Automatically roll over the Kerberos decryption key for Azure AD Connect SSO

It's highly recommended to roll over the Kerberos decryption key of the Azure AD Connect Seamless SSO computer account every 30 days. There is no built-in feature to roll this key over automatically.

You will notice a warning in the Azure portal if the key hasn't been rolled over recently.

I've used this blog article to secure the service account password on the server:
http://www.sameie.com/2017/10/05/create-hashed-password-file-for-powershell-use/

I've configured a PowerShell script that runs as a scheduled task on the server where Azure AD Connect is installed.
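The kind of scheduled-task script described above, as an added example that is not the blog's own script. It assumes AzureADSSO.psd1 at the default Azure AD Connect install path, the cmdlet and parameter names documented for that module (`New-AzureADSSOAuthenticationContext -CloudCredentials`, `Update-AzureADSSOForest -OnPremCredentials`, `Get-AzureADSSOStatus`), and password files created with ConvertFrom-SecureString by the same Windows account the task runs as; account names and paths are placeholders.

```powershell
# Added example, not the blog's own script. DPAPI binds a ConvertFrom-SecureString file to the
# user and machine that created it, so the task must run as that account on this server.
$ErrorActionPreference = 'Stop'
$LogFile       = 'C:\Scripts\SsoKeyRollover.log'          # placeholder
$OnPremUser    = 'DOMAIN\svc-ssorollover'                  # placeholder: Domain Admin in the forest
$OnPremPwdFile = 'C:\Scripts\svc-ssorollover.pwd'          # placeholder: hashed password file
$CloudUser     = 'ssorollover@tenant.onmicrosoft.com'      # placeholder: Global Administrator
$CloudPwdFile  = 'C:\Scripts\ssorollover-cloud.pwd'        # placeholder: hashed password file
# One-time creation of a password file (run interactively as the task's account):
#   Read-Host -AsSecureString | ConvertFrom-SecureString | Out-File <file>

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $LogFile -Append
}

function Get-StoredCredential([string]$UserName, [string]$PasswordFile) {
    # Rebuild a PSCredential from the DPAPI-protected string in the file
    $secure = Get-Content -Path $PasswordFile | ConvertTo-SecureString
    New-Object System.Management.Automation.PSCredential ($UserName, $secure)
}

try {
    Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1'
    $cloudCred  = Get-StoredCredential $CloudUser  $CloudPwdFile
    $onPremCred = Get-StoredCredential $OnPremUser $OnPremPwdFile

    # Authenticate to Azure AD. An unattended run means a stored Global Administrator
    # credential that cannot do MFA: dedicate the account to this task, restrict the
    # password file's ACL to the run-as account, and alert on other sign-ins by it.
    New-AzureADSSOAuthenticationContext -CloudCredentials $cloudCred

    # Roll over the Kerberos decryption key of the Seamless SSO computer account in the
    # forest the on-prem credential belongs to (repeat per forest if there are several)
    Update-AzureADSSOForest -OnPremCredentials $onPremCred
    Write-Log "Kerberos decryption key rolled over using $($onPremCred.UserName)"

    # Record the resulting Seamless SSO status (JSON) for audit
    Write-Log (Get-AzureADSSOStatus)
}
catch {
    Write-Log "FAILED: $($_.Exception.Message)"
    throw
}
```

Register it with a 30-day trigger and the task's run-as account set to the user that created the password files; the log line makes a missed rollover visible without waiting for the portal warning.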

Output:

Disclaimer: All scripts and references on this blog are offered “as is” with no warranty. These scripts are tested in my environment; it is recommended that they are tested in a test environment before use in production.

Install Azure File Sync Agent (preview) on Windows Server 1709

!!NOT SUPPORTED!!
Only Windows Server 2012 R2 and Windows Server 2016 with full UI are currently supported by Microsoft.
Not recommended for production environments.

I wanted to install this on a File Cluster running Windows Server 1709 to see if it was possible.
This is how I did it.

1. Install the Azure Resource Manager PowerShell module on the cluster node.

2. Download and install the Storage Sync Agent:
By browser:
https://www.microsoft.com/en-us/download/details.aspx?id=55988
By PowerShell directly on the cluster node:

Run:

Press X when you hit the “Sign In” screen. It will fail since it is not able to load IEFRAME.dll.

3. Connect to AzureRM

List Subscription and Tenant ID

Name : Visual Studio Enterprise with MSDN
Id : cfxxxxx-7axxx-4xxx-axxx-edxxxxxxxxx
TenantId : 91xxxxx-2xxx-4xxx-8xxx-a1xxxxxxxxx
State : Enabled

4. Connect to Azure Storage Sync

5. Register Server with Azure Storage Sync

ServerRole : ClusterNode
ClusterName : lab-filecluster01
ClusterId : exxxxxxx-3xxx-4xxx-axxx-6xxxxxxxxxxxxx
LastHeartBeat : 20.02.2018 22:31:57
ServerOSVersion : 10.0.16299.0
ServerManagementErrorCode : 0
AgentVersion : 2.0.11.0
ProvisioningState : Succeeded
Name : 8xxxxxxx-axxx-4xxx-axxx-2xxxxxxxxxxx
DisplayName : lab-FIL01.domain.com
Location : westeurope
Id : /subscriptions/

6. Run the same procedure on the rest of the file cluster nodes (if needed).
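Steps 1 to 6 above as one script, added here as an example and not the blog's own commands. It assumes the preview agent's cmdlet names and DLL path as documented for the Azure File Sync preview (`Login-AzureRmStorageSync`, `Register-AzureRmStorageSyncServer`), and the MSI URL, resource group and Storage Sync Service name are placeholders.

```powershell
# Added example, not the blog's own script. Placeholders are marked; the Storage Sync
# cmdlet names are those of the preview agent and should be checked against the installed version.
$ErrorActionPreference = 'Stop'
$SubscriptionId = '<subscription-id>'                 # Id from Get-AzureRmSubscription (step 3)
$TenantId       = '<tenant-id>'                       # TenantId from Get-AzureRmSubscription
$ResourceGroup  = 'rg-filesync'                       # placeholder
$SyncService    = 'afs-lab'                           # placeholder Storage Sync Service name
$Location       = 'westeurope'
$MsiUrl         = '<StorageSyncAgent.msi URL from the download page above>'   # placeholder
$MsiPath        = Join-Path $env:TEMP 'StorageSyncAgent.msi'

# 1. Azure Resource Manager module on the cluster node
Install-Module -Name AzureRM -Scope AllUsers -Force

# 2. Download and install the agent silently. Server 1709 has no full UI, so the
#    registration wizard that the installer would launch cannot run here anyway;
#    registration is done from PowerShell in step 5.
Invoke-WebRequest -Uri $MsiUrl -OutFile $MsiPath
Start-Process -FilePath msiexec.exe -ArgumentList "/i `"$MsiPath`" /quiet /norestart" -Wait

# 3. Connect to AzureRM and list subscription and tenant IDs
Login-AzureRmAccount
Get-AzureRmSubscription | Select-Object Name, Id, TenantId, State

# 4. Connect to Azure Storage Sync with the agent's cmdlets
Import-Module 'C:\Program Files\Azure\StorageSyncAgent\StorageSync.Management.PowerShell.Cmdlets.dll'
Login-AzureRmStorageSync -SubscriptionId $SubscriptionId -ResourceGroupName $ResourceGroup `
    -TenantId $TenantId -Location $Location

# 5. Register this cluster node (output resembles the ServerRole : ClusterNode listing above)
Register-AzureRmStorageSyncServer -SubscriptionId $SubscriptionId -ResourceGroupName $ResourceGroup `
    -StorageSyncServiceName $SyncService

# 6. Repeat steps 2, 4 and 5 on each remaining node of the file cluster
```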

Now you will see the endpoint registration in the Azure Portal.

You can now add your newly registered File Cluster endpoint to Azure File Sync groups.


Dynamic Groups in Azure AD

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-groups-dynamic-membership-azure-portal

I have tried to use the advanced queries, and here's an example of an advanced query:

This query will add members:

UserPrincipalName starts with e, u or b
UserPrincipalName matches @domain.com, and the account is enabled, and UserType is Member
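The two clauses above written as a single dynamic membership rule and applied with the AzureADPreview module, as an added example that is not part of the original post; the group name and domain are placeholders.

```powershell
# Added example, not the post's own rule. Assumes the AzureADPreview module (New-AzureADMSGroup
# with -MembershipRule) and an Azure AD Premium P1 tenant, which dynamic groups require.
Connect-AzureAD

# Dynamic rules accept .NET regular expressions with -match. "^[eub]" is the single-clause
# equivalent of three -startsWith clauses joined with "or". The domain clause is anchored with
# "$" and the dot escaped: an unanchored -match "@domain.com" would also admit UPNs such as
# user@domain.company.com, silently widening who gets the group's access.
$Rule = '(user.userPrincipalName -match "^[eub]") and ' +
        '(user.userPrincipalName -match "@domain\.com$") and ' +
        '(user.accountEnabled -eq true) and ' +
        '(user.userType -eq "Member")'

$Group = New-AzureADMSGroup -DisplayName 'dyn-eub-members' `      # placeholder name
    -MailNickname 'dyn-eub-members' -MailEnabled $false -SecurityEnabled $true `
    -GroupTypes 'DynamicMembership' -MembershipRule $Rule -MembershipRuleProcessingState 'On'

# Read back the rule and its processing state; membership is evaluated asynchronously,
# so the member list populates a few minutes after creation.
Get-AzureADMSGroup -Id $Group.Id | Select-Object DisplayName, MembershipRule, MembershipRuleProcessingState
```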


Classifications for Office365 Groups and Microsoft Teams

These commands are part of the Azure Active Directory PowerShell V2 module.

Install the AzureAD or the AzureADPreview Module

Connect to Azure AD

Verify whether the Directory Settings exist

If there is no result, the settings have not been created and you will need to create them first.

Creating the Classifications if no Directory Settings exist

Creating the Classifications if Directory Settings exist

Configuring the Default Classification for Office365 Groups

Manually assign Classifications to Office365 Groups.

This requires the Exchange Online PowerShell Module.
I recommend installing the latest Exchange Online PowerShell Module that supports Modern Authentication.

If you try to configure a Classification that is not defined in the “ClassificationList”, you get:

DataClassification provided is not supported. Valid values are “Internal,External,Confidential”.
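The whole procedure above (check for the Group.Unified settings, create or update them, set the default, then assign a classification to a group) as one script, added here as an example and not the blog's own commands. It assumes the AzureADPreview module for the Directory Settings cmdlets and an already-open Exchange Online session for Set-UnifiedGroup; the group name is a placeholder, the classification values are the ones the post uses.

```powershell
# Added example, not the blog's own script. Requires AzureADPreview (Get/New/Set-AzureADDirectorySetting)
# and an Exchange Online PowerShell session for the final Set-UnifiedGroup call.
$ErrorActionPreference = 'Stop'
Connect-AzureAD

$Classifications = 'Internal,External,Confidential'   # values from the post
$Default         = 'Internal'

# Verify whether the Group.Unified directory settings object exists
$Setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }

if (-not $Setting) {
    # No settings yet: instantiate them from the Group.Unified template, then create
    $Template = Get-AzureADDirectorySettingTemplate | Where-Object { $_.DisplayName -eq 'Group.Unified' }
    $Setting  = $Template.CreateDirectorySetting()
    $Setting['ClassificationList']    = $Classifications
    $Setting['DefaultClassification'] = $Default
    $Setting  = New-AzureADDirectorySetting -DirectorySetting $Setting
}
else {
    # Settings exist: update the two values in place
    $Setting['ClassificationList']    = $Classifications
    $Setting['DefaultClassification'] = $Default
    Set-AzureADDirectorySetting -Id $Setting.Id -DirectorySetting $Setting
}

# Read back what the tenant now enforces
(Get-AzureADDirectorySetting -Id $Setting.Id).Values |
    Where-Object { $_.Name -like '*Classification*' } |
    Format-Table Name, Value -AutoSize

# Manually assign a classification to an existing Office 365 Group / Team (Exchange Online).
# A value outside ClassificationList fails with the "DataClassification provided is not
# supported" error quoted above, so the list acts as an allow-list for group owners too.
Set-UnifiedGroup -Identity 'team-marketing' -Classification 'External'   # placeholder group
Get-UnifiedGroup -Identity 'team-marketing' | Select-Object DisplayName, Classification
```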

Creating a new Office365 Group / Microsoft Teams

Now you will see a new option when creating Office 365 Groups/Microsoft Teams, and you can select a Classification.


Office365 Group for this Microsoft Team is classified as External.



Remove Azure MFA configuration for a specific user

How to reset a user's MFA configuration in Azure.
After this is executed, the user will need to enroll (first-time setup) for Azure MFA again if it is required.


Converting a mailbox type in Active Directory

After converting a regular mailbox to a shared mailbox, or a shared mailbox back to a regular one, in Exchange Online,
the AD object is not updated back on-premises (Exchange 2010).

To convert AD object to correct mailbox type:
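A function that flips the on-premises AD object between remote user mailbox and remote shared mailbox, added here as an example and not the blog's own script. It assumes the ActiveDirectory module on a domain-joined host and uses the Exchange recipient-type constants (msExchRecipientTypeDetails 2147483648 = RemoteUserMailbox, 34359738368 = RemoteSharedMailbox, msExchRemoteRecipientType flag 96 = SharedMailbox); the sample user is a placeholder.

```powershell
# Added example, not the blog's own script. Only the two attributes Exchange Online's type
# change affects are touched; the existing ProvisionMailbox/Migrated bits are preserved.
Import-Module ActiveDirectory

function Set-RemoteMailboxType {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][ValidateSet('Regular', 'Shared')][string]$Type
    )
    $SharedFlag        = 96                       # msExchRemoteRecipientType: SharedMailbox
    $RemoteUserMailbox = [int64]2147483648        # msExchRecipientTypeDetails: RemoteUserMailbox
    $RemoteSharedMbx   = [int64]34359738368       # msExchRecipientTypeDetails: RemoteSharedMailbox

    $user = Get-ADUser -Identity $Identity -Properties msExchRemoteRecipientType, msExchRecipientTypeDetails
    $current = [int64]$user.msExchRemoteRecipientType

    if ($Type -eq 'Shared') {
        $remoteType = $current -bor $SharedFlag            # set the shared bits, keep the rest
        $details    = $RemoteSharedMbx
    }
    else {
        $remoteType = $current -band (-bnot $SharedFlag)   # clear the shared bits, keep the rest
        $details    = $RemoteUserMailbox
    }

    Set-ADUser -Identity $Identity -Replace @{
        msExchRemoteRecipientType  = $remoteType
        msExchRecipientTypeDetails = $details
    }
    # Return the object as written so the change can be verified (and logged) by the caller
    Get-ADUser -Identity $Identity -Properties msExchRemoteRecipientType, msExchRecipientTypeDetails |
        Select-Object SamAccountName, msExchRemoteRecipientType, msExchRecipientTypeDetails
}

# Mailbox converted to Shared in Exchange Online; align the on-prem object (placeholder user)
Set-RemoteMailboxType -Identity 'jdoe' -Type Shared
# Then push the change with a delta sync on the Azure AD Connect server:
#   Start-ADSyncSyncCycle -PolicyType Delta
```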



Importing the Modern Authentication Exchange Online PowerShell module into PowerShell

Prerequisite: In the Exchange Admin Center, go to Hybrid > Setup and click the appropriate Configure button to download the Exchange Online Remote PowerShell Module for multi-factor authentication.
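Locating and importing the ClickOnce-deployed module from a plain PowerShell window, as an added example that is not the blog's own snippet. It assumes the module was installed via the EAC link above into the default ClickOnce location under %LOCALAPPDATA%\Apps\2.0 and exposes `New-ExoPSSession`; the admin UPN is a placeholder.

```powershell
# Added example, not the blog's own script. ClickOnce keeps one copy per installed version,
# so pick the newest real folder and skip the "_none_" placeholder directories.
$ErrorActionPreference = 'Stop'
$AdminUpn = 'admin@domain.com'   # placeholder

$ModuleDll = Get-ChildItem -Path (Join-Path $env:LOCALAPPDATA 'Apps\2.0') -Recurse `
        -Filter 'Microsoft.Exchange.Management.ExoPowershellModule.dll' -ErrorAction SilentlyContinue |
    Where-Object { $_.FullName -notmatch '_none_' } |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 1

if (-not $ModuleDll) {
    throw 'Exchange Online MFA module not found; install it from EAC > Hybrid > Setup first.'
}

Import-Module $ModuleDll.FullName

# Modern Authentication sign-in (MFA prompt appears here), then import the remote cmdlets
$Session = New-ExoPSSession -UserPrincipalName $AdminUpn
Import-PSSession $Session -DisableNameChecking | Out-Null

# Confirm the session works before running anything else
Get-OrganizationConfig | Select-Object Name, IsDehydrated
```

Remove the session with `Remove-PSSession $Session` when done; Exchange Online limits concurrent remote sessions per account.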
