
                    "Microsoft.Network/privateDnsZones/virtualNetworkLinks/read",
                    "Microsoft.Network/privateEndpoints/read",
                    "Microsoft.Network/publicIPAddresses/read",
                    "Microsoft.Network/routeTables/read",
                    "Microsoft.Network/trafficManagerProfiles/read",
                    "Microsoft.Network/virtualNetworkGateways/read",
                    "Microsoft.Network/virtualNetworks/read",
                    "Microsoft.Network/virtualNetworks/subnets/read",
                    "Microsoft.Resources/subscriptions/read",
                    "Microsoft.Resources/subscriptions/resourceGroups/read",
                    "Microsoft.ServiceBus/namespaces/read",
                    "Microsoft.ServiceBus/namespaces/queues/read",
                    "Microsoft.Sql/servers/databases/read",
                    "Microsoft.Sql/servers/read",
                    "Microsoft.Storage/storageAccounts/read",
                    "Microsoft.Web/serverfarms/Read",
                    "microsoft.web/sites/functions/read",
                    "Microsoft.Web/sites/Read"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}

Screenshot of Azure custom role wizard, Basics tab

Navigate to the Permissions tab. The JSON is not complete and you will need to add an additional permission to this list. Click the “Add permissions” button, then search for “managed”. Check the box for Microsoft.ManagedIdentity/userAssignedIdentities > Read : Get User Assigned Identity. Click the “Add” button when you're finished.

Screenshot of Azure custom role wizard, Permissions tab
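Added example, not from the post or from Lucidscale: a Python check that adds the managed-identity read action, pins assignableScopes to one subscription (a placeholder id), and audits the role for anything beyond read-only control-plane actions before you create it. The role JSON is a shortened constructed copy of the one above.

```python
import copy
import json

# Constructed, shortened copy of the role definition from the post; the real file lists
# more read actions but has the same shape.
ROLE_JSON = """{
    "properties": {
        "roleName": "Lucidscale import",
        "description": "Role that gives Lucidscale read access to import resources",
        "assignableScopes": [],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Authorization/roleAssignments/read",
                    "Microsoft.Compute/virtualMachines/read",
                    "Microsoft.KeyVault/vaults/read",
                    "Microsoft.Network/virtualNetworks/read",
                    "Microsoft.Storage/storageAccounts/read",
                    "Microsoft.Web/serverfarms/Read"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}"""
ROLE = json.loads(ROLE_JSON)

# The permission the post adds by hand on the Permissions tab.
MANAGED_IDENTITY_READ = "Microsoft.ManagedIdentity/userAssignedIdentities/read"


def complete_role(role, subscription_id):
    """Return a copy with the managed-identity read action added and the scope pinned to one subscription."""
    role = copy.deepcopy(role)
    perm = role["properties"]["permissions"][0]
    if MANAGED_IDENTITY_READ not in perm["actions"]:
        perm["actions"].append(MANAGED_IDENTITY_READ)
    role["properties"]["assignableScopes"] = [f"/subscriptions/{subscription_id}"]
    return role


def audit_role(role):
    """List anything that would make the role broader than a read-only inventory needs."""
    findings = []
    props = role["properties"]
    for perm in props["permissions"]:
        for action in perm["actions"]:
            if "*" in action:
                findings.append(f"wildcard action: {action}")
            elif not action.lower().endswith("/read"):
                findings.append(f"non-read action: {action}")
        if perm.get("dataActions"):
            findings.append("dataActions grants data-plane access, which a diagram import does not need")
    if not props["assignableScopes"]:
        findings.append("no assignable scope: add the subscription before creating the role")
    for scope in props["assignableScopes"]:
        if not scope.startswith("/subscriptions/"):
            findings.append(f"scope wider than a subscription: {scope}")
    return findings


if __name__ == "__main__":
    print("as uploaded:", audit_role(ROLE))
    done = complete_role(ROLE, "00000000-0000-0000-0000-000000000000")  # placeholder subscription id
    print("completed:", audit_role(done) or "no findings")
    print(json.dumps(done, indent=2))
```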

Navigate to the “Assignable scopes” tab and click the “Add assignable scopes” button. Change the Type field to “Subscription”, then click on your subscription in the right column. Click “Select” when you're finished:

Screenshot of Azure custom role wizard, scopes tab

Leave the JSON tab as default and complete the wizard to Create the role.

Once you've created the role, return to Azure Active Directory and open Subscriptions. Select the subscription you want to use.

Navigate to the “Access control (IAM)” blade and navigate to the “Roles” tab. Search for “Lucid” and locate your newly created role. Click the “View” link:

Screenshot of Azure Subscriptions, Access Control (IAM) blade, Roles tab

In the new popup, click on the Assignments tab, then click “Add assignment”:

Screenshot of Azure Subscriptions, Access Control (IAM) blade, Assignments tab

Navigate to the “Members” tab. Check the radio button for “Assign access to” as “User, group, or service principal” and click the “Select members” button. Search for “Lucid” in the popup window and click on your app. Click the “Select” button when you're finished:

Screenshot of Azure Subscriptions, Access Control (IAM) blade, Assignments, Members tab

After you've completed this part, complete the wizard to add the role assignment at the subscription scope.
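The same custom role and assignment can be scripted with the Az PowerShell module instead of clicking through the portal. This is an added example, not part of the original post: the role name, the service principal display name and the JSON file path are assumptions, and the Actions array only contains the read actions visible in the JSON above plus the managed identity read permission from the Permissions tab, so paste in your full list. The guard that refuses any non-read action is there because a diagramming tool only needs to read the subscription.

```powershell
# Added example (not from the original post): create the read-only custom role from JSON
# and assign it to the Lucidscale service principal at subscription scope.
Import-Module Az.Accounts, Az.Resources
Connect-AzAccount | Out-Null

$subId    = (Get-AzContext).Subscription.Id
$scope    = "/subscriptions/$subId"
$roleName = 'Lucidscale Reader'   # assumption: pick the name you used in the wizard
$spName   = 'Lucidscale'          # assumption: display name of the Lucidscale enterprise app
$roleFile = Join-Path $env:TEMP 'lucidscale-role.json'

$definition = [ordered]@{
    Name             = $roleName
    Description      = 'Read-only access for Lucidscale to diagram this subscription'
    Actions          = @(
        'Microsoft.ManagedIdentity/userAssignedIdentities/read',
        'Microsoft.Sql/servers/databases/read',
        'Microsoft.Sql/servers/read',
        'Microsoft.Storage/storageAccounts/read',
        'Microsoft.Web/serverfarms/Read',
        'microsoft.web/sites/functions/read',
        'Microsoft.Web/sites/Read'
        # ... add the rest of the Actions from your JSON here
    )
    NotActions       = @()
    DataActions      = @()
    NotDataActions   = @()
    AssignableScopes = @($scope)
}

# Guard: refuse to create the role if anything in Actions is not a read (-notmatch is case-insensitive)
$nonRead = $definition.Actions | Where-Object { $_ -notmatch '/read$' }
if ($nonRead) { throw "Non-read actions present, review before creating: $($nonRead -join ', ')" }

$definition | ConvertTo-Json -Depth 5 | Set-Content -Path $roleFile -Encoding UTF8
$role = New-AzRoleDefinition -InputFile $roleFile

# Assign the role to the Lucidscale service principal (the enterprise app created when you consented)
$sp = Get-AzADServicePrincipal -DisplayName $spName
if (-not $sp) { throw "Service principal '$spName' not found; consent to the Lucidscale app first" }
New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $role.Name -Scope $scope | Out-Null

# Verify: the principal holds this role, and nothing else, at the subscription scope
Get-AzRoleAssignment -ObjectId $sp.Id -Scope $scope |
    Format-Table DisplayName, RoleDefinitionName, Scope
```

If the verification table shows more than the one custom role, the app was granted something broader earlier (Reader or Contributor at the subscription, for example) and that assignment should be removed so the app keeps only the permissions in the custom role.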

Now that we've configured the environment, return to Lucidscale to complete the configuration. Move to the “Select Subscriptions” page and check the box next to the correct subscription:

Screenshot of Lucidscale New Azure Subscription, Select Subscriptions tab

On the “Subscription configuration” tab, leave all options as default and click the “Import Azure subscriptions” button:

Screenshot of Lucidscale New Azure Subscription, Select

After completing the wizard, data import will begin. This process could take a while, depending on the size of your environment.

Lucidscale Azure Data Hub page, Subscriptions tab, Importing data

When it's complete, select your subscription and click the “Create new Model” button:

Lucidscale Azure Data Hub page, Subscriptions tab, Create new Model

Check the box next to the subscription you want to diagram, then click the “Choose subscriptions” button at the bottom right.

Lucidscale Azure, Create new Model wizard

Review your selection and then click “Create Azure Model”.

Now, Lucidscale will build your model in the background. It could take a while, depending on the size of your environment:

Lucidscale Azure, Creating Lucidscale Model

After it's complete, your diagram will be generated:

Lucidscale Azure diagram complete


#Azure #PowerShell #Windows

If you’ve added a new session host to an existing Azure Virtual Desktop host pool, you might get a Windows Activation error watermark notifying you that the Windows license wasn’t found:

Screenshot of a Windows 10 desktop, showing a Windows activation error

Activate Windows. Go to Settings to activate Windows.

When I got the ticket from users complaining about the watermark, I started brainstorming. I thought I might be able to fix this issue several ways:

  1. License users with Microsoft 365 E5.

  2. Manually add an existing Windows license (only possible if you’re running a stock image of Windows, not the Azure-specific Windows Enterprise Multi-Session).

Since I don’t have those E5 licenses already and I’m running the multi-session OS, it would add cost to purchase and I would need to get approval.

Instead, I found that you can check the VM license by running this command in PowerShell (change the XXX values to match your Resource Group and VM name):

Import-Module Az.Accounts, Az.Compute   # Az PowerShell module (Install-Module Az if it is missing)
Connect-AzAccount
Get-AzVM -ResourceGroupName XXXresourcegroupXXX -Name XXXvirtualmachineXXX | Select-Object Name, LicenseType

After running that command, the property that you want to focus on is LicenseType. If it says Windows_Client, you are good to go and Azure will apply the license at the OS level.

If it is null or displays as {}, that could be the cause of the Activation error. You can set it with the Az PowerShell module (edit the XXX values to match your environment):

$rg = 'XXXresourcegroupXXX'
$vmName = 'XXXvirtualmachineXXX'

# Get the VM object, set the license type on it, then push the change back to Azure
$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
$vm.LicenseType = 'Windows_Client'
Update-AzVM -ResourceGroupName $rg -VM $vm
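When more than one session host was added, it is quicker to audit the whole resource group than to fix VMs one at a time. The function below is an added example, not from the original post: it reports every Windows VM in a resource group whose LicenseType is not Windows_Client and sets it, with -WhatIf support so you can preview before touching anything. The resource group name is an assumption.

```powershell
# Added example (not from the original post): find and fix session hosts with a missing LicenseType.
Import-Module Az.Accounts, Az.Compute
Connect-AzAccount | Out-Null

function Repair-AvdVmLicense {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [string]$LicenseType = 'Windows_Client'   # the value AVD session hosts need
    )
    foreach ($vm in Get-AzVM -ResourceGroupName $ResourceGroupName) {
        # Windows_Client is only meaningful for Windows client images; skip anything else
        if ($vm.StorageProfile.OsDisk.OsType -ne 'Windows') { continue }

        $current = $vm.LicenseType
        if ($current -eq $LicenseType) {
            Write-Verbose "$($vm.Name): already $LicenseType"
            continue
        }
        if ($PSCmdlet.ShouldProcess($vm.Name, "Set LicenseType '$current' -> '$LicenseType'")) {
            $vm.LicenseType = $LicenseType
            Update-AzVM -ResourceGroupName $ResourceGroupName -VM $vm | Out-Null
        }
        [pscustomobject]@{ Name = $vm.Name; Before = $current; After = $LicenseType }
    }
}

# Dry run first (assumption: the host pool's VMs live in rg-avd-prod), then apply
Repair-AvdVmLicense -ResourceGroupName 'rg-avd-prod' -WhatIf
Repair-AvdVmLicense -ResourceGroupName 'rg-avd-prod' | Format-Table
```

Setting LicenseType only tells Azure to apply the Windows client license; the OS still activates against Azure's KMS service (kms.core.windows.net, TCP 1688) from inside the VM. If an NSG or firewall on the session host subnet blocks that outbound connection, the watermark will stay even after this change.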

I wish Azure had a built in Troubleshooting function or feature to “quick fix” this issue, but I couldn’t find one.

Putting this here for my notes when I have to fix this issue again.


#Intune #Windows

A company I'm working with requested an Intune deployment of Adobe Acrobat Pro DC to users on machines running Windows 10 or 11.

I wasn't able to find great documentation about how to deploy this using Intune, so I wanted to write all of this down. There are some guides going around about MSP transforms, but that's not necessary for a simple deployment.

  1. First, download the Adobe Acrobat Pro single app package and select the 64 bit Windows installer:

Screenshot of Adobe Acrobat Pro installer download page

  2. Then, download the Microsoft Win32 Content Prep Tool.

  3. Unzip all of the files so that they're laid out as follows:

    • C:\temp\Microsoft-Win32-Content-Prep-Tool-Master
    • C:\temp\Adobe Acrobat

  4. Now that you have the prereqs, build the .intunewin package for Intune. Open Command Prompt, cd into the C:\temp\Microsoft-Win32-Content-Prep-Tool-Master folder and run .\IntuneWinAppUtil.exe

  5. Step through the prompts to build the package:

    • Please specify the source folder: C:\temp\Adobe Acrobat
    • Please specify the setup file: C:\temp\Adobe Acrobat\setup.exe
    • Please specify the output folder: C:\temp\Adobe Acrobat
    • Do you want to specify catalog folder (Y/N)? n

Screenshot of Windows Terminal running the Microsoft Win32 Content Prep tool for Adobe Acrobat Pro
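The interactive prompts above can be scripted, which matters when you rebuild the package for every Acrobat update. The script below is an added example, not from the original post: it verifies the Authenticode signature on the vendor's setup.exe before packaging it (so a tampered or wrong download never gets wrapped and pushed to every PC), runs IntuneWinAppUtil.exe with its command-line switches (-c source folder, -s setup file, -o output folder, -q quiet), and records the SHA-256 hash of the resulting .intunewin. The paths follow the layout above; the signer name check is an assumption you should tighten to the exact subject you see on the first run.

```powershell
# Added example (not from the original post): verify the installer's signature, then build the
# .intunewin package non-interactively and record its hash.
$toolDir   = 'C:\temp\Microsoft-Win32-Content-Prep-Tool-Master'
$sourceDir = 'C:\temp\Adobe Acrobat'
$setupName = 'setup.exe'
$outputDir = 'C:\temp\Adobe Acrobat'
$setupFile = Join-Path $sourceDir $setupName

# 1. Refuse to package an installer whose signature is missing, broken, or from an unexpected signer.
$sig = Get-AuthenticodeSignature -FilePath $setupFile
if ($sig.Status -ne 'Valid') {
    throw "Signature check failed for ${setupFile}: $($sig.Status) - $($sig.StatusMessage)"
}
$signer = $sig.SignerCertificate.Subject
if ($signer -notmatch 'Adobe') {   # assumption: replace with the exact subject you expect
    throw "Unexpected signer on ${setupFile}: $signer"
}
Write-Host "Signer OK: $signer (thumbprint $($sig.SignerCertificate.Thumbprint))"

# 2. Run the Win32 Content Prep Tool with the same answers as the interactive prompts.
& (Join-Path $toolDir 'IntuneWinAppUtil.exe') -c $sourceDir -s $setupName -o $outputDir -q
if ($LASTEXITCODE -ne 0) { throw "IntuneWinAppUtil.exe exited with code $LASTEXITCODE" }

# 3. Hash the package you are about to upload so it can be re-verified later.
$package = Join-Path $outputDir 'setup.intunewin'
if (-not (Test-Path -LiteralPath $package)) { throw "Expected output $package was not created" }
Get-FileHash -Path $package -Algorithm SHA256 | Format-List Path, Hash
```

Keep the hash with your change record: if someone later questions what was deployed, you can compare it against the package stored in Intune rather than trusting the filename.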

Now that the .intunewin package is built, it's time to upload it to Microsoft Endpoint Manager (Intune) and create an app package. You can close the Win32 Content Prep tool.

  1. Log into the Intune/Endpoint dashboard and navigate to Apps > Windows > Add. Set the “App type” to Windows app (Win32):

Screenshot of Intune dashboard, Windows app creation wizard

  2. On the “App information” tab, upload the file you created at C:\temp\Adobe Acrobat\setup.intunewin and fill out the required fields to continue:

Screenshot of Intune dashboard, Windows app creation wizard, App information tab

  3. On the “Program” tab, enter the following values:
    • Install command: setup.exe /sAll
    • Uninstall command: msiexec /x "{AC76BA86-1033-FFFF-7760-BC15014EA700}" /q
    • Install behavior: System
    • Device restart behavior: App install may force a device restart
    • Specify return codes to indicate post-installation behavior: Leave as default.

Screenshot of the Intune dashboard, Add App wizard, Program tab

  4. On the “Requirements” tab, enter the following values:
    • Operating system architecture: 64-bit
    • Minimum operating system: Windows 10 1607

Screenshot of the Intune dashboard, Add App wizard, Requirements tab

  5. On the “Detection rules” tab, set “Rules format” to Manually configure detection rules, then click the “+ Add” button. Change the “Rule type” to MSI and set the “MSI product code” field to {AC76BA86-1033-FFFF-7760-BC15014EA700}. Set the “MSI product version check” to No:

Screenshot of the Intune dashboard, Add App wizard, Detection rules tab

  6. On the “Dependencies” and “Supersedence” tabs, just leave the defaults.

  7. On the “Assignments” tab, target your deployment group or users for installation. You may want to hide the “End user notifications” so that it's completely silent, but this is optional:

Screenshot of the Intune dashboard, Add App wizard, Assignments tab
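The detection rule and the uninstall command both hinge on the MSI product code, and if it does not match what setup.exe actually registered, Intune will loop on reinstalling the app. Before assigning to a broad group, install Acrobat on one test machine with setup.exe /sAll and run the check below there in an elevated session. This is an added example, not from the original post: it looks for the product code under the Uninstall registry keys that Windows Installer writes for every per-machine MSI product (both the native and WOW6432Node views), and if the code is absent it lists every Adobe Acrobat entry it can find so you can correct the rule.

```powershell
# Added example (not from the original post): confirm the MSI product code used in the Intune
# detection rule and uninstall command is really registered on a machine after installation.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Test-MsiProductInstalled {
    param([Parameter(Mandatory)][string]$ProductCode)
    foreach ($root in $uninstallRoots) {
        $key = Join-Path $root $ProductCode
        if (Test-Path -LiteralPath $key) {
            $p = Get-ItemProperty -LiteralPath $key
            return [pscustomobject]@{
                Installed       = $true
                Key             = $key
                DisplayName     = $p.DisplayName
                DisplayVersion  = $p.DisplayVersion
                UninstallString = $p.UninstallString
            }
        }
    }
    [pscustomobject]@{ Installed = $false; Key = $null; DisplayName = $null; DisplayVersion = $null; UninstallString = $null }
}

function Get-AcrobatProductCodes {
    # Fallback: list whatever Acrobat registered, so a wrong GUID in the rule can be corrected
    foreach ($root in $uninstallRoots) {
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
            ForEach-Object { Get-ItemProperty -LiteralPath $_.PSPath } |
            Where-Object { $_.DisplayName -like 'Adobe Acrobat*' } |
            Select-Object PSChildName, DisplayName, DisplayVersion
    }
}

$expected = '{AC76BA86-1033-FFFF-7760-BC15014EA700}'   # the code from the detection rule above
$result = Test-MsiProductInstalled -ProductCode $expected
if ($result.Installed) {
    $result | Format-List
} else {
    Write-Warning "Product code $expected is not registered on this machine. Acrobat entries found:"
    Get-AcrobatProductCodes | Format-Table -AutoSize
}
```

Avoid using Get-CimInstance Win32_Product for this kind of check: enumerating that class makes Windows Installer run a consistency repair on every installed product, which is slow and can itself trigger reconfigurations.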

After uploading the file, your application deployment will be complete:

Screenshot of the Intune dashboard, Add App wizard, file upload

Machines will begin to check in and pick up the app assignment. I find that installation can take up to 30 minutes, so be patient!

Screenshot of a Windows 11 desktop notification for Intune/Endpoint application deployment

Screenshot of a Windows 10 desktop notification for Intune/Endpoint application deployment


#Sharepoint #Windows

One of the companies that I'm working with wants to migrate all of the files on a local file share into a SharePoint site.

To do this, I ran the official Microsoft Sharepoint Migration Tool from the file server. I set my source as the shared folder containing 1.8 TB of files and the target destination as the Documents library in a newly created Sharepoint site.

After letting the tool run for a few hours, the migration tool completed and reported that it had successfully moved 209,726 files, but 500 were not moved because the scanner has issues with special characters:

Screenshot of the Microsoft Sharepoint Migration Tool, migration report page.

They're an international organization and have French, Spanish, and Portuguese workers who connect to the shared drive. They're also using a mix of macOS and Windows PCs, so the folders can get pretty cluttered with UTF and non-Windows character sets.

From the logs, the Sharepoint Migration Tool seems to only allow ANSI characters, probably for URLs and other internal compatibility. I needed to rename all of the non-migrated files from the accented characters into the ANSI equivalents and then run an incremental sync.

To fix the accented characters, I could go in manually and rename all of the files, but I needed an easier way to automate this.

Instead of figuring out the right regex command and running a rename command in Powershell, I decided to keep it simple and use the Bulk Rename Utility app that I've used for other projects, including the project I wrote about to redact Microsoft Word files quickly.

After downloading and installing the app on the file server, open it and target the share location on the local drive.

Inside the app, click on the option at Special > Character Translations.

I copied and pasted all of the accented characters and their ANSI equivalents into Excel and formatted it for Bulk Rename Utility to be able to use the list. Copy and paste this list into this Character Translation popup window:

Á=A
á=a
À=A
à=a
Â=A
â=a
Ã=A
ã=a
Ä=A
ä=a
Å=A
å=a
ç=c
Ç=C
É=E
é=e
È=E
è=e
Ê=E
ê=e
Ë=E
ë=e
Í=I
í=i
Ì=I
ì=i
Î=I
î=i
Ï=I
ï=i
Ó=O
ó=o
Ò=O
ò=o
Ô=O
ô=o
Ö=O
ö=o
Õ=O
õ=o
Ú=U
ú=u
Ù=U
ù=u
Û=U
û=u
Ü=U
ü=u

After pasting in the info, press OK and return to the main window:

Screenshot of Bulk Rename Utility, character translation popup with characters

Make sure that you have the following options checked:

✓ Files > Files

✓ Files > Folders

✓ Files > Subfolders

✓ Special > Character Translations

Screenshot of Bulk Rename Utility, subfolders and character translations selected.

After checking those boxes, click into the file list at the top right of the window and press the Ctrl + A keys on the keyboard to select all items. This could take a few seconds, depending on the number of files that you have.

To verify, click the “Preview” button, then press “Rename” if the renaming task looks correct:

Screenshot of Bulk Rename Utility, file rename preview popup window

After renaming these files, I returned to the Sharepoint Migration Tool and started the Incremental sync. The sync completed successfully without any file scan issues or unrecognized characters.
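For anyone who would rather script the rename than use a GUI tool, the translation table above can be expressed in PowerShell. This is an added example, not from the original post: instead of a fixed list of letters, it decomposes each name into base characters plus combining marks (Unicode NFD) and drops the marks, which also catches names a Mac wrote in decomposed form (e followed by a combining acute rather than a single é), a case the precomposed table above would miss. It renames deepest paths first so a renamed folder never invalidates the paths of its children, skips any rename that would collide with an existing name, and supports -WhatIf for a preview. The share path is an assumption.

```powershell
# Added example (not from the original post): strip accents from file and folder names
# recursively, previewing first, as a scripted equivalent of the translation table above.
function Remove-Diacritics {
    param([Parameter(Mandatory)][string]$Text)
    # NFD splits "é" into "e" + U+0301; dropping the NonSpacingMark characters leaves "e"
    $decomposed = $Text.Normalize([Text.NormalizationForm]::FormD)
    $sb = [System.Text.StringBuilder]::new()
    foreach ($ch in $decomposed.ToCharArray()) {
        if ([Globalization.CharUnicodeInfo]::GetUnicodeCategory($ch) -ne [Globalization.UnicodeCategory]::NonSpacingMark) {
            [void]$sb.Append($ch)
        }
    }
    return $sb.ToString().Normalize([Text.NormalizationForm]::FormC)
}

function Rename-AccentedItems {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Root)
    # Longest full path first: every child is processed before its parent folder is renamed
    $items = Get-ChildItem -LiteralPath $Root -Recurse -Force |
             Sort-Object { $_.FullName.Length } -Descending
    foreach ($item in $items) {
        $newName = Remove-Diacritics -Text $item.Name
        if ($newName -eq $item.Name) { continue }
        $target = Join-Path ([IO.Path]::GetDirectoryName($item.FullName)) $newName
        if (Test-Path -LiteralPath $target) {
            Write-Warning "Skipping '$($item.FullName)': '$newName' already exists in that folder"
            continue
        }
        if ($PSCmdlet.ShouldProcess($item.FullName, "Rename to '$newName'")) {
            Rename-Item -LiteralPath $item.FullName -NewName $newName
        }
        [pscustomobject]@{ Path = $item.FullName; NewName = $newName }
    }
}

# Preview first (assumption: the share is at D:\Shares\Finance), then apply and keep a log
Rename-AccentedItems -Root 'D:\Shares\Finance' -WhatIf
Rename-AccentedItems -Root 'D:\Shares\Finance' | Export-Csv -Path 'rename-log.csv' -NoTypeInformation
```

Letters that are not a base letter plus a mark, such as ß, æ, œ, ø and ł, are left unchanged by NFD and need an explicit mapping if they appear in your share; the skipped-collision warnings are worth reading too, since "résumé.docx" and "resume.docx" in the same folder cannot both survive the rename.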

