Automatically roll over the Kerberos decryption key Azure AD Connect SSO

It is highly recommended to roll over the Kerberos decryption key for the Azure AD Connect SSO computer account every 30 days. There is no built-in feature to roll this key over automatically.

You will notice this warning in the Azure portal if the key hasn’t been rolled over recently.

I’ve used this Blog article to secure the password on the server for the service account:
http://www.sameie.com/2017/10/05/create-hashed-password-file-for-powershell-use/

I’ve configured a PowerShell script that runs as a scheduled task on the server where Azure AD Connect is installed.
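The following is an added example of such a scheduled-task script, not the author's own script (which is not reproduced on this page). It assumes the AzureADSSO module that ships with Azure AD Connect and its New-AzureADSSOAuthenticationContext, Update-AzureADSSOForest and Get-AzureADSSOStatus cmdlets; the -CloudCredentials parameter, the account names, secret-file paths and log location are assumptions or placeholders, and the secret files are expected to have been written with ConvertFrom-SecureString by the same account that runs the task.

```powershell
# Added example (not the blog author's script): roll over the Azure AD Seamless SSO
# Kerberos decryption key from a scheduled task.
# Assumptions: the AzureADSSO module ships with Azure AD Connect at the path below;
# both secrets were stored with ConvertFrom-SecureString (DPAPI) by the same Windows
# account that runs the task, so only that account on this host can decrypt them.
$ErrorActionPreference = 'Stop'
$ModulePath = 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1'
$LogFile    = 'C:\Scripts\SSOKeyRollover.log'   # placeholder log location

function Read-StoredCredential {
    param([string]$UserName, [string]$SecretFile)
    # ConvertTo-SecureString without -Key uses DPAPI: the file can only be decrypted
    # by the user (on this machine) that created it, hence the task must run as that account.
    $secure = Get-Content -Path $SecretFile | ConvertTo-SecureString
    return New-Object System.Management.Automation.PSCredential ($UserName, $secure)
}

function Invoke-SsoKeyRollover {
    # A domain account allowed to update the SSO computer account's password, and an
    # Azure AD administrator account (names and secret files are placeholders).
    $onPremCred = Read-StoredCredential -UserName 'DOMAIN\svc-sso-rollover' -SecretFile 'C:\Scripts\onprem.txt'
    $cloudCred  = Read-StoredCredential -UserName 'admin@tenant.onmicrosoft.com' -SecretFile 'C:\Scripts\cloud.txt'

    Import-Module $ModulePath
    # -CloudCredentials avoids the interactive sign-in prompt (assumed parameter name).
    New-AzureADSSOAuthenticationContext -CloudCredentials $cloudCred
    # Generates a new Kerberos decryption key for the SSO computer account and
    # publishes it to Azure AD.
    Update-AzureADSSOForest -OnPremCredentials $onPremCred
    # Record the post-rollover status so the "last updated" time is auditable.
    $status = Get-AzureADSSOStatus
    "$(Get-Date -Format o) rollover completed: $status" | Add-Content -Path $LogFile
}

try {
    Invoke-SsoKeyRollover
} catch {
    "$(Get-Date -Format o) rollover FAILED: $($_.Exception.Message)" | Add-Content -Path $LogFile
    exit 1
}
```

Register the script as a scheduled task running under the account that encrypted the secret files, with a 30-day trigger, and alert on a non-zero exit code so a failed rollover is noticed before the portal warning appears.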

Output:

Disclaimer: All scripts and references on this blog are offered “as is” with no warranty.  These scripts are tested in my environment, it is recommended that it is tested in a test environment before using in production.

Install Azure File Sync Agent (preview) on Windows Server 1709

!!NOT SUPPORTED!!
Only Windows Server 2012 R2 and Windows Server 2016 with the full UI are currently supported by Microsoft.
Not recommended for production environments.

I wanted to install this on a File Cluster running Windows Server 1709 to see if it was possible.
This is how I did it.

1. Install the Azure Resource Manager PowerShell module on the cluster node.

2. Download and Install Storage Sync Agent:
By browser:
https://www.microsoft.com/en-us/download/details.aspx?id=55988
By PowerShell directly on the cluster node:

Run:

Press X when you reach the “Sign In” step. It will fail since it is not able to load IEFRAME.dll.

3. Connect to AzureRM

List the Subscription and Tenant ID:

Name : Visual Studio Enterprise with MSDN
Id : cfxxxxx-7axxx-4xxx-axxx-edxxxxxxxxx
TenantId : 91xxxxx-2xxx-4xxx-8xxx-a1xxxxxxxxx
State : Enabled

4. Connect to Azure Storage Sync

5. Register Server with Azure Storage Sync

ServerRole : ClusterNode
ClusterName : lab-filecluster01
ClusterId : exxxxxxx-3xxx-4xxx-axxx-6xxxxxxxxxxxxx
LastHeartBeat : 20.02.2018 22:31:57
ServerOSVersion : 10.0.16299.0
ServerManagementErrorCode : 0
AgentVersion : 2.0.11.0
ProvisioningState : Succeeded
Name : 8xxxxxxx-axxx-4xxx-axxx-2xxxxxxxxxxx
DisplayName : lab-FIL01.domain.com
Location : westeurope
Id : /subscriptions/

6. Run the same procedure on the rest of the file cluster nodes (if needed).

Now you will see the endpoint registration in the Azure Portal.

You can now add your newly registered File Cluster endpoint to Azure Sync Groups.


Dynamic Groups in Azure AD

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-groups-dynamic-membership-azure-portal

I have tried the advanced queries, and here’s an example of an advanced query:

This query will add members:

UserPrincipalName Starts with e, u or b
UserPrincipalName Match @domain.com and Account is Enabled and UserType is Member


Remove Azure MFA configuration for a specific user

How to reset a user’s MFA configuration in Azure.
After this is executed, the user would need to enroll again (first-time setup) for Azure MFA if it is required.
