Category: Azure

Automatically roll over the Kerberos decryption key Azure AD Connect SSO

February 23, 2018 Joachim AzureAD

Its’ highly recommended to roll over the kerberos key for Azure AD Connect SSO computer account every 30 days. There is no feature to enable auto roll over of this key.

You will notice this warning in the Azure portal if the key hasn’t been rolled over recently.

I’ve used this Blog article to secure the password on the server for the service account:
http://www.sameie.com/2017/10/05/create-hashed-password-file-for-powershell-use/

I’ve configured a Powershell script that runs as a scheduled task on the server where Azure AD Connect is Installed.

# Requirements:
# Microsoft Online Services Sign-In Assistant.
# 64-bit Azure Active Directory module for Windows PowerShell.

$CloudUser = 'service_account@domain.com'
$CloudEncrypted = Get-Content "C:\Scripts\Cloud_Encrypted_Password.txt" | ConvertTo-SecureString
$CloudCred = New-Object System.Management.Automation.PsCredential($CloudUser,$CloudEncrypted)
$OnpremUser = 'DOMAIN\service_account'
$OnpremEncrypted = Get-Content "C:\Scripts\Onprem_Encrypted_Password.txt" | ConvertTo-SecureString
$OnpremCred = New-Object System.Management.Automation.PsCredential($OnpremUser,$OnpremEncrypted)

Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1'
New-AzureADSSOAuthenticationContext -CloudCredentials $CloudCred
Update-AzureADSSOForest -OnPremCredentials $OnpremCred

# Requirements:

# Microsoft Online Services Sign-In Assistant.

# 64-bit Azure Active Directory module for Windows PowerShell.

$CloudUser = 'service_account@domain.com'

$CloudEncrypted = Get-Content "C:\Scripts\Cloud_Encrypted_Password.txt" | ConvertTo-SecureString

$CloudCred = New-Object System.Management.Automation.PsCredential($CloudUser,$CloudEncrypted)

$OnpremUser = 'DOMAIN\service_account'

$OnpremEncrypted = Get-Content "C:\Scripts\Onprem_Encrypted_Password.txt" | ConvertTo-SecureString

$OnpremCred = New-Object System.Management.Automation.PsCredential($OnpremUser,$OnpremEncrypted)

Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1'

New-AzureADSSOAuthenticationContext -CloudCredentials $CloudCred

Update-AzureADSSOForest -OnPremCredentials $OnpremCred

Output:

Disclaimer: All scripts and references on this blog are offered “as is” with no warranty. These scripts are tested in my environment, it is recommended that it is tested in a test environment before using in production.

Install Azure File Sync Agent (preview) on Windows Server 1709

February 22, 2018 Joachim Azure File Sync

!!NOT SUPPORTED!!
Only Windows Server 2012 R2 and Windows Server 2016 with full Ui is currently supported by Microsoft.
Do not recommend this for production environments.

I wanted to install this on a File Cluster running Windows Server 1709 to see if it was possible.
This is how I did it.

1. Install Azure Resource Manager Powershell module on the Cluster node.

# Install Azure Resource Manager module
Install-Module AzureRM

1 2	# Install Azure Resource Manager module Install-Module AzureRM

2. Download and Install Storage Sync Agent:
By browser:
https://www.microsoft.com/en-us/download/details.aspx?id=55988
By Powershell directly to Cluster node:

#Download Storage Sync Agent
Invoke-WebRequest -Uri 'https://download.microsoft.com/download/A/3/1/A318690B-1D85-43F8-BB97-730CC6E4D49D/StorageSyncAgent_PreviewRefresh1_WS2016.msi' -OutFile 'c:\temp\StorageSyncAgent.msi'

1 2	#Download Storage Sync Agent Invoke-WebRequest -Uri 'https://download.microsoft.com/download/A/3/1/A318690B-1D85-43F8-BB97-730CC6E4D49D/StorageSyncAgent_PreviewRefresh1_WS2016.msi' -OutFile 'c:\temp\StorageSyncAgent.msi'

Run:

C:\Temp\StorageSyncAgent.msi

1	C:\Temp\StorageSyncAgent.msi

Press X when you hit the “Sign In”. It will fail since its not able to load IEFRAME.dll

3. Connect to AzureRM

$Username ="admin@domain.com"
$Password = ConvertTo-SecureString "Your Password" -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential($Username, $Password)
Login-AzureRmAccount -Credential $Cred

$Username ="admin@domain.com"

$Password = ConvertTo-SecureString "Your Password" -AsPlainText -Force

$Cred = New-Object System.Management.Automation.PSCredential($Username, $Password)

List Subscription and Tenant ID

Get-AzureRmSubscription

1	Get-AzureRmSubscription

Name : Visual Studio Enterprise with MSDN
Id : cfxxxxx-7axxx-4xxx-axxx-edxxxxxxxxx
TenantId : 91xxxxx-2xxx-4xxx-8xxx-a1xxxxxxxxx
State : Enabled

4. Connect to Azure Storage Sync

#Import Azure Storage Sync Module
Import-Module "C:\Program Files\Azure\StorageSyncAgent\StorageSync.Management.PowerShell.Cmdlets.dll"

#Login to Azure Storage Sync
Login-AzureRmStorageSync -SubscriptionID "cfxxxxx-7axxx-4xxx-axxx-edxxxxxxxxx" -TenantID "91xxxxx-2xxx-4xxx-8xxx-a1xxxxxxxxx" -Credential $Cred

#Import Azure Storage Sync Module

Import-Module "C:\Program Files\Azure\StorageSyncAgent\StorageSync.Management.PowerShell.Cmdlets.dll"

#Login to Azure Storage Sync

Login-AzureRmStorageSync -SubscriptionID "cfxxxxx-7axxx-4xxx-axxx-edxxxxxxxxx" -TenantID "91xxxxx-2xxx-4xxx-8xxx-a1xxxxxxxxx" -Credential $Cred

5. Register Server with Azure Storage Sync

Register-AzureRmStorageSyncServer -SubscriptionId "cfxxxxx-7axxx-4xxx-axxx-edxxxxxxxxx" -ResourceGroupName "Resourse Group" -StorageSyncService "FileSync Service Name"

1	Register-AzureRmStorageSyncServer -SubscriptionId "cfxxxxx-7axxx-4xxx-axxx-edxxxxxxxxx" -ResourceGroupName "Resourse Group" -StorageSyncService "FileSync Service Name"

ServerRole : ClusterNode
ClusterName : lab-filecluster01
ClusterId : exxxxxxx-3xxx-4xxx-axxx-6xxxxxxxxxxxxx
LastHeartBeat : 20.02.2018 22:31:57
ServerOSVersion : 10.0.16299.0
ServerManagementErrorCode : 0
AgentVersion : 2.0.11.0
ProvisioningState : Succeeded
Name : 8xxxxxxx-axxx-4xxx-axxx-2xxxxxxxxxxx
DisplayName : lab-FIL01.domain.com
Location : westeurope
Id : /subscriptions/

6. Run same procedure on the rest of the file cluster nodes. (If needed)

Now you will see the endpoint registration in the Azure Portal.

You can now configure your newly added File Cluster Endpoint to Azure Sync Groups

Dynamic Groups in Azure AD

January 20, 2018 Joachim AzureAD

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-groups-dynamic-membership-azure-portal

Have tried to use the advanced queries and heres an example of an advanced query:

((user.userPrincipalName -startsWith "e") -or (user.userPrincipalName -startsWith "u") -or (user.userPrincipalName -startsWith "b"))
 -and ((user.userPrincipalName -match "@domain.com") -and (user.accountEnabled -eq true) -and (user.userType -eq "Member"))

1 2	((user.userPrincipalName -startsWith "e") -or (user.userPrincipalName -startsWith "u") -or (user.userPrincipalName -startsWith "b")) -and ((user.userPrincipalName -match "@domain.com") -and (user.accountEnabled -eq true) -and (user.userType -eq "Member"))

This query will add members:

UserPrincipalName Starts with e, u or b
UserPrincipalName Match @domain.com and Account is Enabled and UserType is Member

Remove Azure MFA configuration for a specific user

January 17, 2018 Joachim Azure

How to reset a users MFA configuration in Azure.
After this is executed, user would need to enroll/first time setup for Azure MFA if required.

#Connect to Microsoft Online Services
Connect-MsolService

1 2	#Connect to Microsoft Online Services Connect-MsolService

#Remove Azure MFA config for a specific user
$AzureMFA=@()
Set-MsolUser -UserPrincipalName "username@domain.com" -StrongAuthenticationMethods $AzureMFA

#Remove Azure MFA config for a specific user

$AzureMFA=@()

Set-MsolUser -UserPrincipalName "username@domain.com" -StrongAuthenticationMethods $AzureMFA